diff --git a/chrome/app/policy/policy_templates.json b/chrome/app/policy/policy_templates.json index 657e0fa9654..fc4d10e83aa 100644 --- a/chrome/app/policy/policy_templates.json +++ b/chrome/app/policy/policy_templates.json @@ -2221,10 +2221,10 @@ 'future': True, 'example_value': True, 'id': 114, - 'caption': '''Enable TLS origin-bound certificates extension''', - 'desc': '''Specifies whether the TLS origin-bound certificates extension should be enabled. + 'caption': '''Enable TLS domain-bound certificates extension''', + 'desc': '''Specifies whether the TLS domain-bound certificates extension should be enabled. - This setting is used to enable the TLS origin-bound certificates extension for testing. This experimental setting will be removed in the future.''', + This setting is used to enable the TLS domain-bound certificates extension for testing. This experimental setting will be removed in the future.''', }, { 'name': 'EnableMemoryInfo', diff --git a/chrome/browser/browsing_data_remover.cc b/chrome/browser/browsing_data_remover.cc index baaf2583d63..cc9b69ce36b 100644 --- a/chrome/browser/browsing_data_remover.cc +++ b/chrome/browser/browsing_data_remover.cc @@ -104,7 +104,7 @@ BrowsingDataRemover::BrowsingDataRemover(Profile* profile, waiting_for_clear_cookies_count_(0), waiting_for_clear_history_(false), waiting_for_clear_networking_history_(false), - waiting_for_clear_origin_bound_certs_(false), + waiting_for_clear_server_bound_certs_(false), waiting_for_clear_plugin_data_(false), waiting_for_clear_quota_managed_data_(false), remove_mask_(0), @@ -129,7 +129,7 @@ BrowsingDataRemover::BrowsingDataRemover(Profile* profile, waiting_for_clear_cookies_count_(0), waiting_for_clear_history_(false), waiting_for_clear_networking_history_(false), - waiting_for_clear_origin_bound_certs_(false), + waiting_for_clear_server_bound_certs_(false), waiting_for_clear_plugin_data_(false), waiting_for_clear_quota_managed_data_(false), remove_mask_(0), @@ -288,16 +288,16 @@ void BrowsingDataRemover::RemoveImpl(int remove_mask, #endif } - if (remove_mask & REMOVE_ORIGIN_BOUND_CERTS) { + if (remove_mask & REMOVE_SERVER_BOUND_CERTS) { content::RecordAction( - UserMetricsAction("ClearBrowsingData_OriginBoundCerts")); + UserMetricsAction("ClearBrowsingData_ServerBoundCerts")); // Since we are running on the UI thread don't call GetURLRequestContext(). net::URLRequestContextGetter* rq_context = profile_->GetRequestContext(); if (rq_context) { - waiting_for_clear_origin_bound_certs_ = true; + waiting_for_clear_server_bound_certs_ = true; BrowserThread::PostTask( BrowserThread::IO, FROM_HERE, - base::Bind(&BrowsingDataRemover::ClearOriginBoundCertsOnIOThread, + base::Bind(&BrowsingDataRemover::ClearServerBoundCertsOnIOThread, base::Unretained(this), base::Unretained(rq_context))); } } @@ -692,21 +692,21 @@ void BrowsingDataRemover::ClearCookiesOnIOThread( base::Unretained(this))); } -void BrowsingDataRemover::ClearOriginBoundCertsOnIOThread( +void BrowsingDataRemover::ClearServerBoundCertsOnIOThread( net::URLRequestContextGetter* rq_context) { DCHECK(BrowserThread::CurrentlyOn(BrowserThread::IO)); - net::OriginBoundCertService* origin_bound_cert_service = - rq_context->GetURLRequestContext()->origin_bound_cert_service(); - origin_bound_cert_service->GetCertStore()->DeleteAllCreatedBetween( + net::ServerBoundCertService* server_bound_cert_service = + rq_context->GetURLRequestContext()->server_bound_cert_service(); + server_bound_cert_service->GetCertStore()->DeleteAllCreatedBetween( delete_begin_, delete_end_); BrowserThread::PostTask( BrowserThread::UI, FROM_HERE, - base::Bind(&BrowsingDataRemover::OnClearedOriginBoundCerts, + base::Bind(&BrowsingDataRemover::OnClearedServerBoundCerts, base::Unretained(this))); } -void BrowsingDataRemover::OnClearedOriginBoundCerts() { +void BrowsingDataRemover::OnClearedServerBoundCerts() { DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI)); - waiting_for_clear_origin_bound_certs_ = false; + waiting_for_clear_server_bound_certs_ = false; NotifyAndDeleteIfDone(); } diff --git a/chrome/browser/browsing_data_remover.h b/chrome/browser/browsing_data_remover.h index d47462438a5..c34db65ade7 100644 --- a/chrome/browser/browsing_data_remover.h +++ b/chrome/browser/browsing_data_remover.h @@ -72,14 +72,14 @@ class BrowsingDataRemover : public content::NotificationObserver, REMOVE_PLUGIN_DATA = 1 << 9, REMOVE_PASSWORDS = 1 << 10, REMOVE_WEBSQL = 1 << 11, - REMOVE_ORIGIN_BOUND_CERTS = 1 << 12, + REMOVE_SERVER_BOUND_CERTS = 1 << 12, // "Site data" includes cookies, appcache, file systems, indexedDBs, local // storage, webSQL, and plugin data. REMOVE_SITE_DATA = REMOVE_APPCACHE | REMOVE_COOKIES | REMOVE_FILE_SYSTEMS | REMOVE_INDEXEDDB | REMOVE_LOCAL_STORAGE | REMOVE_PLUGIN_DATA | REMOVE_WEBSQL | - REMOVE_ORIGIN_BOUND_CERTS + REMOVE_SERVER_BOUND_CERTS }; // When BrowsingDataRemover successfully removes data, a notification of type @@ -235,13 +235,13 @@ class BrowsingDataRemover : public content::NotificationObserver, // Invoked on the IO thread to delete cookies. void ClearCookiesOnIOThread(net::URLRequestContextGetter* rq_context); - // Invoked on the IO thread to delete origin bound certs. - void ClearOriginBoundCertsOnIOThread( + // Invoked on the IO thread to delete server bound certs. + void ClearServerBoundCertsOnIOThread( net::URLRequestContextGetter* rq_context); - // Callback when origin bound certs have been deleted. Invokes + // Callback when server bound certs have been deleted. Invokes // NotifyAndDeleteIfDone. - void OnClearedOriginBoundCerts(); + void OnClearedServerBoundCerts(); // Calculate the begin time for the deletion range specified by |time_period|. base::Time CalculateBeginDeleteTime(TimePeriod time_period); @@ -252,7 +252,7 @@ class BrowsingDataRemover : public content::NotificationObserver, !waiting_for_clear_cookies_count_&& !waiting_for_clear_history_ && !waiting_for_clear_networking_history_ && - !waiting_for_clear_origin_bound_certs_ && + !waiting_for_clear_server_bound_certs_ && !waiting_for_clear_plugin_data_ && !waiting_for_clear_quota_managed_data_; } @@ -300,7 +300,7 @@ class BrowsingDataRemover : public content::NotificationObserver, int waiting_for_clear_cookies_count_; bool waiting_for_clear_history_; bool waiting_for_clear_networking_history_; - bool waiting_for_clear_origin_bound_certs_; + bool waiting_for_clear_server_bound_certs_; bool waiting_for_clear_plugin_data_; bool waiting_for_clear_quota_managed_data_; diff --git a/chrome/browser/browsing_data_remover_unittest.cc b/chrome/browser/browsing_data_remover_unittest.cc index 65269cce894..f9f6495a9ac 100644 --- a/chrome/browser/browsing_data_remover_unittest.cc +++ b/chrome/browser/browsing_data_remover_unittest.cc @@ -196,49 +196,49 @@ class RemoveSafeBrowsingCookieTester : public RemoveCookieTester { }; #endif -class RemoveOriginBoundCertTester : public BrowsingDataRemoverTester { +class RemoveServerBoundCertTester : public BrowsingDataRemoverTester { public: - explicit RemoveOriginBoundCertTester(TestingProfile* profile) { + explicit RemoveServerBoundCertTester(TestingProfile* profile) { profile->CreateRequestContext(); - ob_cert_service_ = profile->GetRequestContext()->GetURLRequestContext()-> - origin_bound_cert_service(); + server_bound_cert_service_ = profile->GetRequestContext()-> + GetURLRequestContext()->server_bound_cert_service(); } - int OriginBoundCertCount() { - return ob_cert_service_->cert_count(); + int ServerBoundCertCount() { + return server_bound_cert_service_->cert_count(); } - // Add an origin bound cert for |origin| with specific creation and expiry + // Add a server bound cert for |server| with specific creation and expiry // times. The cert and key data will be filled with dummy values. - void AddOriginBoundCertWithTimes(const std::string& origin, + void AddServerBoundCertWithTimes(const std::string& server_identifier, base::Time creation_time, base::Time expiration_time) { - GetCertStore()->SetOriginBoundCert(origin, net::CLIENT_CERT_RSA_SIGN, - creation_time, expiration_time, - "a", "b"); + GetCertStore()->SetServerBoundCert(server_identifier, + net::CLIENT_CERT_RSA_SIGN, creation_time, + expiration_time, "a", "b"); } - // Add an origin bound cert for |origin|, with the current time as the + // Add a server bound cert for |server|, with the current time as the // creation time. The cert and key data will be filled with dummy values. - void AddOriginBoundCert(const