| Index: net/socket/ssl_client_socket_nss.cc
|
| ===================================================================
|
| --- net/socket/ssl_client_socket_nss.cc (revisión: 29395)
|
| +++ net/socket/ssl_client_socket_nss.cc (copia de trabajo)
|
| @@ -209,7 +209,6 @@
|
| user_write_callback_(NULL),
|
| user_read_buf_len_(0),
|
| user_write_buf_len_(0),
|
| - client_auth_ca_names_(NULL),
|
| client_auth_cert_needed_(false),
|
| completed_handshake_(false),
|
| next_handshake_state_(STATE_NONE),
|
| @@ -383,10 +382,7 @@
|
| server_cert_verify_result_.Reset();
|
| completed_handshake_ = false;
|
| nss_bufs_ = NULL;
|
| - if (client_auth_ca_names_) {
|
| - CERT_FreeDistNames(client_auth_ca_names_);
|
| - client_auth_ca_names_ = NULL;
|
| - }
|
| + client_certs_.clear();
|
| client_auth_cert_needed_ = false;
|
|
|
| LeaveFunction("");
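Review bot: `client_certs_.clear()` on the added line only releases the certificates if `client_certs_` holds `scoped_refptr<X509Certificate>`; the entries pushed into it by the client-auth callback come from `X509Certificate::CreateFromHandle`, so if the member is a vector of raw `X509Certificate*` this clear() drops them without a release, and the assignment `cert_request_info->client_certs = client_certs_;` in the GetSSLCertRequestInfo hunk below shares the same unresolved ownership. The member declaration is outside this diff, so I cannot confirm either way. A comment on the member declaration stating who owns the entries and where they are released would settle it, e.g. `// Client certs usable for this connection, filled by ClientAuthHandler; cleared in Disconnect().`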
|
| @@ -525,38 +521,7 @@
|
| SSLCertRequestInfo* cert_request_info) {
|
| EnterFunction("");
|
| cert_request_info->host_and_port = hostname_;
|
| - cert_request_info->client_certs.clear();
|
| -
|
| - void* wincx = SSL_RevealPinArg(nss_fd_);
|
| -
|
| - CERTCertNicknames* names = CERT_GetCertNicknames(
|
| - CERT_GetDefaultCertDB(), SEC_CERT_NICKNAMES_USER, wincx);
|
| -
|
| - if (names) {
|
| - for (int i = 0; i < names->numnicknames; ++i) {
|
| - CERTCertificate* cert = CERT_FindUserCertByUsage(
|
| - CERT_GetDefaultCertDB(), names->nicknames[i],
|
| - certUsageSSLClient, PR_FALSE, wincx);
|
| - if (!cert)
|
| - continue;
|
| - // Only check unexpired certs.
|
| - if (CERT_CheckCertValidTimes(cert, PR_Now(), PR_TRUE) ==
|
| - secCertTimeValid &&
|
| - NSS_CmpCertChainWCANames(cert, client_auth_ca_names_) ==
|
| - SECSuccess) {
|
| - SECKEYPrivateKey* privkey = PK11_FindKeyByAnyCert(cert, wincx);
|
| - if (privkey) {
|
| - X509Certificate* x509_cert = X509Certificate::CreateFromHandle(
|
| - cert, X509Certificate::SOURCE_LONE_CERT_IMPORT);
|
| - cert_request_info->client_certs.push_back(x509_cert);
|
| - SECKEY_DestroyPrivateKey(privkey);
|
| - continue;
|
| - }
|
| - }
|
| - CERT_DestroyCertificate(cert);
|
| - }
|
| - CERT_FreeNicknames(names);
|
| - }
|
| + cert_request_info->client_certs = client_certs_;
|
| LeaveFunction(cert_request_info->client_certs.size());
|
| }
|
|
|
| @@ -879,6 +844,11 @@
|
| CERTCertificate** result_certificate,
|
| SECKEYPrivateKey** result_private_key) {
|
| SSLClientSocketNSS* that = reinterpret_cast<SSLClientSocketNSS*>(arg);
|
| + CERTCertificate* cert = NULL;
|
| + X509Certificate* x509_cert = NULL;
|
| + SECKEYPrivateKey* privkey = NULL;
|
| + void* proto_win = NULL;
|
| + CERTCertNicknames* names;
|
|
|
| that->client_auth_cert_needed_ = !that->ssl_config_.send_client_cert;
|
|
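Review bot: `proto_win` is initialized to NULL on the added line, whereas the removed scan in GetSSLCertRequestInfo passed `SSL_RevealPinArg(nss_fd_)` as the wincx argument to CERT_GetCertNicknames, CERT_FindUserCertByUsage and PK11_FindKeyByAnyCert; with a NULL pin argument the password callback associated with this socket presumably cannot be reached, so certificates on a password-protected token may not be found. Suggest `void* proto_win = SSL_RevealPinArg(that->nss_fd_);`. The added `CERTCertNicknames* names;` is also left uninitialized, and all five locals are declared far from their first use; declaring each at the point of use inside the loop, as the removed code did, would avoid both issues. The function's signature begins before this hunk.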
|
| @@ -902,19 +872,39 @@
|
| // Send no client certificate.
|
| return SECFailure;
|
| }
|
| + names = CERT_GetCertNicknames(CERT_GetDefaultCertDB(),
|
| + SEC_CERT_NICKNAMES_USER, proto_win);
|
|
|
| - PRArenaPool* arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
|
| - CERTDistNames* ca_names_copy = PORT_ArenaZNew(arena, CERTDistNames);
|
| + if (names != NULL) {
|
| + for (int i = 0; i < names->numnicknames; i++) {
|
| + cert = CERT_FindUserCertByUsage(
|
| + CERT_GetDefaultCertDB(),
|
| + names->nicknames[i],
|
| + certUsageSSLClient,
|
| + PR_FALSE,
|
| + proto_win);
|
| + if ( !cert )
|
| + continue;
|
| + // Only check unexpired certs
|
| + if (CERT_CheckCertValidTimes(cert, PR_Now(), PR_TRUE) !=
|
| + secCertTimeValid ) {
|
| + CERT_DestroyCertificate(cert);
|
| + continue;
|
| + }
|
| + if ( NSS_CmpCertChainWCANames(cert, ca_names) == SECSuccess ) {
|
| + if ( PK11_FindKeyByAnyCert(cert, proto_win) ) {
|
| + x509_cert = X509Certificate::CreateFromHandle(
|
| + cert, X509Certificate::SOURCE_LONE_CERT_IMPORT);
|
| + that->client_certs_.push_back(x509_cert);
|
| + SECKEY_DestroyPrivateKey(privkey);
|
| + continue;
|
| + }
|
| + }
|
| + CERT_DestroyCertificate(cert);
|
| + }
|
| + CERT_FreeNicknames(names);
|
| + }
|
|
|
| - ca_names_copy->arena = arena;
|
| - ca_names_copy->head = NULL;
|
| - ca_names_copy->nnames = ca_names->nnames;
|
| - ca_names_copy->names = PORT_ArenaZNewArray(arena, SECItem,
|
| - ca_names->nnames);
|
| - for (int i = 0; i < ca_names->nnames; ++i)
|
| - SECITEM_CopyItem(arena, &ca_names_copy->names[i], &ca_names->names[i]);
|
| -
|
| - that->client_auth_ca_names_ = ca_names_copy;
|
| return SECFailure;
|
| }
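Review bot: The private key returned by `PK11_FindKeyByAnyCert(cert, proto_win)` on the added `if` line is never stored, so the `SECKEY_DestroyPrivateKey(privkey)` that follows always receives the NULL that `privkey` was initialized to, and the key handle found for every matching certificate leaks. The removed version of this loop assigned it first; restore that with `privkey = PK11_FindKeyByAnyCert(cert, proto_win);` followed by `if (privkey) {`. Separately, nothing clears `that->client_certs_` before the scan and the only clear visible in this diff is in the Disconnect hunk, so if NSS invokes this callback again on the same connection (e.g. renegotiation) the same certificates would be appended a second time; a `that->client_certs_.clear();` before the `CERT_GetCertNicknames` call would keep the list matching the current request. ClientAuthHandler begins before this hunk.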
|
|
|
|
|