Mac: Make client-cert picker only show certs the server will accept.

net/socket/ssl_client_socket_mac.cc

Index: net/socket/ssl_client_socket_mac.cc
diff --git a/net/socket/ssl_client_socket_mac.cc b/net/socket/ssl_client_socket_mac.cc
index 4cf772251f4861edacf4ccfe0eebcb88d72ee721..911c3bc5ba497f84e32d3d2b6d369f74b5956f07 100644
--- a/net/socket/ssl_client_socket_mac.cc
+++ b/net/socket/ssl_client_socket_mac.cc
@@ -655,19 +655,32 @@ void SSLClientSocketMac::GetSSLInfo(SSLInfo* ssl_info) {
 void SSLClientSocketMac::GetSSLCertRequestInfo(
     SSLCertRequestInfo* cert_request_info) {
   // I'm being asked for available client certs (identities).
-
-  CFArrayRef allowed_issuer_names = NULL;
-  if (SSLCopyDistinguishedNames(ssl_context_, &allowed_issuer_names) == noErr &&
-      allowed_issuer_names != NULL) {
-    SSL_LOG << "Server has " << CFArrayGetCount(allowed_issuer_names)
-            << " allowed issuer names";
-    CFRelease(allowed_issuer_names);
-    // TODO(snej): Filter GetSSLClientCertificates using this array.
+  // First, get the cert issuer names allowed by the server.
+  std::vector<CertPrincipal> valid_issuers;
+  CFArrayRef valid_issuer_names = NULL;
+  if (SSLCopyDistinguishedNames(ssl_context_, &valid_issuer_names) == noErr &&

[wtc, 2010/03/25 01:00:35]

Note: the server may also tell us what kind of client
certificate they accept in the certificate_types field of
the CertificateRequest message.

In Mac OS X 10.6, we can use the
SSLGetNumberOfClientAuthTypes and SSLGetClientAuthTypes
functions to get certificate_types, which can also be
used to filter the client certs.  Unfortunately these
two functions are declared in SecureTransportPriv.h.

In Mac OS X 10.5, Secure Transport sort of handles that
for us.  It supports only one type of client cert (rsa_sign),
so it will only do client auth if the server's certificate_types
includes rsa_sign.

+      valid_issuer_names != NULL) {
+    SSL_LOG << "Server has " << CFArrayGetCount(valid_issuer_names)
+            << " valid issuer names";
+    int n = CFArrayGetCount(valid_issuer_names);

[wtc, 2010/03/24 23:52:05]

Nit: move this line up so that in the SSL_LOG statement you
can just use |n|.

+    for (int i = 0; i < n; i++) {
+      // Parse each name into a Principal object.

[wtc, 2010/03/24 23:52:05]

Nit: Principal => CertPrincipal.

+      CFDataRef issuer = reinterpret_cast<CFDataRef>(
+          CFArrayGetValueAtIndex(valid_issuer_names, i));
+      CertPrincipal p;
+      if (p.ParseDistinguishedName(CFDataGetBytePtr(issuer),
+                                   CFDataGetLength(issuer))) {
+        valid_issuers.push_back(p);
+      }
+    }
+    CFRelease(valid_issuer_names);
   }
 
+  // Now get the available client certs that match.

[wtc, 2010/03/24 23:52:05]

Nit: match => are issued by the issuers allowed by the server

   cert_request_info->host_and_port = hostname_;
   cert_request_info->client_certs.clear();
   X509Certificate::GetSSLClientCertificates(hostname_,
+                                            valid_issuers,
                                             &cert_request_info->client_certs);
   SSL_LOG << "Asking user to choose between "
           << cert_request_info->client_certs.size() << " client certs...";