Chromium Code Reviews Chromium Code Reviews
Issue 1076063002:
Remove certificates from Channel ID (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived | 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived |
| 6 // from AuthCertificateCallback() in | 6 // from AuthCertificateCallback() in |
| 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. | 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. |
| 8 | 8 |
| 9 /* ***** BEGIN LICENSE BLOCK ***** | 9 /* ***** BEGIN LICENSE BLOCK ***** |
| 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 | 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 |
| (...skipping 812 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 823 | 823 |
| 824 // The underlying transport to use for network IO. | 824 // The underlying transport to use for network IO. |
| 825 ClientSocketHandle* transport_; | 825 ClientSocketHandle* transport_; |
| 826 base::WeakPtrFactory<BoundNetLog> weak_net_log_factory_; | 826 base::WeakPtrFactory<BoundNetLog> weak_net_log_factory_; |
| 827 | 827 |
| 828 // The current handshake state. Mirrors |nss_handshake_state_|. | 828 // The current handshake state. Mirrors |nss_handshake_state_|. |
| 829 HandshakeState network_handshake_state_; | 829 HandshakeState network_handshake_state_; |
| 830 | 830 |
| 831 // The service for retrieving Channel ID keys. May be NULL. | 831 // The service for retrieving Channel ID keys. May be NULL. |
| 832 ChannelIDService* channel_id_service_; | 832 ChannelIDService* channel_id_service_; |
| 833 ChannelIDService::RequestHandle domain_bound_cert_request_handle_; | 833 ChannelIDService::RequestHandle channel_id_request_handle_; |
| 834 | 834 |
| 835 // The information about NSS task runner. | 835 // The information about NSS task runner. |
| 836 int unhandled_buffer_size_; | 836 int unhandled_buffer_size_; |
| 837 bool nss_waiting_read_; | 837 bool nss_waiting_read_; |
| 838 bool nss_waiting_write_; | 838 bool nss_waiting_write_; |
| 839 bool nss_is_closed_; | 839 bool nss_is_closed_; |
| 840 | 840 |
| 841 // Set when Read() or Write() successfully reads or writes data to or from the | 841 // Set when Read() or Write() successfully reads or writes data to or from the |
| 842 // network. | 842 // network. |
| 843 bool was_ever_used_; | 843 bool was_ever_used_; |
| (...skipping 64 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 908 scoped_refptr<base::SequencedTaskRunner> nss_task_runner_; | 908 scoped_refptr<base::SequencedTaskRunner> nss_task_runner_; |
| 909 | 909 |
| 910 // Dereferenced only on the network task runner, but bound to tasks destined | 910 // Dereferenced only on the network task runner, but bound to tasks destined |
| 911 // for the network task runner from the NSS task runner. | 911 // for the network task runner from the NSS task runner. |
| 912 base::WeakPtr<BoundNetLog> weak_net_log_; | 912 base::WeakPtr<BoundNetLog> weak_net_log_; |
| 913 | 913 |
| 914 // Written on the network task runner by the |channel_id_service_|, | 914 // Written on the network task runner by the |channel_id_service_|, |
| 915 // prior to invoking OnHandshakeIOComplete. | 915 // prior to invoking OnHandshakeIOComplete. |
| 916 // Read on the NSS task runner when once OnHandshakeIOComplete is invoked | 916 // Read on the NSS task runner when once OnHandshakeIOComplete is invoked |
| 917 // on the NSS task runner. | 917 // on the NSS task runner. |
| 918 std::string domain_bound_private_key_; | 918 scoped_ptr<crypto::ECPrivateKey> channel_id_key_; |
