OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived | 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived |
6 // from AuthCertificateCallback() in | 6 // from AuthCertificateCallback() in |
7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. | 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. |
8 | 8 |
9 /* ***** BEGIN LICENSE BLOCK ***** | 9 /* ***** BEGIN LICENSE BLOCK ***** |
10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 | 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 |
(...skipping 429 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
440 transport_(transport_socket), | 440 transport_(transport_socket), |
441 host_and_port_(host_and_port), | 441 host_and_port_(host_and_port), |
442 ssl_config_(ssl_config), | 442 ssl_config_(ssl_config), |
443 user_read_buf_len_(0), | 443 user_read_buf_len_(0), |
444 user_write_buf_len_(0), | 444 user_write_buf_len_(0), |
445 server_cert_nss_(NULL), | 445 server_cert_nss_(NULL), |
446 server_cert_verify_result_(NULL), | 446 server_cert_verify_result_(NULL), |
447 ssl_connection_status_(0), | 447 ssl_connection_status_(0), |
448 client_auth_cert_needed_(false), | 448 client_auth_cert_needed_(false), |
449 cert_verifier_(context.cert_verifier), | 449 cert_verifier_(context.cert_verifier), |
450 ob_cert_xtn_negotiated_(false), | 450 domain_bound_cert_xtn_negotiated_(false), |
451 origin_bound_cert_service_(context.origin_bound_cert_service), | 451 server_bound_cert_service_(context.server_bound_cert_service), |
452 ob_cert_type_(CLIENT_CERT_INVALID_TYPE), | 452 domain_bound_cert_type_(CLIENT_CERT_INVALID_TYPE), |
453 ob_cert_request_handle_(NULL), | 453 domain_bound_cert_request_handle_(NULL), |
454 handshake_callback_called_(false), | 454 handshake_callback_called_(false), |
455 completed_handshake_(false), | 455 completed_handshake_(false), |
456 ssl_session_cache_shard_(context.ssl_session_cache_shard), | 456 ssl_session_cache_shard_(context.ssl_session_cache_shard), |
457 eset_mitm_detected_(false), | 457 eset_mitm_detected_(false), |
458 predicted_cert_chain_correct_(false), | 458 predicted_cert_chain_correct_(false), |
459 next_handshake_state_(STATE_NONE), | 459 next_handshake_state_(STATE_NONE), |
460 nss_fd_(NULL), | 460 nss_fd_(NULL), |
461 nss_bufs_(NULL), | 461 nss_bufs_(NULL), |
462 net_log_(transport_socket->socket()->NetLog()), | 462 net_log_(transport_socket->socket()->NetLog()), |
463 ssl_host_info_(ssl_host_info), | 463 ssl_host_info_(ssl_host_info), |
(...skipping 29 matching lines...) Expand all Loading... |
493 ssl_info->cert = server_cert_verify_result_->verified_cert; | 493 ssl_info->cert = server_cert_verify_result_->verified_cert; |
494 ssl_info->connection_status = ssl_connection_status_; | 494 ssl_info->connection_status = ssl_connection_status_; |
495 ssl_info->public_key_hashes = server_cert_verify_result_->public_key_hashes; | 495 ssl_info->public_key_hashes = server_cert_verify_result_->public_key_hashes; |
496 for (std::vector<SHA1Fingerprint>::const_iterator | 496 for (std::vector<SHA1Fingerprint>::const_iterator |
497 i = side_pinned_public_keys_.begin(); | 497 i = side_pinned_public_keys_.begin(); |
498 i != side_pinned_public_keys_.end(); i++) { | 498 i != side_pinned_public_keys_.end(); i++) { |
499 ssl_info->public_key_hashes.push_back(*i); | 499 ssl_info->public_key_hashes.push_back(*i); |
500 } | 500 } |
501 ssl_info->is_issued_by_known_root = | 501 ssl_info->is_issued_by_known_root = |
502 server_cert_verify_result_->is_issued_by_known_root; | 502 server_cert_verify_result_->is_issued_by_known_root; |
503 ssl_info->client_cert_sent = WasOriginBoundCertSent() || | 503 ssl_info->client_cert_sent = WasDomainBoundCertSent() || |
