Move client certificates retrieval logic out of the SSL sockets.

net/socket/ssl_client_socket_nss.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived
 // from AuthCertificateCallback() in
 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.
 
 /* ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
@@ skipping 393 matching lines @@
 // that the network task runner can safely make a copy, which avoids the need
 // for locking.
 struct HandshakeState {
   HandshakeState() { Reset(); }
 
   void Reset() {
     next_proto_status = SSLClientSocket::kNextProtoUnsupported;
     next_proto.clear();
     server_protos.clear();
     channel_id_sent = false;
-    client_certs.clear();
     server_cert_chain.Reset(NULL);
     server_cert = NULL;
     resumed_handshake = false;
     ssl_connection_status = 0;
   }
 
   // Set to kNextProtoNegotiated if NPN was successfully negotiated, with the
   // negotiated protocol stored in |next_proto|.
   SSLClientSocket::NextProtoStatus next_proto_status;
   std::string next_proto;
   // If the server supports NPN, the protocols supported by the server.
   std::string server_protos;
 
   // True if a channel ID was sent.
   bool channel_id_sent;
 
-  // If the peer requests client certificate authentication, the set of
-  // certificates that matched the peer's criteria. This should be soon removed
-  // as being tracked in http://crbug.com/166642.
-  CertificateList client_certs;
-
   // List of DER-encoded X.509 DistinguishedName of certificate authorities
   // allowed by the server.
   std::vector<std::string> cert_authorities;
 
   // Set when the handshake fully completes.
   //
   // The server certificate is first received from NSS as an NSS certificate
   // chain (|server_cert_chain|) and then converted into a platform-specific
   // X509Certificate object (|server_cert|). It's possible for some
   // certificates to be successfully parsed by NSS, and not by the platform
@@ skipping 905 matching lines @@
         return SECSuccess;
       }
       LOG(WARNING) << "Client cert found without private key";
     }
 
     // Send no client certificate.
     core->AddCertProvidedEvent(0);
     return SECFailure;
   }
 
-  core->nss_handshake_state_.client_certs.clear();
   core->nss_handshake_state_.cert_authorities.clear();
 
   std::vector<CERT_NAME_BLOB> issuer_list(ca_names->nnames);
   for (int i = 0; i < ca_names->nnames; ++i) {
     issuer_list[i].cbData = ca_names->names[i].len;
     issuer_list[i].pbData = ca_names->names[i].data;
     core->nss_handshake_state_.cert_authorities.push_back(std::string(
         reinterpret_cast<const char*>(ca_names->names[i].data),
         static_cast<size_t>(ca_names->names[i].len)));
   }
 
