| OLD | NEW |
|---|
| 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived | 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived |
| 6 // from AuthCertificateCallback() in | 6 // from AuthCertificateCallback() in |
| 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. | 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. |
| 8 | 8 |
| 9 /* ***** BEGIN LICENSE BLOCK ***** | 9 /* ***** BEGIN LICENSE BLOCK ***** |
| 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 | 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 |
| (...skipping 2023 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 2034 if (!chain_context) { | 2034 if (!chain_context) { |
| 2035 DWORD err = GetLastError(); | 2035 DWORD err = GetLastError(); |
| 2036 if (err != CRYPT_E_NOT_FOUND) | 2036 if (err != CRYPT_E_NOT_FOUND) |
| 2037 DLOG(ERROR) << "CertFindChainInStore failed: " << err; | 2037 DLOG(ERROR) << "CertFindChainInStore failed: " << err; |
| 2038 break; | 2038 break; |
| 2039 } | 2039 } |
| 2040 | 2040 |
| 2041 // Get the leaf certificate. | 2041 // Get the leaf certificate. |
| 2042 PCCERT_CONTEXT cert_context = | 2042 PCCERT_CONTEXT cert_context = |
| 2043 chain_context->rgpChain[0]->rgpElement[0]->pCertContext; | 2043 chain_context->rgpChain[0]->rgpElement[0]->pCertContext; |
| 2044 // Copy it to our own certificate store, so that we can close the "MY" | 2044 // Copy the certificate into a NULL store, so that we can close the "MY" |
| 2045 // certificate store before returning from this function. | 2045 // store before returning from this function. |
| 2046 PCCERT_CONTEXT cert_context2; | 2046 PCCERT_CONTEXT cert_context2; |
| 2047 BOOL ok = CertAddCertificateContextToStore(X509Certificate::cert_store(), | 2047 BOOL ok = CertAddCertificateContextToStore(NULL, cert_context, |
| 2048 cert_context, | |
| 2049 CERT_STORE_ADD_USE_EXISTING, | 2048 CERT_STORE_ADD_USE_EXISTING, |
| 2050 &cert_context2); | 2049 &cert_context2); |
| 2051 if (!ok) { | 2050 if (!ok) { |
| 2052 NOTREACHED(); | 2051 NOTREACHED(); |
| 2053 continue; | 2052 continue; |
| 2054 } | 2053 } |
| 2055 | 2054 |
| 2056 // Copy the rest of the chain to our own store as well. Copying the chain | 2055 // Copy the rest of the chain to our own store as well. Copying the chain |
| 2057 // stops gracefully if an error is encountered, with the partial chain | 2056 // stops gracefully if an error is encountered, with the partial chain |
| 2058 // being used as the intermediates, rather than failing to consider the | 2057 // being used as the intermediates, rather than failing to consider the |
| 2059 // client certificate. | 2058 // client certificate. |
| 2060 net::X509Certificate::OSCertHandles intermediates; | 2059 net::X509Certificate::OSCertHandles intermediates; |
| 2061 for (DWORD i = 1; i < chain_context->rgpChain[0]->cElement; i++) { | 2060 for (DWORD i = 1; i < chain_context->rgpChain[0]->cElement; i++) { |
| 2062 PCCERT_CONTEXT intermediate_copy; | 2061 PCCERT_CONTEXT intermediate_copy; |
| 2063 ok = CertAddCertificateContextToStore(X509Certificate::cert_store(), | 2062 ok = CertAddCertificateContextToStore( |
| 2064 chain_context->rgpChain[0]->rgpElement[i]->pCertContext, | 2063 NULL, chain_context->rgpChain[0]->rgpElement[i]->pCertContext, |
| 2065 CERT_STORE_ADD_USE_EXISTING, &intermediate_copy); | 2064 CERT_STORE_ADD_USE_EXISTING, &intermediate_copy); |
| 2066 if (!ok) { | 2065 if (!ok) { |
| 2067 NOTREACHED(); | 2066 NOTREACHED(); |
| 2068 break; | 2067 break; |
| 2069 } | 2068 } |
| 2070 intermediates.push_back(intermediate_copy); | 2069 intermediates.push_back(intermediate_copy); |
| 2071 } | 2070 } |
| 2072 | 2071 |
| 2073 scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromHandle( | 2072 scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromHandle( |
