1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived | 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived |
6 // from AuthCertificateCallback() in | 6 // from AuthCertificateCallback() in |
7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. | 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. |
8 | 8 |
9 /* ***** BEGIN LICENSE BLOCK ***** | 9 /* ***** BEGIN LICENSE BLOCK ***** |
10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 | 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 |
1529 CERTCertList** result_certs, | 1529 CERTCertList** result_certs, |
1530 void** result_private_key) { | 1530 void** result_private_key) { |
1531 SSLClientSocketNSS* that = reinterpret_cast<SSLClientSocketNSS*>(arg); | 1531 SSLClientSocketNSS* that = reinterpret_cast<SSLClientSocketNSS*>(arg); |
1532 | 1532 |
1533 that->client_auth_cert_needed_ = !that->ssl_config_.send_client_cert; | 1533 that->client_auth_cert_needed_ = !that->ssl_config_.send_client_cert; |
1534 #if defined(OS_WIN) | 1534 #if defined(OS_WIN) |
1535 if (that->ssl_config_.send_client_cert) { | 1535 if (that->ssl_config_.send_client_cert) { |
1536 if (that->ssl_config_.client_cert) { | 1536 if (that->ssl_config_.client_cert) { |
1537 PCCERT_CONTEXT cert_context = | 1537 PCCERT_CONTEXT cert_context = |
1538 that->ssl_config_.client_cert->os_cert_handle(); | 1538 that->ssl_config_.client_cert->os_cert_handle(); |
1539 if (VLOG_IS_ON(1)) { | 1539 PCERT_KEY_CONTEXT key_context = reinterpret_cast<PCERT_KEY_CONTEXT>( |
1540 do { | 1540 PORT_ZAlloc(sizeof(CERT_KEY_CONTEXT))); |
1541 DWORD size_needed = 0; | 1541 if (!key_context) |
1542 BOOL got_info = CertGetCertificateContextProperty( | 1542 return SECFailure; |
1543 cert_context, CERT_KEY_PROV_INFO_PROP_ID, NULL, &size_needed); | 1543 key_context->cbSize = sizeof(*key_context); |
1544 if (!got_info) { | |
1545 VLOG(1) << "Failed to get key prov info size " << GetLastError(); | |
1546 break; | |
1547 } | |
1548 std::vector<BYTE> raw_info(size_needed); | |
1549 got_info = CertGetCertificateContextProperty( | |
1550 cert_context, CERT_KEY_PROV_INFO_PROP_ID, &raw_info[0], | |
1551 &size_needed); | |
1552 if (!got_info) { | |
1553 VLOG(1) << "Failed to get key prov info " << GetLastError(); | |
1554 break; | |
1555 } | |
1556 PCRYPT_KEY_PROV_INFO info = | |
1557 reinterpret_cast<PCRYPT_KEY_PROV_INFO>(&raw_info[0]); | |
1558 VLOG(1) << "Container Name: " << info->pwszContainerName | |
1559 << "\nProvider Name: " << info->pwszProvName | |
1560 << "\nProvider Type: " << info->dwProvType | |
1561 << "\nFlags: " << info->dwFlags | |
1562 << "\nProvider Param Count: " << info->cProvParam | |
1563 << "\nKey Specifier: " << info->dwKeySpec; | |
1564 } while (false); | |
1565 | 1544 |
1566 do { | |
1567 DWORD size_needed = 0; | |
1568 BOOL got_identifier = CertGetCertificateContextProperty( | |
1569 cert_context, CERT_KEY_IDENTIFIER_PROP_ID, NULL, &size_needed); | |
1570 if (!got_identifier) { | |
1571 VLOG(1) << "Failed to get key identifier size " | |
1572 << GetLastError(); | |
1573 break; | |
1574 } | |
1575 std::vector<BYTE> raw_id(size_needed); | |
1576 got_identifier = CertGetCertificateContextProperty( | |
1577 cert_context, CERT_KEY_IDENTIFIER_PROP_ID, &raw_id[0], | |
1578 &size_needed); | |
1579 if (!got_identifier) { | |
1580 VLOG(1) << "Failed to get key identifier " << GetLastError(); | |
1581 break; | |
1582 } | |
1583 VLOG(1) << "Key Identifier: " << base::HexEncode(&raw_id[0], | |
1584 size_needed); | |
1585 } while (false); | |
1586 } | |
1587 HCRYPTPROV provider = NULL; | |
1588 DWORD key_spec = AT_KEYEXCHANGE; | |
1589 BOOL must_free = FALSE; | 1545 BOOL must_free = FALSE; |
1590 BOOL acquired_key = CryptAcquireCertificatePrivateKey( | 1546 BOOL acquired_key = CryptAcquireCertificatePrivateKey( |
1591 cert_context, | 1547 cert_context, |
1592 CRYPT_ACQUIRE_CACHE_FLAG | CRYPT_ACQUIRE_COMPARE_KEY_FLAG, | 1548 CRYPT_ACQUIRE_CACHE_FLAG | CRYPT_ACQUIRE_COMPARE_KEY_FLAG, |
1593 NULL, &provider, &key_spec, &must_free); | 1549 NULL, &key_context->hCryptProv, &key_context->dwKeySpec, |
1594 if (acquired_key && provider) { | 1550 &must_free); |
1595 DCHECK_NE(key_spec, CERT_NCRYPT_KEY_SPEC); | 1551 if (acquired_key && key_context->hCryptProv) { |
| 1552 DCHECK_NE(key_context->dwKeySpec, CERT_NCRYPT_KEY_SPEC); |
1596 | 1553 |
1597 // The certificate cache may have been updated/used, in which case, | 1554 // The certificate cache may have been updated/used, in which case, |
1598 // duplicate the existing handle, since NSS will free it when no | 1555 // duplicate the existing handle, since NSS will free it when no |
1599 // longer in use. | 1556 // longer in use. |
1600 if (!must_free) | 1557 if (!must_free) |
1601 CryptContextAddRef(provider, NULL, 0); | 1558 CryptContextAddRef(key_context->hCryptProv, NULL, 0); |
1602 | 1559 |
1603 SECItem der_cert; | 1560 SECItem der_cert; |
1604 der_cert.type = siDERCertBuffer; | 1561 der_cert.type = siDERCertBuffer; |
1605 der_cert.data = cert_context->pbCertEncoded; | 1562 der_cert.data = cert_context->pbCertEncoded; |
1606 der_cert.len = cert_context->cbCertEncoded; | 1563 der_cert.len = cert_context->cbCertEncoded; |
1607 | 1564 |
1608 // TODO(rsleevi): Error checking for NSS allocation errors. | 1565 // TODO(rsleevi): Error checking for NSS allocation errors. |
1609 *result_certs = CERT_NewCertList(); | 1566 *result_certs = CERT_NewCertList(); |
1610 CERTCertDBHandle* db_handle = CERT_GetDefaultCertDB(); | 1567 CERTCertDBHandle* db_handle = CERT_GetDefaultCertDB(); |
1611 CERTCertificate* user_cert = CERT_NewTempCertificate( | 1568 CERTCertificate* user_cert = CERT_NewTempCertificate( |
1612 db_handle, &der_cert, NULL, PR_FALSE, PR_TRUE); | 1569 db_handle, &der_cert, NULL, PR_FALSE, PR_TRUE); |
1613 CERT_AddCertToListTail(*result_certs, user_cert); | 1570 CERT_AddCertToListTail(*result_certs, user_cert); |
1614 | 1571 |
1615 // Add the intermediates. | 1572 // Add the intermediates. |
1616 X509Certificate::OSCertHandles intermediates = | 1573 X509Certificate::OSCertHandles intermediates = |
1617 that->ssl_config_.client_cert->GetIntermediateCertificates(); | 1574 that->ssl_config_.client_cert->GetIntermediateCertificates(); |
1618 for (X509Certificate::OSCertHandles::const_iterator it = | 1575 for (X509Certificate::OSCertHandles::const_iterator it = |
1619 intermediates.begin(); it != intermediates.end(); ++it) { | 1576 intermediates.begin(); it != intermediates.end(); ++it) { |
1620 der_cert.data = (*it)->pbCertEncoded; | 1577 der_cert.data = (*it)->pbCertEncoded; |
1621 der_cert.len = (*it)->cbCertEncoded; | 1578 der_cert.len = (*it)->cbCertEncoded; |
1622 | 1579 |
1623 CERTCertificate* intermediate = CERT_NewTempCertificate( | 1580 CERTCertificate* intermediate = CERT_NewTempCertificate( |
1624 db_handle, &der_cert, NULL, PR_FALSE, PR_TRUE); | 1581 db_handle, &der_cert, NULL, PR_FALSE, PR_TRUE); |
1625 CERT_AddCertToListTail(*result_certs, intermediate); | 1582 CERT_AddCertToListTail(*result_certs, intermediate); |
1626 } | 1583 } |
1627 // TODO(wtc): |key_spec| should be passed along with |provider|. | 1584 *result_private_key = key_context; |
1628 *result_private_key = reinterpret_cast<void*>(provider); | |
1629 return SECSuccess; | 1585 return SECSuccess; |
1630 } | 1586 } |
| 1587 PORT_Free(key_context); |
1631 LOG(WARNING) << "Client cert found without private key"; | 1588 LOG(WARNING) << "Client cert found without private key"; |
1632 } | 1589 } |
1633 // Send no client certificate. | 1590 // Send no client certificate. |
1634 return SECFailure; | 1591 return SECFailure; |
1635 } | 1592 } |
1636 | 1593 |
1637 that->client_certs_.clear(); | 1594 that->client_certs_.clear(); |
1638 | 1595 |
1639 std::vector<CERT_NAME_BLOB> issuer_list(ca_names->nnames); | 1596 std::vector<CERT_NAME_BLOB> issuer_list(ca_names->nnames); |
1640 for (int i = 0; i < ca_names->nnames; ++i) { | 1597 for (int i = 0; i < ca_names->nnames; ++i) { |
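Review bot: The new `*result_private_key = key_context;` (new line 1584) hands NSS a PORT_ZAlloc'd CERT_KEY_CONTEXT instead of the bare HCRYPTPROV the removed line 1628 passed, which changes what the consumer has to release: the struct itself via PORT_Free and, given the CryptContextAddRef on new line 1558, a provider reference via CryptReleaseContext. The only statement of that contract in the hunk is the pre-existing "NSS will free it when no longer in use" comment, which predates the struct; a comment at the assignment such as `// NSS takes ownership of |key_context|: it must CryptReleaseContext(hCryptProv) and PORT_Free the struct when the key is no longer in use.` would make the handoff explicit, and the NSS side that consumes it is outside this hunk and worth checking against. The PORT_Free on new line 1587 covers only the acquire-failure path; the TODO(rsleevi) gap just above means a failed CERT_NewCertList on the success path still returns SECSuccess while leaking key_context and the added provider reference, which the commit does not address. The enclosing callback begins before old line 1529 and is partly outside the hunk.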
1737 if (chain) { | 1694 if (chain) { |
1738 identity = reinterpret_cast<SecIdentityRef>( | 1695 identity = reinterpret_cast<SecIdentityRef>( |
1739 const_cast<void*>(CFArrayGetValueAtIndex(chain, 0))); | 1696 const_cast<void*>(CFArrayGetValueAtIndex(chain, 0))); |
1740 } | 1697 } |
1741 if (identity) | 1698 if (identity) |
1742 os_error = SecIdentityCopyPrivateKey(identity, &private_key); | 1699 os_error = SecIdentityCopyPrivateKey(identity, &private_key); |
1743 | 1700 |
1744 if (chain && identity && os_error == noErr) { | 1701 if (chain && identity && os_error == noErr) { |
1745 // TODO(rsleevi): Error checking for NSS allocation errors. | 1702 // TODO(rsleevi): Error checking for NSS allocation errors. |
1746 *result_certs = CERT_NewCertList(); | 1703 *result_certs = CERT_NewCertList(); |
1747 *result_private_key = reinterpret_cast<void*>(private_key); | 1704 *result_private_key = private_key; |
1748 | 1705 |
1749 for (CFIndex i = 0; i < CFArrayGetCount(chain); ++i) { | 1706 for (CFIndex i = 0; i < CFArrayGetCount(chain); ++i) { |
1750 CSSM_DATA cert_data; | 1707 CSSM_DATA cert_data; |
1751 SecCertificateRef cert_ref; | 1708 SecCertificateRef cert_ref; |
1752 if (i == 0) { | 1709 if (i == 0) { |
1753 cert_ref = that->ssl_config_.client_cert->os_cert_handle(); | 1710 cert_ref = that->ssl_config_.client_cert->os_cert_handle(); |
1754 } else { | 1711 } else { |
1755 cert_ref = reinterpret_cast<SecCertificateRef>( | 1712 cert_ref = reinterpret_cast<SecCertificateRef>( |
1756 const_cast<void*>(CFArrayGetValueAtIndex(chain, i))); | 1713 const_cast<void*>(CFArrayGetValueAtIndex(chain, i))); |
1757 } | 1714 } |
2506 case SSL_CONNECTION_VERSION_TLS1_1: | 2463 case SSL_CONNECTION_VERSION_TLS1_1: |
2507 UpdateConnectionTypeHistograms(CONNECTION_SSL_TLS1_1); | 2464 UpdateConnectionTypeHistograms(CONNECTION_SSL_TLS1_1); |
2508 break; | 2465 break; |
2509 case SSL_CONNECTION_VERSION_TLS1_2: | 2466 case SSL_CONNECTION_VERSION_TLS1_2: |
2510 UpdateConnectionTypeHistograms(CONNECTION_SSL_TLS1_2); | 2467 UpdateConnectionTypeHistograms(CONNECTION_SSL_TLS1_2); |
2511 break; | 2468 break; |
2512 }; | 2469 }; |
2513 } | 2470 } |
2514 | 2471 |
2515 } // namespace net | 2472 } // namespace net |