-  // Retrieve the list of matching client certificates. This is to be moved out
-  // of here as a part of refactoring effort being tracked in
-  // http://crbug.com/166642.
-
-  // Client certificates of the user are in the "MY" system certificate store.
-  HCERTSTORE my_cert_store = CertOpenSystemStore(NULL, L"MY");
-  if (!my_cert_store) {
-    PLOG(ERROR) << "Could not open the \"MY\" system certificate store";
-
-    core->AddCertProvidedEvent(0);
-    return SECFailure;
-  }
-
-  // Enumerate the client certificates.
-  CERT_CHAIN_FIND_BY_ISSUER_PARA find_by_issuer_para;
-  memset(&find_by_issuer_para, 0, sizeof(find_by_issuer_para));
-  find_by_issuer_para.cbSize = sizeof(find_by_issuer_para);
-  find_by_issuer_para.pszUsageIdentifier = szOID_PKIX_KP_CLIENT_AUTH;
-  find_by_issuer_para.cIssuer = ca_names->nnames;
-  find_by_issuer_para.rgIssuer = ca_names->nnames ? &issuer_list[0] : NULL;
-  find_by_issuer_para.pfnFindCallback = ClientCertFindCallback;
-
-  PCCERT_CHAIN_CONTEXT chain_context = NULL;
-  DWORD find_flags = CERT_CHAIN_FIND_BY_ISSUER_CACHE_ONLY_FLAG |
-                     CERT_CHAIN_FIND_BY_ISSUER_CACHE_ONLY_URL_FLAG;
-
-  for (;;) {
-    // Find a certificate chain.
-    chain_context = CertFindChainInStore(my_cert_store,
-                                         X509_ASN_ENCODING,
-                                         find_flags,
-                                         CERT_CHAIN_FIND_BY_ISSUER,
-                                         &find_by_issuer_para,
-                                         chain_context);
-    if (!chain_context) {
-      DWORD err = GetLastError();
-      if (err != CRYPT_E_NOT_FOUND)
-        DLOG(ERROR) << "CertFindChainInStore failed: " << err;
-      break;
-    }
-
-    // Get the leaf certificate.
-    PCCERT_CONTEXT cert_context =
-        chain_context->rgpChain[0]->rgpElement[0]->pCertContext;
-    // Create a copy the handle, so that we can close the "MY" certificate store
-    // before returning from this function.
-    PCCERT_CONTEXT cert_context2;
-    BOOL ok = CertAddCertificateContextToStore(NULL, cert_context,
-                                               CERT_STORE_ADD_USE_EXISTING,
-                                               &cert_context2);
-    if (!ok) {
-      NOTREACHED();
-      continue;
-    }
-
-    // Copy the rest of the chain. Copying the chain stops gracefully if an
-    // error is encountered, with the partial chain being used as the
-    // intermediates, as opposed to failing to consider the client certificate
-    // at all.
-    net::X509Certificate::OSCertHandles intermediates;
-    for (DWORD i = 1; i < chain_context->rgpChain[0]->cElement; i++) {
-      PCCERT_CONTEXT intermediate_copy;
-      ok = CertAddCertificateContextToStore(
-          NULL, chain_context->rgpChain[0]->rgpElement[i]->pCertContext,
-          CERT_STORE_ADD_USE_EXISTING, &intermediate_copy);
-      if (!ok) {
-        NOTREACHED();
-        break;
-      }
-      intermediates.push_back(intermediate_copy);
-    }
-
-    scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromHandle(
-        cert_context2, intermediates);
-    core->nss_handshake_state_.client_certs.push_back(cert);
-
-    X509Certificate::FreeOSCertHandle(cert_context2);
-    for (net::X509Certificate::OSCertHandles::iterator it =
-        intermediates.begin(); it != intermediates.end(); ++it) {
-      net::X509Certificate::FreeOSCertHandle(*it);
-    }
-  }
-
-  std::sort(core->nss_handshake_state_.client_certs.begin(),
-            core->nss_handshake_state_.client_certs.end(),
-            x509_util::ClientCertSorter());
-
-  BOOL ok = CertCloseStore(my_cert_store, CERT_CLOSE_STORE_CHECK_FLAG);
-  DCHECK(ok);
-
   // Update the network task runner's view of the handshake state now that
-  // client certs have been detected.
+  // server certificate request has been recorded.
   core->PostOrRunCallback(
       FROM_HERE, base::Bind(&Core::OnHandshakeStateUpdated, core,
                             core->nss_handshake_state_));
 
   // Tell NSS to suspend the client authentication.  We will then abort the
   // handshake by returning ERR_SSL_CLIENT_AUTH_CERT_NEEDED.
   return SECWouldBlock;
 #elif defined(OS_MACOSX)
   if (core->ssl_config_.send_client_cert) {
     if (core->ssl_config_.client_cert) {
@@ skipping 63 matching lines @@
         CFRelease(private_key);
       if (chain)
         CFRelease(chain);
     }
 
     // Send no client certificate.
     core->AddCertProvidedEvent(0);
     return SECFailure;
   }
 
-  core->nss_handshake_state_.client_certs.clear();
   core->nss_handshake_state_.cert_authorities.clear();
 
-  // Retrieve the cert issuers accepted by the server. This information is
-  // currently (temporarily) being saved both in |valid_issuers| and
-  // |cert_authorities|, the latter being the target solution. The refactoring
-  // effort is being tracked in http://crbug.com/166642.
+  // Retrieve the cert issuers accepted by the server.
   std::vector<CertPrincipal> valid_issuers;
   int n = ca_names->nnames;
   for (int i = 0; i < n; i++) {
-    // Add the DER-encoded issuer DistinguishedName to |cert_authorities|.
     core->nss_handshake_state_.cert_authorities.push_back(std::string(
         reinterpret_cast<const char*>(ca_names->names[i].data),
         static_cast<size_t>(ca_names->names[i].len)));
-    // Add the CertPrincipal object representing the issuer to
-    // |valid_issuers|.
-    CertPrincipal p;
-    if (p.ParseDistinguishedName(ca_names->names[i].data,
-                                 ca_names->names[i].len)) {
-      valid_issuers.push_back(p);
-    }
   }
 
-  // Now get the available client certs whose issuers are allowed by the server.
-  X509Certificate::GetSSLClientCertificates(
-      core->host_and_port_.host(), valid_issuers,
-      &core->nss_handshake_state_.client_certs);
-
-  std::sort(core->nss_handshake_state_.client_certs.begin(),
-            core->nss_handshake_state_.client_certs.end(),
-            x509_util::ClientCertSorter());
-
   // Update the network task runner's view of the handshake state now that
-  // client certs have been detected.
+  // server certificate request has been recorded.
   core->PostOrRunCallback(
       FROM_HERE, base::Bind(&Core::OnHandshakeStateUpdated, core,
                             core->nss_handshake_state_));
 
