summaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorwtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-06-01 20:28:03 +0000
committerwtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-06-01 20:28:03 +0000
commit3dd6f5e0807447194b12c7adc9a730d81738a0a6 (patch)
tree6176f288326fdb65d167ce419929260209fff32b /net
parent3f94a9eedbb0bd352beeea9ae65591c69c9012f1 (diff)
downloadchromium_src-3dd6f5e0807447194b12c7adc9a730d81738a0a6.zip
chromium_src-3dd6f5e0807447194b12c7adc9a730d81738a0a6.tar.gz
chromium_src-3dd6f5e0807447194b12c7adc9a730d81738a0a6.tar.bz2
Use SSLClientSocketNSS on Mac OS X. By default, chrome still uses
SSLClientSocketMac. Specify the --use-nss-for-ssl command-line option to use SSLClientSocketNSS. The nss.gyp in src/net/third_party/nss is renamed ssl.gyp to avoid a naming conflict with the nss.gyp in src/third_party/nss. The GYP generator for Xcode project files disallows same-named .gyp files. SSL client authentication doesn't work yet. R=mark BUG=30689 TEST=No build and test failures on Mac and Windows. Review URL: http://codereview.chromium.org/2322008 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@48650 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net')
-rw-r--r--net/base/x509_certificate.h21
-rw-r--r--net/net.gyp82
-rw-r--r--net/socket/ssl_client_socket_nss.cc52
-rw-r--r--net/socket/ssl_client_socket_nss.h6
-rw-r--r--net/third_party/nss/ssl.gyp (renamed from net/third_party/nss/nss.gyp)31
5 files changed, 93 insertions, 99 deletions
diff --git a/net/base/x509_certificate.h b/net/base/x509_certificate.h
index 6bccdf3..5c80b2d 100644
--- a/net/base/x509_certificate.h
+++ b/net/base/x509_certificate.h
@@ -210,6 +210,16 @@ class X509Certificate : public base::RefCountedThreadSafe<X509Certificate> {
// Returns true if two OSCertHandles refer to identical certificates.
static bool IsSameOSCert(OSCertHandle a, OSCertHandle b);
+ // Creates an OS certificate handle from the BER-encoded representation.
+ // Returns NULL on failure.
+ static OSCertHandle CreateOSCertHandleFromBytes(const char* data,
+ int length);
+
+ // Duplicates (or adds a reference to) an OS certificate handle.
+ static OSCertHandle DupOSCertHandle(OSCertHandle cert_handle);
+
+ // Frees (or releases a reference to) an OS certificate handle.
+ static void FreeOSCertHandle(OSCertHandle cert_handle);
private:
friend class base::RefCountedThreadSafe<X509Certificate>;
@@ -254,17 +264,6 @@ class X509Certificate : public base::RefCountedThreadSafe<X509Certificate> {
bool VerifyEV() const;
- // Creates an OS certificate handle from the BER-encoded representation.
- // Returns NULL on failure.
- static OSCertHandle CreateOSCertHandleFromBytes(const char* data,
- int length);
-
- // Duplicates (or adds a reference to) an OS certificate handle.
- static OSCertHandle DupOSCertHandle(OSCertHandle cert_handle);
-
- // Frees (or releases a reference to) an OS certificate handle.
- static void FreeOSCertHandle(OSCertHandle cert_handle);
-
// Calculates the SHA-1 fingerprint of the certificate. Returns an empty
// (all zero) fingerprint on failure.
