Chromium Code Reviews Chromium Code Reviews
Issue 1304143010:
Plumbing SSLPrivateKey
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/http/http_network_transaction.h" | 5 #include "net/http/http_network_transaction.h" |
| 6 | 6 |
| 7 #include <set> | 7 #include <set> |
| 8 #include <vector> | 8 #include <vector> |
| 9 | 9 |
| 10 #include "base/bind.h" | 10 #include "base/bind.h" |
| (...skipping 42 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 53 #include "net/socket/client_socket_factory.h" | 53 #include "net/socket/client_socket_factory.h" |
| 54 #include "net/socket/socks_client_socket_pool.h" | 54 #include "net/socket/socks_client_socket_pool.h" |
| 55 #include "net/socket/ssl_client_socket.h" | 55 #include "net/socket/ssl_client_socket.h" |
| 56 #include "net/socket/ssl_client_socket_pool.h" | 56 #include "net/socket/ssl_client_socket_pool.h" |
| 57 #include "net/socket/transport_client_socket_pool.h" | 57 #include "net/socket/transport_client_socket_pool.h" |
| 58 #include "net/spdy/spdy_http_stream.h" | 58 #include "net/spdy/spdy_http_stream.h" |
| 59 #include "net/spdy/spdy_session.h" | 59 #include "net/spdy/spdy_session.h" |
| 60 #include "net/spdy/spdy_session_pool.h" | 60 #include "net/spdy/spdy_session_pool.h" |
| 61 #include "net/ssl/ssl_cert_request_info.h" | 61 #include "net/ssl/ssl_cert_request_info.h" |
| 62 #include "net/ssl/ssl_connection_status_flags.h" | 62 #include "net/ssl/ssl_connection_status_flags.h" |
| 63 #include "net/ssl/ssl_private_key.h" | |
|
davidben
2015/09/25 20:10:11
[THIS one is actually necessary]
svaldez
2015/09/28 16:54:52
Done.
| |
| 63 #include "url/gurl.h" | 64 #include "url/gurl.h" |
| 64 #include "url/url_canon.h" | 65 #include "url/url_canon.h" |
| 65 | 66 |
| 66 namespace net { | 67 namespace net { |
| 67 | 68 |
| 68 namespace { | 69 namespace { |
| 69 | 70 |
| 70 void ProcessAlternativeServices(HttpNetworkSession* session, | 71 void ProcessAlternativeServices(HttpNetworkSession* session, |
| 71 const HttpResponseHeaders& headers, | 72 const HttpResponseHeaders& headers, |
| 72 const HostPortPair& http_host_port_pair) { | 73 const HostPortPair& http_host_port_pair) { |
| (...skipping 139 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 212 | 213 |
| 213 next_state_ = STATE_CREATE_STREAM; | 214 next_state_ = STATE_CREATE_STREAM; |
| 214 | 215 |
| 215 int rv = DoLoop(OK); | 216 int rv = DoLoop(OK); |
| 216 if (rv == ERR_IO_PENDING) | 217 if (rv == ERR_IO_PENDING) |
| 217 callback_ = callback; | 218 callback_ = callback; |
| 218 return rv; | 219 return rv; |
| 219 } | 220 } |
| 220 | 221 |
| 221 int HttpNetworkTransaction::RestartWithCertificate( | 222 int HttpNetworkTransaction::RestartWithCertificate( |
| 222 X509Certificate* client_cert, const CompletionCallback& callback) { | 223 X509Certificate* client_cert, |
| 224 SSLPrivateKey* client_pkey, | |
| 225 const CompletionCallback& callback) { | |
| 223 // In HandleCertificateRequest(), we always tear down existing stream | 226 // In HandleCertificateRequest(), we always tear down existing stream |
| 224 // requests to force a new connection. So we shouldn't have one here. | 227 // requests to force a new connection. So we shouldn't have one here. |
| 225 DCHECK(!stream_request_.get()); | 228 DCHECK(!stream_request_.get()); |
| 226 DCHECK(!stream_.get()); | 229 DCHECK(!stream_.get()); |
| 227 DCHECK_EQ(STATE_NONE, next_state_); | 230 DCHECK_EQ(STATE_NONE, next_state_); |
| 228 | 231 |
| 229 SSLConfig* ssl_config = response_.cert_request_info->is_proxy ? | 232 SSLConfig* ssl_config = response_.cert_request_info->is_proxy ? |
| 230 &proxy_ssl_config_ : &server_ssl_config_; | 233 &proxy_ssl_config_ : &server_ssl_config_; |
| 231 ssl_config->send_client_cert = true; | 234 ssl_config->send_client_cert = true; |
| 232 ssl_config->client_cert = client_cert; | 235 ssl_config->client_cert = client_cert; |
| 236 ssl_config->client_pkey = client_pkey; | |
| 233 session_->ssl_client_auth_cache()->Add( | 237 session_->ssl_client_auth_cache()->Add( |
| 234 response_.cert_request_info->host_and_port, client_cert); | 238 response_.cert_request_info->host_and_port, client_cert, client_pkey); |
| 235 // Reset the other member variables. | 239 // Reset the other member variables. |
| 236 // Note: this is necessary only with SSL renegotiation. | 240 // Note: this is necessary only with SSL renegotiation. |
| 237 ResetStateForRestart(); | 241 ResetStateForRestart(); |
| 238 next_state_ = STATE_CREATE_STREAM; | 242 next_state_ = STATE_CREATE_STREAM; |
| 239 int rv = DoLoop(OK); | 243 int rv = DoLoop(OK); |
| 240 if (rv == ERR_IO_PENDING) | 244 if (rv == ERR_IO_PENDING) |
| 241 callback_ = callback; | 245 callback_ = callback; |
| 242 return rv; | 246 return rv; |
| 243 } | 247 } |
| 244 | 248 |
| (...skipping 962 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1207 } | 1211 } |
| 1208 | 1212 |
