A speculative fix for the TLS 1.2 client authentication bug with the

CAC card on Mac OS X.

Manually encode the ASN.1 DigestInfo structure and pass CSSM_ALGID_NONE
as the digestAlg argument to CSSM_SignData. The theory is that the CAC
card may not support a digestAlg argument of CSSM_ALGID_SHA256 passed to
CSSM_SignData.

Set the OS error when CDSA/CSSM functions fail and log the OS error when
we get ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED.

R=rsleevi@chromium.org
BUG=255579
TEST=manual testing

Review URL: https://chromiumcodereview.appspot.com/18055011

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@209318 0039d316-1c4b-4281-b951-d872f2087c98

1 files changed, 2 insertions, 0 deletions

diff --git a/net/socket/nss_ssl_util.cc b/net/socket/nss_ssl_util.cc
index ff5a8940..be33ac5 100644
--- a/net/socket/nss_ssl_util.cc
+++ b/net/socket/nss_ssl_util.cc
@@ -190,6 +190,8 @@ int MapNSSError(PRErrorCode err) {
       return ERR_SSL_CLIENT_AUTH_CERT_NO_PRIVATE_KEY;
     case SEC_ERROR_INVALID_KEY:
     case SSL_ERROR_SIGN_HASHES_FAILURE:
+      LOG(ERROR) << "ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED: NSS error " << err
+                 << ", OS error " << PR_GetOSError();
       return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
     // A handshake (initial or renegotiation) may fail because some signature
     // (for example, the signature in the ServerKeyExchange message for an