Chromium Code Reviews Chromium Code Reviews
Issue 2944008:
Refactor X509Certificate caching to cache the OS handle, rather than the X509Certificate (Closed)
| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived | 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived |
| 6 // from AuthCertificateCallback() in | 6 // from AuthCertificateCallback() in |
| 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. | 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. |
| 8 | 8 |
| 9 /* ***** BEGIN LICENSE BLOCK ***** | 9 /* ***** BEGIN LICENSE BLOCK ***** |
| 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 | 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 |
| (...skipping 2017 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 2028 if (!chain_context) { | 2028 if (!chain_context) { |
| 2029 DWORD err = GetLastError(); | 2029 DWORD err = GetLastError(); |
| 2030 if (err != CRYPT_E_NOT_FOUND) | 2030 if (err != CRYPT_E_NOT_FOUND) |
| 2031 DLOG(ERROR) << "CertFindChainInStore failed: " << err; | 2031 DLOG(ERROR) << "CertFindChainInStore failed: " << err; |
| 2032 break; | 2032 break; |
| 2033 } | 2033 } |
| 2034 | 2034 |
| 2035 // Get the leaf certificate. | 2035 // Get the leaf certificate. |
| 2036 PCCERT_CONTEXT cert_context = | 2036 PCCERT_CONTEXT cert_context = |
| 2037 chain_context->rgpChain[0]->rgpElement[0]->pCertContext; | 2037 chain_context->rgpChain[0]->rgpElement[0]->pCertContext; |
| 2038 // Copy it to our own certificate store, so that we can close the "MY" | 2038 // Copy the certificate into a NULL store, so that we can close the "MY" |
| 2039 // certificate store before returning from this function. | 2039 // store before returning from this function. |
| 2040 PCCERT_CONTEXT cert_context2; | 2040 PCCERT_CONTEXT cert_context2; |
| 2041 BOOL ok = CertAddCertificateContextToStore(X509Certificate::cert_store(), | 2041 BOOL ok = CertAddCertificateContextToStore(NULL, cert_context, |
| 2042 cert_context, | |
| 2043 CERT_STORE_ADD_USE_EXISTING, | 2042 CERT_STORE_ADD_USE_EXISTING, |
| 2044 &cert_context2); | 2043 &cert_context2); |
| 2045 if (!ok) { | 2044 if (!ok) { |
| 2046 NOTREACHED(); | 2045 NOTREACHED(); |
| 2047 continue; | 2046 continue; |
| 2048 } | 2047 } |
| 2049 | 2048 |
| 2050 // Copy the rest of the chain to our own store as well. Copying the chain | 2049 // Copy the rest of the chain to our own store as well. Copying the chain |
| 2051 // stops gracefully if an error is encountered, with the partial chain | 2050 // stops gracefully if an error is encountered, with the partial chain |
| 2052 // being used as the intermediates, rather than failing to consider the | 2051 // being used as the intermediates, rather than failing to consider the |
| 2053 // client certificate. | 2052 // client certificate. |
| 2054 net::X509Certificate::OSCertHandles intermediates; | 2053 net::X509Certificate::OSCertHandles intermediates; |
| 2055 for (DWORD i = 1; i < chain_context->rgpChain[0]->cElement; i++) { | 2054 for (DWORD i = 1; i < chain_context->rgpChain[0]->cElement; i++) { |
| 2056 PCCERT_CONTEXT intermediate_copy; | 2055 PCCERT_CONTEXT intermediate_copy; |
| 2057 ok = CertAddCertificateContextToStore(X509Certificate::cert_store(), | 2056 ok = CertAddCertificateContextToStore( |
| 2057 NULL, | |
| 2058 chain_context->rgpChain[0]->rgpElement[i]->pCertContext, | 2058 chain_context->rgpChain[0]->rgpElement[i]->pCertContext, |
|
wtc
2011/07/17 01:55:32
Move this to the previous line.