std::string& origin) { + void AddServerBoundCert(const std::string& server_identifier) { base::Time now = base::Time::Now(); - AddOriginBoundCertWithTimes(origin, + AddServerBoundCertWithTimes(server_identifier, now, now + base::TimeDelta::FromDays(1)); } - net::OriginBoundCertStore* GetCertStore() { - return ob_cert_service_->GetCertStore(); + net::ServerBoundCertStore* GetCertStore() { + return server_bound_cert_service_->GetCertStore(); } private: - net::OriginBoundCertService* ob_cert_service_; + net::ServerBoundCertService* server_bound_cert_service_; net::SSLClientCertType type_; std::string key_; std::string cert_; - DISALLOW_COPY_AND_ASSIGN(RemoveOriginBoundCertTester); + DISALLOW_COPY_AND_ASSIGN(RemoveServerBoundCertTester); }; class RemoveHistoryTester : public BrowsingDataRemoverTester { @@ -511,39 +511,39 @@ TEST_F(BrowsingDataRemoverTest, RemoveSafeBrowsingCookieLastHour) { } #endif -TEST_F(BrowsingDataRemoverTest, RemoveOriginBoundCertForever) { - scoped_ptr tester( - new RemoveOriginBoundCertTester(GetProfile())); +TEST_F(BrowsingDataRemoverTest, RemoveServerBoundCertForever) { + scoped_ptr tester( + new RemoveServerBoundCertTester(GetProfile())); - tester->AddOriginBoundCert(kTestkOrigin1); - EXPECT_EQ(1, tester->OriginBoundCertCount()); + tester->AddServerBoundCert(kTestkOrigin1); + EXPECT_EQ(1, tester->ServerBoundCertCount()); BlockUntilBrowsingDataRemoved(BrowsingDataRemover::EVERYTHING, - BrowsingDataRemover::REMOVE_ORIGIN_BOUND_CERTS, tester.get()); + BrowsingDataRemover::REMOVE_SERVER_BOUND_CERTS, tester.get()); - EXPECT_EQ(BrowsingDataRemover::REMOVE_ORIGIN_BOUND_CERTS, GetRemovalMask()); - EXPECT_EQ(0, tester->OriginBoundCertCount()); + EXPECT_EQ(BrowsingDataRemover::REMOVE_SERVER_BOUND_CERTS, GetRemovalMask()); + EXPECT_EQ(0, tester->ServerBoundCertCount()); } -TEST_F(BrowsingDataRemoverTest, RemoveOriginBoundCertLastHour) { - scoped_ptr tester( - new RemoveOriginBoundCertTester(GetProfile())); +TEST_F(BrowsingDataRemoverTest, RemoveServerBoundCertLastHour) { + scoped_ptr tester( + new RemoveServerBoundCertTester(GetProfile())); base::Time now = base::Time::Now(); - tester->AddOriginBoundCert(kTestkOrigin1); - tester->AddOriginBoundCertWithTimes(kTestkOrigin2, + tester->AddServerBoundCert(kTestkOrigin1); + tester->AddServerBoundCertWithTimes(kTestkOrigin2, now - base::TimeDelta::FromHours(2), now); - EXPECT_EQ(2, tester->OriginBoundCertCount()); + EXPECT_EQ(2, tester->ServerBoundCertCount()); BlockUntilBrowsingDataRemoved(BrowsingDataRemover::LAST_HOUR, - BrowsingDataRemover::REMOVE_ORIGIN_BOUND_CERTS, tester.get()); + BrowsingDataRemover::REMOVE_SERVER_BOUND_CERTS, tester.get()); - EXPECT_EQ(BrowsingDataRemover::REMOVE_ORIGIN_BOUND_CERTS, GetRemovalMask()); - EXPECT_EQ(1, tester->OriginBoundCertCount()); - std::vector certs; - tester->GetCertStore()->GetAllOriginBoundCerts(&certs); - EXPECT_EQ(kTestkOrigin2, certs[0].origin()); + EXPECT_EQ(BrowsingDataRemover::REMOVE_SERVER_BOUND_CERTS, GetRemovalMask()); + EXPECT_EQ(1, tester->ServerBoundCertCount()); + std::vector certs; + tester->GetCertStore()->GetAllServerBoundCerts(&certs); + EXPECT_EQ(kTestkOrigin2, certs[0].server_identifier()); } TEST_F(BrowsingDataRemoverTest, RemoveHistoryForever) { diff --git a/chrome/browser/extensions/api/browsing_data/browsing_data_api.cc b/chrome/browser/extensions/api/browsing_data/browsing_data_api.cc index 6dd4d7b8696..b3f47c3aca0 100644 --- a/chrome/browser/extensions/api/browsing_data/browsing_data_api.cc +++ b/chrome/browser/extensions/api/browsing_data/browsing_data_api.cc @@ -34,7 +34,7 @@ const char kFormDataKey[] = "formData"; const char kHistoryKey[] = "history"; const char kIndexedDBKey[] = "indexedDB"; const char kLocalStorageKey[] = "localStorage"; -const char kOriginBoundCertsKey[] = "originBoundCerts"; +const char kServerBoundCertsKey[] = "serverBoundCerts"; const char kPasswordsKey[] = "passwords"; const char kPluginDataKey[] = "pluginData"; const char kWebSQLKey[] = "webSQL"; @@ -89,8 +89,8 @@ int ParseRemovalMask(base::DictionaryValue* value) { extension_browsing_data_api_constants::kLocalStorageKey)) GetRemovalMask |= BrowsingDataRemover::REMOVE_LOCAL_STORAGE; if (RemoveType(value, - extension_browsing_data_api_constants::kOriginBoundCertsKey)) - GetRemovalMask |= BrowsingDataRemover::REMOVE_ORIGIN_BOUND_CERTS; + extension_browsing_data_api_constants::kServerBoundCertsKey)) + GetRemovalMask |= BrowsingDataRemover::REMOVE_SERVER_BOUND_CERTS; if (RemoveType(value, extension_browsing_data_api_constants::kPasswordsKey)) GetRemovalMask |= BrowsingDataRemover::REMOVE_PASSWORDS; if (RemoveType(value, extension_browsing_data_api_constants::kPluginDataKey)) @@ -224,8 +224,8 @@ int RemoveLocalStorageFunction::GetRemovalMask() const { return BrowsingDataRemover::REMOVE_LOCAL_STORAGE; } -int RemoveOriginBoundCertsFunction::GetRemovalMask() const { - return BrowsingDataRemover::REMOVE_ORIGIN_BOUND_CERTS; +int RemoveServerBoundCertsFunction::GetRemovalMask() const { + return BrowsingDataRemover::REMOVE_SERVER_BOUND_CERTS; } int RemovePluginDataFunction::GetRemovalMask() const { diff --git a/chrome/browser/extensions/api/browsing_data/browsing_data_api.h b/chrome/browser/extensions/api/browsing_data/browsing_data_api.h index feaf1a713b7..eddc9a27da3 100644 --- a/chrome/browser/extensions/api/browsing_data/browsing_data_api.h +++ b/chrome/browser/extensions/api/browsing_data/browsing_data_api.h @@ -195,16 +195,16 @@ class RemoveLocalStorageFunction : public BrowsingDataExtensionFunction { DECLARE_EXTENSION_FUNCTION_NAME("browsingData.removeLocalStorage") }; -class RemoveOriginBoundCertsFunction : public BrowsingDataExtensionFunction { +class RemoveServerBoundCertsFunction : public BrowsingDataExtensionFunction { public: - RemoveOriginBoundCertsFunction() {} - virtual ~RemoveOriginBoundCertsFunction() {} + RemoveServerBoundCertsFunction() {} + virtual ~RemoveServerBoundCertsFunction() {} protected: // BrowsingDataTypeExtensionFunction interface method. virtual int GetRemovalMask() const OVERRIDE; - DECLARE_EXTENSION_FUNCTION_NAME("browsingData.removeOriginBoundCertificates") + DECLARE_EXTENSION_FUNCTION_NAME("browsingData.removeServerBoundCertificates") }; class RemovePluginDataFunction : public BrowsingDataExtensionFunction { diff --git a/chrome/browser/extensions/api/browsing_data/browsing_data_test.cc b/chrome/browser/extensions/api/browsing_data/browsing_data_test.cc index c33c438eb2c..cd1259d8556 100644 --- a/chrome/browser/extensions/api/browsing_data/browsing_data_test.cc +++ b/chrome/browser/extensions/api/browsing_data/browsing_data_test.cc @@ -28,7 +28,7 @@ const char kRemoveEverythingArguments[] = "[{\"since\": 1000}, {" "\"appcache\": true, \"cache\": true, \"cookies\": true, " "\"downloads\": true, \"fileSystems\": true, \"formData\": true, " "\"history\": true, \"indexedDB\": true, \"localStorage\": true, " - "\"originBoundCerts\": true, \"passwords\": true, \"pluginData\": true, " + "\"serverBoundCerts\": true, \"passwords\": true, \"pluginData\": true, " "\"webSQL\": true" "}]"; @@ -131,7 +131,7 @@ IN_PROC_BROWSER_TEST_F(ExtensionBrowsingDataTest, RemoveBrowsingDataMask) { RunRemoveBrowsingDataFunctionAndCompareMask( "localStorage", BrowsingDataRemover::REMOVE_LOCAL_STORAGE); RunRemoveBrowsingDataFunctionAndCompareMask( - "originBoundCerts", BrowsingDataRemover::REMOVE_ORIGIN_BOUND_CERTS); + "serverBoundCerts", BrowsingDataRemover::REMOVE_SERVER_BOUND_CERTS); RunRemoveBrowsingDataFunctionAndCompareMask( "passwords", BrowsingDataRemover::REMOVE_PASSWORDS); // We can't remove plugin data inside a test profile. diff --git a/chrome/browser/extensions/extension_function_registry.cc b/chrome/browser/extensions/extension_function_registry.cc index 99d525cfeb5..ffcbe0451ff 100644 --- a/chrome/browser/extensions/extension_function_registry.cc +++ b/chrome/browser/extensions/extension_function_registry.cc @@ -141,7 +141,7 @@ void ExtensionFunctionRegistry::ResetFunctions() { RegisterFunction(); RegisterFunction(); RegisterFunction(); - RegisterFunction(); + RegisterFunction(); RegisterFunction(); RegisterFunction(); RegisterFunction(); diff --git a/chrome/browser/io_thread.cc b/chrome/browser/io_thread.cc index c4d0da5b6ec..9d5dd5fe71a 100644 --- a/chrome/browser/io_thread.cc +++ b/chrome/browser/io_thread.cc @@ -212,8 +212,8 @@ ConstructProxyScriptFetcherContext(IOThread::Globals* globals, context->set_ftp_transaction_factory( globals->proxy_script_fetcher_ftp_transaction_factory.get()); context->set_cookie_store(globals->system_cookie_store.get()); - context->set_origin_bound_cert_service( - globals->system_origin_bound_cert_service.get()); + context->set_server_bound_cert_service( + globals->system_server_bound_cert_service.get()); context->set_network_delegate(globals->system_network_delegate.get()); // TODO(rtenneti): We should probably use HttpServerPropertiesManager for the // system URLRequestContext too. There's no reason this should be tied to a @@ -239,8 +239,8 @@ ConstructSystemRequestContext(IOThread::Globals* globals, context->set_ftp_transaction_factory( globals->system_ftp_transaction_factory.get()); context->set_cookie_store(globals->system_cookie_store.get()); - context->set_origin_bound_cert_service( - globals->system_origin_bound_cert_service.get()); + context->set_server_bound_cert_service( + globals->system_server_bound_cert_service.get()); return context; } @@ -404,15 +404,15 @@ void IOThread::Init() { net::ProxyService::CreateDirectWithNetLog(net_log_)); // In-memory cookie store. globals_->system_cookie_store = new net::CookieMonster(NULL, NULL); - // In-memory origin-bound cert store. - globals_->system_origin_bound_cert_service.reset( - new net::OriginBoundCertService( - new net::DefaultOriginBoundCertStore(NULL))); + // In-memory server bound cert store. + globals_->system_server_bound_cert_service.reset( + new net::ServerBoundCertService( + new net::DefaultServerBoundCertStore(NULL))); net::HttpNetworkSession::Params session_params; session_params.host_resolver = globals_->host_resolver.get(); session_params.cert_verifier = globals_->cert_verifier.get(); - session_params.origin_bound_cert_service = - globals_->system_origin_bound_cert_service.get(); + session_params.server_bound_cert_service = + globals_->system_server_bound_cert_service.get(); session_params.transport_security_state = globals_->transport_security_state.get(); session_params.proxy_service = @@ -586,8 +586,8 @@ void IOThread::InitSystemRequestContextOnIOThread() { net::HttpNetworkSession::Params system_params; system_params.host_resolver = globals_->host_resolver.get(); system_params.cert_verifier = globals_->cert_verifier.get(); - system_params.origin_bound_cert_service = - globals_->system_origin_bound_cert_service.get(); + system_params.server_bound_cert_service = + globals_->system_server_bound_cert_service.get(); system_params.transport_security_state = globals_->transport_security_state.get(); system_params.ssl_host_info_factory = NULL; diff --git a/chrome/browser/io_thread.h b/chrome/browser/io_thread.h index 3e3bbddf172..d651faaba7f 100644 --- a/chrome/browser/io_thread.h +++ b/chrome/browser/io_thread.h @@ -35,7 +35,7 @@ class HttpAuthHandlerFactory; class HttpServerProperties; class HttpTransactionFactory; class NetworkDelegate; -class OriginBoundCertService; +class ServerBoundCertService; class ProxyConfigService; class ProxyService; class SdchManager; @@ -93,10 +93,10 @@ class IOThread : public content::BrowserThreadDelegate { scoped_ptr system_http_transaction_factory; scoped_ptr system_ftp_transaction_factory; scoped_refptr system_request_context; - // |system_cookie_store| and |system_origin_bound_cert_service| are shared + // |system_cookie_store| and |system_server_bound_cert_service| are shared // between |proxy_script_fetcher_context| and |system_request_context|. scoped_refptr system_cookie_store; - scoped_ptr system_origin_bound_cert_service; + scoped_ptr system_server_bound_cert_service; scoped_refptr extension_event_router_forwarder; }; diff --git a/chrome/browser/net/sqlite_origin_bound_cert_store.cc b/chrome/browser/net/sqlite_origin_bound_cert_store.cc index 24e9f54ee60..f5350e5d5ea 100644 --- a/chrome/browser/net/sqlite_origin_bound_cert_store.cc +++ b/chrome/browser/net/sqlite_origin_bound_cert_store.cc @@ -27,8 +27,8 @@ using content::BrowserThread; // This class is designed to be shared between any calling threads and the // database thread. It batches operations and commits them on a timer. -class SQLiteOriginBoundCertStore::Backend - : public base::RefCountedThreadSafe { +class SQLiteServerBoundCertStore::Backend + : public base::RefCountedThreadSafe { public: explicit Backend(const FilePath& path) : path_(path), @@ -39,15 +39,15 @@ class SQLiteOriginBoundCertStore::Backend // Creates or load the SQLite database. bool Load( - std::vector* certs); + std::vector* certs); - // Batch an origin bound cert addition. - void AddOriginBoundCert( - const net::DefaultOriginBoundCertStore::OriginBoundCert& cert); + // Batch a server bound cert addition. + void AddServerBoundCert( + const net::DefaultServerBoundCertStore::ServerBoundCert& cert); - // Batch an origin bound cert deletion. - void DeleteOriginBoundCert( - const net::DefaultOriginBoundCertStore::OriginBoundCert& cert); + // Batch a server bound cert deletion. + void DeleteServerBoundCert( + const net::DefaultServerBoundCertStore::ServerBoundCert& cert); // Commit pending operations as soon as possible. void Flush(const base::Closure& completion_task); @@ -59,7 +59,7 @@ class SQLiteOriginBoundCertStore::Backend void SetClearLocalStateOnExit(bool clear_local_state); private: - friend class base::RefCountedThreadSafe; + friend class base::RefCountedThreadSafe; // You should call Close() before destructing this object. ~Backend() { @@ -79,24 +79,24 @@ class SQLiteOriginBoundCertStore::Backend PendingOperation( OperationType op, - const net::DefaultOriginBoundCertStore::OriginBoundCert& cert) + const net::DefaultServerBoundCertStore::ServerBoundCert& cert) : op_(op), cert_(cert) {} OperationType op() const { return op_; } - const net::DefaultOriginBoundCertStore::OriginBoundCert& cert() const { + const net::DefaultServerBoundCertStore::ServerBoundCert& cert() const { return cert_; } private: OperationType op_; - net::DefaultOriginBoundCertStore::OriginBoundCert cert_; + net::DefaultServerBoundCertStore::ServerBoundCert cert_; }; private: - // Batch an origin bound cert operation (add or delete) + // Batch a server bound cert operation (add or delete) void BatchOperation( PendingOperation::OperationType op, - const net::DefaultOriginBoundCertStore::OriginBoundCert& cert); + const net::DefaultServerBoundCertStore::ServerBoundCert& cert); // Commit our pending operations to the database. void Commit(); // Close() executed on the background thread. @@ -125,6 +125,9 @@ namespace { // Initializes the certs table, returning true on success. bool InitTable(sql::Connection* db) { + // The table is named "origin_bound_certs" for backwards compatability before + // we renamed this class to SQLiteServerBoundCertStore. Likewise, the primary + // key is "origin", but now can be other things like a plain domain. if (!db->DoesTableExist("origin_bound_certs")) { if (!db->Execute("CREATE TABLE origin_bound_certs (" "origin TEXT NOT NULL UNIQUE PRIMARY KEY," @@ -141,8 +144,8 @@ bool InitTable(sql::Connection* db) { } // namespace -bool SQLiteOriginBoundCertStore::Backend::Load( - std::vector* certs) { +bool SQLiteServerBoundCertStore::Backend::Load( + std::vector* certs) { // This function should be called only once per instance. DCHECK(!db_.get()); @@ -185,8 +188,8 @@ bool SQLiteOriginBoundCertStore::Backend::Load( std::string private_key_from_db, cert_from_db; smt.ColumnBlobAsString(1, &private_key_from_db); smt.ColumnBlobAsString(2, &cert_from_db); - scoped_ptr cert( - new net::DefaultOriginBoundCertStore::OriginBoundCert( + scoped_ptr cert( + new net::DefaultServerBoundCertStore::ServerBoundCert( smt.ColumnString(0), // origin static_cast(smt.ColumnInt(3)), base::Time::FromInternalValue(smt.ColumnInt64(5)), @@ -199,7 +202,7 @@ bool SQLiteOriginBoundCertStore::Backend::Load( return true; } -bool SQLiteOriginBoundCertStore::Backend::EnsureDatabaseVersion() { +bool SQLiteServerBoundCertStore::Backend::EnsureDatabaseVersion() { // Version check. if (!meta_table_.Init( db_.get(), kCurrentVersionNumber, kCompatibleVersionNumber)) { @@ -207,7 +210,7 @@ bool SQLiteOriginBoundCertStore::Backend::EnsureDatabaseVersion() { } if (meta_table_.GetCompatibleVersionNumber() > kCurrentVersionNumber) { - LOG(WARNING) << "Origin bound cert database is too new."; + LOG(WARNING) << "Server bound cert database is too new."; return false; } @@ -218,13 +221,13 @@ bool SQLiteOriginBoundCertStore::Backend::EnsureDatabaseVersion() { return false; if (!db_->Execute("ALTER TABLE origin_bound_certs ADD COLUMN