Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(94)

Side by Side Diff: net/socket/ssl_client_socket_nss.cc

Issue 9617039: Change Origin bound certs -> Domain bound certs. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: rename all the things Created 8 years, 9 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived
6 // from AuthCertificateCallback() in 6 // from AuthCertificateCallback() in
7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.
8 8
9 /* ***** BEGIN LICENSE BLOCK ***** 9 /* ***** BEGIN LICENSE BLOCK *****
10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
(...skipping 429 matching lines...) Expand 10 before | Expand all | Expand 10 after
440 transport_(transport_socket), 440 transport_(transport_socket),
441 host_and_port_(host_and_port), 441 host_and_port_(host_and_port),
442 ssl_config_(ssl_config), 442 ssl_config_(ssl_config),
443 user_read_buf_len_(0), 443 user_read_buf_len_(0),
444 user_write_buf_len_(0), 444 user_write_buf_len_(0),
445 server_cert_nss_(NULL), 445 server_cert_nss_(NULL),
446 server_cert_verify_result_(NULL), 446 server_cert_verify_result_(NULL),
447 ssl_connection_status_(0), 447 ssl_connection_status_(0),
448 client_auth_cert_needed_(false), 448 client_auth_cert_needed_(false),
449 cert_verifier_(context.cert_verifier), 449 cert_verifier_(context.cert_verifier),
450 ob_cert_xtn_negotiated_(false), 450 domain_bound_cert_xtn_negotiated_(false),
451 origin_bound_cert_service_(context.origin_bound_cert_service), 451 server_bound_cert_service_(context.server_bound_cert_service),
452 ob_cert_type_(CLIENT_CERT_INVALID_TYPE), 452 domain_bound_cert_type_(CLIENT_CERT_INVALID_TYPE),
453 ob_cert_request_handle_(NULL), 453 domain_bound_cert_request_handle_(NULL),
454 handshake_callback_called_(false), 454 handshake_callback_called_(false),
455 completed_handshake_(false), 455 completed_handshake_(false),
456 ssl_session_cache_shard_(context.ssl_session_cache_shard), 456 ssl_session_cache_shard_(context.ssl_session_cache_shard),
457 eset_mitm_detected_(false), 457 eset_mitm_detected_(false),
458 predicted_cert_chain_correct_(false), 458 predicted_cert_chain_correct_(false),
459 next_handshake_state_(STATE_NONE), 459 next_handshake_state_(STATE_NONE),
460 nss_fd_(NULL), 460 nss_fd_(NULL),
461 nss_bufs_(NULL), 461 nss_bufs_(NULL),
462 net_log_(transport_socket->socket()->NetLog()), 462 net_log_(transport_socket->socket()->NetLog()),
463 ssl_host_info_(ssl_host_info), 463 ssl_host_info_(ssl_host_info),
(...skipping 29 matching lines...) Expand all
493 ssl_info->cert = server_cert_verify_result_->verified_cert; 493 ssl_info->cert = server_cert_verify_result_->verified_cert;
494 ssl_info->connection_status = ssl_connection_status_; 494 ssl_info->connection_status = ssl_connection_status_;
495 ssl_info->public_key_hashes = server_cert_verify_result_->public_key_hashes; 495 ssl_info->public_key_hashes = server_cert_verify_result_->public_key_hashes;
496 for (std::vector<SHA1Fingerprint>::const_iterator 496 for (std::vector<SHA1Fingerprint>::const_iterator
497 i = side_pinned_public_keys_.begin(); 497 i = side_pinned_public_keys_.begin();
498 i != side_pinned_public_keys_.end(); i++) { 498 i != side_pinned_public_keys_.end(); i++) {
499 ssl_info->public_key_hashes.push_back(*i); 499 ssl_info->public_key_hashes.push_back(*i);
500 } 500 }
501 ssl_info->is_issued_by_known_root = 501 ssl_info->is_issued_by_known_root =
502 server_cert_verify_result_->is_issued_by_known_root; 502 server_cert_verify_result_->is_issued_by_known_root;
503 ssl_info->client_cert_sent = WasOriginBoundCertSent() || 503 ssl_info->client_cert_sent = WasDomainBoundCertSent() ||
504 (ssl_config_.send_client_cert && ssl_config_.client_cert); 504 (ssl_config_.send_client_cert && ssl_config_.client_cert);
505 505
506 PRUint16 cipher_suite = 506 PRUint16 cipher_suite =
507 SSLConnectionStatusToCipherSuite(ssl_connection_status_); 507 SSLConnectionStatusToCipherSuite(ssl_connection_status_);
508 SSLCipherSuiteInfo cipher_info; 508 SSLCipherSuiteInfo cipher_info;
509 SECStatus ok = SSL_GetCipherSuiteInfo(cipher_suite, 509 SECStatus ok = SSL_GetCipherSuiteInfo(cipher_suite,
510 &cipher_info, sizeof(cipher_info)); 510 &cipher_info, sizeof(cipher_info));
511 if (ok == SECSuccess) { 511 if (ok == SECSuccess) {
512 ssl_info->security_bits = cipher_info.effectiveKeyBits; 512 ssl_info->security_bits = cipher_info.effectiveKeyBits;
513 } else { 513 } else {
(...skipping 100 matching lines...) Expand 10 before | Expand all | Expand 10 after
614 614
615 void SSLClientSocketNSS::Disconnect() { 615 void SSLClientSocketNSS::Disconnect() {
616 EnterFunction(""); 616 EnterFunction("");
617 617
618 CHECK(CalledOnValidThread()); 618 CHECK(CalledOnValidThread());
619 619
620 // Shut down anything that may call us back. 620 // Shut down anything that may call us back.