504 (ssl_config_.send_client_cert && ssl_config_.client_cert); | 504 (ssl_config_.send_client_cert && ssl_config_.client_cert); |
505 | 505 |
506 PRUint16 cipher_suite = | 506 PRUint16 cipher_suite = |
507 SSLConnectionStatusToCipherSuite(ssl_connection_status_); | 507 SSLConnectionStatusToCipherSuite(ssl_connection_status_); |
508 SSLCipherSuiteInfo cipher_info; | 508 SSLCipherSuiteInfo cipher_info; |
509 SECStatus ok = SSL_GetCipherSuiteInfo(cipher_suite, | 509 SECStatus ok = SSL_GetCipherSuiteInfo(cipher_suite, |
510 &cipher_info, sizeof(cipher_info)); | 510 &cipher_info, sizeof(cipher_info)); |
511 if (ok == SECSuccess) { | 511 if (ok == SECSuccess) { |
512 ssl_info->security_bits = cipher_info.effectiveKeyBits; | 512 ssl_info->security_bits = cipher_info.effectiveKeyBits; |
513 } else { | 513 } else { |
(...skipping 100 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
614 | 614 |
615 void SSLClientSocketNSS::Disconnect() { | 615 void SSLClientSocketNSS::Disconnect() { |
616 EnterFunction(""); | 616 EnterFunction(""); |
617 | 617 |
618 CHECK(CalledOnValidThread()); | 618 CHECK(CalledOnValidThread()); |
619 | 619 |
620 // Shut down anything that may call us back. | 620 // Shut down anything that may call us back. |
621 verifier_.reset(); | 621 verifier_.reset(); |
622 transport_->socket()->Disconnect(); | 622 transport_->socket()->Disconnect(); |
623 | 623 |
624 if (ob_cert_request_handle_ != NULL) { | 624 if (domain_bound_cert_request_handle_ != NULL) { |
625 origin_bound_cert_service_->CancelRequest(ob_cert_request_handle_); | 625 server_bound_cert_service_->CancelRequest( |
626 ob_cert_request_handle_ = NULL; | 626 domain_bound_cert_request_handle_); |
| 627 domain_bound_cert_request_handle_ = NULL; |
627 } | 628 } |
628 | 629 |
629 // TODO(wtc): Send SSL close_notify alert. | 630 // TODO(wtc): Send SSL close_notify alert. |
630 if (nss_fd_ != NULL) { | 631 if (nss_fd_ != NULL) { |
631 PR_Close(nss_fd_); | 632 PR_Close(nss_fd_); |
632 nss_fd_ = NULL; | 633 nss_fd_ = NULL; |
633 } | 634 } |
634 | 635 |
635 // Reset object state. | 636 // Reset object state. |
636 user_connect_callback_.Reset(); | 637 user_connect_callback_.Reset(); |
(...skipping 13 matching lines...) Expand all Loading... |
650 local_server_cert_verify_result_.Reset(); | 651 local_server_cert_verify_result_.Reset(); |
651 server_cert_verify_result_ = NULL; | 652 server_cert_verify_result_ = NULL; |
652 ssl_connection_status_ = 0; | 653 ssl_connection_status_ = 0; |
653 completed_handshake_ = false; | 654 completed_handshake_ = false; |
654 eset_mitm_detected_ = false; | 655 eset_mitm_detected_ = false; |
655 start_cert_verification_time_ = base::TimeTicks(); | 656 start_cert_verification_time_ = base::TimeTicks(); |
656 predicted_cert_chain_correct_ = false; | 657 predicted_cert_chain_correct_ = false; |
657 nss_bufs_ = NULL; | 658 nss_bufs_ = NULL; |
658 client_certs_.clear(); | 659 client_certs_.clear(); |
659 client_auth_cert_needed_ = false; | 660 client_auth_cert_needed_ = false; |
660 ob_cert_xtn_negotiated_ = false; | 661 domain_bound_cert_xtn_negotiated_ = false; |
661 | 662 |
662 LeaveFunction(""); | 663 LeaveFunction(""); |
663 } | 664 } |
664 | 665 |
665 bool SSLClientSocketNSS::IsConnected() const { | 666 bool SSLClientSocketNSS::IsConnected() const { |
666 // Ideally, we should also check if we have received the close_notify alert | 667 // Ideally, we should also check if we have received the close_notify alert |
667 // message from the server, and return false in that case. We're not doing | 668 // message from the server, and return false in that case. We're not doing |
668 // that, so this function may return a false positive. Since the upper | 669 // that, so this function may return a false positive. Since the upper |