static Fingerprint CalculateFingerprint(OSCertHandle cert_handle);
diff --git a/net/net.gyp b/net/net.gyp
index 5be0bee..14f2db8 100644
--- a/net/net.gyp
+++ b/net/net.gyp
@@ -175,12 +175,20 @@
],
'conditions': [
[ 'OS == "linux" or OS == "freebsd" or OS == "openbsd"', {
- 'dependencies': [
- '../build/linux/system.gyp:gconf',
- '../build/linux/system.gyp:gdk',
- '../build/linux/system.gyp:nss',
- ],
- }],
+ 'dependencies': [
+ '../build/linux/system.gyp:gconf',
+ '../build/linux/system.gyp:gdk',
+ '../build/linux/system.gyp:nss',
+ ],
+ },
+ { # else: OS is not in the above list
+ 'sources!': [
+ 'base/cert_database_nss.cc',
+ 'base/keygen_handler_nss.cc',
+ 'base/x509_certificate_nss.cc',
+ ],
+ },
+ ],
[ 'OS == "win"', {
'dependencies': [
# For nss_memio.{c,h}, which require only NSPR.
@@ -194,22 +202,10 @@
],
},
],
- [ 'OS == "linux" or OS == "freebsd" or OS == "openbsd"', {
- },
- { # else: OS is not in the above list
- 'sources!': [
- 'base/cert_database_nss.cc',
- 'base/keygen_handler_nss.cc',
- 'base/x509_certificate_nss.cc',
- ],
- },
- ],
[ 'OS == "mac"', {
- 'sources!': [
- # TODO(wtc): Remove nss_memio.{c,h} when http://crbug.com/30689
- # is fixed.
- 'base/nss_memio.c',
- 'base/nss_memio.h',
+ 'dependencies': [
+ # For nss_memio.{c,h}, which require only NSPR.
+ '../third_party/nss/nss.gyp:nspr',
],
'link_settings': {
'libraries': [
@@ -552,12 +548,23 @@
],
}],
[ 'OS == "linux" or OS == "freebsd" or OS == "openbsd"', {
- 'dependencies': [
- '../build/linux/system.gyp:gconf',
- '../build/linux/system.gyp:gdk',
- '../build/linux/system.gyp:nss',
- ],
- }],
+ 'sources!': [
+ 'socket/ssl_client_socket_nss_factory.cc',
+ 'socket/ssl_client_socket_nss_factory.h',
+ ],
+ 'dependencies': [
+ '../build/linux/system.gyp:gconf',
+ '../build/linux/system.gyp:gdk',
+ '../build/linux/system.gyp:nss',
+ ],
+ },
+ { # else: OS is not in the above list
+ 'sources!': [
+ 'ocsp/nss_ocsp.cc',
+ 'ocsp/nss_ocsp.h',
+ ],
+ },
+ ],
[ 'OS == "win"', {
'sources!': [
'http/http_auth_handler_ntlm_portable.cc',
@@ -565,7 +572,7 @@
],
'dependencies': [
'../third_party/nss/nss.gyp:nss',
- 'third_party/nss/nss.gyp:ssl',
+ 'third_party/nss/ssl.gyp:ssl',
'tld_cleanup',
],
'link_settings': {
@@ -577,26 +584,13 @@
{ # else: OS != "win"
'sources!': [
'proxy/proxy_resolver_winhttp.cc',
- 'socket/ssl_client_socket_nss_factory.cc',
- 'socket/ssl_client_socket_nss_factory.h',
- ],
- },
- ],
- [ 'OS == "linux" or OS == "freebsd" or OS == "openbsd"', {
- },
- { # else: OS != "linux"
- 'sources!': [
- 'ocsp/nss_ocsp.cc',
- 'ocsp/nss_ocsp.h',
],
},
],
[ 'OS == "mac"', {
- 'sources!': [
- # TODO(wtc): Remove ssl_client_socket_nss.{cc,h} when
- # http://crbug.com/30689 is fixed.
- 'socket/ssl_client_socket_nss.cc',
- 'socket/ssl_client_socket_nss.h',
+ 'dependencies': [
+ '../third_party/nss/nss.gyp:nss',
+ 'third_party/nss/ssl.gyp:ssl',
],
'link_settings': {
'libraries': [
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index f5484ec..f015b57 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -318,7 +318,7 @@ int SSLClientSocketNSS::Init() {
EnsureNSSSSLInit();
if (!NSS_IsInitialized())
return ERR_UNEXPECTED;
-#if !defined(OS_WIN)
+#if !defined(OS_MACOSX) && !defined(OS_WIN)
// We must call EnsureOCSPInit() here, on the IO thread, to get the IO loop
// by MessageLoopForIO::current().
