
Side by Side Diff: net/ssl/ssl_platform_key_nss.cc

Issue 2898573002: Refactor client cert private key handling. (Closed)
Patch Set: . Created 3 years, 6 months ago
1 // Copyright 2015 The Chromium Authors. All rights reserved. 1 // Copyright 2015 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/ssl/ssl_platform_key_nss.h"
6
5 #include <cert.h> 7 #include <cert.h>
6 #include <keyhi.h> 8 #include <keyhi.h>
7 #include <pk11pub.h> 9 #include <pk11pub.h>
8 #include <prerror.h> 10 #include <prerror.h>
9 11
10 #include <utility> 12 #include <utility>
11 13
12 #include "base/logging.h" 14 #include "base/logging.h"
13 #include "base/macros.h" 15 #include "base/macros.h"
14 #include "base/memory/ptr_util.h" 16 #include "base/memory/ptr_util.h"
17 #include "crypto/nss_crypto_module_delegate.h"
15 #include "crypto/scoped_nss_types.h" 18 #include "crypto/scoped_nss_types.h"
16 #include "net/cert/x509_certificate.h" 19 #include "net/cert/x509_certificate.h"
17 #include "net/ssl/client_key_store.h"
18 #include "net/ssl/ssl_platform_key.h"
19 #include "net/ssl/ssl_platform_key_util.h" 20 #include "net/ssl/ssl_platform_key_util.h"
20 #include "net/ssl/ssl_private_key.h" 21 #include "net/ssl/ssl_private_key.h"
21 #include "net/ssl/threaded_ssl_private_key.h" 22 #include "net/ssl/threaded_ssl_private_key.h"
22 #include "third_party/boringssl/src/include/openssl/bn.h" 23 #include "third_party/boringssl/src/include/openssl/bn.h"
23 #include "third_party/boringssl/src/include/openssl/bytestring.h" 24 #include "third_party/boringssl/src/include/openssl/bytestring.h"
24 #include "third_party/boringssl/src/include/openssl/ec.h" 25 #include "third_party/boringssl/src/include/openssl/ec.h"
25 #include "third_party/boringssl/src/include/openssl/ec_key.h" 26 #include "third_party/boringssl/src/include/openssl/ec_key.h"
26 #include "third_party/boringssl/src/include/openssl/ecdsa.h" 27 #include "third_party/boringssl/src/include/openssl/ecdsa.h"
27 #include "third_party/boringssl/src/include/openssl/evp.h" 28 #include "third_party/boringssl/src/include/openssl/evp.h"
28 #include "third_party/boringssl/src/include/openssl/mem.h" 29 #include "third_party/boringssl/src/include/openssl/mem.h"
(...skipping 117 matching lines...) Expand 10 before | Expand all | Expand 10 after
146 private: 147 private:
147 int type_; 148 int type_;
148 crypto::ScopedSECKEYPrivateKey key_; 149 crypto::ScopedSECKEYPrivateKey key_;
149 150
150 DISALLOW_COPY_AND_ASSIGN(SSLPlatformKeyNSS); 151 DISALLOW_COPY_AND_ASSIGN(SSLPlatformKeyNSS);
151 }; 152 };
152 153
153 } // namespace 154 } // namespace
154 155
155 scoped_refptr<SSLPrivateKey> FetchClientCertPrivateKey( 156 scoped_refptr<SSLPrivateKey> FetchClientCertPrivateKey(
156 const X509Certificate* certificate) { 157 const X509Certificate* certificate,
158 crypto::CryptoModuleBlockingPasswordDelegate* password_delegate) {
159 void* wincx = password_delegate ? password_delegate->wincx() : nullptr;
157 crypto::ScopedSECKEYPrivateKey key( 160 crypto::ScopedSECKEYPrivateKey key(
158 PK11_FindKeyByAnyCert(certificate->os_cert_handle(), nullptr)); 161 PK11_FindKeyByAnyCert(certificate->os_cert_handle(), wincx));
davidben 2017/06/01 23:41:25 Huh. We didn't manage to pass this in before, did
mattm 2017/06/02 04:04:20 Previously we had that ugly UnlockSlot thing where
159 if (!key) { 162 if (!key)
160 return ClientKeyStore::GetInstance()->FetchClientCertPrivateKey( 163 return nullptr;
161 *certificate);
162 }
163 164
164 int type; 165 int type;
165 size_t max_length; 166 size_t max_length;
166 if (!GetClientCertInfo(certificate, &type, &max_length)) 167 if (!GetClientCertInfo(certificate, &type, &max_length))
167 return nullptr; 168 return nullptr;
168 169
169 return make_scoped_refptr(new ThreadedSSLPrivateKey( 170 return make_scoped_refptr(new ThreadedSSLPrivateKey(
170 base::MakeUnique<SSLPlatformKeyNSS>(type, std::move(key)), 171 base::MakeUnique<SSLPlatformKeyNSS>(type, std::move(key)),
171 GetSSLPlatformKeyTaskRunner())); 172 GetSSLPlatformKeyTaskRunner()));
172 } 173 }
173 174
174 } // namespace net 175 } // namespace net
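Review bot: In the new `FetchClientCertPrivateKey`, the `if (!key) return nullptr;` path reports "no key for this certificate" and "token could not be unlocked" identically. The second case seems likely when `password_delegate` is null, since `wincx` is then null and NSS presumably has no way to prompt. With the `ClientKeyStore` fallback removed, callers get a bare nullptr and no record of the cause, so I would log the NSS error before returning, e.g. `LOG(WARNING) << "PK11_FindKeyByAnyCert failed: " << PR_GetError();` (`prerror.h` is already included). The function also deserves a header comment such as `// May block on a token password prompt through |password_delegate|; a null delegate means no prompt is possible.`, because the delegate's type name suggests the lookup can now block, which matters for the thread it is called on. `certificate` is dereferenced unchecked on both sides, so the same comment should state that it must be non-null.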