net/ssl/client_cert_store_mac.cc - Issue 2910893002: Improved support for loading client certificates on smart cards on macOS

Side by Side Diff: net/ssl/client_cert_store_mac.cc

Issue 2910893002: Improved support for loading client certificates on smart cards on macOS

Patch Set: Created 3 years, 6 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

OLD	NEW
1 // Copyright 2013 The Chromium Authors. All rights reserved.	1 // Copyright 2013 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "net/ssl/client_cert_store_mac.h"	5 #include "net/ssl/client_cert_store_mac.h"

6	6

7 #include <CommonCrypto/CommonDigest.h>	7 #include <CommonCrypto/CommonDigest.h>

8 #include <CoreFoundation/CFArray.h>	8 #include <CoreFoundation/CFArray.h>

9 #include <CoreServices/CoreServices.h>	9 #include <CoreServices/CoreServices.h>

10 #include <Security/SecBase.h>	10 #include <Security/SecBase.h>

(...skipping 266 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
277 ScopedCFTypeRef<SecIdentitySearchRef> scoped_search(search);	277 ScopedCFTypeRef<SecIdentitySearchRef> scoped_search(search);

278 while (!err) {	278 while (!err) {

279 SecIdentityRef identity = NULL;	279 SecIdentityRef identity = NULL;

280 {	280 {

281 base::AutoLock lock(crypto::GetMacSecurityServicesLock());	281 base::AutoLock lock(crypto::GetMacSecurityServicesLock());

282 err = SecIdentitySearchCopyNext(search, &identity);	282 err = SecIdentitySearchCopyNext(search, &identity);

283 }	283 }

284 if (err)	284 if (err)

285 break;	285 break;

286 ScopedCFTypeRef<SecIdentityRef> scoped_identity(identity);	286 ScopedCFTypeRef<SecIdentityRef> scoped_identity(identity);

287	287 AddIdentity(regular_certs, preferred_cert, preferred_identity.get(), identit y);

288 SecCertificateRef cert_handle;

289 err = SecIdentityCopyCertificate(identity, &cert_handle);

290 if (err != noErr)

291 continue;

292 ScopedCFTypeRef<SecCertificateRef> scoped_cert_handle(cert_handle);

293

294 if (!SupportsSSLClientAuth(cert_handle))

295 continue;

296

297 scoped_refptr<X509Certificate> cert(

298 x509_util::CreateX509CertificateFromSecCertificate(

299 cert_handle, std::vector<SecCertificateRef>()));

300 if (!cert)

301 continue;

302

303 if (preferred_identity && CFEqual(preferred_identity, identity)) {

304 // Only one certificate should match.

305 DCHECK(!preferred_cert.get());

306 preferred_cert = cert;

307 } else {

308 regular_certs.push_back(cert);

309 }

310 }	288 }

311	289

312 if (err != errSecItemNotFound) {	290 if (err != errSecItemNotFound) {

313 OSSTATUS_LOG(ERROR, err) << "SecIdentitySearch error";	291 OSSTATUS_LOG(ERROR, err) << "SecIdentitySearch error";

314 callback.Run(CertificateList());	292 callback.Run(CertificateList());

315 return;	293 return;