| |
| 2059 CERT_STORE_ADD_USE_EXISTING, &intermediate_copy); | 2059 CERT_STORE_ADD_USE_EXISTING, &intermediate_copy); |
| 2060 if (!ok) { | 2060 if (!ok) { |
| 2061 NOTREACHED(); | 2061 NOTREACHED(); |
| 2062 break; | 2062 break; |
| 2063 } | 2063 } |
| 2064 intermediates.push_back(intermediate_copy); | 2064 intermediates.push_back(intermediate_copy); |
| 2065 } | 2065 } |
| 2066 | 2066 |
| 2067 scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromHandle( | 2067 scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromHandle( |
| 2068 cert_context2, X509Certificate::SOURCE_LONE_CERT_IMPORT, | 2068 cert_context2, intermediates); |
| 2069 intermediates); | |
| 2070 that->client_certs_.push_back(cert); | 2069 that->client_certs_.push_back(cert); |
| 2071 | 2070 |
| 2072 X509Certificate::FreeOSCertHandle(cert_context2); | 2071 X509Certificate::FreeOSCertHandle(cert_context2); |
| 2073 for (net::X509Certificate::OSCertHandles::iterator it = | 2072 for (net::X509Certificate::OSCertHandles::iterator it = |
| 2074 intermediates.begin(); it != intermediates.end(); ++it) { | 2073 intermediates.begin(); it != intermediates.end(); ++it) { |
| 2075 net::X509Certificate::FreeOSCertHandle(*it); | 2074 net::X509Certificate::FreeOSCertHandle(*it); |
| 2076 } | 2075 } |
| 2077 } | 2076 } |
| 2078 | 2077 |
| 2079 BOOL ok = CertCloseStore(my_cert_store, CERT_CLOSE_STORE_CHECK_FLAG); | 2078 BOOL ok = CertCloseStore(my_cert_store, CERT_CLOSE_STORE_CHECK_FLAG); |
| (...skipping 142 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 2222 continue; | 2221 continue; |
| 2223 // Filter by issuer. | 2222 // Filter by issuer. |
| 2224 // | 2223 // |
| 2225 // TODO(davidben): This does a binary comparison of the DER-encoded | 2224 // TODO(davidben): This does a binary comparison of the DER-encoded |
| 2226 // issuers. We should match according to RFC 5280 sec. 7.1. We should find | 2225 // issuers. We should match according to RFC 5280 sec. 7.1. We should find |
| 2227 // an appropriate NSS function or add one if needbe. | 2226 // an appropriate NSS function or add one if needbe. |
| 2228 if (ca_names->nnames && | 2227 if (ca_names->nnames && |
| 2229 NSS_CmpCertChainWCANames(node->cert, ca_names) != SECSuccess) | 2228 NSS_CmpCertChainWCANames(node->cert, ca_names) != SECSuccess) |
| 2230 continue; | 2229 continue; |
| 2231 X509Certificate* x509_cert = X509Certificate::CreateFromHandle( | 2230 X509Certificate* x509_cert = X509Certificate::CreateFromHandle( |
| 2232 node->cert, X509Certificate::SOURCE_LONE_CERT_IMPORT, | 2231 node->cert, net::X509Certificate::OSCertHandles()); |
| 2233 net::X509Certificate::OSCertHandles()); | |
| 2234 that->client_certs_.push_back(x509_cert); | 2232 that->client_certs_.push_back(x509_cert); |
| 2235 } | 2233 } |
| 2236 CERT_DestroyCertList(client_certs); | 2234 CERT_DestroyCertList(client_certs); |
| 2237 } | 2235 } |
| 2238 | 2236 |
| 2239 // Tell NSS to suspend the client authentication. We will then abort the | 2237 // Tell NSS to suspend the client authentication. We will then abort the |
| 2240 // handshake by returning ERR_SSL_CLIENT_AUTH_CERT_NEEDED. | 2238 // handshake by returning ERR_SSL_CLIENT_AUTH_CERT_NEEDED. |
| 2241 return SECWouldBlock; | 2239 return SECWouldBlock; |
| 2242 } | 2240 } |
| 2243 #endif // NSS_PLATFORM_CLIENT_AUTH | 2241 #endif // NSS_PLATFORM_CLIENT_AUTH |
| (...skipping 19 matching lines...) Expand all Loading... | |
| 2263 valid_thread_id_ = base::PlatformThread::CurrentId(); | 2261 valid_thread_id_ = base::PlatformThread::CurrentId(); |
| 2264 } | 2262 } |
| 2265 | 2263 |
| 2266 bool SSLClientSocketNSS::CalledOnValidThread() const { | 2264 bool SSLClientSocketNSS::CalledOnValidThread() const { |
| 2267 EnsureThreadIdAssigned(); | 2265 EnsureThreadIdAssigned(); |
| 2268 base::AutoLock auto_lock(lock_); | 2266 base::AutoLock auto_lock(lock_); |
| 2269 return valid_thread_id_ == base::PlatformThread::CurrentId(); | 2267 return valid_thread_id_ == base::PlatformThread::CurrentId(); |
| 2270 } | 2268 } |
| 2271 | 2269 |
| 2272 } // namespace net | 2270 } // namespace net |
| OLD | NEW |
