OLD | NEW |
1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/ssl/client_cert_store_nss.h" | 5 #include "net/ssl/client_cert_store_nss.h" |
6 | 6 |
7 #include <nss.h> | 7 #include <nss.h> |
8 #include <ssl.h> | 8 #include <ssl.h> |
9 | 9 |
10 #include <algorithm> | 10 #include <algorithm> |
11 #include <memory> | 11 #include <memory> |
12 #include <utility> | 12 #include <utility> |
13 #include <vector> | 13 #include <vector> |
14 | 14 |
15 #include "base/bind.h" | 15 #include "base/bind.h" |
16 #include "base/bind_helpers.h" | 16 #include "base/bind_helpers.h" |
17 #include "base/location.h" | 17 #include "base/location.h" |
18 #include "base/logging.h" | 18 #include "base/logging.h" |
| 19 #include "base/memory/ptr_util.h" |
19 #include "base/strings/string_piece.h" | 20 #include "base/strings/string_piece.h" |
20 #include "base/task_runner_util.h" | 21 #include "base/task_runner_util.h" |
21 #include "base/threading/worker_pool.h" | 22 #include "base/threading/worker_pool.h" |
22 #include "crypto/nss_crypto_module_delegate.h" | 23 #include "crypto/nss_crypto_module_delegate.h" |
23 #include "net/cert/scoped_nss_types.h" | 24 #include "net/cert/scoped_nss_types.h" |
24 #include "net/cert/x509_util.h" | 25 #include "net/cert/x509_util.h" |
25 #include "net/ssl/ssl_cert_request_info.h" | 26 #include "net/ssl/ssl_cert_request_info.h" |
| 27 #include "net/ssl/ssl_platform_key_nss.h" |
| 28 #include "net/ssl/threaded_ssl_private_key.h" |
26 #include "net/third_party/nss/ssl/cmpcert.h" | 29 #include "net/third_party/nss/ssl/cmpcert.h" |
27 | 30 |
28 namespace net { | 31 namespace net { |
29 | 32 |
| 33 namespace { |
| 34 |
| 35 class ClientCertIdentityNSS : public ClientCertIdentity { |
| 36 public: |
| 37 ClientCertIdentityNSS( |
| 38 scoped_refptr<net::X509Certificate> cert, |
| 39 scoped_refptr<crypto::CryptoModuleBlockingPasswordDelegate> |
| 40 password_delegate) |
| 41 : ClientCertIdentity(std::move(cert)), |
| 42 password_delegate_(std::move(password_delegate)) {} |
| 43 ~ClientCertIdentityNSS() override = default; |
| 44 |
| 45 void AcquirePrivateKey( |
| 46 const base::Callback<void(scoped_refptr<SSLPrivateKey>)>& |
| 47 private_key_callback) override; |
| 48 |
| 49 private: |
| 50 scoped_refptr<crypto::CryptoModuleBlockingPasswordDelegate> |
| 51 password_delegate_; |
| 52 }; |
| 53 |
| 54 void ClientCertIdentityNSS::AcquirePrivateKey( |
| 55 const base::Callback<void(scoped_refptr<SSLPrivateKey>)>& |
| 56 private_key_callback) { |
| 57 if (base::PostTaskAndReplyWithResult( |
| 58 base::WorkerPool::GetTaskRunner(true /* task_is_slow */).get(), |
| 59 FROM_HERE, |
| 60 base::Bind(&FetchClientCertPrivateKey, |
| 61 base::RetainedRef(certificate()), |
| 62 base::RetainedRef(password_delegate_)), |
| 63 private_key_callback)) { |
| 64 return; |
| 65 } |
| 66 // If the task could not be posted, behave as if there was no key. |
| 67 private_key_callback.Run(nullptr); |
| 68 } |
| 69 |
| 70 } // namespace |
| 71 |
30 ClientCertStoreNSS::ClientCertStoreNSS( | 72 ClientCertStoreNSS::ClientCertStoreNSS( |
31 const PasswordDelegateFactory& password_delegate_factory) | 73 const PasswordDelegateFactory& password_delegate_factory) |
32 : password_delegate_factory_(password_delegate_factory) {} | 74 : password_delegate_factory_(password_delegate_factory) {} |
33 | 75 |
34 ClientCertStoreNSS::~ClientCertStoreNSS() {} | 76 ClientCertStoreNSS::~ClientCertStoreNSS() {} |
35 | 77 |
36 void ClientCertStoreNSS::GetClientCerts( | 78 void ClientCertStoreNSS::GetClientCerts( |
37 const SSLCertRequestInfo& request, | 79 const SSLCertRequestInfo& request, |
38 const ClientCertListCallback& callback) { | 80 const ClientCertListCallback& callback) { |
39 std::unique_ptr<crypto::CryptoModuleBlockingPasswordDelegate> | 81 scoped_refptr<crypto::CryptoModuleBlockingPasswordDelegate> password_delegate; |
40 password_delegate; | 82 if (!password_delegate_factory_.is_null()) |