621 verifier_.reset(); 621 verifier_.reset();
622 transport_->socket()->Disconnect(); 622 transport_->socket()->Disconnect();
623 623
624 if (ob_cert_request_handle_ != NULL) { 624 if (domain_bound_cert_request_handle_ != NULL) {
625 origin_bound_cert_service_->CancelRequest(ob_cert_request_handle_); 625 server_bound_cert_service_->CancelRequest(
626 ob_cert_request_handle_ = NULL; 626 domain_bound_cert_request_handle_);
627 domain_bound_cert_request_handle_ = NULL;
627 } 628 }
628 629
629 // TODO(wtc): Send SSL close_notify alert. 630 // TODO(wtc): Send SSL close_notify alert.
630 if (nss_fd_ != NULL) { 631 if (nss_fd_ != NULL) {
631 PR_Close(nss_fd_); 632 PR_Close(nss_fd_);
632 nss_fd_ = NULL; 633 nss_fd_ = NULL;
633 } 634 }
634 635
635 // Reset object state. 636 // Reset object state.
636 user_connect_callback_.Reset(); 637 user_connect_callback_.Reset();
(...skipping 13 matching lines...) Expand all
650 local_server_cert_verify_result_.Reset(); 651 local_server_cert_verify_result_.Reset();
651 server_cert_verify_result_ = NULL; 652 server_cert_verify_result_ = NULL;
652 ssl_connection_status_ = 0; 653 ssl_connection_status_ = 0;
653 completed_handshake_ = false; 654 completed_handshake_ = false;
654 eset_mitm_detected_ = false; 655 eset_mitm_detected_ = false;
655 start_cert_verification_time_ = base::TimeTicks(); 656 start_cert_verification_time_ = base::TimeTicks();
656 predicted_cert_chain_correct_ = false; 657 predicted_cert_chain_correct_ = false;
657 nss_bufs_ = NULL; 658 nss_bufs_ = NULL;
658 client_certs_.clear(); 659 client_certs_.clear();
659 client_auth_cert_needed_ = false; 660 client_auth_cert_needed_ = false;
660 ob_cert_xtn_negotiated_ = false; 661 domain_bound_cert_xtn_negotiated_ = false;
661 662
662 LeaveFunction(""); 663 LeaveFunction("");
663 } 664 }
664 665
665 bool SSLClientSocketNSS::IsConnected() const { 666 bool SSLClientSocketNSS::IsConnected() const {
666 // Ideally, we should also check if we have received the close_notify alert 667 // Ideally, we should also check if we have received the close_notify alert
667 // message from the server, and return false in that case. We're not doing 668 // message from the server, and return false in that case. We're not doing
668 // that, so this function may return a false positive. Since the upper 669 // that, so this function may return a false positive. Since the upper
669 // layer (HttpNetworkTransaction) needs to handle a persistent connection 670 // layer (HttpNetworkTransaction) needs to handle a persistent connection
670 // closed by the server when we send a request anyway, a false positive in 671 // closed by the server when we send a request anyway, a false positive in
(...skipping 290 matching lines...) Expand 10 before | Expand all | Expand 10 after
961 962
962 #ifdef SSL_ENABLE_CACHED_INFO 963 #ifdef SSL_ENABLE_CACHED_INFO
963 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_CACHED_INFO, 964 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_CACHED_INFO,
964 ssl_config_.cached_info_enabled); 965 ssl_config_.cached_info_enabled);
965 if (rv != SECSuccess) 966 if (rv != SECSuccess)
966 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_CACHED_INFO"); 967 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_CACHED_INFO");
967 #endif 968 #endif
968 969
969 #ifdef SSL_ENABLE_OB_CERTS 970 #ifdef SSL_ENABLE_OB_CERTS
970 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_OB_CERTS, 971 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_OB_CERTS,
971 ssl_config_.origin_bound_certs_enabled); 972 ssl_config_.server_bound_certs_enabled);
972 if (rv != SECSuccess) 973 if (rv != SECSuccess)
973 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_OB_CERTS"); 974 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_OB_CERTS");
974 #endif 975 #endif
975 976
976 #ifdef SSL_ENCRYPT_CLIENT_CERTS 977 #ifdef SSL_ENCRYPT_CLIENT_CERTS
977 // For now, enable the encrypted client certificates extension only if 978 // For now, enable the encrypted client certificates extension only if
978 // origin-bound certificates are enabled. 979 // server-bound certificates are enabled.
