Mac: Make client-cert picker only show certs the server will accept.

net/socket/ssl_client_socket_mac.cc

 // Copyright (c) 2008-2009 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/socket/ssl_client_socket_mac.h"
 
 #include <CoreServices/CoreServices.h>
 #include <netdb.h>
 #include <sys/socket.h>
 #include <sys/types.h>
@@ skipping 637 matching lines @@
   // security info
   SSLCipherSuite suite;
   OSStatus status = SSLGetNegotiatedCipher(ssl_context_, &suite);
   if (!status)
     ssl_info->security_bits = KeySizeOfCipherSuite(suite);
 }
 
 void SSLClientSocketMac::GetSSLCertRequestInfo(
     SSLCertRequestInfo* cert_request_info) {
   // I'm being asked for available client certs (identities).
-
-  CFArrayRef allowed_issuer_names = NULL;
-  if (SSLCopyDistinguishedNames(ssl_context_, &allowed_issuer_names) == noErr &&
-      allowed_issuer_names != NULL) {
-    SSL_LOG << "Server has " << CFArrayGetCount(allowed_issuer_names)
-            << " allowed issuer names";
-    CFRelease(allowed_issuer_names);
-    // TODO(snej): Filter GetSSLClientCertificates using this array.
+  // First, get the cert issuer names allowed by the server.
+  std::vector<CertPrincipal> valid_issuers;
+  CFArrayRef valid_issuer_names = NULL;
+  if (SSLCopyDistinguishedNames(ssl_context_, &valid_issuer_names) == noErr &&

[wtc, 2010/03/25 01:00:35]

Note: the server may also tell us what kind of client
certificate they accept in the certificate_types field of
the CertificateRequest message.

In Mac OS X 10.6, we can use the
SSLGetNumberOfClientAuthTypes and SSLGetClientAuthTypes
functions to get certificate_types, which can also be
used to filter the client certs.  Unfortunately these
two functions are declared in SecureTransportPriv.h.

In Mac OS X 10.5, Secure Transport sort of handles that
for us.  It supports only one type of client cert (rsa_sign),
so it will only do client auth if the server's certificate_types
includes rsa_sign.

+      valid_issuer_names != NULL) {
+    SSL_LOG << "Server has " << CFArrayGetCount(valid_issuer_names)
+            << " valid issuer names";
+    int n = CFArrayGetCount(valid_issuer_names);

[wtc, 2010/03/24 23:52:05]

Nit: move this line up so that in the SSL_LOG statement you
can just use |n|.

+    for (int i = 0; i < n; i++) {
+      // Parse each name into a Principal object.

[wtc, 2010/03/24 23:52:05]

Nit: Principal => CertPrincipal.

+      CFDataRef issuer = reinterpret_cast<CFDataRef>(
+          CFArrayGetValueAtIndex(valid_issuer_names, i));
+      CertPrincipal p;
+      if (p.ParseDistinguishedName(CFDataGetBytePtr(issuer),
+                                   CFDataGetLength(issuer))) {
+        valid_issuers.push_back(p);
+      }
+    }
+    CFRelease(valid_issuer_names);
   }
 
+  // Now get the available client certs that match.

[wtc, 2010/03/24 23:52:05]

Nit: match => are issued by the issuers allowed by the server

   cert_request_info->host_and_port = hostname_;
   cert_request_info->client_certs.clear();
   X509Certificate::GetSSLClientCertificates(hostname_,
+                                            valid_issuers,
                                             &cert_request_info->client_certs);
   SSL_LOG << "Asking user to choose between "
           << cert_request_info->client_certs.size() << " client certs...";
 }
 
 SSLClientSocket::NextProtoStatus
 SSLClientSocketMac::GetNextProto(std::string* proto) {
   proto->clear();
   return kNextProtoUnsupported;
 }
@@ skipping 565 matching lines @@
   if (rv < 0 && rv != ERR_IO_PENDING) {
     us->write_io_buf_ = NULL;
     return OSStatusFromNetError(rv);
   }
 
   // always lie to our caller
   return noErr;
 }
 
 }  // namespace net