| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/socket/ssl_client_socket_impl.h" | 5 #include "net/socket/ssl_client_socket_impl.h" |
| 6 | 6 |
| 7 #include <errno.h> | 7 #include <errno.h> |
| 8 #include <string.h> | 8 #include <string.h> |
| 9 | 9 |
| 10 #include <algorithm> | 10 #include <algorithm> |
| (...skipping 207 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 218 return buffer_size; | 218 return buffer_size; |
| 219 } | 219 } |
| 220 | 220 |
| 221 scoped_refptr<X509Certificate> OSChainFromBuffers(STACK_OF(CRYPTO_BUFFER) * | 221 scoped_refptr<X509Certificate> OSChainFromBuffers(STACK_OF(CRYPTO_BUFFER) * |
| 222 openssl_chain) { | 222 openssl_chain) { |
| 223 if (sk_CRYPTO_BUFFER_num(openssl_chain) == 0) { | 223 if (sk_CRYPTO_BUFFER_num(openssl_chain) == 0) { |
| 224 NOTREACHED(); | 224 NOTREACHED(); |
| 225 return nullptr; | 225 return nullptr; |
| 226 } | 226 } |
| 227 | 227 |
| 228 #if BUILDFLAG(USE_BYTE_CERTS) |
| 229 std::vector<CRYPTO_BUFFER*> intermediate_chain; |
| 230 for (size_t i = 1; i < sk_CRYPTO_BUFFER_num(openssl_chain); ++i) |
| 231 intermediate_chain.push_back(sk_CRYPTO_BUFFER_value(openssl_chain, i)); |
| 232 return X509Certificate::CreateFromHandle( |
| 233 sk_CRYPTO_BUFFER_value(openssl_chain, 0), intermediate_chain); |
| 234 #else |
| 228 // Convert the certificate chains to a platform certificate handle. | 235 // Convert the certificate chains to a platform certificate handle. |
| 229 std::vector<base::StringPiece> der_chain; | 236 std::vector<base::StringPiece> der_chain; |
| 230 der_chain.reserve(sk_CRYPTO_BUFFER_num(openssl_chain)); | 237 der_chain.reserve(sk_CRYPTO_BUFFER_num(openssl_chain)); |
| 231 for (size_t i = 0; i < sk_CRYPTO_BUFFER_num(openssl_chain); ++i) { | 238 for (size_t i = 0; i < sk_CRYPTO_BUFFER_num(openssl_chain); ++i) { |
| 232 const CRYPTO_BUFFER* cert = sk_CRYPTO_BUFFER_value(openssl_chain, i); | 239 const CRYPTO_BUFFER* cert = sk_CRYPTO_BUFFER_value(openssl_chain, i); |
| 233 base::StringPiece der; | 240 base::StringPiece der; |
| 234 der_chain.push_back(base::StringPiece( | 241 der_chain.push_back(base::StringPiece( |
| 235 reinterpret_cast<const char*>(CRYPTO_BUFFER_data(cert)), | 242 reinterpret_cast<const char*>(CRYPTO_BUFFER_data(cert)), |
| 236 CRYPTO_BUFFER_len(cert))); | 243 CRYPTO_BUFFER_len(cert))); |
| 237 } | 244 } |
| 238 return X509Certificate::CreateFromDERCertChain(der_chain); | 245 return X509Certificate::CreateFromDERCertChain(der_chain); |
| 246 #endif |
| 239 } | 247 } |
| 240 | 248 |
| 241 #if !defined(OS_IOS) | 249 #if !defined(OS_IOS) && !BUILDFLAG(USE_BYTE_CERTS) |
| 242 bssl::UniquePtr<CRYPTO_BUFFER> OSCertHandleToBuffer( | 250 bssl::UniquePtr<CRYPTO_BUFFER> OSCertHandleToBuffer( |
| 243 X509Certificate::OSCertHandle os_handle) { | 251 X509Certificate::OSCertHandle os_handle) { |
| 244 std::string der_encoded; | 252 std::string der_encoded; |
| 245 if (!X509Certificate::GetDEREncoded(os_handle, &der_encoded)) | 253 if (!X509Certificate::GetDEREncoded(os_handle, &der_encoded)) |
| 246 return nullptr; | 254 return nullptr; |
| 247 return x509_util::CreateCryptoBuffer(der_encoded); | 255 return x509_util::CreateCryptoBuffer(der_encoded); |
