Change Origin bound certs -> Domain bound certs.

net/socket/ssl_client_socket_nss.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived
 // from AuthCertificateCallback() in
 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.
 
 /* ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
@@ skipping 429 matching lines @@
       transport_(transport_socket),
       host_and_port_(host_and_port),
       ssl_config_(ssl_config),
       user_read_buf_len_(0),
       user_write_buf_len_(0),
       server_cert_nss_(NULL),
       server_cert_verify_result_(NULL),
       ssl_connection_status_(0),
       client_auth_cert_needed_(false),
       cert_verifier_(context.cert_verifier),
-      ob_cert_xtn_negotiated_(false),
-      origin_bound_cert_service_(context.origin_bound_cert_service),
-      ob_cert_type_(CLIENT_CERT_INVALID_TYPE),
-      ob_cert_request_handle_(NULL),
+      domain_bound_cert_xtn_negotiated_(false),
+      server_bound_cert_service_(context.server_bound_cert_service),
+      domain_bound_cert_type_(CLIENT_CERT_INVALID_TYPE),
+      domain_bound_cert_request_handle_(NULL),
       handshake_callback_called_(false),
       completed_handshake_(false),
       ssl_session_cache_shard_(context.ssl_session_cache_shard),
       eset_mitm_detected_(false),
       predicted_cert_chain_correct_(false),
       next_handshake_state_(STATE_NONE),
       nss_fd_(NULL),
       nss_bufs_(NULL),
       net_log_(transport_socket->socket()->NetLog()),
       ssl_host_info_(ssl_host_info),
@@ skipping 29 matching lines @@
   ssl_info->cert = server_cert_verify_result_->verified_cert;
   ssl_info->connection_status = ssl_connection_status_;
   ssl_info->public_key_hashes = server_cert_verify_result_->public_key_hashes;
   for (std::vector<SHA1Fingerprint>::const_iterator
        i = side_pinned_public_keys_.begin();
        i != side_pinned_public_keys_.end(); i++) {
     ssl_info->public_key_hashes.push_back(*i);
   }
   ssl_info->is_issued_by_known_root =
       server_cert_verify_result_->is_issued_by_known_root;
-  ssl_info->client_cert_sent = WasOriginBoundCertSent() ||
+  ssl_info->client_cert_sent = WasDomainBoundCertSent() ||
       (ssl_config_.send_client_cert && ssl_config_.client_cert);
 
   PRUint16 cipher_suite =
       SSLConnectionStatusToCipherSuite(ssl_connection_status_);
   SSLCipherSuiteInfo cipher_info;
   SECStatus ok = SSL_GetCipherSuiteInfo(cipher_suite,
                                         &cipher_info, sizeof(cipher_info));
   if (ok == SECSuccess) {
     ssl_info->security_bits = cipher_info.effectiveKeyBits;
   } else {
@@ skipping 101 matching lines @@
 
 void SSLClientSocketNSS::Disconnect() {
   EnterFunction("");
 
   CHECK(CalledOnValidThread());
 
   // Shut down anything that may call us back.
   verifier_.reset();
   transport_->socket()->Disconnect();
 
-  if (ob_cert_request_handle_ != NULL) {
-    origin_bound_cert_service_->CancelRequest(ob_cert_request_handle_);
-    ob_cert_request_handle_ = NULL;
+  if (domain_bound_cert_request_handle_ != NULL) {
+    server_bound_cert_service_->CancelRequest(
+        domain_bound_cert_request_handle_);
+    domain_bound_cert_request_handle_ = NULL;
   }
 
   // TODO(wtc): Send SSL close_notify alert.
   if (nss_fd_ != NULL) {
     PR_Close(nss_fd_);
     nss_fd_ = NULL;
   }
 
