1 // Copyright 2017 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "net/ssl/client_cert_identity.h"
6
7 #include <utility>
8
9 #include "base/functional/bind.h"
10 #include "net/cert/x509_util.h"
11 #include "net/ssl/ssl_private_key.h"
12
13 namespace net {
14
15 namespace {
16
IdentityOwningPrivateKeyCallback(std::unique_ptr<ClientCertIdentity> identity,base::OnceCallback<void (scoped_refptr<SSLPrivateKey>)> private_key_callback,scoped_refptr<SSLPrivateKey> private_key)17 void IdentityOwningPrivateKeyCallback(
18 std::unique_ptr<ClientCertIdentity> identity,
19 base::OnceCallback<void(scoped_refptr<SSLPrivateKey>)> private_key_callback,
20 scoped_refptr<SSLPrivateKey> private_key) {
21 std::move(private_key_callback).Run(std::move(private_key));
22 }
23
24 } // namespace
25
ClientCertIdentity(scoped_refptr<net::X509Certificate> cert)26 ClientCertIdentity::ClientCertIdentity(scoped_refptr<net::X509Certificate> cert)
27 : cert_(std::move(cert)) {}
28 ClientCertIdentity::~ClientCertIdentity() = default;
29
30 // static
SelfOwningAcquirePrivateKey(std::unique_ptr<ClientCertIdentity> self,base::OnceCallback<void (scoped_refptr<SSLPrivateKey>)> private_key_callback)31 void ClientCertIdentity::SelfOwningAcquirePrivateKey(
32 std::unique_ptr<ClientCertIdentity> self,
33 base::OnceCallback<void(scoped_refptr<SSLPrivateKey>)>
34 private_key_callback) {
35 ClientCertIdentity* self_ptr = self.get();
36 auto wrapped_private_key_callback =
37 base::BindOnce(&IdentityOwningPrivateKeyCallback, std::move(self),
38 std::move(private_key_callback));
39 self_ptr->AcquirePrivateKey(std::move(wrapped_private_key_callback));
40 }
41
SetIntermediates(std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> intermediates)42 void ClientCertIdentity::SetIntermediates(
43 std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> intermediates) {
44 cert_ = cert_->CloneWithDifferentIntermediates(std::move(intermediates));
45 DCHECK(cert_);
46 }
47
ClientCertIdentitySorter()48 ClientCertIdentitySorter::ClientCertIdentitySorter()
49 : now_(base::Time::Now()) {}
50
operator ()(const std::unique_ptr<ClientCertIdentity> & a_identity,const std::unique_ptr<ClientCertIdentity> & b_identity) const51 bool ClientCertIdentitySorter::operator()(
52 const std::unique_ptr<ClientCertIdentity>& a_identity,
53 const std::unique_ptr<ClientCertIdentity>& b_identity) const {
54 X509Certificate* a = a_identity->certificate();
55 X509Certificate* b = b_identity->certificate();
56 DCHECK(a);
57 DCHECK(b);
58
59 // Certificates that are expired/not-yet-valid are sorted last.
60 bool a_is_valid = now_ >= a->valid_start() && now_ <= a->valid_expiry();
61 bool b_is_valid = now_ >= b->valid_start() && now_ <= b->valid_expiry();
62 if (a_is_valid != b_is_valid)
63 return a_is_valid && !b_is_valid;
64
65 // Certificates with longer expirations appear as higher priority (less
66 // than) certificates with shorter expirations.
67 if (a->valid_expiry() != b->valid_expiry())
68 return a->valid_expiry() > b->valid_expiry();
69
70 // If the expiration dates are equivalent, certificates that were issued
71 // more recently should be prioritized over older certificates.
72 if (a->valid_start() != b->valid_start())
73 return a->valid_start() > b->valid_start();
74
75 // Otherwise, prefer client certificates with shorter chains.
76 const auto& a_intermediates = a->intermediate_buffers();
77 const auto& b_intermediates = b->intermediate_buffers();
78 return a_intermediates.size() < b_intermediates.size();
79 }
80
81 } // namespace net
82