summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--net/http/http_network_transaction.cc11
-rw-r--r--net/socket/ssl_client_socket_unittest.cc58
-rw-r--r--net/url_request/url_request_unittest.cc11
-rw-r--r--third_party/tlslite/README.chromium4
-rw-r--r--third_party/tlslite/patches/send_certificate_types.patch32
-rw-r--r--third_party/tlslite/tlslite/constants.py6
-rw-r--r--third_party/tlslite/tlslite/messages.py6
7 files changed, 120 insertions, 8 deletions
diff --git a/net/http/http_network_transaction.cc b/net/http/http_network_transaction.cc
index a79a9a4..1ff166c 100644
--- a/net/http/http_network_transaction.cc
+++ b/net/http/http_network_transaction.cc
@@ -442,8 +442,7 @@ void HttpNetworkTransaction::OnNeedsClientAuth(
DCHECK_EQ(STATE_INIT_STREAM_COMPLETE, next_state_);
response_.cert_request_info = cert_info;
- int result = HandleCertificateRequest(ERR_SSL_CLIENT_AUTH_CERT_NEEDED);
- DoCallback(result);
+ OnIOComplete(ERR_SSL_CLIENT_AUTH_CERT_NEEDED);
}
HttpNetworkTransaction::~HttpNetworkTransaction() {
@@ -579,6 +578,8 @@ int HttpNetworkTransaction::DoInitStreamComplete(int result) {
if (result == OK) {
next_state_ = STATE_GENERATE_PROXY_AUTH_TOKEN;
DCHECK(stream_.get());
+ } else if (result == ERR_SSL_CLIENT_AUTH_CERT_NEEDED) {
+ result = HandleCertificateRequest(result);
}
// At this point we are done with the stream_request_.
@@ -987,6 +988,7 @@ int HttpNetworkTransaction::HandleCertificateRequest(int error) {
// long time while the user selects a certificate.
// Second, even if we did keep the connection open, NSS has a bug where
// restarting the handshake for ClientAuth is currently broken.
+ DCHECK_EQ(error, ERR_SSL_CLIENT_AUTH_CERT_NEEDED);
if (stream_.get()) {
// Since we already have a stream, we're being called as part of SSL
@@ -999,10 +1001,8 @@ int HttpNetworkTransaction::HandleCertificateRequest(int error) {
if (stream_request_.get()) {
// The server is asking for a client certificate during the initial
// handshake.
- DCHECK_EQ(STATE_INIT_STREAM_COMPLETE, next_state_);
stream_request_->Cancel();
stream_request_ = NULL;
- next_state_ = STATE_INIT_STREAM;
}
// If the user selected one of the certificate in client_certs for this
@@ -1014,6 +1014,9 @@ int HttpNetworkTransaction::HandleCertificateRequest(int error) {
response_.cert_request_info->client_certs;
for (size_t i = 0; i < client_certs.size(); ++i) {
if (client_cert->fingerprint().Equals(client_certs[i]->fingerprint())) {
+ // TODO(davidben): Add a unit test which covers this path; we need to be
+ // able to send a legitimate certificate and also bypass/clear the
+ // SSL session cache.
ssl_config_.client_cert = client_cert;
ssl_config_.send_client_cert = true;
next_state_ = STATE_INIT_STREAM;
diff --git a/net/socket/ssl_client_socket_unittest.cc b/net/socket/ssl_client_socket_unittest.cc
index 6673ec6..b4ce521 100644
--- a/net/socket/ssl_client_socket_unittest.cc
+++ b/net/socket/ssl_client_socket_unittest.cc
@@ -167,8 +167,9 @@ TEST_F(SSLClientSocketTest, ConnectMismatched) {
log.entries(), -1, net::NetLog::TYPE_SSL_CONNECT));
}
-// TODO(davidben): Also test providing a certificate.