cert_type " "INTEGER")) { - LOG(WARNING) << "Unable to update origin bound cert database to " + LOG(WARNING) << "Unable to update server bound cert database to " << "version 2."; return false; } // All certs in version 1 database are rsa_sign, which has a value of 1. if (!db_->Execute("UPDATE origin_bound_certs SET cert_type = 1")) { - LOG(WARNING) << "Unable to update origin bound cert database to " + LOG(WARNING) << "Unable to update server bound cert database to " << "version 2."; return false; } @@ -243,7 +246,7 @@ bool SQLiteOriginBoundCertStore::Backend::EnsureDatabaseVersion() { if (cur_version == 2) { if (!db_->Execute("ALTER TABLE origin_bound_certs ADD COLUMN " "expiration_time INTEGER")) { - LOG(WARNING) << "Unable to update origin bound cert database to " + LOG(WARNING) << "Unable to update server bound cert database to " << "version 4."; return false; } @@ -251,7 +254,7 @@ bool SQLiteOriginBoundCertStore::Backend::EnsureDatabaseVersion() { if (!db_->Execute("ALTER TABLE origin_bound_certs ADD COLUMN " "creation_time INTEGER")) { - LOG(WARNING) << "Unable to update origin bound cert database to " + LOG(WARNING) << "Unable to update server bound cert database to " << "version 4."; return false; } @@ -265,7 +268,7 @@ bool SQLiteOriginBoundCertStore::Backend::EnsureDatabaseVersion() { if (!smt.is_valid() || !update_expires_smt.is_valid() || !update_creation_smt.is_valid()) { - LOG(WARNING) << "Unable to update origin bound cert database to " + LOG(WARNING) << "Unable to update server bound cert database to " << "version 4."; return false; } @@ -285,7 +288,7 @@ bool SQLiteOriginBoundCertStore::Backend::EnsureDatabaseVersion() { cert->valid_expiry().ToInternalValue()); update_expires_smt.BindString(1, origin); if (!update_expires_smt.Run()) { - LOG(WARNING) << "Unable to update origin bound cert database to " + LOG(WARNING) << "Unable to update server bound cert database to " << "version 4."; return false; } @@ -295,7 +298,7 @@ bool SQLiteOriginBoundCertStore::Backend::EnsureDatabaseVersion() { update_creation_smt.BindInt64(0, cert->valid_start().ToInternalValue()); update_creation_smt.BindString(1, origin); if (!update_creation_smt.Run()) { - LOG(WARNING) << "Unable to update origin bound cert database to " + LOG(WARNING) << "Unable to update server bound cert database to " << "version 4."; return false; } @@ -319,25 +322,25 @@ bool SQLiteOriginBoundCertStore::Backend::EnsureDatabaseVersion() { // When the version is too old, we just try to continue anyway, there should // not be a released product that makes a database too old for us to handle. LOG_IF(WARNING, cur_version < kCurrentVersionNumber) << - "Origin bound cert database version " << cur_version << + "Server bound cert database version " << cur_version << " is too old to handle."; return true; } -void SQLiteOriginBoundCertStore::Backend::AddOriginBoundCert( - const net::DefaultOriginBoundCertStore::OriginBoundCert& cert) { +void SQLiteServerBoundCertStore::Backend::AddServerBoundCert( + const net::DefaultServerBoundCertStore::ServerBoundCert& cert) { BatchOperation(PendingOperation::CERT_ADD, cert); } -void SQLiteOriginBoundCertStore::Backend::DeleteOriginBoundCert( - const net::DefaultOriginBoundCertStore::OriginBoundCert& cert) { +void SQLiteServerBoundCertStore::Backend::DeleteServerBoundCert( + const net::DefaultServerBoundCertStore::ServerBoundCert& cert) { BatchOperation(PendingOperation::CERT_DELETE, cert); } -void SQLiteOriginBoundCertStore::Backend::BatchOperation( +void SQLiteServerBoundCertStore::Backend::BatchOperation( PendingOperation::OperationType op, - const net::DefaultOriginBoundCertStore::OriginBoundCert& cert) { + const net::DefaultServerBoundCertStore::ServerBoundCert& cert) { // Commit every 30 seconds. static const int kCommitIntervalMs = 30 * 1000; // Commit right away if we have more than 512 outstanding operations. @@ -368,7 +371,7 @@ void SQLiteOriginBoundCertStore::Backend::BatchOperation( } } -void SQLiteOriginBoundCertStore::Backend::Commit() { +void SQLiteServerBoundCertStore::Backend::Commit() { DCHECK(BrowserThread::CurrentlyOn(BrowserThread::DB)); PendingOperationsList ops; @@ -404,7 +407,7 @@ void SQLiteOriginBoundCertStore::Backend::Commit() { switch (po->op()) { case PendingOperation::CERT_ADD: { add_smt.Reset(); - add_smt.BindString(0, po->cert().origin()); + add_smt.BindString(0, po->cert().server_identifier()); const std::string& private_key = po->cert().private_key(); add_smt.BindBlob(1, private_key.data(), private_key.size()); const std::string& cert = po->cert().cert(); @@ -413,14 +416,14 @@ void SQLiteOriginBoundCertStore::Backend::Commit() { add_smt.BindInt64(4, po->cert().expiration_time().ToInternalValue()); add_smt.BindInt64(5, po->cert().creation_time().ToInternalValue()); if (!add_smt.Run()) - NOTREACHED() << "Could not add an origin bound cert to the DB."; + NOTREACHED() << "Could not add a server bound cert to the DB."; break; } case PendingOperation::CERT_DELETE: del_smt.Reset(); - del_smt.BindString(0, po->cert().origin()); + del_smt.BindString(0, po->cert().server_identifier()); if (!del_smt.Run()) - NOTREACHED() << "Could not delete an origin bound cert from the DB."; + NOTREACHED() << "Could not delete a server bound cert from the DB."; break; default: @@ -431,7 +434,7 @@ void SQLiteOriginBoundCertStore::Backend::Commit() { transaction.Commit(); } -void SQLiteOriginBoundCertStore::Backend::Flush( +void SQLiteServerBoundCertStore::Backend::Flush( const base::Closure& completion_task) { DCHECK(!BrowserThread::CurrentlyOn(BrowserThread::DB)); BrowserThread::PostTask( @@ -447,7 +450,7 @@ void SQLiteOriginBoundCertStore::Backend::Flush( // Fire off a close message to the background thread. We could still have a // pending commit timer that will be holding a reference on us, but if/when // this fires we will already have been cleaned up and it will be ignored. -void SQLiteOriginBoundCertStore::Backend::Close() { +void SQLiteServerBoundCertStore::Backend::Close() { DCHECK(!BrowserThread::CurrentlyOn(BrowserThread::DB)); // Must close the backend on the background thread. BrowserThread::PostTask( @@ -455,7 +458,7 @@ void SQLiteOriginBoundCertStore::Backend::Close() { base::Bind(&Backend::InternalBackgroundClose, this)); } -void SQLiteOriginBoundCertStore::Backend::InternalBackgroundClose() { +void SQLiteServerBoundCertStore::Backend::InternalBackgroundClose() { DCHECK(BrowserThread::CurrentlyOn(BrowserThread::DB)); // Commit any pending operations Commit(); @@ -466,17 +469,17 @@ void SQLiteOriginBoundCertStore::Backend::InternalBackgroundClose() { file_util::Delete(path_, false); } -void SQLiteOriginBoundCertStore::Backend::SetClearLocalStateOnExit( +void SQLiteServerBoundCertStore::Backend::SetClearLocalStateOnExit( bool clear_local_state) { base::AutoLock locked(lock_); clear_local_state_on_exit_ = clear_local_state; } -SQLiteOriginBoundCertStore::SQLiteOriginBoundCertStore(const FilePath& path) +SQLiteServerBoundCertStore::SQLiteServerBoundCertStore(const FilePath& path) : backend_(new Backend(path)) { } -SQLiteOriginBoundCertStore::~SQLiteOriginBoundCertStore() { +SQLiteServerBoundCertStore::~SQLiteServerBoundCertStore() { if (backend_.get()) { backend_->Close(); // Release our reference, it will probably still have a reference if the @@ -485,30 +488,30 @@ SQLiteOriginBoundCertStore::~SQLiteOriginBoundCertStore() { } } -bool SQLiteOriginBoundCertStore::Load( - std::vector* certs) { +bool SQLiteServerBoundCertStore::Load( + std::vector* certs) { return backend_->Load(certs); } -void SQLiteOriginBoundCertStore::AddOriginBoundCert( - const net::DefaultOriginBoundCertStore::OriginBoundCert& cert) { +void SQLiteServerBoundCertStore::AddServerBoundCert( + const net::DefaultServerBoundCertStore::ServerBoundCert& cert) { if (backend_.get()) - backend_->AddOriginBoundCert(cert); + backend_->AddServerBoundCert(cert); } -void SQLiteOriginBoundCertStore::DeleteOriginBoundCert( - const net::DefaultOriginBoundCertStore::OriginBoundCert& cert) { +void SQLiteServerBoundCertStore::DeleteServerBoundCert( + const net::DefaultServerBoundCertStore::ServerBoundCert& cert) { if (backend_.get()) - backend_->DeleteOriginBoundCert(cert); + backend_->DeleteServerBoundCert(cert); } -void SQLiteOriginBoundCertStore::SetClearLocalStateOnExit( +void SQLiteServerBoundCertStore::SetClearLocalStateOnExit( bool clear_local_state) { if (backend_.get()) backend_->SetClearLocalStateOnExit(clear_local_state); } -void