Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(259)

Side by Side Diff: net/socket/ssl_client_socket_nss.cc

Issue 1076063002: Remove certificates from Channel ID (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 5 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived
6 // from AuthCertificateCallback() in 6 // from AuthCertificateCallback() in
7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.
8 8
9 /* ***** BEGIN LICENSE BLOCK ***** 9 /* ***** BEGIN LICENSE BLOCK *****
10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
(...skipping 812 matching lines...) Expand 10 before | Expand all | Expand 10 after
823 823
824 // The underlying transport to use for network IO. 824 // The underlying transport to use for network IO.
825 ClientSocketHandle* transport_; 825 ClientSocketHandle* transport_;
826 base::WeakPtrFactory<BoundNetLog> weak_net_log_factory_; 826 base::WeakPtrFactory<BoundNetLog> weak_net_log_factory_;
827 827
828 // The current handshake state. Mirrors |nss_handshake_state_|. 828 // The current handshake state. Mirrors |nss_handshake_state_|.
829 HandshakeState network_handshake_state_; 829 HandshakeState network_handshake_state_;
830 830
831 // The service for retrieving Channel ID keys. May be NULL. 831 // The service for retrieving Channel ID keys. May be NULL.
832 ChannelIDService* channel_id_service_; 832 ChannelIDService* channel_id_service_;
833 ChannelIDService::RequestHandle domain_bound_cert_request_handle_; 833 ChannelIDService::RequestHandle channel_id_request_handle_;
834 834
835 // The information about NSS task runner. 835 // The information about NSS task runner.
836 int unhandled_buffer_size_; 836 int unhandled_buffer_size_;
837 bool nss_waiting_read_; 837 bool nss_waiting_read_;
838 bool nss_waiting_write_; 838 bool nss_waiting_write_;
839 bool nss_is_closed_; 839 bool nss_is_closed_;
840 840
841 // Set when Read() or Write() successfully reads or writes data to or from the 841 // Set when Read() or Write() successfully reads or writes data to or from the
842 // network. 842 // network.
843 bool was_ever_used_; 843 bool was_ever_used_;
(...skipping 64 matching lines...) Expand 10 before | Expand all | Expand 10 after
908 scoped_refptr<base::SequencedTaskRunner> nss_task_runner_; 908 scoped_refptr<base::SequencedTaskRunner> nss_task_runner_;
909 909
910 // Dereferenced only on the network task runner, but bound to tasks destined 910 // Dereferenced only on the network task runner, but bound to tasks destined
911 // for the network task runner from the NSS task runner. 911 // for the network task runner from the NSS task runner.
912 base::WeakPtr<BoundNetLog> weak_net_log_; 912 base::WeakPtr<BoundNetLog> weak_net_log_;
913 913
914 // Written on the network task runner by the |channel_id_service_|, 914 // Written on the network task runner by the |channel_id_service_|,
915 // prior to invoking OnHandshakeIOComplete. 915 // prior to invoking OnHandshakeIOComplete.
916 // Read on the NSS task runner when once OnHandshakeIOComplete is invoked 916 // Read on the NSS task runner when once OnHandshakeIOComplete is invoked
917 // on the NSS task runner. 917 // on the NSS task runner.
