OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived | 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived |
6 // from AuthCertificateCallback() in | 6 // from AuthCertificateCallback() in |
7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. | 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. |
8 | 8 |
9 /* ***** BEGIN LICENSE BLOCK ***** | 9 /* ***** BEGIN LICENSE BLOCK ***** |
10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 | 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 |
(...skipping 429 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
440 transport_(transport_socket), | 440 transport_(transport_socket), |
441 host_and_port_(host_and_port), | 441 host_and_port_(host_and_port), |
442 ssl_config_(ssl_config), | 442 ssl_config_(ssl_config), |
443 user_read_buf_len_(0), | 443 user_read_buf_len_(0), |
444 user_write_buf_len_(0), | 444 user_write_buf_len_(0), |
445 server_cert_nss_(NULL), | 445 server_cert_nss_(NULL), |
446 server_cert_verify_result_(NULL), | 446 server_cert_verify_result_(NULL), |
447 ssl_connection_status_(0), | 447 ssl_connection_status_(0), |
448 client_auth_cert_needed_(false), | 448 client_auth_cert_needed_(false), |
449 cert_verifier_(context.cert_verifier), | 449 cert_verifier_(context.cert_verifier), |
450 ob_cert_xtn_negotiated_(false), | 450 domain_bound_cert_xtn_negotiated_(false), |
451 origin_bound_cert_service_(context.origin_bound_cert_service), | 451 server_bound_cert_service_(context.server_bound_cert_service), |
452 ob_cert_type_(CLIENT_CERT_INVALID_TYPE), | 452 domain_bound_cert_type_(CLIENT_CERT_INVALID_TYPE), |
453 ob_cert_request_handle_(NULL), | 453 domain_bound_cert_request_handle_(NULL), |
454 handshake_callback_called_(false), | 454 handshake_callback_called_(false), |
455 completed_handshake_(false), | 455 completed_handshake_(false), |
456 ssl_session_cache_shard_(context.ssl_session_cache_shard), | 456 ssl_session_cache_shard_(context.ssl_session_cache_shard), |
457 eset_mitm_detected_(false), | 457 eset_mitm_detected_(false), |
458 predicted_cert_chain_correct_(false), | 458 predicted_cert_chain_correct_(false), |
459 next_handshake_state_(STATE_NONE), | 459 next_handshake_state_(STATE_NONE), |
460 nss_fd_(NULL), | 460 nss_fd_(NULL), |
461 nss_bufs_(NULL), | 461 nss_bufs_(NULL), |
462 net_log_(transport_socket->socket()->NetLog()), | 462 net_log_(transport_socket->socket()->NetLog()), |
463 ssl_host_info_(ssl_host_info), | 463 ssl_host_info_(ssl_host_info), |
(...skipping 29 matching lines...) Expand all Loading... |
493 ssl_info->cert = server_cert_verify_result_->verified_cert; | 493 ssl_info->cert = server_cert_verify_result_->verified_cert; |
494 ssl_info->connection_status = ssl_connection_status_; | 494 ssl_info->connection_status = ssl_connection_status_; |
495 ssl_info->public_key_hashes = server_cert_verify_result_->public_key_hashes; | 495 ssl_info->public_key_hashes = server_cert_verify_result_->public_key_hashes; |
496 for (std::vector<SHA1Fingerprint>::const_iterator | 496 for (std::vector<SHA1Fingerprint>::const_iterator |
497 i = side_pinned_public_keys_.begin(); | 497 i = side_pinned_public_keys_.begin(); |
498 i != side_pinned_public_keys_.end(); i++) { | 498 i != side_pinned_public_keys_.end(); i++) { |
499 ssl_info->public_key_hashes.push_back(*i); | 499 ssl_info->public_key_hashes.push_back(*i); |
500 } | 500 } |
501 ssl_info->is_issued_by_known_root = | 501 ssl_info->is_issued_by_known_root = |
502 server_cert_verify_result_->is_issued_by_known_root; | 502 server_cert_verify_result_->is_issued_by_known_root; |
503 ssl_info->client_cert_sent = WasOriginBoundCertSent() || | 503 ssl_info->client_cert_sent = WasDomainBoundCertSent() || |