316 }	294 }

317	295

	296 // For reasons I don't understand, macOS has two different ways of querying

	297 // for client certificate identities. The way we just tried will miss some

	298 // smart card based certificates, and this way misses some soft certificates.
	Ryan Sleevi 2017/05/30 18:00:01 We try to avoid pronouns in comments (I/we) and tr We try to avoid pronouns in comments (I/we) and try to explain/document the root cause (e.g. via discussion from opensource.apple.com - see line 251 for an example) More complete documentation may be: // macOS provides two ways to search for identities. // SecIdentitySearchCreate() is deprecated, as it relies on CSSM_KEYUSE_SIGN (part of the deprecated CDSM/CSSA implementation), but // is necessary to return some certificates that would otherwise not // be returned by SecItemCopyMatching(), which is the non-deprecated // way. // However, SecIdentitySearchCreate() will not return all items, particularly smart-card based identities, so it's necessary to // call both functions. agaynor 2017/05/31 02:37:33 Done. Show quoted text On 2017/05/30 18:00:01, Ryan Sleevi wrote: > We try to avoid pronouns in comments (I/we) and try to explain/document the root > cause (e.g. via discussion from http://opensource.apple.com - see line 251 for an > example) > > More complete documentation may be: > > // macOS provides two ways to search for identities. > // SecIdentitySearchCreate() is deprecated, as it relies on CSSM_KEYUSE_SIGN > (part of the deprecated CDSM/CSSA implementation), but > // is necessary to return some certificates that would otherwise not > // be returned by SecItemCopyMatching(), which is the non-deprecated > // way. > // However, SecIdentitySearchCreate() will not return all items, particularly > smart-card based identities, so it's necessary to > // call both functions. Done.
	299 const void *keys[] = {
	Ryan Sleevi 2017/05/30 18:00:01 You can use "git cl format" to ensure this is prop You can use "git cl format" to ensure this is properly formatted, but Chrome groups the * to the type rather than the identifier ("void* keys" vs "void keys") https://google.github.io/styleguide/cppguide.html#Pointer_and_Reference_Expre... permits both, but https://chromium.googlesource.com/chromium/src/+/master/styleguide/c++/c++.md specifies for Chromium :) Ryan Sleevi* 2017/05/30 18:00:01 So, I _believe_ for correctness, that kSecAttrCanS So, I _believe_ for correctness, that kSecAttrCanSign should be kCFBooleanTrue (if RSA) or kSecAttrCanDerive should be kCFBooleanTrue (if ECDSA/ECDH) Could you describe what type of key you have? I'd be willing to bet it's an ECDSA/ECDH key, which is why the CSSM_KEYUSE_SIGN isn't sufficient. I'd be willing to bet that if we also passed CSSM_KEYUSE_DERIVE, your cert would be returned. Context is that https://opensource.apple.com/source/Security/Security-57740.51.3/OSX/libsecur... shows that SecItemCopyMatching punts to SecItemCopyMatching_osx which then maps the kSecAttrCan* flags into CSSM keyusage fields, and then just calls SecIdentitySearchCreate(). The difference in your invocation here and the existing invocation is you're not supplying a kSecAttrCan* parameter, and so you're getting all keyUsages, by virtue of _CssmKeyUsageFromQuery agaynor 2017/05/31 02:37:33 Done. Show quoted text On 2017/05/30 18:00:01, Ryan Sleevi wrote: > You can use "git cl format" to ensure this is properly formatted, but Chrome > groups the * to the type rather than the identifier ("void* keys" vs "void > keys") > > https://google.github.io/styleguide/cppguide.html#Pointer_and_Reference_Expre... > permits both, but > https://chromium.googlesource.com/chromium/src/+/master/styleguide/c++/c++.md > specifies for Chromium :) Done. agaynor* 2017/05/31 02:37:33 It's a boring old RSA key. I've added \|kSecAttrCan It's a boring old RSA key. I've added \|kSecAttrCanSign=kCFBooleanTrue\| and this patch continues to fix this issue for me. mattm 2017/06/05 23:34:27 Looking at that code a bit, it seems that SecItemC Show quoted text On 2017/05/30 18:00:01, Ryan Sleevi wrote: > So, I _believe_ for correctness, that kSecAttrCanSign should be kCFBooleanTrue > (if RSA) or kSecAttrCanDerive should be kCFBooleanTrue (if ECDSA/ECDH) > > Could you describe what type of key you have? I'd be willing to bet it's an > ECDSA/ECDH key, which is why the CSSM_KEYUSE_SIGN isn't sufficient. I'd be > willing to bet that if we also passed CSSM_KEYUSE_DERIVE, your cert would be > returned. > > Context is that > https://opensource.apple.com/source/Security/Security-57740.51.3/OSX/libsecur... > shows that SecItemCopyMatching punts to SecItemCopyMatching_osx which then maps > the kSecAttrCan* flags into CSSM keyusage fields, and then just calls > SecIdentitySearchCreate(). The difference in your invocation here and the > existing invocation is you're not supplying a kSecAttrCan* parameter, and so > you're getting all keyUsages, by virtue of _CssmKeyUsageFromQuery Looking at that code a bit, it seems that SecItemCategorizeQuery is used to decide whether to do the SecItemCopyMatching_ios and/or SecItemCopyMatching_osx, and the default is to do both. It looks like this query doesn't have any of the params that would exclude either type, so that can explain how this produces different results. (I guess that also means that if we were confident about which versions of OSX that translation code is fully implemented on, we could get rid of the SecIdentitySearch... code from here entirely. I looked at the 10.9 version, it appears to have similar stuff, though with some differences. (https://opensource.apple.com/source/Security/Security-55471/libsecurity_keych...) I didn't dig in enough to really be confident about it though. Just to be safe keeping both seems fine.)
	300 kSecClass,

	301 kSecMatchLimit,

	302 kSecReturnRef,

	303 };

	304 const void *values[] = {

	305 kSecClassIdentity,

	306 kSecMatchLimitAll,

	307 kCFBooleanTrue,

	308 };

	309 CFDictionaryRef query = CFDictionaryCreate(
	Ryan Sleevi 2017/05/30 18:00:01 You can see we used the ScopedCFTypeRef C++ helper You can see we used the ScopedCFTypeRef C++ helpers here to ensure RAII agaynor 2017/05/31 02:37:33 Done. Show quoted text On 2017/05/30 18:00:01, Ryan Sleevi wrote: > You can see we used the ScopedCFTypeRef C++ helpers here to ensure RAII Done.
	310 kCFAllocatorDefault,

	311 keys,

	312 values,

	313 sizeof(values) / sizeof(values[0]),

	314 &kCFTypeDictionaryKeyCallBacks,

	315 &kCFTypeDictionaryValueCallBacks

	316 );