SQLiteOriginBoundCertStore::Flush(const base::Closure& completion_task) { +void SQLiteServerBoundCertStore::Flush(const base::Closure& completion_task) { if (backend_.get()) backend_->Flush(completion_task); else if (!completion_task.is_null()) diff --git a/chrome/browser/net/sqlite_origin_bound_cert_store.h b/chrome/browser/net/sqlite_origin_bound_cert_store.h index 8ade51e54a9..b013462a64e 100644 --- a/chrome/browser/net/sqlite_origin_bound_cert_store.h +++ b/chrome/browser/net/sqlite_origin_bound_cert_store.h @@ -1,4 +1,4 @@ -// Copyright (c) 2011 The Chromium Authors. All rights reserved. +// Copyright (c) 2012 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -13,24 +13,24 @@ class FilePath; -// Implements the net::DefaultOriginBoundCertStore::PersistentStore interface +// Implements the net::DefaultServerBoundCertStore::PersistentStore interface // in terms of a SQLite database. For documentation about the actual member // functions consult the documentation of the parent class -// |net::DefaultOriginBoundCertStore::PersistentCertStore|. -class SQLiteOriginBoundCertStore - : public net::DefaultOriginBoundCertStore::PersistentStore { +// |net::DefaultServerBoundCertStore::PersistentCertStore|. +class SQLiteServerBoundCertStore + : public net::DefaultServerBoundCertStore::PersistentStore { public: - explicit SQLiteOriginBoundCertStore(const FilePath& path); - virtual ~SQLiteOriginBoundCertStore(); + explicit SQLiteServerBoundCertStore(const FilePath& path); + virtual ~SQLiteServerBoundCertStore(); - // net::DefaultOriginBoundCertStore::PersistentStore implementation. + // net::DefaultServerBoundCertStore::PersistentStore implementation. virtual bool Load( - std::vector* certs) + std::vector* certs) OVERRIDE; - virtual void AddOriginBoundCert( - const net::DefaultOriginBoundCertStore::OriginBoundCert& cert) OVERRIDE; - virtual void DeleteOriginBoundCert( - const net::DefaultOriginBoundCertStore::OriginBoundCert& cert) OVERRIDE; + virtual void AddServerBoundCert( + const net::DefaultServerBoundCertStore::ServerBoundCert& cert) OVERRIDE; + virtual void DeleteServerBoundCert( + const net::DefaultServerBoundCertStore::ServerBoundCert& cert) OVERRIDE; virtual void SetClearLocalStateOnExit(bool clear_local_state) OVERRIDE; virtual void Flush(const base::Closure& completion_task) OVERRIDE; @@ -39,7 +39,7 @@ class SQLiteOriginBoundCertStore scoped_refptr backend_; - DISALLOW_COPY_AND_ASSIGN(SQLiteOriginBoundCertStore); + DISALLOW_COPY_AND_ASSIGN(SQLiteServerBoundCertStore); }; #endif // CHROME_BROWSER_NET_SQLITE_ORIGIN_BOUND_CERT_STORE_H_ diff --git a/chrome/browser/net/sqlite_origin_bound_cert_store_unittest.cc b/chrome/browser/net/sqlite_origin_bound_cert_store_unittest.cc index 208bef1d353..7391c55580a 100644 --- a/chrome/browser/net/sqlite_origin_bound_cert_store_unittest.cc +++ b/chrome/browser/net/sqlite_origin_bound_cert_store_unittest.cc @@ -19,9 +19,9 @@ using content::BrowserThread; -class SQLiteOriginBoundCertStoreTest : public testing::Test { +class SQLiteServerBoundCertStoreTest : public testing::Test { public: - SQLiteOriginBoundCertStoreTest() + SQLiteServerBoundCertStoreTest() : db_thread_(BrowserThread::DB) { } @@ -60,15 +60,15 @@ class SQLiteOriginBoundCertStoreTest : public testing::Test { virtual void SetUp() { db_thread_.Start(); ASSERT_TRUE(temp_dir_.CreateUniqueTempDir()); - store_ = new SQLiteOriginBoundCertStore( + store_ = new SQLiteServerBoundCertStore( temp_dir_.path().Append(chrome::kOBCertFilename)); - ScopedVector certs; + ScopedVector certs; ASSERT_TRUE(store_->Load(&certs.get())); ASSERT_EQ(0u, certs.size()); // Make sure the store gets written at least once. - store_->AddOriginBoundCert( - net::DefaultOriginBoundCertStore::OriginBoundCert( - "https://encrypted.google.com:8443", + store_->AddServerBoundCert( + net::DefaultServerBoundCertStore::ServerBoundCert( + "google.com", net::CLIENT_CERT_RSA_SIGN, base::Time::FromInternalValue(1), base::Time::FromInternalValue(2), @@ -77,10 +77,10 @@ class SQLiteOriginBoundCertStoreTest : public testing::Test { content::TestBrowserThread db_thread_; ScopedTempDir temp_dir_; - scoped_refptr store_; + scoped_refptr store_; }; -TEST_F(SQLiteOriginBoundCertStoreTest, KeepOnDestruction) { +TEST_F(SQLiteServerBoundCertStoreTest, KeepOnDestruction) { store_->SetClearLocalStateOnExit(false); store_ = NULL; // Make sure we wait until the destructor has run. @@ -95,7 +95,7 @@ TEST_F(SQLiteOriginBoundCertStoreTest, KeepOnDestruction) { temp_dir_.path().Append(chrome::kOBCertFilename), false)); } -TEST_F(SQLiteOriginBoundCertStoreTest, RemoveOnDestruction) { +TEST_F(SQLiteServerBoundCertStoreTest, RemoveOnDestruction) { store_->SetClearLocalStateOnExit(true); // Replace the store effectively destroying the current one and forcing it // to write it's data to disk. Then we can see if after loading it again it @@ -112,16 +112,16 @@ TEST_F(SQLiteOriginBoundCertStoreTest, RemoveOnDestruction) { } // Test if data is stored as expected in the SQLite database. -TEST_F(SQLiteOriginBoundCertStoreTest, TestPersistence) { - store_->AddOriginBoundCert( - net::DefaultOriginBoundCertStore::OriginBoundCert( - "https://www.google.com/", +TEST_F(SQLiteServerBoundCertStoreTest, TestPersistence) { + store_->AddServerBoundCert( + net::DefaultServerBoundCertStore::ServerBoundCert( + "foo.com", net::CLIENT_CERT_ECDSA_SIGN, base::Time::FromInternalValue(3), base::Time::FromInternalValue(4), "c", "d")); - ScopedVector certs; + ScopedVector certs; // Replace the store effectively destroying the current one and forcing it // to write it's data to disk. Then we can see if after loading it again it // is still there. @@ -131,14 +131,14 @@ TEST_F(SQLiteOriginBoundCertStoreTest, TestPersistence) { BrowserThread::GetMessageLoopProxyForThread(BrowserThread::DB))); // Make sure we wait until the destructor has run. ASSERT_TRUE(helper->Run()); - store_ = new SQLiteOriginBoundCertStore( + store_ = new SQLiteServerBoundCertStore( temp_dir_.path().Append(chrome::kOBCertFilename)); // Reload and test for persistence ASSERT_TRUE(store_->Load(&certs.get())); ASSERT_EQ(2U, certs.size()); - net::DefaultOriginBoundCertStore::OriginBoundCert* ec_cert; - net::DefaultOriginBoundCertStore::OriginBoundCert* rsa_cert; + net::DefaultServerBoundCertStore::ServerBoundCert* ec_cert; + net::DefaultServerBoundCertStore::ServerBoundCert* rsa_cert; if (net::CLIENT_CERT_RSA_SIGN == certs[0]->type()) { rsa_cert = certs[0]; ec_cert = certs[1]; @@ -146,13 +146,13 @@ TEST_F(SQLiteOriginBoundCertStoreTest, TestPersistence) { rsa_cert = certs[1]; ec_cert = certs[0]; } - ASSERT_STREQ("https://encrypted.google.com:8443", rsa_cert->origin().c_str()); + ASSERT_STREQ("google.com", rsa_cert->server_identifier().c_str()); ASSERT_EQ(net::CLIENT_CERT_RSA_SIGN, rsa_cert->type()); ASSERT_STREQ("a", rsa_cert->private_key().c_str()); ASSERT_STREQ("b", rsa_cert->cert().c_str()); ASSERT_EQ(1, rsa_cert->creation_time().ToInternalValue()); ASSERT_EQ(2, rsa_cert->expiration_time().ToInternalValue()); - ASSERT_STREQ("https://www.google.com/", ec_cert->origin().c_str()); + ASSERT_STREQ("foo.com", ec_cert->server_identifier().c_str()); ASSERT_EQ(net::CLIENT_CERT_ECDSA_SIGN, ec_cert->type()); ASSERT_STREQ("c", ec_cert->private_key().c_str()); ASSERT_STREQ("d", ec_cert->cert().c_str()); @@ -160,13 +160,13 @@ TEST_F(SQLiteOriginBoundCertStoreTest, TestPersistence) { ASSERT_EQ(4, ec_cert->expiration_time().ToInternalValue()); // Now delete the cert and check persistence again. - store_->DeleteOriginBoundCert(*certs[0]); - store_->DeleteOriginBoundCert(*certs[1]); + store_->DeleteServerBoundCert(*certs[0]); + store_->DeleteServerBoundCert(*certs[1]); store_ = NULL; // Make sure we wait until the destructor has run. ASSERT_TRUE(helper->Run()); certs.reset(); - store_ = new SQLiteOriginBoundCertStore( + store_ = new SQLiteServerBoundCertStore( temp_dir_.path().Append(chrome::kOBCertFilename)); // Reload and check if the cert has been removed. @@ -174,7 +174,7 @@ TEST_F(SQLiteOriginBoundCertStoreTest, TestPersistence) { ASSERT_EQ(0U, certs.size()); } -TEST_F(SQLiteOriginBoundCertStoreTest, TestUpgradeV1) { +TEST_F(SQLiteServerBoundCertStoreTest, TestUpgradeV1) { // Reset the store. We'll be using a different database for this test. store_ = NULL; @@ -200,14 +200,14 @@ TEST_F(SQLiteOriginBoundCertStoreTest, TestUpgradeV1) { sql::Statement add_smt(db.GetUniqueStatement( "INSERT INTO origin_bound_certs (origin, private_key, cert) " "VALUES (?,?,?)")); - add_smt.BindString(0, "https://www.google.com:443"); + add_smt.BindString(0, "google.com"); add_smt.BindBlob(1, key_data.data(), key_data.size()); add_smt.BindBlob(2, cert_data.data(), cert_data.size()); ASSERT_TRUE(add_smt.Run()); ASSERT_TRUE(db.Execute( "INSERT INTO \"origin_bound_certs\" VALUES(" - "'https://foo.com',X'AA',X'BB');" + "'foo.com',X'AA',X'BB');" )); } @@ -217,21 +217,21 @@ TEST_F(SQLiteOriginBoundCertStoreTest, TestUpgradeV1) { for (int i = 0; i < 2; ++i) { SCOPED_TRACE(i); - ScopedVector certs; - store_ = new SQLiteOriginBoundCertStore(v1_db_path); + ScopedVector certs; + store_ = new SQLiteServerBoundCertStore(v1_db_path); // Load the database and ensure the certs can be read and are marked as RSA. ASSERT_TRUE(store_->Load(&certs.get())); ASSERT_EQ(2U, certs.size()); - ASSERT_STREQ("https://www.google.com:443", certs[0]->origin().c_str()); + ASSERT_STREQ("google.com", certs[0]->server_identifier().c_str()); ASSERT_EQ(net::CLIENT_CERT_RSA_SIGN, certs[0]->type()); ASSERT_EQ(GetTestCertExpirationTime(), certs[0]->expiration_time()); ASSERT_EQ(key_data, certs[0]->private_key()); ASSERT_EQ(cert_data, certs[0]->cert()); - ASSERT_STREQ("https://foo.com", certs[1]->origin().c_str()); + ASSERT_STREQ("foo.com", certs[1]->server_identifier().c_str()); ASSERT_EQ(net::CLIENT_CERT_RSA_SIGN, certs[1]->type()); // Undecodable cert, expiration time will be uninitialized. ASSERT_EQ(base::Time(), certs[1]->expiration_time()); @@ -258,7 +258,7 @@ TEST_F(SQLiteOriginBoundCertStoreTest, TestUpgradeV1) { } } -TEST_F(SQLiteOriginBoundCertStoreTest, TestUpgradeV2) { +TEST_F(SQLiteServerBoundCertStoreTest, TestUpgradeV2) { // Reset the store. We'll be using a different database for this test. store_ = NULL; @@ -287,7 +287,7 @@ TEST_F(SQLiteOriginBoundCertStoreTest, TestUpgradeV2) { sql::Statement add_smt(db.GetUniqueStatement( "INSERT INTO origin_bound_certs (origin, private_key, cert, cert_type) " "VALUES (?,?,?,?)")); - add_smt.BindString(0, "https://www.google.com:443"); + add_smt.BindString(0, "google.com"); add_smt.BindBlob(1, key_data.data(), key_data.size()); add_smt.BindBlob(2, cert_data.data(), cert_data.size()); add_smt.BindInt64(3, 1); @@ -295,7 +295,7 @@ TEST_F(SQLiteOriginBoundCertStoreTest, TestUpgradeV2) { ASSERT_TRUE(db.Execute( "INSERT INTO \"origin_bound_certs\" VALUES(" - "'https://foo.com',X'AA',X'BB',64);" + "'foo.com',X'AA',X'BB',64);" )); } @@ -305,21 +305,21 @@ TEST_F(SQLiteOriginBoundCertStoreTest, TestUpgradeV2) { for (int i = 0; i < 2; ++i) { SCOPED_TRACE(i); - ScopedVector certs; - store_ = new SQLiteOriginBoundCertStore(v2_db_path); + ScopedVector certs; + store_ = new SQLiteServerBoundCertStore(v2_db_path); // Load the database and ensure the certs can be read and are marked as RSA. ASSERT_TRUE(store_->Load(&certs.get())); ASSERT_EQ(2U, certs.size()); - ASSERT_STREQ("https://www.google.com:443", certs[0]->origin().c_str()); + ASSERT_STREQ("google.com", certs[0]->server_identifier().c_str()); ASSERT_EQ(net::CLIENT_CERT_RSA_SIGN, certs[0]->type()); ASSERT_EQ(GetTestCertExpirationTime(), certs[0]->expiration_time()); ASSERT_EQ(key_data, certs[0]->private_key()); ASSERT_EQ(cert_data, certs[0]->cert()); - ASSERT_STREQ("https://foo.com", certs[1]->origin().c_str()); + ASSERT_STREQ("foo.com", certs[1]->server_identifier().c_str()); ASSERT_EQ(net::CLIENT_CERT_ECDSA_SIGN, certs[1]->type()); // Undecodable cert, expiration time will be uninitialized. ASSERT_EQ(base::Time(), certs[1]->expiration_time()); @@ -346,7 +346,7 @@ TEST_F(SQLiteOriginBoundCertStoreTest, TestUpgradeV2) { } } -TEST_F(SQLiteOriginBoundCertStoreTest, TestUpgradeV3) { +TEST_F(SQLiteServerBoundCertStoreTest, TestUpgradeV3) { // Reset the store. We'll be using a different database for this test. store_ = NULL; @@ -376,7 +376,7 @@ TEST_F(SQLiteOriginBoundCertStoreTest, TestUpgradeV3) { sql::Statement add_smt(db.GetUniqueStatement( "INSERT INTO origin_bound_certs (origin, private_key, cert, cert_type, " "expiration_time) VALUES (?,?,?,?,?)")); - add_smt.BindString(0, "https://www.google.com:443"); + add_smt.BindString(0, "google.com"); add_smt.BindBlob(1, key_data.data(), key_data.size()); add_smt.BindBlob(2, cert_data.data(), cert_data.size()); add_smt.BindInt64(3, 1); @@ -385,7 +385,7 @@ TEST_F(SQLiteOriginBoundCertStoreTest, TestUpgradeV3) { ASSERT_TRUE(db.Execute( "INSERT INTO \"origin_bound_certs\" VALUES(" - "'https://foo.com',X'AA',X'BB',64,2000);" + "'foo.com',X'AA',X'BB',64,2000);" )); } @@ -395,14 +395,14 @@ TEST_F(SQLiteOriginBoundCertStoreTest, TestUpgradeV3) { for (int i = 0; i < 2; ++i) { SCOPED_TRACE(i); - ScopedVector certs; - store_ = new SQLiteOriginBoundCertStore(v3_db_path); + ScopedVector certs; + store_ = new SQLiteServerBoundCertStore(v3_db_path); // Load the database and ensure the certs can be read and are marked as RSA. ASSERT_TRUE(store_->Load(&certs.get())); ASSERT_EQ(2U, certs.size()); - ASSERT_STREQ("https://www.google.com:443", certs[0]->origin().c_str()); + ASSERT_STREQ("google.com", certs[0]->server_identifier().c_str()); ASSERT_EQ(net::CLIENT_CERT_RSA_SIGN, certs[0]->type()); ASSERT_EQ(1000, certs[0]->expiration_time().ToInternalValue()); ASSERT_EQ(GetTestCertCreationTime(), @@ -410,7 +410,7 @@ TEST_F(SQLiteOriginBoundCertStoreTest, TestUpgradeV3) { ASSERT_EQ(key_data, certs[0]->private_key()); ASSERT_EQ(cert_data, certs[0]->cert()); - ASSERT_STREQ("https://foo.com", certs[1]->origin().c_str()); + ASSERT_STREQ("foo.com", certs[1]->server_identifier().c_str()); ASSERT_EQ(net::CLIENT_CERT_ECDSA_SIGN, certs[1]->type()); ASSERT_EQ(2000, certs[1]->expiration_time().ToInternalValue()); // Undecodable cert, creation time will be uninitialized. @@ -439,7 +439,7 @@ TEST_F(SQLiteOriginBoundCertStoreTest, TestUpgradeV3) { } // Test that we can force the database to be written by calling Flush(). -TEST_F(SQLiteOriginBoundCertStoreTest, TestFlush) { +TEST_F(SQLiteServerBoundCertStoreTest, TestFlush) { // File timestamps don't work well on all platforms, so we'll determine // whether the DB file has been modified by checking its size. FilePath path = temp_dir_.path().Append(chrome::kOBCertFilename); @@ -449,12 +449,12 @@ TEST_F(SQLiteOriginBoundCertStoreTest, TestFlush) { // Write some certs, so the DB will have to expand by several KB. for (char c = 'a'; c < 'z'; ++c) { - std::string origin(1, c); + std::string server_identifier(1, c); std::string private_key(1000, c); std::string cert(1000, c); - store_->AddOriginBoundCert( - net::DefaultOriginBoundCertStore::OriginBoundCert( - origin, + store_->AddServerBoundCert( + net::DefaultServerBoundCertStore::ServerBoundCert( + server_identifier, net::CLIENT_CERT_RSA_SIGN, base::Time(), base::Time(), @@ -493,7 +493,7 @@ class CallbackCounter : public base::RefCountedThreadSafe { }; // Test that we can get a completion callback after a Flush(). -TEST_F(SQLiteOriginBoundCertStoreTest, TestFlushCompletionCallback) { +TEST_F(SQLiteServerBoundCertStoreTest, TestFlushCompletionCallback) { scoped_refptr counter(new CallbackCounter()); // Callback shouldn't be invoked until we call Flush(). diff --git a/chrome/browser/net/ssl_config_service_manager_pref.cc b/chrome/browser/net/ssl_config_service_manager_pref.cc index 883d7cbbd83..7386d492841 100644 --- a/chrome/browser/net/ssl_config_service_manager_pref.cc +++ b/chrome/browser/net/ssl_config_service_manager_pref.cc @@ -139,7 +139,7 @@ class SSLConfigServiceManagerPref BooleanPrefMember rev_checking_enabled_; BooleanPrefMember ssl3_enabled_; BooleanPrefMember tls1_enabled_; - BooleanPrefMember origin_bound_certs_enabled_; + BooleanPrefMember domain_bound_certs_enabled_; BooleanPrefMember ssl_record_splitting_disabled_; // The cached list of disabled SSL cipher suites. @@ -159,7 +159,7 @@ SSLConfigServiceManagerPref::SSLConfigServiceManagerPref( local_state, this); ssl3_enabled_.Init(prefs::kSSL3Enabled, local_state, this); tls1_enabled_.Init(prefs::kTLS1Enabled, local_state, this); - origin_bound_certs_enabled_.Init(prefs::kEnableOriginBoundCerts, + domain_bound_certs_enabled_.Init(prefs::kEnableOriginBoundCerts, local_state, this); ssl_record_splitting_disabled_.Init(prefs::kDisableSSLRecordSplitting, local_state, this); @@ -182,7 +182,7 @@ void