Chromium Code Reviews Chromium Code Reviews
Issue 1076063002:
Remove certificates from Channel ID (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived | 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived |
| 6 // from AuthCertificateCallback() in | 6 // from AuthCertificateCallback() in |
| 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. | 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. |
| 8 | 8 |
| 9 /* ***** BEGIN LICENSE BLOCK ***** | 9 /* ***** BEGIN LICENSE BLOCK ***** |
| 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 | 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 |
| (...skipping 92 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 103 #include "net/cert_net/nss_ocsp.h" | 103 #include "net/cert_net/nss_ocsp.h" |
| 104 #include "net/http/transport_security_state.h" | 104 #include "net/http/transport_security_state.h" |
| 105 #include "net/log/net_log.h" | 105 #include "net/log/net_log.h" |
| 106 #include "net/socket/client_socket_handle.h" | 106 #include "net/socket/client_socket_handle.h" |
| 107 #include "net/socket/nss_ssl_util.h" | 107 #include "net/socket/nss_ssl_util.h" |
| 108 #include "net/ssl/ssl_cert_request_info.h" | 108 #include "net/ssl/ssl_cert_request_info.h" |
| 109 #include "net/ssl/ssl_cipher_suite_names.h" | 109 #include "net/ssl/ssl_cipher_suite_names.h" |
| 110 #include "net/ssl/ssl_connection_status_flags.h" | 110 #include "net/ssl/ssl_connection_status_flags.h" |
| 111 #include "net/ssl/ssl_info.h" | 111 #include "net/ssl/ssl_info.h" |
| 112 | 112 |
| 113 #if defined(USE_NSS_CERTS) | 113 #if defined(USE_NSS_CERTS) |
|
mattm
2015/04/27 20:55:53
When updating, it's generally appreciated to uploa
nharper
2015/04/29 22:07:15
I'll keep that in mind for future updates.
| |
| 114 #include <dlfcn.h> | 114 #include <dlfcn.h> |
| 115 #endif | 115 #endif |
| 116 | 116 |
| 117 namespace net { | 117 namespace net { |
| 118 | 118 |
| 119 // State machines are easier to debug if you log state transitions. | 119 // State machines are easier to debug if you log state transitions. |
| 120 // Enable these if you want to see what's going on. | 120 // Enable these if you want to see what's going on. |
| 121 #if 1 | 121 #if 1 |
| 122 #define EnterFunction(x) | 122 #define EnterFunction(x) |
| 123 #define LeaveFunction(x) | 123 #define LeaveFunction(x) |
| (...skipping 615 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 739 | 739 |
| 740 // The underlying transport to use for network IO. | 740 // The underlying transport to use for network IO. |
| 741 ClientSocketHandle* transport_; | 741 ClientSocketHandle* transport_; |
| 742 base::WeakPtrFactory<BoundNetLog> weak_net_log_factory_; | 742 base::WeakPtrFactory<BoundNetLog> weak_net_log_factory_; |
| 743 | 743 |
| 744 // The current handshake state. Mirrors |nss_handshake_state_|. | 744 // The current handshake state. Mirrors |nss_handshake_state_|. |
| 745 HandshakeState network_handshake_state_; | 745 HandshakeState network_handshake_state_; |
| 746 | 746 |
| 747 // The service for retrieving Channel ID keys. May be NULL. | 747 // The service for retrieving Channel ID keys. May be NULL. |
| 748 ChannelIDService* channel_id_service_; | 748 ChannelIDService* channel_id_service_; |
| 749 ChannelIDService::RequestHandle domain_bound_cert_request_handle_; | 749 ChannelIDService::RequestHandle channel_id_request_handle_; |
| 750 | 750 |
| 751 // The information about NSS task runner. | 751 // The information about NSS task runner. |
| 752 int unhandled_buffer_size_; | 752 int unhandled_buffer_size_; |
| 753 bool nss_waiting_read_; | 753 bool nss_waiting_read_; |
| 754 bool nss_waiting_write_; | 754 bool nss_waiting_write_; |
| 755 bool nss_is_closed_; | 755 bool nss_is_closed_; |
| 756 | 756 |
| 757 // Set when Read() or Write() successfully reads or writes data to or from the | 757 // Set when Read() or Write() successfully reads or writes data to or from the |
| 758 // network. | 758 // network. |
| 759 bool was_ever_used_; | 759 bool was_ever_used_; |
