ClientCertStoreWin: do client cert and key lookup on SSLPlatformKeyTaskRunner.

net/ssl/client_cert_store_win.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/ssl/client_cert_store_win.h"
 
 #include <algorithm>
 #include <string>
 
 #define SECURITY_WIN32  // Needs to be defined before including security.h
 #include <windows.h>
 #include <security.h>
 
 #include "base/bind.h"
 #include "base/bind_helpers.h"
 #include "base/callback.h"
 #include "base/logging.h"
 #include "base/memory/ptr_util.h"
 #include "base/numerics/safe_conversions.h"
 #include "base/task_runner_util.h"
 #include "base/threading/thread_task_runner_handle.h"
 #include "crypto/wincrypt_shim.h"
 #include "net/cert/x509_util.h"
 #include "net/cert/x509_util_win.h"
+#include "net/ssl/ssl_platform_key_util.h"
 #include "net/ssl/ssl_platform_key_win.h"
 #include "net/ssl/ssl_private_key.h"
 
 namespace net {
 
 namespace {
 
 class ClientCertIdentityWin : public ClientCertIdentity {
  public:
   // Takes ownership of |cert_context|.
@@ skipping 63 matching lines @@
   // CertFindChainInStore()?
   DWORD size = 0;
   if (!CertGetCertificateContextProperty(
           cert_context, CERT_KEY_PROV_INFO_PROP_ID, NULL, &size)) {
     return FALSE;
   }
 
   return TRUE;
 }
 
-void GetClientCertsImpl(HCERTSTORE cert_store,
-                        const SSLCertRequestInfo& request,
-                        ClientCertIdentityList* selected_identities) {
-  selected_identities->clear();
+ClientCertIdentityList GetClientCertsImpl(HCERTSTORE cert_store,
+                                          const SSLCertRequestInfo& request) {
+  ClientCertIdentityList selected_identities;
 
   scoped_refptr<base::SingleThreadTaskRunner> current_thread =
       base::ThreadTaskRunnerHandle::Get();
 
   const size_t auth_count = request.cert_authorities.size();
   std::vector<CERT_NAME_BLOB> issuers(auth_count);
   for (size_t i = 0; i < auth_count; ++i) {
     issuers[i].cbData = static_cast<DWORD>(request.cert_authorities[i].size());
     issuers[i].pbData = reinterpret_cast<BYTE*>(
         const_cast<char*>(request.cert_authorities[i].data()));
@@ skipping 69 matching lines @@
     // USE_BYTE_CERTS. Remove it once the non-byte-certs code is also removed.
     // TODO(svaldez): cert currently wraps cert_context2 which may be backed
     // by a smartcard with threading difficulties. Instead, create a fresh
     // X509Certificate with CreateFromBytes and route cert_context2 into the
     // SSLPrivateKey. Probably changing CertificateList to be a
     // pair<X509Certificate, SSLPrivateKeyCallback>.
     scoped_refptr<X509Certificate> cert =
         x509_util::CreateX509CertificateFromCertContexts(cert_context2,
                                                          intermediates);
     if (cert) {
-      selected_identities->push_back(base::MakeUnique<ClientCertIdentityWin>(
+      selected_identities.push_back(base::MakeUnique<ClientCertIdentityWin>(
           std::move(cert),
           cert_context2,     // Takes ownership of |cert_context2|.
           current_thread));  // The key must be acquired on the same thread, as
                              // the PCCERT_CONTEXT may not be thread safe.
     }
     for (size_t i = 0; i < intermediates.size(); ++i)
       CertFreeCertificateContext(intermediates[i]);
   }
 
-  std::sort(selected_identities->begin(), selected_identities->end(),
+  std::sort(selected_identities.begin(), selected_identities.end(),
             ClientCertIdentitySorter());
+  return selected_identities;
 }
 
 }  // namespace
 
 ClientCertStoreWin::ClientCertStoreWin() {}
 
 ClientCertStoreWin::ClientCertStoreWin(HCERTSTORE cert_store) {
   DCHECK(cert_store);
   cert_store_.reset(cert_store);
 }
 
 ClientCertStoreWin::~ClientCertStoreWin() {}
 
 void ClientCertStoreWin::GetClientCerts(
     const SSLCertRequestInfo& request,
     const ClientCertListCallback& callback) {
-  ClientCertIdentityList selected_identities;
   if (cert_store_) {
     // Use the existing client cert store. Note: Under some situations,
     // it's possible for this to return certificates that aren't usable
     // (see below).
-    GetClientCertsImpl(cert_store_, request, &selected_identities);
-    callback.Run(std::move(selected_identities));
+    // When using caller provided HCERTSTORE, assume that it should be accessed
+    // on the current thread.
+    callback.Run(GetClientCertsImpl(cert_store_, request));
     return;
   }
 
+#if BUILDFLAG(USE_BYTE_CERTS)
+  if (base::PostTaskAndReplyWithResult(
+          GetSSLPlatformKeyTaskRunner().get(), FROM_HERE,
+          // Caller is responsible for keeping the |request| alive
+          // until the callback is run, so ConstRef is safe.
+          base::Bind(&ClientCertStoreWin::GetClientCertsWithMyCertStore,
+                     base::ConstRef(request)),
+          callback)) {
+    return;
+  }
+
+  // If the task could not be posted, behave as if there were no certificates.
+  callback.Run(ClientCertIdentityList());
+#else
+  // When using PCERT_CONTEXT based X509Certificate, must do this on the same
+  // thread.
+  callback.Run(GetClientCertsWithMyCertStore(request));
+#endif
+}
+
+// static
+ClientCertIdentityList ClientCertStoreWin::GetClientCertsWithMyCertStore(
+    const SSLCertRequestInfo& request) {
   // Always open a new instance of the "MY" store, to ensure that there
   // are no previously cached certificates being reused after they're
   // no longer available (some smartcard providers fail to update the "MY"
   // store handles and instead interpose CertOpenSystemStore).
   ScopedHCERTSTORE my_cert_store(CertOpenSystemStore(NULL, L"MY"));
   if (!my_cert_store) {
     PLOG(ERROR) << "Could not open the \"MY\" system certificate store: ";
-    callback.Run(ClientCertIdentityList());
-    return;
+    return ClientCertIdentityList();
   }
-
-  GetClientCertsImpl(my_cert_store, request, &selected_identities);
-  callback.Run(std::move(selected_identities));
+  return GetClientCertsImpl(my_cert_store, request);
 }
 
 bool ClientCertStoreWin::SelectClientCertsForTesting(
     const CertificateList& input_certs,
     const SSLCertRequestInfo& request,
     ClientCertIdentityList* selected_identities) {
   ScopedHCERTSTORE test_store(CertOpenStore(CERT_STORE_PROV_MEMORY, 0, NULL, 0,
                                             NULL));
   if (!test_store)
     return false;
@@ skipping 18 matching lines @@
     // would be discarded by the filtering routines.
     CRYPT_KEY_PROV_INFO private_key_data;
     memset(&private_key_data, 0, sizeof(private_key_data));
     if (!CertSetCertificateContextProperty(cert,
                                            CERT_KEY_PROV_INFO_PROP_ID,
                                            0, &private_key_data)) {
       return false;
     }
   }
 
-  GetClientCertsImpl(test_store.get(), request, selected_identities);
+  *selected_identities = GetClientCertsImpl(test_store.get(), request);
   return true;
 }
 
 }  // namespace net