| 248 } | 256 } |
| 249 #endif | 257 #endif |
| 250 | 258 |
| 251 } // namespace | 259 } // namespace |
| (...skipping 1323 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1575 // Second pass: a client certificate should have been selected. | 1583 // Second pass: a client certificate should have been selected. |
| 1576 if (ssl_config_.client_cert.get()) { | 1584 if (ssl_config_.client_cert.get()) { |
| 1577 if (!ssl_config_.client_private_key) { | 1585 if (!ssl_config_.client_private_key) { |
| 1578 // The caller supplied a null private key. Fail the handshake and surface | 1586 // The caller supplied a null private key. Fail the handshake and surface |
| 1579 // an appropriate error to the caller. | 1587 // an appropriate error to the caller. |
| 1580 LOG(WARNING) << "Client cert found without private key"; | 1588 LOG(WARNING) << "Client cert found without private key"; |
| 1581 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_CERT_NO_PRIVATE_KEY); | 1589 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_CERT_NO_PRIVATE_KEY); |
| 1582 return -1; | 1590 return -1; |
| 1583 } | 1591 } |
| 1584 | 1592 |
| 1593 #if BUILDFLAG(USE_BYTE_CERTS) |
| 1594 std::vector<CRYPTO_BUFFER*> chain_raw; |
| 1595 chain_raw.push_back(ssl_config_.client_cert->os_cert_handle()); |
| 1596 for (X509Certificate::OSCertHandle cert : |
| 1597 ssl_config_.client_cert->GetIntermediateCertificates()) { |
| 1598 chain_raw.push_back(cert); |
| 1599 } |
| 1600 #else |
| 1585 std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> chain; | 1601 std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> chain; |
| 1586 std::vector<CRYPTO_BUFFER*> chain_raw; | 1602 std::vector<CRYPTO_BUFFER*> chain_raw; |
| 1587 bssl::UniquePtr<CRYPTO_BUFFER> buf = | 1603 bssl::UniquePtr<CRYPTO_BUFFER> buf = |
| 1588 OSCertHandleToBuffer(ssl_config_.client_cert->os_cert_handle()); | 1604 OSCertHandleToBuffer(ssl_config_.client_cert->os_cert_handle()); |
| 1589 if (!buf) { | 1605 if (!buf) { |
| 1590 LOG(WARNING) << "Failed to import certificate"; | 1606 LOG(WARNING) << "Failed to import certificate"; |
| 1591 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_CERT_BAD_FORMAT); | 1607 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_CERT_BAD_FORMAT); |
| 1592 return -1; | 1608 return -1; |
| 1593 } | 1609 } |
| 1594 chain_raw.push_back(buf.get()); | 1610 chain_raw.push_back(buf.get()); |
| 1595 chain.push_back(std::move(buf)); | 1611 chain.push_back(std::move(buf)); |
| 1596 | 1612 |
| 1597 for (X509Certificate::OSCertHandle cert : | 1613 for (X509Certificate::OSCertHandle cert : |
| 1598 ssl_config_.client_cert->GetIntermediateCertificates()) { | 1614 ssl_config_.client_cert->GetIntermediateCertificates()) { |
| 1599 bssl::UniquePtr<CRYPTO_BUFFER> buf = OSCertHandleToBuffer(cert); | 1615 bssl::UniquePtr<CRYPTO_BUFFER> buf = OSCertHandleToBuffer(cert); |
| 1600 if (!buf) { | 1616 if (!buf) { |
| 1601 LOG(WARNING) << "Failed to import intermediate"; | 1617 LOG(WARNING) << "Failed to import intermediate"; |