504 (ssl_config_.send_client_cert && ssl_config_.client_cert); | 504 (ssl_config_.send_client_cert && ssl_config_.client_cert); |
505 | 505 |
506 PRUint16 cipher_suite = | 506 PRUint16 cipher_suite = |
507 SSLConnectionStatusToCipherSuite(ssl_connection_status_); | 507 SSLConnectionStatusToCipherSuite(ssl_connection_status_); |
508 SSLCipherSuiteInfo cipher_info; | 508 SSLCipherSuiteInfo cipher_info; |
509 SECStatus ok = SSL_GetCipherSuiteInfo(cipher_suite, | 509 SECStatus ok = SSL_GetCipherSuiteInfo(cipher_suite, |
510 &cipher_info, sizeof(cipher_info)); | 510 &cipher_info, sizeof(cipher_info)); |
511 if (ok == SECSuccess) { | 511 if (ok == SECSuccess) { |
512 ssl_info->security_bits = cipher_info.effectiveKeyBits; | 512 ssl_info->security_bits = cipher_info.effectiveKeyBits; |
513 } else { | 513 } else { |
(...skipping 101 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
615 | 615 |
616 void SSLClientSocketNSS::Disconnect() { | 616 void SSLClientSocketNSS::Disconnect() { |
617 EnterFunction(""); | 617 EnterFunction(""); |
618 | 618 |
619 CHECK(CalledOnValidThread()); | 619 CHECK(CalledOnValidThread()); |
620 | 620 |
621 // Shut down anything that may call us back. | 621 // Shut down anything that may call us back. |
622 verifier_.reset(); | 622 verifier_.reset(); |
623 transport_->socket()->Disconnect(); | 623 transport_->socket()->Disconnect(); |
624 | 624 |
625 if (ob_cert_request_handle_ != NULL) { | 625 if (domain_bound_cert_request_handle_ != NULL) { |
626 origin_bound_cert_service_->CancelRequest(ob_cert_request_handle_); | 626 server_bound_cert_service_->CancelRequest( |
627 ob_cert_request_handle_ = NULL; | 627 domain_bound_cert_request_handle_); |
| 628 domain_bound_cert_request_handle_ = NULL; |
628 } | 629 } |
629 | 630 |
630 // TODO(wtc): Send SSL close_notify alert. | 631 // TODO(wtc): Send SSL close_notify alert. |
631 if (nss_fd_ != NULL) { | 632 if (nss_fd_ != NULL) { |
632 PR_Close(nss_fd_); | 633 PR_Close(nss_fd_); |
633 nss_fd_ = NULL; | 634 nss_fd_ = NULL; |
634 } | 635 } |
635 | 636 |
636 // Reset object state. | 637 // Reset object state. |
637 user_connect_callback_.Reset(); | 638 user_connect_callback_.Reset(); |
(...skipping 13 matching lines...) Expand all Loading... |
651 local_server_cert_verify_result_.Reset(); | 652 local_server_cert_verify_result_.Reset(); |
652 server_cert_verify_result_ = NULL; | 653 server_cert_verify_result_ = NULL; |
653 ssl_connection_status_ = 0; | 654 ssl_connection_status_ = 0; |
654 completed_handshake_ = false; | 655 completed_handshake_ = false; |
655 eset_mitm_detected_ = false; | 656 eset_mitm_detected_ = false; |
656 start_cert_verification_time_ = base::TimeTicks(); | 657 start_cert_verification_time_ = base::TimeTicks(); |
657 predicted_cert_chain_correct_ = false; | 658 predicted_cert_chain_correct_ = false; |
658 nss_bufs_ = NULL; | 659 nss_bufs_ = NULL; |
659 client_certs_.clear(); | 660 client_certs_.clear(); |
660 client_auth_cert_needed_ = false; | 661 client_auth_cert_needed_ = false; |
661 ob_cert_xtn_negotiated_ = false; | 662 domain_bound_cert_xtn_negotiated_ = false; |
662 | 663 |
663 LeaveFunction(""); | 664 LeaveFunction(""); |
664 } | 665 } |
665 | 666 |
666 bool SSLClientSocketNSS::IsConnected() const { | 667 bool SSLClientSocketNSS::IsConnected() const { |
667 // Ideally, we should also check if we have received the close_notify alert | 668 // Ideally, we should also check if we have received the close_notify alert |
668 // message from the server, and return false in that case. We're not doing | 669 // message from the server, and return false in that case. We're not doing |
669 // that, so this function may return a false positive. Since the upper | 670 // that, so this function may return a false positive. Since the upper |
