Bug 431819, SSL client auth, repeated prompts for client certificate

r=rrelyea, r=dveditz
This commit is contained in:
Kai Engert 2008-06-18 21:36:29 +02:00
parent 7c88a89044
commit 0f228913f3
12 changed files with 572 additions and 19 deletions

View File

@ -61,6 +61,7 @@ pref("security.ssl3.rsa_null_sha", false);
pref("security.ssl3.rsa_null_md5", false);
pref("security.default_personal_cert", "Ask Every Time");
pref("security.remember_cert_checkbox_default_setting", true);
pref("security.ask_for_password", 0);
pref("security.password_lifetime", 30);
pref("security.warn_entering_secure", false);

View File

@ -42,6 +42,7 @@ const nsIDialogParamBlock = Components.interfaces.nsIDialogParamBlock;
var dialogParams;
var itemCount = 0;
var rememberBox;
function onLoad()
{
@ -54,6 +55,28 @@ function onLoad()
org = dialogParams.GetString(1);
issuer = dialogParams.GetString(2);
// added with bug 431819. reuse string from caps in order to avoid string changes
var capsBundle = srGetStrBundle("chrome://global/locale/security/caps.properties");
var rememberString = capsBundle.GetStringFromName("CheckMessage");
var rememberSetting = true;
var pref = Components.classes['@mozilla.org/preferences-service;1']
.getService(Components.interfaces.nsIPrefService);
if (pref) {
pref = pref.getBranch(null);
try {
rememberSetting =
pref.getBoolPref("security.remember_cert_checkbox_default_setting");
}
catch(e) {
// pref is missing
}
}
rememberBox = document.getElementById("rememberBox");
rememberBox.label = rememberString;
rememberBox.checked = rememberSetting;
var bundle = srGetStrBundle("chrome://pippki/locale/pippki.properties");
var message1 = bundle.formatStringFromName("clientAuthMessage1",
[org],
@ -98,11 +121,14 @@ function doOK()
dialogParams.SetInt(0,1);
var index = parseInt(document.getElementById("nicknames").value);
dialogParams.SetInt(1, index);
dialogParams.SetInt(2, rememberBox.checked);
return true;
}
function doCancel()
{
dialogParams.SetInt(0,0);
dialogParams.SetInt(1, -1); // invalid value
dialogParams.SetInt(2, rememberBox.checked);
return true;
}

View File

@ -73,6 +73,7 @@
<description>&clientAuthAsk.message3;</description>
<textbox readonly="true" id="details" multiline="true"
style="height: 11em;"/>
<checkbox id="rememberBox" checked="true"/>
</groupbox>
</dialog>

View File

@ -309,10 +309,18 @@ nsNSSDialogs::ChooseCertificate(nsIInterfaceRequestor *ctx, const PRUnichar *cn,
if (NS_FAILED(rv)) return rv;
PRInt32 status;
rv = block->GetInt(0, &status);
if (NS_FAILED(rv)) return rv;
nsCOMPtr<nsIClientAuthUserDecision> extraResult = do_QueryInterface(ctx);
if (extraResult) {
PRInt32 rememberSelection;
rv = block->GetInt(2, &rememberSelection);
if (NS_SUCCEEDED(rv)) {
extraResult->SetRememberClientAuthCertificate(rememberSelection!=0);
}
}
*canceled = (status == 0)?PR_TRUE:PR_FALSE;
if (!*canceled) {
// retrieve the nickname

View File

@ -61,6 +61,12 @@ interface nsIClientAuthDialogs : nsISupports
out boolean canceled);
};
[scriptable, uuid(95c4373e-bdd4-4a63-b431-f5b000367721)]
interface nsIClientAuthUserDecision : nsISupports
{
attribute boolean rememberClientAuthCertificate;
};
%{C++
#define NS_CLIENTAUTHDIALOGS_CONTRACTID "@mozilla.org/nsClientAuthDialogs;1"
%}

View File

@ -60,6 +60,7 @@ CPPSRCS = \
nsNSSCleaner.cpp \
nsCertOverrideService.cpp \
nsRecentBadCerts.cpp \
nsClientAuthRemember.cpp \
nsPSMBackgroundThread.cpp \
nsSSLThread.cpp \
nsCertVerificationThread.cpp \

