Side by Side Diff: net/ssl/client_cert_store_mac.cc

Issue 2910893002: Improved support for loading client certificates on smart cards on macOS
Patch Set: Improved support for loading client certificates on smart cards on macOS Created 3 years, 6 months ago
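--- a/net/ssl/client_cert_store_mac.cc
+++ b/net/ssl/client_cert_store_mac.cc
@@ -1,24 +1,26 @@
 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/ssl/client_cert_store_mac.h"
 
 #include <CommonCrypto/CommonDigest.h>
 #include <CoreFoundation/CFArray.h>
 #include <CoreServices/CoreServices.h>
 #include <Security/SecBase.h>
 #include <Security/Security.h>
 
 #include <algorithm>
 #include <string>
+#include <utility>
+#include <vector>
 
 #include "base/callback.h"
 #include "base/logging.h"
 #include "base/mac/mac_logging.h"
 #include "base/mac/scoped_cftyperef.h"
 #include "base/strings/sys_string_conversions.h"
 #include "base/synchronization/lock.h"
 #include "crypto/mac_security_services_lock.h"
 #include "net/base/host_port_pair.h"
 #include "net/cert/x509_util.h"
@@ -224,20 +226,51 @@
   // sorting.
   CertificateList::iterator sort_begin = selected_certs->begin();
   CertificateList::iterator sort_end = selected_certs->end();
   if (preferred_cert.get() && sort_begin != sort_end &&
       sort_begin->get() == preferred_cert.get()) {
     ++sort_begin;
   }
   sort(sort_begin, sort_end, x509_util::ClientCertSorter());
 }
 
+// Given an |identity|, identifies its corresponding certificate, and either
+// adds it to |regular_certs| or assigns it to |preferred_cert|, if the
+// |identity| matches the |preferred_identity|.
+void AddIdentity(SecIdentityRef identity,
+                 SecIdentityRef preferred_identity,
+                 CertificateList* regular_certs,
+                 scoped_refptr<X509Certificate>* preferred_cert) {
+  OSStatus err;
+  ScopedCFTypeRef<SecCertificateRef> cert_handle;
+  err = SecIdentityCopyCertificate(identity, cert_handle.InitializeInto());
+  if (err != noErr)
+    return;
+
+  if (!SupportsSSLClientAuth(cert_handle))
+    return;
+
+  scoped_refptr<X509Certificate> cert(
+      x509_util::CreateX509CertificateFromSecCertificate(
+          cert_handle, std::vector<SecCertificateRef>()));
+  if (!cert)
+    return;
+
+  if (preferred_identity && CFEqual(preferred_identity, identity)) {
+    // Only one certificate should match.
+    DCHECK(!preferred_cert->get());
+    *preferred_cert = cert;
+  } else {
+    regular_certs->push_back(cert);
+  }
+}
+
 }  // namespace
 
 ClientCertStoreMac::ClientCertStoreMac() {}
 
 ClientCertStoreMac::~ClientCertStoreMac() {}
 
 void ClientCertStoreMac::GetClientCerts(
     const SSLCertRequestInfo& request,
     const ClientCertListCallback& callback) {
   std::string server_domain = request.host_and_port.host();
@@ -277,68 +310,76 @@
   ScopedCFTypeRef<SecIdentitySearchRef> scoped_search(search);
   while (!err) {
     SecIdentityRef identity = NULL;
     {
       base::AutoLock lock(crypto::GetMacSecurityServicesLock());
       err = SecIdentitySearchCopyNext(search, &identity);
     }
     if (err)
       break;
     ScopedCFTypeRef<SecIdentityRef> scoped_identity(identity);
-
-    SecCertificateRef cert_handle;
-    err = SecIdentityCopyCertificate(identity, &cert_handle);
-    if (err != noErr)
-      continue;
-    ScopedCFTypeRef<SecCertificateRef> scoped_cert_handle(cert_handle);
-
-    if (!SupportsSSLClientAuth(cert_handle))
-      continue;
-
-    scoped_refptr<X509Certificate> cert(
-        x509_util::CreateX509CertificateFromSecCertificate(
-            cert_handle, std::vector<SecCertificateRef>()));
-    if (!cert)
-      continue;
-
-    if (preferred_identity && CFEqual(preferred_identity, identity)) {
-      // Only one certificate should match.
-      DCHECK(!preferred_cert.get());
-      preferred_cert = cert;
-    } else {
-      regular_certs.push_back(cert);
-    }
+    AddIdentity(identity, preferred_identity, &regular_certs, &preferred_cert);
   }
 
   if (err != errSecItemNotFound) {
     OSSTATUS_LOG(ERROR, err) << "SecIdentitySearch error";
     callback.Run(CertificateList());
     return;
   }
 
+  // macOS provides two ways to search for identities. SecIdentitySearchCreate()
+  // is deprecated, as it relies on CSSM_KEYUSE_SIGN (part of the deprecated
+  // CDSM/CSSA implementation), but is necessary to return some certificates
+  // that would otherwise not be returned by SecItemCopyMatching(), which is the
+  // non-deprecated way. However, SecIdentitySearchCreate() will not return all
+  // items, particularly smart-card based identities, so it's necessary to call
+  // both functions.
+  static const void* kKeys[] = {
+      kSecClass, kSecMatchLimit, kSecReturnRef, kSecAttrCanSign,
+  };
+  static const void* kValues[] = {
+      kSecClassIdentity, kSecMatchLimitAll, kCFBooleanTrue, kCFBooleanTrue,
+  };
+  ScopedCFTypeRef<CFDictionaryRef> query(CFDictionaryCreate(
+      kCFAllocatorDefault, kKeys, kValues, arraysize(kValues),
+      &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks));
+  ScopedCFTypeRef<CFArrayRef> result;
+  {
+    base::AutoLock lock(crypto::GetMacSecurityServicesLock());
+    err = SecItemCopyMatching(
+        query, reinterpret_cast<CFTypeRef*>(result.InitializeInto()));
+  }
+  if (!err) {
+    for (CFIndex i = 0; i < CFArrayGetCount(result); i++) {
+      void* item = const_cast<void*>(CFArrayGetValueAtIndex(result, i));
+      AddIdentity(reinterpret_cast<SecIdentityRef>(item), preferred_identity,
+                  &regular_certs, &preferred_cert);
+    }
+  }
+
   CertificateList selected_certs;
   GetClientCertsImpl(preferred_cert, regular_certs, request, true,
                      &selected_certs);
   callback.Run(std::move(selected_certs));
 }
 
 bool ClientCertStoreMac::SelectClientCertsForTesting(
     const CertificateList& input_certs,
     const SSLCertRequestInfo& request,
     CertificateList* selected_certs) {
   GetClientCertsImpl(NULL, input_certs, request, false, selected_certs);
   return true;
 }
 
 bool ClientCertStoreMac::SelectClientCertsGivenPreferredForTesting(
     const scoped_refptr<X509Certificate>& preferred_cert,
     const CertificateList& regular_certs,
     const SSLCertRequestInfo& request,
     CertificateList* selected_certs) {
   GetClientCertsImpl(
       preferred_cert, regular_certs, request, false, selected_certs);
   return true;
 }
 
 #pragma clang diagnostic pop  // "-Wdeprecated-declarations"
 
 }  // namespace net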
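Review bot: In the new SecItemCopyMatching loop (new lines 352-356), nothing skips an identity that the preceding SecIdentitySearchCopyNext pass already handed to AddIdentity, so any identity returned by both APIs — and the file's own comment implies the two enumerations overlap, though I can't see how much — ends up in regular_certs twice, and if it is the preferred identity the `DCHECK(!preferred_cert->get())` in AddIdentity fires in debug builds while release builds silently reassign preferred_cert. Unless GetClientCertsImpl deduplicates (it is outside this hunk), the second pass should skip identities already collected, for example by keeping the SecIdentityRefs seen in the first loop and checking `CFEqual` before calling AddIdentity, or by comparing the certificate against regular_certs before pushing. Separately, an error from SecItemCopyMatching other than errSecItemNotFound is dropped by `if (!err)` without a trace, whereas the SecIdentitySearch path logs and fails the request; at minimum `OSSTATUS_LOG(ERROR, err) << "SecItemCopyMatching error";` on the non-not-found path would keep the two paths consistent and make a missing smart-card identity diagnosable. GetClientCerts begins in the previous hunk, outside this one.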