| 1602 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_CERT_BAD_FORMAT); | 1618 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_CERT_BAD_FORMAT); |
| 1603 return -1; | 1619 return -1; |
| 1604 } | 1620 } |
| 1605 chain_raw.push_back(buf.get()); | 1621 chain_raw.push_back(buf.get()); |
| 1606 chain.push_back(std::move(buf)); | 1622 chain.push_back(std::move(buf)); |
| 1607 } | 1623 } |
| 1624 #endif |
| 1608 | 1625 |
| 1609 if (!SSL_set_chain_and_key(ssl_.get(), chain_raw.data(), chain_raw.size(), | 1626 if (!SSL_set_chain_and_key(ssl_.get(), chain_raw.data(), chain_raw.size(), |
| 1610 nullptr, &SSLContext::kPrivateKeyMethod)) { | 1627 nullptr, &SSLContext::kPrivateKeyMethod)) { |
| 1611 LOG(WARNING) << "Failed to set client certificate"; | 1628 LOG(WARNING) << "Failed to set client certificate"; |
| 1612 return -1; | 1629 return -1; |
| 1613 } | 1630 } |
| 1614 | 1631 |
| 1615 std::vector<SSLPrivateKey::Hash> digest_prefs = | 1632 std::vector<SSLPrivateKey::Hash> digest_prefs = |
| 1616 ssl_config_.client_private_key->GetDigestPreferences(); | 1633 ssl_config_.client_private_key->GetDigestPreferences(); |
| 1617 | 1634 |
| (...skipping 16 matching lines...) Expand all Loading... |
| 1634 case SSLPrivateKey::Hash::MD5_SHA1: | 1651 case SSLPrivateKey::Hash::MD5_SHA1: |
| 1635 // MD5-SHA1 is not used in TLS 1.2. | 1652 // MD5-SHA1 is not used in TLS 1.2. |
| 1636 break; | 1653 break; |
| 1637 } | 1654 } |
| 1638 } | 1655 } |
| 1639 | 1656 |
| 1640 SSL_set_private_key_digest_prefs(ssl_.get(), digests.data(), | 1657 SSL_set_private_key_digest_prefs(ssl_.get(), digests.data(), |
| 1641 digests.size()); | 1658 digests.size()); |
| 1642 | 1659 |
| 1643 net_log_.AddEvent(NetLogEventType::SSL_CLIENT_CERT_PROVIDED, | 1660 net_log_.AddEvent(NetLogEventType::SSL_CLIENT_CERT_PROVIDED, |
| 1644 NetLog::IntCallback("cert_count", chain.size())); | 1661 NetLog::IntCallback("cert_count", chain_raw.size())); |
| 1645 return 1; | 1662 return 1; |
| 1646 } | 1663 } |
| 1647 #endif // defined(OS_IOS) | 1664 #endif // defined(OS_IOS) |
| 1648 | 1665 |
| 1649 // Send no client certificate. | 1666 // Send no client certificate. |
| 1650 net_log_.AddEvent(NetLogEventType::SSL_CLIENT_CERT_PROVIDED, | 1667 net_log_.AddEvent(NetLogEventType::SSL_CLIENT_CERT_PROVIDED, |
| 1651 NetLog::IntCallback("cert_count", 0)); | 1668 NetLog::IntCallback("cert_count", 0)); |
| 1652 return 1; | 1669 return 1; |
| 1653 } | 1670 } |
| 1654 | 1671 |
| (...skipping 288 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1943 if (ERR_GET_REASON(info->error_code) == SSL_R_TLSV1_ALERT_ACCESS_DENIED && | 1960 if (ERR_GET_REASON(info->error_code) == SSL_R_TLSV1_ALERT_ACCESS_DENIED && |
| 1944 !certificate_requested_) { | 1961 !certificate_requested_) { |
| 1945 net_error = ERR_SSL_PROTOCOL_ERROR; | 1962 net_error = ERR_SSL_PROTOCOL_ERROR; |
| 1946 } | 1963 } |
| 1947 } | 1964 } |
| 1948 | 1965 |
| 1949 return net_error; | 1966 return net_error; |
| 1950 } | 1967 } |
| 1951 | 1968 |
| 1952 } // namespace net | 1969 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2746103003:
Add X509CertificateBytes which uses CRYPTO_BUFFER instead of macOS-native certificate types. (Closed)
