Support for using OS-native certificates for SSL client auth....

net/third_party/nss/ssl/sslimpl.h

 /*
  * This file is PRIVATE to SSL and should be the first thing included by
  * any SSL implementation file.
  *
  * ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
  *
  * The contents of this file are subject to the Mozilla Public License Version
  * 1.1 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
@@ skipping 47 matching lines @@
 #include "nssilock.h"
 #include "pkcs11t.h"
 #if defined(XP_UNIX) || defined(XP_BEOS)
 #include "unistd.h"
 #endif
 #include "nssrwlk.h"
 #include "prthread.h"
 
 #include "sslt.h" /* for some formerly private types, now public */
 
+#ifdef NSS_PLATFORM_CLIENT_AUTH
+#if defined(XP_WIN32)
+#include <windows.h>
+#include <wincrypt.h>
+#elif defined(XP_MACOSX)
+#include <Security/Security.h>
+#endif
+#endif
+
 /* to make some of these old enums public without namespace pollution,
 ** it was necessary to prepend ssl_ to the names.
 ** These #defines preserve compatibility with the old code here in libssl.
 */
 typedef SSLKEAType      SSL3KEAType;
 typedef SSLMACAlgorithm SSL3MACAlgorithm;
 typedef SSLSignType     SSL3SignType;
 
 #define sign_null       ssl_sign_null
 #define sign_rsa        ssl_sign_rsa
@@ skipping 488 matching lines @@
 } ssl3CipherSpec;
 
 typedef enum {  never_cached, 
                 in_client_cache, 
                 in_server_cache, 
                 invalid_cache           /* no longer in any cache. */
 } Cached;
 
 #define MAX_PEER_CERT_CHAIN_SIZE 8
 
+#ifdef NSS_PLATFORM_CLIENT_AUTH
+typedef struct {
+#if defined(XP_WIN32)
+    char * provider;
+    char * container;
+    DWORD  provType;
+    PRBool removable;
+#elif defined(XP_MACOSX)
+    SecKeychainRef keychain;
+    CFDataRef persistentKey;
+#endif
+} PlatformAuthInfo;
+#endif  /* NSS_PLATFORM_CLIENT_AUTH */
+
 struct sslSessionIDStr {
     sslSessionID *        next;   /* chain used for client sockets, only */
 
     CERTCertificate *     peerCert;
     CERTCertificate *     peerCertChain[MAX_PEER_CERT_CHAIN_SIZE];
     const char *          peerID;     /* client only */
     const char *          urlSvrName; /* client only */
     CERTCertificate *     localCert;
 
     PRIPv6Addr            addr;
@@ skipping 64 matching lines @@
             /* The following values pertain to the slot that did the signature
             ** for client auth.   (used only in client)
             */
             SECMODModuleID    clAuthModuleID;
             CK_SLOT_ID        clAuthSlotID;
             PRUint16          clAuthSeries;
 
             char              masterValid;
             char              clAuthValid;
 
+#ifdef NSS_PLATFORM_CLIENT_AUTH
+            PlatformAuthInfo  clPlatformAuthInfo;
+            char              clPlatformAuthValid;
+#endif  /* NSS_PLATFORM_CLIENT_AUTH */
+
             /* Session ticket if we have one, is sent as an extension in the
              * ClientHello message.  This field is used by clients.
              */
             NewSessionTicket  sessionTicket;
             SECItem           srvName;
         } ssl3;
     } u;
 };
 
 
@@ skipping 139 matching lines @@
      * our Snap Start attempt, then it will hash the whole ClientHello. Thus we
      * store the original ClientHello that we sent in case we need to reset our
      * Finished hash to cover it. */
     SECItem               origClientHello;
 #ifdef NSS_ENABLE_ECC
     PRUint32              negotiatedECCurves; /* bit mask */
 #endif /* NSS_ENABLE_ECC */
     PRBool                nextProtoNego;/* Our peer has sent this extension */
 } SSL3HandshakeState;
 
+#ifdef NSS_PLATFORM_CLIENT_AUTH
+#if defined(XP_WIN32)
+typedef HCRYPTPROV PlatformKey;
+#elif defined(XP_MACOSX)
+typedef SecKeyRef PlatformKey;
+#else
+typedef void *PlatformKey;
+#endif
+#endif
 
 
 /*
 ** This is the "ssl3" struct, as in "ss->ssl3".
 ** note:
 ** usually,   crSpec == cwSpec and prSpec == pwSpec.  
 ** Sometimes, crSpec == pwSpec and prSpec == cwSpec.
 ** But there are never more than 2 actual specs.  
 ** No spec must ever be modified if either "current" pointer points to it.
 */
 struct ssl3StateStr {
 
     /*
     ** The following Specs and Spec pointers must be protected using the 
     ** Spec Lock.
     */
     ssl3CipherSpec *     crSpec;        /* current read spec. */
     ssl3CipherSpec *     prSpec;        /* pending read spec. */
     ssl3CipherSpec *     cwSpec;        /* current write spec. */
     ssl3CipherSpec *     pwSpec;        /* pending write spec. */
 
