net/ssl/client_cert_store_nss.cc

   1 // Copyright 2013 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "net/ssl/client_cert_store_nss.h"
   6
   7 #include <nss.h>
   8 #include <ssl.h>
   9
  10 #include "base/bind.h"
  11 #include "base/bind_helpers.h"
  12 #include "base/location.h"
  13 #include "base/logging.h"
  14 #include "base/memory/scoped_ptr.h"
  15 #include "base/strings/string_piece.h"
  16 #include "base/threading/worker_pool.h"
  17 #include "crypto/nss_crypto_module_delegate.h"
  18 #include "net/cert/x509_util.h"
  19 #include "net/ssl/ssl_cert_request_info.h"
  20
  21 namespace net {
  22
  23 ClientCertStoreNSS::ClientCertStoreNSS(
  24     const PasswordDelegateFactory& password_delegate_factory)
  25     : password_delegate_factory_(password_delegate_factory) {}
  26
  27 ClientCertStoreNSS::~ClientCertStoreNSS() {}
  28
  29 void ClientCertStoreNSS::GetClientCerts(const SSLCertRequestInfo& request,
  30                                          CertificateList* selected_certs,
  31                                          const base::Closure& callback) {
  32   scoped_ptr<crypto::CryptoModuleBlockingPasswordDelegate> password_delegate;
  33   if (!password_delegate_factory_.is_null()) {
  34     password_delegate.reset(
  35         password_delegate_factory_.Run(request.host_and_port));
  36   }
  37   if (base::WorkerPool::PostTaskAndReply(
  38           FROM_HERE,
  39           base::Bind(&ClientCertStoreNSS::GetAndFilterCertsOnWorkerThread,
  40                      // Caller is responsible for keeping the ClientCertStore
  41                      // alive until the callback is run.
  42                      base::Unretained(this), base::Passed(&password_delegate),
  43                      &request, selected_certs),
  44           callback, true)) {
  45     return;
  46   }
  47   // If the task could not be posted, behave as if there were no certificates
  48   // which requires to clear |selected_certs|.
  49   selected_certs->clear();
  50   callback.Run();
  51 }
  52
  53 // static
  54 void ClientCertStoreNSS::FilterCertsOnWorkerThread(
  55     const CertificateList& certs,
  56     const SSLCertRequestInfo& request,
  57     bool query_nssdb,
  58     CertificateList* filtered_certs) {
  59   DCHECK(filtered_certs);
  60
  61   filtered_certs->clear();
  62
  63   // Create a "fake" CERTDistNames structure. No public API exists to create
  64   // one from a list of issuers.
  65   CERTDistNames ca_names;
  66   ca_names.arena = NULL;
  67   ca_names.nnames = 0;
  68   ca_names.names = NULL;
  69   ca_names.head = NULL;
  70
  71   std::vector<SECItem> ca_names_items(request.cert_authorities.size());
  72   for (size_t i = 0; i < request.cert_authorities.size(); ++i) {
  73     const std::string& authority = request.cert_authorities[i];
  74     ca_names_items[i].type = siBuffer;
  75     ca_names_items[i].data =
  76         reinterpret_cast<unsigned char*>(const_cast<char*>(authority.data()));
  77     ca_names_items[i].len = static_cast<unsigned int>(authority.size());
  78   }
  79   ca_names.nnames = static_cast<int>(ca_names_items.size());
  80   if (!ca_names_items.empty())
  81     ca_names.names = &ca_names_items[0];
  82
  83   size_t num_raw = 0;
  84   for (const auto& cert : certs) {
  85     ++num_raw;
  86     X509Certificate::OSCertHandle handle = cert->os_cert_handle();
  87
  88     // Only offer unexpired certificates.
  89     if (CERT_CheckCertValidTimes(handle, PR_Now(), PR_TRUE) !=
  90         secCertTimeValid) {
  91       DVLOG(2) << "skipped expired cert: "
  92                << base::StringPiece(handle->nickname);
  93       continue;
  94     }
  95
  96     // Check if the certificate issuer is allowed by the server.
  97     if (request.cert_authorities.empty() ||
  98         (!query_nssdb && cert->IsIssuedByEncoded(request.cert_authorities)) ||
  99         (query_nssdb &&
 100          NSS_CmpCertChainWCANames(handle, &ca_names) == SECSuccess)) {
 101       DVLOG(2) << "matched cert: " << base::StringPiece(handle->nickname);
 102       filtered_certs->push_back(cert);
 103     } else {
 104       DVLOG(2) << "skipped non-matching cert: "
 105                << base::StringPiece(handle->nickname);
 106     }
 107   }
 108   DVLOG(2) << "num_raw:" << num_raw
 109            << " num_filtered:" << filtered_certs->size();
 110
 111   std::sort(filtered_certs->begin(), filtered_certs->end(),
 112             x509_util::ClientCertSorter());
 113 }
 114
 115 void ClientCertStoreNSS::GetAndFilterCertsOnWorkerThread(
 116     scoped_ptr<crypto::CryptoModuleBlockingPasswordDelegate> password_delegate,
 117     const SSLCertRequestInfo* request,
 118     CertificateList* selected_certs) {
 119   CertificateList platform_certs;
 120   GetPlatformCertsOnWorkerThread(password_delegate.Pass(), &platform_certs);
 121   FilterCertsOnWorkerThread(platform_certs, *request, true, selected_certs);
 122 }
 123
 124 // static
 125 void ClientCertStoreNSS::GetPlatformCertsOnWorkerThread(
 126     scoped_ptr<crypto::CryptoModuleBlockingPasswordDelegate> password_delegate,
 127     net::CertificateList* certs) {
 128   CERTCertList* found_certs =
 129       CERT_FindUserCertsByUsage(CERT_GetDefaultCertDB(), certUsageSSLClient,
 130                                 PR_FALSE, PR_FALSE, password_delegate.get());
 131   if (!found_certs) {
 132     DVLOG(2) << "No client certs found.";
 133     return;
 134   }
 135   for (CERTCertListNode* node = CERT_LIST_HEAD(found_certs);
 136        !CERT_LIST_END(node, found_certs); node = CERT_LIST_NEXT(node)) {
 137     certs->push_back(X509Certificate::CreateFromHandle(
 138         node->cert, X509Certificate::OSCertHandles()));
 139   }
 140   CERT_DestroyCertList(found_certs);
 141 }
 142
 143 }  // namespace net