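--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1,10 +1,10 @@
 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived
 // from AuthCertificateCallback() in
 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.
 
 /* ***** BEGIN LICENSE BLOCK *****
 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
@@ -2034,52 +2034,50 @@
 if (!chain_context) {
 DWORD err = GetLastError();
 if (err != CRYPT_E_NOT_FOUND)
 DLOG(ERROR) << "CertFindChainInStore failed: " << err;
 break;
 }
 
 // Get the leaf certificate.
 PCCERT_CONTEXT cert_context =
 chain_context->rgpChain[0]->rgpElement[0]->pCertContext;
-// Copy it to our own certificate store, so that we can close the "MY"
-// certificate store before returning from this function.
+// Copy the certificate into a NULL store, so that we can close the "MY"
+// store before returning from this function.
 PCCERT_CONTEXT cert_context2;
-BOOL ok = CertAddCertificateContextToStore(X509Certificate::cert_store(),
-cert_context,
+BOOL ok = CertAddCertificateContextToStore(NULL, cert_context,
 CERT_STORE_ADD_USE_EXISTING,
 &cert_context2);
 if (!ok) {
 NOTREACHED();
 continue;
 }
 
 // Copy the rest of the chain to our own store as well. Copying the chain
 // stops gracefully if an error is encountered, with the partial chain
 // being used as the intermediates, rather than failing to consider the
 // client certificate.
 net::X509Certificate::OSCertHandles intermediates;
 for (DWORD i = 1; i < chain_context->rgpChain[0]->cElement; i++) {
 PCCERT_CONTEXT intermediate_copy;
-ok = CertAddCertificateContextToStore(X509Certificate::cert_store(),
-chain_context->rgpChain[0]->rgpElement[i]->pCertContext,
+ok = CertAddCertificateContextToStore(
+NULL, chain_context->rgpChain[0]->rgpElement[i]->pCertContext,
 CERT_STORE_ADD_USE_EXISTING, &intermediate_copy);
 if (!ok) {
 NOTREACHED();
 break;
 }
 intermediates.push_back(intermediate_copy);
 }
 
 scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromHandle(
-cert_context2, X509Certificate::SOURCE_LONE_CERT_IMPORT,
-intermediates);
+cert_context2, intermediates);
 that->client_certs_.push_back(cert);
 
 X509Certificate::FreeOSCertHandle(cert_context2);
 for (net::X509Certificate::OSCertHandles::iterator it =
 intermediates.begin(); it != intermediates.end(); ++it) {
 net::X509Certificate::FreeOSCertHandle(*it);
 }
 }
 
 BOOL ok = CertCloseStore(my_cert_store, CERT_CLOSE_STORE_CHECK_FLAG);
@@ -2228,22 +2226,21 @@
 continue;
 // Filter by issuer.
 //
 // TODO(davidben): This does a binary comparison of the DER-encoded
 // issuers. We should match according to RFC 5280 sec. 7.1. We should find
 // an appropriate NSS function or add one if needbe.
 if (ca_names->nnames &&
 NSS_CmpCertChainWCANames(node->cert, ca_names) != SECSuccess)
 continue;
 X509Certificate* x509_cert = X509Certificate::CreateFromHandle(
-node->cert, X509Certificate::SOURCE_LONE_CERT_IMPORT,
-net::X509Certificate::OSCertHandles());
+node->cert, net::X509Certificate::OSCertHandles());
 that->client_certs_.push_back(x509_cert);
 }
 CERT_DestroyCertList(client_certs);
 }
 
 // Tell NSS to suspend the client authentication. We will then abort the
 // handshake by returning ERR_SSL_CLIENT_AUTH_CERT_NEEDED.
 return SECWouldBlock;
 }
 #endif // NSS_PLATFORM_CLIENT_AUTH
@@ -2269,10 +2266,10 @@
 valid_thread_id_ = base::PlatformThread::CurrentId();
 }
 
 bool SSLClientSocketNSS::CalledOnValidThread() const {
 EnsureThreadIdAssigned();
 base::AutoLock auto_lock(lock_);
 return valid_thread_id_ == base::PlatformThread::CurrentId();
 }
 
 } // namespace net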
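Review bot: The comment at new line 2055 is now stale: it still says the rest of the chain is copied "to our own store as well", while the CertAddCertificateContextToStore call below it now passes `NULL` as the store (the matching comment for the leaf at 2044 was updated, this one was not). Suggest `// Copy the rest of the chain into a NULL store as well, so the handles outlive the "MY" store. Copying the chain` in place of the first sentence. Whether `CERT_STORE_ADD_USE_EXISTING` still has any effect once no store is given is not visible from this hunk; if the disposition is ignored for a NULL store, a one-line comment saying so next to the first call would save the next reader the API lookup. The enclosing function starts before this hunk.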