41 if (!password_delegate_factory_.is_null()) { | 83 password_delegate = password_delegate_factory_.Run(request.host_and_port); |
42 password_delegate.reset( | |
43 password_delegate_factory_.Run(request.host_and_port)); | |
44 } | |
45 if (base::PostTaskAndReplyWithResult( | 84 if (base::PostTaskAndReplyWithResult( |
46 base::WorkerPool::GetTaskRunner(true /* task_is_slow */).get(), | 85 base::WorkerPool::GetTaskRunner(true /* task_is_slow */).get(), |
47 FROM_HERE, | 86 FROM_HERE, |
48 base::Bind(&ClientCertStoreNSS::GetAndFilterCertsOnWorkerThread, | 87 base::Bind(&ClientCertStoreNSS::GetAndFilterCertsOnWorkerThread, |
49 // Caller is responsible for keeping the ClientCertStore | 88 // Caller is responsible for keeping the ClientCertStore |
50 // alive until the callback is run. | 89 // alive until the callback is run. |
51 base::Unretained(this), base::Passed(&password_delegate), | 90 base::Unretained(this), std::move(password_delegate), |
52 &request), | 91 &request), |
53 callback)) { | 92 callback)) { |
54 return; | 93 return; |
55 } | 94 } |
56 // If the task could not be posted, behave as if there were no certificates. | 95 // If the task could not be posted, behave as if there were no certificates. |
57 callback.Run(CertificateList()); | 96 callback.Run(ClientCertIdentityList()); |
58 } | 97 } |
59 | 98 |
60 // static | 99 // static |
61 void ClientCertStoreNSS::FilterCertsOnWorkerThread( | 100 void ClientCertStoreNSS::FilterCertsOnWorkerThread( |
62 const CertificateList& certs, | 101 ClientCertIdentityList* identities, |
63 const SSLCertRequestInfo& request, | 102 const SSLCertRequestInfo& request) { |
64 CertificateList* filtered_certs) { | 103 size_t num_raw = 0; |
65 DCHECK(filtered_certs); | |
66 | 104 |
67 filtered_certs->clear(); | 105 auto keep_iter = identities->begin(); |
68 | 106 |
69 size_t num_raw = 0; | 107 for (auto examine_iter = identities->begin(); |
70 for (const auto& cert : certs) { | 108 examine_iter != identities->end(); ++examine_iter) { |
71 ++num_raw; | 109 ++num_raw; |
72 X509Certificate::OSCertHandle handle = cert->os_cert_handle(); | 110 X509Certificate::OSCertHandle handle = |
| 111 (*examine_iter)->certificate()->os_cert_handle(); |
73 | 112 |
74 // Only offer unexpired certificates. | 113 // Only offer unexpired certificates. |
75 if (CERT_CheckCertValidTimes(handle, PR_Now(), PR_TRUE) != | 114 if (CERT_CheckCertValidTimes(handle, PR_Now(), PR_TRUE) != |
76 secCertTimeValid) { | 115 secCertTimeValid) { |
77 DVLOG(2) << "skipped expired cert: " | 116 DVLOG(2) << "skipped expired cert: " |
78 << base::StringPiece(handle->nickname); | 117 << base::StringPiece(handle->nickname); |
79 continue; | 118 continue; |
80 } | 119 } |
81 | 120 |
82 std::vector<ScopedCERTCertificate> intermediates; | 121 std::vector<ScopedCERTCertificate> intermediates; |
83 if (!MatchClientCertificateIssuers(handle, request.cert_authorities, | 122 if (!MatchClientCertificateIssuers(handle, request.cert_authorities, |
84 &intermediates)) { | 123 &intermediates)) { |
85 DVLOG(2) << "skipped non-matching cert: " | 124 DVLOG(2) << "skipped non-matching cert: " |
86 << base::StringPiece(handle->nickname); | 125 << base::StringPiece(handle->nickname); |
87 continue; | 126 continue; |
88 } | 127 } |
89 | 128 |
90 DVLOG(2) << "matched cert: " << base::StringPiece(handle->nickname); | 129 DVLOG(2) << "matched cert: " << base::StringPiece(handle->nickname); |
91 | 130 |
92 X509Certificate::OSCertHandles intermediates_raw; | 131 X509Certificate::OSCertHandles intermediates_raw; |
93 for (const auto& intermediate : intermediates) { | 132 for (const auto& intermediate : intermediates) { |
94 intermediates_raw.push_back(intermediate.get()); | 133 intermediates_raw.push_back(intermediate.get()); |
95 } | 134 } |
96 | 135 |
97 // Retain a copy of the intermediates. Some deployments expect the client to | 136 // Retain a copy of the intermediates. Some deployments expect the client to |
98 // supply intermediates out of the local store. See | 137 // supply intermediates out of the local store. See |
