Look up client certificates in ClientAuthHandler to get rid of manual CA...

net/socket/ssl_client_socket_nss.cc

 // Copyright (c) 2006-2009 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // This file includes code GetDefaultCertNickname(), derived from
 // nsNSSCertificate::defaultServerNickName()
 // in mozilla/security/manager/ssl/src/nsNSSCertificate.cpp
 // and SSLClientSocketNSS::DoVerifyCertComplete() derived from
 // AuthCertificateCallback() in
 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.
@@ skipping 191 matching lines @@
       transport_recv_busy_(false),
       handshake_io_callback_(this, &SSLClientSocketNSS::OnHandshakeIOComplete),
       transport_(transport_socket),
       hostname_(hostname),
       ssl_config_(ssl_config),
       user_connect_callback_(NULL),
       user_read_callback_(NULL),
       user_write_callback_(NULL),
       user_read_buf_len_(0),
       user_write_buf_len_(0),
-      client_auth_ca_names_(NULL),
       client_auth_cert_needed_(false),
       completed_handshake_(false),
       next_handshake_state_(STATE_NONE),
       nss_fd_(NULL),
       nss_bufs_(NULL) {
   EnterFunction("");
 }
 
 SSLClientSocketNSS::~SSLClientSocketNSS() {
   EnterFunction("");
@@ skipping 153 matching lines @@
   user_read_callback_    = NULL;
   user_write_callback_   = NULL;
   user_read_buf_         = NULL;
   user_read_buf_len_     = 0;
   user_write_buf_        = NULL;
   user_write_buf_len_    = 0;
   server_cert_           = NULL;
   server_cert_verify_result_.Reset();
   completed_handshake_   = false;
   nss_bufs_              = NULL;
-  if (client_auth_ca_names_) {
-    CERT_FreeDistNames(client_auth_ca_names_);
-    client_auth_ca_names_ = NULL;
-  }
+  client_certs_.clear();
   client_auth_cert_needed_ = false;
 
   LeaveFunction("");
 }
 
 bool SSLClientSocketNSS::IsConnected() const {
   // Ideally, we should also check if we have received the close_notify alert
   // message from the server, and return false in that case.  We're not doing
   // that, so this function may return a false positive.  Since the upper
   // layer (HttpNetworkTransaction) needs to handle a persistent connection
@@ skipping 118 matching lines @@
   ssl_info->cert_status = server_cert_verify_result_.cert_status;
   DCHECK(server_cert_ != NULL);
   ssl_info->cert = server_cert_;
   LeaveFunction("");
 }
 
 void SSLClientSocketNSS::GetSSLCertRequestInfo(
     SSLCertRequestInfo* cert_request_info) {
   EnterFunction("");
   cert_request_info->host_and_port = hostname_;
-  cert_request_info->client_certs.clear();
-
-  void* wincx = SSL_RevealPinArg(nss_fd_);
-
-  CERTCertNicknames* names = CERT_GetCertNicknames(
-      CERT_GetDefaultCertDB(), SEC_CERT_NICKNAMES_USER, wincx);
-
-  if (names) {
-    for (int i = 0; i < names->numnicknames; ++i) {
-      CERTCertificate* cert = CERT_FindUserCertByUsage(
-          CERT_GetDefaultCertDB(), names->nicknames[i],
-          certUsageSSLClient, PR_FALSE, wincx);
-      if (!cert)
-        continue;
-      // Only check unexpired certs.
-      if (CERT_CheckCertValidTimes(cert, PR_Now(), PR_TRUE) ==
-          secCertTimeValid &&
-          NSS_CmpCertChainWCANames(cert, client_auth_ca_names_) ==
-          SECSuccess) {
-        SECKEYPrivateKey* privkey = PK11_FindKeyByAnyCert(cert, wincx);
-        if (privkey) {
-          X509Certificate* x509_cert = X509Certificate::CreateFromHandle(
-              cert, X509Certificate::SOURCE_LONE_CERT_IMPORT);
-          cert_request_info->client_certs.push_back(x509_cert);
-          SECKEY_DestroyPrivateKey(privkey);
-          continue;
-        }
-      }
-      CERT_DestroyCertificate(cert);
-    }
-    CERT_FreeNicknames(names);
-  }
+  cert_request_info->client_certs = client_certs_;
   LeaveFunction(cert_request_info->client_certs.size());
 }
 
 void SSLClientSocketNSS::DoReadCallback(int rv) {
   EnterFunction(rv);
   DCHECK(rv != ERR_IO_PENDING);
   DCHECK(user_read_callback_);
 
