Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(595)

Unified Diff: net/ssl/client_cert_store_nss.cc

Issue 112533002: Add ClientCertStoreChromeOS which only returns the certs for a given user. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: explicits Created 7 years ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « net/ssl/client_cert_store_nss.h ('k') | no next file » | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/ssl/client_cert_store_nss.cc
diff --git a/net/ssl/client_cert_store_nss.cc b/net/ssl/client_cert_store_nss.cc
index 9df561271c765c19fa07dd7fe1dd1a7ea4dd753d..1b44bce92daf1c346137b8385aff5d8973cb555b 100644
--- a/net/ssl/client_cert_store_nss.cc
+++ b/net/ssl/client_cert_store_nss.cc
@@ -11,23 +11,47 @@
#include "base/location.h"
#include "base/logging.h"
#include "base/memory/scoped_ptr.h"
+#include "base/strings/string_piece.h"
#include "base/threading/worker_pool.h"
#include "crypto/nss_crypto_module_delegate.h"
#include "net/cert/x509_util.h"
namespace net {
-namespace {
-
-// Examines the certificates in |cert_list| to find all certificates that match
-// the client certificate request in |request|, storing the matching
-// certificates in |selected_certs|.
-// If |query_nssdb| is true, NSS will be queried to construct full certificate
-// chains. If it is false, only the certificate will be considered.
-void GetClientCertsImpl(CERTCertList* cert_list,
- const SSLCertRequestInfo& request,
- bool query_nssdb,
- CertificateList* selected_certs) {
+ClientCertStoreNSS::ClientCertStoreNSS(
+ const PasswordDelegateFactory& password_delegate_factory)
+ : password_delegate_factory_(password_delegate_factory) {}
+
+ClientCertStoreNSS::~ClientCertStoreNSS() {}
+
+void ClientCertStoreNSS::GetClientCerts(const SSLCertRequestInfo& request,
+ CertificateList* selected_certs,
+ const base::Closure& callback) {
+ scoped_ptr<crypto::CryptoModuleBlockingPasswordDelegate> password_delegate;
+ if (!password_delegate_factory_.is_null()) {
+ password_delegate.reset(
+ password_delegate_factory_.Run(request.host_and_port));
+ }
+ if (base::WorkerPool::PostTaskAndReply(
+ FROM_HERE,
+ base::Bind(&ClientCertStoreNSS::GetClientCertsOnWorkerThread,
+ // Caller is responsible for keeping the ClientCertStore
+ // alive until the callback is run.
+ base::Unretained(this),
+ base::Passed(&password_delegate),
+ &request,
+ selected_certs),
+ callback,
+ true))
+ return;
+ selected_certs->clear();
+ callback.Run();
+}
+
+void ClientCertStoreNSS::GetClientCertsImpl(CERTCertList* cert_list,
+ const SSLCertRequestInfo& request,
+ bool query_nssdb,
+ CertificateList* selected_certs) {
DCHECK(cert_list);
DCHECK(selected_certs);
@@ -53,12 +77,16 @@ void GetClientCertsImpl(CERTCertList* cert_list,
if (!ca_names_items.empty())
ca_names.names = &ca_names_items[0];
+ size_t num_raw = 0;
for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list);
!CERT_LIST_END(node, cert_list);
node = CERT_LIST_NEXT(node)) {
+ ++num_raw;
// Only offer unexpired certificates.
if (CERT_CheckCertValidTimes(node->cert, PR_Now(), PR_TRUE) !=
secCertTimeValid) {
+ DVLOG(2) << "skipped expired cert: "
+ << base::StringPiece(node->cert->nickname);
continue;
}
@@ -71,15 +99,21 @@ void GetClientCertsImpl(CERTCertList* cert_list,
cert->IsIssuedByEncoded(request.cert_authorities)) ||
(query_nssdb &&
NSS_CmpCertChainWCANames(node->cert, &ca_names) == SECSuccess)) {
+ DVLOG(2) << "matched cert: " << base::StringPiece(node->cert->nickname);
selected_certs->push_back(cert);
}
+ else
+ DVLOG(2) << "skipped non-matching cert: "
+ << base::StringPiece(node->cert->nickname);
}
+ DVLOG(2) << "num_raw:" << num_raw
+ << " num_selected:" << selected_certs->size();
std::sort(selected_certs->begin(), selected_certs->end(),
x509_util::ClientCertSorter());
}
-void GetClientCertsOnWorkerThread(
+void ClientCertStoreNSS::GetClientCertsOnWorkerThread(
scoped_ptr<crypto::CryptoModuleBlockingPasswordDelegate> password_delegate,
const SSLCertRequestInfo* request,
CertificateList* selected_certs) {
@@ -91,6 +125,7 @@ void GetClientCertsOnWorkerThread(
password_delegate.get());
// It is ok for a user not to have any client certs.
if (!client_certs) {
+ DVLOG(2) << "No client certs found.";
selected_certs->clear();
return;
}
@@ -99,35 +134,6 @@ void GetClientCertsOnWorkerThread(
CERT_DestroyCertList(client_certs);
}
-} // namespace
-
-ClientCertStoreNSS::ClientCertStoreNSS(
- const PasswordDelegateFactory& password_delegate_factory)
- : password_delegate_factory_(password_delegate_factory) {}
-
-ClientCertStoreNSS::~ClientCertStoreNSS() {}
-
-void ClientCertStoreNSS::GetClientCerts(const SSLCertRequestInfo& request,
- CertificateList* selected_certs,
- const base::Closure& callback) {
- scoped_ptr<crypto::CryptoModuleBlockingPasswordDelegate> password_delegate;
- if (!password_delegate_factory_.is_null()) {
- password_delegate.reset(
- password_delegate_factory_.Run(request.host_and_port));
- }
- if (!base::WorkerPool::PostTaskAndReply(
- FROM_HERE,
- base::Bind(&GetClientCertsOnWorkerThread,
- base::Passed(&password_delegate),
- &request,
- selected_certs),
- callback,
- true)) {
- selected_certs->clear();
- callback.Run();
- }
-}
-
bool ClientCertStoreNSS::SelectClientCertsForTesting(
const CertificateList& input_certs,
const SSLCertRequestInfo& request,
« no previous file with comments | « net/ssl/client_cert_store_nss.h ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698