   // Reset object state.
   user_connect_callback_.Reset();
@@ skipping 13 matching lines @@
   local_server_cert_verify_result_.Reset();
   server_cert_verify_result_ = NULL;
   ssl_connection_status_ = 0;
   completed_handshake_   = false;
   eset_mitm_detected_    = false;
   start_cert_verification_time_ = base::TimeTicks();
   predicted_cert_chain_correct_ = false;
   nss_bufs_              = NULL;
   client_certs_.clear();
   client_auth_cert_needed_ = false;
-  ob_cert_xtn_negotiated_ = false;
+  domain_bound_cert_xtn_negotiated_ = false;
 
   LeaveFunction("");
 }
 
 bool SSLClientSocketNSS::IsConnected() const {
   // Ideally, we should also check if we have received the close_notify alert
   // message from the server, and return false in that case.  We're not doing
   // that, so this function may return a false positive.  Since the upper
   // layer (HttpNetworkTransaction) needs to handle a persistent connection
   // closed by the server when we send a request anyway, a false positive in
@@ skipping 292 matching lines @@
 
 #ifdef SSL_ENABLE_CACHED_INFO
   rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_CACHED_INFO,
                      ssl_config_.cached_info_enabled);
   if (rv != SECSuccess)
     LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_CACHED_INFO");
 #endif
 
 #ifdef SSL_ENABLE_OB_CERTS
   rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_OB_CERTS,
-                     ssl_config_.origin_bound_certs_enabled);
+                     ssl_config_.domain_bound_certs_enabled);
   if (rv != SECSuccess)
     LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_OB_CERTS");
 #endif
 
 #ifdef SSL_ENCRYPT_CLIENT_CERTS
   // For now, enable the encrypted client certificates extension only if
-  // origin-bound certificates are enabled.
+  // server-bound certificates are enabled.
   rv = SSL_OptionSet(nss_fd_, SSL_ENCRYPT_CLIENT_CERTS,
-                     ssl_config_.origin_bound_certs_enabled);
+                     ssl_config_.domain_bound_certs_enabled);
   if (rv != SECSuccess)
     LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENCRYPT_CLIENT_CERTS");
 #endif
 
   rv = SSL_OptionSet(nss_fd_, SSL_HANDSHAKE_AS_CLIENT, PR_TRUE);
   if (rv != SECSuccess) {
     LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_HANDSHAKE_AS_CLIENT");
     return ERR_UNEXPECTED;
   }
 
@@ skipping 281 matching lines @@
     State state = next_handshake_state_;
     GotoState(STATE_NONE);
     switch (state) {
       case STATE_LOAD_SSL_HOST_INFO:
         DCHECK(rv == OK || rv == ERR_IO_PENDING);
         rv = DoLoadSSLHostInfo();
         break;
       case STATE_HANDSHAKE:
         rv = DoHandshake();
         break;
-      case STATE_GET_OB_CERT_COMPLETE:
-        rv = DoGetOBCertComplete(rv);
+      case STATE_GET_DOMAIN_BOUND_CERT_COMPLETE:
+        rv = DoGetDBCertComplete(rv);
         break;
       case STATE_VERIFY_DNSSEC:
         rv = DoVerifyDNSSEC(rv);
         break;
       case STATE_VERIFY_CERT:
         DCHECK(rv == OK);
         rv = DoVerifyCert(rv);
         break;
       case STATE_VERIFY_CERT_COMPLETE:
         rv = DoVerifyCertComplete(rv);
@@ skipping 126 matching lines @@
 
   LeaveFunction("");
   return rv;
 }
 
 int SSLClientSocketNSS::DoHandshake() {
   EnterFunction("");
   int net_error = net::OK;
   SECStatus rv = SSL_ForceHandshake(nss_fd_);
 
-  // TODO(rkn): Handle the case in which origin-bound cert generation takes
+  // TODO(rkn): Handle the case in which server-bound cert generation takes
   // too long and the server has closed the connection. Report some new error
   // code so that the higher level code will attempt to delete the socket and
   // redo the handshake.
 
