Enable SSLClientSocketTest unit tests on Mac OS X by implementing our own cer...

net/socket/ssl_client_socket_mac.cc

 // Copyright (c) 2008-2009 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/socket/ssl_client_socket_mac.h"
 
+#include "base/scoped_cftyperef.h"
 #include "base/singleton.h"
 #include "base/string_util.h"
+#include "net/base/cert_verifier.h"
 #include "net/base/io_buffer.h"
 #include "net/base/net_errors.h"
 #include "net/base/ssl_info.h"
 
 // Welcome to Mac SSL. We've been waiting for you.
 //
 // The Mac SSL implementation is, like the Windows and NSS implementations, a
 // giant state machine. This design constraint is due to the asynchronous nature
 // of our underlying transport mechanism. We can call down to read/write on the
 // network, but what happens is that either it completes immediately or returns
@@ skipping 250 matching lines @@
                                        const std::string& hostname,
                                        const SSLConfig& ssl_config)
     : io_callback_(this, &SSLClientSocketMac::OnIOComplete),
       write_callback_(this, &SSLClientSocketMac::OnWriteComplete),
       transport_(transport_socket),
       hostname_(hostname),
       ssl_config_(ssl_config),
       user_callback_(NULL),
       next_state_(STATE_NONE),
       next_io_state_(STATE_NONE),
-      server_cert_status_(0),
       completed_handshake_(false),
       ssl_context_(NULL),
       pending_send_error_(OK),
       recv_buffer_head_slop_(0),
       recv_buffer_tail_slop_(0) {
 }
 
 SSLClientSocketMac::~SSLClientSocketMac() {
   Disconnect();
 }
@@ skipping 28 matching lines @@
     return NetErrorFromOSStatus(status);
 
   status = SSLSetIOFuncs(ssl_context_, SSLReadCallback, SSLWriteCallback);
   if (status)
     return NetErrorFromOSStatus(status);
 
   status = SSLSetConnection(ssl_context_, this);
   if (status)
     return NetErrorFromOSStatus(status);
 
-  if (ssl_config_.allowed_bad_certs.empty()) {
-    // We're going to use the default certificate verification that the system
-    // does, and accept its answer for the cert status.
-    status = SSLSetPeerDomainName(ssl_context_, hostname_.data(),
-                                  hostname_.length());
-    if (status)
-      return NetErrorFromOSStatus(status);
-
-    // TODO(wtc): for now, always check revocation.
-    server_cert_status_ = CERT_STATUS_REV_CHECKING_ENABLED;
-  } else {
-    // Disable certificate chain validation.  We will only allow the certs in
-    // ssl_config_.allowed_bad_certs.
-    status = SSLSetEnableCertVerify(ssl_context_, false);
-    if (status)
-      return NetErrorFromOSStatus(status);
-  }
+  // Disable certificate verification within Secure Transport; we'll
+  // be handling that ourselves.
+  status = SSLSetEnableCertVerify(ssl_context_, false);
+  if (status)
+    return NetErrorFromOSStatus(status);
 
   next_state_ = STATE_HANDSHAKE;
   int rv = DoLoop(OK);
   if (rv == ERR_IO_PENDING)
     user_callback_ = callback;
   return rv;
 }
 
 void SSLClientSocketMac::Disconnect() {
   completed_handshake_ = false;
@@ skipping 68 matching lines @@
   return rv;
 }
 
 void SSLClientSocketMac::GetSSLInfo(SSLInfo* ssl_info) {
   ssl_info->Reset();
 
   // set cert
   ssl_info->cert = server_cert_;
 
   // update status
-  ssl_info->cert_status = server_cert_status_;
+  ssl_info->cert_status = server_cert_verify_result_.cert_status;
 
   // security info
   SSLCipherSuite suite;
   OSStatus status = SSLGetNegotiatedCipher(ssl_context_, &suite);
   if (!status)
     ssl_info->security_bits = KeySizeOfCipherSuite(suite);
 }
 
 void SSLClientSocketMac::GetSSLCertRequestInfo(
     SSLCertRequestInfo* cert_request_info) {
@@ skipping 32 matching lines @@
   DCHECK(next_state_ != STATE_NONE);
   int rv = last_io_result;
   do {
     State state = next_state_;
     next_state_ = STATE_NONE;
     switch (state) {
       case STATE_HANDSHAKE:
         // Do the SSL/TLS handshake.
         rv = DoHandshake();
         break;
+      case STATE_VERIFY_CERT:
+        // Kick off server certificate validation.
+        rv = DoVerifyCert();
+        break;
+      case STATE_VERIFY_CERT_COMPLETE:
+        // Check the results of the  server certificate validation.
+        rv = DoVerifyCertComplete(rv);
+        break;
       case STATE_READ_COMPLETE:
         // A read off the network is complete; do the paperwork.
         rv = DoReadComplete(rv);
         break;
       case STATE_PAYLOAD_READ:
         // Do a read of data from the network.
         rv = DoPayloadRead();
         break;
       case STATE_PAYLOAD_WRITE:
         // Do a write of data to the network.
         rv = DoPayloadWrite();
         break;
       default:
         rv = ERR_UNEXPECTED;
         NOTREACHED() << "unexpected state";
         break;
     }
   } while (rv != ERR_IO_PENDING && next_state_ != STATE_NONE);
   return rv;
 }
 
 int SSLClientSocketMac::DoHandshake() {
   OSStatus status = SSLHandshake(ssl_context_);
-  int net_error = NetErrorFromOSStatus(status);
 
