OLD | NEW |
(Empty) | |
| 1 // Copyright 2017 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #include "net/ssl/client_cert_identity.h" |
| 6 |
| 7 #include "base/bind.h" |
| 8 #include "net/ssl/ssl_private_key.h" |
| 9 |
| 10 namespace net { |
| 11 |
| 12 namespace { |
| 13 |
| 14 void IdentityOwningPrivateKeyCallback( |
| 15 std::unique_ptr<ClientCertIdentity> identity, |
| 16 const base::Callback<void(scoped_refptr<SSLPrivateKey>)>& |
| 17 private_key_callback, |
| 18 scoped_refptr<SSLPrivateKey> private_key) { |
| 19 private_key_callback.Run(std::move(private_key)); |
| 20 } |
| 21 |
| 22 } // namespace |
| 23 |
| 24 ClientCertIdentity::ClientCertIdentity(scoped_refptr<net::X509Certificate> cert) |
| 25 : cert_(std::move(cert)) {} |
| 26 ClientCertIdentity::~ClientCertIdentity() = default; |
| 27 |
| 28 // static |
| 29 void ClientCertIdentity::SelfOwningAcquirePrivateKey( |
| 30 std::unique_ptr<ClientCertIdentity> self, |
| 31 const base::Callback<void(scoped_refptr<SSLPrivateKey>)>& |
| 32 private_key_callback) { |
| 33 ClientCertIdentity* self_ptr = self.get(); |
| 34 auto wrapped_private_key_callback = |
| 35 base::Bind(&IdentityOwningPrivateKeyCallback, base::Passed(&self), |
| 36 private_key_callback); |
| 37 self_ptr->AcquirePrivateKey(wrapped_private_key_callback); |
| 38 } |
| 39 |
| 40 void ClientCertIdentity::SetIntermediates( |
| 41 X509Certificate::OSCertHandles intermediates) { |
| 42 cert_ = |
| 43 X509Certificate::CreateFromHandle(cert_->os_cert_handle(), intermediates); |
| 44 // |cert_->os_cert_handle()| was already successfully parsed, so this should |
| 45 // never fail. |
| 46 DCHECK(cert_); |
| 47 } |
| 48 |
| 49 ClientCertIdentitySorter::ClientCertIdentitySorter() |
| 50 : now_(base::Time::Now()) {} |
| 51 |
| 52 bool ClientCertIdentitySorter::operator()( |
| 53 const std::unique_ptr<ClientCertIdentity>& a_identity, |
| 54 const std::unique_ptr<ClientCertIdentity>& b_identity) const { |
| 55 X509Certificate* a = a_identity->certificate(); |
| 56 X509Certificate* b = b_identity->certificate(); |
| 57 DCHECK(a); |
| 58 DCHECK(b); |
| 59 |
| 60 // Certificates that are expired/not-yet-valid are sorted last. |
| 61 bool a_is_valid = now_ >= a->valid_start() && now_ <= a->valid_expiry(); |
| 62 bool b_is_valid = now_ >= b->valid_start() && now_ <= b->valid_expiry(); |
| 63 if (a_is_valid != b_is_valid) |
| 64 return a_is_valid && !b_is_valid; |
| 65 |
| 66 // Certificates with longer expirations appear as higher priority (less |
| 67 // than) certificates with shorter expirations. |
| 68 if (a->valid_expiry() != b->valid_expiry()) |
| 69 return a->valid_expiry() > b->valid_expiry(); |
| 70 |
| 71 // If the expiration dates are equivalent, certificates that were issued |
| 72 // more recently should be prioritized over older certificates. |
| 73 if (a->valid_start() != b->valid_start()) |
| 74 return a->valid_start() > b->valid_start(); |
| 75 |
| 76 // Otherwise, prefer client certificates with shorter chains. |
| 77 const X509Certificate::OSCertHandles& a_intermediates = |
| 78 a->GetIntermediateCertificates(); |
| 79 const X509Certificate::OSCertHandles& b_intermediates = |
| 80 b->GetIntermediateCertificates(); |
| 81 return a_intermediates.size() < b_intermediates.size(); |
| 82 } |
| 83 |
| 84 } // namespace net |
OLD | NEW |