Chromium Code Reviews Chromium Code Reviews
Issue 994743003:
Support for client certs in ssl_server_socket.
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle | 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle |
| 6 // of operation is derived from SSLClientSocketNSS. | 6 // of operation is derived from SSLClientSocketNSS. |
| 7 | 7 |
| 8 #include "net/socket/ssl_client_socket_openssl.h" | 8 #include "net/socket/ssl_client_socket_openssl.h" |
| 9 | 9 |
| 10 #include <errno.h> | 10 #include <errno.h> |
| 11 #include <openssl/bio.h> | 11 #include <openssl/bio.h> |
| 12 #include <openssl/err.h> | 12 #include <openssl/err.h> |
| 13 #include <openssl/ssl.h> | 13 #include <openssl/ssl.h> |
| 14 #include <string.h> | 14 #include <string.h> |
| 15 | 15 |
| 16 #include "base/bind.h" | 16 #include "base/bind.h" |
| 17 #include "base/callback_helpers.h" | 17 #include "base/callback_helpers.h" |
| 18 #include "base/environment.h" | 18 #include "base/environment.h" |
| 19 #include "base/memory/singleton.h" | 19 #include "base/memory/singleton.h" |
| 20 #include "base/metrics/histogram.h" | 20 #include "base/metrics/histogram.h" |
| 21 #include "base/profiler/scoped_tracker.h" | 21 #include "base/profiler/scoped_tracker.h" |
| 22 #include "base/strings/string_piece.h" | 22 #include "base/strings/string_piece.h" |
| 23 #include "base/synchronization/lock.h" | 23 #include "base/synchronization/lock.h" |
| 24 #include "base/threading/thread_local.h" | 24 #include "base/threading/thread_local.h" |
| 25 #include "crypto/ec_private_key.h" | 25 #include "crypto/ec_private_key.h" |
| 26 #include "crypto/openssl_util.h" | 26 #include "crypto/openssl_util.h" |
| 27 #include "crypto/rsa_private_key.h" | |
| 27 #include "crypto/scoped_openssl_types.h" | 28 #include "crypto/scoped_openssl_types.h" |
| 28 #include "net/base/net_errors.h" | 29 #include "net/base/net_errors.h" |
| 29 #include "net/cert/cert_policy_enforcer.h" | 30 #include "net/cert/cert_policy_enforcer.h" |
| 30 #include "net/cert/cert_verifier.h" | 31 #include "net/cert/cert_verifier.h" |
| 31 #include "net/cert/ct_ev_whitelist.h" | 32 #include "net/cert/ct_ev_whitelist.h" |
| 32 #include "net/cert/ct_verifier.h" | 33 #include "net/cert/ct_verifier.h" |
| 33 #include "net/cert/single_request_cert_verifier.h" | 34 #include "net/cert/single_request_cert_verifier.h" |
| 34 #include "net/cert/x509_certificate_net_log_param.h" | 35 #include "net/cert/x509_certificate_net_log_param.h" |
| 35 #include "net/cert/x509_util_openssl.h" | 36 #include "net/cert/x509_util_openssl.h" |
| 36 #include "net/http/transport_security_state.h" | 37 #include "net/http/transport_security_state.h" |
| 37 #include "net/socket/ssl_session_cache_openssl.h" | 38 #include "net/socket/ssl_session_cache_openssl.h" |
| 39 #include "net/ssl/openssl_ssl_util.h" | |
| 38 #include "net/ssl/scoped_openssl_types.h" | 40 #include "net/ssl/scoped_openssl_types.h" |
| 39 #include "net/ssl/ssl_cert_request_info.h" | 41 #include "net/ssl/ssl_cert_request_info.h" |
| 40 #include "net/ssl/ssl_connection_status_flags.h" | 42 #include "net/ssl/ssl_connection_status_flags.h" |
| 41 #include "net/ssl/ssl_info.h" | 43 #include "net/ssl/ssl_info.h" |
| 42 | 44 |
| 43 #if defined(OS_WIN) | 45 #if defined(OS_WIN) |
| 44 #include "base/win/windows_version.h" | 46 #include "base/win/windows_version.h" |
| 45 #endif | 47 #endif |
| 46 | 48 |
| 47 #if defined(USE_OPENSSL_CERTS) | 49 #if defined(USE_OPENSSL_CERTS) |
| (...skipping 1759 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1807 } | 1809 } |
| 1808 | 1810 |
| 1809 ScopedX509Stack chain = OSCertHandlesToOpenSSL( | 1811 ScopedX509Stack chain = OSCertHandlesToOpenSSL( |
| 1810 ssl_config_.client_cert->GetIntermediateCertificates()); | 1812 ssl_config_.client_cert->GetIntermediateCertificates()); |
| 1811 if (!chain) { | 1813 if (!chain) { |
| 1812 LOG(WARNING) << "Failed to import intermediate certificates"; | 1814 LOG(WARNING) << "Failed to import intermediate certificates"; |
| 1813 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_CERT_BAD_FORMAT); | 1815 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_CERT_BAD_FORMAT); |