View File

@ -0,0 +1,256 @@
/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
*
* ***** BEGIN LICENSE BLOCK *****
* Version: MPL 1.1/GPL 2.0/LGPL 2.1
*
* The contents of this file are subject to the Mozilla Public License Version
* 1.1 (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
* http://www.mozilla.org/MPL/
*
* Software distributed under the License is distributed on an "AS IS" basis,
* WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
* for the specific language governing rights and limitations under the
* License.
*
* The Original Code is mozilla.org code.
*
* The Initial Developer of the Original Code is
* Red Hat, Inc.
* Portions created by the Initial Developer are Copyright (C) 2008
* the Initial Developer. All Rights Reserved.
*
* Contributor(s):
* Kai Engert <kengert@redhat.com>
*
* Alternatively, the contents of this file may be used under the terms of
* either the GNU General Public License Version 2 or later (the "GPL"), or
* the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
* in which case the provisions of the GPL or the LGPL are applicable instead
* of those above. If you wish to allow use of your version of this file only
* under the terms of either the GPL or the LGPL, and not to allow others to
* use your version of this file under the terms of the MPL, indicate your
* decision by deleting the provisions above and replace them with the notice
* and other provisions required by the GPL or the LGPL. If you do not delete
* the provisions above, a recipient may use your version of this file under
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
#include "nsClientAuthRemember.h"
#include "nsIX509Cert.h"
#include "nsCRT.h"
#include "nsNetUtil.h"
#include "nsIObserverService.h"
#include "nsNetUtil.h"
#include "nsISupportsPrimitives.h"
#include "nsPromiseFlatString.h"
#include "nsProxiedService.h"
#include "nsStringBuffer.h"
#include "nsAutoLock.h"
#include "nspr.h"
#include "pk11pub.h"
#include "certdb.h"
#include "sechash.h"
#include "ssl.h" // For SSL_ClearSessionCache
#include "nsNSSCleaner.h"
NSSCleanupAutoPtrClass(CERTCertificate, CERT_DestroyCertificate)
NS_IMPL_THREADSAFE_ISUPPORTS1(nsClientAuthRememberService,
nsIObserver)
nsClientAuthRememberService::nsClientAuthRememberService()
{
monitor = PR_NewMonitor();
}
nsClientAuthRememberService::~nsClientAuthRememberService()
{
RemoveAllFromMemory();
if (monitor)
PR_DestroyMonitor(monitor);
}
nsresult
nsClientAuthRememberService::Init()
{
if (!mSettingsTable.Init())
return NS_ERROR_OUT_OF_MEMORY;
nsCOMPtr<nsIProxyObjectManager> proxyman(do_GetService(NS_XPCOMPROXY_CONTRACTID));
if (!proxyman)
return NS_ERROR_FAILURE;
nsCOMPtr<nsIObserverService> observerService(do_GetService("@mozilla.org/observer-service;1"));
nsCOMPtr<nsIObserverService> proxiedObserver;
NS_GetProxyForObject(NS_PROXY_TO_MAIN_THREAD,
NS_GET_IID(nsIObserverService),
observerService,
NS_PROXY_SYNC,
getter_AddRefs(proxiedObserver));
if (proxiedObserver) {
proxiedObserver->AddObserver(this, "profile-before-change", PR_TRUE);
}
return NS_OK;
}
NS_IMETHODIMP
nsClientAuthRememberService::Observe(nsISupports *aSubject,
const char *aTopic,
const PRUnichar *aData)
{
// check the topic
if (!nsCRT::strcmp(aTopic, "profile-before-change")) {