670 // layer (HttpNetworkTransaction) needs to handle a persistent connection | 671 // layer (HttpNetworkTransaction) needs to handle a persistent connection |
671 // closed by the server when we send a request anyway, a false positive in | 672 // closed by the server when we send a request anyway, a false positive in |
(...skipping 292 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
964 | 965 |
965 #ifdef SSL_ENABLE_CACHED_INFO | 966 #ifdef SSL_ENABLE_CACHED_INFO |
966 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_CACHED_INFO, | 967 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_CACHED_INFO, |
967 ssl_config_.cached_info_enabled); | 968 ssl_config_.cached_info_enabled); |
968 if (rv != SECSuccess) | 969 if (rv != SECSuccess) |
969 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_CACHED_INFO"); | 970 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_CACHED_INFO"); |
970 #endif | 971 #endif |
971 | 972 |
972 #ifdef SSL_ENABLE_OB_CERTS | 973 #ifdef SSL_ENABLE_OB_CERTS |
973 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_OB_CERTS, | 974 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_OB_CERTS, |
974 ssl_config_.origin_bound_certs_enabled); | 975 ssl_config_.domain_bound_certs_enabled); |
975 if (rv != SECSuccess) | 976 if (rv != SECSuccess) |
976 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_OB_CERTS"); | 977 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_OB_CERTS"); |
977 #endif | 978 #endif |
978 | 979 |
979 #ifdef SSL_ENCRYPT_CLIENT_CERTS | 980 #ifdef SSL_ENCRYPT_CLIENT_CERTS |
980 // For now, enable the encrypted client certificates extension only if | 981 // For now, enable the encrypted client certificates extension only if |
981 // origin-bound certificates are enabled. | 982 // server-bound certificates are enabled. |
982 rv = SSL_OptionSet(nss_fd_, SSL_ENCRYPT_CLIENT_CERTS, | 983 rv = SSL_OptionSet(nss_fd_, SSL_ENCRYPT_CLIENT_CERTS, |
983 ssl_config_.origin_bound_certs_enabled); | 984 ssl_config_.domain_bound_certs_enabled); |
984 if (rv != SECSuccess) | 985 if (rv != SECSuccess) |
985 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENCRYPT_CLIENT_CERTS"); | 986 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENCRYPT_CLIENT_CERTS"); |
986 #endif | 987 #endif |
987 | 988 |
988 rv = SSL_OptionSet(nss_fd_, SSL_HANDSHAKE_AS_CLIENT, PR_TRUE); | 989 rv = SSL_OptionSet(nss_fd_, SSL_HANDSHAKE_AS_CLIENT, PR_TRUE); |
989 if (rv != SECSuccess) { | 990 if (rv != SECSuccess) { |
990 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_HANDSHAKE_AS_CLIENT"); | 991 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_HANDSHAKE_AS_CLIENT"); |
991 return ERR_UNEXPECTED; | 992 return ERR_UNEXPECTED; |
992 } | 993 } |
993 | 994 |
(...skipping 281 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1275 State state = next_handshake_state_; | 1276 State state = next_handshake_state_; |
1276 GotoState(STATE_NONE); | 1277 GotoState(STATE_NONE); |
1277 switch (state) { | 1278 switch (state) { |
1278 case STATE_LOAD_SSL_HOST_INFO: | 1279 case STATE_LOAD_SSL_HOST_INFO: |
1279 DCHECK(rv == OK || rv == ERR_IO_PENDING); | 1280 DCHECK(rv == OK || rv == ERR_IO_PENDING); |
1280 rv = DoLoadSSLHostInfo(); | 1281 rv = DoLoadSSLHostInfo(); |
1281 break; | 1282 break; |
1282 case STATE_HANDSHAKE: | 1283 case STATE_HANDSHAKE: |
1283 rv = DoHandshake(); | 1284 rv = DoHandshake(); |
1284 break; | 1285 break; |
1285 case STATE_GET_OB_CERT_COMPLETE: | 1286 case STATE_GET_DOMAIN_BOUND_CERT_COMPLETE: |
1286 rv = DoGetOBCertComplete(rv); | 1287 rv = DoGetDBCertComplete(rv); |
1287 break; | 1288 break; |
1288 case STATE_VERIFY_DNSSEC: | 1289 case STATE_VERIFY_DNSSEC: |