669 // layer (HttpNetworkTransaction) needs to handle a persistent connection | 670 // layer (HttpNetworkTransaction) needs to handle a persistent connection |
670 // closed by the server when we send a request anyway, a false positive in | 671 // closed by the server when we send a request anyway, a false positive in |
(...skipping 290 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
961 | 962 |
962 #ifdef SSL_ENABLE_CACHED_INFO | 963 #ifdef SSL_ENABLE_CACHED_INFO |
963 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_CACHED_INFO, | 964 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_CACHED_INFO, |
964 ssl_config_.cached_info_enabled); | 965 ssl_config_.cached_info_enabled); |
965 if (rv != SECSuccess) | 966 if (rv != SECSuccess) |
966 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_CACHED_INFO"); | 967 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_CACHED_INFO"); |
967 #endif | 968 #endif |
968 | 969 |
969 #ifdef SSL_ENABLE_OB_CERTS | 970 #ifdef SSL_ENABLE_OB_CERTS |
970 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_OB_CERTS, | 971 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_OB_CERTS, |
971 ssl_config_.origin_bound_certs_enabled); | 972 ssl_config_.server_bound_certs_enabled); |
972 if (rv != SECSuccess) | 973 if (rv != SECSuccess) |
973 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_OB_CERTS"); | 974 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_OB_CERTS"); |
974 #endif | 975 #endif |
975 | 976 |
976 #ifdef SSL_ENCRYPT_CLIENT_CERTS | 977 #ifdef SSL_ENCRYPT_CLIENT_CERTS |
977 // For now, enable the encrypted client certificates extension only if | 978 // For now, enable the encrypted client certificates extension only if |
978 // origin-bound certificates are enabled. | 979 // server-bound certificates are enabled. |
979 rv = SSL_OptionSet(nss_fd_, SSL_ENCRYPT_CLIENT_CERTS, | 980 rv = SSL_OptionSet(nss_fd_, SSL_ENCRYPT_CLIENT_CERTS, |
980 ssl_config_.origin_bound_certs_enabled); | 981 ssl_config_.server_bound_certs_enabled); |
981 if (rv != SECSuccess) | 982 if (rv != SECSuccess) |
982 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENCRYPT_CLIENT_CERTS"); | 983 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENCRYPT_CLIENT_CERTS"); |
983 #endif | 984 #endif |
984 | 985 |
985 rv = SSL_OptionSet(nss_fd_, SSL_HANDSHAKE_AS_CLIENT, PR_TRUE); | 986 rv = SSL_OptionSet(nss_fd_, SSL_HANDSHAKE_AS_CLIENT, PR_TRUE); |
986 if (rv != SECSuccess) { | 987 if (rv != SECSuccess) { |
987 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_HANDSHAKE_AS_CLIENT"); | 988 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_HANDSHAKE_AS_CLIENT"); |
988 return ERR_UNEXPECTED; | 989 return ERR_UNEXPECTED; |
989 } | 990 } |
990 | 991 |
(...skipping 281 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1272 State state = next_handshake_state_; | 1273 State state = next_handshake_state_; |
1273 GotoState(STATE_NONE); | 1274 GotoState(STATE_NONE); |
1274 switch (state) { | 1275 switch (state) { |
1275 case STATE_LOAD_SSL_HOST_INFO: | 1276 case STATE_LOAD_SSL_HOST_INFO: |
1276 DCHECK(rv == OK || rv == ERR_IO_PENDING); | 1277 DCHECK(rv == OK || rv == ERR_IO_PENDING); |
1277 rv = DoLoadSSLHostInfo(); | 1278 rv = DoLoadSSLHostInfo(); |
1278 break; | 1279 break; |
1279 case STATE_HANDSHAKE: | 1280 case STATE_HANDSHAKE: |
1280 rv = DoHandshake(); | 1281 rv = DoHandshake(); |
1281 break; | 1282 break; |
1282 case STATE_GET_OB_CERT_COMPLETE: | 1283 case STATE_GET_DB_CERT_COMPLETE: |
1283 rv = DoGetOBCertComplete(rv); | 1284 rv = DoGetDBCertComplete(rv); |
1284 break; | 1285 break; |
1285 case STATE_VERIFY_DNSSEC: | 1286 case STATE_VERIFY_DNSSEC: |
