Add server certificate request parameters to be stored in SSLCertRequestInfo.

net/socket/ssl_client_socket_nss.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived
 // from AuthCertificateCallback() in
 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.
 
 /* ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
@@ skipping 411 matching lines @@
   // negotiated protocol stored in |next_proto|.
   SSLClientSocket::NextProtoStatus next_proto_status;
   std::string next_proto;
   // If the server supports NPN, the protocols supported by the server.
   std::string server_protos;
 
   // True if a channel ID was sent.
   bool channel_id_sent;
 
   // If the peer requests client certificate authentication, the set of
-  // certificates that matched the peer's criteria.
+  // certificates that matched the peer's criteria. This should be soon removed
+  // as being tracked in http://crbug.com/166642.
   CertificateList client_certs;
 
+  // List of DER-encoded X.509 DistinguishedName of certificate authorities
+  // allowed by the server.
+  std::vector<std::string> cert_authorities;
+
   // Set when the handshake fully completes.
   //
   // The server certificate is first received from NSS as an NSS certificate
   // chain (|server_cert_chain|) and then converted into a platform-specific
   // X509Certificate object (|server_cert|). It's possible for some
   // certificates to be successfully parsed by NSS, and not by the platform
   // libraries (i.e.: when running within a sandbox, different parsing
   // algorithms, etc), so it's not safe to assume that |server_cert| will
   // always be non-NULL.
   PeerCertificateChain server_cert_chain;
@@ skipping 849 matching lines @@
       }
       LOG(WARNING) << "Client cert found without private key";
     }
 
     // Send no client certificate.
     core->AddCertProvidedEvent(0);
     return SECFailure;
   }
 
   core->nss_handshake_state_.client_certs.clear();
+  core->nss_handshake_state_.cert_authorities.clear();
 
   std::vector<CERT_NAME_BLOB> issuer_list(ca_names->nnames);
   for (int i = 0; i < ca_names->nnames; ++i) {
     issuer_list[i].cbData = ca_names->names[i].len;
     issuer_list[i].pbData = ca_names->names[i].data;
+    core->nss_handshake_state_.cert_authorities.push_back(std::string(
+        reinterpret_cast<const char*>(ca_names->names[i].data),
+        static_cast<size_t>(ca_names->names[i].len)));
   }
 
+  // Retrieve the list of matching client certificates. This is to be moved out
+  // of here as a part of refactoring effort being tracked in
+  // http://crbug.com/166642.
+
   // Client certificates of the user are in the "MY" system certificate store.
   HCERTSTORE my_cert_store = CertOpenSystemStore(NULL, L"MY");
   if (!my_cert_store) {
     PLOG(ERROR) << "Could not open the \"MY\" system certificate store";
 
     core->AddCertProvidedEvent(0);
     return SECFailure;
   }
 
   // Enumerate the client certificates.
@@ skipping 152 matching lines @@
       if (chain)
         CFRelease(chain);
     }
 
     // Send no client certificate.
     core->AddCertProvidedEvent(0);
     return SECFailure;
   }
 
   core->nss_handshake_state_.client_certs.clear();
+  core->nss_handshake_state_.cert_authorities.clear();
 
-  // First, get the cert issuer names allowed by the server.
+  // Retrieve the cert issuers accepted by the server. This information is
+  // currently (temporarily) being saved both in |valid_issuers| and
+  // |cert_authorities|, the latter being the target solution. The refactoring
+  // effort is being tracked in http://crbug.com/166642.
   std::vector<CertPrincipal> valid_issuers;
   int n = ca_names->nnames;
   for (int i = 0; i < n; i++) {
-    // Parse each name into a CertPrincipal object.
+    // Add the DER-encoded issuer DistinguishedName to |cert_authorities|.
+    core->nss_handshake_state_.cert_authorities.push_back(std::string(
+        reinterpret_cast<const char*>(ca_names->names[i].data),
+        static_cast<size_t>(ca_names->names[i].len)));
+    // Add the CertPrincipal object representing the issuer to
+    // |valid_issuers|.
     CertPrincipal p;
     if (p.ParseDistinguishedName(ca_names->names[i].data,
                                  ca_names->names[i].len)) {
       valid_issuers.push_back(p);
     }
   }
 
