Don't select a client certs for TabContents with no TabContentsWrapper.

chrome/browser/chrome_content_browser_client.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chrome_content_browser_client.h"
 
 #include <set>
 #include <vector>
 
 #include "base/bind.h"
 #include "base/command_line.h"
 #include "chrome/app/breakpad_mac.h"
 #include "chrome/browser/browser_about_handler.h"
 #include "chrome/browser/browser_process.h"
 #include "chrome/browser/browsing_data_remover.h"
 #include "chrome/browser/character_encoding.h"
 #include "chrome/browser/chrome_benchmarking_message_filter.h"
 #include "chrome/browser/chrome_plugin_message_filter.h"
 #include "chrome/browser/chrome_quota_permission_context.h"
 #include "chrome/browser/content_settings/content_settings_utils.h"
 #include "chrome/browser/content_settings/cookie_settings.h"
+#include "chrome/browser/content_settings/host_content_settings_map.h"
 #include "chrome/browser/content_settings/tab_specific_content_settings.h"
 #include "chrome/browser/download/download_util.h"
 #include "chrome/browser/extensions/extension_info_map.h"
 #include "chrome/browser/extensions/extension_message_handler.h"
 #include "chrome/browser/extensions/extension_service.h"
 #include "chrome/browser/extensions/extension_web_ui.h"
 #include "chrome/browser/extensions/extension_webrequest_api.h"
 #include "chrome/browser/geolocation/chrome_access_token_store.h"
 #include "chrome/browser/google/google_util.h"
 #include "chrome/browser/net/chrome_net_log.h"
@@ skipping 169 matching lines @@
   for (std::set<std::string>::iterator iter = extension_ids.begin();
        iter != extension_ids.end(); ++iter) {
     const Extension* extension = service->GetExtensionById(*iter, false);
     if (extension && extension->is_storage_isolated())
       return PRIV_ISOLATED;
   }
 
   return PRIV_EXTENSION;
 }
 
+bool CertMatchesFilter(const net::X509Certificate& cert,
+                       const base::DictionaryValue& filter) {
+  // TODO(markusheintz): This is the minimal required filter implementation.
+  // Implement a better matcher.
+
+  // An empty filter matches any client certificate since no requirements are
+  // specified at all.
+  if (filter.empty())
+    return true;
+
+  std::string common_name;
+  if (filter.GetString("ISSUER.CN", &common_name) &&
+      (cert.issuer().common_name == common_name)) {
+    return true;
+  }
+  return false;
+}
+
 }  // namespace
 
 namespace chrome {
 
 content::BrowserMainParts* ChromeContentBrowserClient::CreateBrowserMainParts(
     const content::MainFunctionParams& parameters) {
   ChromeBrowserMainParts* main_parts;
   // Construct the Main browser parts based on the OS type.
 #if defined(OS_WIN)
   main_parts = new ChromeBrowserMainPartsWin(parameters);
@@ skipping 626 matching lines @@
     int render_process_id,
     int render_view_id,
     SSLClientAuthHandler* handler) {
   TabContents* tab = tab_util::GetTabContentsByID(
       render_process_id, render_view_id);
   if (!tab) {
     NOTREACHED();
     return;
   }
 
+  net::SSLCertRequestInfo* cert_request_info = handler->cert_request_info();
+  GURL requesting_url("https://" + cert_request_info->host_and_port);
+  DCHECK(requesting_url.is_valid()) << "Invalid URL string: https://"
+                                    << cert_request_info->host_and_port;
+
+  Profile* profile = Profile::FromBrowserContext(tab->browser_context());
+  DCHECK(profile);
+  scoped_ptr<Value> filter(
+      profile->GetHostContentSettingsMap()->GetWebsiteSetting(
+          requesting_url,
+          requesting_url,
+          CONTENT_SETTINGS_TYPE_AUTO_SELECT_CERTIFICATE,
+          std::string(), NULL));
+
+  if (filter.get()) {
+    // Try to automatically select a client certificate.
+    if (filter->IsType(Value::TYPE_DICTIONARY)) {
+      DictionaryValue* filter_dict =
+          static_cast<DictionaryValue*>(filter.get());
+
+      const std::vector<scoped_refptr<net::X509Certificate> >&
+          all_client_certs = cert_request_info->client_certs;
+      for (size_t i = 0; i < all_client_certs.size(); ++i) {
+        if (CertMatchesFilter(*all_client_certs[i], *filter_dict)) {
+          // Use the first certificate that is matched by the filter.
+          handler->CertificateSelected(all_client_certs[i]);
+          return;
+        }
+      }
+    } else {
+      NOTREACHED();
+    }
+  }
+
   TabContentsWrapper* wrapper =
       TabContentsWrapper::GetCurrentWrapperForContents(tab);
-  wrapper->ssl_helper()->SelectClientCertificate(handler);
+  if (!wrapper) {
+    LOG(ERROR) << " *** No TabcontentsWrapper for: " << tab->GetURL().spec();
+    // If there is no TabContentsWrapper for the given TabContents then we can't
+    // show the user a dialog to select a client certificate. So we simple

[wtc, 2011/12/02 19:01:48]

Nit: simple => simply

NOTE: "cancel the request" is not accurate.  handler->CertificateSelected(NULL)
instructs the SSL library to proceed with no client certificate.
In most cases, the server will abort the SSL handshake.
But some servers may allow the SSL handshake to succeed
but return an HTTP error page.

[markusheintz_, 2011/12/03 13:25:42]

Done.

+    // cancel the request.
+    handler->CertificateSelected(NULL);
+    return;
+  }
+  wrapper->ssl_helper()->ShowClientCertificateRequestDialog(handler);
 }
 
 void ChromeContentBrowserClient::AddNewCertificate(
     net::URLRequest* request,
     net::X509Certificate* cert,
     int render_process_id,
     int render_view_id) {
   // The handler will run the UI and delete itself when it's finished.
   new SSLAddCertHandler(request, cert, render_process_id, render_view_id);
 }
@@ skipping 241 matching lines @@
 #if defined(USE_NSS)
 crypto::CryptoModuleBlockingPasswordDelegate*
     ChromeContentBrowserClient::GetCryptoPasswordDelegate(
         const GURL& url) {
   return browser::NewCryptoModuleBlockingDialogDelegate(
       browser::kCryptoModulePasswordKeygen, url.host());
 }
 #endif
 
 }  // namespace chrome