| Index: net/socket/ssl_client_socket_nss.cc
|
| diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
|
| index 2b9c73dca20f69c3559f49b30bd89e6598843a95..0d712e38754903bf5cfb4e7e51dd42bb28f3fb25 100644
|
| --- a/net/socket/ssl_client_socket_nss.cc
|
| +++ b/net/socket/ssl_client_socket_nss.cc
|
| @@ -447,10 +447,10 @@ SSLClientSocketNSS::SSLClientSocketNSS(ClientSocketHandle* transport_socket,
|
| ssl_connection_status_(0),
|
| client_auth_cert_needed_(false),
|
| cert_verifier_(context.cert_verifier),
|
| - ob_cert_xtn_negotiated_(false),
|
| - origin_bound_cert_service_(context.origin_bound_cert_service),
|
| - ob_cert_type_(CLIENT_CERT_INVALID_TYPE),
|
| - ob_cert_request_handle_(NULL),
|
| + domain_bound_cert_xtn_negotiated_(false),
|
| + server_bound_cert_service_(context.server_bound_cert_service),
|
| + domain_bound_cert_type_(CLIENT_CERT_INVALID_TYPE),
|
| + domain_bound_cert_request_handle_(NULL),
|
| handshake_callback_called_(false),
|
| completed_handshake_(false),
|
| ssl_session_cache_shard_(context.ssl_session_cache_shard),
|
| @@ -500,7 +500,7 @@ void SSLClientSocketNSS::GetSSLInfo(SSLInfo* ssl_info) {
|
| }
|
| ssl_info->is_issued_by_known_root =
|
| server_cert_verify_result_->is_issued_by_known_root;
|
| - ssl_info->client_cert_sent = WasOriginBoundCertSent() ||
|
| + ssl_info->client_cert_sent = WasDomainBoundCertSent() ||
|
| (ssl_config_.send_client_cert && ssl_config_.client_cert);
|
|
|
| PRUint16 cipher_suite =
|
| @@ -622,9 +622,10 @@ void SSLClientSocketNSS::Disconnect() {
|
| verifier_.reset();
|
| transport_->socket()->Disconnect();
|
|
|
| - if (ob_cert_request_handle_ != NULL) {
|
| - origin_bound_cert_service_->CancelRequest(ob_cert_request_handle_);
|
| - ob_cert_request_handle_ = NULL;
|
| + if (domain_bound_cert_request_handle_ != NULL) {
|
| + server_bound_cert_service_->CancelRequest(
|
| + domain_bound_cert_request_handle_);
|
| + domain_bound_cert_request_handle_ = NULL;
|
| }
|
|
|
| // TODO(wtc): Send SSL close_notify alert.
|
| @@ -658,7 +659,7 @@ void SSLClientSocketNSS::Disconnect() {
|
| nss_bufs_ = NULL;
|
| client_certs_.clear();
|
| client_auth_cert_needed_ = false;
|
| - ob_cert_xtn_negotiated_ = false;
|
| + domain_bound_cert_xtn_negotiated_ = false;
|
|
|
| LeaveFunction("");
|
| }
|
| @@ -971,16 +972,16 @@ int SSLClientSocketNSS::InitializeSSLOptions() {
|
|
|
| #ifdef SSL_ENABLE_OB_CERTS
|
| rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_OB_CERTS,
|
| - ssl_config_.origin_bound_certs_enabled);
|
| + ssl_config_.domain_bound_certs_enabled);
|
| if (rv != SECSuccess)
|
| LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_OB_CERTS");
|
| #endif
|
|
|
| #ifdef SSL_ENCRYPT_CLIENT_CERTS
|
| // For now, enable the encrypted client certificates extension only if
|
| - // origin-bound certificates are enabled.
|
| + // server-bound certificates are enabled.
|
| rv = SSL_OptionSet(nss_fd_, SSL_ENCRYPT_CLIENT_CERTS,
|
| - ssl_config_.origin_bound_certs_enabled);
|
| + ssl_config_.domain_bound_certs_enabled);
|
| if (rv != SECSuccess)
|
| LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENCRYPT_CLIENT_CERTS");
|
| #endif
|
| @@ -1282,8 +1283,8 @@ int SSLClientSocketNSS::DoHandshakeLoop(int last_io_result) {
|
| case STATE_HANDSHAKE:
|
| rv = DoHandshake();
|
| break;
|
| - case STATE_GET_OB_CERT_COMPLETE:
|
| - rv = DoGetOBCertComplete(rv);
|
| + case STATE_GET_DOMAIN_BOUND_CERT_COMPLETE:
|
| + rv = DoGetDBCertComplete(rv);
|
| break;
|
| case STATE_VERIFY_DNSSEC:
|
| rv = DoVerifyDNSSEC(rv);
|
| @@ -1430,14 +1431,14 @@ int SSLClientSocketNSS::DoHandshake() {
|
| int net_error = net::OK;
|
| SECStatus rv = SSL_ForceHandshake(nss_fd_);
|
|
|
| - // TODO(rkn): Handle the case in which origin-bound cert generation takes
|
| + // TODO(rkn): Handle the case in which server-bound cert generation takes
|
| // too long and the server has closed the connection. Report some new error
|
| // code so that the higher level code will attempt to delete the socket and
|
| // redo the handshake.
