| OLD | NEW |
| 1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/ssl/client_cert_store_nss.h" | 5 #include "net/ssl/client_cert_store_nss.h" |
| 6 | 6 |
| 7 #include <nss.h> | 7 #include <nss.h> |
| 8 #include <ssl.h> | 8 #include <ssl.h> |
| 9 | 9 |
| 10 #include "base/bind.h" | 10 #include "base/bind.h" |
| 11 #include "base/bind_helpers.h" |
| 11 #include "base/location.h" | 12 #include "base/location.h" |
| 12 #include "base/logging.h" | 13 #include "base/logging.h" |
| 13 #include "base/memory/scoped_ptr.h" | 14 #include "base/memory/scoped_ptr.h" |
| 14 #include "base/strings/string_piece.h" | 15 #include "base/strings/string_piece.h" |
| 15 #include "base/threading/worker_pool.h" | 16 #include "base/threading/worker_pool.h" |
| 16 #include "crypto/nss_crypto_module_delegate.h" | 17 #include "crypto/nss_crypto_module_delegate.h" |
| 17 #include "net/cert/x509_util.h" | 18 #include "net/cert/x509_util.h" |
| 19 #include "net/ssl/ssl_cert_request_info.h" |
| 18 | 20 |
| 19 namespace net { | 21 namespace net { |
| 20 | 22 |
| 21 ClientCertStoreNSS::ClientCertStoreNSS( | 23 ClientCertStoreNSS::ClientCertStoreNSS( |
| 22 const PasswordDelegateFactory& password_delegate_factory) | 24 const PasswordDelegateFactory& password_delegate_factory) |
| 23 : password_delegate_factory_(password_delegate_factory) {} | 25 : password_delegate_factory_(password_delegate_factory) {} |
| 24 | 26 |
| 25 ClientCertStoreNSS::~ClientCertStoreNSS() {} | 27 ClientCertStoreNSS::~ClientCertStoreNSS() {} |
| 26 | 28 |
| 27 void ClientCertStoreNSS::GetClientCerts(const SSLCertRequestInfo& request, | 29 void ClientCertStoreNSS::GetClientCerts(const SSLCertRequestInfo& request, |
| 28 CertificateList* selected_certs, | 30 CertificateList* selected_certs, |
| 29 const base::Closure& callback) { | 31 const base::Closure& callback) { |
| 30 scoped_ptr<crypto::CryptoModuleBlockingPasswordDelegate> password_delegate; | 32 scoped_ptr<crypto::CryptoModuleBlockingPasswordDelegate> password_delegate; |
| 31 if (!password_delegate_factory_.is_null()) { | 33 if (!password_delegate_factory_.is_null()) { |
| 32 password_delegate.reset( | 34 password_delegate.reset( |
| 33 password_delegate_factory_.Run(request.host_and_port)); | 35 password_delegate_factory_.Run(request.host_and_port)); |
| 34 } | 36 } |
| 35 if (base::WorkerPool::PostTaskAndReply( | 37 if (base::WorkerPool::PostTaskAndReply( |
| 36 FROM_HERE, | 38 FROM_HERE, |
| 37 base::Bind(&ClientCertStoreNSS::GetClientCertsOnWorkerThread, | 39 base::Bind(&ClientCertStoreNSS::GetAndFilterCertsOnWorkerThread, |
| 38 // Caller is responsible for keeping the ClientCertStore | 40 // Caller is responsible for keeping the ClientCertStore |
| 39 // alive until the callback is run. | 41 // alive until the callback is run. |
| 40 base::Unretained(this), | 42 base::Unretained(this), base::Passed(&password_delegate), |
| 41 base::Passed(&password_delegate), | 43 &request, selected_certs), |
| 42 &request, | 44 callback, true)) { |
| 43 selected_certs), | |
| 44 callback, | |
| 45 true)) | |
| 46 return; | 45 return; |
| 46 } |
| 47 // If the task could not be posted, behave as if there were no certificates |
| 48 // which requires to clear |selected_certs|. |
| 47 selected_certs->clear(); | 49 selected_certs->clear(); |
| 48 callback.Run(); | 50 callback.Run(); |
| 49 } | 51 } |
| 50 | 52 |
| 51 void ClientCertStoreNSS::GetClientCertsImpl(CERTCertList* cert_list, | 53 // static |
| 52 const SSLCertRequestInfo& request, | 54 void ClientCertStoreNSS::FilterCertsOnWorkerThread( |
| 53 bool query_nssdb, | 55 const CertificateList& certs, |