   if (client_auth_cert_needed_) {
-    if (ob_cert_xtn_negotiated_) {
-      GotoState(STATE_GET_OB_CERT_COMPLETE);
+    if (domain_bound_cert_xtn_negotiated_) {
+      GotoState(STATE_GET_DOMAIN_BOUND_CERT_COMPLETE);
       net_error = ERR_IO_PENDING;
     } else {
       net_error = ERR_SSL_CLIENT_AUTH_CERT_NEEDED;
       net_log_.AddEvent(NetLog::TYPE_SSL_HANDSHAKE_ERROR,
                         make_scoped_refptr(new SSLErrorParams(net_error, 0)));
       // If the handshake already succeeded (because the server requests but
       // doesn't require a client cert), we need to invalidate the SSL session
       // so that we won't try to resume the non-client-authenticated session in
       // the next handshake.  This will cause the server to ask for a client
       // cert again.
@@ skipping 94 matching lines @@
       net_log_.AddEvent(
           NetLog::TYPE_SSL_HANDSHAKE_ERROR,
           make_scoped_refptr(new SSLErrorParams(net_error, prerr)));
     }
   }
 
   LeaveFunction("");
   return net_error;
 }
 
-int SSLClientSocketNSS::ImportOBCertAndKey(CERTCertificate** cert,
+int SSLClientSocketNSS::ImportDBCertAndKey(CERTCertificate** cert,
                                            SECKEYPrivateKey** key) {
   // Set the certificate.
   SECItem cert_item;
-  cert_item.data = (unsigned char*) ob_cert_.data();
-  cert_item.len = ob_cert_.size();
+  cert_item.data = (unsigned char*) domain_bound_cert_.data();
+  cert_item.len = domain_bound_cert_.size();
   *cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
                                   &cert_item,
                                   NULL,
                                   PR_FALSE,
                                   PR_TRUE);
   if (*cert == NULL)
     return MapNSSError(PORT_GetError());
 
   // Set the private key.
-  switch (ob_cert_type_) {
+  switch (domain_bound_cert_type_) {
     case CLIENT_CERT_ECDSA_SIGN: {
       SECKEYPublicKey* public_key = NULL;
       if (!crypto::ECPrivateKey::ImportFromEncryptedPrivateKeyInfo(
-          OriginBoundCertService::kEPKIPassword,
-          reinterpret_cast<const unsigned char*>(ob_private_key_.data()),
-          ob_private_key_.size(),
+          ServerBoundCertService::kEPKIPassword,
+          reinterpret_cast<const unsigned char*>(
+              domain_bound_private_key_.data()),
+          domain_bound_private_key_.size(),
           &(*cert)->subjectPublicKeyInfo,
           false,
           false,
           key,
           &public_key)) {
         CERT_DestroyCertificate(*cert);
         *cert = NULL;
         return MapNSSError(PORT_GetError());
       }
       SECKEY_DestroyPublicKey(public_key);
       break;
     }
 
     default:
       NOTREACHED();
       return ERR_INVALID_ARGUMENT;
   }
 
   return OK;
 }
 
-int SSLClientSocketNSS::DoGetOBCertComplete(int result) {
-  net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_GET_ORIGIN_BOUND_CERT,
+int SSLClientSocketNSS::DoGetDBCertComplete(int result) {
+  net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_GET_DOMAIN_BOUND_CERT,
                                     result);
   client_auth_cert_needed_ = false;
-  ob_cert_request_handle_ = NULL;
+  domain_bound_cert_request_handle_ = NULL;
 
   if (result != OK)
     return result;
 
   CERTCertificate* cert;
   SECKEYPrivateKey* key;
-  int error = ImportOBCertAndKey(&cert, &key);
+  int error = ImportDBCertAndKey(&cert, &key);
   if (error != OK)
     return error;
 