|
|
|
| if (client_auth_cert_needed_) {
|
| - if (ob_cert_xtn_negotiated_) {
|
| - GotoState(STATE_GET_OB_CERT_COMPLETE);
|
| + if (domain_bound_cert_xtn_negotiated_) {
|
| + GotoState(STATE_GET_DOMAIN_BOUND_CERT_COMPLETE);
|
| net_error = ERR_IO_PENDING;
|
| } else {
|
| net_error = ERR_SSL_CLIENT_AUTH_CERT_NEEDED;
|
| @@ -1552,12 +1553,12 @@ int SSLClientSocketNSS::DoHandshake() {
|
| return net_error;
|
| }
|
|
|
| -int SSLClientSocketNSS::ImportOBCertAndKey(CERTCertificate** cert,
|
| +int SSLClientSocketNSS::ImportDBCertAndKey(CERTCertificate** cert,
|
| SECKEYPrivateKey** key) {
|
| // Set the certificate.
|
| SECItem cert_item;
|
| - cert_item.data = (unsigned char*) ob_cert_.data();
|
| - cert_item.len = ob_cert_.size();
|
| + cert_item.data = (unsigned char*) domain_bound_cert_.data();
|
| + cert_item.len = domain_bound_cert_.size();
|
| *cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
|
| &cert_item,
|
| NULL,
|
| @@ -1567,13 +1568,14 @@ int SSLClientSocketNSS::ImportOBCertAndKey(CERTCertificate** cert,
|
| return MapNSSError(PORT_GetError());
|
|
|
| // Set the private key.
|
| - switch (ob_cert_type_) {
|
| + switch (domain_bound_cert_type_) {
|
| case CLIENT_CERT_ECDSA_SIGN: {
|
| SECKEYPublicKey* public_key = NULL;
|
| if (!crypto::ECPrivateKey::ImportFromEncryptedPrivateKeyInfo(
|
| - OriginBoundCertService::kEPKIPassword,
|
| - reinterpret_cast<const unsigned char*>(ob_private_key_.data()),
|
| - ob_private_key_.size(),
|
| + ServerBoundCertService::kEPKIPassword,
|
| + reinterpret_cast<const unsigned char*>(
|
| + domain_bound_private_key_.data()),
|
| + domain_bound_private_key_.size(),
|
| &(*cert)->subjectPublicKeyInfo,
|
| false,
|
| false,
|
| @@ -1595,18 +1597,18 @@ int SSLClientSocketNSS::ImportOBCertAndKey(CERTCertificate** cert,
|
| return OK;
|
| }
|
|
|
| -int SSLClientSocketNSS::DoGetOBCertComplete(int result) {
|
| - net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_GET_ORIGIN_BOUND_CERT,
|
| +int SSLClientSocketNSS::DoGetDBCertComplete(int result) {
|
| + net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_GET_DOMAIN_BOUND_CERT,
|
| result);
|
| client_auth_cert_needed_ = false;
|
| - ob_cert_request_handle_ = NULL;
|
| + domain_bound_cert_request_handle_ = NULL;
|
|
|
| if (result != OK)
|
| return result;
|
|
|
| CERTCertificate* cert;
|
| SECKEYPrivateKey* key;
|
| - int error = ImportOBCertAndKey(&cert, &key);
|
| + int error = ImportDBCertAndKey(&cert, &key);
|
| if (error != OK)
|
| return error;
|
|
|
| @@ -1622,7 +1624,7 @@ int SSLClientSocketNSS::DoGetOBCertComplete(int result) {
|
| return MapNSSError(PORT_GetError());
|
|
|
| GotoState(STATE_HANDSHAKE);
|
| - set_origin_bound_cert_type(ob_cert_type_);
|
| + set_domain_bound_cert_type(domain_bound_cert_type_);
|
| return OK;
|
| }
|
|
|
| @@ -2173,7 +2175,7 @@ SECStatus SSLClientSocketNSS::OwnAuthCertHandler(void* arg,
|
| }
|
|
|
| // static
|
| -bool SSLClientSocketNSS::OriginBoundCertNegotiated(PRFileDesc* socket) {
|
| +bool SSLClientSocketNSS::DomainBoundCertNegotiated(PRFileDesc* socket) {
|
| PRBool xtn_negotiated = PR_FALSE;
|
| SECStatus rv = SSL_HandshakeNegotiatedExtension(
|
| socket, ssl_ob_cert_xtn, &xtn_negotiated);
|
| @@ -2182,42 +2184,42 @@ bool SSLClientSocketNSS::OriginBoundCertNegotiated(PRFileDesc* socket) {
|
| return xtn_negotiated ? true : false;
|
| }
|
|
|
| -SECStatus SSLClientSocketNSS::OriginBoundClientAuthHandler(
|
| +SECStatus SSLClientSocketNSS::DomainBoundClientAuthHandler(
|
| const SECItem* cert_types,
|
| CERTCertificate** result_certificate,
|
| SECKEYPrivateKey** result_private_key) {
|
| - ob_cert_xtn_negotiated_ = true;
|
| + domain_bound_cert_xtn_negotiated_ = true;
|
|
|
| - // We have negotiated the origin-bound certificate extension.
