Index: net/base/origin_bound_cert_service.cc |
diff --git a/net/base/origin_bound_cert_service.cc b/net/base/origin_bound_cert_service.cc |
index 8901e26b9c2a031a83fdb283eb4e862b016527c9..1177c396bbe7c0dbc80afb67006d071dd8cf2e6f 100644 |
--- a/net/base/origin_bound_cert_service.cc |
+++ b/net/base/origin_bound_cert_service.cc |
@@ -19,6 +19,7 @@ |
#include "base/stl_util.h" |
#include "base/threading/worker_pool.h" |
#include "crypto/ec_private_key.h" |
+#include "googleurl/src/gurl.h" |
#include "net/base/net_errors.h" |
#include "net/base/origin_bound_cert_store.h" |
#include "net/base/registry_controlled_domain.h" |
@@ -98,10 +99,10 @@ class OriginBoundCertServiceRequest { |
class OriginBoundCertServiceWorker { |
public: |
OriginBoundCertServiceWorker( |
- const std::string& origin, |
+ const std::string& domain, |
SSLClientCertType type, |
OriginBoundCertService* origin_bound_cert_service) |
- : origin_(origin), |
+ : domain_(domain), |
type_(type), |
serial_number_(base::RandInt(0, std::numeric_limits<int>::max())), |
origin_loop_(MessageLoop::current()), |
@@ -130,7 +131,7 @@ class OriginBoundCertServiceWorker { |
private: |
void Run() { |
// Runs on a worker thread. |
- error_ = OriginBoundCertService::GenerateCert(origin_, |
+ error_ = OriginBoundCertService::GenerateCert(domain_, |
type_, |
serial_number_, |
&creation_time_, |
@@ -161,7 +162,7 @@ class OriginBoundCertServiceWorker { |
base::AutoLock locked(lock_); |
if (!canceled_) { |
origin_bound_cert_service_->HandleResult( |
- origin_, error_, type_, creation_time_, expiration_time_, |
+ domain_, error_, type_, creation_time_, expiration_time_, |
private_key_, cert_); |
} |
} |
@@ -193,7 +194,7 @@ class OriginBoundCertServiceWorker { |
delete this; |
} |
- const std::string origin_; |
+ const std::string domain_; |
const SSLClientCertType type_; |
// Note that serial_number_ must be initialized on a non-worker thread |
// (see documentation for OriginBoundCertService::GenerateCert). |
@@ -320,6 +321,8 @@ int OriginBoundCertService::GetOriginBoundCert( |
return ERR_INVALID_ARGUMENT; |
} |
+ std::string domain = GetDomainForHost(GURL(origin).host()); |
wtc
2012/03/08 02:13:45
Should we also check domain.empty()? See the orig
mattm
2012/03/15 01:48:44
Done.
|
+ |
SSLClientCertType preferred_type = CLIENT_CERT_INVALID_TYPE; |
for (size_t i = 0; i < requested_types.size(); ++i) { |
if (IsSupportedCertType(requested_types[i])) { |
@@ -334,35 +337,35 @@ int OriginBoundCertService::GetOriginBoundCert( |
requests_++; |
- // Check if an origin bound cert of an acceptable type already exists for this |
- // origin, and that it has not expired. |
+ // Check if a domain bound cert of an acceptable type already exists for this |
+ // domain, and that it has not expired. |
base::Time now = base::Time::Now(); |
base::Time creation_time; |
base::Time expiration_time; |
- if (origin_bound_cert_store_->GetOriginBoundCert(origin, |
+ if (origin_bound_cert_store_->GetOriginBoundCert(domain, |
type, |
&creation_time, |
&expiration_time, |
private_key, |
cert)) { |
if (expiration_time < now) { |
- DVLOG(1) << "Cert store had expired cert for " << origin; |
+ DVLOG(1) << "Cert store had expired cert for " << domain; |
} else if (!IsSupportedCertType(*type) || |
std::find(requested_types.begin(), requested_types.end(), |
*type) == requested_types.end()) { |
DVLOG(1) << "Cert store had cert of wrong type " << *type << " for " |
- << origin; |
+ << domain; |
} else { |
cert_store_hits_++; |
return OK; |
} |
} |
- // |origin_bound_cert_store_| has no cert for this origin. See if an |
+ // |origin_bound_cert_store_| has no cert for this domain. See if an |
// identical request is currently in flight. |
OriginBoundCertServiceJob* job = NULL; |
std::map<std::string, OriginBoundCertServiceJob*>::const_iterator j; |
- j = inflight_.find(origin); |
+ j = inflight_.find(domain); |
if (j != inflight_.end()) { |
// An identical request is in flight already. We'll just attach our |
// callback. |
@@ -371,10 +374,10 @@ int OriginBoundCertService::GetOriginBoundCert( |
if (std::find(requested_types.begin(), requested_types.end(), job->type()) |
== requested_types.end()) { |
DVLOG(1) << "Found inflight job of wrong type " << job->type() |
- << " for " << origin; |
+ << " for " << domain; |
// If we get here, the server is asking for different types of certs in |
// short succession. This probably means the server is broken or |
- // misconfigured. Since we only store one type of cert per origin, we |
+ // misconfigured. Since we only store one type of cert per domain, we |
// are unable to handle this well. Just return an error and let the first |
// job finish. |
return ERR_ORIGIN_BOUND_CERT_GENERATION_TYPE_MISMATCH; |
@@ -383,7 +386,7 @@ int OriginBoundCertService::GetOriginBoundCert( |
} else { |
// Need to make a new request. |
OriginBoundCertServiceWorker* worker = new OriginBoundCertServiceWorker( |
- origin, |
+ domain, |
preferred_type, |
this); |
job = new OriginBoundCertServiceJob(worker, preferred_type); |
@@ -394,7 +397,7 @@ int OriginBoundCertService::GetOriginBoundCert( |
LOG(ERROR) << "OriginBoundCertServiceWorker couldn't be started."; |
return ERR_INSUFFICIENT_RESOURCES; // Just a guess. |
} |
- inflight_[origin] = job; |
+ inflight_[domain] = job; |
} |
OriginBoundCertServiceRequest* request = |
@@ -409,7 +412,7 @@ OriginBoundCertStore* OriginBoundCertService::GetCertStore() { |
} |
// static |
-int OriginBoundCertService::GenerateCert(const std::string& origin, |
+int OriginBoundCertService::GenerateCert(const std::string& domain, |
SSLClientCertType type, |
uint32 serial_number, |
base::Time* creation_time, |
@@ -430,7 +433,7 @@ int OriginBoundCertService::GenerateCert(const std::string& origin, |
} |
if (!x509_util::CreateOriginBoundCertEC( |
key.get(), |
- origin, |
+ domain, |
serial_number, |
now, |
not_valid_after, |
@@ -471,7 +474,7 @@ void OriginBoundCertService::CancelRequest(RequestHandle req) { |
// HandleResult is called by OriginBoundCertServiceWorker on the origin message |
// loop. It deletes OriginBoundCertServiceJob. |
-void OriginBoundCertService::HandleResult(const std::string& origin, |
+void OriginBoundCertService::HandleResult(const std::string& domain, |
int error, |
SSLClientCertType type, |
base::Time creation_time, |
@@ -481,10 +484,10 @@ void OriginBoundCertService::HandleResult(const std::string& origin, |
DCHECK(CalledOnValidThread()); |
origin_bound_cert_store_->SetOriginBoundCert( |
- origin, type, creation_time, expiration_time, private_key, cert); |
+ domain, type, creation_time, expiration_time, private_key, cert); |
std::map<std::string, OriginBoundCertServiceJob*>::iterator j; |
- j = inflight_.find(origin); |
+ j = inflight_.find(domain); |
if (j == inflight_.end()) { |
NOTREACHED(); |
return; |
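Review bot: The new local `domain` in the GetOriginBoundCert hunk (`std::string domain = GetDomainForHost(GURL(origin).host());`) carries no comment, yet it quietly replaces `origin` as the key for both the cert-store lookup and the `inflight_` map further down, while the function's own name and its `origin` parameter still say "origin". A reader of the cache-hit and in-flight hunks therefore cannot tell from the code that certificates are now shared across every origin that maps to the same domain. I would add, above that line, `// Certs are bound to the domain derived from |origin|'s host, not to the full origin; |domain| is the key for both origin_bound_cert_store_ and inflight_.` — and, if GetDomainForHost is the registry-controlled-domain lookup that the registry_controlled_domain.h include suggests (it is not visible here), say so explicitly since that widens the trust scope of each key. GetOriginBoundCert starts before this hunk and its signature is outside the visible diff.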