Pass the client certificate into OpenSSL in common code.

net/socket/ssl_client_socket_openssl.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // OpenSSL binding for SSLClientSocket. The class layout and general principle
 // of operation is derived from SSLClientSocketNSS.
 
 #include "net/socket/ssl_client_socket_openssl.h"
 
 #include <openssl/err.h>
@@ skipping 34 matching lines @@
 #endif
 
 // This constant can be any non-negative/non-zero value (eg: it does not
 // overlap with any value of the net::Error range, including net::OK).
 const int kNoPendingReadResult = 1;
 
 // If a client doesn't have a list of protocols that it supports, but
 // the server supports NPN, choosing "http/1.1" is the best answer.
 const char kDefaultSupportedNPNProtocol[] = "http/1.1";
 
+typedef crypto::ScopedOpenSSL<X509, X509_free>::Type ScopedX509;
+
 #if OPENSSL_VERSION_NUMBER < 0x1000103fL
 // This method doesn't seem to have made it into the OpenSSL headers.
 unsigned long SSL_CIPHER_get_id(const SSL_CIPHER* cipher) { return cipher->id; }
 #endif
 
 // Used for encoding the |connection_status| field of an SSLInfo object.
 int EncodeSSLConnectionStatus(int cipher_suite,
                               int compression,
                               int version) {
   return ((cipher_suite & SSL_CONNECTION_CIPHERSUITE_MASK) <<
@@ skipping 25 matching lines @@
 
 // Compute a unique key string for the SSL session cache. |socket| is an
 // input socket object. Return a string.
 std::string GetSocketSessionCacheKey(const SSLClientSocketOpenSSL& socket) {
   std::string result = socket.host_and_port().ToString();
   result.append("/");
   result.append(socket.ssl_session_cache_shard());
   return result;
 }
 
-static void FreeX509Stack(STACK_OF(X509) * ptr) {
+void FreeX509Stack(STACK_OF(X509) * ptr) {
   sk_X509_pop_free(ptr, X509_free);
 }
 
+ScopedX509 OSCertHandleToOpenSSL(
+    X509Certificate::OSCertHandle os_handle) {
+#if defined(USE_OPENSSL_CERTS)
+  return ScopedX509(X509Certificate::DupOSCertHandle(os_handle));
+#else  // !defined(USE_OPENSSL_CERTS)
+  std::string der_encoded;
+  if (!X509Certificate::GetDEREncoded(os_handle, &der_encoded))
+    return ScopedX509();
+  const uint8_t* bytes = reinterpret_cast<const uint8_t*>(der_encoded.data());
+  return ScopedX509(d2i_X509(NULL, &bytes, der_encoded.size()));
+#endif  // defined(USE_OPENSSL_CERTS)
+}
+
 }  // namespace
 
 class SSLClientSocketOpenSSL::SSLContext {
  public:
   static SSLContext* GetInstance() { return Singleton<SSLContext>::get(); }
   SSL_CTX* ssl_ctx() { return ssl_ctx_.get(); }
   SSLSessionCacheOpenSSL* session_cache() { return &session_cache_; }
 
   SSLClientSocketOpenSSL* GetClientSocketFromSSL(const SSL* ssl) {
     DCHECK(ssl);
@@ skipping 1228 matching lines @@
     for (size_t i = 0; i < num_client_cert_types; i++) {
       cert_key_types_.push_back(
           static_cast<SSLClientCertType>(client_cert_types[i]));
     }
 
     return -1;  // Suspends handshake.
   }
 
   // Second pass: a client certificate should have been selected.
   if (ssl_config_.client_cert.get()) {
+    // TODO(davidben): Configure OpenSSL to also send the intermediates.
+    ScopedX509 leaf_x509 =
+        OSCertHandleToOpenSSL(ssl_config_.client_cert->os_cert_handle());
+    if (!leaf_x509) {
+      LOG(WARNING) << "Failed to import certificate";
+      OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_CERT_BAD_FORMAT);

[Ryan Sleevi, 2014/07/11 18:20:14]

Update NSS to use this code too?

[davidben, 2014/07/11 18:32:20]

Hrm. So it doesn't look like NSS actually gives you a way to return an error
code from that callback (plus we'd have to round-trip through NSPR's error
codes). I think we could SECWouldBlock, store the error code elsewhere, and then
route around. That's probably enough effort that it should be separate.

+      return -1;
+    }
+
+    OpenSSLClientKeyStore::ScopedEVP_PKEY privkey;
 #if defined(USE_OPENSSL_CERTS)
     // A note about ownership: FetchClientCertPrivateKey() increments
     // the reference count of the EVP_PKEY. Ownership of this reference
     // is passed directly to OpenSSL, which will release the reference
     // using EVP_PKEY_free() when the SSL object is destroyed.
-    OpenSSLClientKeyStore::ScopedEVP_PKEY privkey;
-    if (OpenSSLClientKeyStore::GetInstance()->FetchClientCertPrivateKey(
+    if (!OpenSSLClientKeyStore::GetInstance()->FetchClientCertPrivateKey(
             ssl_config_.client_cert.get(), &privkey)) {
-      // TODO(joth): (copied from NSS) We should wait for server certificate
-      // verification before sending our credentials. See http://crbug.com/13934
-      *x509 = X509Certificate::DupOSCertHandle(
-          ssl_config_.client_cert->os_cert_handle());
-      *pkey = privkey.release();
-      return 1;
+      // Could not find the private key. Fail the handshake and surface an
+      // appropriate error to the caller.
+      LOG(WARNING) << "Client cert found without private key";
+      OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_CERT_NO_PRIVATE_KEY);
+      return -1;
     }
+#else  // !defined(USE_OPENSSL_CERTS)
+    // OS handling of private keys is not yet implemented.
+    NOTIMPLEMENTED();
+    return 0;
+#endif  // defined(USE_OPENSSL_CERTS)
 
-    // Could not find the private key. Fail the handshake and surface an
-    // appropriate error to the caller.
-    LOG(WARNING) << "Client cert found without private key";
-    OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_CERT_NO_PRIVATE_KEY);
-    return -1;
-#else  // !defined(USE_OPENSSL_CERTS)
-    // OS handling of client certificates is not yet implemented.
-    NOTIMPLEMENTED();
-#endif  // defined(USE_OPENSSL_CERTS)
+    // TODO(joth): (copied from NSS) We should wait for server certificate
+    // verification before sending our credentials. See http://crbug.com/13934
+    *x509 = leaf_x509.release();
+    *pkey = privkey.release();
+    return 1;
   }
 
   // Send no client certificate.
   return 0;
 }
 
 int SSLClientSocketOpenSSL::CertVerifyCallback(X509_STORE_CTX* store_ctx) {
   if (!completed_handshake_) {
     // If the first handshake hasn't completed then we accept any certificates
     // because we verify after the handshake.
@@ skipping 62 matching lines @@
   DVLOG(2) << "next protocol: '" << npn_proto_ << "' status: " << npn_status_;
   return SSL_TLSEXT_ERR_OK;
 }
 
 scoped_refptr<X509Certificate>
 SSLClientSocketOpenSSL::GetUnverifiedServerCertificateChain() const {
   return server_cert_;
 }
 
 }  // namespace net