1289 rv = DoVerifyDNSSEC(rv); | 1290 rv = DoVerifyDNSSEC(rv); |
1290 break; | 1291 break; |
1291 case STATE_VERIFY_CERT: | 1292 case STATE_VERIFY_CERT: |
1292 DCHECK(rv == OK); | 1293 DCHECK(rv == OK); |
1293 rv = DoVerifyCert(rv); | 1294 rv = DoVerifyCert(rv); |
1294 break; | 1295 break; |
1295 case STATE_VERIFY_CERT_COMPLETE: | 1296 case STATE_VERIFY_CERT_COMPLETE: |
1296 rv = DoVerifyCertComplete(rv); | 1297 rv = DoVerifyCertComplete(rv); |
(...skipping 126 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1423 | 1424 |
1424 LeaveFunction(""); | 1425 LeaveFunction(""); |
1425 return rv; | 1426 return rv; |
1426 } | 1427 } |
1427 | 1428 |
1428 int SSLClientSocketNSS::DoHandshake() { | 1429 int SSLClientSocketNSS::DoHandshake() { |
1429 EnterFunction(""); | 1430 EnterFunction(""); |
1430 int net_error = net::OK; | 1431 int net_error = net::OK; |
1431 SECStatus rv = SSL_ForceHandshake(nss_fd_); | 1432 SECStatus rv = SSL_ForceHandshake(nss_fd_); |
1432 | 1433 |
1433 // TODO(rkn): Handle the case in which origin-bound cert generation takes | 1434 // TODO(rkn): Handle the case in which server-bound cert generation takes |
1434 // too long and the server has closed the connection. Report some new error | 1435 // too long and the server has closed the connection. Report some new error |
1435 // code so that the higher level code will attempt to delete the socket and | 1436 // code so that the higher level code will attempt to delete the socket and |
1436 // redo the handshake. | 1437 // redo the handshake. |
1437 | 1438 |
1438 if (client_auth_cert_needed_) { | 1439 if (client_auth_cert_needed_) { |
1439 if (ob_cert_xtn_negotiated_) { | 1440 if (domain_bound_cert_xtn_negotiated_) { |
1440 GotoState(STATE_GET_OB_CERT_COMPLETE); | 1441 GotoState(STATE_GET_DOMAIN_BOUND_CERT_COMPLETE); |
1441 net_error = ERR_IO_PENDING; | 1442 net_error = ERR_IO_PENDING; |
1442 } else { | 1443 } else { |
1443 net_error = ERR_SSL_CLIENT_AUTH_CERT_NEEDED; | 1444 net_error = ERR_SSL_CLIENT_AUTH_CERT_NEEDED; |
1444 net_log_.AddEvent(NetLog::TYPE_SSL_HANDSHAKE_ERROR, | 1445 net_log_.AddEvent(NetLog::TYPE_SSL_HANDSHAKE_ERROR, |
1445 make_scoped_refptr(new SSLErrorParams(net_error, 0))); | 1446 make_scoped_refptr(new SSLErrorParams(net_error, 0))); |
1446 // If the handshake already succeeded (because the server requests but | 1447 // If the handshake already succeeded (because the server requests but |
1447 // doesn't require a client cert), we need to invalidate the SSL session | 1448 // doesn't require a client cert), we need to invalidate the SSL session |
1448 // so that we won't try to resume the non-client-authenticated session in | 1449 // so that we won't try to resume the non-client-authenticated session in |
1449 // the next handshake. This will cause the server to ask for a client | 1450 // the next handshake. This will cause the server to ask for a client |
1450 // cert again. | 1451 // cert again. |
(...skipping 94 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1545 net_log_.AddEvent( | 1546 net_log_.AddEvent( |
1546 NetLog::TYPE_SSL_HANDSHAKE_ERROR, | 1547 NetLog::TYPE_SSL_HANDSHAKE_ERROR, |
1547 make_scoped_refptr(new SSLErrorParams(net_error, prerr))); | 1548 make_scoped_refptr(new SSLErrorParams(net_error, prerr))); |
1548 } | 1549 } |
1549 } | 1550 } |
1550 | 1551 |
1551 LeaveFunction(""); | 1552 LeaveFunction(""); |
1552 return net_error; | 1553 return net_error; |
1553 } | 1554 } |
1554 | 1555 |
1555 int SSLClientSocketNSS::ImportOBCertAndKey(CERTCertificate** cert, | 1556 int SSLClientSocketNSS::ImportDBCertAndKey(CERTCertificate** cert, |
1556 SECKEYPrivateKey** key) { | 1557 SECKEYPrivateKey** key) { |
1557 // Set the certificate. | 1558 // Set the certificate. |
