Revert "Fix broken channel icon in chrome://help on CrOS" and try again
[chromium-blink-merge.git] / net / ssl / client_cert_store_nss.cc
blob169351710b52677359a9566c46f848d77f24f6cd
1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "net/ssl/client_cert_store_nss.h"
7 #include <nss.h>
8 #include <ssl.h>
10 #include "base/bind.h"
11 #include "base/bind_helpers.h"
12 #include "base/location.h"
13 #include "base/logging.h"
14 #include "base/memory/scoped_ptr.h"
15 #include "base/strings/string_piece.h"
16 #include "base/threading/worker_pool.h"
17 #include "crypto/nss_crypto_module_delegate.h"
18 #include "net/cert/x509_util.h"
19 #include "net/ssl/ssl_cert_request_info.h"
21 namespace net {
23 ClientCertStoreNSS::ClientCertStoreNSS(
24 const PasswordDelegateFactory& password_delegate_factory)
25 : password_delegate_factory_(password_delegate_factory) {}
27 ClientCertStoreNSS::~ClientCertStoreNSS() {}
29 void ClientCertStoreNSS::GetClientCerts(const SSLCertRequestInfo& request,
30 CertificateList* selected_certs,
31 const base::Closure& callback) {
32 scoped_ptr<crypto::CryptoModuleBlockingPasswordDelegate> password_delegate;
33 if (!password_delegate_factory_.is_null()) {
34 password_delegate.reset(
35 password_delegate_factory_.Run(request.host_and_port));
37 if (base::WorkerPool::PostTaskAndReply(
38 FROM_HERE,
39 base::Bind(&ClientCertStoreNSS::GetAndFilterCertsOnWorkerThread,
40 // Caller is responsible for keeping the ClientCertStore
41 // alive until the callback is run.
42 base::Unretained(this), base::Passed(&password_delegate),
43 &request, selected_certs),
44 callback, true)) {
45 return;
47 // If the task could not be posted, behave as if there were no certificates
48 // which requires to clear |selected_certs|.
49 selected_certs->clear();
50 callback.Run();
53 // static
54 void ClientCertStoreNSS::FilterCertsOnWorkerThread(
55 const CertificateList& certs,
56 const SSLCertRequestInfo& request,
57 bool query_nssdb,
58 CertificateList* filtered_certs) {
59 DCHECK(filtered_certs);
61 filtered_certs->clear();
63 // Create a "fake" CERTDistNames structure. No public API exists to create
64 // one from a list of issuers.
65 CERTDistNames ca_names;
66 ca_names.arena = NULL;
67 ca_names.nnames = 0;
68 ca_names.names = NULL;
69 ca_names.head = NULL;
71 std::vector<SECItem> ca_names_items(request.cert_authorities.size());
72 for (size_t i = 0; i < request.cert_authorities.size(); ++i) {
73 const std::string& authority = request.cert_authorities[i];
74 ca_names_items[i].type = siBuffer;
75 ca_names_items[i].data =
76 reinterpret_cast<unsigned char*>(const_cast<char*>(authority.data()));
77 ca_names_items[i].len = static_cast<unsigned int>(authority.size());
79 ca_names.nnames = static_cast<int>(ca_names_items.size());
80 if (!ca_names_items.empty())
81 ca_names.names = &ca_names_items[0];
83 size_t num_raw = 0;
84 for (const auto& cert : certs) {
85 ++num_raw;
86 X509Certificate::OSCertHandle handle = cert->os_cert_handle();
88 // Only offer unexpired certificates.
89 if (CERT_CheckCertValidTimes(handle, PR_Now(), PR_TRUE) !=
90 secCertTimeValid) {
91 DVLOG(2) << "skipped expired cert: "
92 << base::StringPiece(handle->nickname);
93 continue;
96 // Check if the certificate issuer is allowed by the server.
97 if (request.cert_authorities.empty() ||
98 (!query_nssdb && cert->IsIssuedByEncoded(request.cert_authorities)) ||
99 (query_nssdb &&
100 NSS_CmpCertChainWCANames(handle, &ca_names) == SECSuccess)) {
101 DVLOG(2) << "matched cert: " << base::StringPiece(handle->nickname);
102 filtered_certs->push_back(cert);
103 } else {
104 DVLOG(2) << "skipped non-matching cert: "
105 << base::StringPiece(handle->nickname);
108 DVLOG(2) << "num_raw:" << num_raw
109 << " num_filtered:" << filtered_certs->size();
111 std::sort(filtered_certs->begin(), filtered_certs->end(),
112 x509_util::ClientCertSorter());
115 void ClientCertStoreNSS::GetAndFilterCertsOnWorkerThread(
116 scoped_ptr<crypto::CryptoModuleBlockingPasswordDelegate> password_delegate,
117 const SSLCertRequestInfo* request,
118 CertificateList* selected_certs) {
119 CertificateList platform_certs;
120 GetPlatformCertsOnWorkerThread(password_delegate.Pass(), &platform_certs);
121 FilterCertsOnWorkerThread(platform_certs, *request, true, selected_certs);
124 // static
125 void ClientCertStoreNSS::GetPlatformCertsOnWorkerThread(
126 scoped_ptr<crypto::CryptoModuleBlockingPasswordDelegate> password_delegate,
127 net::CertificateList* certs) {
128 CERTCertList* found_certs =
129 CERT_FindUserCertsByUsage(CERT_GetDefaultCertDB(), certUsageSSLClient,
130 PR_FALSE, PR_FALSE, password_delegate.get());
131 if (!found_certs) {
132 DVLOG(2) << "No client certs found.";
133 return;
135 for (CERTCertListNode* node = CERT_LIST_HEAD(found_certs);
136 !CERT_LIST_END(node, found_certs); node = CERT_LIST_NEXT(node)) {
137 certs->push_back(X509Certificate::CreateFromHandle(
138 node->cert, X509Certificate::OSCertHandles()));
140 CERT_DestroyCertList(found_certs);
143 } // namespace net