OLD | NEW |
1 // Copyright (c) 2006-2009 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2006-2009 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 // This file includes code GetDefaultCertNickname(), derived from | 5 // This file includes code GetDefaultCertNickname(), derived from |
6 // nsNSSCertificate::defaultServerNickName() | 6 // nsNSSCertificate::defaultServerNickName() |
7 // in mozilla/security/manager/ssl/src/nsNSSCertificate.cpp | 7 // in mozilla/security/manager/ssl/src/nsNSSCertificate.cpp |
8 // and SSLClientSocketNSS::DoVerifyCertComplete() derived from | 8 // and SSLClientSocketNSS::DoVerifyCertComplete() derived from |
9 // AuthCertificateCallback() in | 9 // AuthCertificateCallback() in |
10 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. | 10 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. |
(...skipping 191 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
202 transport_recv_busy_(false), | 202 transport_recv_busy_(false), |
203 handshake_io_callback_(this, &SSLClientSocketNSS::OnHandshakeIOComplete), | 203 handshake_io_callback_(this, &SSLClientSocketNSS::OnHandshakeIOComplete), |
204 transport_(transport_socket), | 204 transport_(transport_socket), |
205 hostname_(hostname), | 205 hostname_(hostname), |
206 ssl_config_(ssl_config), | 206 ssl_config_(ssl_config), |
207 user_connect_callback_(NULL), | 207 user_connect_callback_(NULL), |
208 user_read_callback_(NULL), | 208 user_read_callback_(NULL), |
209 user_write_callback_(NULL), | 209 user_write_callback_(NULL), |
210 user_read_buf_len_(0), | 210 user_read_buf_len_(0), |
211 user_write_buf_len_(0), | 211 user_write_buf_len_(0), |
212 client_auth_ca_names_(NULL), | |
213 client_auth_cert_needed_(false), | 212 client_auth_cert_needed_(false), |
214 completed_handshake_(false), | 213 completed_handshake_(false), |
215 next_handshake_state_(STATE_NONE), | 214 next_handshake_state_(STATE_NONE), |
216 nss_fd_(NULL), | 215 nss_fd_(NULL), |
217 nss_bufs_(NULL) { | 216 nss_bufs_(NULL) { |
218 EnterFunction(""); | 217 EnterFunction(""); |
219 } | 218 } |
220 | 219 |
221 SSLClientSocketNSS::~SSLClientSocketNSS() { | 220 SSLClientSocketNSS::~SSLClientSocketNSS() { |
222 EnterFunction(""); | 221 EnterFunction(""); |
(...skipping 153 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
376 user_read_callback_ = NULL; | 375 user_read_callback_ = NULL; |
377 user_write_callback_ = NULL; | 376 user_write_callback_ = NULL; |
378 user_read_buf_ = NULL; | 377 user_read_buf_ = NULL; |
379 user_read_buf_len_ = 0; | 378 user_read_buf_len_ = 0; |
380 user_write_buf_ = NULL; | 379 user_write_buf_ = NULL; |
381 user_write_buf_len_ = 0; | 380 user_write_buf_len_ = 0; |
382 server_cert_ = NULL; | 381 server_cert_ = NULL; |
383 server_cert_verify_result_.Reset(); | 382 server_cert_verify_result_.Reset(); |
384 completed_handshake_ = false; | 383 completed_handshake_ = false; |
385 nss_bufs_ = NULL; | 384 nss_bufs_ = NULL; |
386 if (client_auth_ca_names_) { | 385 client_certs_.clear(); |
387 CERT_FreeDistNames(client_auth_ca_names_); | |
388 client_auth_ca_names_ = NULL; | |
389 } | |
390 client_auth_cert_needed_ = false; | 386 client_auth_cert_needed_ = false; |
391 | 387 |
392 LeaveFunction(""); | 388 LeaveFunction(""); |
393 } | 389 } |
394 | 390 |
395 bool SSLClientSocketNSS::IsConnected() const { | 391 bool SSLClientSocketNSS::IsConnected() const { |
396 // Ideally, we should also check if we have received the close_notify alert | 392 // Ideally, we should also check if we have received the close_notify alert |
397 // message from the server, and return false in that case. We're not doing | 393 // message from the server, and return false in that case. We're not doing |
398 // that, so this function may return a false positive. Since the upper | 394 // that, so this function may return a false positive. Since the upper |
399 // layer (HttpNetworkTransaction) needs to handle a persistent connection | 395 // layer (HttpNetworkTransaction) needs to handle a persistent connection |
