diff options
| author | snej@chromium.org <snej@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-03-26 21:37:54 +0000 |
|---|---|---|
| committer | snej@chromium.org <snej@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-03-26 21:37:54 +0000 |
| commit | d3002098f8982ac54901ce9fdc8e81cdb725d8e6 (patch) | |
| tree | 4cd95eb31701c7b27e0518d46f1ae0d6a62d05ab /net/socket | |
| parent | af3719864762ddf3e061ba24129d054e3a722930 (diff) | |
| download | chromium_src-d3002098f8982ac54901ce9fdc8e81cdb725d8e6.zip chromium_src-d3002098f8982ac54901ce9fdc8e81cdb725d8e6.tar.gz chromium_src-d3002098f8982ac54901ce9fdc8e81cdb725d8e6.tar.bz2 | |
Mac: Make client-cert picker only show certs the server will accept.
BUG=38691
TEST=manual testing with various sites
Review URL: http://codereview.chromium.org/1128008
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@42822 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/socket')
| -rw-r--r-- | net/socket/ssl_client_socket_mac.cc | 29 |
1 files changed, 21 insertions, 8 deletions
diff --git a/net/socket/ssl_client_socket_mac.cc b/net/socket/ssl_client_socket_mac.cc index 4cf7722..ad3c747 100644 --- a/net/socket/ssl_client_socket_mac.cc +++ b/net/socket/ssl_client_socket_mac.cc @@ -655,19 +655,32 @@ void SSLClientSocketMac::GetSSLInfo(SSLInfo* ssl_info) { void SSLClientSocketMac::GetSSLCertRequestInfo( SSLCertRequestInfo* cert_request_info) { // I'm being asked for available client certs (identities). - - CFArrayRef allowed_issuer_names = NULL; - if (SSLCopyDistinguishedNames(ssl_context_, &allowed_issuer_names) == noErr && - allowed_issuer_names != NULL) { - SSL_LOG << "Server has " << CFArrayGetCount(allowed_issuer_names) - << " allowed issuer names"; - CFRelease(allowed_issuer_names); - // TODO(snej): Filter GetSSLClientCertificates using this array. + // First, get the cert issuer names allowed by the server. + std::vector<CertPrincipal> valid_issuers; + CFArrayRef valid_issuer_names = NULL; + if (SSLCopyDistinguishedNames(ssl_context_, &valid_issuer_names) == noErr && + valid_issuer_names != NULL) { + SSL_LOG << "Server has " << CFArrayGetCount(valid_issuer_names) + << " valid issuer names"; + int n = CFArrayGetCount(valid_issuer_names); + for (int i = 0; i < n; i++) { + // Parse each name into a CertPrincipal object. + CFDataRef issuer = reinterpret_cast<CFDataRef>( + CFArrayGetValueAtIndex(valid_issuer_names, i)); + CertPrincipal p; + if (p.ParseDistinguishedName(CFDataGetBytePtr(issuer), + CFDataGetLength(issuer))) { + valid_issuers.push_back(p); + } + } + CFRelease(valid_issuer_names); } + // Now get the available client certs whose issuers are allowed by the server. cert_request_info->host_and_port = hostname_; cert_request_info->client_certs.clear(); X509Certificate::GetSSLClientCertificates(hostname_, + valid_issuers, &cert_request_info->client_certs); SSL_LOG << "Asking user to choose between " << cert_request_info->client_certs.size() << " client certs..."; |