// The profile is about to change,
// or is going away because the application is shutting down.
nsAutoMonitor lock(monitor);
RemoveAllFromMemory();
}
return NS_OK;
}
void nsClientAuthRememberService::ClearRememberedDecisions()
{
nsAutoMonitor lock(monitor);
RemoveAllFromMemory();
}
void
nsClientAuthRememberService::RemoveAllFromMemory()
{
mSettingsTable.Clear();
}
static nsresult
GetCertFingerprintByOidTag(CERTCertificate* nsscert,
SECOidTag aOidTag,
nsCString &fp)
{
unsigned int hash_len = HASH_ResultLenByOidTag(aOidTag);
nsRefPtr<nsStringBuffer> fingerprint = nsStringBuffer::Alloc(hash_len);
if (!fingerprint)
return NS_ERROR_OUT_OF_MEMORY;
PK11_HashBuf(aOidTag, (unsigned char*)fingerprint->Data(),
nsscert->derCert.data, nsscert->derCert.len);
SECItem fpItem;
fpItem.data = (unsigned char*)fingerprint->Data();
fpItem.len = hash_len;
fp.Adopt(CERT_Hexify(&fpItem, 1));
return NS_OK;
}
nsresult
nsClientAuthRememberService::RememberDecision(const nsACString & aHostName,
CERTCertificate *aServerCert, CERTCertificate *aClientCert)
{
// aClientCert == NULL means: remember that user does not want to use a cert
NS_ENSURE_ARG_POINTER(aServerCert);
if (aHostName.IsEmpty())
return NS_ERROR_INVALID_ARG;
nsCAutoString fpStr;
nsresult rv = GetCertFingerprintByOidTag(aServerCert, SEC_OID_SHA256, fpStr);
if (NS_FAILED(rv))
return rv;
{
nsAutoMonitor lock(monitor);
if (aClientCert) {
AddEntryToList(aHostName, fpStr,
nsDependentCString(aClientCert->nickname));
}
else {
nsCString empty;
AddEntryToList(aHostName, fpStr, empty);
}
}
return NS_OK;
}
nsresult
nsClientAuthRememberService::HasRememberedDecision(const nsACString & aHostName,
CERTCertificate *aCert,
nsACString & aClientNickname,
PRBool *_retval)
{
if (aHostName.IsEmpty())
return NS_ERROR_INVALID_ARG;
NS_ENSURE_ARG_POINTER(aCert);
NS_ENSURE_ARG_POINTER(_retval);
*_retval = PR_FALSE;
nsresult rv;
nsCAutoString fpStr;
rv = GetCertFingerprintByOidTag(aCert, SEC_OID_SHA256, fpStr);
if (NS_FAILED(rv))
return rv;
nsCAutoString hostCert;
GetHostWithCert(aHostName, fpStr, hostCert);
nsClientAuthRemember settings;
{
nsAutoMonitor lock(monitor);
nsClientAuthRememberEntry *entry = mSettingsTable.GetEntry(hostCert.get());
if (!entry)
return NS_OK;
settings = entry->mSettings; // copy
}
aClientNickname = settings.mClientNickname;
*_retval = PR_TRUE;
return NS_OK;
}
nsresult
nsClientAuthRememberService::AddEntryToList(const nsACString &aHostName,
const nsACString &fingerprint,
const nsACString &client_nickname)
{
nsCAutoString hostCert;
GetHostWithCert(aHostName, fingerprint, hostCert);
{
nsAutoMonitor lock(monitor);
nsClientAuthRememberEntry *entry = mSettingsTable.PutEntry(hostCert.get());
if (!entry) {
NS_ERROR("can't insert a null entry!");
return NS_ERROR_OUT_OF_MEMORY;
}
entry->mHostWithCert = hostCert;
nsClientAuthRemember &settings = entry->mSettings;
settings.mAsciiHost = aHostName;
settings.mFingerprint = fingerprint;
settings.mClientNickname = client_nickname;
}
return NS_OK;
}
void
nsClientAuthRememberService::GetHostWithCert(const nsACString & aHostName,
const nsACString & fingerprint,
nsACString& _retval)
{
nsCAutoString hostCert(aHostName);
hostCert.AppendLiteral(":");
hostCert.Append(fingerprint);
_retval.Assign(hostCert);
}