     CERTCertificate *    clientCertificate;  /* used by client */
     SECKEYPrivateKey *   clientPrivateKey;   /* used by client */
+#ifdef NSS_PLATFORM_CLIENT_AUTH
+    PlatformKey          platformClientKey;  /* used by client */
+#endif  /* NSS_PLATFORM_CLIENT_AUTH */
     CERTCertificateList *clientCertChain;    /* used by client */
     PRBool               sendEmptyCert;      /* used by client */
 
     /* TLS Snap Start: */
     CERTCertificate **   predictedCertChain;
                             /* An array terminated with a NULL. */
     SECItem              serverHelloPredictionData;
     PRBool               serverHelloPredictionDataValid;
                             /* data needed to predict the ServerHello from
                              * this server. */
@@ skipping 241 matching lines @@
     unsigned int     sizeCipherSpecs;
 const unsigned char *  preferredCipher;
 
     ssl3KeyPair *         stepDownKeyPair;      /* RSA step down keys */
 
     /* Callbacks */
     SSLAuthCertificate        authCertificate;
     void                     *authCertificateArg;
     SSLGetClientAuthData      getClientAuthData;
     void                     *getClientAuthDataArg;
+#ifdef NSS_PLATFORM_CLIENT_AUTH
+    SSLGetPlatformClientAuthData getPlatformClientAuthData;
+    void                        *getPlatformClientAuthDataArg;
+#endif  /* NSS_PLATFORM_CLIENT_AUTH */
     SSLSNISocketConfig        sniSocketConfig;
     void                     *sniSocketConfigArg;
     SSLBadCertHandler         handleBadCert;
     void                     *badCertArg;
     SSLHandshakeCallback      handshakeCallback;
     void                     *handshakeCallbackData;
     void                     *pkcs11PinArg;
 
     PRIntervalTime            rTimeout; /* timeout for NSPR I/O */
     PRIntervalTime            wTimeout; /* timeout for NSPR I/O */
@@ skipping 571 matching lines @@
 extern SECStatus SSL3_ShutdownServerCache(void);
 
 extern SECStatus ssl_InitSymWrapKeysLock(void);
 
 extern SECStatus ssl_FreeSymWrapKeysLock(void);
 
 extern SECStatus ssl_InitSessionCacheLocks(PRBool lazyInit);
 
 extern SECStatus ssl_FreeSessionCacheLocks(void);
 
+/***************** platform client auth ****************/
+
+#ifdef NSS_PLATFORM_CLIENT_AUTH
+// Releases the platform key.
+extern void ssl_FreePlatformKey(PlatformKey key);
+
+// Frees any memory allocated to store a persistent reference to the
+// platform key.
+extern void ssl_FreePlatformAuthInfo(PlatformAuthInfo* info);
+
+// Initializes the PlatformAuthInfo to empty/invalid values.
+extern void ssl_InitPlatformAuthInfo(PlatformAuthInfo* info);
+
+// Determine if the given key is still present in the system. This is used
+// to check for things like smart cards being ejected after handshaking,
+// since no further operations on the key will happen which would detect this.
+extern PRBool ssl_PlatformAuthTokenPresent(PlatformAuthInfo* info);
+
+// Obtain a persistent reference to a key, sufficient for
+// ssl_PlatformAuthTokenPresent to determine if the key is still present.
+extern void ssl_GetPlatformAuthInfoForKey(PlatformKey key,
+                                          PlatformAuthInfo* info);
+
+// Implement the client CertificateVerify message for SSL3/TLS1.0
+extern SECStatus ssl3_PlatformSignHashes(SSL3Hashes *hash,
+                                         PlatformKey key, SECItem *buf,
+                                         PRBool isTLS);
+
+// Converts a CERTCertList* (A collection of CERTCertificates) into a
+// CERTCertificateList* (A collection of SECItems), or returns NULL if
+// it cannot be converted.
+// This is to allow the platform-supplied chain to be created with purely
+// public API functions, using the preferred CERTCertList mutators, rather
+// pushing this hack to clients.
+extern CERTCertificateList* hack_NewCertificateListFromCertList(
+        CERTCertList* list);
+#endif  /* NSS_PLATFORM_CLIENT_AUTH */
 
 /********************** misc calls *********************/
 
 extern int ssl_MapLowLevelError(int hiLevelError);
 
 extern PRUint32 ssl_Time(void);
 
 extern void SSL_AtomicIncrementLong(long * x);
 
 SECStatus SSL_DisableDefaultExportCipherSuites(void);
@@ skipping 22 matching lines @@
 #elif defined(_WIN32_WCE)
 #define SSL_GETPID GetCurrentProcessId
 #elif defined(WIN32)
 extern int __cdecl _getpid(void);
 #define SSL_GETPID _getpid
 #else
 #define SSL_GETPID() 0
 #endif
 
 #endif /* __sslimpl_h_ */