Remove //net (except for Android test stuff) and sdch

net/ssl/client_cert_store_mac.cc

-// Copyright 2013 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "net/ssl/client_cert_store_mac.h"
-
-#include <CommonCrypto/CommonDigest.h>
-#include <CoreFoundation/CFArray.h>
-#include <CoreServices/CoreServices.h>
-#include <Security/SecBase.h>
-#include <Security/Security.h>
-
-#include <algorithm>
-#include <string>
-
-#include "base/callback.h"
-#include "base/logging.h"
-#include "base/mac/mac_logging.h"
-#include "base/mac/scoped_cftyperef.h"
-#include "base/strings/sys_string_conversions.h"
-#include "base/synchronization/lock.h"
-#include "crypto/mac_security_services_lock.h"
-#include "net/base/host_port_pair.h"
-#include "net/cert/x509_util.h"
-#include "net/cert/x509_util_mac.h"
-
-using base::ScopedCFTypeRef;
-
-namespace net {
-
-namespace {
-
-// Gets the issuer for a given cert, starting with the cert itself and
-// including the intermediate and finally root certificates (if any).
-// This function calls SecTrust but doesn't actually pay attention to the trust
-// result: it shouldn't be used to determine trust, just to traverse the chain.
-// Caller is responsible for releasing the value stored into *out_cert_chain.
-OSStatus CopyCertChain(SecCertificateRef cert_handle,
-                       CFArrayRef* out_cert_chain) {
-  DCHECK(cert_handle);
-  DCHECK(out_cert_chain);
-
-  // Create an SSL policy ref configured for client cert evaluation.
-  SecPolicyRef ssl_policy;
-  OSStatus result = x509_util::CreateSSLClientPolicy(&ssl_policy);
-  if (result)
-    return result;
-  ScopedCFTypeRef<SecPolicyRef> scoped_ssl_policy(ssl_policy);
-
-  // Create a SecTrustRef.
-  ScopedCFTypeRef<CFArrayRef> input_certs(CFArrayCreate(
-      NULL, const_cast<const void**>(reinterpret_cast<void**>(&cert_handle)),
-      1, &kCFTypeArrayCallBacks));
-  SecTrustRef trust_ref = NULL;
-  {
-    base::AutoLock lock(crypto::GetMacSecurityServicesLock());
-    result = SecTrustCreateWithCertificates(input_certs, ssl_policy,
-                                            &trust_ref);
-  }
-  if (result)
-    return result;
-  ScopedCFTypeRef<SecTrustRef> trust(trust_ref);
-
-  // Evaluate trust, which creates the cert chain.
-  SecTrustResultType status;
-  CSSM_TP_APPLE_EVIDENCE_INFO* status_chain;
-  {
-    base::AutoLock lock(crypto::GetMacSecurityServicesLock());
-    result = SecTrustEvaluate(trust, &status);
-  }
-  if (result)
-    return result;
-  {
-    base::AutoLock lock(crypto::GetMacSecurityServicesLock());
-    result = SecTrustGetResult(trust, &status, out_cert_chain, &status_chain);
-  }
-  return result;
-}
-
-// Returns true if |*cert| is issued by an authority in |valid_issuers|
-// according to Keychain Services, rather than using |cert|'s intermediate
-// certificates. If it is, |*cert| is updated to point to the completed
-// certificate
-bool IsIssuedByInKeychain(const std::vector<std::string>& valid_issuers,
-                          scoped_refptr<X509Certificate>* cert) {
-  DCHECK(cert);
-  DCHECK(cert->get());
-
-  X509Certificate::OSCertHandle cert_handle = (*cert)->os_cert_handle();
-  CFArrayRef cert_chain = NULL;
-  OSStatus result = CopyCertChain(cert_handle, &cert_chain);
-  if (result) {
-    OSSTATUS_LOG(ERROR, result) << "CopyCertChain error";
-    return false;
-  }
-
-  if (!cert_chain)
-    return false;
-
-  X509Certificate::OSCertHandles intermediates;
-  for (CFIndex i = 1, chain_count = CFArrayGetCount(cert_chain);
-       i < chain_count; ++i) {
-    SecCertificateRef cert = reinterpret_cast<SecCertificateRef>(
-        const_cast<void*>(CFArrayGetValueAtIndex(cert_chain, i)));
-    intermediates.push_back(cert);
-  }
-
-  scoped_refptr<X509Certificate> new_cert(X509Certificate::CreateFromHandle(
-      cert_handle, intermediates));
-  CFRelease(cert_chain);  // Also frees |intermediates|.
-
-  if (!new_cert->IsIssuedByEncoded(valid_issuers))
-    return false;
-
-  cert->swap(new_cert);
-  return true;
-}
-
-// Examines the certificates in |preferred_cert| and |regular_certs| to find
-// all certificates that match the client certificate request in |request|,
-// storing the matching certificates in |selected_certs|.
-// If |query_keychain| is true, Keychain Services will be queried to construct
-// full certificate chains. If it is false, only the the certificates and their
-// intermediates (available via X509Certificate::GetIntermediateCertificates())
-// will be considered.
-void GetClientCertsImpl(const scoped_refptr<X509Certificate>& preferred_cert,
-                        const CertificateList& regular_certs,
-                        const SSLCertRequestInfo& request,
-                        bool query_keychain,
-                        CertificateList* selected_certs) {
-  CertificateList preliminary_list;
-  if (preferred_cert.get())
-    preliminary_list.push_back(preferred_cert);
-  preliminary_list.insert(preliminary_list.end(), regular_certs.begin(),
-                          regular_certs.end());
-
-  selected_certs->clear();
-  for (size_t i = 0; i < preliminary_list.size(); ++i) {
-    scoped_refptr<X509Certificate>& cert = preliminary_list[i];
-    if (cert->HasExpired() || !cert->SupportsSSLClientAuth())
-      continue;
-
-    // Skip duplicates (a cert may be in multiple keychains).