| 2074 cert_context2, X509Certificate::SOURCE_LONE_CERT_IMPORT, | 2073 cert_context2, intermediates); |
| 2075 intermediates); | |
| 2076 that->client_certs_.push_back(cert); | 2074 that->client_certs_.push_back(cert); |
| 2077 | 2075 |
| 2078 X509Certificate::FreeOSCertHandle(cert_context2); | 2076 X509Certificate::FreeOSCertHandle(cert_context2); |
| 2079 for (net::X509Certificate::OSCertHandles::iterator it = | 2077 for (net::X509Certificate::OSCertHandles::iterator it = |
| 2080 intermediates.begin(); it != intermediates.end(); ++it) { | 2078 intermediates.begin(); it != intermediates.end(); ++it) { |
| 2081 net::X509Certificate::FreeOSCertHandle(*it); | 2079 net::X509Certificate::FreeOSCertHandle(*it); |
| 2082 } | 2080 } |
| 2083 } | 2081 } |
| 2084 | 2082 |
| 2085 BOOL ok = CertCloseStore(my_cert_store, CERT_CLOSE_STORE_CHECK_FLAG); | 2083 BOOL ok = CertCloseStore(my_cert_store, CERT_CLOSE_STORE_CHECK_FLAG); |
| (...skipping 142 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 2228 continue; | 2226 continue; |
| 2229 // Filter by issuer. | 2227 // Filter by issuer. |
| 2230 // | 2228 // |
| 2231 // TODO(davidben): This does a binary comparison of the DER-encoded | 2229 // TODO(davidben): This does a binary comparison of the DER-encoded |
| 2232 // issuers. We should match according to RFC 5280 sec. 7.1. We should find | 2230 // issuers. We should match according to RFC 5280 sec. 7.1. We should find |
| 2233 // an appropriate NSS function or add one if needbe. | 2231 // an appropriate NSS function or add one if needbe. |
| 2234 if (ca_names->nnames && | 2232 if (ca_names->nnames && |
| 2235 NSS_CmpCertChainWCANames(node->cert, ca_names) != SECSuccess) | 2233 NSS_CmpCertChainWCANames(node->cert, ca_names) != SECSuccess) |
| 2236 continue; | 2234 continue; |
| 2237 X509Certificate* x509_cert = X509Certificate::CreateFromHandle( | 2235 X509Certificate* x509_cert = X509Certificate::CreateFromHandle( |
| 2238 node->cert, X509Certificate::SOURCE_LONE_CERT_IMPORT, | 2236 node->cert, net::X509Certificate::OSCertHandles()); |
| 2239 net::X509Certificate::OSCertHandles()); | |
| 2240 that->client_certs_.push_back(x509_cert); | 2237 that->client_certs_.push_back(x509_cert); |
| 2241 } | 2238 } |
| 2242 CERT_DestroyCertList(client_certs); | 2239 CERT_DestroyCertList(client_certs); |
| 2243 } | 2240 } |
| 2244 | 2241 |
| 2245 // Tell NSS to suspend the client authentication. We will then abort the | 2242 // Tell NSS to suspend the client authentication. We will then abort the |
| 2246 // handshake by returning ERR_SSL_CLIENT_AUTH_CERT_NEEDED. | 2243 // handshake by returning ERR_SSL_CLIENT_AUTH_CERT_NEEDED. |
| 2247 return SECWouldBlock; | 2244 return SECWouldBlock; |
| 2248 } | 2245 } |
| 2249 #endif // NSS_PLATFORM_CLIENT_AUTH | 2246 #endif // NSS_PLATFORM_CLIENT_AUTH |
| (...skipping 19 matching lines...) Expand all Loading... |
| 2269 valid_thread_id_ = base::PlatformThread::CurrentId(); | 2266 valid_thread_id_ = base::PlatformThread::CurrentId(); |
| 2270 } | 2267 } |
| 2271 | 2268 |
| 2272 bool SSLClientSocketNSS::CalledOnValidThread() const { | 2269 bool SSLClientSocketNSS::CalledOnValidThread() const { |
| 2273 EnsureThreadIdAssigned(); | 2270 EnsureThreadIdAssigned(); |
| 2274 base::AutoLock auto_lock(lock_); | 2271 base::AutoLock auto_lock(lock_); |
| 2275 return valid_thread_id_ == base::PlatformThread::CurrentId(); | 2272 return valid_thread_id_ == base::PlatformThread::CurrentId(); |
| 2276 } | 2273 } |
| 2277 | 2274 |
| 2278 } // namespace net | 2275 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2944008:
Refactor X509Certificate caching to cache the OS handle, rather than the X509Certificate (Closed)