View File

@ -0,0 +1,172 @@
/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
*
* ***** BEGIN LICENSE BLOCK *****
* Version: MPL 1.1/GPL 2.0/LGPL 2.1
*
* The contents of this file are subject to the Mozilla Public License Version
* 1.1 (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
* http://www.mozilla.org/MPL/
*
* Software distributed under the License is distributed on an "AS IS" basis,
* WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
* for the specific language governing rights and limitations under the
* License.
*
* The Original Code is mozilla.org code.
*
* The Initial Developer of the Original Code is
* Red Hat, Inc.
* Portions created by the Initial Developer are Copyright (C) 2008
* the Initial Developer. All Rights Reserved.
*
* Contributor(s):
* Kai Engert <kengert@redhat.com>
*
* Alternatively, the contents of this file may be used under the terms of
* either the GNU General Public License Version 2 or later (the "GPL"), or
* the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
* in which case the provisions of the GPL or the LGPL are applicable instead
* of those above. If you wish to allow use of your version of this file only
* under the terms of either the GPL or the LGPL, and not to allow others to
* use your version of this file under the terms of the MPL, indicate your
* decision by deleting the provisions above and replace them with the notice
* and other provisions required by the GPL or the LGPL. If you do not delete
* the provisions above, a recipient may use your version of this file under
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
#ifndef __NSCLIENTAUTHREMEMBER_H__
#define __NSCLIENTAUTHREMEMBER_H__
#include "nsTHashtable.h"
#include "nsIObserver.h"
#include "nsIX509Cert.h"
#include "nsAutoPtr.h"
#include "nsNSSCertificate.h"
#include "nsString.h"
#include "prmon.h"
class nsClientAuthRemember
{
public:
nsClientAuthRemember()
{
}
nsClientAuthRemember(const nsClientAuthRemember &other)
{
this->operator=(other);
}
nsClientAuthRemember &operator=(const nsClientAuthRemember &other)
{
mAsciiHost = other.mAsciiHost;
mFingerprint = other.mFingerprint;
mClientNickname = other.mClientNickname;
return *this;
}
nsCString mAsciiHost;
nsCString mFingerprint;
nsCString mClientNickname;
};
// hash entry class
class nsClientAuthRememberEntry : public PLDHashEntryHdr
{
public:
// Hash methods
typedef const char* KeyType;
typedef const char* KeyTypePointer;
// do nothing with aHost - we require mHead to be set before we're live!
nsClientAuthRememberEntry(KeyTypePointer aHostWithCertUTF8)
{
}
nsClientAuthRememberEntry(const nsClientAuthRememberEntry& toCopy)
{
mSettings = toCopy.mSettings;
}
~nsClientAuthRememberEntry()
{
}
KeyType GetKey() const
{
return HostWithCertPtr();
}
KeyTypePointer GetKeyPointer() const
{
return HostWithCertPtr();
}
PRBool KeyEquals(KeyTypePointer aKey) const
{
return !strcmp(HostWithCertPtr(), aKey);
}
static KeyTypePointer KeyToPointer(KeyType aKey)
{
return aKey;
}
static PLDHashNumber HashKey(KeyTypePointer aKey)
{
// PL_DHashStringKey doesn't use the table parameter, so we can safely
// pass nsnull
return PL_DHashStringKey(nsnull, aKey);
}
enum { ALLOW_MEMMOVE = PR_FALSE };
// get methods
inline const nsCString &HostWithCert() const { return mHostWithCert; }
inline KeyTypePointer HostWithCertPtr() const
{
return mHostWithCert.get();
}
nsClientAuthRemember mSettings;
nsCString mHostWithCert;
};
class nsClientAuthRememberService : public nsIObserver
{
public:
NS_DECL_ISUPPORTS
NS_DECL_NSIOBSERVER
nsClientAuthRememberService();
~nsClientAuthRememberService();
nsresult Init();
static void GetHostWithCert(const nsACString & aHostName,
const nsACString & nickname, nsACString& _retval);
nsresult RememberDecision(const nsACString & aHostName,
CERTCertificate *aServerCert, CERTCertificate *aClientCert);
nsresult HasRememberedDecision(const nsACString & aHostName,
CERTCertificate *aCert, nsACString & aClientNickname, PRBool *_retval);
void ClearRememberedDecisions();
protected:
PRMonitor *monitor;
nsTHashtable<nsClientAuthRememberEntry> mSettingsTable;
void RemoveAllFromMemory();
nsresult AddEntryToList(const nsACString &host,
const nsACString &server_fingerprint,
const nsACString &client_nickname);
};
#endif

