1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
|
// Copyright 2013 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "net/ssl/client_cert_store_win.h"
#include <algorithm>
#include <string>
#define SECURITY_WIN32 // Needs to be defined before including security.h
#include <windows.h>
#include <wincrypt.h>
#include <security.h>
#include "base/callback.h"
#include "base/logging.h"
#include "crypto/scoped_capi_types.h"
#include "net/cert/x509_util.h"
namespace net {
namespace {
// Callback required by Windows API function CertFindChainInStore(). In addition
// to filtering by extended/enhanced key usage, we do not show expired
// certificates and require digital signature usage in the key usage extension.
//
// This matches our behavior on Mac OS X and that of NSS. It also matches the
// default behavior of IE8. See http://support.microsoft.com/kb/890326 and
// http://blogs.msdn.com/b/askie/archive/2009/06/09/my-expired-client-certifica
// tes-no-longer-display-when-connecting-to-my-web-server-using-ie8.aspx
static BOOL WINAPI ClientCertFindCallback(PCCERT_CONTEXT cert_context,
void* find_arg) {
// Verify the certificate key usage is appropriate or not specified.
BYTE key_usage;
if (CertGetIntendedKeyUsage(X509_ASN_ENCODING, cert_context->pCertInfo,
&key_usage, 1)) {
if (!(key_usage & CERT_DIGITAL_SIGNATURE_KEY_USAGE))
return FALSE;
} else {
DWORD err = GetLastError();
// If |err| is non-zero, it's an actual error. Otherwise the extension
// just isn't present, and we treat it as if everything was allowed.
if (err) {
DLOG(ERROR) << "CertGetIntendedKeyUsage failed: " << err;
return FALSE;
}
}
// Verify the current time is within the certificate's validity period.
if (CertVerifyTimeValidity(NULL, cert_context->pCertInfo) != 0)
return FALSE;
// Verify private key metadata is associated with this certificate.
// TODO(ppi): Is this really needed? Isn't it equivalent to leaving
// CERT_CHAIN_FIND_BY_ISSUER_NO_KEY_FLAG not set in |find_flags| argument of
// CertFindChainInStore()?
DWORD size = 0;
if (!CertGetCertificateContextProperty(
cert_context, CERT_KEY_PROV_INFO_PROP_ID, NULL, &size)) {
return FALSE;
}
return TRUE;
}
void GetClientCertsImpl(HCERTSTORE cert_store,
const SSLCertRequestInfo& request,
CertificateList* selected_certs) {
selected_certs->clear();
const size_t auth_count = request.cert_authorities.size();
std::vector<CERT_NAME_BLOB> issuers(auth_count);
for (size_t i = 0; i < auth_count; ++i) {
issuers[i].cbData = static_cast<DWORD>(request.cert_authorities[i].size());
issuers[i].pbData = reinterpret_cast<BYTE*>(
const_cast<char*>(request.cert_authorities[i].data()));
}
// Enumerate the client certificates.
CERT_CHAIN_FIND_BY_ISSUER_PARA find_by_issuer_para;
memset(&find_by_issuer_para, 0, sizeof(find_by_issuer_para));
find_by_issuer_para.cbSize = sizeof(find_by_issuer_para);
find_by_issuer_para.pszUsageIdentifier = szOID_PKIX_KP_CLIENT_AUTH;
find_by_issuer_para.cIssuer = static_cast<DWORD>(auth_count);
find_by_issuer_para.rgIssuer =
reinterpret_cast<CERT_NAME_BLOB*>(issuers.data());
find_by_issuer_para.pfnFindCallback = ClientCertFindCallback;
PCCERT_CHAIN_CONTEXT chain_context = NULL;
DWORD find_flags = CERT_CHAIN_FIND_BY_ISSUER_CACHE_ONLY_FLAG |
CERT_CHAIN_FIND_BY_ISSUER_CACHE_ONLY_URL_FLAG;
for (;;) {
// Find a certificate chain.
chain_context = CertFindChainInStore(cert_store,
X509_ASN_ENCODING,
find_flags,
CERT_CHAIN_FIND_BY_ISSUER,
&find_by_issuer_para,
chain_context);
if (!chain_context) {
if (GetLastError() != CRYPT_E_NOT_FOUND)
DPLOG(ERROR) << "CertFindChainInStore failed: ";
break;
}
// Get the leaf certificate.