1558 SECItem cert_item; | 1559 SECItem cert_item; |
1559 cert_item.data = (unsigned char*) ob_cert_.data(); | 1560 cert_item.data = (unsigned char*) domain_bound_cert_.data(); |
1560 cert_item.len = ob_cert_.size(); | 1561 cert_item.len = domain_bound_cert_.size(); |
1561 *cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(), | 1562 *cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(), |
1562 &cert_item, | 1563 &cert_item, |
1563 NULL, | 1564 NULL, |
1564 PR_FALSE, | 1565 PR_FALSE, |
1565 PR_TRUE); | 1566 PR_TRUE); |
1566 if (*cert == NULL) | 1567 if (*cert == NULL) |
1567 return MapNSSError(PORT_GetError()); | 1568 return MapNSSError(PORT_GetError()); |
1568 | 1569 |
1569 // Set the private key. | 1570 // Set the private key. |
1570 switch (ob_cert_type_) { | 1571 switch (domain_bound_cert_type_) { |
1571 case CLIENT_CERT_ECDSA_SIGN: { | 1572 case CLIENT_CERT_ECDSA_SIGN: { |
1572 SECKEYPublicKey* public_key = NULL; | 1573 SECKEYPublicKey* public_key = NULL; |
1573 if (!crypto::ECPrivateKey::ImportFromEncryptedPrivateKeyInfo( | 1574 if (!crypto::ECPrivateKey::ImportFromEncryptedPrivateKeyInfo( |
1574 OriginBoundCertService::kEPKIPassword, | 1575 ServerBoundCertService::kEPKIPassword, |
1575 reinterpret_cast<const unsigned char*>(ob_private_key_.data()), | 1576 reinterpret_cast<const unsigned char*>( |
1576 ob_private_key_.size(), | 1577 domain_bound_private_key_.data()), |
| 1578 domain_bound_private_key_.size(), |
1577 &(*cert)->subjectPublicKeyInfo, | 1579 &(*cert)->subjectPublicKeyInfo, |
1578 false, | 1580 false, |
1579 false, | 1581 false, |
1580 key, | 1582 key, |
1581 &public_key)) { | 1583 &public_key)) { |
1582 CERT_DestroyCertificate(*cert); | 1584 CERT_DestroyCertificate(*cert); |
1583 *cert = NULL; | 1585 *cert = NULL; |
1584 return MapNSSError(PORT_GetError()); | 1586 return MapNSSError(PORT_GetError()); |
1585 } | 1587 } |
1586 SECKEY_DestroyPublicKey(public_key); | 1588 SECKEY_DestroyPublicKey(public_key); |
1587 break; | 1589 break; |
1588 } | 1590 } |
1589 | 1591 |
1590 default: | 1592 default: |
1591 NOTREACHED(); | 1593 NOTREACHED(); |
1592 return ERR_INVALID_ARGUMENT; | 1594 return ERR_INVALID_ARGUMENT; |
1593 } | 1595 } |
1594 | 1596 |
1595 return OK; | 1597 return OK; |
1596 } | 1598 } |
1597 | 1599 |
1598 int SSLClientSocketNSS::DoGetOBCertComplete(int result) { | 1600 int SSLClientSocketNSS::DoGetDBCertComplete(int result) { |
1599 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_GET_ORIGIN_BOUND_CERT, | 1601 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_GET_DOMAIN_BOUND_CERT, |
1600 result); | 1602 result); |
1601 client_auth_cert_needed_ = false; | 1603 client_auth_cert_needed_ = false; |
1602 ob_cert_request_handle_ = NULL; | 1604 domain_bound_cert_request_handle_ = NULL; |
1603 | 1605 |
1604 if (result != OK) | 1606 if (result != OK) |
1605 return result; | 1607 return result; |
1606 | 1608 |
1607 CERTCertificate* cert; | 1609 CERTCertificate* cert; |
1608 SECKEYPrivateKey* key; | 1610 SECKEYPrivateKey* key; |
1609 int error = ImportOBCertAndKey(&cert, &key); | 1611 int error = ImportDBCertAndKey(&cert, &key); |
1610 if (error != OK) | 1612 if (error != OK) |
1611 return error; | 1613 return error; |
1612 | 1614 |
1613 CERTCertificateList* cert_chain = CERT_CertChainFromCert(cert, | 1615 CERTCertificateList* cert_chain = CERT_CertChainFromCert(cert, |
1614 certUsageSSLClient, | 1616 certUsageSSLClient, |
1615 PR_FALSE); | 1617 PR_FALSE); |
1616 net_log_.AddEvent(NetLog::TYPE_SSL_CLIENT_CERT_PROVIDED, | 1618 net_log_.AddEvent(NetLog::TYPE_SSL_CLIENT_CERT_PROVIDED, |
1617 make_scoped_refptr(new NetLogIntegerParameter("cert_count", | 1619 make_scoped_refptr(new NetLogIntegerParameter("cert_count", |