| 919 std::string domain_bound_cert_; | |
| 920 | 919 |
| 921 DISALLOW_COPY_AND_ASSIGN(Core); | 920 DISALLOW_COPY_AND_ASSIGN(Core); |
| 922 }; | 921 }; |
| 923 | 922 |
| 924 SSLClientSocketNSS::Core::Core( | 923 SSLClientSocketNSS::Core::Core( |
| 925 base::SequencedTaskRunner* network_task_runner, | 924 base::SequencedTaskRunner* network_task_runner, |
| 926 base::SequencedTaskRunner* nss_task_runner, | 925 base::SequencedTaskRunner* nss_task_runner, |
| 927 ClientSocketHandle* transport, | 926 ClientSocketHandle* transport, |
| 928 const HostPortPair& host_and_port, | 927 const HostPortPair& host_and_port, |
| 929 const SSLConfig& ssl_config, | 928 const SSLConfig& ssl_config, |
| (...skipping 154 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1084 | 1083 |
| 1085 void SSLClientSocketNSS::Core::Detach() { | 1084 void SSLClientSocketNSS::Core::Detach() { |
| 1086 DCHECK(OnNetworkTaskRunner()); | 1085 DCHECK(OnNetworkTaskRunner()); |
| 1087 | 1086 |
| 1088 detached_ = true; | 1087 detached_ = true; |
| 1089 transport_ = NULL; | 1088 transport_ = NULL; |
| 1090 weak_net_log_factory_.InvalidateWeakPtrs(); | 1089 weak_net_log_factory_.InvalidateWeakPtrs(); |
| 1091 | 1090 |
| 1092 network_handshake_state_.Reset(); | 1091 network_handshake_state_.Reset(); |
| 1093 | 1092 |
| 1094 domain_bound_cert_request_handle_.Cancel(); | 1093 channel_id_request_handle_.Cancel(); |
| 1095 } | 1094 } |
| 1096 | 1095 |
| 1097 int SSLClientSocketNSS::Core::Read(IOBuffer* buf, int buf_len, | 1096 int SSLClientSocketNSS::Core::Read(IOBuffer* buf, int buf_len, |
| 1098 const CompletionCallback& callback) { | 1097 const CompletionCallback& callback) { |
| 1099 if (!OnNSSTaskRunner()) { | 1098 if (!OnNSSTaskRunner()) { |
| 1100 DCHECK(OnNetworkTaskRunner()); | 1099 DCHECK(OnNetworkTaskRunner()); |
| 1101 DCHECK(!detached_); | 1100 DCHECK(!detached_); |
| 1102 DCHECK(transport_); | 1101 DCHECK(transport_); |
| 1103 DCHECK(!nss_waiting_read_); | 1102 DCHECK(!nss_waiting_read_); |
| 1104 | 1103 |
| (...skipping 1210 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 2315 rv = SECFailure; | 2314 rv = SECFailure; |
| 2316 } else { | 2315 } else { |
| 2317 rv = SECFailure; | 2316 rv = SECFailure; |
| 2318 } | 2317 } |
| 2319 | 2318 |
| 2320 return rv; | 2319 return rv; |
| 2321 } | 2320 } |
| 2322 | 2321 |
| 2323 int SSLClientSocketNSS::Core::ImportChannelIDKeys(SECKEYPublicKey** public_key, | 2322 int SSLClientSocketNSS::Core::ImportChannelIDKeys(SECKEYPublicKey** public_key, |
| 2324 SECKEYPrivateKey** key) { | 2323 SECKEYPrivateKey** key) { |
| 2325 // Set the certificate. | 2324 if (channel_id_key_.get() == nullptr) |
|
Ryan Sleevi
2015/04/09 22:40:09
if (!channel_id_key_)
nharper
2015/04/10 00:32:08
Done.
| |
| 2326 SECItem cert_item; | 2325 return SECFailure; |
| 2327 cert_item.data = (unsigned char*) domain_bound_cert_.data(); | |
| 2328 cert_item.len = domain_bound_cert_.size(); | |
| 2329 ScopedCERTCertificate cert(CERT_NewTempCertificate(CERT_GetDefaultCertDB(), | |
| 2330 &cert_item, | |
| 2331 NULL, | |
| 2332 PR_FALSE, | |
| 2333 PR_TRUE)); | |
| 2334 if (cert == NULL) | |
| 2335 return MapNSSError(PORT_GetError()); | |
| 2336 | 2326 |
| 2337 crypto::ScopedPK11Slot slot(PK11_GetInternalSlot()); | 2327 *public_key = channel_id_key_->public_key(); |
| 2338 // Set the private key. | 2328 *key = channel_id_key_->key(); |
|
mattm
2015/04/10 01:00:27
Need to SECKEY_CopyPrivateKey and SECKEY_CopyPubli
nharper
2015/04/25 02:59:18
Done.