   // Since Run may result in Read being called, clear |user_read_callback_|
   // up front.
@@ skipping 305 matching lines @@
 SECStatus SSLClientSocketNSS::ClientAuthHandler(
     void* arg,
     PRFileDesc* socket,
     CERTDistNames* ca_names,
     CERTCertificate** result_certificate,
     SECKEYPrivateKey** result_private_key) {
   SSLClientSocketNSS* that = reinterpret_cast<SSLClientSocketNSS*>(arg);
 
   that->client_auth_cert_needed_ = !that->ssl_config_.send_client_cert;
 
+  CERTCertificate* cert = NULL;
+  SECKEYPrivateKey* privkey = NULL;
+  void* wincx  = SSL_RevealPinArg(socket);
+
   // Second pass: a client certificate should have been selected.
   if (that->ssl_config_.send_client_cert) {
     if (that->ssl_config_.client_cert) {
-      void* wincx = SSL_RevealPinArg(socket);
-      CERTCertificate* cert = CERT_DupCertificate(
+      cert = CERT_DupCertificate(
           that->ssl_config_.client_cert->os_cert_handle());
-      SECKEYPrivateKey* privkey = PK11_FindKeyByAnyCert(cert, wincx);
+      privkey = PK11_FindKeyByAnyCert(cert, wincx);
       if (privkey) {
         // TODO(jsorianopastor): We should wait for server certificate
         // verification before sending our credentials.  See
         // http://crbug.com/13934.
         *result_certificate = cert;
         *result_private_key = privkey;
         return SECSuccess;
       }
       LOG(WARNING) << "Client cert found without private key";
     }
     // Send no client certificate.
     return SECFailure;
   }
 
-  PRArenaPool* arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-  CERTDistNames* ca_names_copy = PORT_ArenaZNew(arena, CERTDistNames);
+  CERTCertNicknames* names = CERT_GetCertNicknames(
+      CERT_GetDefaultCertDB(), SEC_CERT_NICKNAMES_USER, wincx);
+  if (names) {
+    for (int i = 0; i < names->numnicknames; ++i) {
+      cert = CERT_FindUserCertByUsage(
+          CERT_GetDefaultCertDB(), names->nicknames[i],
+          certUsageSSLClient, PR_FALSE, wincx);
+      if (!cert)
+        continue;
+      // Only check unexpired certs.
+      if (CERT_CheckCertValidTimes(cert, PR_Now(), PR_TRUE) ==
+          secCertTimeValid &&
+          NSS_CmpCertChainWCANames(cert, ca_names) == SECSuccess) {
+        privkey = PK11_FindKeyByAnyCert(cert, wincx);
+        if (privkey) {
+          X509Certificate* x509_cert = X509Certificate::CreateFromHandle(
+              cert, X509Certificate::SOURCE_LONE_CERT_IMPORT);
+          that->client_certs_.push_back(x509_cert);
+          SECKEY_DestroyPrivateKey(privkey);
+          continue;
+        }
+      }
+      CERT_DestroyCertificate(cert);
+    }
+    CERT_FreeNicknames(names);
+  }
 
-  ca_names_copy->arena = arena;
-  ca_names_copy->head = NULL;
-  ca_names_copy->nnames = ca_names->nnames;
-  ca_names_copy->names = PORT_ArenaZNewArray(arena, SECItem,
-                                             ca_names->nnames);
-  for (int i = 0; i < ca_names->nnames; ++i)
-    SECITEM_CopyItem(arena, &ca_names_copy->names[i], &ca_names->names[i]);
-
-  that->client_auth_ca_names_ = ca_names_copy;
   return SECFailure;
 }
 
 // static
 // NSS calls this when handshake is completed.
 // After the SSL handshake is finished, use CertVerifier to verify
 // the saved server certificate.
 void SSLClientSocketNSS::HandshakeCallback(PRFileDesc* socket,
                                            void* arg) {
   SSLClientSocketNSS* that = reinterpret_cast<SSLClientSocketNSS*>(arg);
@@ skipping 157 matching lines @@
   }
   PRErrorCode prerr = PR_GetError();
   if (prerr == PR_WOULD_BLOCK_ERROR) {
     return ERR_IO_PENDING;
   }
   LeaveFunction("");
   return NetErrorFromNSPRError(prerr);
 }
 
 }  // namespace net