979 rv = SSL_OptionSet(nss_fd_, SSL_ENCRYPT_CLIENT_CERTS, 980 rv = SSL_OptionSet(nss_fd_, SSL_ENCRYPT_CLIENT_CERTS,
980 ssl_config_.origin_bound_certs_enabled); 981 ssl_config_.server_bound_certs_enabled);
981 if (rv != SECSuccess) 982 if (rv != SECSuccess)
982 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENCRYPT_CLIENT_CERTS"); 983 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENCRYPT_CLIENT_CERTS");
983 #endif 984 #endif
984 985
985 rv = SSL_OptionSet(nss_fd_, SSL_HANDSHAKE_AS_CLIENT, PR_TRUE); 986 rv = SSL_OptionSet(nss_fd_, SSL_HANDSHAKE_AS_CLIENT, PR_TRUE);
986 if (rv != SECSuccess) { 987 if (rv != SECSuccess) {
987 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_HANDSHAKE_AS_CLIENT"); 988 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_HANDSHAKE_AS_CLIENT");
988 return ERR_UNEXPECTED; 989 return ERR_UNEXPECTED;
989 } 990 }
990 991
(...skipping 281 matching lines...) Expand 10 before | Expand all | Expand 10 after
1272 State state = next_handshake_state_; 1273 State state = next_handshake_state_;
1273 GotoState(STATE_NONE); 1274 GotoState(STATE_NONE);
1274 switch (state) { 1275 switch (state) {
1275 case STATE_LOAD_SSL_HOST_INFO: 1276 case STATE_LOAD_SSL_HOST_INFO:
1276 DCHECK(rv == OK || rv == ERR_IO_PENDING); 1277 DCHECK(rv == OK || rv == ERR_IO_PENDING);
1277 rv = DoLoadSSLHostInfo(); 1278 rv = DoLoadSSLHostInfo();
1278 break; 1279 break;
1279 case STATE_HANDSHAKE: 1280 case STATE_HANDSHAKE:
1280 rv = DoHandshake(); 1281 rv = DoHandshake();
1281 break; 1282 break;
1282 case STATE_GET_OB_CERT_COMPLETE: 1283 case STATE_GET_DB_CERT_COMPLETE:
1283 rv = DoGetOBCertComplete(rv); 1284 rv = DoGetDBCertComplete(rv);
1284 break; 1285 break;
1285 case STATE_VERIFY_DNSSEC: 1286 case STATE_VERIFY_DNSSEC:
1286 rv = DoVerifyDNSSEC(rv); 1287 rv = DoVerifyDNSSEC(rv);
1287 break; 1288 break;
1288 case STATE_VERIFY_CERT: 1289 case STATE_VERIFY_CERT:
1289 DCHECK(rv == OK); 1290 DCHECK(rv == OK);
1290 rv = DoVerifyCert(rv); 1291 rv = DoVerifyCert(rv);
1291 break; 1292 break;
1292 case STATE_VERIFY_CERT_COMPLETE: 1293 case STATE_VERIFY_CERT_COMPLETE:
1293 rv = DoVerifyCertComplete(rv); 1294 rv = DoVerifyCertComplete(rv);
(...skipping 126 matching lines...) Expand 10 before | Expand all | Expand 10 after
1420 1421
1421 LeaveFunction(""); 1422 LeaveFunction("");
1422 return rv; 1423 return rv;
1423 } 1424 }
1424 1425
1425 int SSLClientSocketNSS::DoHandshake() { 1426 int SSLClientSocketNSS::DoHandshake() {
1426 EnterFunction(""); 1427 EnterFunction("");
1427 int net_error = net::OK; 1428 int net_error = net::OK;
1428 SECStatus rv = SSL_ForceHandshake(nss_fd_); 1429 SECStatus rv = SSL_ForceHandshake(nss_fd_);
1429 1430
1430 // TODO(rkn): Handle the case in which origin-bound cert generation takes 1431 // TODO(rkn): Handle the case in which server-bound cert generation takes
1431 // too long and the server has closed the connection. Report some new error 1432 // too long and the server has closed the connection. Report some new error
1432 // code so that the higher level code will attempt to delete the socket and 1433 // code so that the higher level code will attempt to delete the socket and
1433 // redo the handshake. 1434 // redo the handshake.