| (...skipping 64 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 824 scoped_refptr<base::SequencedTaskRunner> nss_task_runner_; | 824 scoped_refptr<base::SequencedTaskRunner> nss_task_runner_; |
| 825 | 825 |
| 826 // Dereferenced only on the network task runner, but bound to tasks destined | 826 // Dereferenced only on the network task runner, but bound to tasks destined |
| 827 // for the network task runner from the NSS task runner. | 827 // for the network task runner from the NSS task runner. |
| 828 base::WeakPtr<BoundNetLog> weak_net_log_; | 828 base::WeakPtr<BoundNetLog> weak_net_log_; |
| 829 | 829 |
| 830 // Written on the network task runner by the |channel_id_service_|, | 830 // Written on the network task runner by the |channel_id_service_|, |
| 831 // prior to invoking OnHandshakeIOComplete. | 831 // prior to invoking OnHandshakeIOComplete. |
| 832 // Read on the NSS task runner when once OnHandshakeIOComplete is invoked | 832 // Read on the NSS task runner when once OnHandshakeIOComplete is invoked |
| 833 // on the NSS task runner. | 833 // on the NSS task runner. |
| 834 std::string domain_bound_private_key_; | 834 scoped_ptr<crypto::ECPrivateKey> channel_id_key_; |
| 835 std::string domain_bound_cert_; | |
| 836 | 835 |
| 837 DISALLOW_COPY_AND_ASSIGN(Core); | 836 DISALLOW_COPY_AND_ASSIGN(Core); |
| 838 }; | 837 }; |
| 839 | 838 |
| 840 SSLClientSocketNSS::Core::Core( | 839 SSLClientSocketNSS::Core::Core( |
| 841 base::SequencedTaskRunner* network_task_runner, | 840 base::SequencedTaskRunner* network_task_runner, |
| 842 base::SequencedTaskRunner* nss_task_runner, | 841 base::SequencedTaskRunner* nss_task_runner, |
| 843 ClientSocketHandle* transport, | 842 ClientSocketHandle* transport, |
| 844 const HostPortPair& host_and_port, | 843 const HostPortPair& host_and_port, |
| 845 const SSLConfig& ssl_config, | 844 const SSLConfig& ssl_config, |
| (...skipping 148 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 994 | 993 |
| 995 void SSLClientSocketNSS::Core::Detach() { | 994 void SSLClientSocketNSS::Core::Detach() { |
| 996 DCHECK(OnNetworkTaskRunner()); | 995 DCHECK(OnNetworkTaskRunner()); |
| 997 | 996 |
| 998 detached_ = true; | 997 detached_ = true; |
| 999 transport_ = NULL; | 998 transport_ = NULL; |
| 1000 weak_net_log_factory_.InvalidateWeakPtrs(); | 999 weak_net_log_factory_.InvalidateWeakPtrs(); |
| 1001 | 1000 |
| 1002 network_handshake_state_.Reset(); | 1001 network_handshake_state_.Reset(); |
| 1003 | 1002 |
| 1004 domain_bound_cert_request_handle_.Cancel(); | 1003 channel_id_request_handle_.Cancel(); |
| 1005 } | 1004 } |
| 1006 | 1005 |
| 1007 int SSLClientSocketNSS::Core::Read(IOBuffer* buf, int buf_len, | 1006 int SSLClientSocketNSS::Core::Read(IOBuffer* buf, int buf_len, |
| 1008 const CompletionCallback& callback) { | 1007 const CompletionCallback& callback) { |
| 1009 if (!OnNSSTaskRunner()) { | 1008 if (!OnNSSTaskRunner()) { |
| 1010 DCHECK(OnNetworkTaskRunner()); | 1009 DCHECK(OnNetworkTaskRunner()); |
| 1011 DCHECK(!detached_); | 1010 DCHECK(!detached_); |
| 1012 DCHECK(transport_); | 1011 DCHECK(transport_); |
| 1013 DCHECK(!nss_waiting_read_); | 1012 DCHECK(!nss_waiting_read_); |
| 1014 | 1013 |
| (...skipping 971 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1986 rv = SECFailure; | 1985 rv = SECFailure; |
| 1987 } else { | 1986 } else { |
| 1988 rv = SECFailure; | 1987 rv = SECFailure; |
| 1989 } | 1988 } |
| 1990 | 1989 |
| 1991 return rv; | 1990 return rv; |
| 1992 } | 1991 } |
| 1993 | 1992 |
| 1994 int SSLClientSocketNSS::Core::ImportChannelIDKeys(SECKEYPublicKey** public_key, | 1993 int SSLClientSocketNSS::Core::ImportChannelIDKeys(SECKEYPublicKey** public_key, |
| 1995 SECKEYPrivateKey** key) { | 1994 SECKEYPrivateKey** key) { |
| 1996 // Set the certificate. | 1995 if (!channel_id_key_) |
| 1997 SECItem cert_item; | 1996 return SECFailure; |
| 1998 cert_item.data = (unsigned char*) domain_bound_cert_.data(); | |
| 1999 cert_item.len = domain_bound_cert_.size(); | |
| 2000 ScopedCERTCertificate cert(CERT_NewTempCertificate(CERT_GetDefaultCertDB(), | |
| 2001 &cert_item, | |
| 2002 NULL, | |
| 2003 PR_FALSE, | |
| 2004 PR_TRUE)); | |
