authorhclam@chromium.org <hclam@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-12-23 09:54:15 +0000
committerhclam@chromium.org <hclam@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-12-23 09:54:15 +0000
commitf61c397ae7c8d07762b02d6578928163e2a8eca0 (patch)
tree3c029791e1a36b1218b5378c5e7b579d84023755 /net/base
parent88616f47602e8a2a16c65ca0a59444e0ce550772 (diff)
Defines SSLServerSocket and implements SSLServerSocketNSS
Defines an SSLServerSocket interface. Implement this interface using NSS as SSLServerSocketNSS. This is the first version of the code. It disables several functions of NSS such as caching, session tickets, renegotiation, etc. This is implemented to suit the needs of Chromoting. Additional features of this socket will be added when necessary. BUG=None TEST=None Review URL: http://codereview.chromium.org/5746003 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@70041 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/base')
-rw-r--r--net/base/net_log_event_type_list.h3
-rw-r--r--net/base/ssl_config_service.cc5
-rw-r--r--net/base/ssl_config_service.h5
-rw-r--r--net/base/x509_certificate.h5
-rw-r--r--net/base/x509_certificate_mac.cc11
-rw-r--r--net/base/x509_certificate_nss.cc9
-rw-r--r--net/base/x509_certificate_openssl.cc5
-rw-r--r--net/base/x509_certificate_unittest.cc12
-rw-r--r--net/base/x509_certificate_win.cc9
9 files changed, 62 insertions, 2 deletions
diff --git a/net/base/net_log_event_type_list.h b/net/base/net_log_event_type_list.h
index e571685..f1bc4f8 100644
--- a/net/base/net_log_event_type_list.h
+++ b/net/base/net_log_event_type_list.h
@@ -325,6 +325,9 @@ EVENT_TYPE(SOCKS_UNKNOWN_ADDRESS_TYPE)
// The start/end of a SSL connect().
EVENT_TYPE(SSL_CONNECT)
+// The start/end of a SSL accept().
+EVENT_TYPE(SSL_ACCEPT)
+
// An SSL error occurred while trying to do the indicated activity.
// The following parameters are attached to the event:
// {
diff --git a/net/base/ssl_config_service.cc b/net/base/ssl_config_service.cc
index 9b0a903..d02df38 100644
--- a/net/base/ssl_config_service.cc
+++ b/net/base/ssl_config_service.cc
@@ -23,8 +23,9 @@ SSLConfig::SSLConfig()
: rev_checking_enabled(true), ssl3_enabled(true),
tls1_enabled(true), dnssec_enabled(false), snap_start_enabled(false),
dns_cert_provenance_checking_enabled(false),
- mitm_proxies_allowed(false), false_start_enabled(true),
- send_client_cert(false), verify_ev_cert(false), ssl3_fallback(false) {
+ session_resume_disabled(false), mitm_proxies_allowed(false),
+ false_start_enabled(true), send_client_cert(false),
+ verify_ev_cert(false), ssl3_fallback(false) {
}
SSLConfig::~SSLConfig() {
diff --git a/net/base/ssl_config_service.h b/net/base/ssl_config_service.h
index c1ae553..de2ebef 100644
--- a/net/base/ssl_config_service.h
+++ b/net/base/ssl_config_service.h
@@ -32,6 +32,11 @@ struct SSLConfig {
// True if we'll do async checks for certificate provenance using DNS.
bool dns_cert_provenance_checking_enabled;
+ // TODO(hclam): This option is used to simplify the SSLServerSocketNSS
+ // implementation and should be removed when session caching is implemented.
+ // See http://crbug.com/67236 for more details.
+ bool session_resume_disabled; // Don't allow session resume.
+
// Cipher suites which should be explicitly prevented from being used in
// addition to those disabled by the net built-in policy -- by default, all
// cipher suites supported by the underlying SSL implementation will be
diff --git a/net/base/x509_certificate.h b/net/base/x509_certificate.h
index 3ee7304..c59c33c 100644
--- a/net/base/x509_certificate.h
+++ b/net/base/x509_certificate.h
@@ -287,6 +287,11 @@ class X509Certificate : public base::RefCountedThreadSafe<X509Certificate> {
int flags,
CertVerifyResult* verify_result) const;
+ // This method returns the DER encoded certificate.
+ // If the return value is true then the DER encoded certificate is available.
+ // The content of the DER encoded certificate is written to |encoded|.
+ bool GetDEREncoded(std::string* encoded);
+
OSCertHandle os_cert_handle() const { return cert_handle_; }
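Review bot: The new declaration `bool GetDEREncoded(std::string* encoded);` is non-const although every implementation in this commit only reads `cert_handle_`, so it should be `bool GetDEREncoded(std::string* encoded) const;` like the neighbouring `os_cert_handle()`. The comment also leaves the state of |encoded| on failure undefined, and the four implementations disagree: the Mac version clears it before the call, the NSS and Windows versions clear it only on success, and the OpenSSL stub never touches it, so a caller that reuses a buffer can see stale bytes on platforms that return false. Pick one contract and state it, e.g. `// On failure |encoded| is cleared.`, then make the x509_certificate_nss.cc, x509_certificate_openssl.cc and x509_certificate_win.cc hunks follow it.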
// Returns true if two OSCertHandles refer to identical certificates.
diff --git a/net/base/x509_certificate_mac.cc b/net/base/x509_certificate_mac.cc
index f7c89e4..fd965cb3 100644
--- a/net/base/x509_certificate_mac.cc
+++ b/net/base/x509_certificate_mac.cc
@@ -651,6 +651,17 @@ int X509Certificate::Verify(const std::string& hostname, int flags,
return OK;
}
+bool X509Certificate::GetDEREncoded(std::string* encoded) {
+ encoded->clear();
+ CSSM_DATA der_data;
+ if(SecCertificateGetData(cert_handle_, &der_data) == noErr) {
+ encoded->append(reinterpret_cast<char*>(der_data.Data),
+ der_data.Length);
+ return true;
+ }
+ return false;
+}
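Review bot: `if(SecCertificateGetData(cert_handle_, &der_data) == noErr) {` is missing the space after `if` that the rest of this file uses; write `if (SecCertificateGetData(cert_handle_, &der_data) == noErr) {`. The cast could be `reinterpret_cast<const char*>(der_data.Data)` since the bytes are only read, which also documents that the buffer stays owned by the certificate. This implementation is the only one that clears |encoded| unconditionally, which is the clearer contract for the other platforms to adopt.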
+
bool X509Certificate::VerifyEV() const {
// We don't call this private method, but we do need to implement it because
// it's defined in x509_certificate.h. We perform EV checking in the
diff --git a/net/base/x509_certificate_nss.cc b/net/base/x509_certificate_nss.cc
index 2962cb5..05e736c 100644
--- a/net/base/x509_certificate_nss.cc
+++ b/net/base/x509_certificate_nss.cc
@@ -829,6 +829,15 @@ bool X509Certificate::VerifyEV() const {
return true;
}
+bool X509Certificate::GetDEREncoded(std::string* encoded) {
+ if (!cert_handle_->derCert.len)
+ return false;
+ encoded->clear();
+ encoded->append(reinterpret_cast<char*>(cert_handle_->derCert.data),
+ cert_handle_->derCert.len);
+ return true;
+}
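Review bot: The guard on `derCert.len` does not also check `derCert.data`, unlike the Windows version in this same commit which rejects a null `pbCertEncoded`; a zero-length or null buffer should be treated the same way on both platforms, `if (!cert_handle_->derCert.data || !cert_handle_->derCert.len)`. NSS presumably never hands out a non-zero `len` with a null `data`, so this is mostly for symmetry, but it keeps `append` from ever being called on a null pointer. As noted on the header hunk, |encoded| is left unchanged here when returning false, which differs from the Mac implementation.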
+
// static
bool X509Certificate::IsSameOSCert(X509Certificate::OSCertHandle a,
X509Certificate::OSCertHandle b) {
diff --git a/net/base/x509_certificate_openssl.cc b/net/base/x509_certificate_openssl.cc
index c6ffb2c..cf43610 100644
--- a/net/base/x509_certificate_openssl.cc
+++ b/net/base/x509_certificate_openssl.cc
@@ -462,6 +462,11 @@ int X509Certificate::Verify(const std::string& hostname,
return OK;
}
+bool X509Certificate::GetDEREncoded(std::string* encoded) {
+ // TODO(port): Implement.
+ return false;
+}
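Review bot: The OpenSSL stub returns false silently and ignores |encoded|, so on that port a missing feature is indistinguishable from a certificate with no DER data; consider `NOTIMPLEMENTED();` (already used for other unported paths in Chromium's base/logging.h) before the `return false;` and `encoded->clear();` so the out-parameter contract matches the other platforms. The OpenSSL API for this is the standard `i2d_X509` serializer, which would let the TODO be closed in a follow-up rather than leaving a silent false on one platform.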
+
// static
bool X509Certificate::IsSameOSCert(X509Certificate::OSCertHandle a,
X509Certificate::OSCertHandle b) {
diff --git a/net/base/x509_certificate_unittest.cc b/net/base/x509_certificate_unittest.cc
index 83c11fa..dba5ef3 100644
--- a/net/base/x509_certificate_unittest.cc
+++ b/net/base/x509_certificate_unittest.cc
@@ -672,6 +672,18 @@ TEST(X509CertificateTest, CreateSelfSigned) {
EXPECT_EQ("subject", cert->subject().GetDisplayName());
EXPECT_FALSE(cert->HasExpired());
}
+
+TEST(X509CertificateTest, GetDEREncoded) {
+ scoped_ptr<base::RSAPrivateKey> private_key(
+ base::RSAPrivateKey::Create(1024));
+ scoped_refptr<net::X509Certificate> cert =
+ net::X509Certificate::CreateSelfSigned(
+ private_key.get(), "CN=subject", 0, base::TimeDelta::FromDays(1));
+
+ std::string der_cert;
+ EXPECT_TRUE(cert->GetDEREncoded(&der_cert));
+ EXPECT_FALSE(der_cert.empty());
+}
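Review bot: The new test only proves the output is non-empty; it does not check that the bytes are actually DER. A cheap structural check is that a DER-encoded X.509 certificate starts with a SEQUENCE tag, `EXPECT_EQ(0x30, static_cast<unsigned char>(der_cert[0]));`, and `ASSERT_TRUE(cert.get());` should precede the dereference so a failed `CreateSelfSigned` fails clearly instead of crashing. The test sits inside a conditional-compilation block whose `#if` is outside the hunk (only the `#endif` is visible); since the OpenSSL implementation in this commit always returns false, confirm that block excludes the OpenSSL build.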
#endif
class X509CertificateParseTest
diff --git a/net/base/x509_certificate_win.cc b/net/base/x509_certificate_win.cc
index 568c1fd..663563d 100644
--- a/net/base/x509_certificate_win.cc
+++ b/net/base/x509_certificate_win.cc
@@ -843,6 +843,15 @@ int X509Certificate::Verify(const std::string& hostname,
return OK;
}
+bool X509Certificate::GetDEREncoded(std::string* encoded) {
+ if (!cert_handle_->pbCertEncoded || !cert_handle_->cbCertEncoded)
+ return false;
+ encoded->clear();
+ encoded->append(reinterpret_cast<char*>(cert_handle_->pbCertEncoded),
+ cert_handle_->cbCertEncoded);
+ return true;
+}
+
// Returns true if the certificate is an extended-validation certificate.
//
// This function checks the certificatePolicies extensions of the