   // Now get the available client certs whose issuers are allowed by the server.
   X509Certificate::GetSSLClientCertificates(
       core->host_and_port_.host(), valid_issuers,
@@ skipping 56 matching lines @@
 
   core->PostOrRunCallback(
       FROM_HERE,
       base::Bind(&AddLogEvent, core->weak_net_log_,
                  NetLog::TYPE_SSL_CLIENT_CERT_REQUESTED));
 
   // Regular client certificate requested.
   core->client_auth_cert_needed_ = !core->ssl_config_.send_client_cert;
   void* wincx  = SSL_RevealPinArg(socket);
 
-  // Second pass: a client certificate should have been selected.
   if (core->ssl_config_.send_client_cert) {
+    // Second pass: a client certificate should have been selected.
     if (core->ssl_config_.client_cert) {
       CERTCertificate* cert = CERT_DupCertificate(
           core->ssl_config_.client_cert->os_cert_handle());
       SECKEYPrivateKey* privkey = PK11_FindKeyByAnyCert(cert, wincx);
       if (privkey) {
         // TODO(jsorianopastor): We should wait for server certificate
         // verification before sending our credentials.  See
         // http://crbug.com/13934.
         *result_certificate = cert;
         *result_private_key = privkey;
         // A cert_count of -1 means the number of certificates is unknown.
         // NSS will construct the certificate chain.
         core->AddCertProvidedEvent(-1);
 
         return SECSuccess;
       }
       LOG(WARNING) << "Client cert found without private key";
     }
     // Send no client certificate.
     core->AddCertProvidedEvent(0);
     return SECFailure;
   }
 
+  // First pass: client certificate is needed.
   core->nss_handshake_state_.client_certs.clear();
+  core->nss_handshake_state_.cert_authorities.clear();
 
-  // Iterate over all client certificates.
+  // Retrieve the DER-encoded DistinguishedName of the cert issuers accepted by
+  // the server and save them in |cert_authorities|.
+  for (int i = 0; i < ca_names->nnames; i++) {
+    core->nss_handshake_state_.cert_authorities.push_back(std::string(
+        reinterpret_cast<const char*>(ca_names->names[i].data),
+        static_cast<size_t>(ca_names->names[i].len)));
+  }
+
+  // Iterate over all client certificates and put the ones matching the server
+  // criteria in |nss_handshake_state_.client_certs|. This is to be moved out of
+  // here as a part of refactoring effort being tracked in
+  // http://crbug.com/166642.
   CERTCertList* client_certs = CERT_FindUserCertsByUsage(
       CERT_GetDefaultCertDB(), certUsageSSLClient,
       PR_FALSE, PR_FALSE, wincx);
   if (client_certs) {
     for (CERTCertListNode* node = CERT_LIST_HEAD(client_certs);
          !CERT_LIST_END(node, client_certs);
          node = CERT_LIST_NEXT(node)) {
       // Only offer unexpired certificates.
       if (CERT_CheckCertValidTimes(node->cert, PR_Now(), PR_TRUE) !=
           secCertTimeValid) {
@@ skipping 1169 matching lines @@
 
   LeaveFunction("");
   return true;
 }
 
 void SSLClientSocketNSS::GetSSLCertRequestInfo(
     SSLCertRequestInfo* cert_request_info) {
   EnterFunction("");
   // TODO(rch): switch SSLCertRequestInfo.host_and_port to a HostPortPair
   cert_request_info->host_and_port = host_and_port_.ToString();
+  cert_request_info->cert_authorities = core_->state().cert_authorities;
+  // This should be removed as being tracked in http://crbug.com/166642.
   cert_request_info->client_certs = core_->state().client_certs;
   LeaveFunction(cert_request_info->client_certs.size());
 }
 
 int SSLClientSocketNSS::ExportKeyingMaterial(const base::StringPiece& label,
                                              bool has_context,
                                              const base::StringPiece& context,
                                              unsigned char* out,
                                              unsigned int outlen) {
   if (!IsConnected())
@@ skipping 668 matching lines @@
   EnsureThreadIdAssigned();
   base::AutoLock auto_lock(lock_);
   return valid_thread_id_ == base::PlatformThread::CurrentId();
 }
 
 ServerBoundCertService* SSLClientSocketNSS::GetServerBoundCertService() const {
   return server_bound_cert_service_;
 }
 
 }  // namespace net