Use SSLClientSocketNSS on Mac OS X. ...

net/socket/ssl_client_socket_nss.cc

 // Copyright (c) 2010 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived
 // from AuthCertificateCallback() in
 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.
 
 /* ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
@@ skipping 300 matching lines @@
   LeaveFunction("");
 }
 
 int SSLClientSocketNSS::Init() {
   EnterFunction("");
   // Initialize the NSS SSL library in a threadsafe way.  This also
   // initializes the NSS base library.
   EnsureNSSSSLInit();
   if (!NSS_IsInitialized())
     return ERR_UNEXPECTED;
-#if !defined(OS_WIN)
+#if !defined(OS_MACOSX) && !defined(OS_WIN)
   // We must call EnsureOCSPInit() here, on the IO thread, to get the IO loop
   // by MessageLoopForIO::current().
   // X509Certificate::Verify() runs on a worker thread of CertVerifier.
   EnsureOCSPInit();
 #endif
 
   LeaveFunction("");
   return OK;
 }
 
@@ skipping 324 matching lines @@
   return transport_->SetSendBufferSize(size);
 }
 
 X509Certificate *SSLClientSocketNSS::UpdateServerCert() {
   // We set the server_cert_ from OwnAuthCertHandler(), but this handler
   // does not necessarily get called if we are continuing a cached SSL
   // session.
   if (server_cert_ == NULL) {
     server_cert_nss_ = SSL_PeerCertificate(nss_fd_);
     if (server_cert_nss_) {
-#if defined(OS_WIN)
-      // TODO(wtc): close cert_store_ at shutdown.
-      if (!cert_store_)
-        cert_store_ = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, NULL, 0, NULL);
-
+#if defined(OS_MACOSX) || defined(OS_WIN)
       // Get each of the intermediate certificates in the server's chain.
       // These will be added to the server's X509Certificate object, making
       // them available to X509Certificate::Verify() for chain building.
       X509Certificate::OSCertHandles intermediate_ca_certs;
-      PCCERT_CONTEXT cert_context = NULL;
+      X509Certificate::OSCertHandle cert_handle = NULL;
       CERTCertList* cert_list = CERT_GetCertChainFromCert(
           server_cert_nss_, PR_Now(), certUsageSSLCA);
       if (cert_list) {
         for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list);
              !CERT_LIST_END(node, cert_list);
              node = CERT_LIST_NEXT(node)) {
           if (node->cert == server_cert_nss_)
             continue;
+#if defined(OS_WIN)
           // Work around http://crbug.com/43538 by not importing the
           // problematic COMODO EV SGC CA certificate.  CryptoAPI will
           // download a good certificate for that CA, issued by COMODO
           // Certification Authority, using the AIA extension in the server
           // certificate.
           if (IsProblematicComodoEVCACert(*node->cert))
             continue;
-          cert_context = NULL;
-          BOOL ok = CertAddEncodedCertificateToStore(
-              cert_store_,
-              X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
-              node->cert->derCert.data,
-              node->cert->derCert.len,
-              CERT_STORE_ADD_USE_EXISTING,
-              &cert_context);
-          DCHECK(ok);
-          intermediate_ca_certs.push_back(cert_context);
+#endif
+          cert_handle = X509Certificate::CreateOSCertHandleFromBytes(
+              reinterpret_cast<char*>(node->cert->derCert.data),
+              node->cert->derCert.len);
+          DCHECK(cert_handle);
+          intermediate_ca_certs.push_back(cert_handle);
         }
         CERT_DestroyCertList(cert_list);
       }
 
       // Finally create the X509Certificate object.
-      BOOL ok = CertAddEncodedCertificateToStore(
-          cert_store_,
-          X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
-          server_cert_nss_->derCert.data,
-          server_cert_nss_->derCert.len,
-          CERT_STORE_ADD_USE_EXISTING,
-          &cert_context);
-      DCHECK(ok);
+      cert_handle = X509Certificate::CreateOSCertHandleFromBytes(
+          reinterpret_cast<char*>(server_cert_nss_->derCert.data),
+          server_cert_nss_->derCert.len);
+      DCHECK(cert_handle);
       server_cert_ = X509Certificate::CreateFromHandle(
-          cert_context,
+          cert_handle,
           X509Certificate::SOURCE_FROM_NETWORK,
           intermediate_ca_certs);
       for (size_t i = 0; i < intermediate_ca_certs.size(); ++i)
-        CertFreeCertificateContext(intermediate_ca_certs[i]);
+        X509Certificate::FreeOSCertHandle(intermediate_ca_certs[i]);
 #else
       server_cert_ = X509Certificate::CreateFromHandle(
           CERT_DupCertificate(server_cert_nss_),
           X509Certificate::SOURCE_FROM_NETWORK,
           X509Certificate::OSCertHandles());
 #endif
     }
   }
   return server_cert_;
 }
@@ skipping 478 matching lines @@
   // Enumerate the client certificates.
   CERT_CHAIN_FIND_BY_ISSUER_PARA find_by_issuer_para;
   memset(&find_by_issuer_para, 0, sizeof(find_by_issuer_para));
   find_by_issuer_para.cbSize = sizeof(find_by_issuer_para);
   find_by_issuer_para.pszUsageIdentifier = szOID_PKIX_KP_CLIENT_AUTH;
   find_by_issuer_para.cIssuer = ca_names->nnames;
   find_by_issuer_para.rgIssuer = ca_names->nnames ? &issuer_list[0] : NULL;
 
   PCCERT_CHAIN_CONTEXT chain_context = NULL;
 
+  // TODO(wtc): close cert_store_ at shutdown.
+  if (!cert_store_)
+    cert_store_ = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, NULL, 0, NULL);
+
   for (;;) {
     // Find a certificate chain.
     chain_context = CertFindChainInStore(my_cert_store,
                                          X509_ASN_ENCODING,
                                          0,
                                          CERT_CHAIN_FIND_BY_ISSUER,
                                          &find_by_issuer_para,
                                          chain_context);
     if (!chain_context) {
       DWORD err = GetLastError();
@@ skipping 20 matching lines @@
         net::X509Certificate::OSCertHandles());
     that->client_certs_.push_back(cert);
   }
 
   BOOL ok = CertCloseStore(my_cert_store, CERT_CLOSE_STORE_CHECK_FLAG);
   DCHECK(ok);
 
   // Tell NSS to suspend the client authentication.  We will then abort the
   // handshake by returning ERR_SSL_CLIENT_AUTH_CERT_NEEDED.
   return SECWouldBlock;
+#elif defined(OS_MACOSX)
+  // TODO(wtc): see http://crbug.com/45369.
+  // Not implemented.  Send no client certificate.
+  PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+  return SECFailure;
 #else
   CERTCertificate* cert = NULL;
   SECKEYPrivateKey* privkey = NULL;
   void* wincx  = SSL_RevealPinArg(socket);
 
   // Second pass: a client certificate should have been selected.
   if (that->ssl_config_.send_client_cert) {
     if (that->ssl_config_.client_cert) {
       cert = CERT_DupCertificate(
           that->ssl_config_.client_cert->os_cert_handle());
@@ skipping 231 matching lines @@
   PRErrorCode prerr = PR_GetError();
   if (prerr == PR_WOULD_BLOCK_ERROR) {
     LeaveFunction("");
     return ERR_IO_PENDING;
   }
   LeaveFunction("");
   return MapNSPRError(prerr);
 }
 
 }  // namespace net