1286 rv = DoVerifyDNSSEC(rv); | 1287 rv = DoVerifyDNSSEC(rv); |
1287 break; | 1288 break; |
1288 case STATE_VERIFY_CERT: | 1289 case STATE_VERIFY_CERT: |
1289 DCHECK(rv == OK); | 1290 DCHECK(rv == OK); |
1290 rv = DoVerifyCert(rv); | 1291 rv = DoVerifyCert(rv); |
1291 break; | 1292 break; |
1292 case STATE_VERIFY_CERT_COMPLETE: | 1293 case STATE_VERIFY_CERT_COMPLETE: |
1293 rv = DoVerifyCertComplete(rv); | 1294 rv = DoVerifyCertComplete(rv); |
(...skipping 126 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1420 | 1421 |
1421 LeaveFunction(""); | 1422 LeaveFunction(""); |
1422 return rv; | 1423 return rv; |
1423 } | 1424 } |
1424 | 1425 |
1425 int SSLClientSocketNSS::DoHandshake() { | 1426 int SSLClientSocketNSS::DoHandshake() { |
1426 EnterFunction(""); | 1427 EnterFunction(""); |
1427 int net_error = net::OK; | 1428 int net_error = net::OK; |
1428 SECStatus rv = SSL_ForceHandshake(nss_fd_); | 1429 SECStatus rv = SSL_ForceHandshake(nss_fd_); |
1429 | 1430 |
1430 // TODO(rkn): Handle the case in which origin-bound cert generation takes | 1431 // TODO(rkn): Handle the case in which server-bound cert generation takes |
1431 // too long and the server has closed the connection. Report some new error | 1432 // too long and the server has closed the connection. Report some new error |
1432 // code so that the higher level code will attempt to delete the socket and | 1433 // code so that the higher level code will attempt to delete the socket and |
1433 // redo the handshake. | 1434 // redo the handshake. |
1434 | 1435 |
1435 if (client_auth_cert_needed_) { | 1436 if (client_auth_cert_needed_) { |
1436 if (ob_cert_xtn_negotiated_) { | 1437 if (domain_bound_cert_xtn_negotiated_) { |
1437 GotoState(STATE_GET_OB_CERT_COMPLETE); | 1438 GotoState(STATE_GET_DB_CERT_COMPLETE); |
1438 net_error = ERR_IO_PENDING; | 1439 net_error = ERR_IO_PENDING; |
1439 } else { | 1440 } else { |
1440 net_error = ERR_SSL_CLIENT_AUTH_CERT_NEEDED; | 1441 net_error = ERR_SSL_CLIENT_AUTH_CERT_NEEDED; |
1441 net_log_.AddEvent(NetLog::TYPE_SSL_HANDSHAKE_ERROR, | 1442 net_log_.AddEvent(NetLog::TYPE_SSL_HANDSHAKE_ERROR, |
1442 make_scoped_refptr(new SSLErrorParams(net_error, 0))); | 1443 make_scoped_refptr(new SSLErrorParams(net_error, 0))); |
1443 // If the handshake already succeeded (because the server requests but | 1444 // If the handshake already succeeded (because the server requests but |
1444 // doesn't require a client cert), we need to invalidate the SSL session | 1445 // doesn't require a client cert), we need to invalidate the SSL session |
1445 // so that we won't try to resume the non-client-authenticated session in | 1446 // so that we won't try to resume the non-client-authenticated session in |
1446 // the next handshake. This will cause the server to ask for a client | 1447 // the next handshake. This will cause the server to ask for a client |
1447 // cert again. | 1448 // cert again. |
(...skipping 94 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1542 net_log_.AddEvent( | 1543 net_log_.AddEvent( |
1543 NetLog::TYPE_SSL_HANDSHAKE_ERROR, | 1544 NetLog::TYPE_SSL_HANDSHAKE_ERROR, |
1544 make_scoped_refptr(new SSLErrorParams(net_error, prerr))); | 1545 make_scoped_refptr(new SSLErrorParams(net_error, prerr))); |
1545 } | 1546 } |
1546 } | 1547 } |
1547 | 1548 |
1548 LeaveFunction(""); | 1549 LeaveFunction(""); |
1549 return net_error; | 1550 return net_error; |
1550 } | 1551 } |
1551 | 1552 |
1552 int SSLClientSocketNSS::ImportOBCertAndKey(CERTCertificate** cert, | 1553 int SSLClientSocketNSS::ImportDBCertAndKey(CERTCertificate** cert, |
1553 SECKEYPrivateKey** key) { | 1554 SECKEYPrivateKey** key) { |
1554 // Set the certificate. | 1555 // Set the certificate. |
