// Copyright 2013 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "net/ssl/client_cert_store_nss.h" #include #include #include "base/bind.h" #include "base/location.h" #include "base/logging.h" #include "base/memory/scoped_ptr.h" #include "base/strings/string_piece.h" #include "base/threading/worker_pool.h" #include "crypto/nss_crypto_module_delegate.h" #include "net/cert/x509_util.h" namespace net { ClientCertStoreNSS::ClientCertStoreNSS( const PasswordDelegateFactory& password_delegate_factory) : password_delegate_factory_(password_delegate_factory) {} ClientCertStoreNSS::~ClientCertStoreNSS() {} void ClientCertStoreNSS::GetClientCerts(const SSLCertRequestInfo& request, CertificateList* selected_certs, const base::Closure& callback) { scoped_ptr password_delegate; if (!password_delegate_factory_.is_null()) { password_delegate.reset( password_delegate_factory_.Run(request.host_and_port)); } if (base::WorkerPool::PostTaskAndReply( FROM_HERE, base::Bind(&ClientCertStoreNSS::GetClientCertsOnWorkerThread, // Caller is responsible for keeping the ClientCertStore // alive until the callback is run. base::Unretained(this), base::Passed(&password_delegate), &request, selected_certs), callback, true)) return; selected_certs->clear(); callback.Run(); } void ClientCertStoreNSS::GetClientCertsImpl(CERTCertList* cert_list, const SSLCertRequestInfo& request, bool query_nssdb, CertificateList* selected_certs) { DCHECK(cert_list); DCHECK(selected_certs); selected_certs->clear(); // Create a "fake" CERTDistNames structure. No public API exists to create // one from a list of issuers. CERTDistNames ca_names; ca_names.arena = NULL; ca_names.nnames = 0; ca_names.names = NULL; ca_names.head = NULL; std::vector ca_names_items(request.cert_authorities.size()); for (size_t i = 0; i < request.cert_authorities.size(); ++i) { const std::string& authority = request.cert_authorities[i]; ca_names_items[i].type = siBuffer; ca_names_items[i].data = reinterpret_cast(const_cast(authority.data())); ca_names_items[i].len = static_cast(authority.size()); } ca_names.nnames = static_cast(ca_names_items.size()); if (!ca_names_items.empty()) ca_names.names = &ca_names_items[0]; size_t num_raw = 0; for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list); !CERT_LIST_END(node, cert_list); node = CERT_LIST_NEXT(node)) { ++num_raw; // Only offer unexpired certificates. if (CERT_CheckCertValidTimes(node->cert, PR_Now(), PR_TRUE) != secCertTimeValid) { DVLOG(2) << "skipped expired cert: " << base::StringPiece(node->cert->nickname); continue; } scoped_refptr cert = X509Certificate::CreateFromHandle( node->cert, X509Certificate::OSCertHandles()); // Check if the certificate issuer is allowed by the server. if (request.cert_authorities.empty() || (!query_nssdb && cert->IsIssuedByEncoded(request.cert_authorities)) || (query_nssdb && NSS_CmpCertChainWCANames(node->cert, &ca_names) == SECSuccess)) { DVLOG(2) << "matched cert: " << base::StringPiece(node->cert->nickname); selected_certs->push_back(cert); } else DVLOG(2) << "skipped non-matching cert: " << base::StringPiece(node->cert->nickname); } DVLOG(2) << "num_raw:" << num_raw << " num_selected:" << selected_certs->size(); std::sort(selected_certs->begin(), selected_certs->end(), x509_util::ClientCertSorter()); } void ClientCertStoreNSS::GetClientCertsOnWorkerThread( scoped_ptr password_delegate, const SSLCertRequestInfo* request, CertificateList* selected_certs) { CERTCertList* client_certs = CERT_FindUserCertsByUsage( CERT_GetDefaultCertDB(), certUsageSSLClient, PR_FALSE, PR_FALSE, password_delegate.get()); // It is ok for a user not to have any client certs. if (!client_certs) { DVLOG(2) << "No client certs found."; selected_certs->clear(); return; } GetClientCertsImpl(client_certs, *request, true, selected_certs); CERT_DestroyCertList(client_certs); } bool ClientCertStoreNSS::SelectClientCertsForTesting( const CertificateList& input_certs, const SSLCertRequestInfo& request, CertificateList* selected_certs) { CERTCertList* cert_list = CERT_NewCertList(); if (!cert_list) return false; for (size_t i = 0; i < input_certs.size(); ++i) { CERT_AddCertToListTail( cert_list, CERT_DupCertificate(input_certs[i]->os_cert_handle())); } GetClientCertsImpl(cert_list, request, false, selected_certs); CERT_DestroyCertList(cert_list); return true; } } // namespace net