Index: net/socket/ssl_client_socket_nss.cc |
=================================================================== |
--- net/socket/ssl_client_socket_nss.cc (revisiĆ³n: 29395) |
+++ net/socket/ssl_client_socket_nss.cc (copia de trabajo) |
@@ -209,7 +209,6 @@ |
user_write_callback_(NULL), |
user_read_buf_len_(0), |
user_write_buf_len_(0), |
- client_auth_ca_names_(NULL), |
client_auth_cert_needed_(false), |
completed_handshake_(false), |
next_handshake_state_(STATE_NONE), |
@@ -383,10 +382,7 @@ |
server_cert_verify_result_.Reset(); |
completed_handshake_ = false; |
nss_bufs_ = NULL; |
- if (client_auth_ca_names_) { |
- CERT_FreeDistNames(client_auth_ca_names_); |
- client_auth_ca_names_ = NULL; |
- } |
+ client_certs_.clear(); |
client_auth_cert_needed_ = false; |
LeaveFunction(""); |
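Review bot: `client_certs_.clear();` releases the cached certificates only if client_certs_ holds reference-counted handles; the callback that fills it pushes a raw `X509Certificate*` (new side of the last hunk), so if the member is a plain vector of raw pointers this drops the references without releasing them on every reset of the socket. Worth confirming the element type against the header; if it is a raw pointer, each element needs its reference released before `clear()`, for example `for (size_t i = 0; i < client_certs_.size(); ++i) client_certs_[i]->Release();` — presumed refcounting API, verify. The enclosing function starts outside the hunk.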
@@ -525,38 +521,7 @@ |
SSLCertRequestInfo* cert_request_info) { |
EnterFunction(""); |
cert_request_info->host_and_port = hostname_; |
- cert_request_info->client_certs.clear(); |
- |
- void* wincx = SSL_RevealPinArg(nss_fd_); |
- |
- CERTCertNicknames* names = CERT_GetCertNicknames( |
- CERT_GetDefaultCertDB(), SEC_CERT_NICKNAMES_USER, wincx); |
- |
- if (names) { |
- for (int i = 0; i < names->numnicknames; ++i) { |
- CERTCertificate* cert = CERT_FindUserCertByUsage( |
- CERT_GetDefaultCertDB(), names->nicknames[i], |
- certUsageSSLClient, PR_FALSE, wincx); |
- if (!cert) |
- continue; |
- // Only check unexpired certs. |
- if (CERT_CheckCertValidTimes(cert, PR_Now(), PR_TRUE) == |
- secCertTimeValid && |
- NSS_CmpCertChainWCANames(cert, client_auth_ca_names_) == |
- SECSuccess) { |
- SECKEYPrivateKey* privkey = PK11_FindKeyByAnyCert(cert, wincx); |
- if (privkey) { |
- X509Certificate* x509_cert = X509Certificate::CreateFromHandle( |
- cert, X509Certificate::SOURCE_LONE_CERT_IMPORT); |
- cert_request_info->client_certs.push_back(x509_cert); |
- SECKEY_DestroyPrivateKey(privkey); |
- continue; |
- } |
- } |
- CERT_DestroyCertificate(cert); |
- } |
- CERT_FreeNicknames(names); |
- } |
+ cert_request_info->client_certs = client_certs_; |
LeaveFunction(cert_request_info->client_certs.size()); |
} |
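Review bot: `cert_request_info->client_certs = client_certs_;` now depends on the client-auth callback having already run during the handshake; before that point the caller receives an empty list, which is indistinguishable from "no certificate matched the server's CA names". A comment on that line such as `// client_certs_ is populated by the NSS client-auth callback during the handshake; empty until then.` would document the ordering a caller must respect. The assignment replaces the whole vector, so the clearing the removed code did explicitly is preserved.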
@@ -879,6 +844,11 @@ |
CERTCertificate** result_certificate, |
SECKEYPrivateKey** result_private_key) { |
SSLClientSocketNSS* that = reinterpret_cast<SSLClientSocketNSS*>(arg); |
+ CERTCertificate* cert = NULL; |
+ X509Certificate* x509_cert = NULL; |
+ SECKEYPrivateKey* privkey = NULL; |
+ void* proto_win = NULL; |
+ CERTCertNicknames* names; |
that->client_auth_cert_needed_ = !that->ssl_config_.send_client_cert; |
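Review bot: `void* proto_win = NULL;` means every NSS lookup in this callback (CERT_GetCertNicknames, CERT_FindUserCertByUsage, PK11_FindKeyByAnyCert in the following hunk) is made without a pin argument, whereas the enumeration this replaces used `SSL_RevealPinArg(nss_fd_)`; certificates on a PIN-protected token or password-protected softoken may then presumably not be found, or the key lookup may fail, so the user is never offered them. Initialising it as `void* proto_win = SSL_RevealPinArg(that->nss_fd_);` keeps the previous behaviour. `CERTCertNicknames* names;` is also left uninitialised; `= NULL` would match the neighbouring declarations. The enclosing function starts and ends outside the hunk.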
@@ -902,19 +872,39 @@ |
// Send no client certificate. |
return SECFailure; |
} |
+ names = CERT_GetCertNicknames(CERT_GetDefaultCertDB(), |
+ SEC_CERT_NICKNAMES_USER, proto_win); |
- PRArenaPool* arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); |
- CERTDistNames* ca_names_copy = PORT_ArenaZNew(arena, CERTDistNames); |
+ if (names != NULL) { |
+ for (int i = 0; i < names->numnicknames; i++) { |
+ cert = CERT_FindUserCertByUsage( |
+ CERT_GetDefaultCertDB(), |
+ names->nicknames[i], |
+ certUsageSSLClient, |
+ PR_FALSE, |
+ proto_win); |
+ if ( !cert ) |
+ continue; |
+ // Only check unexpired certs |
+ if (CERT_CheckCertValidTimes(cert, PR_Now(), PR_TRUE) != |
+ secCertTimeValid ) { |
+ CERT_DestroyCertificate(cert); |
+ continue; |
+ } |
+ if ( NSS_CmpCertChainWCANames(cert, ca_names) == SECSuccess ) { |
+ if ( PK11_FindKeyByAnyCert(cert, proto_win) ) { |
+ x509_cert = X509Certificate::CreateFromHandle( |
+ cert, X509Certificate::SOURCE_LONE_CERT_IMPORT); |
+ that->client_certs_.push_back(x509_cert); |
+ SECKEY_DestroyPrivateKey(privkey); |
+ continue; |
+ } |
+ } |
+ CERT_DestroyCertificate(cert); |
+ } |
+ CERT_FreeNicknames(names); |
+ } |
- ca_names_copy->arena = arena; |
- ca_names_copy->head = NULL; |
- ca_names_copy->nnames = ca_names->nnames; |
- ca_names_copy->names = PORT_ArenaZNewArray(arena, SECItem, |
- ca_names->nnames); |
- for (int i = 0; i < ca_names->nnames; ++i) |
- SECITEM_CopyItem(arena, &ca_names_copy->names[i], &ca_names->names[i]); |
- |
- that->client_auth_ca_names_ = ca_names_copy; |
return SECFailure; |
} |
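Review bot: At `if ( PK11_FindKeyByAnyCert(cert, proto_win) )` the returned SECKEYPrivateKey* is discarded, so `SECKEY_DestroyPrivateKey(privkey)` two lines later runs on the `privkey` that is still NULL from its declaration and the key handle NSS returned is leaked for every matching certificate. Change it to `privkey = PK11_FindKeyByAnyCert(cert, proto_win);` followed by `if (privkey) {`. The success path also `continue`s past `CERT_DestroyCertificate(cert)`, which is correct only if X509Certificate::CreateFromHandle takes over the reference — it matches the removed code but is worth confirming — and `that->client_certs_.push_back(x509_cert)` appends without clearing first, so if NSS invokes this callback more than once on the same connection the list will hold duplicates. The enclosing function starts outside the hunk.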