View File

@ -296,6 +296,7 @@ nsNSSComponent::nsNSSComponent()
memset(&mIdentityInfoCallOnce, 0, sizeof(PRCallOnceType));
nsSSLIOLayerHelpers::Init();
mClientAuthRememberService.Init();
NS_ASSERTION( (0 == mInstanceCount), "nsNSSComponent is a singleton, but instantiated multiple times!");
++mInstanceCount;
@ -1683,6 +1684,7 @@ nsNSSComponent::ShutdownNSS()
ShutdownSmartCardThreads();
SSL_ClearSessionCache();
mClientAuthRememberService.ClearRememberedDecisions();
UnloadLoadableRoots();
CleanupIdentityInfo();
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("evaporating psm resources\n"));
@ -2148,6 +2150,7 @@ void nsNSSComponent::ShowAlert(AlertIdentifier ai)
nsresult nsNSSComponent::LogoutAuthenticatedPK11()
{
mClientAuthRememberService.ClearRememberedDecisions();
return mShutdownObjectList->doPK11Logout();
}
@ -2409,6 +2412,13 @@ nsNSSComponent::DoProfileChangeNetRestore()
mIsNetworkDown = PR_FALSE;
}
NS_IMETHODIMP
nsNSSComponent::GetClientAuthRememberService(nsClientAuthRememberService **cars)
{
NS_ENSURE_ARG_POINTER(cars);
*cars = &mClientAuthRememberService;
}
//---------------------------------------------
// Implementing nsICryptoHash
//---------------------------------------------
@ -3178,4 +3188,3 @@ PSMContentListener::SetParentContentListener(nsIURIContentListener * aContentLis
mParentContentListener = aContentListener;
return NS_OK;
}

View File

@ -69,6 +69,7 @@
#include "nsNSSCallbacks.h"
#include "nsNSSHelper.h"
#include "nsClientAuthRemember.h"
#define NS_NSSCOMPONENT_CID \
{0xa277189c, 0x1dd1, 0x11b2, {0xa8, 0xc9, 0xe4, 0xe8, 0xbf, 0xb1, 0x33, 0x8e}}
@ -171,6 +172,8 @@ class NS_NO_VTABLE nsINSSComponent : public nsISupports {
NS_IMETHOD DispatchEvent(const nsAString &eventType, const nsAString &token) = 0;
NS_IMETHOD GetClientAuthRememberService(nsClientAuthRememberService **cars) = 0;
NS_IMETHOD EnsureIdentityInfoLoaded() = 0;
};
@ -259,6 +262,7 @@ public:
NS_IMETHOD ShutdownSmartCardThread(SECMODModule *module);
NS_IMETHOD PostEvent(const nsAString &eventType, const nsAString &token);
NS_IMETHOD DispatchEvent(const nsAString &eventType, const nsAString &token);
NS_IMETHOD GetClientAuthRememberService(nsClientAuthRememberService **cars);
NS_IMETHOD EnsureIdentityInfoLoaded();
private:
@ -324,6 +328,7 @@ private:
nsSSLThread *mSSLThread;
nsCertVerificationThread *mCertVerificationThread;
nsNSSHttpInterface mHttpForNSS;
nsClientAuthRememberService mClientAuthRememberService;
static PRStatus PR_CALLBACK IdentityInfoInit(void);
PRCallOnceType mIdentityInfoCallOnce;