99 // https://crbug.com/548631. | 138 // https://crbug.com/548631. |
100 filtered_certs->push_back( | 139 (*examine_iter)->SetIntermediates(intermediates_raw); |
101 X509Certificate::CreateFromHandle(handle, intermediates_raw)); | 140 |
102 // |handle| was successfully parsed by |cert|, so this should never fail. | 141 if (examine_iter == keep_iter) |
103 DCHECK(filtered_certs->back()); | 142 ++keep_iter; |
| 143 else |
| 144 *keep_iter++ = std::move(*examine_iter); |
104 } | 145 } |
105 DVLOG(2) << "num_raw:" << num_raw | 146 identities->erase(keep_iter, identities->end()); |
106 << " num_filtered:" << filtered_certs->size(); | |
107 | 147 |
108 std::sort(filtered_certs->begin(), filtered_certs->end(), | 148 DVLOG(2) << "num_raw:" << num_raw << " num_filtered:" << identities->size(); |
109 x509_util::ClientCertSorter()); | 149 |
| 150 std::sort(identities->begin(), identities->end(), ClientCertIdentitySorter()); |
110 } | 151 } |
111 | 152 |
112 CertificateList ClientCertStoreNSS::GetAndFilterCertsOnWorkerThread( | 153 ClientCertIdentityList ClientCertStoreNSS::GetAndFilterCertsOnWorkerThread( |
113 std::unique_ptr<crypto::CryptoModuleBlockingPasswordDelegate> | 154 scoped_refptr<crypto::CryptoModuleBlockingPasswordDelegate> |
114 password_delegate, | 155 password_delegate, |
115 const SSLCertRequestInfo* request) { | 156 const SSLCertRequestInfo* request) { |
116 CertificateList platform_certs; | 157 ClientCertIdentityList selected_identities; |
117 GetPlatformCertsOnWorkerThread(std::move(password_delegate), &platform_certs); | 158 GetPlatformCertsOnWorkerThread(std::move(password_delegate), |
118 CertificateList selected_certs; | 159 &selected_identities); |
119 FilterCertsOnWorkerThread(platform_certs, *request, &selected_certs); | 160 FilterCertsOnWorkerThread(&selected_identities, *request); |
120 return selected_certs; | 161 return selected_identities; |
121 } | 162 } |
122 | 163 |
123 // static | 164 // static |
124 void ClientCertStoreNSS::GetPlatformCertsOnWorkerThread( | 165 void ClientCertStoreNSS::GetPlatformCertsOnWorkerThread( |
125 std::unique_ptr<crypto::CryptoModuleBlockingPasswordDelegate> | 166 scoped_refptr<crypto::CryptoModuleBlockingPasswordDelegate> |
126 password_delegate, | 167 password_delegate, |
127 net::CertificateList* certs) { | 168 ClientCertIdentityList* identities) { |
128 CERTCertList* found_certs = | 169 CERTCertList* found_certs = |
129 CERT_FindUserCertsByUsage(CERT_GetDefaultCertDB(), certUsageSSLClient, | 170 CERT_FindUserCertsByUsage(CERT_GetDefaultCertDB(), certUsageSSLClient, |
130 PR_FALSE, PR_FALSE, password_delegate.get()); | 171 PR_FALSE, PR_FALSE, password_delegate.get()); |
131 if (!found_certs) { | 172 if (!found_certs) { |
132 DVLOG(2) << "No client certs found."; | 173 DVLOG(2) << "No client certs found."; |
133 return; | 174 return; |
134 } | 175 } |
135 for (CERTCertListNode* node = CERT_LIST_HEAD(found_certs); | 176 for (CERTCertListNode* node = CERT_LIST_HEAD(found_certs); |
136 !CERT_LIST_END(node, found_certs); node = CERT_LIST_NEXT(node)) { | 177 !CERT_LIST_END(node, found_certs); node = CERT_LIST_NEXT(node)) { |
137 scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromHandle( | 178 scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromHandle( |
138 node->cert, X509Certificate::OSCertHandles()); | 179 node->cert, X509Certificate::OSCertHandles()); |
139 if (!cert) { | 180 if (!cert) { |
140 DVLOG(2) << "X509Certificate::CreateFromHandle failed"; | 181 DVLOG(2) << "X509Certificate::CreateFromHandle failed"; |
141 continue; | 182 continue; |
142 } | 183 } |
143 certs->push_back(std::move(cert)); | 184 identities->push_back( |
| 185 base::MakeUnique<ClientCertIdentityNSS>(cert, password_delegate)); |
144 } | 186 } |
145 CERT_DestroyCertList(found_certs); | 187 CERT_DestroyCertList(found_certs); |
146 } | 188 } |
147 | 189 |
148 } // namespace net | 190 } // namespace net |
OLD | NEW |