PCCERT_CONTEXT cert_context =
chain_context->rgpChain[0]->rgpElement[0]->pCertContext;
// Copy the certificate, so that it is valid after |cert_store| is closed.
PCCERT_CONTEXT cert_context2 = NULL;
BOOL ok = CertAddCertificateContextToStore(NULL, cert_context,
CERT_STORE_ADD_USE_EXISTING,
&cert_context2);
if (!ok) {
NOTREACHED();
continue;
}
// Grab the intermediates, if any.
X509Certificate::OSCertHandles intermediates;
for (DWORD i = 1; i < chain_context->rgpChain[0]->cElement; ++i) {
PCCERT_CONTEXT chain_intermediate =
chain_context->rgpChain[0]->rgpElement[i]->pCertContext;
PCCERT_CONTEXT copied_intermediate = NULL;
ok = CertAddCertificateContextToStore(NULL, chain_intermediate,
CERT_STORE_ADD_USE_EXISTING,
&copied_intermediate);
if (ok)
intermediates.push_back(copied_intermediate);
}
scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromHandle(
cert_context2, intermediates);
selected_certs->push_back(cert);
CertFreeCertificateContext(cert_context2);
for (size_t i = 0; i < intermediates.size(); ++i)
CertFreeCertificateContext(intermediates[i]);
}
std::sort(selected_certs->begin(), selected_certs->end(),
x509_util::ClientCertSorter());
}
} // namespace
ClientCertStoreWin::ClientCertStoreWin() {}
ClientCertStoreWin::~ClientCertStoreWin() {}
void ClientCertStoreWin::GetClientCerts(const SSLCertRequestInfo& request,
CertificateList* selected_certs,
const base::Closure& callback) {
// Client certificates of the user are in the "MY" system certificate store.
HCERTSTORE my_cert_store = CertOpenSystemStore(NULL, L"MY");
if (!my_cert_store) {
PLOG(ERROR) << "Could not open the \"MY\" system certificate store: ";
selected_certs->clear();
callback.Run();
return;
}
GetClientCertsImpl(my_cert_store, request, selected_certs);
if (!CertCloseStore(my_cert_store, CERT_CLOSE_STORE_CHECK_FLAG))
PLOG(ERROR) << "Could not close the \"MY\" system certificate store: ";
callback.Run();
}
bool ClientCertStoreWin::SelectClientCertsForTesting(
const CertificateList& input_certs,
const SSLCertRequestInfo& request,
CertificateList* selected_certs) {
typedef crypto::ScopedCAPIHandle<
HCERTSTORE,
crypto::CAPIDestroyerWithFlags<HCERTSTORE,
CertCloseStore, 0> > ScopedHCERTSTORE;
ScopedHCERTSTORE test_store(CertOpenStore(CERT_STORE_PROV_MEMORY, 0, NULL, 0,
NULL));
if (!test_store)
return false;
// Add available certificates to the test store.
for (size_t i = 0; i < input_certs.size(); ++i) {
// Add the certificate to the test store.
PCCERT_CONTEXT cert = NULL;
if (!CertAddCertificateContextToStore(test_store,
input_certs[i]->os_cert_handle(),
CERT_STORE_ADD_NEW, &cert)) {
return false;
}
// Add dummy private key data to the certificate - otherwise the certificate
// would be discarded by the filtering routines.
CRYPT_KEY_PROV_INFO private_key_data;
memset(&private_key_data, 0, sizeof(private_key_data));
if (!CertSetCertificateContextProperty(cert,
CERT_KEY_PROV_INFO_PROP_ID,
0, &private_key_data)) {
return false;
}
// Decrement the reference count of the certificate (since we requested a
// copy).
if (!CertFreeCertificateContext(cert))
return false;
}
GetClientCertsImpl(test_store.get(), request, selected_certs);
return true;
}
} // namespace net
|