-TEST_F(SSLClientSocketTest, ConnectClientAuthNoCert) {
+// Attempt to connect to a page which requests a client certificate. It should
+// return an error code on connect.
+TEST_F(SSLClientSocketTest, ConnectClientAuthCertRequested) {
net::TestServer test_server(net::TestServer::TYPE_HTTPS_CLIENT_AUTH,
FilePath());
ASSERT_TRUE(test_server.Start());
@@ -211,6 +212,59 @@ TEST_F(SSLClientSocketTest, ConnectClientAuthNoCert) {
log.entries(), -1, net::NetLog::TYPE_SSL_CONNECT));
}
+// Connect to a server requesting optional client authentication. Send it a
+// null certificate. It should allow the connection.
+//
+// TODO(davidben): Also test providing an actual certificate.
+TEST_F(SSLClientSocketTest, ConnectClientAuthSendNullCert) {
+ net::TestServer test_server(net::TestServer::TYPE_HTTPS_CLIENT_AUTH,
+ FilePath());
+ ASSERT_TRUE(test_server.Start());
+
+ net::AddressList addr;
+ ASSERT_TRUE(test_server.GetAddressList(&addr));
+
+ TestCompletionCallback callback;
+ net::CapturingNetLog log(net::CapturingNetLog::kUnbounded);
+ net::ClientSocket* transport = new net::TCPClientSocket(addr, &log);
+ int rv = transport->Connect(&callback);
+ if (rv == net::ERR_IO_PENDING)
+ rv = callback.WaitForResult();
+ EXPECT_EQ(net::OK, rv);
+
+ net::SSLConfig ssl_config = kDefaultSSLConfig;
+ ssl_config.send_client_cert = true;
+ ssl_config.client_cert = NULL;
+
+ scoped_ptr<net::SSLClientSocket> sock(
+ socket_factory_->CreateSSLClientSocket(transport,
+ test_server.host_port_pair().host(), ssl_config));
+
+ EXPECT_FALSE(sock->IsConnected());
+
+ // Our test server accepts certificate-less connections.
+ // TODO(davidben): Add a test which requires them and verify the error.
+ rv = sock->Connect(&callback);
+ EXPECT_TRUE(net::LogContainsBeginEvent(
+ log.entries(), 5, net::NetLog::TYPE_SSL_CONNECT));
+ if (rv != net::OK) {
+ ASSERT_EQ(net::ERR_IO_PENDING, rv);
+ EXPECT_FALSE(sock->IsConnected());
+ EXPECT_FALSE(net::LogContainsEndEvent(
+ log.entries(), -1, net::NetLog::TYPE_SSL_CONNECT));
+
+ rv = callback.WaitForResult();
+ EXPECT_EQ(net::OK, rv);
+ }
+
+ EXPECT_TRUE(sock->IsConnected());
+ EXPECT_TRUE(net::LogContainsEndEvent(
+ log.entries(), -1, net::NetLog::TYPE_SSL_CONNECT));
+
+ sock->Disconnect();
+ EXPECT_FALSE(sock->IsConnected());
+}
+
// TODO(wtc): Add unit tests for IsConnectedAndIdle:
// - Server closes an SSL connection (with a close_notify alert message).
// - Server closes the underlying TCP connection directly.
diff --git a/net/url_request/url_request_unittest.cc b/net/url_request/url_request_unittest.cc
index aabb070..2ffb631 100644
--- a/net/url_request/url_request_unittest.cc
+++ b/net/url_request/url_request_unittest.cc
@@ -467,6 +467,17 @@ TEST_F(HTTPSRequestTest, ClientAuthTest) {
EXPECT_EQ(1, d.on_certificate_requested_count());
EXPECT_FALSE(d.received_data_before_response());
EXPECT_EQ(0, d.bytes_received());
+
+ // Send no certificate.
+ // TODO(davidben): Get temporary client cert import (with keys) working on
+ // all platforms so we can test sending a cert as well.