1555 SECItem cert_item; | 1556 SECItem cert_item; |
1556 cert_item.data = (unsigned char*) ob_cert_.data(); | 1557 cert_item.data = (unsigned char*) domain_bound_cert_.data(); |
1557 cert_item.len = ob_cert_.size(); | 1558 cert_item.len = domain_bound_cert_.size(); |
1558 *cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(), | 1559 *cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(), |
1559 &cert_item, | 1560 &cert_item, |
1560 NULL, | 1561 NULL, |
1561 PR_FALSE, | 1562 PR_FALSE, |
1562 PR_TRUE); | 1563 PR_TRUE); |
1563 if (*cert == NULL) | 1564 if (*cert == NULL) |
1564 return MapNSSError(PORT_GetError()); | 1565 return MapNSSError(PORT_GetError()); |
1565 | 1566 |
1566 // Set the private key. | 1567 // Set the private key. |
1567 switch (ob_cert_type_) { | 1568 switch (domain_bound_cert_type_) { |
1568 case CLIENT_CERT_ECDSA_SIGN: { | 1569 case CLIENT_CERT_ECDSA_SIGN: { |
1569 SECKEYPublicKey* public_key = NULL; | 1570 SECKEYPublicKey* public_key = NULL; |
1570 if (!crypto::ECPrivateKey::ImportFromEncryptedPrivateKeyInfo( | 1571 if (!crypto::ECPrivateKey::ImportFromEncryptedPrivateKeyInfo( |
1571 OriginBoundCertService::kEPKIPassword, | 1572 ServerBoundCertService::kEPKIPassword, |
1572 reinterpret_cast<const unsigned char*>(ob_private_key_.data()), | 1573 reinterpret_cast<const unsigned char*>( |
1573 ob_private_key_.size(), | 1574 domain_bound_private_key_.data()), |
| 1575 domain_bound_private_key_.size(), |
1574 &(*cert)->subjectPublicKeyInfo, | 1576 &(*cert)->subjectPublicKeyInfo, |
1575 false, | 1577 false, |
1576 false, | 1578 false, |
1577 key, | 1579 key, |
1578 &public_key)) { | 1580 &public_key)) { |
1579 CERT_DestroyCertificate(*cert); | 1581 CERT_DestroyCertificate(*cert); |
1580 *cert = NULL; | 1582 *cert = NULL; |
1581 return MapNSSError(PORT_GetError()); | 1583 return MapNSSError(PORT_GetError()); |
1582 } | 1584 } |
1583 SECKEY_DestroyPublicKey(public_key); | 1585 SECKEY_DestroyPublicKey(public_key); |
1584 break; | 1586 break; |
1585 } | 1587 } |
1586 | 1588 |
1587 default: | 1589 default: |
1588 NOTREACHED(); | 1590 NOTREACHED(); |
1589 return ERR_INVALID_ARGUMENT; | 1591 return ERR_INVALID_ARGUMENT; |
1590 } | 1592 } |
1591 | 1593 |
1592 return OK; | 1594 return OK; |
1593 } | 1595 } |
1594 | 1596 |
1595 int SSLClientSocketNSS::DoGetOBCertComplete(int result) { | 1597 int SSLClientSocketNSS::DoGetDBCertComplete(int result) { |
1596 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_GET_ORIGIN_BOUND_CERT, | 1598 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_GET_DOMAIN_BOUND_CERT, |
1597 result); | 1599 result); |
1598 client_auth_cert_needed_ = false; | 1600 client_auth_cert_needed_ = false; |
1599 ob_cert_request_handle_ = NULL; | 1601 domain_bound_cert_request_handle_ = NULL; |
1600 | 1602 |
1601 if (result != OK) | 1603 if (result != OK) |
1602 return result; | 1604 return result; |
1603 | 1605 |
1604 CERTCertificate* cert; | 1606 CERTCertificate* cert; |
1605 SECKEYPrivateKey* key; | 1607 SECKEYPrivateKey* key; |
1606 int error = ImportOBCertAndKey(&cert, &key); | 1608 int error = ImportDBCertAndKey(&cert, &key); |
1607 if (error != OK) | 1609 if (error != OK) |
1608 return error; | 1610 return error; |
1609 | 1611 |
1610 CERTCertificateList* cert_chain = CERT_CertChainFromCert(cert, | 1612 CERTCertificateList* cert_chain = CERT_CertChainFromCert(cert, |
1611 certUsageSSLClient, | 1613 certUsageSSLClient, |
1612 PR_FALSE); | 1614 PR_FALSE); |
1613 net_log_.AddEvent(NetLog::TYPE_SSL_CLIENT_CERT_PROVIDED, | 1615 net_log_.AddEvent(NetLog::TYPE_SSL_CLIENT_CERT_PROVIDED, |
1614 make_scoped_refptr(new NetLogIntegerParameter("cert_count", | 1616 make_scoped_refptr(new NetLogIntegerParameter("cert_count", |
