Add simple cache backend experiment hidden behind a command line option.
[chromium-blink-merge.git] / net / ssl / client_cert_store_impl_nss.cc
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "net/ssl/client_cert_store_impl.h"
7 #include <nss.h>
8 #include <ssl.h>
10 #include "base/logging.h"
11 #include "net/base/x509_util.h"
13 namespace net {
15 namespace {
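// Filters |cert_list| down to the certificates that may be offered in
// response to |request| and stores them, sorted with
// x509_util::ClientCertSorter, in |selected_certs|.
//
// A certificate is kept when NSS reports it as currently time-valid and, if
// the server sent a non-empty list of acceptable authorities, when
// IsIssuedByEncoded() accepts it against that list. Nothing else is checked
// here (no key-usage or private-key test), so the caller decides what goes
// into |cert_list|.
//
// |selected_certs| is cleared first, so earlier contents never survive the
// call. Always returns true.
bool GetClientCertsImpl(CERTCertList* cert_list,
                        const SSLCertRequestInfo& request,
                        CertificateList* selected_certs) {
  DCHECK(cert_list);
  DCHECK(selected_certs);

  selected_certs->clear();

  // Take one timestamp for the whole pass so that every certificate is judged
  // against the same instant, instead of calling PR_Now() once per node.
  const PRTime now = PR_Now();
  // An empty authority list means the server expressed no issuer preference.
  const bool restrict_issuers = !request.cert_authorities.empty();

  for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list);
       !CERT_LIST_END(node, cert_list);
       node = CERT_LIST_NEXT(node)) {
    // Skip certificates that are expired or not yet valid.
    // NOTE(review): the PR_TRUE argument is NSS's allowOverride flag; confirm
    // that honouring a stored validity override is intended for client
    // certificates.
    if (CERT_CheckCertValidTimes(node->cert, now, PR_TRUE) !=
        secCertTimeValid) {
      continue;
    }

    // NOTE(review): whether CreateFromHandle() can return NULL is not visible
    // in this file; confirm before relying on the dereference below.
    scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromHandle(
        node->cert, X509Certificate::OSCertHandles());

    // Check if the certificate issuer is allowed by the server.
    if (restrict_issuers &&
        !cert->IsIssuedByEncoded(request.cert_authorities)) {
      continue;
    }

    selected_certs->push_back(cert);
  }

  std::sort(selected_certs->begin(), selected_certs->end(),
            x509_util::ClientCertSorter());
  return true;
}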
49 } // namespace
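// Looks up the user's certificates for SSL client authentication in the
// default NSS certificate database and writes the ones acceptable for
// |request| to |selected_certs|.
//
// |selected_certs| is overwritten on every path. It is left empty when NSS
// returns no list. Returns the result of GetClientCertsImpl(), or true when
// there was nothing to filter.
bool ClientCertStoreImpl::GetClientCerts(const SSLCertRequestInfo& request,
                                         CertificateList* selected_certs) {
  DCHECK(selected_certs);

  // The lookup does no validity filtering of its own (both PRBool options are
  // PR_FALSE); expiry and issuer checks happen in GetClientCertsImpl().
  CERTCertList* client_certs = CERT_FindUserCertsByUsage(
      CERT_GetDefaultCertDB(), certUsageSSLClient,
      PR_FALSE, PR_FALSE, NULL);
  // It is ok for a user not to have any client certs.
  // NOTE(review): a NULL list is reported as success, so an NSS lookup failure
  // is indistinguishable from "no certificates" for the caller.
  if (!client_certs) {
    // Clear the output here too. The filtering path clears it, and returning
    // success with the caller's previous contents intact would present stale
    // certificates as the result of this request.
    selected_certs->clear();
    return true;
  }

  bool rv = GetClientCertsImpl(client_certs, request, selected_certs);
  CERT_DestroyCertList(client_certs);
  return rv;
}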
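// Applies the same selection as GetClientCerts(), but to the caller-supplied
// |input_certs| instead of the certificates found in the NSS database.
//
// Each input certificate is duplicated into a temporary CERTCertList, which
// is filtered by GetClientCertsImpl() and then destroyed. Returns false, and
// leaves |selected_certs| untouched, if the temporary list cannot be
// allocated or a certificate cannot be appended to it.
//
// NOTE(review): unlike GetClientCerts(), nothing here restricts the input to
// SSL-client usage; only the validity-period and issuer checks in
// GetClientCertsImpl() apply.
bool ClientCertStoreImpl::SelectClientCerts(const CertificateList& input_certs,
                                            const SSLCertRequestInfo& request,
                                            CertificateList* selected_certs) {
  CERTCertList* cert_list = CERT_NewCertList();
  if (!cert_list)
    return false;

  for (size_t i = 0; i < input_certs.size(); ++i) {
    CERTCertificate* dup =
        CERT_DupCertificate(input_certs[i]->os_cert_handle());
    // The list takes over the duplicated reference only when the append
    // succeeds. On failure, release it here, otherwise it leaks.
    if (CERT_AddCertToListTail(cert_list, dup) != SECSuccess) {
      CERT_DestroyCertificate(dup);
      CERT_DestroyCertList(cert_list);
      return false;
    }
  }

  bool rv = GetClientCertsImpl(cert_list, request, selected_certs);
  // Destroying the list also releases the duplicated references it holds.
  CERT_DestroyCertList(cert_list);
  return rv;
}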
81 } // namespace net