// X509Certificate::Verify() runs on a worker thread of CertVerifier.
@@ -663,16 +663,12 @@ X509Certificate *SSLClientSocketNSS::UpdateServerCert() {
if (server_cert_ == NULL) {
server_cert_nss_ = SSL_PeerCertificate(nss_fd_);
if (server_cert_nss_) {
-#if defined(OS_WIN)
- // TODO(wtc): close cert_store_ at shutdown.
- if (!cert_store_)
- cert_store_ = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, NULL, 0, NULL);
-
+#if defined(OS_MACOSX) || defined(OS_WIN)
// Get each of the intermediate certificates in the server's chain.
// These will be added to the server's X509Certificate object, making
// them available to X509Certificate::Verify() for chain building.
X509Certificate::OSCertHandles intermediate_ca_certs;
- PCCERT_CONTEXT cert_context = NULL;
+ X509Certificate::OSCertHandle cert_handle = NULL;
CERTCertList* cert_list = CERT_GetCertChainFromCert(
server_cert_nss_, PR_Now(), certUsageSSLCA);
if (cert_list) {
@@ -681,6 +677,7 @@ X509Certificate *SSLClientSocketNSS::UpdateServerCert() {
node = CERT_LIST_NEXT(node)) {
if (node->cert == server_cert_nss_)
continue;
+#if defined(OS_WIN)
// Work around http://crbug.com/43538 by not importing the
// problematic COMODO EV SGC CA certificate. CryptoAPI will
// download a good certificate for that CA, issued by COMODO
@@ -688,35 +685,27 @@ X509Certificate *SSLClientSocketNSS::UpdateServerCert() {
// certificate.
if (IsProblematicComodoEVCACert(*node->cert))
continue;
- cert_context = NULL;
- BOOL ok = CertAddEncodedCertificateToStore(
- cert_store_,
- X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
- node->cert->derCert.data,
- node->cert->derCert.len,
- CERT_STORE_ADD_USE_EXISTING,
- &cert_context);
- DCHECK(ok);
- intermediate_ca_certs.push_back(cert_context);
+#endif
+ cert_handle = X509Certificate::CreateOSCertHandleFromBytes(
+ reinterpret_cast<char*>(node->cert->derCert.data),
+ node->cert->derCert.len);
+ DCHECK(cert_handle);
+ intermediate_ca_certs.push_back(cert_handle);
}
CERT_DestroyCertList(cert_list);
}
// Finally create the X509Certificate object.
- BOOL ok = CertAddEncodedCertificateToStore(
- cert_store_,
- X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
- server_cert_nss_->derCert.data,
- server_cert_nss_->derCert.len,
- CERT_STORE_ADD_USE_EXISTING,
- &cert_context);
- DCHECK(ok);
+ cert_handle = X509Certificate::CreateOSCertHandleFromBytes(
+ reinterpret_cast<char*>(server_cert_nss_->derCert.data),
+ server_cert_nss_->derCert.len);
+ DCHECK(cert_handle);
server_cert_ = X509Certificate::CreateFromHandle(
- cert_context,
+ cert_handle,
X509Certificate::SOURCE_FROM_NETWORK,
intermediate_ca_certs);
for (size_t i = 0; i < intermediate_ca_certs.size(); ++i)
- CertFreeCertificateContext(intermediate_ca_certs[i]);
+ X509Certificate::FreeOSCertHandle(intermediate_ca_certs[i]);
#else
server_cert_ = X509Certificate::CreateFromHandle(
CERT_DupCertificate(server_cert_nss_),
@@ -1215,6 +1204,10 @@ SECStatus SSLClientSocketNSS::ClientAuthHandler(
PCCERT_CHAIN_CONTEXT chain_context = NULL;
+ // TODO(wtc): close cert_store_ at shutdown.