1615 cert_chain->len))); | 1617 cert_chain->len))); |
1616 SECStatus rv; | 1618 SECStatus rv; |
1617 rv = SSL_RestartHandshakeAfterCertReq(nss_fd_, cert, key, cert_chain); | 1619 rv = SSL_RestartHandshakeAfterCertReq(nss_fd_, cert, key, cert_chain); |
1618 if (rv != SECSuccess) | 1620 if (rv != SECSuccess) |
1619 return MapNSSError(PORT_GetError()); | 1621 return MapNSSError(PORT_GetError()); |
1620 | 1622 |
1621 GotoState(STATE_HANDSHAKE); | 1623 GotoState(STATE_HANDSHAKE); |
1622 set_origin_bound_cert_type(ob_cert_type_); | 1624 set_domain_bound_cert_type(domain_bound_cert_type_); |
1623 return OK; | 1625 return OK; |
1624 } | 1626 } |
1625 | 1627 |
1626 int SSLClientSocketNSS::DoVerifyDNSSEC(int result) { | 1628 int SSLClientSocketNSS::DoVerifyDNSSEC(int result) { |
1627 DNSValidationResult r = CheckDNSSECChain(host_and_port_.host(), | 1629 DNSValidationResult r = CheckDNSSECChain(host_and_port_.host(), |
1628 server_cert_nss_, | 1630 server_cert_nss_, |
1629 host_and_port_.port()); | 1631 host_and_port_.port()); |
1630 if (r == DNSVR_SUCCESS) { | 1632 if (r == DNSVR_SUCCESS) { |
1631 local_server_cert_verify_result_.cert_status |= CERT_STATUS_IS_DNSSEC; | 1633 local_server_cert_verify_result_.cert_status |= CERT_STATUS_IS_DNSSEC; |
1632 local_server_cert_verify_result_.verified_cert = server_cert_; | 1634 local_server_cert_verify_result_.verified_cert = server_cert_; |
(...skipping 528 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
2161 base::TimeDelta::FromMilliseconds(kCorkTimeoutMs), | 2163 base::TimeDelta::FromMilliseconds(kCorkTimeoutMs), |
2162 that, &SSLClientSocketNSS::UncorkAfterTimeout); | 2164 that, &SSLClientSocketNSS::UncorkAfterTimeout); |
2163 } | 2165 } |
2164 #endif | 2166 #endif |
2165 | 2167 |
2166 // Tell NSS to not verify the certificate. | 2168 // Tell NSS to not verify the certificate. |
2167 return SECSuccess; | 2169 return SECSuccess; |
2168 } | 2170 } |
2169 | 2171 |
2170 // static | 2172 // static |
2171 bool SSLClientSocketNSS::OriginBoundCertNegotiated(PRFileDesc* socket) { | 2173 bool SSLClientSocketNSS::DomainBoundCertNegotiated(PRFileDesc* socket) { |
2172 PRBool xtn_negotiated = PR_FALSE; | 2174 PRBool xtn_negotiated = PR_FALSE; |
2173 SECStatus rv = SSL_HandshakeNegotiatedExtension( | 2175 SECStatus rv = SSL_HandshakeNegotiatedExtension( |
2174 socket, ssl_ob_cert_xtn, &xtn_negotiated); | 2176 socket, ssl_ob_cert_xtn, &xtn_negotiated); |
2175 DCHECK_EQ(SECSuccess, rv); | 2177 DCHECK_EQ(SECSuccess, rv); |
2176 | 2178 |
2177 return xtn_negotiated ? true : false; | 2179 return xtn_negotiated ? true : false; |
2178 } | 2180 } |
2179 | 2181 |
2180 SECStatus SSLClientSocketNSS::OriginBoundClientAuthHandler( | 2182 SECStatus SSLClientSocketNSS::DomainBoundClientAuthHandler( |
2181 const SECItem* cert_types, | 2183 const SECItem* cert_types, |
2182 CERTCertificate** result_certificate, | 2184 CERTCertificate** result_certificate, |
2183 SECKEYPrivateKey** result_private_key) { | 2185 SECKEYPrivateKey** result_private_key) { |
2184 ob_cert_xtn_negotiated_ = true; | 2186 domain_bound_cert_xtn_negotiated_ = true; |
2185 | 2187 |
2186 // We have negotiated the origin-bound certificate extension. | 2188 // We have negotiated the domain-bound certificate extension. |
2187 std::string origin = "https://" + host_and_port_.ToString(); | 2189 std::string origin = "https://" + host_and_port_.ToString(); |
2188 std::vector<uint8> requested_cert_types(cert_types->data, | 2190 std::vector<uint8> requested_cert_types(cert_types->data, |
2189 cert_types->data + cert_types->len); | 2191 cert_types->data + cert_types->len); |
2190 net_log_.BeginEvent(NetLog::TYPE_SSL_GET_ORIGIN_BOUND_CERT, NULL); | 2192 net_log_.BeginEvent(NetLog::TYPE_SSL_GET_DOMAIN_BOUND_CERT, NULL); |
