net/ssl/ssl_platform_key_mac.cc - Issue 2898573002: Refactor client cert private key handling.

Unified Diff: net/ssl/ssl_platform_key_mac.cc

Issue 2898573002: Refactor client cert private key handling. (Closed)

Patch Set: . Created 3 years, 7 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Index: net/ssl/ssl_platform_key_mac.cc

diff --git a/net/ssl/ssl_platform_key_mac.cc b/net/ssl/ssl_platform_key_mac.cc

index c4be83d30b1bf9a3456056a283a07d245d390f5f..356f1e39df2fcf3523156ad1ee36327b0d493125 100644

--- a/net/ssl/ssl_platform_key_mac.cc

+++ b/net/ssl/ssl_platform_key_mac.cc

@@ -31,7 +31,6 @@

#include "net/base/net_errors.h"

#include "net/cert/x509_certificate.h"

#include "net/cert/x509_util_mac.h"

-#include "net/ssl/ssl_platform_key.h"

#include "net/ssl/ssl_platform_key_util.h"

#include "net/ssl/ssl_private_key.h"

#include "net/ssl/threaded_ssl_private_key.h"

@@ -78,37 +77,6 @@ class ScopedCSSM_CC_HANDLE {

DISALLOW_COPY_AND_ASSIGN(ScopedCSSM_CC_HANDLE);

};

-// Looks up the private key for |certificate| in |keychain| and returns

-// a SecKeyRef or nullptr on failure. The caller takes ownership of the

-// result.

-SecKeyRef FetchSecKeyRefForCertificate(const X509Certificate* certificate,

- SecKeychainRef keychain) {

- OSStatus status;

- base::ScopedCFTypeRef<SecIdentityRef> identity;

- {

- base::ScopedCFTypeRef<SecCertificateRef> os_cert(

- x509_util::CreateSecCertificateFromX509Certificate(certificate));

- if (!os_cert)

- return nullptr;

- base::AutoLock lock(crypto::GetMacSecurityServicesLock());

- status = SecIdentityCreateWithCertificate(keychain, os_cert.get(),

- identity.InitializeInto());

- }

- if (status != noErr) {

- OSSTATUS_LOG(WARNING, status);

- return nullptr;

- }

- base::ScopedCFTypeRef<SecKeyRef> private_key;

- status = SecIdentityCopyPrivateKey(identity, private_key.InitializeInto());

- if (status != noErr) {

- OSSTATUS_LOG(WARNING, status);

- return nullptr;

- }

- return private_key.release();

// These symbols were added in the 10.12 SDK, but we currently use an older SDK,

// so look them up with dlsym.

@@ -376,17 +344,9 @@ class SSLPlatformKeySecKey : public ThreadedSSLPrivateKey::Delegate {

DISALLOW_COPY_AND_ASSIGN(SSLPlatformKeySecKey);

};

-} // namespace

-scoped_refptr<SSLPrivateKey> FetchClientCertPrivateKeyFromKeychain(

+scoped_refptr<SSLPrivateKey> CreateSSLPrivateKeyForSecKey(

const X509Certificate* certificate,

- SecKeychainRef keychain) {

- // Look up the private key.

- base::ScopedCFTypeRef<SecKeyRef> private_key(

- FetchSecKeyRefForCertificate(certificate, keychain));

- if (!private_key)

- return nullptr;

+ SecKeyRef private_key) {

int key_type;

size_t max_length;

if (!GetClientCertInfo(certificate, &key_type, &max_length))

@@ -395,26 +355,37 @@ scoped_refptr<SSLPrivateKey> FetchClientCertPrivateKeyFromKeychain(

if (base::mac::IsAtLeastOS10_12()) {

return make_scoped_refptr(

new ThreadedSSLPrivateKey(base::MakeUnique<SSLPlatformKeySecKey>(

- key_type, max_length, private_key.get()),

+ key_type, max_length, private_key),

GetSSLPlatformKeyTaskRunner()));

}

const CSSM_KEY* cssm_key;

- OSStatus status = SecKeyGetCSSMKey(private_key.get(), &cssm_key);

+ OSStatus status = SecKeyGetCSSMKey(private_key, &cssm_key);

if (status != noErr) {

OSSTATUS_LOG(WARNING, status);

return nullptr;

}

return make_scoped_refptr(new ThreadedSSLPrivateKey(

- base::MakeUnique<SSLPlatformKeyCSSM>(key_type, max_length,

- private_key.get(), cssm_key),

+ base::MakeUnique<SSLPlatformKeyCSSM>(key_type, max_length, private_key,

+ cssm_key),

GetSSLPlatformKeyTaskRunner()));

}

-scoped_refptr<SSLPrivateKey> FetchClientCertPrivateKey(

- const X509Certificate* certificate) {

- return FetchClientCertPrivateKeyFromKeychain(certificate, nullptr);

+} // namespace

+scoped_refptr<SSLPrivateKey> CreateSSLPrivateKeyForSecIdentity(

+ const X509Certificate* certificate,

+ SecIdentityRef identity) {

+ base::ScopedCFTypeRef<SecKeyRef> private_key;

+ OSStatus status =

+ SecIdentityCopyPrivateKey(identity, private_key.InitializeInto());

+ if (status != noErr) {

+ OSSTATUS_LOG(WARNING, status);

+ return nullptr;

+ }

+ return CreateSSLPrivateKeyForSecKey(certificate, private_key.get());

}

#pragma clang diagnostic pop // "-Wdeprecated-declarations"

« net/ssl/ssl_cert_request_info.h ('K') | « net/ssl/ssl_platform_key_mac.h ('k') | net/ssl/ssl_platform_key_mac_unittest.cc » ('j') | net/ssl/ssl_platform_key_nss.cc » ('J')