Chromium Code Reviews Chromium Code Reviews
Issue 2910893002:
Improved support for loading client certificates on smart cards on macOS
| OLD | NEW |
|---|---|
| 1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/ssl/client_cert_store_mac.h" | 5 #include "net/ssl/client_cert_store_mac.h" |
| 6 | 6 |
| 7 #include <CommonCrypto/CommonDigest.h> | 7 #include <CommonCrypto/CommonDigest.h> |
| 8 #include <CoreFoundation/CFArray.h> | 8 #include <CoreFoundation/CFArray.h> |
| 9 #include <CoreServices/CoreServices.h> | 9 #include <CoreServices/CoreServices.h> |
| 10 #include <Security/SecBase.h> | 10 #include <Security/SecBase.h> |
| 11 #include <Security/Security.h> | 11 #include <Security/Security.h> |
| 12 | 12 |
| 13 #include <algorithm> | 13 #include <algorithm> |
| 14 #include <string> | 14 #include <string> |
| 15 #include <utility> | |
| 16 #include <vector> | |
| 15 | 17 |
| 16 #include "base/callback.h" | 18 #include "base/callback.h" |
| 17 #include "base/logging.h" | 19 #include "base/logging.h" |
| 18 #include "base/mac/mac_logging.h" | 20 #include "base/mac/mac_logging.h" |
| 19 #include "base/mac/scoped_cftyperef.h" | 21 #include "base/mac/scoped_cftyperef.h" |
| 20 #include "base/strings/sys_string_conversions.h" | 22 #include "base/strings/sys_string_conversions.h" |
| 21 #include "base/synchronization/lock.h" | 23 #include "base/synchronization/lock.h" |
| 22 #include "crypto/mac_security_services_lock.h" | 24 #include "crypto/mac_security_services_lock.h" |
| 23 #include "net/base/host_port_pair.h" | 25 #include "net/base/host_port_pair.h" |
| 24 #include "net/cert/x509_util.h" | 26 #include "net/cert/x509_util.h" |
| (...skipping 199 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 224 // sorting. | 226 // sorting. |
| 225 CertificateList::iterator sort_begin = selected_certs->begin(); | 227 CertificateList::iterator sort_begin = selected_certs->begin(); |
| 226 CertificateList::iterator sort_end = selected_certs->end(); | 228 CertificateList::iterator sort_end = selected_certs->end(); |
| 227 if (preferred_cert.get() && sort_begin != sort_end && | 229 if (preferred_cert.get() && sort_begin != sort_end && |
| 228 sort_begin->get() == preferred_cert.get()) { | 230 sort_begin->get() == preferred_cert.get()) { |
| 229 ++sort_begin; | 231 ++sort_begin; |
| 230 } | 232 } |
| 231 sort(sort_begin, sort_end, x509_util::ClientCertSorter()); | 233 sort(sort_begin, sort_end, x509_util::ClientCertSorter()); |
| 232 } | 234 } |
| 233 | 235 |
| 236 // Given an |identity|, identifies its corresponding certificate, and either | |
| 237 // adds it to |regular_certs| or assigns it to |preferred_cert|, if the | |
| 238 // |identity| matches the |preferred_identity|. | |
| 239 void AddIdentity(SecIdentityRef identity, | |
| 240 SecIdentityRef preferred_identity, | |
| 241 CertificateList* regular_certs, | |
| 242 scoped_refptr<X509Certificate>* preferred_cert) { | |
| 243 OSStatus err; | |
| 244 ScopedCFTypeRef<SecCertificateRef> cert_handle; | |
| 245 err = SecIdentityCopyCertificate(identity, cert_handle.InitializeInto()); | |
| 246 if (err != noErr) | |
| 247 return; | |
| 248 | |
| 249 if (!SupportsSSLClientAuth(cert_handle)) | |
| 250 return; | |
| 251 | |
| 252 scoped_refptr<X509Certificate> cert( | |
| 253 x509_util::CreateX509CertificateFromSecCertificate( | |
| 254 cert_handle, std::vector<SecCertificateRef>())); | |
| 255 if (!cert) | |
| 256 return; | |
| 257 | |
| 258 if (preferred_identity && CFEqual(preferred_identity, identity)) { | |
| 259 // Only one certificate should match. | |
| 260 DCHECK(!preferred_cert->get()); | |
