OLD | NEW |
---|---|
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived | 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived |
6 // from AuthCertificateCallback() in | 6 // from AuthCertificateCallback() in |
7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. | 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. |
8 | 8 |
9 /* ***** BEGIN LICENSE BLOCK ***** | 9 /* ***** BEGIN LICENSE BLOCK ***** |
10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 | 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 |
(...skipping 2017 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
2028 if (!chain_context) { | 2028 if (!chain_context) { |
2029 DWORD err = GetLastError(); | 2029 DWORD err = GetLastError(); |
2030 if (err != CRYPT_E_NOT_FOUND) | 2030 if (err != CRYPT_E_NOT_FOUND) |
2031 DLOG(ERROR) << "CertFindChainInStore failed: " << err; | 2031 DLOG(ERROR) << "CertFindChainInStore failed: " << err; |
2032 break; | 2032 break; |
2033 } | 2033 } |
2034 | 2034 |
2035 // Get the leaf certificate. | 2035 // Get the leaf certificate. |
2036 PCCERT_CONTEXT cert_context = | 2036 PCCERT_CONTEXT cert_context = |
2037 chain_context->rgpChain[0]->rgpElement[0]->pCertContext; | 2037 chain_context->rgpChain[0]->rgpElement[0]->pCertContext; |
2038 // Copy it to our own certificate store, so that we can close the "MY" | 2038 // Copy the certificate into a NULL store, so that we can close the "MY" |
2039 // certificate store before returning from this function. | 2039 // store before returning from this function. |
2040 PCCERT_CONTEXT cert_context2; | 2040 PCCERT_CONTEXT cert_context2; |
2041 BOOL ok = CertAddCertificateContextToStore(X509Certificate::cert_store(), | 2041 BOOL ok = CertAddCertificateContextToStore(NULL, cert_context, |
2042 cert_context, | |
2043 CERT_STORE_ADD_USE_EXISTING, | 2042 CERT_STORE_ADD_USE_EXISTING, |
2044 &cert_context2); | 2043 &cert_context2); |
2045 if (!ok) { | 2044 if (!ok) { |
2046 NOTREACHED(); | 2045 NOTREACHED(); |
2047 continue; | 2046 continue; |
2048 } | 2047 } |
2049 | 2048 |
2050 // Copy the rest of the chain to our own store as well. Copying the chain | 2049 // Copy the rest of the chain to our own store as well. Copying the chain |
2051 // stops gracefully if an error is encountered, with the partial chain | 2050 // stops gracefully if an error is encountered, with the partial chain |
2052 // being used as the intermediates, rather than failing to consider the | 2051 // being used as the intermediates, rather than failing to consider the |
2053 // client certificate. | 2052 // client certificate. |
2054 net::X509Certificate::OSCertHandles intermediates; | 2053 net::X509Certificate::OSCertHandles intermediates; |
2055 for (DWORD i = 1; i < chain_context->rgpChain[0]->cElement; i++) { | 2054 for (DWORD i = 1; i < chain_context->rgpChain[0]->cElement; i++) { |
2056 PCCERT_CONTEXT intermediate_copy; | 2055 PCCERT_CONTEXT intermediate_copy; |
2057 ok = CertAddCertificateContextToStore(X509Certificate::cert_store(), | 2056 ok = CertAddCertificateContextToStore( |
2057 NULL, | |
2058 chain_context->rgpChain[0]->rgpElement[i]->pCertContext, | 2058 chain_context->rgpChain[0]->rgpElement[i]->pCertContext, |
wtc
2011/07/17 01:55:32
Move this to the previous line.