   CERTCertificateList* cert_chain = CERT_CertChainFromCert(cert,
                                                            certUsageSSLClient,
                                                            PR_FALSE);
   net_log_.AddEvent(NetLog::TYPE_SSL_CLIENT_CERT_PROVIDED,
       make_scoped_refptr(new NetLogIntegerParameter("cert_count",
                                                     cert_chain->len)));
   SECStatus rv;
   rv = SSL_RestartHandshakeAfterCertReq(nss_fd_, cert, key, cert_chain);
   if (rv != SECSuccess)
     return MapNSSError(PORT_GetError());
 
   GotoState(STATE_HANDSHAKE);
-  set_origin_bound_cert_type(ob_cert_type_);
+  set_domain_bound_cert_type(domain_bound_cert_type_);
   return OK;
 }
 
 int SSLClientSocketNSS::DoVerifyDNSSEC(int result) {
   DNSValidationResult r = CheckDNSSECChain(host_and_port_.host(),
                                            server_cert_nss_,
                                            host_and_port_.port());
   if (r == DNSVR_SUCCESS) {
     local_server_cert_verify_result_.cert_status |= CERT_STATUS_IS_DNSSEC;
     local_server_cert_verify_result_.verified_cert = server_cert_;
@@ skipping 530 matching lines @@
         base::TimeDelta::FromMilliseconds(kCorkTimeoutMs),
         that, &SSLClientSocketNSS::UncorkAfterTimeout);
   }
 #endif
 
   // Tell NSS to not verify the certificate.
   return SECSuccess;
 }
 
 // static
-bool SSLClientSocketNSS::OriginBoundCertNegotiated(PRFileDesc* socket) {
+bool SSLClientSocketNSS::DomainBoundCertNegotiated(PRFileDesc* socket) {
   PRBool xtn_negotiated = PR_FALSE;
   SECStatus rv = SSL_HandshakeNegotiatedExtension(
       socket, ssl_ob_cert_xtn, &xtn_negotiated);
   DCHECK_EQ(SECSuccess, rv);
 
   return xtn_negotiated ? true : false;
 }
 
-SECStatus SSLClientSocketNSS::OriginBoundClientAuthHandler(
+SECStatus SSLClientSocketNSS::DomainBoundClientAuthHandler(
     const SECItem* cert_types,
     CERTCertificate** result_certificate,
     SECKEYPrivateKey** result_private_key) {
-  ob_cert_xtn_negotiated_ = true;
+  domain_bound_cert_xtn_negotiated_ = true;
 
-  // We have negotiated the origin-bound certificate extension.
+  // We have negotiated the domain-bound certificate extension.
   std::string origin = "https://" + host_and_port_.ToString();
   std::vector<uint8> requested_cert_types(cert_types->data,
                                           cert_types->data + cert_types->len);
-  net_log_.BeginEvent(NetLog::TYPE_SSL_GET_ORIGIN_BOUND_CERT, NULL);
-  int error = origin_bound_cert_service_->GetOriginBoundCert(
+  net_log_.BeginEvent(NetLog::TYPE_SSL_GET_DOMAIN_BOUND_CERT, NULL);
+  int error = server_bound_cert_service_->GetDomainBoundCert(
       origin,
       requested_cert_types,
-      &ob_cert_type_,
-      &ob_private_key_,
-      &ob_cert_,
+      &domain_bound_cert_type_,
+      &domain_bound_private_key_,
+      &domain_bound_cert_,
       base::Bind(&SSLClientSocketNSS::OnHandshakeIOComplete,
                  base::Unretained(this)),
-      &ob_cert_request_handle_);
+      &domain_bound_cert_request_handle_);
 
   if (error == ERR_IO_PENDING) {
     // Asynchronous case.
     client_auth_cert_needed_ = true;
     return SECWouldBlock;
   }
-  net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_GET_ORIGIN_BOUND_CERT,
+  net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_GET_DOMAIN_BOUND_CERT,
                                     error);
 
