Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(574)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/ssl/client_cert_store_impl_nss.cc

Issue 13866049: Fix client certificate authentication on Mac and Linux introduced in r178732 (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Refresh key files for certs Created 7 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« no previous file with comments | « net/ssl/client_cert_store_impl_mac.cc ('k') | net/ssl/client_cert_store_impl_unittest.cc » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/ssl/client_cert_store_impl.h" 5 #include "net/ssl/client_cert_store_impl.h"
6 6
7 #include <nss.h> 7 #include <nss.h>
8 #include <ssl.h> 8 #include <ssl.h>
9 9
10 #include "base/logging.h" 10 #include "base/logging.h"
11 #include "net/cert/x509_util.h" 11 #include "net/cert/x509_util.h"
12 12
13 namespace net { 13 namespace net {
14 14
15 namespace { 15 namespace {
16 16
17 // Examines the certificates in |cert_list| to find all certificates that match
18 // the client certificate request in |request|, storing the matching
19 // certificates in |selected_certs|.
20 // If |query_nssdb| is true, NSS will be queried to construct full certificate
21 // chains. If it is false, only the certificate will be considered.
17 bool GetClientCertsImpl(CERTCertList* cert_list, 22 bool GetClientCertsImpl(CERTCertList* cert_list,
18 const SSLCertRequestInfo& request, 23 const SSLCertRequestInfo& request,
24 bool query_nssdb,
19 CertificateList* selected_certs) { 25 CertificateList* selected_certs) {
20 DCHECK(cert_list); 26 DCHECK(cert_list);
21 DCHECK(selected_certs); 27 DCHECK(selected_certs);
22 28
23 selected_certs->clear(); 29 selected_certs->clear();
30
31 // Create a "fake" CERTDistNames structure. No public API exists to create
32 // one from a list of issuers.
33 CERTDistNames ca_names;
34 ca_names.arena = NULL;
35 ca_names.nnames = 0;
36 ca_names.names = NULL;
37 ca_names.head = NULL;
38
39 std::vector<SECItem> ca_names_items(request.cert_authorities.size());
40 for (size_t i = 0; i < request.cert_authorities.size(); ++i) {
41 const std::string& authority = request.cert_authorities[i];
42 ca_names_items[i].type = siBuffer;
43 ca_names_items[i].data =
44 reinterpret_cast<unsigned char*>(const_cast<char*>(authority.data()));
45 ca_names_items[i].len = static_cast<unsigned int>(authority.size());
46 }
47 ca_names.nnames = static_cast<int>(ca_names_items.size());
48 if (!ca_names_items.empty())
49 ca_names.names = &ca_names_items[0];
50
24 for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list); 51 for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list);
25 !CERT_LIST_END(node, cert_list); 52 !CERT_LIST_END(node, cert_list);
26 node = CERT_LIST_NEXT(node)) { 53 node = CERT_LIST_NEXT(node)) {
27 // Only offer unexpired certificates. 54 // Only offer unexpired certificates.
28 if (CERT_CheckCertValidTimes(node->cert, PR_Now(), PR_TRUE) != 55 if (CERT_CheckCertValidTimes(node->cert, PR_Now(), PR_TRUE) !=
29 secCertTimeValid) { 56 secCertTimeValid) {
30 continue; 57 continue;
31 } 58 }
32 59
33 scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromHandle( 60 scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromHandle(
34 node->cert, X509Certificate::OSCertHandles()); 61 node->cert, X509Certificate::OSCertHandles());
35 62
36 // Check if the certificate issuer is allowed by the server. 63 // Check if the certificate issuer is allowed by the server.
37 if (!request.cert_authorities.empty() && 64 if (request.cert_authorities.empty() ||
38 !cert->IsIssuedByEncoded(request.cert_authorities)) { 65 (!query_nssdb &&
39 continue; 66 cert->IsIssuedByEncoded(request.cert_authorities)) ||
67 (query_nssdb &&
68 NSS_CmpCertChainWCANames(node->cert, &ca_names) == SECSuccess)) {
69 selected_certs->push_back(cert);
40 } 70 }
41 selected_certs->push_back(cert);
42 } 71 }
43 72
44 std::sort(selected_certs->begin(), selected_certs->end(), 73 std::sort(selected_certs->begin(), selected_certs->end(),
45 x509_util::ClientCertSorter()); 74 x509_util::ClientCertSorter());
46 return true; 75 return true;
47 } 76 }
48 77
49 } // namespace 78 } // namespace
50 79
51 bool ClientCertStoreImpl::GetClientCerts(const SSLCertRequestInfo& request, 80 bool ClientCertStoreImpl::GetClientCerts(const SSLCertRequestInfo& request,
52 CertificateList* selected_certs) { 81 CertificateList* selected_certs) {
53 CERTCertList* client_certs = CERT_FindUserCertsByUsage( 82 CERTCertList* client_certs = CERT_FindUserCertsByUsage(
54 CERT_GetDefaultCertDB(), certUsageSSLClient, 83 CERT_GetDefaultCertDB(), certUsageSSLClient,
55 PR_FALSE, PR_FALSE, NULL); 84 PR_FALSE, PR_FALSE, NULL);
56 // It is ok for a user not to have any client certs. 85 // It is ok for a user not to have any client certs.
57 if (!client_certs) 86 if (!client_certs)
58 return true; 87 return true;
59 88
60 bool rv = GetClientCertsImpl(client_certs, request, selected_certs); 89 bool rv = GetClientCertsImpl(client_certs, request, true, selected_certs);
61 CERT_DestroyCertList(client_certs); 90 CERT_DestroyCertList(client_certs);
62 return rv; 91 return rv;
63 } 92 }
64 93
65 bool ClientCertStoreImpl::SelectClientCerts(const CertificateList& input_certs, 94 bool ClientCertStoreImpl::SelectClientCerts(const CertificateList& input_certs,
66 const SSLCertRequestInfo& request, 95 const SSLCertRequestInfo& request,
67 CertificateList* selected_certs) { 96 CertificateList* selected_certs) {
68 CERTCertList* cert_list = CERT_NewCertList(); 97 CERTCertList* cert_list = CERT_NewCertList();
69 if (!cert_list) 98 if (!cert_list)
70 return false; 99 return false;
71 for (size_t i = 0; i < input_certs.size(); ++i) { 100 for (size_t i = 0; i < input_certs.size(); ++i) {
72 CERT_AddCertToListTail( 101 CERT_AddCertToListTail(
73 cert_list, CERT_DupCertificate(input_certs[i]->os_cert_handle())); 102 cert_list, CERT_DupCertificate(input_certs[i]->os_cert_handle()));
74 } 103 }
75 104
76 bool rv = GetClientCertsImpl(cert_list, request, selected_certs); 105 bool rv = GetClientCertsImpl(cert_list, request, false, selected_certs);
77 CERT_DestroyCertList(cert_list); 106 CERT_DestroyCertList(cert_list);
78 return rv; 107 return rv;
79 } 108 }
80 109
81 } // namespace net 110 } // namespace net
OLDNEW
« no previous file with comments | « net/ssl/client_cert_store_impl_mac.cc ('k') | net/ssl/client_cert_store_impl_unittest.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698