SSL client authentication support for secure proxy in WebSocket

net/socket_stream/socket_stream.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 //
 // TODO(ukai): code is similar with http_network_transaction.cc.  We should
 //   think about ways to share code, if possible.
 
 #include "net/socket_stream/socket_stream.h"
 
 #include <set>
 #include <string>
 
 #include "base/compiler_specific.h"
 #include "base/logging.h"
 #include "base/message_loop.h"
 #include "base/string_util.h"
 #include "base/stringprintf.h"
 #include "base/utf_string_conversions.h"
 #include "net/base/auth.h"
 #include "net/base/host_resolver.h"
 #include "net/base/io_buffer.h"
 #include "net/base/net_errors.h"
 #include "net/base/net_util.h"
+#include "net/base/ssl_cert_request_info.h"
 #include "net/http/http_auth_handler_factory.h"
+#include "net/http/http_network_session.h"
 #include "net/http/http_request_info.h"
 #include "net/http/http_response_headers.h"
+#include "net/http/http_transaction_factory.h"
 #include "net/http/http_util.h"
 #include "net/socket/client_socket_factory.h"
 #include "net/socket/socks5_client_socket.h"
 #include "net/socket/socks_client_socket.h"
 #include "net/socket/ssl_client_socket.h"
 #include "net/socket/tcp_client_socket.h"
 #include "net/socket_stream/socket_stream_metrics.h"
 #include "net/url_request/url_request.h"
 
 static const int kMaxPendingSendAllowed = 32768;  // 32 kilobytes.
@@ skipping 879 matching lines @@
   next_state_ = STATE_SECURE_PROXY_CONNECT_COMPLETE;
   metrics_->OnCountConnectionType(SocketStreamMetrics::SECURE_PROXY_CONNECTION);
   return socket_->Connect(&io_callback_);
 }
 
 int SocketStream::DoSecureProxyConnectComplete(int result) {
   DCHECK_EQ(STATE_NONE, next_state_);
   result = DidEstablishSSL(result);
   if (next_state_ != STATE_NONE)
     return result;
+  if (result == ERR_SSL_CLIENT_AUTH_CERT_NEEDED)
+    return HandleCertificateRequest(result);
   if (result == OK)
     next_state_ = STATE_WRITE_TUNNEL_HEADERS;
   else
     next_state_ = STATE_CLOSE;
   return result;
 }
 
 int SocketStream::DoSSLConnect() {
   DCHECK(factory_);
   SSLClientSocketContext ssl_context;
@@ skipping 145 matching lines @@
       auth_identity_.password = entry->password();
       // Restart with auth info.
     }
     return ERR_PROXY_AUTH_UNSUPPORTED;
   } else {
     auth_identity_.invalid = false;
   }
   return ERR_TUNNEL_CONNECTION_FAILED;
 }
 
+int SocketStream::HandleCertificateRequest(int result) {
+  // TODO(toyoshim): We must support SSL client authentication for not only
+  // secure proxy but also secure server.
+
+  if (ssl_config_.send_client_cert)

[ukai, 2011/10/17 01:48:56]

we might need to have 2 SSLConfig?
 server_ssl_config_ and proxy_ssl_config_

[Takashi Toyoshima, 2011/10/17 02:50:05]

When we support client authentication for secure server via secure proxy, it is
true.
Now, I just support authentication only for secure proxy because of two reasons.

One is that this change is temporal one, and will be replaced by refactoring
which integrate socket_stream to http_network_transaction.

Another reason is that we don't have a chance to cache server's
cert_request_info because WebSockets always go on background, and we could not
pop up certification choosing dialog for user decision.

[ukai, 2011/10/17 04:18:08]

even without client authentication, can we use the same SSLConfig for wss over
secure proxy?

[Takashi Toyoshima, 2011/10/17 04:42:30]

Oops!
Sorry, now I see what was wrong
I fix it.

+    // We already have performed SSL client authentication once and failed.
+    return result;
+
+  DCHECK(socket_.get());
+  scoped_refptr<SSLCertRequestInfo> cert_request_info = new SSLCertRequestInfo;
+  SSLClientSocket* ssl_socket =
+      reinterpret_cast<SSLClientSocket*>(socket_.get());

[ukai, 2011/10/17 01:48:56]

static_cast ?

[Takashi Toyoshima, 2011/10/17 02:50:05]

Right.
I fixed it and a same wrong cast in DidEstablishSSL.

+  ssl_socket->GetSSLCertRequestInfo(cert_request_info);
+
+  HttpTransactionFactory* factory = context_->http_transaction_factory();
+  if (!factory)
+    return result;
+  scoped_refptr<HttpNetworkSession> session = factory->GetSession();
+  if (!session.get())
+    return result;
+
+  scoped_refptr<X509Certificate> client_cert;
+  bool found_cached_cert = session->ssl_client_auth_cache()->Lookup(
+      cert_request_info->host_and_port, &client_cert);
+  if (!found_cached_cert)
+    return result;
+  if (!client_cert)
+    return result;
+
+  const std::vector<scoped_refptr<X509Certificate> >& client_certs =
+      cert_request_info->client_certs;
+  bool cert_still_valid = false;
+  for (size_t i = 0; i < client_certs.size(); ++i) {
+    if (client_cert->Equals(client_certs[i])) {
+      cert_still_valid = true;
+      break;
+    }
+  }
+  if (!cert_still_valid)
+    return result;
+
+  ssl_config_.send_client_cert = true;
+  ssl_config_.client_cert = client_cert;
+  next_state_ = STATE_TCP_CONNECT;
+  return OK;
+}
+
 void SocketStream::DoAuthRequired() {
   if (delegate_ && auth_info_.get())
     delegate_->OnAuthRequired(this, auth_info_.get());
   else
     DoLoop(ERR_UNEXPECTED);
 }
 
 void SocketStream::DoRestartWithAuth() {
   DCHECK_EQ(next_state_, STATE_AUTH_REQUIRED);
   auth_cache_.Add(ProxyAuthOrigin(),
@@ skipping 30 matching lines @@
 
 SSLConfigService* SocketStream::ssl_config_service() const {
   return context_->ssl_config_service();
 }
 
 ProxyService* SocketStream::proxy_service() const {
   return context_->proxy_service();
 }
 
 }  // namespace net