|
| + // We have negotiated the domain-bound certificate extension.
|
| std::string origin = "https://" + host_and_port_.ToString();
|
| std::vector<uint8> requested_cert_types(cert_types->data,
|
| cert_types->data + cert_types->len);
|
| - net_log_.BeginEvent(NetLog::TYPE_SSL_GET_ORIGIN_BOUND_CERT, NULL);
|
| - int error = origin_bound_cert_service_->GetOriginBoundCert(
|
| + net_log_.BeginEvent(NetLog::TYPE_SSL_GET_DOMAIN_BOUND_CERT, NULL);
|
| + int error = server_bound_cert_service_->GetDomainBoundCert(
|
| origin,
|
| requested_cert_types,
|
| - &ob_cert_type_,
|
| - &ob_private_key_,
|
| - &ob_cert_,
|
| + &domain_bound_cert_type_,
|
| + &domain_bound_private_key_,
|
| + &domain_bound_cert_,
|
| base::Bind(&SSLClientSocketNSS::OnHandshakeIOComplete,
|
| base::Unretained(this)),
|
| - &ob_cert_request_handle_);
|
| + &domain_bound_cert_request_handle_);
|
|
|
| if (error == ERR_IO_PENDING) {
|
| // Asynchronous case.
|
| client_auth_cert_needed_ = true;
|
| return SECWouldBlock;
|
| }
|
| - net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_GET_ORIGIN_BOUND_CERT,
|
| + net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_GET_DOMAIN_BOUND_CERT,
|
| error);
|
|
|
| SECStatus rv = SECSuccess;
|
| if (error == OK) {
|
| // Synchronous success.
|
| - int result = ImportOBCertAndKey(result_certificate,
|
| + int result = ImportDBCertAndKey(result_certificate,
|
| result_private_key);
|
| if (result == OK) {
|
| - set_origin_bound_cert_type(ob_cert_type_);
|
| + set_domain_bound_cert_type(domain_bound_cert_type_);
|
| } else {
|
| rv = SECFailure;
|
| }
|
| @@ -2249,9 +2251,9 @@ SECStatus SSLClientSocketNSS::PlatformClientAuthHandler(
|
|
|
| const SECItem* cert_types = SSL_GetRequestedClientCertificateTypes(socket);
|
|
|
| - // Check if an origin-bound certificate is requested.
|
| - if (OriginBoundCertNegotiated(socket)) {
|
| - return that->OriginBoundClientAuthHandler(
|
| + // Check if a domain-bound certificate is requested.
|
| + if (DomainBoundCertNegotiated(socket)) {
|
| + return that->DomainBoundClientAuthHandler(
|
| cert_types, result_nss_certificate, result_nss_private_key);
|
| }
|
|
|
| @@ -2555,9 +2557,9 @@ SECStatus SSLClientSocketNSS::ClientAuthHandler(
|
|
|
| const SECItem* cert_types = SSL_GetRequestedClientCertificateTypes(socket);
|
|
|
| - // Check if an origin-bound certificate is requested.
|
| - if (OriginBoundCertNegotiated(socket)) {
|
| - return that->OriginBoundClientAuthHandler(
|
| + // Check if a domain-bound certificate is requested.
|
| + if (DomainBoundCertNegotiated(socket)) {
|
| + return that->DomainBoundClientAuthHandler(
|
| cert_types, result_certificate, result_private_key);
|
| }
|
|
|
| @@ -2711,8 +2713,8 @@ bool SSLClientSocketNSS::CalledOnValidThread() const {
|
| return valid_thread_id_ == base::PlatformThread::CurrentId();
|
| }
|
|
|
| -OriginBoundCertService* SSLClientSocketNSS::GetOriginBoundCertService() const {
|
| - return origin_bound_cert_service_;
|
| +ServerBoundCertService* SSLClientSocketNSS::GetServerBoundCertService() const {
|
| + return server_bound_cert_service_;
|
| }
|
|
|
| } // namespace net
|
|
|
Chromium Code Reviews
Issue 9617039:
Change Origin bound certs -> Domain bound certs. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src