author | wtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-06-04 18:17:23 +0000 |
---|---|---|
committer | wtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-06-04 18:17:23 +0000 |
commit | e9b084c2af3b8831f1d872691184da32e7df5b92 (patch) | |
tree | 994040e79c5b5c9fd2b38a659053cf61019aa3e7 /net/socket | |
parent | 7edfe106be9de3a636a27304534c246c0f2f36b0 (diff) | |
Fix a regression on Windows introduced by r48650.
For some reason, passing NULL as the hCertStore argument
to CertAddEncodedCertificateToStore causes CertGetCertificateChain
to fail to build the certificate chain for some servers,
even though the hCertStore member of the server certificate
context should contain its CA certificates.
So I reverted to passing our in-memory certificate store
as the hCertStore argument to CertAddEncodedCertificateToStore.
R=agl,mark
BUG=45706
TEST=Visit https://moversguide.usps.com/ on Windows. Should
not get the "certificate is not trusted" SSL error page.
Review URL: http://codereview.chromium.org/2605007
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@48953 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/socket')
-rw-r--r-- | net/socket/ssl_client_socket_nss.cc | 31 | ||||
-rw-r--r-- | net/socket/ssl_client_socket_nss.h | 12 |
2 files changed, 34 insertions, 9 deletions
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index f015b57..085e52c 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -656,6 +656,29 @@ bool SSLClientSocketNSS::SetSendBufferSize(int32 size) {
   return transport_->SetSendBufferSize(size);
 }
 
+#if defined(OS_WIN)
+// static
+X509Certificate::OSCertHandle SSLClientSocketNSS::CreateOSCert(
+    const SECItem& der_cert) {
+  // TODO(wtc): close cert_store_ at shutdown.
+  if (!cert_store_)
+    cert_store_ = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, NULL, 0, NULL);
+
+  X509Certificate::OSCertHandle cert_handle = NULL;
+  BOOL ok = CertAddEncodedCertificateToStore(
+      cert_store_, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
+      der_cert.data, der_cert.len, CERT_STORE_ADD_USE_EXISTING, &cert_handle);
+  return ok ? cert_handle : NULL;
+}
+#elif defined(OS_MACOSX)
+// static
+X509Certificate::OSCertHandle SSLClientSocketNSS::CreateOSCert(
+    const SECItem& der_cert) {
+  return X509Certificate::CreateOSCertHandleFromBytes(
+      reinterpret_cast<char*>(der_cert.data), der_cert.len);
+}
+#endif
+
 X509Certificate *SSLClientSocketNSS::UpdateServerCert() {
   // We set the server_cert_ from OwnAuthCertHandler(), but this handler
   // does not necessarily get called if we are continuing a cached SSL
@@ -686,9 +709,7 @@ X509Certificate *SSLClientSocketNSS::UpdateServerCert() {
       if (IsProblematicComodoEVCACert(*node->cert))
         continue;
 #endif
-      cert_handle = X509Certificate::CreateOSCertHandleFromBytes(
-          reinterpret_cast<char*>(node->cert->derCert.data),
-          node->cert->derCert.len);
+      cert_handle = CreateOSCert(node->cert->derCert);
       DCHECK(cert_handle);
       intermediate_ca_certs.push_back(cert_handle);
     }
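Review bot: The Windows CreateOSCert never checks that CertOpenStore succeeded, so if the lazy open fails cert_store_ stays NULL and CertAddEncodedCertificateToStore is called with a NULL hCertStore — exactly the call this commit exists to avoid, which per the description leaves CertGetCertificateChain unable to build chains for some servers. Because the description implies the NULL-store call itself still succeeds, the regression would come back silently on that path instead of as a visible failure. Guard the open: `if (!cert_store_) { cert_store_ = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, NULL, 0, NULL); if (!cert_store_) return NULL; }`. Separately, cert_store_ is a lazily initialised static shared by every SSLClientSocketNSS instance; if sockets can be constructed on more than one thread this check-then-assign is a race, so the helper's comment should state which thread owns the store.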
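Review bot: After the new `cert_handle = CreateOSCert(node->cert->derCert);` the only handling of a NULL handle is DCHECK(cert_handle), which compiles out in release builds, so a NULL is pushed into intermediate_ca_certs and presumably dereferenced downstream. The replaced CreateOSCertHandleFromBytes call had the same gap, but the helper adds a new Windows failure path (a failed store open, or CertAddEncodedCertificateToStore returning FALSE), so it is worth skipping the entry instead: `if (!cert_handle) continue;` after the DCHECK, since a missing intermediate only costs chain-building material. The enclosing loop and UpdateServerCert start before this hunk, and the server-certificate site in the following hunk has the same DCHECK-only handling.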
@@ -696,9 +717,7 @@ X509Certificate *SSLClientSocketNSS::UpdateServerCert() {
   }
 
   // Finally create the X509Certificate object.
-  cert_handle = X509Certificate::CreateOSCertHandleFromBytes(
-      reinterpret_cast<char*>(server_cert_nss_->derCert.data),
-      server_cert_nss_->derCert.len);
+  cert_handle = CreateOSCert(server_cert_nss_->derCert);
   DCHECK(cert_handle);
   server_cert_ = X509Certificate::CreateFromHandle(
       cert_handle,
diff --git a/net/socket/ssl_client_socket_nss.h b/net/socket/ssl_client_socket_nss.h
index 7d51d6d..cf3b478 100644
--- a/net/socket/ssl_client_socket_nss.h
+++ b/net/socket/ssl_client_socket_nss.h
@@ -19,13 +19,13 @@
 #include "net/base/net_log.h"
 #include "net/base/nss_memio.h"
 #include "net/base/ssl_config_service.h"
+#include "net/base/x509_certificate.h"
 #include "net/socket/ssl_client_socket.h"
 
 namespace net {
 
 class BoundNetLog;
 class CertVerifier;
-class X509Certificate;
 
 // An SSL client socket implemented with Mozilla NSS.
 class SSLClientSocketNSS : public SSLClientSocket {
@@ -65,6 +65,10 @@ class SSLClientSocketNSS : public SSLClientSocket {
   int InitializeSSLOptions();
   void InvalidateSessionIfBadCertificate();
+#if defined(OS_MACOSX) || defined(OS_WIN)
+  // Creates an OS certificate from a DER-encoded certificate.
+  static X509Certificate::OSCertHandle CreateOSCert(const SECItem& der_cert);
+#endif
   X509Certificate* UpdateServerCert();
   void CheckSecureRenegotiation() const;
   void DoReadCallback(int result);
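Review bot: The comment on the new CreateOSCert declaration says what it builds but not its contract: the Windows definition returns `ok ? cert_handle : NULL`, so callers must handle NULL, and on Windows the handle is backed by the process-wide in-memory cert_store_ rather than standing alone, which is the whole point of the helper. Suggested replacement: `// Creates an OS certificate handle from a DER-encoded certificate; returns NULL on failure.` followed by `// On Windows the certificate is imported into cert_store_ (opened on first use) so that CryptoAPI chain building can find it.` Whether the caller or X509Certificate releases the returned handle is not visible here; state it once confirmed, since UpdateServerCert hands these handles straight to CreateFromHandle and intermediate_ca_certs.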
@@ -165,8 +169,10 @@ class SSLClientSocketNSS : public SSLClientSocket {
   BoundNetLog net_log_;
 #if defined(OS_WIN)
-  // A CryptoAPI in-memory certificate store. We use it for one purpose:
-  // 1. Copy client certificates from the "MY" system certificate store into
+  // A CryptoAPI in-memory certificate store. We use it for two purposes:
+  // 1. Import server certificates into this store so that we can verify and
+  //    display the certificates using CryptoAPI.
+  // 2. Copy client certificates from the "MY" system certificate store into
   //    this store so that we can close the system store when we finish
   //    searching for client certificates.
   static HCERTSTORE cert_store_;
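Review bot: The rewritten cert_store_ comment lists the store's two uses but omits the two properties a reader of this static most needs: it is opened lazily by CreateOSCert() and, per the TODO in the .cc, never closed, so it lives for the process lifetime and accumulates every distinct server and intermediate certificate seen; and the certificates imported under purpose 1 are server-supplied, untrusted input, kept only as chain-building candidates, with trust presumably still decided against the system root stores (worth confirming against how the chain is actually verified). I would add after the list: `// Opened lazily by CreateOSCert() and never closed (see TODO there).` and `// Server certificates imported here are untrusted input and must never be treated as trust anchors.` The class continues outside this hunk.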