| Index: net/base/x509_certificate_mac.cc
|
| diff --git a/net/base/x509_certificate_mac.cc b/net/base/x509_certificate_mac.cc
|
| index f4aaf924b0cc979783c3f16e3c628d19522a3af3..9e2565aa8e3bfb7a87c903b639025996ca63c86e 100644
|
| --- a/net/base/x509_certificate_mac.cc
|
| +++ b/net/base/x509_certificate_mac.cc
|
| @@ -712,117 +712,6 @@ bool X509Certificate::SupportsSSLClientAuth() const {
|
| return true;
|
| }
|
|
|
| -bool X509Certificate::IsIssuedBy(
|
| - const std::vector<CertPrincipal>& valid_issuers) {
|
| - // Get the cert's issuer chain.
|
| - CFArrayRef cert_chain = NULL;
|
| - OSStatus result = CopyCertChain(os_cert_handle(), &cert_chain);
|
| - if (result)
|
| - return false;
|
| - ScopedCFTypeRef<CFArrayRef> scoped_cert_chain(cert_chain);
|
| -
|
| - // Check all the certs in the chain for a match.
|
| - int n = CFArrayGetCount(cert_chain);
|
| - for (int i = 0; i < n; ++i) {
|
| - SecCertificateRef cert_handle = reinterpret_cast<SecCertificateRef>(
|
| - const_cast<void*>(CFArrayGetValueAtIndex(cert_chain, i)));
|
| - scoped_refptr<X509Certificate> cert(X509Certificate::CreateFromHandle(
|
| - cert_handle, X509Certificate::OSCertHandles()));
|
| - for (unsigned j = 0; j < valid_issuers.size(); j++) {
|
| - if (cert->issuer().Matches(valid_issuers[j]))
|
| - return true;
|
| - }
|
| - }
|
| - return false;
|
| -}
|
| -
|
| -// static
|
| -bool X509Certificate::GetSSLClientCertificates(
|
| - const std::string& server_domain,
|
| - const std::vector<CertPrincipal>& valid_issuers,
|
| - CertificateList* certs) {
|
| - ScopedCFTypeRef<SecIdentityRef> preferred_identity;
|
| - if (!server_domain.empty()) {
|
| - // See if there's an identity preference for this domain:
|
| - ScopedCFTypeRef<CFStringRef> domain_str(
|
| - base::SysUTF8ToCFStringRef("https://" + server_domain));
|
| - SecIdentityRef identity = NULL;
|
| - // While SecIdentityCopyPreferences appears to take a list of CA issuers
|
| - // to restrict the identity search to, within Security.framework the
|
| - // argument is ignored and filtering unimplemented. See
|
| - // SecIdentity.cpp in libsecurity_keychain, specifically
|
| - // _SecIdentityCopyPreferenceMatchingName().
|
| - {
|
| - base::AutoLock lock(crypto::GetMacSecurityServicesLock());
|
| - if (SecIdentityCopyPreference(domain_str, 0, NULL, &identity) == noErr)
|
| - preferred_identity.reset(identity);
|
| - }
|
| - }
|
| -
|
| - // Now enumerate the identities in the available keychains.
|
| - SecIdentitySearchRef search = NULL;
|
| - OSStatus err;
|
| - {
|
| - base::AutoLock lock(crypto::GetMacSecurityServicesLock());
|
| - err = SecIdentitySearchCreate(NULL, CSSM_KEYUSE_SIGN, &search);
|
| - }
|
| - if (err)
|
| - return false;
|
| - ScopedCFTypeRef<SecIdentitySearchRef> scoped_search(search);
|
| - while (!err) {
|
| - SecIdentityRef identity = NULL;
|
| - {
|
| - base::AutoLock lock(crypto::GetMacSecurityServicesLock());
|
| - err = SecIdentitySearchCopyNext(search, &identity);
|
| - }
|
| - if (err)
|
| - break;
|
| - ScopedCFTypeRef<SecIdentityRef> scoped_identity(identity);
|
| -
|
| - SecCertificateRef cert_handle;
|
| - err = SecIdentityCopyCertificate(identity, &cert_handle);
|
| - if (err != noErr)
|
| - continue;
|
| - ScopedCFTypeRef<SecCertificateRef> scoped_cert_handle(cert_handle);
|
| -
|
| - scoped_refptr<X509Certificate> cert(
|
| - CreateFromHandle(cert_handle, OSCertHandles()));
|
| - if (cert->HasExpired() || !cert->SupportsSSLClientAuth())
|
| - continue;
|
| -
|
| - // Skip duplicates (a cert may be in multiple keychains).
|
| - const SHA1HashValue& fingerprint = cert->fingerprint();
|
| - unsigned i;
|
| - for (i = 0; i < certs->size(); ++i) {
|
| - if ((*certs)[i]->fingerprint().Equals(fingerprint))
|
| - break;
|
| - }
|
| - if (i < certs->size())
|
| - continue;
|
| -
|
| - bool is_preferred = preferred_identity &&
|
| - CFEqual(preferred_identity, identity);
|
| -
|
| - // Make sure the issuer matches valid_issuers, if given.
|
| - if (!valid_issuers.empty() && !cert->IsIssuedBy(valid_issuers))
|
| - continue;
|
| -
|
| - // The cert passes, so add it to the vector.
|
| - // If it's the preferred identity, add it at the start (so it'll be
|
| - // selected by default in the UI.)
|
| - if (is_preferred)
|
| - certs->insert(certs->begin(), cert);
|
| - else
|
| - certs->push_back(cert);
|
| - }
|
| -
|
| - if (err != errSecItemNotFound) {
|
| - OSSTATUS_LOG(ERROR, err) << "SecIdentitySearch error";
|
| - return false;
|
| - }
|
| - return true;
|
| -}
|
| -
|
| CFArrayRef X509Certificate::CreateClientCertificateChain() const {
|
| // Initialize the result array with just the IdentityRef of the receiver:
|
| SecIdentityRef identity;
|
|
|
Chromium Code Reviews
Issue 12035105:
Move client certificates retrieval logic out of the SSL sockets. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master