Remove certificates from Channel ID

net/socket/ssl_client_socket_nss.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived
 // from AuthCertificateCallback() in
 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.
 
 /* ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
@@ skipping 676 matching lines @@
 
   // The underlying transport to use for network IO.
   ClientSocketHandle* transport_;
   base::WeakPtrFactory<BoundNetLog> weak_net_log_factory_;
 
   // The current handshake state. Mirrors |nss_handshake_state_|.
   HandshakeState network_handshake_state_;
 
   // The service for retrieving Channel ID keys.  May be NULL.
   ChannelIDService* channel_id_service_;
-  ChannelIDService::RequestHandle domain_bound_cert_request_handle_;
+  ChannelIDService::RequestHandle channel_id_request_handle_;
 
   // The information about NSS task runner.
   int unhandled_buffer_size_;
   bool nss_waiting_read_;
   bool nss_waiting_write_;
   bool nss_is_closed_;
 
   // Set when Read() or Write() successfully reads or writes data to or from the
   // network.
   bool was_ever_used_;
@@ skipping 64 matching lines @@
   scoped_refptr<base::SequencedTaskRunner> nss_task_runner_;
 
   // Dereferenced only on the network task runner, but bound to tasks destined
   // for the network task runner from the NSS task runner.
   base::WeakPtr<BoundNetLog> weak_net_log_;
 
   // Written on the network task runner by the |channel_id_service_|,
   // prior to invoking OnHandshakeIOComplete.
   // Read on the NSS task runner when once OnHandshakeIOComplete is invoked
   // on the NSS task runner.
-  std::string domain_bound_private_key_;
-  std::string domain_bound_cert_;
+  scoped_ptr<crypto::ECPrivateKey> channel_id_key_;
 
   DISALLOW_COPY_AND_ASSIGN(Core);
 };
 
 SSLClientSocketNSS::Core::Core(
     base::SequencedTaskRunner* network_task_runner,
     base::SequencedTaskRunner* nss_task_runner,
     ClientSocketHandle* transport,
     const HostPortPair& host_and_port,
     const SSLConfig& ssl_config,
@@ skipping 148 matching lines @@
 
 void SSLClientSocketNSS::Core::Detach() {
   DCHECK(OnNetworkTaskRunner());
 
   detached_ = true;
   transport_ = NULL;
   weak_net_log_factory_.InvalidateWeakPtrs();
 
   network_handshake_state_.Reset();
 
-  domain_bound_cert_request_handle_.Cancel();
+  channel_id_request_handle_.Cancel();
 }
 
 int SSLClientSocketNSS::Core::Read(IOBuffer* buf, int buf_len,
                                    const CompletionCallback& callback) {
   if (!OnNSSTaskRunner()) {
     DCHECK(OnNetworkTaskRunner());
     DCHECK(!detached_);
     DCHECK(transport_);
     DCHECK(!nss_waiting_read_);
 
@@ skipping 971 matching lines @@
       rv = SECFailure;
   } else {
     rv = SECFailure;
   }
 
   return rv;
 }
 
 int SSLClientSocketNSS::Core::ImportChannelIDKeys(SECKEYPublicKey** public_key,
                                                   SECKEYPrivateKey** key) {
-  // Set the certificate.
-  SECItem cert_item;
-  cert_item.data = (unsigned char*) domain_bound_cert_.data();
-  cert_item.len = domain_bound_cert_.size();
-  ScopedCERTCertificate cert(CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
-                                                     &cert_item,
-                                                     NULL,
-                                                     PR_FALSE,
-                                                     PR_TRUE));
-  if (cert == NULL)
-    return MapNSSError(PORT_GetError());
+  if (!channel_id_key_)
+    return SECFailure;
 
-  crypto::ScopedPK11Slot slot(PK11_GetInternalSlot());
-  // Set the private key.
-  if (!crypto::ECPrivateKey::ImportFromEncryptedPrivateKeyInfo(
-          slot.get(),
-          ChannelIDService::kEPKIPassword,
-          reinterpret_cast<const unsigned char*>(
-              domain_bound_private_key_.data()),
-          domain_bound_private_key_.size(),
-          &cert->subjectPublicKeyInfo,
-          false,
-          false,
-          key,
-          public_key)) {
-    int error = MapNSSError(PORT_GetError());
-    return error;
-  }
+  *public_key = SECKEY_CopyPublicKey(channel_id_key_->public_key());
+  *key = SECKEY_CopyPrivateKey(channel_id_key_->key());
 
   return OK;
 }
 
 void SSLClientSocketNSS::Core::UpdateServerCert() {
   nss_handshake_state_.server_cert_chain.Reset(nss_fd_);
   nss_handshake_state_.server_cert = X509Certificate::CreateFromDERCertChain(
       nss_handshake_state_.server_cert_chain.AsStringPieceVector());
   if (nss_handshake_state_.server_cert.get()) {
     // Since this will be called asynchronously on another thread, it needs to
@@ skipping 214 matching lines @@
 
 int SSLClientSocketNSS::Core::DoGetChannelID(const std::string& host) {
   DCHECK(OnNetworkTaskRunner());
 
   if (detached_)
     return ERR_ABORTED;
 
   weak_net_log_->BeginEvent(NetLog::TYPE_SSL_GET_DOMAIN_BOUND_CERT);
 
   int rv = channel_id_service_->GetOrCreateChannelID(
-      host,
-      &domain_bound_private_key_,
-      &domain_bound_cert_,
+      host, &channel_id_key_,
       base::Bind(&Core::OnGetChannelIDComplete, base::Unretained(this)),
-      &domain_bound_cert_request_handle_);
+      &channel_id_request_handle_);
 
   if (rv != ERR_IO_PENDING && !OnNSSTaskRunner()) {
     nss_task_runner_->PostTask(
         FROM_HERE,
         base::Bind(&Core::OnHandshakeIOComplete, this, rv));
     return ERR_IO_PENDING;
   }
 
   return rv;
 }
@@ skipping 954 matching lines @@
 scoped_refptr<X509Certificate>
 SSLClientSocketNSS::GetUnverifiedServerCertificateChain() const {
   return core_->state().server_cert.get();
 }
 
 ChannelIDService* SSLClientSocketNSS::GetChannelIDService() const {
   return channel_id_service_;
 }
 
 }  // namespace net