1618 cert_chain->len))); | 1620 cert_chain->len))); |
1619 SECStatus rv; | 1621 SECStatus rv; |
1620 rv = SSL_RestartHandshakeAfterCertReq(nss_fd_, cert, key, cert_chain); | 1622 rv = SSL_RestartHandshakeAfterCertReq(nss_fd_, cert, key, cert_chain); |
1621 if (rv != SECSuccess) | 1623 if (rv != SECSuccess) |
1622 return MapNSSError(PORT_GetError()); | 1624 return MapNSSError(PORT_GetError()); |
1623 | 1625 |
1624 GotoState(STATE_HANDSHAKE); | 1626 GotoState(STATE_HANDSHAKE); |
1625 set_origin_bound_cert_type(ob_cert_type_); | 1627 set_domain_bound_cert_type(domain_bound_cert_type_); |
1626 return OK; | 1628 return OK; |
1627 } | 1629 } |
1628 | 1630 |
1629 int SSLClientSocketNSS::DoVerifyDNSSEC(int result) { | 1631 int SSLClientSocketNSS::DoVerifyDNSSEC(int result) { |
1630 DNSValidationResult r = CheckDNSSECChain(host_and_port_.host(), | 1632 DNSValidationResult r = CheckDNSSECChain(host_and_port_.host(), |
1631 server_cert_nss_, | 1633 server_cert_nss_, |
1632 host_and_port_.port()); | 1634 host_and_port_.port()); |
1633 if (r == DNSVR_SUCCESS) { | 1635 if (r == DNSVR_SUCCESS) { |
1634 local_server_cert_verify_result_.cert_status |= CERT_STATUS_IS_DNSSEC; | 1636 local_server_cert_verify_result_.cert_status |= CERT_STATUS_IS_DNSSEC; |
1635 local_server_cert_verify_result_.verified_cert = server_cert_; | 1637 local_server_cert_verify_result_.verified_cert = server_cert_; |
(...skipping 530 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
2166 base::TimeDelta::FromMilliseconds(kCorkTimeoutMs), | 2168 base::TimeDelta::FromMilliseconds(kCorkTimeoutMs), |
2167 that, &SSLClientSocketNSS::UncorkAfterTimeout); | 2169 that, &SSLClientSocketNSS::UncorkAfterTimeout); |
2168 } | 2170 } |
2169 #endif | 2171 #endif |
2170 | 2172 |
2171 // Tell NSS to not verify the certificate. | 2173 // Tell NSS to not verify the certificate. |
2172 return SECSuccess; | 2174 return SECSuccess; |
2173 } | 2175 } |
2174 | 2176 |
2175 // static | 2177 // static |
2176 bool SSLClientSocketNSS::OriginBoundCertNegotiated(PRFileDesc* socket) { | 2178 bool SSLClientSocketNSS::DomainBoundCertNegotiated(PRFileDesc* socket) { |
2177 PRBool xtn_negotiated = PR_FALSE; | 2179 PRBool xtn_negotiated = PR_FALSE; |
2178 SECStatus rv = SSL_HandshakeNegotiatedExtension( | 2180 SECStatus rv = SSL_HandshakeNegotiatedExtension( |
2179 socket, ssl_ob_cert_xtn, &xtn_negotiated); | 2181 socket, ssl_ob_cert_xtn, &xtn_negotiated); |
2180 DCHECK_EQ(SECSuccess, rv); | 2182 DCHECK_EQ(SECSuccess, rv); |
2181 | 2183 |
2182 return xtn_negotiated ? true : false; | 2184 return xtn_negotiated ? true : false; |
2183 } | 2185 } |
2184 | 2186 |
2185 SECStatus SSLClientSocketNSS::OriginBoundClientAuthHandler( | 2187 SECStatus SSLClientSocketNSS::DomainBoundClientAuthHandler( |
2186 const SECItem* cert_types, | 2188 const SECItem* cert_types, |
2187 CERTCertificate** result_certificate, | 2189 CERTCertificate** result_certificate, |
2188 SECKEYPrivateKey** result_private_key) { | 2190 SECKEYPrivateKey** result_private_key) { |
2189 ob_cert_xtn_negotiated_ = true; | 2191 domain_bound_cert_xtn_negotiated_ = true; |
2190 | 2192 |
2191 // We have negotiated the origin-bound certificate extension. | 2193 // We have negotiated the domain-bound certificate extension. |
2192 std::string origin = "https://" + host_and_port_.ToString(); | 2194 std::string origin = "https://" + host_and_port_.ToString(); |
2193 std::vector<uint8> requested_cert_types(cert_types->data, | 2195 std::vector<uint8> requested_cert_types(cert_types->data, |
2194 cert_types->data + cert_types->len); | 2196 cert_types->data + cert_types->len); |
2195 net_log_.BeginEvent(NetLog::TYPE_SSL_GET_ORIGIN_BOUND_CERT, NULL); | 2197 net_log_.BeginEvent(NetLog::TYPE_SSL_GET_DOMAIN_BOUND_CERT, NULL); |
