Chromium Code Reviews Chromium Code Reviews
Issue 83793006:
NSS: Handle unfriendly tokens in client auth. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/ssl/client_cert_store_impl.h" | 5 #include "net/ssl/client_cert_store_impl.h" |
| 6 | 6 |
| 7 #include <nss.h> | 7 #include <nss.h> |
| 8 #include <ssl.h> | 8 #include <ssl.h> |
| 9 | 9 |
| 10 #include "base/callback.h" | 10 #include "base/bind.h" |
| 11 #include "base/location.h" | |
| 11 #include "base/logging.h" | 12 #include "base/logging.h" |
| 13 #include "base/memory/scoped_ptr.h" | |
| 14 #include "base/threading/worker_pool.h" | |
| 15 #include "crypto/crypto_module_blocking_password_delegate.h" | |
| 12 #include "net/cert/x509_util.h" | 16 #include "net/cert/x509_util.h" |
| 13 | 17 |
| 14 namespace net { | 18 namespace net { |
| 15 | 19 |
| 16 namespace { | 20 namespace { |
| 17 | 21 |
| 18 // Examines the certificates in |cert_list| to find all certificates that match | 22 // Examines the certificates in |cert_list| to find all certificates that match |
| 19 // the client certificate request in |request|, storing the matching | 23 // the client certificate request in |request|, storing the matching |
| 20 // certificates in |selected_certs|. | 24 // certificates in |selected_certs|. |
| 21 // If |query_nssdb| is true, NSS will be queried to construct full certificate | 25 // If |query_nssdb| is true, NSS will be queried to construct full certificate |
| (...skipping 46 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 68 (query_nssdb && | 72 (query_nssdb && |
| 69 NSS_CmpCertChainWCANames(node->cert, &ca_names) == SECSuccess)) { | 73 NSS_CmpCertChainWCANames(node->cert, &ca_names) == SECSuccess)) { |
| 70 selected_certs->push_back(cert); | 74 selected_certs->push_back(cert); |
| 71 } | 75 } |
| 72 } | 76 } |
| 73 | 77 |
| 74 std::sort(selected_certs->begin(), selected_certs->end(), | 78 std::sort(selected_certs->begin(), selected_certs->end(), |
| 75 x509_util::ClientCertSorter()); | 79 x509_util::ClientCertSorter()); |
| 76 } | 80 } |
| 77 | 81 |
| 82 void GetClientCertsOnWorkerThread( | |
| 83 scoped_ptr<crypto::CryptoModuleBlockingPasswordDelegate> password_delegate, | |
| 84 const SSLCertRequestInfo* request, | |
| 85 CertificateList* selected_certs) { | |
| 86 CERTCertList* client_certs = CERT_FindUserCertsByUsage( | |
| 87 CERT_GetDefaultCertDB(), | |
| 88 certUsageSSLClient, | |
| 89 PR_FALSE, | |
| 90 PR_FALSE, | |
| 91 password_delegate.get()); | |
| 92 // It is ok for a user not to have any client certs. | |
| 93 if (!client_certs) { | |
| 94 selected_certs->clear(); | |
| 95 return; | |
| 96 } | |
| 97 | |
| 98 GetClientCertsImpl(client_certs, *request, true, selected_certs); | |
| 99 CERT_DestroyCertList(client_certs); | |
| 100 } | |
| 101 | |
| 78 } // namespace | 102 } // namespace |
| 79 | 103 |
| 104 ClientCertStoreImpl::ClientCertStoreImpl() {} | |
| 105 | |
| 106 ClientCertStoreImpl::~ClientCertStoreImpl() {} | |
| 107 | |
| 80 void ClientCertStoreImpl::GetClientCerts(const SSLCertRequestInfo& request, | 108 void ClientCertStoreImpl::GetClientCerts(const SSLCertRequestInfo& request, |
| 81 CertificateList* selected_certs, | 109 CertificateList* selected_certs, |
| 82 const base::Closure& callback) { | 110 const base::Closure& callback) { |
| 83 CERTCertList* client_certs = CERT_FindUserCertsByUsage( | 111 scoped_ptr<crypto::CryptoModuleBlockingPasswordDelegate> password_delegate; |
| 84 CERT_GetDefaultCertDB(), certUsageSSLClient, | 112 if (!password_delegate_factory_.is_null()) |
| 85 PR_FALSE, PR_FALSE, NULL); | 113 password_delegate.reset( |
| 86 // It is ok for a user not to have any client certs. | 114 password_delegate_factory_.Run(request.host_and_port)); |
|
wtc
2013/11/26 23:28:17
Nit: curly braces should be used because the state
mattm
2013/11/26 23:47:56
Done.
| |
| 87 if (!client_certs) { | 115 if (!base::WorkerPool::PostTaskAndReply( |
| 116 FROM_HERE, | |
| 117 base::Bind(&GetClientCertsOnWorkerThread, | |
| 118 base::Passed(&password_delegate), | |
| 119 &request, | |
| 120 selected_certs), | |
| 121 callback, | |
| 122 true)) { | |
| 88 selected_certs->clear(); | 123 selected_certs->clear(); |
| 89 callback.Run(); | 124 callback.Run(); |
| 90 return; | |
| 91 } | 125 } |
| 126 } | |
| 92 | 127 |
| 93 GetClientCertsImpl(client_certs, request, true, selected_certs); | 128 void ClientCertStoreImpl::set_password_delegate_factory( |
| 94 CERT_DestroyCertList(client_certs); | 129 const PasswordDelegateFactory& password_delegate_factory) { |
| 95 callback.Run(); | 130 password_delegate_factory_ = password_delegate_factory; |
| 96 } | 131 } |
| 97 | 132 |
| 98 bool ClientCertStoreImpl::SelectClientCertsForTesting( | 133 bool ClientCertStoreImpl::SelectClientCertsForTesting( |
| 99 const CertificateList& input_certs, | 134 const CertificateList& input_certs, |
| 100 const SSLCertRequestInfo& request, | 135 const SSLCertRequestInfo& request, |
| 101 CertificateList* selected_certs) { | 136 CertificateList* selected_certs) { |
| 102 CERTCertList* cert_list = CERT_NewCertList(); | 137 CERTCertList* cert_list = CERT_NewCertList(); |
| 103 if (!cert_list) | 138 if (!cert_list) |
| 104 return false; | 139 return false; |
| 105 for (size_t i = 0; i < input_certs.size(); ++i) { | 140 for (size_t i = 0; i < input_certs.size(); ++i) { |
| 106 CERT_AddCertToListTail( | 141 CERT_AddCertToListTail( |
| 107 cert_list, CERT_DupCertificate(input_certs[i]->os_cert_handle())); | 142 cert_list, CERT_DupCertificate(input_certs[i]->os_cert_handle())); |
| 108 } | 143 } |
| 109 | 144 |
| 110 GetClientCertsImpl(cert_list, request, false, selected_certs); | 145 GetClientCertsImpl(cert_list, request, false, selected_certs); |
| 111 CERT_DestroyCertList(cert_list); | 146 CERT_DestroyCertList(cert_list); |
| 112 return true; | 147 return true; |
| 113 } | 148 } |
| 114 | 149 |
| 115 } // namespace net | 150 } // namespace net |
| OLD | NEW |
