Implement TLS client auth in the OS X OpenSSL port.

net/socket/ssl_client_socket_openssl.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // OpenSSL binding for SSLClientSocket. The class layout and general principle
 // of operation is derived from SSLClientSocketNSS.
 
 #include "net/socket/ssl_client_socket_openssl.h"
 
 #include <errno.h>
 #include <openssl/err.h>
 #include <openssl/ssl.h>
 
 #include "base/bind.h"
 #include "base/callback_helpers.h"
 #include "base/memory/singleton.h"
 #include "base/metrics/histogram.h"
 #include "base/synchronization/lock.h"
 #include "crypto/ec_private_key.h"
 #include "crypto/openssl_util.h"
 #include "crypto/scoped_openssl_types.h"
 #include "net/base/net_errors.h"
 #include "net/cert/cert_verifier.h"
 #include "net/cert/single_request_cert_verifier.h"
 #include "net/cert/x509_certificate_net_log_param.h"
-#include "net/socket/openssl_ssl_util.h"
 #include "net/socket/ssl_error_params.h"
 #include "net/socket/ssl_session_cache_openssl.h"
-#include "net/ssl/openssl_client_key_store.h"
+#include "net/ssl/openssl_ssl_util.h"
 #include "net/ssl/ssl_cert_request_info.h"
 #include "net/ssl/ssl_connection_status_flags.h"
 #include "net/ssl/ssl_info.h"
 
+#if defined(USE_OPENSSL_CERTS)

[Ryan Sleevi, 2014/07/23 22:38:47]

USE_OPENSSL_CERTS is only meant to apply to the representation of an
X509Certificate object, not keys.

I'm not sure I understand why this #ifdef

+#include "net/ssl/openssl_client_key_store.h"
+#else
+#include "net/ssl/openssl_platform_key.h"
+#endif
+
 namespace net {
 
 namespace {
 
 // Enable this to see logging for state machine state transitions.
 #if 0
 #define GotoState(s) do { DVLOG(2) << (void *)this << " " << __FUNCTION__ << \
                            " jump to state " << s; \
                            next_handshake_state_ = s; } while (0)
 #else
@@ skipping 1272 matching lines @@
   return result;
 }
 
 int SSLClientSocketOpenSSL::ClientCertRequestCallback(SSL* ssl,
                                                       X509** x509,
                                                       EVP_PKEY** pkey) {
   DVLOG(3) << "OpenSSL ClientCertRequestCallback called";
   DCHECK(ssl == ssl_);
   DCHECK(*x509 == NULL);
   DCHECK(*pkey == NULL);
+
+#if defined(OS_IOS)
+  // TODO(droger): Support client auth on iOS. See http://crbug.com/145954).
+  LOG(WARNING) << "Client auth is not supported";
+#else  // !defined(OS_IOS)
   if (!ssl_config_.send_client_cert) {
     // First pass: we know that a client certificate is needed, but we do not
     // have one at hand.
     client_auth_cert_needed_ = true;
     STACK_OF(X509_NAME) *authorities = SSL_get_client_CA_list(ssl);
     for (size_t i = 0; i < sk_X509_NAME_num(authorities); i++) {
       X509_NAME *ca_name = (X509_NAME *)sk_X509_NAME_value(authorities, i);
       unsigned char* str = NULL;
       int length = i2d_X509_NAME(ca_name, &str);
       cert_authorities_.push_back(std::string(
@@ skipping 18 matching lines @@
   if (ssl_config_.client_cert.get()) {
     // TODO(davidben): Configure OpenSSL to also send the intermediates.
     ScopedX509 leaf_x509 =
         OSCertHandleToOpenSSL(ssl_config_.client_cert->os_cert_handle());
     if (!leaf_x509) {
       LOG(WARNING) << "Failed to import certificate";
       OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_CERT_BAD_FORMAT);
       return -1;
     }
 
-    crypto::ScopedEVP_PKEY privkey;
+    // TODO(davidben): With Linux client auth support, this should be
+    // conditioned on OS_ANDROID and then, with https://crbug.com/394131,
+    // removed altogether. OpenSSLClientKeyStore is mostly an artifact of the
+    // net/ client auth API lacking a private key handle.
 #if defined(USE_OPENSSL_CERTS)
-    // A note about ownership: FetchClientCertPrivateKey() increments
-    // the reference count of the EVP_PKEY. Ownership of this reference
-    // is passed directly to OpenSSL, which will release the reference
-    // using EVP_PKEY_free() when the SSL object is destroyed.
-    if (!OpenSSLClientKeyStore::GetInstance()->FetchClientCertPrivateKey(
-            ssl_config_.client_cert.get(), &privkey)) {
+    crypto::ScopedEVP_PKEY privkey =
+        OpenSSLClientKeyStore::GetInstance()->FetchClientCertPrivateKey(
+            ssl_config_.client_cert.get());
+#else  // !defined(USE_OPENSSL_CERTS)
+    crypto::ScopedEVP_PKEY privkey =
+        FetchClientCertPrivateKey(ssl_config_.client_cert.get());
+#endif  // defined(USE_OPENSSL_CERTS)
+    if (!privkey) {
       // Could not find the private key. Fail the handshake and surface an
       // appropriate error to the caller.
       LOG(WARNING) << "Client cert found without private key";
       OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_CERT_NO_PRIVATE_KEY);
       return -1;
     }
-#else  // !defined(USE_OPENSSL_CERTS)
-    // OS handling of private keys is not yet implemented.
-    NOTIMPLEMENTED();
-    return 0;
-#endif  // defined(USE_OPENSSL_CERTS)
 
     // TODO(joth): (copied from NSS) We should wait for server certificate
     // verification before sending our credentials. See http://crbug.com/13934
     *x509 = leaf_x509.release();
     *pkey = privkey.release();
     return 1;
   }
+#endif  // defined(OS_IOS)
 
   // Send no client certificate.
   return 0;
 }
 
 int SSLClientSocketOpenSSL::CertVerifyCallback(X509_STORE_CTX* store_ctx) {
   if (!completed_handshake_) {
     // If the first handshake hasn't completed then we accept any certificates
     // because we verify after the handshake.
     return 1;
@@ skipping 106 matching lines @@
   return socket->MaybeReplayTransportError(
       bio, cmd, argp, argi, argl, retvalue);
 }
 
 scoped_refptr<X509Certificate>
 SSLClientSocketOpenSSL::GetUnverifiedServerCertificateChain() const {
   return server_cert_;
 }
 
 }  // namespace net