-    const SHA1HashValue& fingerprint = cert->fingerprint();
-    size_t pos;
-    for (pos = 0; pos < selected_certs->size(); ++pos) {
-      if ((*selected_certs)[pos]->fingerprint().Equals(fingerprint))
-        break;
-    }
-    if (pos < selected_certs->size())
-      continue;
-
-    // Check if the certificate issuer is allowed by the server.
-    if (request.cert_authorities.empty() ||
-        cert->IsIssuedByEncoded(request.cert_authorities) ||
-        (query_keychain &&
-         IsIssuedByInKeychain(request.cert_authorities, &cert))) {
-      selected_certs->push_back(cert);
-    }
-  }
-
-  // Preferred cert should appear first in the ui, so exclude it from the
-  // sorting.
-  CertificateList::iterator sort_begin = selected_certs->begin();
-  CertificateList::iterator sort_end = selected_certs->end();
-  if (preferred_cert.get() && sort_begin != sort_end &&
-      sort_begin->get() == preferred_cert.get()) {
-    ++sort_begin;
-  }
-  sort(sort_begin, sort_end, x509_util::ClientCertSorter());
-}
-
-}  // namespace
-
-ClientCertStoreMac::ClientCertStoreMac() {}
-
-ClientCertStoreMac::~ClientCertStoreMac() {}
-
-void ClientCertStoreMac::GetClientCerts(const SSLCertRequestInfo& request,
-                                         CertificateList* selected_certs,
-                                         const base::Closure& callback) {
-  std::string server_domain = request.host_and_port.host();
-
-  ScopedCFTypeRef<SecIdentityRef> preferred_identity;
-  if (!server_domain.empty()) {
-    // See if there's an identity preference for this domain:
-    ScopedCFTypeRef<CFStringRef> domain_str(
-        base::SysUTF8ToCFStringRef("https://" + server_domain));
-    SecIdentityRef identity = NULL;
-    // While SecIdentityCopyPreferences appears to take a list of CA issuers
-    // to restrict the identity search to, within Security.framework the
-    // argument is ignored and filtering unimplemented. See
-    // SecIdentity.cpp in libsecurity_keychain, specifically
-    // _SecIdentityCopyPreferenceMatchingName().
-    {
-      base::AutoLock lock(crypto::GetMacSecurityServicesLock());
-      if (SecIdentityCopyPreference(domain_str, 0, NULL, &identity) == noErr)
-        preferred_identity.reset(identity);
-    }
-  }
-
-  // Now enumerate the identities in the available keychains.
-  scoped_refptr<X509Certificate> preferred_cert = NULL;
-  CertificateList regular_certs;
-
-  SecIdentitySearchRef search = NULL;
-  OSStatus err;
-  {
-    base::AutoLock lock(crypto::GetMacSecurityServicesLock());
-    err = SecIdentitySearchCreate(NULL, CSSM_KEYUSE_SIGN, &search);
-  }
-  if (err) {
-    selected_certs->clear();
-    callback.Run();
-    return;
-  }
-  ScopedCFTypeRef<SecIdentitySearchRef> scoped_search(search);
-  while (!err) {
-    SecIdentityRef identity = NULL;
-    {
-      base::AutoLock lock(crypto::GetMacSecurityServicesLock());
-      err = SecIdentitySearchCopyNext(search, &identity);
-    }
-    if (err)
-      break;
-    ScopedCFTypeRef<SecIdentityRef> scoped_identity(identity);
-
-    SecCertificateRef cert_handle;
-    err = SecIdentityCopyCertificate(identity, &cert_handle);
-    if (err != noErr)
-      continue;
-    ScopedCFTypeRef<SecCertificateRef> scoped_cert_handle(cert_handle);
-
-    scoped_refptr<X509Certificate> cert(
-        X509Certificate::CreateFromHandle(cert_handle,
-                                          X509Certificate::OSCertHandles()));
-
-    if (preferred_identity && CFEqual(preferred_identity, identity)) {
-      // Only one certificate should match.
-      DCHECK(!preferred_cert.get());
-      preferred_cert = cert;
-    } else {
-      regular_certs.push_back(cert);
-    }
-  }
-
-  if (err != errSecItemNotFound) {
-    OSSTATUS_LOG(ERROR, err) << "SecIdentitySearch error";
-    selected_certs->clear();
-    callback.Run();
-    return;
-  }
-
-  GetClientCertsImpl(preferred_cert, regular_certs, request, true,
-                     selected_certs);
-  callback.Run();
-}
-
-bool ClientCertStoreMac::SelectClientCertsForTesting(
-    const CertificateList& input_certs,
-    const SSLCertRequestInfo& request,
-    CertificateList* selected_certs) {
-  GetClientCertsImpl(NULL, input_certs, request, false, selected_certs);
-  return true;
-}
-
-bool ClientCertStoreMac::SelectClientCertsGivenPreferredForTesting(
-    const scoped_refptr<X509Certificate>& preferred_cert,
-    const CertificateList& regular_certs,
-    const SSLCertRequestInfo& request,
-    CertificateList* selected_certs) {
-  GetClientCertsImpl(
-      preferred_cert, regular_certs, request, false, selected_certs);
-  return true;
-}
-
-}  // namespace net