NSS: Handle unfriendly tokens in client auth.

net/ssl/client_cert_store_impl_nss.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/ssl/client_cert_store_impl.h"
 
 #include <nss.h>
 #include <ssl.h>
 
-#include "base/callback.h"
+#include "base/bind.h"
+#include "base/location.h"
 #include "base/logging.h"
+#include "base/memory/scoped_ptr.h"
+#include "base/threading/worker_pool.h"
+#include "crypto/crypto_module_blocking_password_delegate.h"
 #include "net/cert/x509_util.h"
 
 namespace net {
 
 namespace {
 
 // Examines the certificates in |cert_list| to find all certificates that match
 // the client certificate request in |request|, storing the matching
 // certificates in |selected_certs|.
 // If |query_nssdb| is true, NSS will be queried to construct full certificate
@@ skipping 46 matching lines @@
         (query_nssdb &&
          NSS_CmpCertChainWCANames(node->cert, &ca_names) == SECSuccess)) {
       selected_certs->push_back(cert);
     }
   }
 
   std::sort(selected_certs->begin(), selected_certs->end(),
             x509_util::ClientCertSorter());
 }
 
+void GetClientCertsOnWorkerThread(
+    scoped_ptr<crypto::CryptoModuleBlockingPasswordDelegate> password_delegate,
+    const SSLCertRequestInfo* request,
+    CertificateList* selected_certs) {
+  CERTCertList* client_certs = CERT_FindUserCertsByUsage(
+      CERT_GetDefaultCertDB(),
+      certUsageSSLClient,
+      PR_FALSE,
+      PR_FALSE,
+      password_delegate.get());
+  // It is ok for a user not to have any client certs.
+  if (!client_certs) {
+    selected_certs->clear();
+    return;
+  }
+
+  GetClientCertsImpl(client_certs, *request, true, selected_certs);
+  CERT_DestroyCertList(client_certs);
+}
+
 }  // namespace
 
+ClientCertStoreImpl::ClientCertStoreImpl() {}
+
+ClientCertStoreImpl::~ClientCertStoreImpl() {}
+
 void ClientCertStoreImpl::GetClientCerts(const SSLCertRequestInfo& request,
                                          CertificateList* selected_certs,
                                          const base::Closure& callback) {
-  CERTCertList* client_certs = CERT_FindUserCertsByUsage(
-      CERT_GetDefaultCertDB(), certUsageSSLClient,
-      PR_FALSE, PR_FALSE, NULL);
-  // It is ok for a user not to have any client certs.
-  if (!client_certs) {
+  scoped_ptr<crypto::CryptoModuleBlockingPasswordDelegate> password_delegate;
+  if (!password_delegate_factory_.is_null()) {
+    password_delegate.reset(
+        password_delegate_factory_.Run(request.host_and_port));
+  }
+  if (!base::WorkerPool::PostTaskAndReply(
+           FROM_HERE,
+           base::Bind(&GetClientCertsOnWorkerThread,
+                      base::Passed(&password_delegate),
+                      &request,
+                      selected_certs),
+           callback,
+           true)) {
     selected_certs->clear();
     callback.Run();
-    return;
   }
+}
 
-  GetClientCertsImpl(client_certs, request, true, selected_certs);
-  CERT_DestroyCertList(client_certs);
-  callback.Run();
+void ClientCertStoreImpl::set_password_delegate_factory(
+      const PasswordDelegateFactory& password_delegate_factory) {
+  password_delegate_factory_ = password_delegate_factory;
 }
 
 bool ClientCertStoreImpl::SelectClientCertsForTesting(
     const CertificateList& input_certs,
     const SSLCertRequestInfo& request,
     CertificateList* selected_certs) {
   CERTCertList* cert_list = CERT_NewCertList();
   if (!cert_list)
     return false;
   for (size_t i = 0; i < input_certs.size(); ++i) {
     CERT_AddCertToListTail(
         cert_list, CERT_DupCertificate(input_certs[i]->os_cert_handle()));
   }
 
   GetClientCertsImpl(cert_list, request, false, selected_certs);
   CERT_DestroyCertList(cert_list);
   return true;
 }
 
 }  // namespace net