1434 1435
1435 if (client_auth_cert_needed_) { 1436 if (client_auth_cert_needed_) {
1436 if (ob_cert_xtn_negotiated_) { 1437 if (domain_bound_cert_xtn_negotiated_) {
1437 GotoState(STATE_GET_OB_CERT_COMPLETE); 1438 GotoState(STATE_GET_DB_CERT_COMPLETE);
1438 net_error = ERR_IO_PENDING; 1439 net_error = ERR_IO_PENDING;
1439 } else { 1440 } else {
1440 net_error = ERR_SSL_CLIENT_AUTH_CERT_NEEDED; 1441 net_error = ERR_SSL_CLIENT_AUTH_CERT_NEEDED;
1441 net_log_.AddEvent(NetLog::TYPE_SSL_HANDSHAKE_ERROR, 1442 net_log_.AddEvent(NetLog::TYPE_SSL_HANDSHAKE_ERROR,
1442 make_scoped_refptr(new SSLErrorParams(net_error, 0))); 1443 make_scoped_refptr(new SSLErrorParams(net_error, 0)));
1443 // If the handshake already succeeded (because the server requests but 1444 // If the handshake already succeeded (because the server requests but
1444 // doesn't require a client cert), we need to invalidate the SSL session 1445 // doesn't require a client cert), we need to invalidate the SSL session
1445 // so that we won't try to resume the non-client-authenticated session in 1446 // so that we won't try to resume the non-client-authenticated session in
1446 // the next handshake. This will cause the server to ask for a client 1447 // the next handshake. This will cause the server to ask for a client
1447 // cert again. 1448 // cert again.
(...skipping 94 matching lines...) Expand 10 before | Expand all | Expand 10 after
1542 net_log_.AddEvent( 1543 net_log_.AddEvent(
1543 NetLog::TYPE_SSL_HANDSHAKE_ERROR, 1544 NetLog::TYPE_SSL_HANDSHAKE_ERROR,
1544 make_scoped_refptr(new SSLErrorParams(net_error, prerr))); 1545 make_scoped_refptr(new SSLErrorParams(net_error, prerr)));
1545 } 1546 }
1546 } 1547 }
1547 1548
1548 LeaveFunction(""); 1549 LeaveFunction("");
1549 return net_error; 1550 return net_error;
1550 } 1551 }
1551 1552
1552 int SSLClientSocketNSS::ImportOBCertAndKey(CERTCertificate** cert, 1553 int SSLClientSocketNSS::ImportDBCertAndKey(CERTCertificate** cert,
1553 SECKEYPrivateKey** key) { 1554 SECKEYPrivateKey** key) {
1554 // Set the certificate. 1555 // Set the certificate.
1555 SECItem cert_item; 1556 SECItem cert_item;
1556 cert_item.data = (unsigned char*) ob_cert_.data(); 1557 cert_item.data = (unsigned char*) domain_bound_cert_.data();
1557 cert_item.len = ob_cert_.size(); 1558 cert_item.len = domain_bound_cert_.size();
1558 *cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(), 1559 *cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
1559 &cert_item, 1560 &cert_item,
1560 NULL, 1561 NULL,
1561 PR_FALSE, 1562 PR_FALSE,
1562 PR_TRUE); 1563 PR_TRUE);
1563 if (*cert == NULL) 1564 if (*cert == NULL)
1564 return MapNSSError(PORT_GetError()); 1565 return MapNSSError(PORT_GetError());
1565 1566
1566 // Set the private key. 1567 // Set the private key.