| 54 CertificateList* selected_certs) { | 56 const SSLCertRequestInfo& request, |
| 55 DCHECK(cert_list); | 57 bool query_nssdb, |
| 56 DCHECK(selected_certs); | 58 CertificateList* filtered_certs) { |
| 59 DCHECK(filtered_certs); |
| 57 | 60 |
| 58 selected_certs->clear(); | 61 filtered_certs->clear(); |
| 59 | 62 |
| 60 // Create a "fake" CERTDistNames structure. No public API exists to create | 63 // Create a "fake" CERTDistNames structure. No public API exists to create |
| 61 // one from a list of issuers. | 64 // one from a list of issuers. |
| 62 CERTDistNames ca_names; | 65 CERTDistNames ca_names; |
| 63 ca_names.arena = NULL; | 66 ca_names.arena = NULL; |
| 64 ca_names.nnames = 0; | 67 ca_names.nnames = 0; |
| 65 ca_names.names = NULL; | 68 ca_names.names = NULL; |
| 66 ca_names.head = NULL; | 69 ca_names.head = NULL; |
| 67 | 70 |
| 68 std::vector<SECItem> ca_names_items(request.cert_authorities.size()); | 71 std::vector<SECItem> ca_names_items(request.cert_authorities.size()); |
| 69 for (size_t i = 0; i < request.cert_authorities.size(); ++i) { | 72 for (size_t i = 0; i < request.cert_authorities.size(); ++i) { |
| 70 const std::string& authority = request.cert_authorities[i]; | 73 const std::string& authority = request.cert_authorities[i]; |
| 71 ca_names_items[i].type = siBuffer; | 74 ca_names_items[i].type = siBuffer; |
| 72 ca_names_items[i].data = | 75 ca_names_items[i].data = |
| 73 reinterpret_cast<unsigned char*>(const_cast<char*>(authority.data())); | 76 reinterpret_cast<unsigned char*>(const_cast<char*>(authority.data())); |
| 74 ca_names_items[i].len = static_cast<unsigned int>(authority.size()); | 77 ca_names_items[i].len = static_cast<unsigned int>(authority.size()); |
| 75 } | 78 } |
| 76 ca_names.nnames = static_cast<int>(ca_names_items.size()); | 79 ca_names.nnames = static_cast<int>(ca_names_items.size()); |
| 77 if (!ca_names_items.empty()) | 80 if (!ca_names_items.empty()) |
| 78 ca_names.names = &ca_names_items[0]; | 81 ca_names.names = &ca_names_items[0]; |
| 79 | 82 |
| 80 size_t num_raw = 0; | 83 size_t num_raw = 0; |
| 81 for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list); | 84 for (const auto& cert : certs) { |
| 82 !CERT_LIST_END(node, cert_list); | |
| 83 node = CERT_LIST_NEXT(node)) { | |
| 84 ++num_raw; | 85 ++num_raw; |
| 86 X509Certificate::OSCertHandle handle = cert->os_cert_handle(); |
| 87 |
| 85 // Only offer unexpired certificates. | 88 // Only offer unexpired certificates. |
| 86 if (CERT_CheckCertValidTimes(node->cert, PR_Now(), PR_TRUE) != | 89 if (CERT_CheckCertValidTimes(handle, PR_Now(), PR_TRUE) != |
| 87 secCertTimeValid) { | 90 secCertTimeValid) { |
| 88 DVLOG(2) << "skipped expired cert: " | 91 DVLOG(2) << "skipped expired cert: " |
| 89 << base::StringPiece(node->cert->nickname); | 92 << base::StringPiece(handle->nickname); |
| 90 continue; | 93 continue; |
| 91 } | 94 } |
| 92 | 95 |
| 93 scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromHandle( | |
| 94 node->cert, X509Certificate::OSCertHandles()); | |
| 95 | |
| 96 // Check if the certificate issuer is allowed by the server. | 96 // Check if the certificate issuer is allowed by the server. |
| 97 if (request.cert_authorities.empty() || | 97 if (request.cert_authorities.empty() || |
| 98 (!query_nssdb && | 98 (!query_nssdb && cert->IsIssuedByEncoded(request.cert_authorities)) || |
| 99 cert->IsIssuedByEncoded(request.cert_authorities)) || | |
| 100 (query_nssdb && | 99 (query_nssdb && |
| 101 NSS_CmpCertChainWCANames(node->cert, &ca_names) == SECSuccess)) { | 100 NSS_CmpCertChainWCANames(handle, &ca_names) == SECSuccess)) { |