| 1814 return -1; | 1816 return -1; |
| 1815 } | 1817 } |
| 1816 | 1818 |
| 1817 // TODO(davidben): With Linux client auth support, this should be | 1819 crypto::ScopedEVP_PKEY privkey; |
|
davidben
2015/03/25 00:05:33
This entire mess should be EVP_PKEY_dup (which bum
| |
| 1818 // conditioned on OS_ANDROID and then, with https://crbug.com/394131, | 1820 if (client_private_key_.get()) { |
|
Ryan Sleevi
2015/03/19 04:38:24
STYLE: Don't use .get() for scoped_ptr bool testin
| |
| 1819 // removed altogether. OpenSSLClientKeyStore is mostly an artifact of the | 1821 privkey.reset(EVP_PKEY_new()); |
| 1820 // net/ client auth API lacking a private key handle. | 1822 crypto::ScopedRSA rsa(EVP_PKEY_get1_RSA(client_private_key_->key())); |
| 1823 if (!EVP_PKEY_set1_RSA(privkey.get(), rsa.get())) { | |
| 1824 privkey.reset(NULL); | |
| 1825 } | |
|
Ryan Sleevi
2015/03/19 04:38:24
STYLE: no braces for single-line if
STYLE: nullptr
| |
| 1826 } else { | |
| 1827 // TODO(davidben): With Linux client auth support, this should be | |
| 1828 // conditioned on OS_ANDROID and then, with https://crbug.com/394131, | |
| 1829 // removed altogether. OpenSSLClientKeyStore is mostly an artifact of the | |
| 1830 // net/ client auth API lacking a private key handle. | |
|
Ryan Sleevi
2015/03/19 04:38:24
STYLE: This comment style is ugly.
If nececessary
| |
| 1821 #if defined(USE_OPENSSL_CERTS) | 1831 #if defined(USE_OPENSSL_CERTS) |
| 1822 crypto::ScopedEVP_PKEY privkey = | 1832 privkey = OpenSSLClientKeyStore::GetInstance() |
| 1823 OpenSSLClientKeyStore::GetInstance()->FetchClientCertPrivateKey( | 1833 ->FetchClientCertPrivateKey(ssl_config_.client_cert.get()) |
| 1824 ssl_config_.client_cert.get()); | 1834 .Pass(); |
| 1825 #else // !defined(USE_OPENSSL_CERTS) | 1835 #else // !defined(USE_OPENSSL_CERTS) |
| 1826 crypto::ScopedEVP_PKEY privkey = | 1836 privkey = FetchClientCertPrivateKey(ssl_config_.client_cert.get()).Pass(); |
| 1827 FetchClientCertPrivateKey(ssl_config_.client_cert.get()); | |
| 1828 #endif // defined(USE_OPENSSL_CERTS) | 1837 #endif // defined(USE_OPENSSL_CERTS) |
| 1838 } | |
| 1829 if (!privkey) { | 1839 if (!privkey) { |
| 1830 // Could not find the private key. Fail the handshake and surface an | 1840 // Could not find the private key. Fail the handshake and surface an |
| 1831 // appropriate error to the caller. | 1841 // appropriate error to the caller. |
| 1832 LOG(WARNING) << "Client cert found without private key"; | 1842 LOG(WARNING) << "Client cert found without private key"; |
| 1833 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_CERT_NO_PRIVATE_KEY); | 1843 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_CERT_NO_PRIVATE_KEY); |
| 1834 return -1; | 1844 return -1; |
| 1835 } | 1845 } |
| 1836 | 1846 |
| 1837 if (!SSL_use_certificate(ssl_, leaf_x509.get()) || | 1847 if (!SSL_use_certificate(ssl_, leaf_x509.get()) || |
| 1838 !SSL_use_PrivateKey(ssl_, privkey.get()) || | 1848 !SSL_use_PrivateKey(ssl_, privkey.get()) || |
| (...skipping 203 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 2042 SignedCertificateTimestampAndStatus(*iter, | 2052 SignedCertificateTimestampAndStatus(*iter, |
| 2043 ct::SCT_STATUS_LOG_UNKNOWN)); | 2053 ct::SCT_STATUS_LOG_UNKNOWN)); |
| 2044 } | 2054 } |
| 2045 } | 2055 } |
| 2046 | 2056 |
| 2047 scoped_refptr<X509Certificate> | 2057 scoped_refptr<X509Certificate> |
| 2048 SSLClientSocketOpenSSL::GetUnverifiedServerCertificateChain() const { | 2058 SSLClientSocketOpenSSL::GetUnverifiedServerCertificateChain() const { |
| 2049 return server_cert_; | 2059 return server_cert_; |
| 2050 } | 2060 } |
| 2051 | 2061 |
| 2062 void SSLClientSocketOpenSSL::ForceClientCertificateAndKeyForTest( | |
| 2063 scoped_refptr<X509Certificate> client_cert, | |
| 2064 scoped_ptr<crypto::RSAPrivateKey> client_private_key) { | |
| 2065 ssl_config_.send_client_cert = true; | |
| 2066 ssl_config_.client_cert = client_cert; | |
| 2067 client_private_key_ = client_private_key.Pass(); | |
| 2068 } | |
| 2069 | |
| 2052 } // namespace net | 2070 } // namespace net |
| OLD | NEW |