+ if (!cert_store_)
+ cert_store_ = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, NULL, 0, NULL);
+
for (;;) {
// Find a certificate chain.
chain_context = CertFindChainInStore(my_cert_store,
@@ -1255,6 +1248,11 @@ SECStatus SSLClientSocketNSS::ClientAuthHandler(
// Tell NSS to suspend the client authentication. We will then abort the
// handshake by returning ERR_SSL_CLIENT_AUTH_CERT_NEEDED.
return SECWouldBlock;
+#elif defined(OS_MACOSX)
+ // TODO(wtc): see http://crbug.com/45369.
+ // Not implemented. Send no client certificate.
+ PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+ return SECFailure;
#else
CERTCertificate* cert = NULL;
SECKEYPrivateKey* privkey = NULL;
diff --git a/net/socket/ssl_client_socket_nss.h b/net/socket/ssl_client_socket_nss.h
index 74f2003..7d51d6d 100644
--- a/net/socket/ssl_client_socket_nss.h
+++ b/net/socket/ssl_client_socket_nss.h
@@ -165,10 +165,8 @@ class SSLClientSocketNSS : public SSLClientSocket {
BoundNetLog net_log_;
#if defined(OS_WIN)
- // A CryptoAPI in-memory certificate store. We use it for two purposes:
- // 1. Import server certificates into this store so that we can verify and
- // display the certificates using CryptoAPI.
- // 2. Copy client certificates from the "MY" system certificate store into
+ // A CryptoAPI in-memory certificate store. We use it for one purpose:
+ // 1. Copy client certificates from the "MY" system certificate store into
// this store so that we can close the system store when we finish
// searching for client certificates.
static HCERTSTORE cert_store_;
diff --git a/net/third_party/nss/nss.gyp b/net/third_party/nss/ssl.gyp
index a3610f5..3166be8 100644
--- a/net/third_party/nss/nss.gyp
+++ b/net/third_party/nss/ssl.gyp
@@ -67,6 +67,10 @@
'ssl/bodge/loader.h',
'ssl/bodge/secure_memcmp.c',
],
+ 'sources!': [
+ 'ssl/os2_err.c',
+ 'ssl/os2_err.h',
+ ],
'defines': [
'NSS_ENABLE_ECC',
'NSS_ENABLE_ZLIB',
@@ -77,13 +81,20 @@
'NO_NSPR_10_SUPPORT',
],
'conditions': [
+ [ 'OS == "win"', {
+ 'sources!': [
+ 'ssl/unix_err.c',
+ 'ssl/unix_err.h',
+ ],
+ },
+ { # else: OS != "win"
+ 'sources!': [
+ 'ssl/win32err.c',
+ 'ssl/win32err.h',
+ ],
+ },
+ ],
[ 'OS == "linux" or OS == "freebsd" or OS == "openbsd"', {
- 'sources!': [
- 'ssl/os2_err.c',
- 'ssl/os2_err.h',
- 'ssl/win32err.c',
- 'ssl/win32err.h',
- ],
'defines': [
# These macros are needed only for compiling the files in
# ssl/bodge.
@@ -105,16 +116,10 @@
'<!@(<(pkg-config) --libs-only-l nss | sed -e "s/-lssl3//")',
],
}],
- [ 'OS == "win"', {
+ [ 'OS == "mac" or OS == "win"', {
'sources/': [
['exclude', 'ssl/bodge/'],
],
- 'sources!': [
- 'ssl/os2_err.c',
- 'ssl/os2_err.h',
- 'ssl/unix_err.c',
- 'ssl/unix_err.h',
- ],
'dependencies': [
'../../../third_party/zlib/zlib.gyp:zlib',
'../../../third_party/nss/nss.gyp:nss',