   SECStatus rv = SECSuccess;
   if (error == OK) {
     // Synchronous success.
-    int result = ImportOBCertAndKey(result_certificate,
+    int result = ImportDBCertAndKey(result_certificate,
                                     result_private_key);
     if (result == OK) {
-      set_origin_bound_cert_type(ob_cert_type_);
+      set_domain_bound_cert_type(domain_bound_cert_type_);
     } else {
       rv = SECFailure;
     }
   } else {
     rv = SECFailure;  // Synchronous failure.
   }
 
   int cert_count = (rv == SECSuccess) ? 1 : 0;
   net_log_.AddEvent(NetLog::TYPE_SSL_CLIENT_CERT_PROVIDED,
       make_scoped_refptr(new NetLogIntegerParameter("cert_count",
@@ skipping 11 matching lines @@
     CERTCertList** result_certs,
     void** result_private_key,
     CERTCertificate** result_nss_certificate,
     SECKEYPrivateKey** result_nss_private_key) {
   SSLClientSocketNSS* that = reinterpret_cast<SSLClientSocketNSS*>(arg);
 
   that->net_log_.AddEvent(NetLog::TYPE_SSL_CLIENT_CERT_REQUESTED, NULL);
 
   const SECItem* cert_types = SSL_GetRequestedClientCertificateTypes(socket);
 
-  // Check if an origin-bound certificate is requested.
-  if (OriginBoundCertNegotiated(socket)) {
-    return that->OriginBoundClientAuthHandler(
+  // Check if a domain-bound certificate is requested.
+  if (DomainBoundCertNegotiated(socket)) {
+    return that->DomainBoundClientAuthHandler(
         cert_types, result_nss_certificate, result_nss_private_key);
   }
 
   that->client_auth_cert_needed_ = !that->ssl_config_.send_client_cert;
 #if defined(OS_WIN)
   if (that->ssl_config_.send_client_cert) {
     if (that->ssl_config_.client_cert) {
       PCCERT_CONTEXT cert_context =
           that->ssl_config_.client_cert->os_cert_handle();
 
@@ skipping 283 matching lines @@
     PRFileDesc* socket,
     CERTDistNames* ca_names,
     CERTCertificate** result_certificate,
     SECKEYPrivateKey** result_private_key) {
   SSLClientSocketNSS* that = reinterpret_cast<SSLClientSocketNSS*>(arg);
 
   that->net_log_.AddEvent(NetLog::TYPE_SSL_CLIENT_CERT_REQUESTED, NULL);
 
   const SECItem* cert_types = SSL_GetRequestedClientCertificateTypes(socket);
 
-  // Check if an origin-bound certificate is requested.
-  if (OriginBoundCertNegotiated(socket)) {
-    return that->OriginBoundClientAuthHandler(
+  // Check if a domain-bound certificate is requested.
+  if (DomainBoundCertNegotiated(socket)) {
+    return that->DomainBoundClientAuthHandler(
         cert_types, result_certificate, result_private_key);
   }
 
   // Regular client certificate requested.
   that->client_auth_cert_needed_ = !that->ssl_config_.send_client_cert;
   void* wincx  = SSL_RevealPinArg(socket);
 
   // Second pass: a client certificate should have been selected.
   if (that->ssl_config_.send_client_cert) {
     if (that->ssl_config_.client_cert) {
@@ skipping 133 matching lines @@
     return;
   valid_thread_id_ = base::PlatformThread::CurrentId();
 }
 
 bool SSLClientSocketNSS::CalledOnValidThread() const {
   EnsureThreadIdAssigned();
   base::AutoLock auto_lock(lock_);
   return valid_thread_id_ == base::PlatformThread::CurrentId();
 }
 
-OriginBoundCertService* SSLClientSocketNSS::GetOriginBoundCertService() const {
-  return origin_bound_cert_service_;
+ServerBoundCertService* SSLClientSocketNSS::GetServerBoundCertService() const {
+  return server_bound_cert_service_;
 }
 
 }  // namespace net