+ r.ContinueWithCertificate(NULL);
+
+ MessageLoop::current()->Run();
+
+ EXPECT_EQ(1, d.response_started_count());
+ EXPECT_FALSE(d.received_data_before_response());
+ EXPECT_NE(0, d.bytes_received());
}
}
diff --git a/third_party/tlslite/README.chromium b/third_party/tlslite/README.chromium
index 792d7e4..3fc9665 100644
--- a/third_party/tlslite/README.chromium
+++ b/third_party/tlslite/README.chromium
@@ -21,3 +21,7 @@ Local Modifications:
of byte arrays, each containing a DER-encoded distinguished name.
tlslite/TLSConnection.py was changed to take a list of such byte arrays
when creating a TLS server that will request client authentication.
+- patches/send_certificate_types.patch: tlslite/message.py was changed to
+ default to a certificate_types of [rsa_sign] in CertificateRequest. Apple's
+ Secure Transport library rejects an empty list and raises an SSL protocol
+ error.
diff --git a/third_party/tlslite/patches/send_certificate_types.patch b/third_party/tlslite/patches/send_certificate_types.patch
new file mode 100644
index 0000000..14b2935
--- /dev/null
+++ b/third_party/tlslite/patches/send_certificate_types.patch
@@ -0,0 +1,32 @@
+diff --git a/tlslite/constants.py b/tlslite/constants.py
+index 8f2d559..04302c0 100644
+--- a/tlslite/constants.py
++++ b/tlslite/constants.py
+@@ -5,6 +5,12 @@ class CertificateType:
+ openpgp = 1
+ cryptoID = 2
+
++class ClientCertificateType:
++ rsa_sign = 1
++ dss_sign = 2
++ rsa_fixed_dh = 3
++ dss_fixed_dh = 4
++
+ class HandshakeType:
+ hello_request = 0
+ client_hello = 1
+diff --git a/tlslite/messages.py b/tlslite/messages.py
+index 06c46b9..8bcec2c 100644
+--- a/tlslite/messages.py
++++ b/tlslite/messages.py
+@@ -346,7 +346,9 @@ class Certificate(HandshakeMsg):
+ class CertificateRequest(HandshakeMsg):
+ def __init__(self):
+ self.contentType = ContentType.handshake
+- self.certificate_types = []
++ #Apple's implementation rejects empty certificate_types, so
++ #default to rsa_sign.
++ self.certificate_types = [ClientCertificateType.rsa_sign]
+ #treat as opaque bytes for now
+ self.certificate_authorities = createByteArraySequence([])
+
diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlslite/constants.py
index 8f2d559..04302c0 100644
--- a/third_party/tlslite/tlslite/constants.py
+++ b/third_party/tlslite/tlslite/constants.py
@@ -5,6 +5,12 @@ class CertificateType:
openpgp = 1
cryptoID = 2
+class ClientCertificateType:
+ rsa_sign = 1
+ dss_sign = 2
+ rsa_fixed_dh = 3
+ dss_fixed_dh = 4
+
class HandshakeType:
hello_request = 0
client_hello = 1
diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlslite/messages.py
index fb4cc21..dc6ed32 100644
--- a/third_party/tlslite/tlslite/messages.py
+++ b/third_party/tlslite/tlslite/messages.py
@@ -346,7 +346,9 @@ class Certificate(HandshakeMsg):
class CertificateRequest(HandshakeMsg):
def __init__(self):
self.contentType = ContentType.handshake
- self.certificate_types = []
+ #Apple's Secure Transport library rejects empty certificate_types, so
+ #default to rsa_sign.
+ self.certificate_types = [ClientCertificateType.rsa_sign]
self.certificate_authorities = []
def create(self, certificate_types, certificate_authorities):
@@ -579,4 +581,4 @@ class ApplicationData(Msg):
return self
def write(self):
- return self.bytes \ No newline at end of file
+ return self.bytes
generated by cgit v1.1 at 2025-01-30 18:02:16 +0000