author | wtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-06-11 17:02:20 +0000 |
---|---|---|
committer | wtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-06-11 17:02:20 +0000 |
commit | fd4f139fe08bc9596a7295fb5fee8300fb34856a (patch) | |
tree | 1a01ad68092ad448907764d7d6c87ee48bcf4ad5 /net/socket/ssl_client_socket_nss.cc | |
parent | 52f139e2c4189849974901c38aa47b739a40d98a (diff) | |
Second attempt to land r49489.
Use NSS for SSL by default on Mac OS X.
To use Mac OS X Secure Transport in Chromium, specify the --use-system-ssl
command-line switch, which also replaced the --use-schannel command-line
switch for Windows. All other programs are hardcoded to use NSS for SSL.
If SSL client authentication is requested, fall back on Mac OS X Secure
Transport for now.
Original review URL: http://codereview.chromium.org/2747002/show
R=mark,mbelshe
BUG=30689
TEST=none
Review URL: http://codereview.chromium.org/2769012
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@49540 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/socket/ssl_client_socket_nss.cc')
-rw-r--r-- | net/socket/ssl_client_socket_nss.cc | 34 |
1 files changed, 30 insertions, 4 deletions
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index 085e52c..44aa579 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -1268,10 +1268,36 @@ SECStatus SSLClientSocketNSS::ClientAuthHandler(
 // handshake by returning ERR_SSL_CLIENT_AUTH_CERT_NEEDED.
 return SECWouldBlock;
 #elif defined(OS_MACOSX)
- // TODO(wtc): see http://crbug.com/45369.
- // Not implemented. Send no client certificate.
- PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
- return SECFailure;
+ if (that->ssl_config_.send_client_cert) {
+ // TODO(wtc): SSLClientSocketNSS can't do SSL client authentication using
+ // CDSA/CSSM yet (http://crbug.com/45369), so client_cert must be NULL.
+ DCHECK(!that->ssl_config_.client_cert);
+ // Send no client certificate.
+ return SECFailure;
+ }
+
+ that->client_certs_.clear();
+
+ // First, get the cert issuer names allowed by the server.
+ std::vector<CertPrincipal> valid_issuers;
+ int n = ca_names->nnames;
+ for (int i = 0; i < n; i++) {
+ // Parse each name into a CertPrincipal object.
+ CertPrincipal p;
+ if (p.ParseDistinguishedName(ca_names->names[i].data,
+ ca_names->names[i].len)) {
+ valid_issuers.push_back(p);
+ }
+ }
+
+ // Now get the available client certs whose issuers are allowed by the server.
+ X509Certificate::GetSSLClientCertificates(that->hostname_,
+ valid_issuers,
+ &that->client_certs_);
+
+ // Tell NSS to suspend the client authentication. We will then abort the
+ // handshake by returning ERR_SSL_CLIENT_AUTH_CERT_NEEDED.
+ return SECWouldBlock;
 #else
 CERTCertificate* cert = NULL;
 SECKEYPrivateKey* privkey = NULL;
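Review bot: The new early-return for `send_client_cert` returns SECFailure without first calling PORT_SetError, whereas the four lines it replaces set PR_NOT_IMPLEMENTED_ERROR before failing; NSS and any caller that reads PR_GetError() after this hook will see whatever stale error code was last set on the thread. Restoring `PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);` immediately before that `return SECFailure;` keeps the failure reason deterministic and matches the Windows branch's explicit handling. The DCHECK on `client_cert` only fires in debug builds; in a release build a non-NULL client_cert would presumably be dropped silently and the handshake would continue without client authentication, so it is worth a comment on that line stating that configs with a client cert are expected to be routed to Secure Transport by the socket factory (as the description says) rather than ever reaching this path. `ca_names` is server-supplied, so the loop is parsing untrusted DER; ParseDistinguishedName returning false for a malformed name is handled, but a comment saying so would make the intent clear. ClientAuthHandler starts and ends outside this hunk.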