| |
| 2339 if (!crypto::ECPrivateKey::ImportFromEncryptedPrivateKeyInfo( | |
| 2340 slot.get(), | |
| 2341 ChannelIDService::kEPKIPassword, | |
| 2342 reinterpret_cast<const unsigned char*>( | |
| 2343 domain_bound_private_key_.data()), | |
| 2344 domain_bound_private_key_.size(), | |
| 2345 &cert->subjectPublicKeyInfo, | |
| 2346 false, | |
| 2347 false, | |
| 2348 key, | |
| 2349 public_key)) { | |
| 2350 int error = MapNSSError(PORT_GetError()); | |
| 2351 return error; | |
| 2352 } | |
| 2353 | 2329 |
| 2354 return OK; | 2330 return OK; |
| 2355 } | 2331 } |
| 2356 | 2332 |
| 2357 void SSLClientSocketNSS::Core::UpdateServerCert() { | 2333 void SSLClientSocketNSS::Core::UpdateServerCert() { |
| 2358 nss_handshake_state_.server_cert_chain.Reset(nss_fd_); | 2334 nss_handshake_state_.server_cert_chain.Reset(nss_fd_); |
| 2359 nss_handshake_state_.server_cert = X509Certificate::CreateFromDERCertChain( | 2335 nss_handshake_state_.server_cert = X509Certificate::CreateFromDERCertChain( |
| 2360 nss_handshake_state_.server_cert_chain.AsStringPieceVector()); | 2336 nss_handshake_state_.server_cert_chain.AsStringPieceVector()); |
| 2361 if (nss_handshake_state_.server_cert.get()) { | 2337 if (nss_handshake_state_.server_cert.get()) { |
| 2362 // Since this will be called asynchronously on another thread, it needs to | 2338 // Since this will be called asynchronously on another thread, it needs to |
| (...skipping 241 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 2604 | 2580 |
| 2605 int SSLClientSocketNSS::Core::DoGetChannelID(const std::string& host) { | 2581 int SSLClientSocketNSS::Core::DoGetChannelID(const std::string& host) { |
| 2606 DCHECK(OnNetworkTaskRunner()); | 2582 DCHECK(OnNetworkTaskRunner()); |
| 2607 | 2583 |
| 2608 if (detached_) | 2584 if (detached_) |
| 2609 return ERR_ABORTED; | 2585 return ERR_ABORTED; |
| 2610 | 2586 |
| 2611 weak_net_log_->BeginEvent(NetLog::TYPE_SSL_GET_DOMAIN_BOUND_CERT); | 2587 weak_net_log_->BeginEvent(NetLog::TYPE_SSL_GET_DOMAIN_BOUND_CERT); |
| 2612 | 2588 |
| 2613 int rv = channel_id_service_->GetOrCreateChannelID( | 2589 int rv = channel_id_service_->GetOrCreateChannelID( |
| 2614 host, | 2590 host, &channel_id_key_, |
| 2615 &domain_bound_private_key_, | |
| 2616 &domain_bound_cert_, | |
| 2617 base::Bind(&Core::OnGetChannelIDComplete, base::Unretained(this)), | 2591 base::Bind(&Core::OnGetChannelIDComplete, base::Unretained(this)), |
| 2618 &domain_bound_cert_request_handle_); | 2592 &channel_id_request_handle_); |
| 2619 | 2593 |
| 2620 if (rv != ERR_IO_PENDING && !OnNSSTaskRunner()) { | 2594 if (rv != ERR_IO_PENDING && !OnNSSTaskRunner()) { |
| 2621 nss_task_runner_->PostTask( | 2595 nss_task_runner_->PostTask( |
| 2622 FROM_HERE, | 2596 FROM_HERE, |
| 2623 base::Bind(&Core::OnHandshakeIOComplete, this, rv)); | 2597 base::Bind(&Core::OnHandshakeIOComplete, this, rv)); |
| 2624 return ERR_IO_PENDING; | 2598 return ERR_IO_PENDING; |
| 2625 } | 2599 } |
| 2626 | 2600 |
| 2627 return rv; | 2601 return rv; |
| 2628 } | 2602 } |
| (...skipping 953 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 3582 scoped_refptr<X509Certificate> | 3556 scoped_refptr<X509Certificate> |
| 3583 SSLClientSocketNSS::GetUnverifiedServerCertificateChain() const { | 3557 SSLClientSocketNSS::GetUnverifiedServerCertificateChain() const { |
| 3584 return core_->state().server_cert.get(); | 3558 return core_->state().server_cert.get(); |
| 3585 } | 3559 } |
| 3586 | 3560 |
| 3587 ChannelIDService* SSLClientSocketNSS::GetChannelIDService() const { | 3561 ChannelIDService* SSLClientSocketNSS::GetChannelIDService() const { |
| 3588 return channel_id_service_; | 3562 return channel_id_service_; |
| 3589 } | 3563 } |
| 3590 | 3564 |
| 3591 } // namespace net | 3565 } // namespace net |
| OLD | NEW |