| 261 *preferred_cert = cert; | |
| 262 } else { | |
| 263 regular_certs->push_back(cert); | |
| 264 } | |
| 265 } | |
| 266 | |
| 234 } // namespace | 267 } // namespace |
| 235 | 268 |
| 236 ClientCertStoreMac::ClientCertStoreMac() {} | 269 ClientCertStoreMac::ClientCertStoreMac() {} |
| 237 | 270 |
| 238 ClientCertStoreMac::~ClientCertStoreMac() {} | 271 ClientCertStoreMac::~ClientCertStoreMac() {} |
| 239 | 272 |
| 240 void ClientCertStoreMac::GetClientCerts( | 273 void ClientCertStoreMac::GetClientCerts( |
| 241 const SSLCertRequestInfo& request, | 274 const SSLCertRequestInfo& request, |
| 242 const ClientCertListCallback& callback) { | 275 const ClientCertListCallback& callback) { |
| 243 std::string server_domain = request.host_and_port.host(); | 276 std::string server_domain = request.host_and_port.host(); |
| (...skipping 33 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 277 ScopedCFTypeRef<SecIdentitySearchRef> scoped_search(search); | 310 ScopedCFTypeRef<SecIdentitySearchRef> scoped_search(search); |
| 278 while (!err) { | 311 while (!err) { |
| 279 SecIdentityRef identity = NULL; | 312 SecIdentityRef identity = NULL; |
| 280 { | 313 { |
| 281 base::AutoLock lock(crypto::GetMacSecurityServicesLock()); | 314 base::AutoLock lock(crypto::GetMacSecurityServicesLock()); |
| 282 err = SecIdentitySearchCopyNext(search, &identity); | 315 err = SecIdentitySearchCopyNext(search, &identity); |
| 283 } | 316 } |
| 284 if (err) | 317 if (err) |
| 285 break; | 318 break; |
| 286 ScopedCFTypeRef<SecIdentityRef> scoped_identity(identity); | 319 ScopedCFTypeRef<SecIdentityRef> scoped_identity(identity); |
| 287 | 320 AddIdentity(identity, preferred_identity, ®ular_certs, &preferred_cert); |
| 288 SecCertificateRef cert_handle; | |
| 289 err = SecIdentityCopyCertificate(identity, &cert_handle); | |
| 290 if (err != noErr) | |
| 291 continue; | |
| 292 ScopedCFTypeRef<SecCertificateRef> scoped_cert_handle(cert_handle); | |
| 293 | |
| 294 if (!SupportsSSLClientAuth(cert_handle)) | |
| 295 continue; | |
| 296 | |
| 297 scoped_refptr<X509Certificate> cert( | |
| 298 x509_util::CreateX509CertificateFromSecCertificate( | |
| 299 cert_handle, std::vector<SecCertificateRef>())); | |
| 300 if (!cert) | |
| 301 continue; | |
| 302 | |
| 303 if (preferred_identity && CFEqual(preferred_identity, identity)) { | |
| 304 // Only one certificate should match. | |
| 305 DCHECK(!preferred_cert.get()); | |
| 306 preferred_cert = cert; | |
| 307 } else { | |
| 308 regular_certs.push_back(cert); | |
| 309 } | |
| 310 } | 321 } |
| 311 | 322 |
| 312 if (err != errSecItemNotFound) { | 323 if (err != errSecItemNotFound) { |
| 313 OSSTATUS_LOG(ERROR, err) << "SecIdentitySearch error"; | 324 OSSTATUS_LOG(ERROR, err) << "SecIdentitySearch error"; |
| 314 callback.Run(CertificateList()); | 325 callback.Run(CertificateList()); |
| 315 return; | 326 return; |
| 316 } | 327 } |
| 317 | 328 |
| 329 // macOS provides two ways to search for identities. SecIdentitySearchCreate() | |
| 330 // is deprecated, as it relies on CSSM_KEYUSE_SIGN (part of the deprecated | |
| 331 // CDSM/CSSA implementation), but is necessary to return some certificates | |
| 332 // that would otherwise not be returned by SecItemCopyMatching(), which is the | |
| 333 // non-deprecated way. However, SecIdentitySearchCreate() will not return all | |
| 334 // items, particularly smart-card based identities, so it's necessary to call | |
| 335 // both functions. | |
| 336 static const void* keys[] = { | |
|
awong
2017/06/07 21:21:08
Oh yeah...and if it's a constant, call it kKeys an
agaynor
2017/06/09 00:32:05
Done.
