Commit 8d8ad9e1 authored by mattm@chromium.org's avatar mattm@chromium.org

Honor server requested origin bound client cert types.

BUG=88782
TEST=changed certificate_types struct in local copy of nss selfserv,
reloaded, checked "echo .dump | sqlite3 'Origin Bound Certs'" to see if
new cert was generated.


Review URL: http://codereview.chromium.org/8821002

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@113159 0039d316-1c4b-4281-b951-d872f2087c98
parent dbc37da0
...@@ -2152,13 +2152,15 @@ bool SSLClientSocketNSS::OriginBoundCertNegotiated(PRFileDesc* socket) { ...@@ -2152,13 +2152,15 @@ bool SSLClientSocketNSS::OriginBoundCertNegotiated(PRFileDesc* socket) {
} }
SECStatus SSLClientSocketNSS::OriginBoundClientAuthHandler( SECStatus SSLClientSocketNSS::OriginBoundClientAuthHandler(
const std::vector<uint8>& requested_cert_types, const SECItem* cert_types,
CERTCertificate** result_certificate, CERTCertificate** result_certificate,
SECKEYPrivateKey** result_private_key) { SECKEYPrivateKey** result_private_key) {
ob_cert_xtn_negotiated_ = true; ob_cert_xtn_negotiated_ = true;
// We have negotiated the origin-bound certificate extension. // We have negotiated the origin-bound certificate extension.
std::string origin = "https://" + host_and_port_.ToString(); std::string origin = "https://" + host_and_port_.ToString();
std::vector<uint8> requested_cert_types(cert_types->data,
cert_types->data + cert_types->len);
net_log_.BeginEvent(NetLog::TYPE_SSL_GET_ORIGIN_BOUND_CERT, NULL); net_log_.BeginEvent(NetLog::TYPE_SSL_GET_ORIGIN_BOUND_CERT, NULL);
int error = origin_bound_cert_service_->GetOriginBoundCert( int error = origin_bound_cert_service_->GetOriginBoundCert(
origin, origin,
...@@ -2211,14 +2213,12 @@ SECStatus SSLClientSocketNSS::PlatformClientAuthHandler( ...@@ -2211,14 +2213,12 @@ SECStatus SSLClientSocketNSS::PlatformClientAuthHandler(
that->net_log_.AddEvent(NetLog::TYPE_SSL_CLIENT_CERT_REQUESTED, NULL); that->net_log_.AddEvent(NetLog::TYPE_SSL_CLIENT_CERT_REQUESTED, NULL);
const SECItem* cert_types = SSL_GetRequestedClientCertificateTypes(socket);
// Check if an origin-bound certificate is requested. // Check if an origin-bound certificate is requested.
if (OriginBoundCertNegotiated(socket)) { if (OriginBoundCertNegotiated(socket)) {
// TODO(mattm): Once NSS supports it, pass the actual requested types.
std::vector<uint8> requested_cert_types;
requested_cert_types.push_back(CLIENT_CERT_ECDSA_SIGN);
requested_cert_types.push_back(CLIENT_CERT_RSA_SIGN);
return that->OriginBoundClientAuthHandler( return that->OriginBoundClientAuthHandler(
requested_cert_types, result_nss_certificate, result_nss_private_key); cert_types, result_nss_certificate, result_nss_private_key);
} }
that->client_auth_cert_needed_ = !that->ssl_config_.send_client_cert; that->client_auth_cert_needed_ = !that->ssl_config_.send_client_cert;
...@@ -2520,14 +2520,12 @@ SECStatus SSLClientSocketNSS::ClientAuthHandler( ...@@ -2520,14 +2520,12 @@ SECStatus SSLClientSocketNSS::ClientAuthHandler(
that->net_log_.AddEvent(NetLog::TYPE_SSL_CLIENT_CERT_REQUESTED, NULL); that->net_log_.AddEvent(NetLog::TYPE_SSL_CLIENT_CERT_REQUESTED, NULL);
const SECItem* cert_types = SSL_GetRequestedClientCertificateTypes(socket);
// Check if an origin-bound certificate is requested. // Check if an origin-bound certificate is requested.
if (OriginBoundCertNegotiated(socket)) { if (OriginBoundCertNegotiated(socket)) {
// TODO(mattm): Once NSS supports it, pass the actual requested types.
std::vector<uint8> requested_cert_types;
requested_cert_types.push_back(CLIENT_CERT_ECDSA_SIGN);
requested_cert_types.push_back(CLIENT_CERT_RSA_SIGN);
return that->OriginBoundClientAuthHandler( return that->OriginBoundClientAuthHandler(
requested_cert_types, result_certificate, result_private_key); cert_types, result_certificate, result_private_key);
} }
// Regular client certificate requested. // Regular client certificate requested.
......
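Review bot: `OriginBoundClientAuthHandler` dereferences `cert_types->data` and `cert_types->len` in the first hunk without checking the pointer, and both callers in the second and third hunks pass the result of `SSL_GetRequestedClientCertificateTypes(socket)` straight through; as far as I recall that NSS call returns NULL when it cannot find the socket or no CertificateRequest types are available, so a null dereference inside the client-auth callback looks reachable. Guard it at the top of the handler before the vector is built, e.g. `if (!cert_types) return SECFailure;` (or whichever error result the rest of the function already uses — its body continues outside the hunk). The type list is server-supplied, so whatever consumes `requested_cert_types` downstream (`GetOriginBoundCert` here) should be the place that drops unknown type values rather than treating the list as trusted — worth confirming since that code is not in the hunk. Fetching `cert_types` before the `OriginBoundCertNegotiated` check in hunks two and three also performs the lookup on the regular client-cert path where it is unused; moving the call inside the `if` keeps it where it is needed.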
...@@ -168,7 +168,7 @@ class SSLClientSocketNSS : public SSLClientSocket { ...@@ -168,7 +168,7 @@ class SSLClientSocketNSS : public SSLClientSocket {
// Origin bound cert client auth handler. // Origin bound cert client auth handler.
// Returns the value the ClientAuthHandler function should return. // Returns the value the ClientAuthHandler function should return.
SECStatus OriginBoundClientAuthHandler( SECStatus OriginBoundClientAuthHandler(
const std::vector<uint8>& requested_cert_types, const SECItem* cert_types,
CERTCertificate** result_certificate, CERTCertificate** result_certificate,
SECKEYPrivateKey** result_private_key); SECKEYPrivateKey** result_private_key);
#if defined(NSS_PLATFORM_CLIENT_AUTH) #if defined(NSS_PLATFORM_CLIENT_AUTH)
......
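Review bot: The header comment on `OriginBoundClientAuthHandler` does not describe the new `cert_types` parameter, and a raw `const SECItem*` from NSS leaves ownership and nullability unstated. I would add `// |cert_types| is the list of client certificate types from the server's CertificateRequest (as returned by SSL_GetRequestedClientCertificateTypes); it is not owned by this class and may be NULL.` The nullability part should be kept consistent with the .cc change, which currently dereferences the pointer without a guard.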