OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/ssl/client_cert_store_impl.h" | 5 #include "net/ssl/client_cert_store_impl.h" |
6 | 6 |
7 #include <nss.h> | 7 #include <nss.h> |
8 #include <ssl.h> | 8 #include <ssl.h> |
9 | 9 |
10 #include "base/logging.h" | 10 #include "base/logging.h" |
11 #include "net/cert/x509_util.h" | 11 #include "net/cert/x509_util.h" |
12 | 12 |
13 namespace net { | 13 namespace net { |
14 | 14 |
15 namespace { | 15 namespace { |
16 | 16 |
17 bool GetClientCertsImpl(CERTCertList* cert_list, | 17 bool GetClientCertsImpl(CERTCertList* cert_list, |
18 const SSLCertRequestInfo& request, | 18 const SSLCertRequestInfo& request, |
19 bool query_nssdb, | |
19 CertificateList* selected_certs) { | 20 CertificateList* selected_certs) { |
20 DCHECK(cert_list); | 21 DCHECK(cert_list); |
21 DCHECK(selected_certs); | 22 DCHECK(selected_certs); |
22 | 23 |
23 selected_certs->clear(); | 24 selected_certs->clear(); |
25 | |
26 // Create a "fake" CERTDistNames structure. No public API exists to create | |
27 // one from a list of issuers. | |
28 CERTDistNames ca_names; | |
29 ca_names.arena = NULL; | |
30 ca_names.nnames = 0; | |
31 ca_names.names = NULL; | |
32 ca_names.head = NULL; | |
33 | |
34 std::vector<SECItem> ca_names_items(request.cert_authorities.size()); | |
35 for (size_t i = 0; i < request.cert_authorities.size(); ++i) { | |
36 const std::string& authority = request.cert_authorities[i]; | |
37 ca_names_items[i].type = siDERNameBuffer; | |
wtc
2013/04/16 18:50:32
This can be the default siBuffer, which seems to b
| |
38 ca_names_items[i].data = | |
39 reinterpret_cast<unsigned char*>(const_cast<char*>(authority.data())); | |
40 ca_names_items[i].len = static_cast<unsigned int>(authority.size()); | |
41 } | |
42 ca_names.nnames = static_cast<int>(ca_names_items.size()); | |
43 if (!ca_names_items.empty()) | |
44 ca_names.names = &ca_names_items[0]; | |
45 | |
24 for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list); | 46 for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list); |
25 !CERT_LIST_END(node, cert_list); | 47 !CERT_LIST_END(node, cert_list); |
26 node = CERT_LIST_NEXT(node)) { | 48 node = CERT_LIST_NEXT(node)) { |
27 // Only offer unexpired certificates. | 49 // Only offer unexpired certificates. |
28 if (CERT_CheckCertValidTimes(node->cert, PR_Now(), PR_TRUE) != | 50 if (CERT_CheckCertValidTimes(node->cert, PR_Now(), PR_TRUE) != |
29 secCertTimeValid) { | 51 secCertTimeValid) { |
30 continue; | 52 continue; |
31 } | 53 } |
32 | 54 |
33 scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromHandle( | 55 scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromHandle( |
34 node->cert, X509Certificate::OSCertHandles()); | 56 node->cert, X509Certificate::OSCertHandles()); |
35 | 57 |
36 // Check if the certificate issuer is allowed by the server. | 58 // Check if the certificate issuer is allowed by the server. |
37 if (!request.cert_authorities.empty() && | 59 if (request.cert_authorities.empty() || |
38 !cert->IsIssuedByEncoded(request.cert_authorities)) { | 60 cert->IsIssuedByEncoded(request.cert_authorities) || |
39 continue; | 61 (query_nssdb && |
62 NSS_CmpCertChainWCANames(node->cert, &ca_names) == SECSuccess)) { | |
wtc
2013/04/16 18:50:32
It seems that we only need to call one of cert->Is
Ryan Sleevi
2013/04/16 19:00:26
Yes, that is the (real) root of the bug, but the i
| |
63 selected_certs->push_back(cert); | |
40 } | 64 } |
41 selected_certs->push_back(cert); | |
42 } | 65 } |
43 | 66 |
44 std::sort(selected_certs->begin(), selected_certs->end(), | 67 std::sort(selected_certs->begin(), selected_certs->end(), |
45 x509_util::ClientCertSorter()); | 68 x509_util::ClientCertSorter()); |
46 return true; | 69 return true; |
47 } | 70 } |
48 | 71 |
49 } // namespace | 72 } // namespace |
50 | 73 |
51 bool ClientCertStoreImpl::GetClientCerts(const SSLCertRequestInfo& request, | 74 bool ClientCertStoreImpl::GetClientCerts(const SSLCertRequestInfo& request, |
52 CertificateList* selected_certs) { | 75 CertificateList* selected_certs) { |
53 CERTCertList* client_certs = CERT_FindUserCertsByUsage( | 76 CERTCertList* client_certs = CERT_FindUserCertsByUsage( |
54 CERT_GetDefaultCertDB(), certUsageSSLClient, | 77 CERT_GetDefaultCertDB(), certUsageSSLClient, |
55 PR_FALSE, PR_FALSE, NULL); | 78 PR_FALSE, PR_FALSE, NULL); |
56 // It is ok for a user not to have any client certs. | 79 // It is ok for a user not to have any client certs. |
57 if (!client_certs) | 80 if (!client_certs) |
58 return true; | 81 return true; |
59 | 82 |
60 bool rv = GetClientCertsImpl(client_certs, request, selected_certs); | 83 bool rv = GetClientCertsImpl(client_certs, request, true, selected_certs); |
61 CERT_DestroyCertList(client_certs); | 84 CERT_DestroyCertList(client_certs); |
62 return rv; | 85 return rv; |
63 } | 86 } |
64 | 87 |
65 bool ClientCertStoreImpl::SelectClientCerts(const CertificateList& input_certs, | 88 bool ClientCertStoreImpl::SelectClientCerts(const CertificateList& input_certs, |
66 const SSLCertRequestInfo& request, | 89 const SSLCertRequestInfo& request, |
67 CertificateList* selected_certs) { | 90 CertificateList* selected_certs) { |
68 CERTCertList* cert_list = CERT_NewCertList(); | 91 CERTCertList* cert_list = CERT_NewCertList(); |
69 if (!cert_list) | 92 if (!cert_list) |
70 return false; | 93 return false; |
71 for (size_t i = 0; i < input_certs.size(); ++i) { | 94 for (size_t i = 0; i < input_certs.size(); ++i) { |
72 CERT_AddCertToListTail( | 95 CERT_AddCertToListTail( |
73 cert_list, CERT_DupCertificate(input_certs[i]->os_cert_handle())); | 96 cert_list, CERT_DupCertificate(input_certs[i]->os_cert_handle())); |
74 } | 97 } |
75 | 98 |
76 bool rv = GetClientCertsImpl(cert_list, request, selected_certs); | 99 bool rv = GetClientCertsImpl(cert_list, request, false, selected_certs); |
77 CERT_DestroyCertList(cert_list); | 100 CERT_DestroyCertList(cert_list); |
78 return rv; | 101 return rv; |
79 } | 102 } |
80 | 103 |
81 } // namespace net | 104 } // namespace net |
OLD | NEW |