   // Tell NSS to suspend the client authentication.  We will then abort the
   // handshake by returning ERR_SSL_CLIENT_AUTH_CERT_NEEDED.
   return SECWouldBlock;
 #else
   return SECFailure;
 #endif
@@ skipping 64 matching lines @@
         return SECSuccess;
       }
       LOG(WARNING) << "Client cert found without private key";
     }
     // Send no client certificate.
     core->AddCertProvidedEvent(0);
     return SECFailure;
   }
 
   // First pass: client certificate is needed.
-  core->nss_handshake_state_.client_certs.clear();
   core->nss_handshake_state_.cert_authorities.clear();
 
   // Retrieve the DER-encoded DistinguishedName of the cert issuers accepted by
   // the server and save them in |cert_authorities|.
   for (int i = 0; i < ca_names->nnames; i++) {
     core->nss_handshake_state_.cert_authorities.push_back(std::string(
         reinterpret_cast<const char*>(ca_names->names[i].data),
         static_cast<size_t>(ca_names->names[i].len)));
   }
 
-  // Iterate over all client certificates and put the ones matching the server
-  // criteria in |nss_handshake_state_.client_certs|. This is to be moved out of
-  // here as a part of refactoring effort being tracked in
-  // http://crbug.com/166642.
-  CERTCertList* client_certs = CERT_FindUserCertsByUsage(
-      CERT_GetDefaultCertDB(), certUsageSSLClient,
-      PR_FALSE, PR_FALSE, wincx);
-  if (client_certs) {
-    for (CERTCertListNode* node = CERT_LIST_HEAD(client_certs);
-         !CERT_LIST_END(node, client_certs);
-         node = CERT_LIST_NEXT(node)) {
-      // Only offer unexpired certificates.
-      if (CERT_CheckCertValidTimes(node->cert, PR_Now(), PR_TRUE) !=
-          secCertTimeValid) {
-        continue;
-      }
-      // Filter by issuer.
-      //
-      // TODO(davidben): This does a binary comparison of the DER-encoded
-      // issuers. We should match according to RFC 5280 sec. 7.1. We should find
-      // an appropriate NSS function or add one if needbe.
-      if (ca_names->nnames &&
-          NSS_CmpCertChainWCANames(node->cert, ca_names) != SECSuccess) {
-        continue;
-      }
-
-      X509Certificate* x509_cert = X509Certificate::CreateFromHandle(
-          node->cert, net::X509Certificate::OSCertHandles());
-      core->nss_handshake_state_.client_certs.push_back(x509_cert);
-    }
-    CERT_DestroyCertList(client_certs);
-  }
-
-  std::sort(core->nss_handshake_state_.client_certs.begin(),
-            core->nss_handshake_state_.client_certs.end(),
-            x509_util::ClientCertSorter());
-
   // Update the network task runner's view of the handshake state now that
-  // client certs have been detected.
+  // server certificate request has been recorded.
   core->PostOrRunCallback(
       FROM_HERE, base::Bind(&Core::OnHandshakeStateUpdated, core,
                             core->nss_handshake_state_));
 
   // Tell NSS to suspend the client authentication.  We will then abort the
   // handshake by returning ERR_SSL_CLIENT_AUTH_CERT_NEEDED.
   return SECWouldBlock;
 }
 #endif  // NSS_PLATFORM_CLIENT_AUTH
 
@@ skipping 1191 matching lines @@
   LeaveFunction("");
   return true;
 }
 
 void SSLClientSocketNSS::GetSSLCertRequestInfo(
     SSLCertRequestInfo* cert_request_info) {
   EnterFunction("");
   // TODO(rch): switch SSLCertRequestInfo.host_and_port to a HostPortPair
   cert_request_info->host_and_port = host_and_port_.ToString();
   cert_request_info->cert_authorities = core_->state().cert_authorities;
-  // This should be removed as being tracked in http://crbug.com/166642.
-  cert_request_info->client_certs = core_->state().client_certs;
-  LeaveFunction(cert_request_info->client_certs.size());
+  LeaveFunction("");
 }
 
 int SSLClientSocketNSS::ExportKeyingMaterial(const base::StringPiece& label,
                                              bool has_context,
                                              const base::StringPiece& context,
                                              unsigned char* out,
                                              unsigned int outlen) {
   if (!IsConnected())
     return ERR_SOCKET_NOT_CONNECTED;
 
@@ skipping 657 matching lines @@
   EnsureThreadIdAssigned();
   base::AutoLock auto_lock(lock_);
   return valid_thread_id_ == base::PlatformThread::CurrentId();
 }
 
 ServerBoundCertService* SSLClientSocketNSS::GetServerBoundCertService() const {
   return server_bound_cert_service_;
 }
 
 }  // namespace net