| 2005 if (cert == NULL) | |
| 2006 return MapNSSError(PORT_GetError()); | |
| 2007 | 1997 |
| 2008 crypto::ScopedPK11Slot slot(PK11_GetInternalSlot()); | 1998 *public_key = SECKEY_CopyPublicKey(channel_id_key_->public_key()); |
| 2009 // Set the private key. | 1999 *key = SECKEY_CopyPrivateKey(channel_id_key_->key()); |
| 2010 if (!crypto::ECPrivateKey::ImportFromEncryptedPrivateKeyInfo( | |
| 2011 slot.get(), | |
| 2012 ChannelIDService::kEPKIPassword, | |
| 2013 reinterpret_cast<const unsigned char*>( | |
| 2014 domain_bound_private_key_.data()), | |
| 2015 domain_bound_private_key_.size(), | |
| 2016 &cert->subjectPublicKeyInfo, | |
| 2017 false, | |
| 2018 false, | |
| 2019 key, | |
| 2020 public_key)) { | |
| 2021 int error = MapNSSError(PORT_GetError()); | |
| 2022 return error; | |
| 2023 } | |
| 2024 | 2000 |
| 2025 return OK; | 2001 return OK; |
| 2026 } | 2002 } |
| 2027 | 2003 |
| 2028 void SSLClientSocketNSS::Core::UpdateServerCert() { | 2004 void SSLClientSocketNSS::Core::UpdateServerCert() { |
| 2029 nss_handshake_state_.server_cert_chain.Reset(nss_fd_); | 2005 nss_handshake_state_.server_cert_chain.Reset(nss_fd_); |
| 2030 nss_handshake_state_.server_cert = X509Certificate::CreateFromDERCertChain( | 2006 nss_handshake_state_.server_cert = X509Certificate::CreateFromDERCertChain( |
| 2031 nss_handshake_state_.server_cert_chain.AsStringPieceVector()); | 2007 nss_handshake_state_.server_cert_chain.AsStringPieceVector()); |
| 2032 if (nss_handshake_state_.server_cert.get()) { | 2008 if (nss_handshake_state_.server_cert.get()) { |
| 2033 // Since this will be called asynchronously on another thread, it needs to | 2009 // Since this will be called asynchronously on another thread, it needs to |
| (...skipping 226 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 2260 | 2236 |
| 2261 int SSLClientSocketNSS::Core::DoGetChannelID(const std::string& host) { | 2237 int SSLClientSocketNSS::Core::DoGetChannelID(const std::string& host) { |
| 2262 DCHECK(OnNetworkTaskRunner()); | 2238 DCHECK(OnNetworkTaskRunner()); |
| 2263 | 2239 |
| 2264 if (detached_) | 2240 if (detached_) |
| 2265 return ERR_ABORTED; | 2241 return ERR_ABORTED; |
| 2266 | 2242 |
| 2267 weak_net_log_->BeginEvent(NetLog::TYPE_SSL_GET_DOMAIN_BOUND_CERT); | 2243 weak_net_log_->BeginEvent(NetLog::TYPE_SSL_GET_DOMAIN_BOUND_CERT); |
| 2268 | 2244 |
| 2269 int rv = channel_id_service_->GetOrCreateChannelID( | 2245 int rv = channel_id_service_->GetOrCreateChannelID( |
| 2270 host, | 2246 host, &channel_id_key_, |
| 2271 &domain_bound_private_key_, | |
| 2272 &domain_bound_cert_, | |
| 2273 base::Bind(&Core::OnGetChannelIDComplete, base::Unretained(this)), | 2247 base::Bind(&Core::OnGetChannelIDComplete, base::Unretained(this)), |
| 2274 &domain_bound_cert_request_handle_); | 2248 &channel_id_request_handle_); |
| 2275 | 2249 |
| 2276 if (rv != ERR_IO_PENDING && !OnNSSTaskRunner()) { | 2250 if (rv != ERR_IO_PENDING && !OnNSSTaskRunner()) { |
| 2277 nss_task_runner_->PostTask( | 2251 nss_task_runner_->PostTask( |
| 2278 FROM_HERE, | 2252 FROM_HERE, |
| 2279 base::Bind(&Core::OnHandshakeIOComplete, this, rv)); | 2253 base::Bind(&Core::OnHandshakeIOComplete, this, rv)); |
| 2280 return ERR_IO_PENDING; | 2254 return ERR_IO_PENDING; |
| 2281 } | 2255 } |
| 2282 | 2256 |
| 2283 return rv; | 2257 return rv; |
| 2284 } | 2258 } |
| (...skipping 953 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 3238 scoped_refptr<X509Certificate> | 3212 scoped_refptr<X509Certificate> |
| 3239 SSLClientSocketNSS::GetUnverifiedServerCertificateChain() const { | 3213 SSLClientSocketNSS::GetUnverifiedServerCertificateChain() const { |
| 3240 return core_->state().server_cert.get(); | 3214 return core_->state().server_cert.get(); |
| 3241 } | 3215 } |
| 3242 | 3216 |
| 3243 ChannelIDService* SSLClientSocketNSS::GetChannelIDService() const { | 3217 ChannelIDService* SSLClientSocketNSS::GetChannelIDService() const { |
| 3244 return channel_id_service_; | 3218 return channel_id_service_; |
| 3245 } | 3219 } |
| 3246 | 3220 |
| 3247 } // namespace net | 3221 } // namespace net |
| OLD | NEW |