| 1209 // The server is asking for a client certificate during the initial | 1213 // The server is asking for a client certificate during the initial |
| 1210 // handshake. | 1214 // handshake. |
| 1211 stream_request_.reset(); | 1215 stream_request_.reset(); |
| 1212 | 1216 |
| 1213 // If the user selected one of the certificates in client_certs or declined | 1217 // If the user selected one of the certificates in client_certs or declined |
| 1214 // to provide one for this server before, use the past decision | 1218 // to provide one for this server before, use the past decision |
| 1215 // automatically. | 1219 // automatically. |
| 1216 scoped_refptr<X509Certificate> client_cert; | 1220 scoped_refptr<X509Certificate> client_cert; |
| 1221 scoped_refptr<SSLPrivateKey> client_pkey; | |
| 1217 bool found_cached_cert = session_->ssl_client_auth_cache()->Lookup( | 1222 bool found_cached_cert = session_->ssl_client_auth_cache()->Lookup( |
| 1218 response_.cert_request_info->host_and_port, &client_cert); | 1223 response_.cert_request_info->host_and_port, &client_cert, &client_pkey); |
| 1219 if (!found_cached_cert) | 1224 if (!found_cached_cert) |
| 1220 return error; | 1225 return error; |
| 1221 | 1226 |
| 1222 // Check that the certificate selected is still a certificate the server | 1227 // Check that the certificate selected is still a certificate the server |
| 1223 // is likely to accept, based on the criteria supplied in the | 1228 // is likely to accept, based on the criteria supplied in the |
| 1224 // CertificateRequest message. | 1229 // CertificateRequest message. |
| 1225 if (client_cert.get()) { | 1230 if (client_cert.get()) { |
| 1226 const std::vector<std::string>& cert_authorities = | 1231 const std::vector<std::string>& cert_authorities = |
| 1227 response_.cert_request_info->cert_authorities; | 1232 response_.cert_request_info->cert_authorities; |
| 1228 | 1233 |
| 1229 bool cert_still_valid = cert_authorities.empty() || | 1234 bool cert_still_valid = cert_authorities.empty() || |
| 1230 client_cert->IsIssuedByEncoded(cert_authorities); | 1235 client_cert->IsIssuedByEncoded(cert_authorities); |
| 1231 if (!cert_still_valid) | 1236 if (!cert_still_valid) |
| 1232 return error; | 1237 return error; |
| 1233 } | 1238 } |
| 1234 | 1239 |
| 1235 // TODO(davidben): Add a unit test which covers this path; we need to be | 1240 // TODO(davidben): Add a unit test which covers this path; we need to be |
| 1236 // able to send a legitimate certificate and also bypass/clear the | 1241 // able to send a legitimate certificate and also bypass/clear the |
| 1237 // SSL session cache. | 1242 // SSL session cache. |
| 1238 SSLConfig* ssl_config = response_.cert_request_info->is_proxy ? | 1243 SSLConfig* ssl_config = response_.cert_request_info->is_proxy ? |
| 1239 &proxy_ssl_config_ : &server_ssl_config_; | 1244 &proxy_ssl_config_ : &server_ssl_config_; |
| 1240 ssl_config->send_client_cert = true; | 1245 ssl_config->send_client_cert = true; |
| 1241 ssl_config->client_cert = client_cert; | 1246 ssl_config->client_cert = client_cert; |
| 1247 ssl_config->client_pkey = client_pkey; | |
| 1242 next_state_ = STATE_CREATE_STREAM; | 1248 next_state_ = STATE_CREATE_STREAM; |
| 1243 // Reset the other member variables. | 1249 // Reset the other member variables. |
| 1244 // Note: this is necessary only with SSL renegotiation. | 1250 // Note: this is necessary only with SSL renegotiation. |
| 1245 ResetStateForRestart(); | 1251 ResetStateForRestart(); |
| 1246 return OK; | 1252 return OK; |
| 1247 } | 1253 } |
| 1248 | 1254 |
| 1249 int HttpNetworkTransaction::HandleHttp11Required(int error) { | 1255 int HttpNetworkTransaction::HandleHttp11Required(int error) { |
| 1250 DCHECK(error == ERR_HTTP_1_1_REQUIRED || | 1256 DCHECK(error == ERR_HTTP_1_1_REQUIRED || |
| 1251 error == ERR_PROXY_HTTP_1_1_REQUIRED); | 1257 error == ERR_PROXY_HTTP_1_1_REQUIRED); |
| (...skipping 408 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1660 DCHECK(stream_request_); | 1666 DCHECK(stream_request_); |
| 1661 | 1667 |
| 1662 // Since the transaction can restart with auth credentials, it may create a | 1668 // Since the transaction can restart with auth credentials, it may create a |
| 1663 // stream more than once. Accumulate all of the connection attempts across | 1669 // stream more than once. Accumulate all of the connection attempts across |
| 1664 // those streams by appending them to the vector: | 1670 // those streams by appending them to the vector: |
| 1665 for (const auto& attempt : stream_request_->connection_attempts()) | 1671 for (const auto& attempt : stream_request_->connection_attempts()) |
| 1666 connection_attempts_.push_back(attempt); | 1672 connection_attempts_.push_back(attempt); |
| 1667 } | 1673 } |
| 1668 | 1674 |
| 1669 } // namespace net | 1675 } // namespace net |
| OLD | NEW |