View File

@ -58,6 +58,7 @@
#include "nsIDateTimeFormat.h"
#include "nsDateTimeFormatCID.h"
#include "nsIClientAuthDialogs.h"
#include "nsClientAuthRemember.h"
#include "nsICertOverrideService.h"
#include "nsIBadCertListener2.h"
#include "nsISSLErrorListener.h"
@ -237,7 +238,7 @@ void nsNSSSocketInfo::virtualDestroyNSSReference()
{
}
NS_IMPL_THREADSAFE_ISUPPORTS8(nsNSSSocketInfo,
NS_IMPL_THREADSAFE_ISUPPORTS9(nsNSSSocketInfo,
nsITransportSecurityInfo,
nsISSLSocketControl,
nsIInterfaceRequestor,
@ -245,7 +246,8 @@ NS_IMPL_THREADSAFE_ISUPPORTS8(nsNSSSocketInfo,
nsIIdentityInfo,
nsIAssociatedContentSecurity,
nsISerializable,
nsIClassInfo)
nsIClassInfo,
nsIClientAuthUserDecision)
nsresult
nsNSSSocketInfo::GetHandshakePending(PRBool *aHandshakePending)
@ -299,6 +301,19 @@ PRBool nsNSSSocketInfo::GetCanceled()
return mCanceled;
}
NS_IMETHODIMP nsNSSSocketInfo::GetRememberClientAuthCertificate(PRBool *aRememberClientAuthCertificate)
{
NS_ENSURE_ARG_POINTER(aRememberClientAuthCertificate);
*aRememberClientAuthCertificate = mRememberClientAuthCertificate;
return NS_OK;
}
NS_IMETHODIMP nsNSSSocketInfo::SetRememberClientAuthCertificate(PRBool aRememberClientAuthCertificate)
{
mRememberClientAuthCertificate = aRememberClientAuthCertificate;
return NS_OK;
}
void nsNSSSocketInfo::SetHasCleartextPhase(PRBool aHasCleartextPhase)
{
mHasCleartextPhase = aHasCleartextPhase;
@ -2464,12 +2479,10 @@ SECStatus nsNSS_SSLGetClientAuthData(void* arg, PRFileDesc* socket,
nsNSSShutDownPreventionLock locker;
void* wincx = NULL;
SECStatus ret = SECFailure;
nsresult rv;
nsNSSSocketInfo* info = NULL;
PRArenaPool* arena = NULL;
char** caNameStrings;
CERTCertificate* cert = NULL;
CERTCertificate* serverCert = NULL;
SECKEYPrivateKey* privKey = NULL;
CERTCertList* certList = NULL;
CERTCertListNode* node;
@ -2593,13 +2606,63 @@ SECStatus nsNSS_SSLGetClientAuthData(void* arg, PRFileDesc* socket,
goto noCert;
}
}
else { // Not Auto => ask
/* Get the SSL Certificate */
CERTCertificate* serverCert = NULL;
CERTCertificateCleaner serverCertCleaner(serverCert);
serverCert = SSL_PeerCertificate(socket);
if (serverCert == NULL) {
/* couldn't get the server cert: what do I do? */
goto loser;
}
nsXPIDLCString hostname;
info->GetHostName(getter_Copies(hostname));
nsresult rv;
NS_DEFINE_CID(nssComponentCID, NS_NSSCOMPONENT_CID);
nsCOMPtr<nsINSSComponent> nssComponent(do_GetService(nssComponentCID, &rv));
// it's ok to keep our raw pointer to the nsClientAuthRememberService
// as long as we hold the reference to the nssComponent.
// Yes, this sucks, but this is branch only code,
// and I don't want to deal with new interfaces, and want to use full
// typed pointers.
// Note nsINSSComponent is NOT exposed to anywhere outside of PSM.
nsClientAuthRememberService *cars = nsnull;
if (nssComponent) {
nssComponent->GetClientAuthRememberService(&cars);
}
PRBool hasRemembered = PR_FALSE;
nsCString rememberedNickname;
if (cars) {
PRBool found;
nsresult rv = cars->HasRememberedDecision(hostname,
serverCert,
rememberedNickname, &found);
if (NS_SUCCEEDED(rv) && found) {
hasRemembered = PR_TRUE;
}
}
PRBool canceled = PR_FALSE;
if (hasRemembered)
{
if (rememberedNickname.IsEmpty())
canceled = PR_TRUE;
else {
char *const_nickname = const_cast<char*>(rememberedNickname.get());
cert = CERT_FindCertByNickname(CERT_GetDefaultCertDB(), const_nickname);
}
}
else
{
/* user selects a cert to present */
nsIClientAuthDialogs *dialogs = NULL;
PRInt32 selectedIndex = -1;
PRUnichar **certNicknameList = NULL;
PRUnichar **certDetailsList = NULL;
PRBool canceled;
/* find all user certs that are for SSL */
/* note that we are allowing expired certs in this list */
@ -2656,13 +2719,6 @@ SECStatus nsNSS_SSLGetClientAuthData(void* arg, PRFileDesc* socket,
NS_ASSERTION(nicknames->numnicknames == NumberOfCerts, "nicknames->numnicknames != NumberOfCerts");
/* Get the SSL Certificate */
serverCert = SSL_PeerCertificate(socket);
if (serverCert == NULL) {
/* couldn't get the server cert: what do I do? */
goto loser;
}
/* Get CN and O of the subject and O of the issuer */
char *ccn = CERT_GetCommonName(&serverCert->subject);
charCleaner ccnCleaner(ccn);
@ -2670,8 +2726,6 @@ SECStatus nsNSS_SSLGetClientAuthData(void* arg, PRFileDesc* socket,
PRInt32 port;
info->GetPort(&port);
char *hostname = SSL_RevealURL(socket);
charCleaner hostnameCleaner(hostname);
nsString cn_host_port;
if (ccn && strcmp(ccn, hostname) == 0) {
@ -2695,8 +2749,6 @@ SECStatus nsNSS_SSLGetClientAuthData(void* arg, PRFileDesc* socket,
NS_ConvertUTF8toUTF16 issuer(cissuer);
if (cissuer) PORT_Free(cissuer);
CERT_DestroyCertificate(serverCert);
certNicknameList = (PRUnichar **)nsMemory::Alloc(sizeof(PRUnichar *) * nicknames->numnicknames);
if (!certNicknameList)
goto loser;
@ -2764,9 +2816,12 @@ SECStatus nsNSS_SSLGetClientAuthData(void* arg, PRFileDesc* socket,
if (NS_FAILED(rv)) goto loser;
if (canceled) { rv = NS_ERROR_NOT_AVAILABLE; goto loser; }
// even if the user has canceled, we want to remember that, to avoid repeating prompts
PRBool wantRemember = PR_FALSE;
info->GetRememberClientAuthCertificate(&wantRemember);
int i;
if (!canceled)
for (i = 0, node = CERT_LIST_HEAD(certList);
!CERT_LIST_END(node, certList);
++i, node = CERT_LIST_NEXT(node)) {
@ -2777,6 +2832,15 @@ SECStatus nsNSS_SSLGetClientAuthData(void* arg, PRFileDesc* socket,
}
}
if (cars && wantRemember) {
cars->RememberDecision(hostname,
serverCert,
canceled ? 0 : cert);
}
}
if (canceled) { rv = NS_ERROR_NOT_AVAILABLE; goto loser; }
if (cert == NULL) {
goto loser;
}