1567 switch (ob_cert_type_) { 1568 switch (domain_bound_cert_type_) {
1568 case CLIENT_CERT_ECDSA_SIGN: { 1569 case CLIENT_CERT_ECDSA_SIGN: {
1569 SECKEYPublicKey* public_key = NULL; 1570 SECKEYPublicKey* public_key = NULL;
1570 if (!crypto::ECPrivateKey::ImportFromEncryptedPrivateKeyInfo( 1571 if (!crypto::ECPrivateKey::ImportFromEncryptedPrivateKeyInfo(
1571 OriginBoundCertService::kEPKIPassword, 1572 ServerBoundCertService::kEPKIPassword,
1572 reinterpret_cast<const unsigned char*>(ob_private_key_.data()), 1573 reinterpret_cast<const unsigned char*>(
1573 ob_private_key_.size(), 1574 domain_bound_private_key_.data()),
1575 domain_bound_private_key_.size(),
1574 &(*cert)->subjectPublicKeyInfo, 1576 &(*cert)->subjectPublicKeyInfo,
1575 false, 1577 false,
1576 false, 1578 false,
1577 key, 1579 key,
1578 &public_key)) { 1580 &public_key)) {
1579 CERT_DestroyCertificate(*cert); 1581 CERT_DestroyCertificate(*cert);
1580 *cert = NULL; 1582 *cert = NULL;
1581 return MapNSSError(PORT_GetError()); 1583 return MapNSSError(PORT_GetError());
1582 } 1584 }
1583 SECKEY_DestroyPublicKey(public_key); 1585 SECKEY_DestroyPublicKey(public_key);
1584 break; 1586 break;
1585 } 1587 }
1586 1588
1587 default: 1589 default:
1588 NOTREACHED(); 1590 NOTREACHED();
1589 return ERR_INVALID_ARGUMENT; 1591 return ERR_INVALID_ARGUMENT;
1590 } 1592 }
1591 1593
1592 return OK; 1594 return OK;
1593 } 1595 }
1594 1596
1595 int SSLClientSocketNSS::DoGetOBCertComplete(int result) { 1597 int SSLClientSocketNSS::DoGetDBCertComplete(int result) {
1596 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_GET_ORIGIN_BOUND_CERT, 1598 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_GET_DOMAIN_BOUND_CERT,
1597 result); 1599 result);
1598 client_auth_cert_needed_ = false; 1600 client_auth_cert_needed_ = false;
1599 ob_cert_request_handle_ = NULL; 1601 domain_bound_cert_request_handle_ = NULL;
1600 1602
1601 if (result != OK) 1603 if (result != OK)
1602 return result; 1604 return result;
1603 1605
1604 CERTCertificate* cert; 1606 CERTCertificate* cert;
1605 SECKEYPrivateKey* key; 1607 SECKEYPrivateKey* key;
1606 int error = ImportOBCertAndKey(&cert, &key); 1608 int error = ImportDBCertAndKey(&cert, &key);
1607 if (error != OK) 1609 if (error != OK)
1608 return error; 1610 return error;
1609 1611
1610 CERTCertificateList* cert_chain = CERT_CertChainFromCert(cert, 1612 CERTCertificateList* cert_chain = CERT_CertChainFromCert(cert,
1611 certUsageSSLClient, 1613 certUsageSSLClient,
1612 PR_FALSE); 1614 PR_FALSE);
1613 net_log_.AddEvent(NetLog::TYPE_SSL_CLIENT_CERT_PROVIDED, 1615 net_log_.AddEvent(NetLog::TYPE_SSL_CLIENT_CERT_PROVIDED,
1614 make_scoped_refptr(new NetLogIntegerParameter("cert_count", 1616 make_scoped_refptr(new NetLogIntegerParameter("cert_count",
1615 cert_chain->len))); 1617 cert_chain->len)));
1616 SECStatus rv; 1618 SECStatus rv;