2191 int error = origin_bound_cert_service_->GetOriginBoundCert( | 2193 int error = server_bound_cert_service_->GetDomainBoundCert( |
2192 origin, | 2194 origin, |
2193 requested_cert_types, | 2195 requested_cert_types, |
2194 &ob_cert_type_, | 2196 &domain_bound_cert_type_, |
2195 &ob_private_key_, | 2197 &domain_bound_private_key_, |
2196 &ob_cert_, | 2198 &domain_bound_cert_, |
2197 base::Bind(&SSLClientSocketNSS::OnHandshakeIOComplete, | 2199 base::Bind(&SSLClientSocketNSS::OnHandshakeIOComplete, |
2198 base::Unretained(this)), | 2200 base::Unretained(this)), |
2199 &ob_cert_request_handle_); | 2201 &domain_bound_cert_request_handle_); |
2200 | 2202 |
2201 if (error == ERR_IO_PENDING) { | 2203 if (error == ERR_IO_PENDING) { |
2202 // Asynchronous case. | 2204 // Asynchronous case. |
2203 client_auth_cert_needed_ = true; | 2205 client_auth_cert_needed_ = true; |
2204 return SECWouldBlock; | 2206 return SECWouldBlock; |
2205 } | 2207 } |
2206 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_GET_ORIGIN_BOUND_CERT, | 2208 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_GET_DOMAIN_BOUND_CERT, |
2207 error); | 2209 error); |
2208 | 2210 |
2209 SECStatus rv = SECSuccess; | 2211 SECStatus rv = SECSuccess; |
2210 if (error == OK) { | 2212 if (error == OK) { |
2211 // Synchronous success. | 2213 // Synchronous success. |
2212 int result = ImportOBCertAndKey(result_certificate, | 2214 int result = ImportDBCertAndKey(result_certificate, |
2213 result_private_key); | 2215 result_private_key); |
2214 if (result == OK) { | 2216 if (result == OK) { |
2215 set_origin_bound_cert_type(ob_cert_type_); | 2217 set_domain_bound_cert_type(domain_bound_cert_type_); |
2216 } else { | 2218 } else { |
2217 rv = SECFailure; | 2219 rv = SECFailure; |
2218 } | 2220 } |
2219 } else { | 2221 } else { |
2220 rv = SECFailure; // Synchronous failure. | 2222 rv = SECFailure; // Synchronous failure. |
2221 } | 2223 } |
2222 | 2224 |
2223 int cert_count = (rv == SECSuccess) ? 1 : 0; | 2225 int cert_count = (rv == SECSuccess) ? 1 : 0; |
2224 net_log_.AddEvent(NetLog::TYPE_SSL_CLIENT_CERT_PROVIDED, | 2226 net_log_.AddEvent(NetLog::TYPE_SSL_CLIENT_CERT_PROVIDED, |
2225 make_scoped_refptr(new NetLogIntegerParameter("cert_count", | 2227 make_scoped_refptr(new NetLogIntegerParameter("cert_count", |
(...skipping 11 matching lines...) Expand all Loading... |
2237 CERTCertList** result_certs, | 2239 CERTCertList** result_certs, |
2238 void** result_private_key, | 2240 void** result_private_key, |
2239 CERTCertificate** result_nss_certificate, | 2241 CERTCertificate** result_nss_certificate, |
2240 SECKEYPrivateKey** result_nss_private_key) { | 2242 SECKEYPrivateKey** result_nss_private_key) { |
2241 SSLClientSocketNSS* that = reinterpret_cast<SSLClientSocketNSS*>(arg); | 2243 SSLClientSocketNSS* that = reinterpret_cast<SSLClientSocketNSS*>(arg); |
2242 | 2244 |
2243 that->net_log_.AddEvent(NetLog::TYPE_SSL_CLIENT_CERT_REQUESTED, NULL); | 2245 that->net_log_.AddEvent(NetLog::TYPE_SSL_CLIENT_CERT_REQUESTED, NULL); |
2244 | 2246 |
2245 const SECItem* cert_types = SSL_GetRequestedClientCertificateTypes(socket); | 2247 const SECItem* cert_types = SSL_GetRequestedClientCertificateTypes(socket); |
2246 | 2248 |
2247 // Check if an origin-bound certificate is requested. | 2249 // Check if an domain-bound certificate is requested. |
2248 if (OriginBoundCertNegotiated(socket)) { | 2250 if (DomainBoundCertNegotiated(socket)) { |
2249 return that->OriginBoundClientAuthHandler( | 2251 return that->DomainBoundClientAuthHandler( |
2250 cert_types, result_nss_certificate, result_nss_private_key); | 2252 cert_types, result_nss_certificate, result_nss_private_key); |