(...skipping 118 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
518 ssl_info->cert_status = server_cert_verify_result_.cert_status; | 514 ssl_info->cert_status = server_cert_verify_result_.cert_status; |
519 DCHECK(server_cert_ != NULL); | 515 DCHECK(server_cert_ != NULL); |
520 ssl_info->cert = server_cert_; | 516 ssl_info->cert = server_cert_; |
521 LeaveFunction(""); | 517 LeaveFunction(""); |
522 } | 518 } |
523 | 519 |
524 void SSLClientSocketNSS::GetSSLCertRequestInfo( | 520 void SSLClientSocketNSS::GetSSLCertRequestInfo( |
525 SSLCertRequestInfo* cert_request_info) { | 521 SSLCertRequestInfo* cert_request_info) { |
526 EnterFunction(""); | 522 EnterFunction(""); |
527 cert_request_info->host_and_port = hostname_; | 523 cert_request_info->host_and_port = hostname_; |
528 cert_request_info->client_certs.clear(); | 524 cert_request_info->client_certs = client_certs_; |
529 | |
530 void* wincx = SSL_RevealPinArg(nss_fd_); | |
531 | |
532 CERTCertNicknames* names = CERT_GetCertNicknames( | |
533 CERT_GetDefaultCertDB(), SEC_CERT_NICKNAMES_USER, wincx); | |
534 | |
535 if (names) { | |
536 for (int i = 0; i < names->numnicknames; ++i) { | |
537 CERTCertificate* cert = CERT_FindUserCertByUsage( | |
538 CERT_GetDefaultCertDB(), names->nicknames[i], | |
539 certUsageSSLClient, PR_FALSE, wincx); | |
540 if (!cert) | |
541 continue; | |
542 // Only check unexpired certs. | |
543 if (CERT_CheckCertValidTimes(cert, PR_Now(), PR_TRUE) == | |
544 secCertTimeValid && | |
545 NSS_CmpCertChainWCANames(cert, client_auth_ca_names_) == | |
546 SECSuccess) { | |
547 SECKEYPrivateKey* privkey = PK11_FindKeyByAnyCert(cert, wincx); | |
548 if (privkey) { | |
549 X509Certificate* x509_cert = X509Certificate::CreateFromHandle( | |
550 cert, X509Certificate::SOURCE_LONE_CERT_IMPORT); | |
551 cert_request_info->client_certs.push_back(x509_cert); | |
552 SECKEY_DestroyPrivateKey(privkey); | |
553 continue; | |
554 } | |
555 } | |
556 CERT_DestroyCertificate(cert); | |
557 } | |
558 CERT_FreeNicknames(names); | |
559 } | |
560 LeaveFunction(cert_request_info->client_certs.size()); | 525 LeaveFunction(cert_request_info->client_certs.size()); |
561 } | 526 } |
562 | 527 |
563 void SSLClientSocketNSS::DoReadCallback(int rv) { | 528 void SSLClientSocketNSS::DoReadCallback(int rv) { |
564 EnterFunction(rv); | 529 EnterFunction(rv); |
565 DCHECK(rv != ERR_IO_PENDING); | 530 DCHECK(rv != ERR_IO_PENDING); |
566 DCHECK(user_read_callback_); | 531 DCHECK(user_read_callback_); |
567 | 532 |
568 // Since Run may result in Read being called, clear |user_read_callback_| | 533 // Since Run may result in Read being called, clear |user_read_callback_| |
569 // up front. | 534 // up front. |
(...skipping 305 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
875 SECStatus SSLClientSocketNSS::ClientAuthHandler( | 840 SECStatus SSLClientSocketNSS::ClientAuthHandler( |
876 void* arg, | 841 void* arg, |
877 PRFileDesc* socket, | 842 PRFileDesc* socket, |
878 CERTDistNames* ca_names, | 843 CERTDistNames* ca_names, |
879 CERTCertificate** result_certificate, | 844 CERTCertificate** result_certificate, |
880 SECKEYPrivateKey** result_private_key) { | 845 SECKEYPrivateKey** result_private_key) { |
881 SSLClientSocketNSS* that = reinterpret_cast<SSLClientSocketNSS*>(arg); | 846 SSLClientSocketNSS* that = reinterpret_cast<SSLClientSocketNSS*>(arg); |
882 | 847 |
883 that->client_auth_cert_needed_ = !that->ssl_config_.send_client_cert; | 848 that->client_auth_cert_needed_ = !that->ssl_config_.send_client_cert; |
884 | 849 |
| 850 CERTCertificate* cert = NULL; |
| 851 SECKEYPrivateKey* privkey = NULL; |
| 852 void* wincx = SSL_RevealPinArg(socket); |
| 853 |
885 // Second pass: a client certificate should have been selected. | 854 // Second pass: a client certificate should have been selected. |
886 if (that->ssl_config_.send_client_cert) { | 855 if (that->ssl_config_.send_client_cert) { |
887 if (that->ssl_config_.client_cert) { | 856 if (that->ssl_config_.client_cert) { |
888 void* wincx = SSL_RevealPinArg(socket); | 857 cert = CERT_DupCertificate( |
