Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(8)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/ssl/client_cert_store_impl_nss.cc

Issue 13866049: Fix client certificate authentication on Mac and Linux introduced in r178732 (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Created 7 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« net/ssl/client_cert_store_impl_mac.cc ('K') | « net/ssl/client_cert_store_impl_mac.cc ('k') | no next file » | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/ssl/client_cert_store_impl.h" 5 #include "net/ssl/client_cert_store_impl.h"
6 6
7 #include <nss.h> 7 #include <nss.h>
8 #include <ssl.h> 8 #include <ssl.h>
9 9
10 #include "base/logging.h" 10 #include "base/logging.h"
11 #include "net/cert/x509_util.h" 11 #include "net/cert/x509_util.h"
12 12
13 namespace net { 13 namespace net {
14 14
15 namespace { 15 namespace {
16 16
17 bool GetClientCertsImpl(CERTCertList* cert_list, 17 bool GetClientCertsImpl(CERTCertList* cert_list,
18 const SSLCertRequestInfo& request, 18 const SSLCertRequestInfo& request,
19 bool query_nssdb,
19 CertificateList* selected_certs) { 20 CertificateList* selected_certs) {
20 DCHECK(cert_list); 21 DCHECK(cert_list);
21 DCHECK(selected_certs); 22 DCHECK(selected_certs);
22 23
23 selected_certs->clear(); 24 selected_certs->clear();
25
26 // Create a "fake" CERTDistNames structure. No public API exists to create
27 // one from a list of issuers.
28 CERTDistNames ca_names;
29 ca_names.arena = NULL;
30 ca_names.nnames = 0;
31 ca_names.names = NULL;
32 ca_names.head = NULL;
33
34 std::vector<SECItem> ca_names_items(request.cert_authorities.size());
35 for (size_t i = 0; i < request.cert_authorities.size(); ++i) {
36 const std::string& authority = request.cert_authorities[i];
37 ca_names_items[i].type = siDERNameBuffer;
wtc 2013/04/16 18:50:32 This can be the default siBuffer, which seems to b
38 ca_names_items[i].data =
39 reinterpret_cast<unsigned char*>(const_cast<char*>(authority.data()));
40 ca_names_items[i].len = static_cast<unsigned int>(authority.size());
41 }
42 ca_names.nnames = static_cast<int>(ca_names_items.size());
43 if (!ca_names_items.empty())
44 ca_names.names = &ca_names_items[0];
45
24 for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list); 46 for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list);
25 !CERT_LIST_END(node, cert_list); 47 !CERT_LIST_END(node, cert_list);
26 node = CERT_LIST_NEXT(node)) { 48 node = CERT_LIST_NEXT(node)) {
27 // Only offer unexpired certificates. 49 // Only offer unexpired certificates.
28 if (CERT_CheckCertValidTimes(node->cert, PR_Now(), PR_TRUE) != 50 if (CERT_CheckCertValidTimes(node->cert, PR_Now(), PR_TRUE) !=
29 secCertTimeValid) { 51 secCertTimeValid) {
30 continue; 52 continue;
31 } 53 }
32 54
33 scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromHandle( 55 scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromHandle(
34 node->cert, X509Certificate::OSCertHandles()); 56 node->cert, X509Certificate::OSCertHandles());
35 57
36 // Check if the certificate issuer is allowed by the server. 58 // Check if the certificate issuer is allowed by the server.
37 if (!request.cert_authorities.empty() && 59 if (request.cert_authorities.empty() ||
38 !cert->IsIssuedByEncoded(request.cert_authorities)) { 60 cert->IsIssuedByEncoded(request.cert_authorities) ||
39 continue; 61 (query_nssdb &&
62 NSS_CmpCertChainWCANames(node->cert, &ca_names) == SECSuccess)) {
wtc 2013/04/16 18:50:32 It seems that we only need to call one of cert->Is
Ryan Sleevi 2013/04/16 19:00:26 Yes, that is the (real) root of the bug, but the i
63 selected_certs->push_back(cert);
40 } 64 }
41 selected_certs->push_back(cert);
42 } 65 }
43 66
44 std::sort(selected_certs->begin(), selected_certs->end(), 67 std::sort(selected_certs->begin(), selected_certs->end(),
45 x509_util::ClientCertSorter()); 68 x509_util::ClientCertSorter());
46 return true; 69 return true;
47 } 70 }
48 71
49 } // namespace 72 } // namespace
50 73
51 bool ClientCertStoreImpl::GetClientCerts(const SSLCertRequestInfo& request, 74 bool ClientCertStoreImpl::GetClientCerts(const SSLCertRequestInfo& request,
52 CertificateList* selected_certs) { 75 CertificateList* selected_certs) {
53 CERTCertList* client_certs = CERT_FindUserCertsByUsage( 76 CERTCertList* client_certs = CERT_FindUserCertsByUsage(
54 CERT_GetDefaultCertDB(), certUsageSSLClient, 77 CERT_GetDefaultCertDB(), certUsageSSLClient,
55 PR_FALSE, PR_FALSE, NULL); 78 PR_FALSE, PR_FALSE, NULL);
56 // It is ok for a user not to have any client certs. 79 // It is ok for a user not to have any client certs.
57 if (!client_certs) 80 if (!client_certs)
58 return true; 81 return true;
59 82
60 bool rv = GetClientCertsImpl(client_certs, request, selected_certs); 83 bool rv = GetClientCertsImpl(client_certs, request, true, selected_certs);
61 CERT_DestroyCertList(client_certs); 84 CERT_DestroyCertList(client_certs);
62 return rv; 85 return rv;
63 } 86 }
64 87
65 bool ClientCertStoreImpl::SelectClientCerts(const CertificateList& input_certs, 88 bool ClientCertStoreImpl::SelectClientCerts(const CertificateList& input_certs,
66 const SSLCertRequestInfo& request, 89 const SSLCertRequestInfo& request,
67 CertificateList* selected_certs) { 90 CertificateList* selected_certs) {
68 CERTCertList* cert_list = CERT_NewCertList(); 91 CERTCertList* cert_list = CERT_NewCertList();
69 if (!cert_list) 92 if (!cert_list)
70 return false; 93 return false;
71 for (size_t i = 0; i < input_certs.size(); ++i) { 94 for (size_t i = 0; i < input_certs.size(); ++i) {
72 CERT_AddCertToListTail( 95 CERT_AddCertToListTail(
73 cert_list, CERT_DupCertificate(input_certs[i]->os_cert_handle())); 96 cert_list, CERT_DupCertificate(input_certs[i]->os_cert_handle()));
74 } 97 }
75 98
76 bool rv = GetClientCertsImpl(cert_list, request, selected_certs); 99 bool rv = GetClientCertsImpl(cert_list, request, false, selected_certs);
77 CERT_DestroyCertList(cert_list); 100 CERT_DestroyCertList(cert_list);
78 return rv; 101 return rv;
79 } 102 }
80 103
81 } // namespace net 104 } // namespace net
OLDNEW
« net/ssl/client_cert_store_impl_mac.cc ('K') | « net/ssl/client_cert_store_impl_mac.cc ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698