1617 rv = SSL_RestartHandshakeAfterCertReq(nss_fd_, cert, key, cert_chain); 1619 rv = SSL_RestartHandshakeAfterCertReq(nss_fd_, cert, key, cert_chain);
1618 if (rv != SECSuccess) 1620 if (rv != SECSuccess)
1619 return MapNSSError(PORT_GetError()); 1621 return MapNSSError(PORT_GetError());
1620 1622
1621 GotoState(STATE_HANDSHAKE); 1623 GotoState(STATE_HANDSHAKE);
1622 set_origin_bound_cert_type(ob_cert_type_); 1624 set_domain_bound_cert_type(domain_bound_cert_type_);
1623 return OK; 1625 return OK;
1624 } 1626 }
1625 1627
1626 int SSLClientSocketNSS::DoVerifyDNSSEC(int result) { 1628 int SSLClientSocketNSS::DoVerifyDNSSEC(int result) {
1627 DNSValidationResult r = CheckDNSSECChain(host_and_port_.host(), 1629 DNSValidationResult r = CheckDNSSECChain(host_and_port_.host(),
1628 server_cert_nss_, 1630 server_cert_nss_,
1629 host_and_port_.port()); 1631 host_and_port_.port());
1630 if (r == DNSVR_SUCCESS) { 1632 if (r == DNSVR_SUCCESS) {
1631 local_server_cert_verify_result_.cert_status |= CERT_STATUS_IS_DNSSEC; 1633 local_server_cert_verify_result_.cert_status |= CERT_STATUS_IS_DNSSEC;
1632 local_server_cert_verify_result_.verified_cert = server_cert_; 1634 local_server_cert_verify_result_.verified_cert = server_cert_;
(...skipping 528 matching lines...) Expand 10 before | Expand all | Expand 10 after
2161 base::TimeDelta::FromMilliseconds(kCorkTimeoutMs), 2163 base::TimeDelta::FromMilliseconds(kCorkTimeoutMs),
2162 that, &SSLClientSocketNSS::UncorkAfterTimeout); 2164 that, &SSLClientSocketNSS::UncorkAfterTimeout);
2163 } 2165 }
2164 #endif 2166 #endif
2165 2167
2166 // Tell NSS to not verify the certificate. 2168 // Tell NSS to not verify the certificate.
2167 return SECSuccess; 2169 return SECSuccess;
2168 } 2170 }
2169 2171
2170 // static 2172 // static
2171 bool SSLClientSocketNSS::OriginBoundCertNegotiated(PRFileDesc* socket) { 2173 bool SSLClientSocketNSS::DomainBoundCertNegotiated(PRFileDesc* socket) {
2172 PRBool xtn_negotiated = PR_FALSE; 2174 PRBool xtn_negotiated = PR_FALSE;
2173 SECStatus rv = SSL_HandshakeNegotiatedExtension( 2175 SECStatus rv = SSL_HandshakeNegotiatedExtension(
2174 socket, ssl_ob_cert_xtn, &xtn_negotiated); 2176 socket, ssl_ob_cert_xtn, &xtn_negotiated);
2175 DCHECK_EQ(SECSuccess, rv); 2177 DCHECK_EQ(SECSuccess, rv);
2176 2178
2177 return xtn_negotiated ? true : false; 2179 return xtn_negotiated ? true : false;
2178 } 2180 }
2179 2181
2180 SECStatus SSLClientSocketNSS::OriginBoundClientAuthHandler( 2182 SECStatus SSLClientSocketNSS::DomainBoundClientAuthHandler(
2181 const SECItem* cert_types, 2183 const SECItem* cert_types,
2182 CERTCertificate** result_certificate, 2184 CERTCertificate** result_certificate,
2183 SECKEYPrivateKey** result_private_key) { 2185 SECKEYPrivateKey** result_private_key) {
2184 ob_cert_xtn_negotiated_ = true; 2186 domain_bound_cert_xtn_negotiated_ = true;
2185 2187
2186 // We have negotiated the origin-bound certificate extension. 2188 // We have negotiated the domain-bound certificate extension.