918 std::string domain_bound_private_key_; 918 scoped_ptr<crypto::ECPrivateKey> channel_id_key_;
919 std::string domain_bound_cert_;
920 919
921 DISALLOW_COPY_AND_ASSIGN(Core); 920 DISALLOW_COPY_AND_ASSIGN(Core);
922 }; 921 };
923 922
924 SSLClientSocketNSS::Core::Core( 923 SSLClientSocketNSS::Core::Core(
925 base::SequencedTaskRunner* network_task_runner, 924 base::SequencedTaskRunner* network_task_runner,
926 base::SequencedTaskRunner* nss_task_runner, 925 base::SequencedTaskRunner* nss_task_runner,
927 ClientSocketHandle* transport, 926 ClientSocketHandle* transport,
928 const HostPortPair& host_and_port, 927 const HostPortPair& host_and_port,
929 const SSLConfig& ssl_config, 928 const SSLConfig& ssl_config,
(...skipping 154 matching lines...) Expand 10 before | Expand all | Expand 10 after
1084 1083
1085 void SSLClientSocketNSS::Core::Detach() { 1084 void SSLClientSocketNSS::Core::Detach() {
1086 DCHECK(OnNetworkTaskRunner()); 1085 DCHECK(OnNetworkTaskRunner());
1087 1086
1088 detached_ = true; 1087 detached_ = true;
1089 transport_ = NULL; 1088 transport_ = NULL;
1090 weak_net_log_factory_.InvalidateWeakPtrs(); 1089 weak_net_log_factory_.InvalidateWeakPtrs();
1091 1090
1092 network_handshake_state_.Reset(); 1091 network_handshake_state_.Reset();
1093 1092
1094 domain_bound_cert_request_handle_.Cancel(); 1093 channel_id_request_handle_.Cancel();
1095 } 1094 }
1096 1095
1097 int SSLClientSocketNSS::Core::Read(IOBuffer* buf, int buf_len, 1096 int SSLClientSocketNSS::Core::Read(IOBuffer* buf, int buf_len,
1098 const CompletionCallback& callback) { 1097 const CompletionCallback& callback) {
1099 if (!OnNSSTaskRunner()) { 1098 if (!OnNSSTaskRunner()) {
1100 DCHECK(OnNetworkTaskRunner()); 1099 DCHECK(OnNetworkTaskRunner());
1101 DCHECK(!detached_); 1100 DCHECK(!detached_);
1102 DCHECK(transport_); 1101 DCHECK(transport_);
1103 DCHECK(!nss_waiting_read_); 1102 DCHECK(!nss_waiting_read_);
1104 1103
(...skipping 1210 matching lines...) Expand 10 before | Expand all | Expand 10 after
2315 rv = SECFailure; 2314 rv = SECFailure;
2316 } else { 2315 } else {
2317 rv = SECFailure; 2316 rv = SECFailure;
2318 } 2317 }
2319 2318
2320 return rv; 2319 return rv;
2321 } 2320 }
2322 2321
2323 int SSLClientSocketNSS::Core::ImportChannelIDKeys(SECKEYPublicKey** public_key, 2322 int SSLClientSocketNSS::Core::ImportChannelIDKeys(SECKEYPublicKey** public_key,
2324 SECKEYPrivateKey** key) { 2323 SECKEYPrivateKey** key) {
2325 // Set the certificate. 2324 if (channel_id_key_.get() == nullptr)
Ryan Sleevi 2015/04/09 22:40:09 if (!channel_id_key_)
nharper 2015/04/10 00:32:08 Done.
2326 SECItem cert_item; 2325 return SECFailure;
2327 cert_item.data = (unsigned char*) domain_bound_cert_.data();
2328 cert_item.len = domain_bound_cert_.size();
2329 ScopedCERTCertificate cert(CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
2330 &cert_item,
2331 NULL,
2332 PR_FALSE,
2333 PR_TRUE));
2334 if (cert == NULL)
2335 return MapNSSError(PORT_GetError());
2336 2326
2337 crypto::ScopedPK11Slot slot(PK11_GetInternalSlot()); 2327 *public_key = channel_id_key_->public_key();
2338 // Set the private key. 2328 *key = channel_id_key_->key();
mattm 2015/04/10 01:00:27 Need to SECKEY_CopyPrivateKey and SECKEY_CopyPubli
nharper 2015/04/25 02:59:18 Done.
