SSLCertRequestInfo: Add |valid_cas| and |valid_key_types|

net/base/x509_certificate_openssl.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/x509_certificate.h"
 
 #include <openssl/asn1.h>
 #include <openssl/crypto.h>
 #include <openssl/obj_mac.h>
 #include <openssl/pem.h>
 #include <openssl/pkcs7.h>
 #include <openssl/sha.h>
 #include <openssl/ssl.h>
 #include <openssl/x509v3.h>
 
 #include "base/memory/singleton.h"
 #include "base/pickle.h"
 #include "base/sha1.h"
 #include "base/string_number_conversions.h"
 #include "base/string_util.h"
 #include "crypto/openssl_util.h"
 #include "net/base/net_errors.h"
 #include "net/base/net_util.h"
+#include "net/base/ssl_cert_request_info.h"
+#include "net/base/x509_cert_types.h"
 #include "net/base/x509_util_openssl.h"
 
 #if defined(OS_ANDROID)
 #include "base/logging.h"
 #include "net/android/network_library.h"
 #endif
 
 namespace net {
 
 namespace {
@@ skipping 430 matching lines @@
       *type = kPublicKeyTypeECDSA;
       *size_bits = EVP_PKEY_size(key);
       break;
     case EVP_PKEY_DH:
       *type = kPublicKeyTypeDH;
       *size_bits = EVP_PKEY_size(key) * 8;
       break;
   }
 }
 
+bool X509Certificate::IsValidClientCertificate(
+    const SSLCertRequestInfo& cert_info) {
+
+  bool cert_still_valid = true;
+
+  // Some unit tests can explicitely set |no_client_certs| to false
+  // and fill up |client_certs|, so handle this here.
+  if (!cert_info.no_client_certs) {
+    const std::vector<scoped_refptr<X509Certificate> >& client_certs =
+        cert_info.client_certs;
+    for (size_t i = 0; i < client_certs.size(); ++i) {
+      if (Equals(client_certs[i])) {
+        return true;
+      }
+    }
+    return false;
+  }
+
+  DCHECK(cert_info.no_client_certs == true);
+
+  // TODO(digit): Check certificate authorities.
+  // It's unclear what the best way to do this is, i.e. the specication
+  // states that about the "certificate_authorities" field of a
+  // CertificateRequest message:
+  //
+  //     A list of the distinguished names of acceptable certificate
+  //     authorities. These distinguished names may specify a desired
+  //     distinguished name for a root CA or for a subordinate CA;
+  //     thus, this message can be used both to describe known roots
+  //     and a desired authorization space.
+  //
+  // The "authorization space" seems to indicate that each listed
+  // distinguished name may only include a small set of strings that
+  // need to be matched against those in the certificate chain.
+  //
+  // For now, ignore this step, and assume that the server will
+  // perform the verification itself.
+  //
+
+  // Check the key type
+  crypto::ScopedOpenSSL<EVP_PKEY, EVP_PKEY_free> scoped_key(
+      X509_get_pubkey(cert_handle_));
+  if (!scoped_key.get())
+    return false;
+
+  SSLClientCertType key_type;
+  switch (scoped_key.get()->type) {
+    case EVP_PKEY_RSA:
+      key_type = CLIENT_CERT_RSA_SIGN;
+      break;
+#if 0
+    // TODO(digit): Add CLIENT_CERT_DSA_SIGN to SSLClientCertType.
+    case EVP_PKEY_DSA:
+      key_type = CLIENT_CERT_DSA_SIGN;
+      break;
+#endif
+    case EVP_PKEY_EC:
+      key_type = CLIENT_CERT_ECDSA_SIGN;
+      break;
+    default:
+      // Unknown key type
+      return false;
+  }
+
+  cert_still_valid = false;
+  for (size_t n = 0; n < cert_info.valid_key_types.size(); ++n) {
+    if (cert_info.valid_key_types[n] == key_type) {
+      cert_still_valid = true;
+      break;
+    }
+  }
+
+  return cert_still_valid;
+}
+
 }  // namespace net