889 CERTCertificate* cert = CERT_DupCertificate( | |
890 that->ssl_config_.client_cert->os_cert_handle()); | 858 that->ssl_config_.client_cert->os_cert_handle()); |
891 SECKEYPrivateKey* privkey = PK11_FindKeyByAnyCert(cert, wincx); | 859 privkey = PK11_FindKeyByAnyCert(cert, wincx); |
892 if (privkey) { | 860 if (privkey) { |
893 // TODO(jsorianopastor): We should wait for server certificate | 861 // TODO(jsorianopastor): We should wait for server certificate |
894 // verification before sending our credentials. See | 862 // verification before sending our credentials. See |
895 // http://crbug.com/13934. | 863 // http://crbug.com/13934. |
896 *result_certificate = cert; | 864 *result_certificate = cert; |
897 *result_private_key = privkey; | 865 *result_private_key = privkey; |
898 return SECSuccess; | 866 return SECSuccess; |
899 } | 867 } |
900 LOG(WARNING) << "Client cert found without private key"; | 868 LOG(WARNING) << "Client cert found without private key"; |
901 } | 869 } |
902 // Send no client certificate. | 870 // Send no client certificate. |
903 return SECFailure; | 871 return SECFailure; |
904 } | 872 } |
905 | 873 |
906 PRArenaPool* arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); | 874 CERTCertNicknames* names = CERT_GetCertNicknames( |
907 CERTDistNames* ca_names_copy = PORT_ArenaZNew(arena, CERTDistNames); | 875 CERT_GetDefaultCertDB(), SEC_CERT_NICKNAMES_USER, wincx); |
| 876 if (names) { |
| 877 for (int i = 0; i < names->numnicknames; ++i) { |
| 878 cert = CERT_FindUserCertByUsage( |
| 879 CERT_GetDefaultCertDB(), names->nicknames[i], |
| 880 certUsageSSLClient, PR_FALSE, wincx); |
| 881 if (!cert) |
| 882 continue; |
| 883 // Only check unexpired certs. |
| 884 if (CERT_CheckCertValidTimes(cert, PR_Now(), PR_TRUE) == |
| 885 secCertTimeValid && |
| 886 NSS_CmpCertChainWCANames(cert, ca_names) == SECSuccess) { |
| 887 privkey = PK11_FindKeyByAnyCert(cert, wincx); |
| 888 if (privkey) { |
| 889 X509Certificate* x509_cert = X509Certificate::CreateFromHandle( |
| 890 cert, X509Certificate::SOURCE_LONE_CERT_IMPORT); |
| 891 that->client_certs_.push_back(x509_cert); |
| 892 SECKEY_DestroyPrivateKey(privkey); |
| 893 continue; |
| 894 } |
| 895 } |
| 896 CERT_DestroyCertificate(cert); |
| 897 } |
| 898 CERT_FreeNicknames(names); |
| 899 } |
908 | 900 |
909 ca_names_copy->arena = arena; | |
910 ca_names_copy->head = NULL; | |
911 ca_names_copy->nnames = ca_names->nnames; | |
912 ca_names_copy->names = PORT_ArenaZNewArray(arena, SECItem, | |
913 ca_names->nnames); | |
914 for (int i = 0; i < ca_names->nnames; ++i) | |
915 SECITEM_CopyItem(arena, &ca_names_copy->names[i], &ca_names->names[i]); | |
916 | |
917 that->client_auth_ca_names_ = ca_names_copy; | |
918 return SECFailure; | 901 return SECFailure; |
919 } | 902 } |
920 | 903 |
921 // static | 904 // static |
922 // NSS calls this when handshake is completed. | 905 // NSS calls this when handshake is completed. |
923 // After the SSL handshake is finished, use CertVerifier to verify | 906 // After the SSL handshake is finished, use CertVerifier to verify |
924 // the saved server certificate. | 907 // the saved server certificate. |
925 void SSLClientSocketNSS::HandshakeCallback(PRFileDesc* socket, | 908 void SSLClientSocketNSS::HandshakeCallback(PRFileDesc* socket, |
926 void* arg) { | 909 void* arg) { |
927 SSLClientSocketNSS* that = reinterpret_cast<SSLClientSocketNSS*>(arg); | 910 SSLClientSocketNSS* that = reinterpret_cast<SSLClientSocketNSS*>(arg); |
(...skipping 157 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1085 } | 1068 } |
1086 PRErrorCode prerr = PR_GetError(); | 1069 PRErrorCode prerr = PR_GetError(); |
1087 if (prerr == PR_WOULD_BLOCK_ERROR) { | 1070 if (prerr == PR_WOULD_BLOCK_ERROR) { |
1088 return ERR_IO_PENDING; | 1071 return ERR_IO_PENDING; |
1089 } | 1072 } |
1090 LeaveFunction(""); | 1073 LeaveFunction(""); |
1091 return NetErrorFromNSPRError(prerr); | 1074 return NetErrorFromNSPRError(prerr); |
1092 } | 1075 } |
1093 | 1076 |
1094 } // namespace net | 1077 } // namespace net |
OLD | NEW |