2196 int error = origin_bound_cert_service_->GetOriginBoundCert( | 2198 int error = server_bound_cert_service_->GetDomainBoundCert( |
2197 origin, | 2199 origin, |
2198 requested_cert_types, | 2200 requested_cert_types, |
2199 &ob_cert_type_, | 2201 &domain_bound_cert_type_, |
2200 &ob_private_key_, | 2202 &domain_bound_private_key_, |
2201 &ob_cert_, | 2203 &domain_bound_cert_, |
2202 base::Bind(&SSLClientSocketNSS::OnHandshakeIOComplete, | 2204 base::Bind(&SSLClientSocketNSS::OnHandshakeIOComplete, |
2203 base::Unretained(this)), | 2205 base::Unretained(this)), |
2204 &ob_cert_request_handle_); | 2206 &domain_bound_cert_request_handle_); |
2205 | 2207 |
2206 if (error == ERR_IO_PENDING) { | 2208 if (error == ERR_IO_PENDING) { |
2207 // Asynchronous case. | 2209 // Asynchronous case. |
2208 client_auth_cert_needed_ = true; | 2210 client_auth_cert_needed_ = true; |
2209 return SECWouldBlock; | 2211 return SECWouldBlock; |
2210 } | 2212 } |
2211 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_GET_ORIGIN_BOUND_CERT, | 2213 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_GET_DOMAIN_BOUND_CERT, |
2212 error); | 2214 error); |
2213 | 2215 |
2214 SECStatus rv = SECSuccess; | 2216 SECStatus rv = SECSuccess; |
2215 if (error == OK) { | 2217 if (error == OK) { |
2216 // Synchronous success. | 2218 // Synchronous success. |
2217 int result = ImportOBCertAndKey(result_certificate, | 2219 int result = ImportDBCertAndKey(result_certificate, |
2218 result_private_key); | 2220 result_private_key); |
2219 if (result == OK) { | 2221 if (result == OK) { |
2220 set_origin_bound_cert_type(ob_cert_type_); | 2222 set_domain_bound_cert_type(domain_bound_cert_type_); |
2221 } else { | 2223 } else { |
2222 rv = SECFailure; | 2224 rv = SECFailure; |
2223 } | 2225 } |
2224 } else { | 2226 } else { |
2225 rv = SECFailure; // Synchronous failure. | 2227 rv = SECFailure; // Synchronous failure. |
2226 } | 2228 } |
2227 | 2229 |
2228 int cert_count = (rv == SECSuccess) ? 1 : 0; | 2230 int cert_count = (rv == SECSuccess) ? 1 : 0; |
2229 net_log_.AddEvent(NetLog::TYPE_SSL_CLIENT_CERT_PROVIDED, | 2231 net_log_.AddEvent(NetLog::TYPE_SSL_CLIENT_CERT_PROVIDED, |
2230 make_scoped_refptr(new NetLogIntegerParameter("cert_count", | 2232 make_scoped_refptr(new NetLogIntegerParameter("cert_count", |
(...skipping 11 matching lines...) Expand all Loading... |
2242 CERTCertList** result_certs, | 2244 CERTCertList** result_certs, |
2243 void** result_private_key, | 2245 void** result_private_key, |
2244 CERTCertificate** result_nss_certificate, | 2246 CERTCertificate** result_nss_certificate, |
2245 SECKEYPrivateKey** result_nss_private_key) { | 2247 SECKEYPrivateKey** result_nss_private_key) { |
2246 SSLClientSocketNSS* that = reinterpret_cast<SSLClientSocketNSS*>(arg); | 2248 SSLClientSocketNSS* that = reinterpret_cast<SSLClientSocketNSS*>(arg); |
2247 | 2249 |
2248 that->net_log_.AddEvent(NetLog::TYPE_SSL_CLIENT_CERT_REQUESTED, NULL); | 2250 that->net_log_.AddEvent(NetLog::TYPE_SSL_CLIENT_CERT_REQUESTED, NULL); |
2249 | 2251 |
2250 const SECItem* cert_types = SSL_GetRequestedClientCertificateTypes(socket); | 2252 const SECItem* cert_types = SSL_GetRequestedClientCertificateTypes(socket); |
2251 | 2253 |
2252 // Check if an origin-bound certificate is requested. | 2254 // Check if a domain-bound certificate is requested. |
2253 if (OriginBoundCertNegotiated(socket)) { | 2255 if (DomainBoundCertNegotiated(socket)) { |
2254 return that->OriginBoundClientAuthHandler( | 2256 return that->DomainBoundClientAuthHandler( |
2255 cert_types, result_nss_certificate, result_nss_private_key); | 2257 cert_types, result_nss_certificate, result_nss_private_key); |