-  if (status == errSSLWouldBlock) {
+  if (status == errSSLWouldBlock)
     next_state_ = STATE_HANDSHAKE;
-  } else if (status == noErr) {
-    completed_handshake_ = true;  // We have a connection.
 
+  if (status == noErr) {
     server_cert_ = GetServerCert(ssl_context_);
-    DCHECK(server_cert_);
-    if (!ssl_config_.allowed_bad_certs.empty()) {
-      // Check server_cert_ because SecureTransport didn't verify it.
-      // TODO(wtc): If server_cert_ is not one of the allowed bad certificates,
-      // we should verify server_cert_ ourselves.  Since we don't know how to
-      // do that yet, treat it as an invalid certificate.
-      net_error = ERR_CERT_INVALID;
-      server_cert_status_ |= CERT_STATUS_INVALID;
-
-      for (size_t i = 0; i < ssl_config_.allowed_bad_certs.size(); ++i) {
-        if (server_cert_ == ssl_config_.allowed_bad_certs[i].cert) {
-          net_error = OK;
-          server_cert_status_ = ssl_config_.allowed_bad_certs[i].cert_status;
-          break;
-        }
-      }
-    }
-  } else if (IsCertificateError(net_error)) {
-    server_cert_ = GetServerCert(ssl_context_);
-    DCHECK(server_cert_);
-    server_cert_status_ |= MapNetErrorToCertStatus(net_error);
+    if (!server_cert_)
+      return ERR_UNEXPECTED;
+    next_state_ = STATE_VERIFY_CERT;
   }
 
-  return net_error;
+  return NetErrorFromOSStatus(status);
+}
+
+int SSLClientSocketMac::DoVerifyCert() {
+  next_state_ = STATE_VERIFY_CERT_COMPLETE;
+
+  if (!server_cert_)
+    return ERR_UNEXPECTED;
+
+  // Add each of the intermediate certificates in the server's chain to the
+  // server's X509Certificate object. This makes them available to
+  // X509Certificate::Verify() for chain building.
+  CFArrayRef certs;
+  OSStatus status = SSLCopyPeerCertificates(ssl_context_, &certs);
+  if (status != noErr || !certs)
+    return ERR_UNEXPECTED;
+  scoped_cftyperef<CFArrayRef> scoped_certs(certs);
+  CFIndex certs_length = CFArrayGetCount(certs);
+  for (CFIndex i = 1; i < certs_length; ++i) {
+    SecCertificateRef cert_ref = reinterpret_cast<SecCertificateRef>(
+        const_cast<void*>(CFArrayGetValueAtIndex(certs, i)));
+    server_cert_->AddIntermediateCertificate(cert_ref);
+  }
+
+  // TODO(hawk): set flags based on the SSLConfig, once SSLConfig is

[wtc, 2009/08/27 00:14:18]

Nit: the second "SSLConfig" should be "SSLConfigService".

+  // fully fleshed out on Mac OS X.
+  int flags = 0;
+  verifier_.reset(new CertVerifier);
+  return verifier_->Verify(server_cert_, hostname_, flags,
+                           &server_cert_verify_result_, &io_callback_);
+}
+
+int SSLClientSocketMac::DoVerifyCertComplete(int result) {
+  DCHECK(verifier_.get());
+  verifier_.reset();
+
+  if (IsCertificateError(result) && ssl_config_.IsAllowedBadCert(server_cert_))
+    result = OK;
+
+  completed_handshake_ = true;
+  DCHECK(next_state_ == STATE_NONE);
+
+  return result;
 }
 
 int SSLClientSocketMac::DoReadComplete(int result) {
   if (result < 0) {
     read_io_buf_ = NULL;
     return result;
   }
 
   char* buffer = &recv_buffer_[recv_buffer_.size() - recv_buffer_tail_slop_];
   memcpy(buffer, read_io_buf_->data(), result);
@@ skipping 250 matching lines @@
 
   if (rv < 0 && rv != ERR_IO_PENDING) {
     return OSStatusFromNetError(rv);
   }
 
   // always lie to our caller
   return noErr;
 }
 
 }  // namespace net