| |
2059 CERT_STORE_ADD_USE_EXISTING, &intermediate_copy); | 2059 CERT_STORE_ADD_USE_EXISTING, &intermediate_copy); |
2060 if (!ok) { | 2060 if (!ok) { |
2061 NOTREACHED(); | 2061 NOTREACHED(); |
2062 break; | 2062 break; |
2063 } | 2063 } |
2064 intermediates.push_back(intermediate_copy); | 2064 intermediates.push_back(intermediate_copy); |
2065 } | 2065 } |
2066 | 2066 |
2067 scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromHandle( | 2067 scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromHandle( |
2068 cert_context2, X509Certificate::SOURCE_LONE_CERT_IMPORT, | 2068 cert_context2, intermediates); |
2069 intermediates); | |
2070 that->client_certs_.push_back(cert); | 2069 that->client_certs_.push_back(cert); |
2071 | 2070 |
2072 X509Certificate::FreeOSCertHandle(cert_context2); | 2071 X509Certificate::FreeOSCertHandle(cert_context2); |
2073 for (net::X509Certificate::OSCertHandles::iterator it = | 2072 for (net::X509Certificate::OSCertHandles::iterator it = |
2074 intermediates.begin(); it != intermediates.end(); ++it) { | 2073 intermediates.begin(); it != intermediates.end(); ++it) { |
2075 net::X509Certificate::FreeOSCertHandle(*it); | 2074 net::X509Certificate::FreeOSCertHandle(*it); |
2076 } | 2075 } |
2077 } | 2076 } |
2078 | 2077 |
2079 BOOL ok = CertCloseStore(my_cert_store, CERT_CLOSE_STORE_CHECK_FLAG); | 2078 BOOL ok = CertCloseStore(my_cert_store, CERT_CLOSE_STORE_CHECK_FLAG); |
(...skipping 142 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
2222 continue; | 2221 continue; |
2223 // Filter by issuer. | 2222 // Filter by issuer. |
2224 // | 2223 // |
2225 // TODO(davidben): This does a binary comparison of the DER-encoded | 2224 // TODO(davidben): This does a binary comparison of the DER-encoded |
2226 // issuers. We should match according to RFC 5280 sec. 7.1. We should find | 2225 // issuers. We should match according to RFC 5280 sec. 7.1. We should find |
2227 // an appropriate NSS function or add one if needbe. | 2226 // an appropriate NSS function or add one if needbe. |
2228 if (ca_names->nnames && | 2227 if (ca_names->nnames && |
2229 NSS_CmpCertChainWCANames(node->cert, ca_names) != SECSuccess) | 2228 NSS_CmpCertChainWCANames(node->cert, ca_names) != SECSuccess) |
2230 continue; | 2229 continue; |
2231 X509Certificate* x509_cert = X509Certificate::CreateFromHandle( | 2230 X509Certificate* x509_cert = X509Certificate::CreateFromHandle( |
2232 node->cert, X509Certificate::SOURCE_LONE_CERT_IMPORT, | 2231 node->cert, net::X509Certificate::OSCertHandles()); |
2233 net::X509Certificate::OSCertHandles()); | |
2234 that->client_certs_.push_back(x509_cert); | 2232 that->client_certs_.push_back(x509_cert); |
2235 } | 2233 } |
2236 CERT_DestroyCertList(client_certs); | 2234 CERT_DestroyCertList(client_certs); |
2237 } | 2235 } |
2238 | 2236 |
2239 // Tell NSS to suspend the client authentication. We will then abort the | 2237 // Tell NSS to suspend the client authentication. We will then abort the |
2240 // handshake by returning ERR_SSL_CLIENT_AUTH_CERT_NEEDED. | 2238 // handshake by returning ERR_SSL_CLIENT_AUTH_CERT_NEEDED. |
2241 return SECWouldBlock; | 2239 return SECWouldBlock; |
2242 } | 2240 } |
2243 #endif // NSS_PLATFORM_CLIENT_AUTH | 2241 #endif // NSS_PLATFORM_CLIENT_AUTH |
(...skipping 19 matching lines...) Expand all Loading... | |
2263 valid_thread_id_ = base::PlatformThread::CurrentId(); | 2261 valid_thread_id_ = base::PlatformThread::CurrentId(); |
2264 } | 2262 } |
2265 | 2263 |
2266 bool SSLClientSocketNSS::CalledOnValidThread() const { | 2264 bool SSLClientSocketNSS::CalledOnValidThread() const { |
2267 EnsureThreadIdAssigned(); | 2265 EnsureThreadIdAssigned(); |
2268 base::AutoLock auto_lock(lock_); | 2266 base::AutoLock auto_lock(lock_); |
2269 return valid_thread_id_ == base::PlatformThread::CurrentId(); | 2267 return valid_thread_id_ == base::PlatformThread::CurrentId(); |
2270 } | 2268 } |
2271 | 2269 |
2272 } // namespace net | 2270 } // namespace net |
OLD | NEW |