	317 CFArrayRef result = NULL;

	318 err = SecItemCopyMatching(query, (CFTypeRef *)&result);
	Ryan Sleevi 2017/05/30 18:00:00 Note: Chromium explicitly uses C++ casts rather th Note: Chromium explicitly uses C++ casts rather than C casts - see https://google.github.io/styleguide/cppguide.html#Casting If you're using ScopedCFTypeRef, you can use .InitializeInto() to return an acceptable pointer for this :) agaynor 2017/05/31 02:37:33 Done. Show quoted text On 2017/05/30 18:00:00, Ryan Sleevi wrote: > Note: Chromium explicitly uses C++ casts rather than C casts - see > https://google.github.io/styleguide/cppguide.html#Casting > > If you're using ScopedCFTypeRef, you can use .InitializeInto() to return an > acceptable pointer for this :) Done.
	319 if (!err) {
	Ryan Sleevi 2017/05/30 18:00:01 In general, we try to handle the error case first, In general, we try to handle the error case first, to avoid too much nesting. You can see this in line 273 or 284, for example.
	320 for (CFIndex i = 0; i < CFArrayGetCount(result); i++) {

	321 CFTypeRef item = CFArrayGetValueAtIndex(result, i);

	322 AddIdentity(regular_certs, preferred_cert, preferred_identity, (SecIdentit yRef)item);

	323 }

	324 }

	325 CFRelease(query);

	326 CFRelease(result);

	327

318 CertificateList selected_certs;	328 CertificateList selected_certs;

319 GetClientCertsImpl(preferred_cert, regular_certs, request, true,	329 GetClientCertsImpl(preferred_cert, regular_certs, request, true,

320 &selected_certs);	330 &selected_certs);

321 callback.Run(std::move(selected_certs));	331 callback.Run(std::move(selected_certs));

322 }	332 }

323	333

	334 void ClientCertStoreMac::AddIdentity(

	335 CertificateList& regular_certs,

	336 scoped_refptr<X509Certificate>& preferred_cert,

	337 SecIdentityRef preferred_identity,

	338 SecIdentityRef identity) {

	339 OSStatus err;

	340 SecCertificateRef cert_handle;
	Ryan Sleevi 2017/05/30 18:00:01 .InitializeInto :) .InitializeInto :) agaynor 2017/05/31 02:37:33 Done. Show quoted text On 2017/05/30 18:00:01, Ryan Sleevi wrote: > .InitializeInto :) Done.
	341 err = SecIdentityCopyCertificate(identity, &cert_handle);

	342 if (err != noErr)

	343 return;

	344 ScopedCFTypeRef<SecCertificateRef> scoped_cert_handle(cert_handle);

	345

	346 if (!SupportsSSLClientAuth(cert_handle))

	347 return;

	348

	349 scoped_refptr<X509Certificate> cert(

	350 x509_util::CreateX509CertificateFromSecCertificate(

	351 cert_handle, std::vector<SecCertificateRef>()));

	352 if (!cert)

	353 return;

	354

	355 if (preferred_identity && CFEqual(preferred_identity, identity)) {

	356 // Only one certificate should match.

	357 DCHECK(!preferred_cert.get());

	358 preferred_cert = cert;

	359 } else {

	360 regular_certs.push_back(cert);

	361 }

	362 }

	363

324 bool ClientCertStoreMac::SelectClientCertsForTesting(	364 bool ClientCertStoreMac::SelectClientCertsForTesting(

325 const CertificateList& input_certs,	365 const CertificateList& input_certs,

326 const SSLCertRequestInfo& request,	366 const SSLCertRequestInfo& request,

327 CertificateList* selected_certs) {	367 CertificateList* selected_certs) {

328 GetClientCertsImpl(NULL, input_certs, request, false, selected_certs);	368 GetClientCertsImpl(NULL, input_certs, request, false, selected_certs);

329 return true;	369 return true;

330 }	370 }

331	371

332 bool ClientCertStoreMac::SelectClientCertsGivenPreferredForTesting(	372 bool ClientCertStoreMac::SelectClientCertsGivenPreferredForTesting(

333 const scoped_refptr<X509Certificate>& preferred_cert,	373 const scoped_refptr<X509Certificate>& preferred_cert,

334 const CertificateList& regular_certs,	374 const CertificateList& regular_certs,

335 const SSLCertRequestInfo& request,	375 const SSLCertRequestInfo& request,

336 CertificateList* selected_certs) {	376 CertificateList* selected_certs) {

337 GetClientCertsImpl(	377 GetClientCertsImpl(

338 preferred_cert, regular_certs, request, false, selected_certs);	378 preferred_cert, regular_certs, request, false, selected_certs);

339 return true;	379 return true;

340 }	380 }

341	381

342 #pragma clang diagnostic pop // "-Wdeprecated-declarations"	382 #pragma clang diagnostic pop // "-Wdeprecated-declarations"

343	383

344 } // namespace net	384 } // namespace net

OLD	NEW

« net/ssl/client_cert_store_mac.h ('K') | « net/ssl/client_cert_store_mac.h ('k') | no next file » | no next file with comments »