| 102 DVLOG(2) << "matched cert: " << base::StringPiece(node->cert->nickname); | 101 DVLOG(2) << "matched cert: " << base::StringPiece(handle->nickname); |
| 103 selected_certs->push_back(cert); | 102 filtered_certs->push_back(cert); |
| 103 } else { |
| 104 DVLOG(2) << "skipped non-matching cert: " |
| 105 << base::StringPiece(handle->nickname); |
| 104 } | 106 } |
| 105 else | |
| 106 DVLOG(2) << "skipped non-matching cert: " | |
| 107 << base::StringPiece(node->cert->nickname); | |
| 108 } | 107 } |
| 109 DVLOG(2) << "num_raw:" << num_raw | 108 DVLOG(2) << "num_raw:" << num_raw |
| 110 << " num_selected:" << selected_certs->size(); | 109 << " num_filtered:" << filtered_certs->size(); |
| 111 | 110 |
| 112 std::sort(selected_certs->begin(), selected_certs->end(), | 111 std::sort(filtered_certs->begin(), filtered_certs->end(), |
| 113 x509_util::ClientCertSorter()); | 112 x509_util::ClientCertSorter()); |
| 114 } | 113 } |
| 115 | 114 |
| 116 void ClientCertStoreNSS::GetClientCertsOnWorkerThread( | 115 void ClientCertStoreNSS::GetAndFilterCertsOnWorkerThread( |
| 117 scoped_ptr<crypto::CryptoModuleBlockingPasswordDelegate> password_delegate, | 116 scoped_ptr<crypto::CryptoModuleBlockingPasswordDelegate> password_delegate, |
| 118 const SSLCertRequestInfo* request, | 117 const SSLCertRequestInfo* request, |
| 119 CertificateList* selected_certs) { | 118 CertificateList* selected_certs) { |
| 120 CERTCertList* client_certs = CERT_FindUserCertsByUsage( | 119 CertificateList platform_certs; |
| 121 CERT_GetDefaultCertDB(), | 120 GetPlatformCertsOnWorkerThread(password_delegate.Pass(), &platform_certs); |
| 122 certUsageSSLClient, | 121 FilterCertsOnWorkerThread(platform_certs, *request, true, selected_certs); |
| 123 PR_FALSE, | 122 } |
| 124 PR_FALSE, | 123 |
| 125 password_delegate.get()); | 124 // static |
| 126 // It is ok for a user not to have any client certs. | 125 void ClientCertStoreNSS::GetPlatformCertsOnWorkerThread( |
| 127 if (!client_certs) { | 126 scoped_ptr<crypto::CryptoModuleBlockingPasswordDelegate> password_delegate, |
| 127 net::CertificateList* certs) { |
| 128 CERTCertList* found_certs = |
| 129 CERT_FindUserCertsByUsage(CERT_GetDefaultCertDB(), certUsageSSLClient, |
| 130 PR_FALSE, PR_FALSE, password_delegate.get()); |
| 131 if (!found_certs) { |
| 128 DVLOG(2) << "No client certs found."; | 132 DVLOG(2) << "No client certs found."; |
| 129 selected_certs->clear(); | |
| 130 return; | 133 return; |
| 131 } | 134 } |
| 132 | 135 for (CERTCertListNode* node = CERT_LIST_HEAD(found_certs); |
| 133 GetClientCertsImpl(client_certs, *request, true, selected_certs); | 136 !CERT_LIST_END(node, found_certs); node = CERT_LIST_NEXT(node)) { |
| 134 CERT_DestroyCertList(client_certs); | 137 certs->push_back(X509Certificate::CreateFromHandle( |
| 135 } | 138 node->cert, X509Certificate::OSCertHandles())); |
| 136 | |
| 137 bool ClientCertStoreNSS::SelectClientCertsForTesting( | |
| 138 const CertificateList& input_certs, | |
| 139 const SSLCertRequestInfo& request, | |
| 140 CertificateList* selected_certs) { | |
| 141 CERTCertList* cert_list = CERT_NewCertList(); | |
| 142 if (!cert_list) | |
| 143 return false; | |
| 144 for (size_t i = 0; i < input_certs.size(); ++i) { | |
| 145 CERT_AddCertToListTail( | |
| 146 cert_list, CERT_DupCertificate(input_certs[i]->os_cert_handle())); | |
| 147 } | 139 } |
| 148 | 140 CERT_DestroyCertList(found_certs); |
| 149 GetClientCertsImpl(cert_list, request, false, selected_certs); | |
| 150 CERT_DestroyCertList(cert_list); | |
| 151 return true; | |
| 152 } | 141 } |
| 153 | 142 |
| 154 } // namespace net | 143 } // namespace net |
| OLD | NEW |