2256 } | 2258 } |
2257 | 2259 |
2258 that->client_auth_cert_needed_ = !that->ssl_config_.send_client_cert; | 2260 that->client_auth_cert_needed_ = !that->ssl_config_.send_client_cert; |
2259 #if defined(OS_WIN) | 2261 #if defined(OS_WIN) |
2260 if (that->ssl_config_.send_client_cert) { | 2262 if (that->ssl_config_.send_client_cert) { |
2261 if (that->ssl_config_.client_cert) { | 2263 if (that->ssl_config_.client_cert) { |
2262 PCCERT_CONTEXT cert_context = | 2264 PCCERT_CONTEXT cert_context = |
2263 that->ssl_config_.client_cert->os_cert_handle(); | 2265 that->ssl_config_.client_cert->os_cert_handle(); |
2264 | 2266 |
(...skipping 283 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
2548 PRFileDesc* socket, | 2550 PRFileDesc* socket, |
2549 CERTDistNames* ca_names, | 2551 CERTDistNames* ca_names, |
2550 CERTCertificate** result_certificate, | 2552 CERTCertificate** result_certificate, |
2551 SECKEYPrivateKey** result_private_key) { | 2553 SECKEYPrivateKey** result_private_key) { |
2552 SSLClientSocketNSS* that = reinterpret_cast<SSLClientSocketNSS*>(arg); | 2554 SSLClientSocketNSS* that = reinterpret_cast<SSLClientSocketNSS*>(arg); |
2553 | 2555 |
2554 that->net_log_.AddEvent(NetLog::TYPE_SSL_CLIENT_CERT_REQUESTED, NULL); | 2556 that->net_log_.AddEvent(NetLog::TYPE_SSL_CLIENT_CERT_REQUESTED, NULL); |
2555 | 2557 |
2556 const SECItem* cert_types = SSL_GetRequestedClientCertificateTypes(socket); | 2558 const SECItem* cert_types = SSL_GetRequestedClientCertificateTypes(socket); |
2557 | 2559 |
2558 // Check if an origin-bound certificate is requested. | 2560 // Check if a domain-bound certificate is requested. |
2559 if (OriginBoundCertNegotiated(socket)) { | 2561 if (DomainBoundCertNegotiated(socket)) { |
2560 return that->OriginBoundClientAuthHandler( | 2562 return that->DomainBoundClientAuthHandler( |
2561 cert_types, result_certificate, result_private_key); | 2563 cert_types, result_certificate, result_private_key); |
2562 } | 2564 } |
2563 | 2565 |
2564 // Regular client certificate requested. | 2566 // Regular client certificate requested. |
2565 that->client_auth_cert_needed_ = !that->ssl_config_.send_client_cert; | 2567 that->client_auth_cert_needed_ = !that->ssl_config_.send_client_cert; |
2566 void* wincx = SSL_RevealPinArg(socket); | 2568 void* wincx = SSL_RevealPinArg(socket); |
2567 | 2569 |
2568 // Second pass: a client certificate should have been selected. | 2570 // Second pass: a client certificate should have been selected. |
2569 if (that->ssl_config_.send_client_cert) { | 2571 if (that->ssl_config_.send_client_cert) { |
2570 if (that->ssl_config_.client_cert) { | 2572 if (that->ssl_config_.client_cert) { |
(...skipping 133 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
2704 return; | 2706 return; |
2705 valid_thread_id_ = base::PlatformThread::CurrentId(); | 2707 valid_thread_id_ = base::PlatformThread::CurrentId(); |
2706 } | 2708 } |
2707 | 2709 |
2708 bool SSLClientSocketNSS::CalledOnValidThread() const { | 2710 bool SSLClientSocketNSS::CalledOnValidThread() const { |
2709 EnsureThreadIdAssigned(); | 2711 EnsureThreadIdAssigned(); |
2710 base::AutoLock auto_lock(lock_); | 2712 base::AutoLock auto_lock(lock_); |
2711 return valid_thread_id_ == base::PlatformThread::CurrentId(); | 2713 return valid_thread_id_ == base::PlatformThread::CurrentId(); |
2712 } | 2714 } |
2713 | 2715 |
2714 OriginBoundCertService* SSLClientSocketNSS::GetOriginBoundCertService() const { | 2716 ServerBoundCertService* SSLClientSocketNSS::GetServerBoundCertService() const { |
2715 return origin_bound_cert_service_; | 2717 return server_bound_cert_service_; |
2716 } | 2718 } |
2717 | 2719 |
2718 } // namespace net | 2720 } // namespace net |
OLD | NEW |