2187 std::string origin = "https://" + host_and_port_.ToString(); 2189 std::string origin = "https://" + host_and_port_.ToString();
2188 std::vector<uint8> requested_cert_types(cert_types->data, 2190 std::vector<uint8> requested_cert_types(cert_types->data,
2189 cert_types->data + cert_types->len); 2191 cert_types->data + cert_types->len);
2190 net_log_.BeginEvent(NetLog::TYPE_SSL_GET_ORIGIN_BOUND_CERT, NULL); 2192 net_log_.BeginEvent(NetLog::TYPE_SSL_GET_DOMAIN_BOUND_CERT, NULL);
2191 int error = origin_bound_cert_service_->GetOriginBoundCert( 2193 int error = server_bound_cert_service_->GetDomainBoundCert(
2192 origin, 2194 origin,
2193 requested_cert_types, 2195 requested_cert_types,
2194 &ob_cert_type_, 2196 &domain_bound_cert_type_,
2195 &ob_private_key_, 2197 &domain_bound_private_key_,
2196 &ob_cert_, 2198 &domain_bound_cert_,
2197 base::Bind(&SSLClientSocketNSS::OnHandshakeIOComplete, 2199 base::Bind(&SSLClientSocketNSS::OnHandshakeIOComplete,
2198 base::Unretained(this)), 2200 base::Unretained(this)),
2199 &ob_cert_request_handle_); 2201 &domain_bound_cert_request_handle_);
2200 2202
2201 if (error == ERR_IO_PENDING) { 2203 if (error == ERR_IO_PENDING) {
2202 // Asynchronous case. 2204 // Asynchronous case.
2203 client_auth_cert_needed_ = true; 2205 client_auth_cert_needed_ = true;
2204 return SECWouldBlock; 2206 return SECWouldBlock;
2205 } 2207 }
2206 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_GET_ORIGIN_BOUND_CERT, 2208 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_GET_DOMAIN_BOUND_CERT,
2207 error); 2209 error);
2208 2210
2209 SECStatus rv = SECSuccess; 2211 SECStatus rv = SECSuccess;
2210 if (error == OK) { 2212 if (error == OK) {
2211 // Synchronous success. 2213 // Synchronous success.
2212 int result = ImportOBCertAndKey(result_certificate, 2214 int result = ImportDBCertAndKey(result_certificate,
2213 result_private_key); 2215 result_private_key);
2214 if (result == OK) { 2216 if (result == OK) {
2215 set_origin_bound_cert_type(ob_cert_type_); 2217 set_domain_bound_cert_type(domain_bound_cert_type_);
2216 } else { 2218 } else {
2217 rv = SECFailure; 2219 rv = SECFailure;
2218 } 2220 }
2219 } else { 2221 } else {
2220 rv = SECFailure; // Synchronous failure. 2222 rv = SECFailure; // Synchronous failure.
2221 } 2223 }
2222 2224
2223 int cert_count = (rv == SECSuccess) ? 1 : 0; 2225 int cert_count = (rv == SECSuccess) ? 1 : 0;
2224 net_log_.AddEvent(NetLog::TYPE_SSL_CLIENT_CERT_PROVIDED, 2226 net_log_.AddEvent(NetLog::TYPE_SSL_CLIENT_CERT_PROVIDED,
2225 make_scoped_refptr(new NetLogIntegerParameter("cert_count", 2227 make_scoped_refptr(new NetLogIntegerParameter("cert_count",
(...skipping 11 matching lines...) Expand all
2237 CERTCertList** result_certs, 2239 CERTCertList** result_certs,
2238 void** result_private_key, 2240 void** result_private_key,
2239 CERTCertificate** result_nss_certificate, 2241 CERTCertificate** result_nss_certificate,
2240 SECKEYPrivateKey** result_nss_private_key) { 2242 SECKEYPrivateKey** result_nss_private_key) {
2241 SSLClientSocketNSS* that = reinterpret_cast<SSLClientSocketNSS*>(arg); 2243 SSLClientSocketNSS* that = reinterpret_cast<SSLClientSocketNSS*>(arg);
2242 2244
2243 that->net_log_.AddEvent(NetLog::TYPE_SSL_CLIENT_CERT_REQUESTED, NULL); 2245 that->net_log_.AddEvent(NetLog::TYPE_SSL_CLIENT_CERT_REQUESTED, NULL);
2244 2246
2245 const SECItem* cert_types = SSL_GetRequestedClientCertificateTypes(socket); 2247 const SECItem* cert_types = SSL_GetRequestedClientCertificateTypes(socket);
2246 2248
2247 // Check if an origin-bound certificate is requested. 2249 // Check if an domain-bound certificate is requested.