2339 if (!crypto::ECPrivateKey::ImportFromEncryptedPrivateKeyInfo(
2340 slot.get(),
2341 ChannelIDService::kEPKIPassword,
2342 reinterpret_cast<const unsigned char*>(
2343 domain_bound_private_key_.data()),
2344 domain_bound_private_key_.size(),
2345 &cert->subjectPublicKeyInfo,
2346 false,
2347 false,
2348 key,
2349 public_key)) {
2350 int error = MapNSSError(PORT_GetError());
2351 return error;
2352 }
2353 2329
2354 return OK; 2330 return OK;
2355 } 2331 }
2356 2332
2357 void SSLClientSocketNSS::Core::UpdateServerCert() { 2333 void SSLClientSocketNSS::Core::UpdateServerCert() {
2358 nss_handshake_state_.server_cert_chain.Reset(nss_fd_); 2334 nss_handshake_state_.server_cert_chain.Reset(nss_fd_);
2359 nss_handshake_state_.server_cert = X509Certificate::CreateFromDERCertChain( 2335 nss_handshake_state_.server_cert = X509Certificate::CreateFromDERCertChain(
2360 nss_handshake_state_.server_cert_chain.AsStringPieceVector()); 2336 nss_handshake_state_.server_cert_chain.AsStringPieceVector());
2361 if (nss_handshake_state_.server_cert.get()) { 2337 if (nss_handshake_state_.server_cert.get()) {
2362 // Since this will be called asynchronously on another thread, it needs to 2338 // Since this will be called asynchronously on another thread, it needs to
(...skipping 241 matching lines...) Expand 10 before | Expand all | Expand 10 after
2604 2580
2605 int SSLClientSocketNSS::Core::DoGetChannelID(const std::string& host) { 2581 int SSLClientSocketNSS::Core::DoGetChannelID(const std::string& host) {
2606 DCHECK(OnNetworkTaskRunner()); 2582 DCHECK(OnNetworkTaskRunner());
2607 2583
2608 if (detached_) 2584 if (detached_)
2609 return ERR_ABORTED; 2585 return ERR_ABORTED;
2610 2586
2611 weak_net_log_->BeginEvent(NetLog::TYPE_SSL_GET_DOMAIN_BOUND_CERT); 2587 weak_net_log_->BeginEvent(NetLog::TYPE_SSL_GET_DOMAIN_BOUND_CERT);
2612 2588
2613 int rv = channel_id_service_->GetOrCreateChannelID( 2589 int rv = channel_id_service_->GetOrCreateChannelID(
2614 host, 2590 host, &channel_id_key_,
2615 &domain_bound_private_key_,
2616 &domain_bound_cert_,
2617 base::Bind(&Core::OnGetChannelIDComplete, base::Unretained(this)), 2591 base::Bind(&Core::OnGetChannelIDComplete, base::Unretained(this)),
2618 &domain_bound_cert_request_handle_); 2592 &channel_id_request_handle_);
2619 2593
2620 if (rv != ERR_IO_PENDING && !OnNSSTaskRunner()) { 2594 if (rv != ERR_IO_PENDING && !OnNSSTaskRunner()) {
2621 nss_task_runner_->PostTask( 2595 nss_task_runner_->PostTask(
2622 FROM_HERE, 2596 FROM_HERE,
2623 base::Bind(&Core::OnHandshakeIOComplete, this, rv)); 2597 base::Bind(&Core::OnHandshakeIOComplete, this, rv));
2624 return ERR_IO_PENDING; 2598 return ERR_IO_PENDING;
2625 } 2599 }
2626 2600
2627 return rv; 2601 return rv;
2628 } 2602 }
(...skipping 953 matching lines...) Expand 10 before | Expand all | Expand 10 after
3582 scoped_refptr<X509Certificate> 3556 scoped_refptr<X509Certificate>
3583 SSLClientSocketNSS::GetUnverifiedServerCertificateChain() const { 3557 SSLClientSocketNSS::GetUnverifiedServerCertificateChain() const {
3584 return core_->state().server_cert.get(); 3558 return core_->state().server_cert.get();
3585 } 3559 }
3586 3560
3587 ChannelIDService* SSLClientSocketNSS::GetChannelIDService() const { 3561 ChannelIDService* SSLClientSocketNSS::GetChannelIDService() const {
3588 return channel_id_service_; 3562 return channel_id_service_;
3589 } 3563 }
3590 3564
3591 } // namespace net 3565 } // namespace net
OLDNEW

Powered by Google App Engine
This is Rietveld 408576698