View File

@ -55,6 +55,7 @@
#include "nsIAssociatedContentSecurity.h"
#include "nsXPIDLString.h"
#include "nsNSSShutDown.h"
#include "nsIClientAuthDialogs.h"
#include "nsAutoPtr.h"
#include "nsNSSCertificate.h"
@ -132,6 +133,7 @@ class nsNSSSocketInfo : public nsITransportSecurityInfo,
public nsIAssociatedContentSecurity,
public nsISerializable,
public nsIClassInfo,
public nsIClientAuthUserDecision,
public nsNSSShutDownObject,
public nsOnPK11LogoutCancelObject
{
@ -148,6 +150,7 @@ public:
NS_DECL_NSIASSOCIATEDCONTENTSECURITY
NS_DECL_NSISERIALIZABLE
NS_DECL_NSICLASSINFO
NS_DECL_NSICLIENTAUTHUSERDECISION
nsresult SetSecurityState(PRUint32 aState);
nsresult SetShortSecurityDescription(const PRUnichar *aText);
@ -220,6 +223,7 @@ protected:
PRPackedBool mHasCleartextPhase;
PRPackedBool mHandshakeInProgress;
PRPackedBool mAllowTLSIntoleranceTimeout;
PRPackedBool mRememberClientAuthCertificate;
PRIntervalTime mHandshakeStartTime;
PRInt32 mPort;
nsXPIDLCString mHostName;