2248 if (OriginBoundCertNegotiated(socket)) { 2250 if (DomainBoundCertNegotiated(socket)) {
2249 return that->OriginBoundClientAuthHandler( 2251 return that->DomainBoundClientAuthHandler(
2250 cert_types, result_nss_certificate, result_nss_private_key); 2252 cert_types, result_nss_certificate, result_nss_private_key);
2251 } 2253 }
2252 2254
2253 that->client_auth_cert_needed_ = !that->ssl_config_.send_client_cert; 2255 that->client_auth_cert_needed_ = !that->ssl_config_.send_client_cert;
2254 #if defined(OS_WIN) 2256 #if defined(OS_WIN)
2255 if (that->ssl_config_.send_client_cert) { 2257 if (that->ssl_config_.send_client_cert) {
2256 if (that->ssl_config_.client_cert) { 2258 if (that->ssl_config_.client_cert) {
2257 PCCERT_CONTEXT cert_context = 2259 PCCERT_CONTEXT cert_context =
2258 that->ssl_config_.client_cert->os_cert_handle(); 2260 that->ssl_config_.client_cert->os_cert_handle();
2259 2261
(...skipping 283 matching lines...) Expand 10 before | Expand all | Expand 10 after
2543 PRFileDesc* socket, 2545 PRFileDesc* socket,
2544 CERTDistNames* ca_names, 2546 CERTDistNames* ca_names,
2545 CERTCertificate** result_certificate, 2547 CERTCertificate** result_certificate,
2546 SECKEYPrivateKey** result_private_key) { 2548 SECKEYPrivateKey** result_private_key) {
2547 SSLClientSocketNSS* that = reinterpret_cast<SSLClientSocketNSS*>(arg); 2549 SSLClientSocketNSS* that = reinterpret_cast<SSLClientSocketNSS*>(arg);
2548 2550
2549 that->net_log_.AddEvent(NetLog::TYPE_SSL_CLIENT_CERT_REQUESTED, NULL); 2551 that->net_log_.AddEvent(NetLog::TYPE_SSL_CLIENT_CERT_REQUESTED, NULL);
2550 2552
2551 const SECItem* cert_types = SSL_GetRequestedClientCertificateTypes(socket); 2553 const SECItem* cert_types = SSL_GetRequestedClientCertificateTypes(socket);
2552 2554
2553 // Check if an origin-bound certificate is requested. 2555 // Check if an domain-bound certificate is requested.
2554 if (OriginBoundCertNegotiated(socket)) { 2556 if (DomainBoundCertNegotiated(socket)) {
2555 return that->OriginBoundClientAuthHandler( 2557 return that->DomainBoundClientAuthHandler(
2556 cert_types, result_certificate, result_private_key); 2558 cert_types, result_certificate, result_private_key);
2557 } 2559 }
2558 2560
2559 // Regular client certificate requested. 2561 // Regular client certificate requested.
2560 that->client_auth_cert_needed_ = !that->ssl_config_.send_client_cert; 2562 that->client_auth_cert_needed_ = !that->ssl_config_.send_client_cert;
2561 void* wincx = SSL_RevealPinArg(socket); 2563 void* wincx = SSL_RevealPinArg(socket);
2562 2564
2563 // Second pass: a client certificate should have been selected. 2565 // Second pass: a client certificate should have been selected.
2564 if (that->ssl_config_.send_client_cert) { 2566 if (that->ssl_config_.send_client_cert) {
2565 if (that->ssl_config_.client_cert) { 2567 if (that->ssl_config_.client_cert) {
(...skipping 133 matching lines...) Expand 10 before | Expand all | Expand 10 after
2699 return; 2701 return;
2700 valid_thread_id_ = base::PlatformThread::CurrentId(); 2702 valid_thread_id_ = base::PlatformThread::CurrentId();
2701 } 2703 }
2702 2704
2703 bool SSLClientSocketNSS::CalledOnValidThread() const { 2705 bool SSLClientSocketNSS::CalledOnValidThread() const {
2704 EnsureThreadIdAssigned(); 2706 EnsureThreadIdAssigned();
2705 base::AutoLock auto_lock(lock_); 2707 base::AutoLock auto_lock(lock_);
2706 return valid_thread_id_ == base::PlatformThread::CurrentId(); 2708 return valid_thread_id_ == base::PlatformThread::CurrentId();
2707 } 2709 }
2708 2710
2709 OriginBoundCertService* SSLClientSocketNSS::GetOriginBoundCertService() const { 2711 ServerBoundCertService* SSLClientSocketNSS::GetServerBoundCertService() const {
2710 return origin_bound_cert_service_; 2712 return server_bound_cert_service_;
2711 } 2713 }
2712 2714
2713 } // namespace net 2715 } // namespace net
OLDNEW

Powered by Google App Engine
This is Rietveld 408576698