2251 } | 2253 } |
2252 | 2254 |
2253 that->client_auth_cert_needed_ = !that->ssl_config_.send_client_cert; | 2255 that->client_auth_cert_needed_ = !that->ssl_config_.send_client_cert; |
2254 #if defined(OS_WIN) | 2256 #if defined(OS_WIN) |
2255 if (that->ssl_config_.send_client_cert) { | 2257 if (that->ssl_config_.send_client_cert) { |
2256 if (that->ssl_config_.client_cert) { | 2258 if (that->ssl_config_.client_cert) { |
2257 PCCERT_CONTEXT cert_context = | 2259 PCCERT_CONTEXT cert_context = |
2258 that->ssl_config_.client_cert->os_cert_handle(); | 2260 that->ssl_config_.client_cert->os_cert_handle(); |
2259 | 2261 |
(...skipping 283 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
2543 PRFileDesc* socket, | 2545 PRFileDesc* socket, |
2544 CERTDistNames* ca_names, | 2546 CERTDistNames* ca_names, |
2545 CERTCertificate** result_certificate, | 2547 CERTCertificate** result_certificate, |
2546 SECKEYPrivateKey** result_private_key) { | 2548 SECKEYPrivateKey** result_private_key) { |
2547 SSLClientSocketNSS* that = reinterpret_cast<SSLClientSocketNSS*>(arg); | 2549 SSLClientSocketNSS* that = reinterpret_cast<SSLClientSocketNSS*>(arg); |
2548 | 2550 |
2549 that->net_log_.AddEvent(NetLog::TYPE_SSL_CLIENT_CERT_REQUESTED, NULL); | 2551 that->net_log_.AddEvent(NetLog::TYPE_SSL_CLIENT_CERT_REQUESTED, NULL); |
2550 | 2552 |
2551 const SECItem* cert_types = SSL_GetRequestedClientCertificateTypes(socket); | 2553 const SECItem* cert_types = SSL_GetRequestedClientCertificateTypes(socket); |
2552 | 2554 |
2553 // Check if an origin-bound certificate is requested. | 2555 // Check if an domain-bound certificate is requested. |
2554 if (OriginBoundCertNegotiated(socket)) { | 2556 if (DomainBoundCertNegotiated(socket)) { |
2555 return that->OriginBoundClientAuthHandler( | 2557 return that->DomainBoundClientAuthHandler( |
2556 cert_types, result_certificate, result_private_key); | 2558 cert_types, result_certificate, result_private_key); |
2557 } | 2559 } |
2558 | 2560 |
2559 // Regular client certificate requested. | 2561 // Regular client certificate requested. |
2560 that->client_auth_cert_needed_ = !that->ssl_config_.send_client_cert; | 2562 that->client_auth_cert_needed_ = !that->ssl_config_.send_client_cert; |
2561 void* wincx = SSL_RevealPinArg(socket); | 2563 void* wincx = SSL_RevealPinArg(socket); |
2562 | 2564 |
2563 // Second pass: a client certificate should have been selected. | 2565 // Second pass: a client certificate should have been selected. |
2564 if (that->ssl_config_.send_client_cert) { | 2566 if (that->ssl_config_.send_client_cert) { |
2565 if (that->ssl_config_.client_cert) { | 2567 if (that->ssl_config_.client_cert) { |
(...skipping 133 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
2699 return; | 2701 return; |
2700 valid_thread_id_ = base::PlatformThread::CurrentId(); | 2702 valid_thread_id_ = base::PlatformThread::CurrentId(); |
2701 } | 2703 } |
2702 | 2704 |
2703 bool SSLClientSocketNSS::CalledOnValidThread() const { | 2705 bool SSLClientSocketNSS::CalledOnValidThread() const { |
2704 EnsureThreadIdAssigned(); | 2706 EnsureThreadIdAssigned(); |
2705 base::AutoLock auto_lock(lock_); | 2707 base::AutoLock auto_lock(lock_); |
2706 return valid_thread_id_ == base::PlatformThread::CurrentId(); | 2708 return valid_thread_id_ == base::PlatformThread::CurrentId(); |
2707 } | 2709 } |
2708 | 2710 |
2709 OriginBoundCertService* SSLClientSocketNSS::GetOriginBoundCertService() const { | 2711 ServerBoundCertService* SSLClientSocketNSS::GetServerBoundCertService() const { |
2710 return origin_bound_cert_service_; | 2712 return server_bound_cert_service_; |
2711 } | 2713 } |
2712 | 2714 |
2713 } // namespace net | 2715 } // namespace net |
OLD | NEW |