| |
| 337 kSecClass, kSecMatchLimit, kSecReturnRef, kSecAttrCanSign, | |
| 338 }; | |
| 339 static const void* values[] = { | |
| 340 kSecClassIdentity, kSecMatchLimitAll, kCFBooleanTrue, kCFBooleanTrue, | |
| 341 }; | |
| 342 ScopedCFTypeRef<CFDictionaryRef> query(CFDictionaryCreate( | |
| 343 kCFAllocatorDefault, keys, values, arraysize(values), | |
| 344 &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks)); | |
| 345 ScopedCFTypeRef<CFArrayRef> result; | |
| 346 { | |
| 347 base::AutoLock lock(crypto::GetMacSecurityServicesLock()); | |
| 348 err = SecItemCopyMatching( | |
| 349 query, reinterpret_cast<CFTypeRef*>(result.InitializeInto())); | |
| 350 } | |
| 351 if (!err) { | |
| 352 for (CFIndex i = 0; i < CFArrayGetCount(result); i++) { | |
| 353 void* item = const_cast<void*>(CFArrayGetValueAtIndex(result, i)); | |
| 354 AddIdentity(reinterpret_cast<SecIdentityRef>(item), preferred_identity, | |
| 355 ®ular_certs, &preferred_cert); | |
| 356 } | |
| 357 } | |
| 358 | |
| 318 CertificateList selected_certs; | 359 CertificateList selected_certs; |
| 319 GetClientCertsImpl(preferred_cert, regular_certs, request, true, | 360 GetClientCertsImpl(preferred_cert, regular_certs, request, true, |
| 320 &selected_certs); | 361 &selected_certs); |
| 321 callback.Run(std::move(selected_certs)); | 362 callback.Run(std::move(selected_certs)); |
| 322 } | 363 } |
| 323 | 364 |
| 324 bool ClientCertStoreMac::SelectClientCertsForTesting( | 365 bool ClientCertStoreMac::SelectClientCertsForTesting( |
| 325 const CertificateList& input_certs, | 366 const CertificateList& input_certs, |
| 326 const SSLCertRequestInfo& request, | 367 const SSLCertRequestInfo& request, |
| 327 CertificateList* selected_certs) { | 368 CertificateList* selected_certs) { |
| 328 GetClientCertsImpl(NULL, input_certs, request, false, selected_certs); | 369 GetClientCertsImpl(NULL, input_certs, request, false, selected_certs); |
| 329 return true; | 370 return true; |
| 330 } | 371 } |
| 331 | 372 |
| 332 bool ClientCertStoreMac::SelectClientCertsGivenPreferredForTesting( | 373 bool ClientCertStoreMac::SelectClientCertsGivenPreferredForTesting( |
| 333 const scoped_refptr<X509Certificate>& preferred_cert, | 374 const scoped_refptr<X509Certificate>& preferred_cert, |
| 334 const CertificateList& regular_certs, | 375 const CertificateList& regular_certs, |
| 335 const SSLCertRequestInfo& request, | 376 const SSLCertRequestInfo& request, |
| 336 CertificateList* selected_certs) { | 377 CertificateList* selected_certs) { |
| 337 GetClientCertsImpl( | 378 GetClientCertsImpl( |
| 338 preferred_cert, regular_certs, request, false, selected_certs); | 379 preferred_cert, regular_certs, request, false, selected_certs); |
| 339 return true; | 380 return true; |
| 340 } | 381 } |
| 341 | 382 |
| 342 #pragma clang diagnostic pop // "-Wdeprecated-declarations" | 383 #pragma clang diagnostic pop // "-Wdeprecated-declarations" |
| 343 | 384 |
| 344 } // namespace net | 385 } // namespace net |
| OLD | NEW |
