Move client certificates retrieval logic out of the SSL sockets.

net/base/x509_certificate_mac.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/x509_certificate.h"
 
 #include <CommonCrypto/CommonDigest.h>
 #include <CoreServices/CoreServices.h>
 #include <Security/Security.h>
 #include <time.h>
@@ skipping 694 matching lines @@
   if (status == CSSM_OK && key_usage.field()) {
     const CSSM_X509_EXTENSION* ext = key_usage.GetAs<CSSM_X509_EXTENSION>();
     const CE_ExtendedKeyUsage* ext_key_usage =
         reinterpret_cast<const CE_ExtendedKeyUsage*>(ext->value.parsedValue);
     if (!ExtendedKeyUsageAllows(ext_key_usage, &CSSMOID_ClientAuth))
       return false;
   }
   return true;
 }
 
-bool X509Certificate::IsIssuedBy(
-    const std::vector<CertPrincipal>& valid_issuers) {
-  // Get the cert's issuer chain.
-  CFArrayRef cert_chain = NULL;
-  OSStatus result = CopyCertChain(os_cert_handle(), &cert_chain);
-  if (result)
-    return false;
-  ScopedCFTypeRef<CFArrayRef> scoped_cert_chain(cert_chain);
-
-  // Check all the certs in the chain for a match.
-  int n = CFArrayGetCount(cert_chain);
-  for (int i = 0; i < n; ++i) {
-    SecCertificateRef cert_handle = reinterpret_cast<SecCertificateRef>(
-        const_cast<void*>(CFArrayGetValueAtIndex(cert_chain, i)));
-    scoped_refptr<X509Certificate> cert(X509Certificate::CreateFromHandle(
-        cert_handle, X509Certificate::OSCertHandles()));
-    for (unsigned j = 0; j < valid_issuers.size(); j++) {
-      if (cert->issuer().Matches(valid_issuers[j]))
-        return true;
-    }
-  }
-  return false;
-}
-
-// static
-bool X509Certificate::GetSSLClientCertificates(
-    const std::string& server_domain,
-    const std::vector<CertPrincipal>& valid_issuers,
-    CertificateList* certs) {
-  ScopedCFTypeRef<SecIdentityRef> preferred_identity;
-  if (!server_domain.empty()) {
-    // See if there's an identity preference for this domain:
-    ScopedCFTypeRef<CFStringRef> domain_str(
-        base::SysUTF8ToCFStringRef("https://" + server_domain));
-    SecIdentityRef identity = NULL;
-    // While SecIdentityCopyPreferences appears to take a list of CA issuers
-    // to restrict the identity search to, within Security.framework the
-    // argument is ignored and filtering unimplemented. See
-    // SecIdentity.cpp in libsecurity_keychain, specifically
-    // _SecIdentityCopyPreferenceMatchingName().
-    {
-      base::AutoLock lock(crypto::GetMacSecurityServicesLock());
-      if (SecIdentityCopyPreference(domain_str, 0, NULL, &identity) == noErr)
-        preferred_identity.reset(identity);
-    }
-  }
-
-  // Now enumerate the identities in the available keychains.
-  SecIdentitySearchRef search = NULL;
-  OSStatus err;
-  {
-    base::AutoLock lock(crypto::GetMacSecurityServicesLock());
-    err = SecIdentitySearchCreate(NULL, CSSM_KEYUSE_SIGN, &search);
-  }
-  if (err)
-    return false;
-  ScopedCFTypeRef<SecIdentitySearchRef> scoped_search(search);
-  while (!err) {
-    SecIdentityRef identity = NULL;
-    {
-      base::AutoLock lock(crypto::GetMacSecurityServicesLock());
-      err = SecIdentitySearchCopyNext(search, &identity);
-    }
-    if (err)
-      break;
-    ScopedCFTypeRef<SecIdentityRef> scoped_identity(identity);
-
-    SecCertificateRef cert_handle;
-    err = SecIdentityCopyCertificate(identity, &cert_handle);
-    if (err != noErr)
-      continue;
-    ScopedCFTypeRef<SecCertificateRef> scoped_cert_handle(cert_handle);
-
-    scoped_refptr<X509Certificate> cert(
-        CreateFromHandle(cert_handle, OSCertHandles()));
-    if (cert->HasExpired() || !cert->SupportsSSLClientAuth())
-      continue;
-
-    // Skip duplicates (a cert may be in multiple keychains).
-    const SHA1HashValue& fingerprint = cert->fingerprint();
-    unsigned i;
-    for (i = 0; i < certs->size(); ++i) {
-      if ((*certs)[i]->fingerprint().Equals(fingerprint))
-        break;
-    }
-    if (i < certs->size())
-      continue;
-
-    bool is_preferred = preferred_identity &&
-        CFEqual(preferred_identity, identity);
-
-    // Make sure the issuer matches valid_issuers, if given.
-    if (!valid_issuers.empty() && !cert->IsIssuedBy(valid_issuers))
-      continue;
-
-    // The cert passes, so add it to the vector.
-    // If it's the preferred identity, add it at the start (so it'll be
-    // selected by default in the UI.)
-    if (is_preferred)
-      certs->insert(certs->begin(), cert);
-    else
-      certs->push_back(cert);
-  }
-
-  if (err != errSecItemNotFound) {
-    OSSTATUS_LOG(ERROR, err) << "SecIdentitySearch error";
-    return false;
-  }
-  return true;
-}
-
 CFArrayRef X509Certificate::CreateClientCertificateChain() const {
   // Initialize the result array with just the IdentityRef of the receiver:
   SecIdentityRef identity;
   OSStatus result;
   {
     base::AutoLock lock(crypto::GetMacSecurityServicesLock());
     result = SecIdentityCreateWithCertificate(NULL, cert_handle_, &identity);
   }
   if (result) {
     OSSTATUS_LOG(ERROR, result) << "SecIdentityCreateWithCertificate error";
@@ skipping 100 matching lines @@
       *type = kPublicKeyTypeDH;
       break;
     default:
       *type = kPublicKeyTypeUnknown;
       *size_bits = 0;
       break;
   }
 }
 
 }  // namespace net