SSLConfigServiceManagerPref::RegisterPrefs(PrefService* prefs) { prefs->RegisterBooleanPref(prefs::kTLS1Enabled, default_config.tls1_enabled); prefs->RegisterBooleanPref(prefs::kEnableOriginBoundCerts, - default_config.origin_bound_certs_enabled); + default_config.domain_bound_certs_enabled); prefs->RegisterBooleanPref(prefs::kDisableSSLRecordSplitting, !default_config.false_start_enabled); prefs->RegisterListPref(prefs::kCipherSuiteBlacklist); @@ -230,7 +230,7 @@ void SSLConfigServiceManagerPref::GetSSLConfigFromPrefs( config->ssl3_enabled = ssl3_enabled_.GetValue(); config->tls1_enabled = tls1_enabled_.GetValue(); config->disabled_cipher_suites = disabled_cipher_suites_; - config->origin_bound_certs_enabled = origin_bound_certs_enabled_.GetValue(); + config->domain_bound_certs_enabled = domain_bound_certs_enabled_.GetValue(); // disabling False Start also happens to disable record splitting. config->false_start_enabled = !ssl_record_splitting_disabled_.GetValue(); SSLConfigServicePref::SetSSLConfigFlags(config); diff --git a/chrome/browser/profiles/off_the_record_profile_io_data.cc b/chrome/browser/profiles/off_the_record_profile_io_data.cc index c21cb737511..89501824494 100644 --- a/chrome/browser/profiles/off_the_record_profile_io_data.cc +++ b/chrome/browser/profiles/off_the_record_profile_io_data.cc @@ -194,12 +194,12 @@ void OffTheRecordProfileIOData::LazyInitializeInternal( http_server_properties_.reset(new net::HttpServerPropertiesImpl); main_context->set_http_server_properties(http_server_properties_.get()); - // For incognito, we use a non-persistent origin bound cert store. - net::OriginBoundCertService* origin_bound_cert_service = - new net::OriginBoundCertService( - new net::DefaultOriginBoundCertStore(NULL)); - set_origin_bound_cert_service(origin_bound_cert_service); - main_context->set_origin_bound_cert_service(origin_bound_cert_service); + // For incognito, we use a non-persistent server bound cert store. + net::ServerBoundCertService* server_bound_cert_service = + new net::ServerBoundCertService( + new net::DefaultServerBoundCertStore(NULL)); + set_server_bound_cert_service(server_bound_cert_service); + main_context->set_server_bound_cert_service(server_bound_cert_service); main_context->set_cookie_store( new net::CookieMonster(NULL, profile_params->cookie_monster_delegate)); @@ -219,7 +219,7 @@ void OffTheRecordProfileIOData::LazyInitializeInternal( net::HttpCache* cache = new net::HttpCache(main_context->host_resolver(), main_context->cert_verifier(), - main_context->origin_bound_cert_service(), + main_context->server_bound_cert_service(), main_context->transport_security_state(), main_context->proxy_service(), GetSSLSessionCacheShard(), diff --git a/chrome/browser/profiles/profile_impl.cc b/chrome/browser/profiles/profile_impl.cc index 980264d1cfd..1a9e0a6d254 100644 --- a/chrome/browser/profiles/profile_impl.cc +++ b/chrome/browser/profiles/profile_impl.cc @@ -357,9 +357,9 @@ void ProfileImpl::DoFinalInit(bool is_new_profile) { FilePath cookie_path = GetPath(); cookie_path = cookie_path.Append(chrome::kCookieFilename); - FilePath origin_bound_cert_path = GetPath(); - origin_bound_cert_path = - origin_bound_cert_path.Append(chrome::kOBCertFilename); + FilePath server_bound_cert_path = GetPath(); + server_bound_cert_path = + server_bound_cert_path.Append(chrome::kOBCertFilename); FilePath cache_path = base_cache_path_; int cache_max_size; GetCacheParameters(false, &cache_path, &cache_max_size); @@ -389,7 +389,7 @@ void ProfileImpl::DoFinalInit(bool is_new_profile) { // Make sure we initialize the ProfileIOData after everything else has been // initialized that we might be reading from the IO thread. - io_data_.Init(cookie_path, origin_bound_cert_path, cache_path, + io_data_.Init(cookie_path, server_bound_cert_path, cache_path, cache_max_size, media_cache_path, media_cache_max_size, extensions_cookie_path, app_path, predictor_, g_browser_process->local_state(), diff --git a/chrome/browser/profiles/profile_impl_io_data.cc b/chrome/browser/profiles/profile_impl_io_data.cc index d16a19377d8..9385308c5b6 100644 --- a/chrome/browser/profiles/profile_impl_io_data.cc +++ b/chrome/browser/profiles/profile_impl_io_data.cc @@ -82,7 +82,7 @@ ProfileImplIOData::Handle::~Handle() { void ProfileImplIOData::Handle::Init( const FilePath& cookie_path, - const FilePath& origin_bound_cert_path, + const FilePath& server_bound_cert_path, const FilePath& cache_path, int cache_max_size, const FilePath& media_cache_path, @@ -100,7 +100,7 @@ void ProfileImplIOData::Handle::Init( LazyParams* lazy_params = new LazyParams; lazy_params->cookie_path = cookie_path; - lazy_params->origin_bound_cert_path = origin_bound_cert_path; + lazy_params->server_bound_cert_path = server_bound_cert_path; lazy_params->cache_path = cache_path; lazy_params->cache_max_size = cache_max_size; lazy_params->media_cache_path = media_cache_path; @@ -319,14 +319,14 @@ void ProfileImplIOData::LazyInitializeInternal( media_request_context_->set_proxy_service(proxy_service()); scoped_refptr cookie_store = NULL; - net::OriginBoundCertService* origin_bound_cert_service = NULL; + net::ServerBoundCertService* server_bound_cert_service = NULL; if (record_mode || playback_mode) { // Don't use existing cookies and use an in-memory store. cookie_store = new net::CookieMonster( NULL, profile_params->cookie_monster_delegate); - // Don't use existing origin-bound certs and use an in-memory store. - origin_bound_cert_service = new net::OriginBoundCertService( - new net::DefaultOriginBoundCertStore(NULL)); + // Don't use existing server-bound certs and use an in-memory store. + server_bound_cert_service = new net::ServerBoundCertService( + new net::DefaultServerBoundCertStore(NULL)); } // setup cookie store @@ -360,22 +360,22 @@ void ProfileImplIOData::LazyInitializeInternal( media_request_context_->set_cookie_store(cookie_store); extensions_context->set_cookie_store(extensions_cookie_store); - // Setup origin bound cert service. - if (!origin_bound_cert_service) { - DCHECK(!lazy_params_->origin_bound_cert_path.empty()); + // Setup server bound cert service. + if (!server_bound_cert_service) { + DCHECK(!lazy_params_->server_bound_cert_path.empty()); - scoped_refptr origin_bound_cert_db = - new SQLiteOriginBoundCertStore(lazy_params_->origin_bound_cert_path); - origin_bound_cert_db->SetClearLocalStateOnExit( + scoped_refptr server_bound_cert_db = + new SQLiteServerBoundCertStore(lazy_params_->server_bound_cert_path); + server_bound_cert_db->SetClearLocalStateOnExit( profile_params->clear_local_state_on_exit); - origin_bound_cert_service = new net::OriginBoundCertService( - new net::DefaultOriginBoundCertStore(origin_bound_cert_db.get())); + server_bound_cert_service = new net::ServerBoundCertService( + new net::DefaultServerBoundCertStore(server_bound_cert_db.get())); } - set_origin_bound_cert_service(origin_bound_cert_service); - main_context->set_origin_bound_cert_service(origin_bound_cert_service); - media_request_context_->set_origin_bound_cert_service( - origin_bound_cert_service); + set_server_bound_cert_service(server_bound_cert_service); + main_context->set_server_bound_cert_service(server_bound_cert_service); + media_request_context_->set_server_bound_cert_service( + server_bound_cert_service); net::HttpCache::DefaultBackend* main_backend = new net::HttpCache::DefaultBackend( @@ -386,7 +386,7 @@ void ProfileImplIOData::LazyInitializeInternal( net::HttpCache* main_cache = new net::HttpCache( main_context->host_resolver(), main_context->cert_verifier(), - main_context->origin_bound_cert_service(), + main_context->server_bound_cert_service(), main_context->transport_security_state(), main_context->proxy_service(), "", // pass empty ssl_session_cache_shard to share the SSL session cache diff --git a/chrome/browser/profiles/profile_impl_io_data.h b/chrome/browser/profiles/profile_impl_io_data.h index 9b1aa7f2e19..6a78e5fe879 100644 --- a/chrome/browser/profiles/profile_impl_io_data.h +++ b/chrome/browser/profiles/profile_impl_io_data.h @@ -1,4 +1,4 @@ -// Copyright (c) 2011 The Chromium Authors. All rights reserved. +// Copyright (c) 2012 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -36,7 +36,7 @@ class ProfileImplIOData : public ProfileIOData { // Init() must be called before ~Handle(). It records all the necessary // parameters needed to construct a ChromeURLRequestContextGetter. void Init(const FilePath& cookie_path, - const FilePath& origin_bound_cert_path, + const FilePath& server_bound_cert_path, const FilePath& cache_path, int cache_max_size, const FilePath& media_cache_path, @@ -111,7 +111,7 @@ class ProfileImplIOData : public ProfileIOData { // All of these parameters are intended to be read on the IO thread. FilePath cookie_path; - FilePath origin_bound_cert_path; + FilePath server_bound_cert_path; FilePath cache_path; int cache_max_size; FilePath media_cache_path; diff --git a/chrome/browser/profiles/profile_io_data.cc b/chrome/browser/profiles/profile_io_data.cc index 1e416a01b18..3224f132730 100644 --- a/chrome/browser/profiles/profile_io_data.cc +++ b/chrome/browser/profiles/profile_io_data.cc @@ -565,7 +565,7 @@ void ProfileIOData::ShutdownOnUIThread() { delete this; } -void ProfileIOData::set_origin_bound_cert_service( - net::OriginBoundCertService* origin_bound_cert_service) const { - origin_bound_cert_service_.reset(origin_bound_cert_service); +void ProfileIOData::set_server_bound_cert_service( + net::ServerBoundCertService* server_bound_cert_service) const { + server_bound_cert_service_.reset(server_bound_cert_service); } diff --git a/chrome/browser/profiles/profile_io_data.h b/chrome/browser/profiles/profile_io_data.h index 006419b3d6f..c8e2c556ee7 100644 --- a/chrome/browser/profiles/profile_io_data.h +++ b/chrome/browser/profiles/profile_io_data.h @@ -33,7 +33,7 @@ namespace net { class CookieStore; class FraudulentCertificateReporter; class HttpTransactionFactory; -class OriginBoundCertService; +class ServerBoundCertService; class ProxyConfigService; class ProxyService; class SSLConfigService; @@ -178,12 +178,12 @@ class ProfileIOData { return chrome_url_data_manager_backend_.get(); } - // An OriginBoundCertService object is created by a derived class of + // A ServerBoundCertService object is created by a derived class of // ProfileIOData, and the derived class calls this method to set the - // origin_bound_cert_service_ member and transfers ownership to the base + // server_bound_cert_service_ member and transfers ownership to the base // class. - void set_origin_bound_cert_service( - net::OriginBoundCertService* origin_bound_cert_service) const; + void set_server_bound_cert_service( + net::ServerBoundCertService* server_bound_cert_service) const; net::NetworkDelegate* network_delegate() const { return network_delegate_.get(); @@ -273,7 +273,7 @@ class ProfileIOData { // Pointed to by URLRequestContext. mutable scoped_ptr chrome_url_data_manager_backend_; - mutable scoped_ptr origin_bound_cert_service_; + mutable scoped_ptr server_bound_cert_service_; mutable scoped_ptr network_delegate_; mutable scoped_ptr fraudulent_certificate_reporter_; diff --git a/chrome/common/extensions/api/browsingData.json b/chrome/common/extensions/api/browsingData.json index 8848f6e6063..7ba52ccc94b 100644 --- a/chrome/common/extensions/api/browsingData.json +++ b/chrome/common/extensions/api/browsingData.json @@ -79,10 +79,10 @@ "optional": true, "description": "Should websites' local storage data be cleared?" }, - "originBoundCertificates": { + "serverBoundCertificates": { "type": "boolean", "optional": true, - "description": "Should origin-bound certificates be removed?" + "description": "Should server-bound certificates be removed?" }, "pluginData": { "type": "boolean", diff --git a/chrome/common/extensions/docs/browsingData.html b/chrome/common/extensions/docs/browsingData.html index 27a3c6ad2aa..51ae013c6b9 100644 --- a/chrome/common/extensions/docs/browsingData.html +++ b/chrome/common/extensions/docs/browsingData.html @@ -627,7 +627,7 @@

Parameters

- originBoundCertificates + serverBoundCertificates
@@ -642,7 +642,7 @@

Parameters
-
Should origin-bound certificates be removed?
+
Should server-bound certificates be removed?
diff --git a/chrome/common/extensions/docs/examples/api/browsingData/basic.zip b/chrome/common/extensions/docs/examples/api/browsingData/basic.zip index 98d0f365ee9..d508afc05ad 100644 Binary files a/chrome/common/extensions/docs/examples/api/browsingData/basic.zip and b/chrome/common/extensions/docs/examples/api/browsingData/basic.zip differ diff --git a/chrome/common/extensions/docs/examples/api/browsingData/basic/popup.js b/chrome/common/extensions/docs/examples/api/browsingData/basic/popup.js index a86d6ace089..1b46ea971bc 100644 --- a/chrome/common/extensions/docs/examples/api/browsingData/basic/popup.js +++ b/chrome/common/extensions/docs/examples/api/browsingData/basic/popup.js @@ -119,7 +119,7 @@ PopupController.prototype = { "history": true, "indexedDB": true, "localStorage": true, - "originBoundCertificates": true, + "serverBoundCertificates": true, "pluginData": true, "passwords": true, "webSQL": true diff --git a/chrome/common/extensions/docs/samples.json b/chrome/common/extensions/docs/samples.json index ed13ebaea0d..4edf90b9935 100644 --- a/chrome/common/extensions/docs/samples.json +++ b/chrome/common/extensions/docs/samples.json @@ -18,6 +18,10 @@ "chrome.bookmarks.removeTree": "bookmarks.html#method-removeTree", "chrome.bookmarks.search": "bookmarks.html#method-search", "chrome.bookmarks.update": "bookmarks.html#method-update", + "chrome.browserAction.getBadgeBackgroundColor": "browserAction.html#method-getBadgeBackgroundColor", + "chrome.browserAction.getBadgeText": "browserAction.html#method-getBadgeText", + "chrome.browserAction.getPopup": "browserAction.html#method-getPopup", + "chrome.browserAction.getTitle": "browserAction.html#method-getTitle", "chrome.browserAction.onClicked": "browserAction.html#event-onClicked", "chrome.browserAction.setBadgeBackgroundColor": "browserAction.html#method-setBadgeBackgroundColor", "chrome.browserAction.setBadgeText": "browserAction.html#method-setBadgeText", @@ -142,6 +146,8 @@ "chrome.omnibox.onInputEntered": "omnibox.html#event-onInputEntered", "chrome.omnibox.onInputStarted": "omnibox.html#event-onInputStarted", "chrome.omnibox.setDefaultSuggestion": "omnibox.html#method-setDefaultSuggestion", + "chrome.pageAction.getPopup": "pageAction.html#method-getPopup", + "chrome.pageAction.getTitle": "pageAction.html#method-getTitle", "chrome.pageAction.hide": "pageAction.html#method-hide", "chrome.pageAction.onClicked": "pageAction.html#event-onClicked", "chrome.pageAction.setIcon": "pageAction.html#method-setIcon", @@ -524,7 +530,7 @@ "popup.html", "popup.js" ], - "source_hash": "d03a62493eb36bf3da3472f15df777137e159171", + "source_hash": "6e227746c25a1b9765dbd27e3eb0e7403dee2c65", "zip_path": "examples\/api\/browsingData\/basic.zip" }, { diff --git a/chrome/tools/chromeactions.txt b/chrome/tools/chromeactions.txt index 3fb362f449a..7a6667853ba 100644 --- a/chrome/tools/chromeactions.txt +++ b/chrome/tools/chromeactions.txt @@ -183,7 +183,7 @@ 0xea9b835bf0310f85 ClearBrowsingData_Downloads 0xe3c9686626019346 ClearBrowsingData_History 0x86678d0ede469c46 ClearBrowsingData_LSOData -0x82601d6a3aca0eb1 ClearBrowsingData_OriginBoundCerts +0x82601d6a3aca0eb1 ClearBrowsingData_ServerBoundCerts 0x511e8366cdda3890 ClearBrowsingData_Passwords 0x6d69a061f7adf595 ClearBrowsingData_ShowDlg 0x9fd631c62234969a ClearSelection diff --git a/content/public/common/content_switches.cc b/content/public/common/content_switches.cc index 07198b128a4..ac88386ca46 100644 --- a/content/public/common/content_switches.cc +++ b/content/public/common/content_switches.cc @@ -274,7 +274,7 @@ const char kEnableMediaStream[] = "enable-media-stream"; // assumed to be sRGB. const char kEnableMonitorProfile[] = "enable-monitor-profile"; -// Enables TLS origin bound certificate extension. +// Enables TLS domain bound certificate extension. const char kEnableOriginBoundCerts[] = "enable-origin-bound-certs"; // Enables partial swaps in the WK compositor on platforms that support it. diff --git a/content/shell/shell_url_request_context_getter.cc b/content/shell/shell_url_request_context_getter.cc index f18be2b3604..9a35da82782 100644 --- a/content/shell/shell_url_request_context_getter.cc +++ b/content/shell/shell_url_request_context_getter.cc @@ -52,8 +52,8 @@ net::URLRequestContext* ShellURLRequestContextGetter::GetURLRequestContext() { storage_.reset(new net::URLRequestContextStorage(url_request_context_)); storage_->set_cookie_store(new net::CookieMonster(NULL, NULL)); - storage_->set_origin_bound_cert_service(new net::OriginBoundCertService( - new net::DefaultOriginBoundCertStore(NULL))); + storage_->set_server_bound_cert_service(new net::ServerBoundCertService( + new net::DefaultServerBoundCertStore(NULL))); url_request_context_->set_accept_language("en-us,en"); url_request_context_->set_accept_charset("iso-8859-1,*,utf-8"); @@ -86,7 +86,7 @@ net::URLRequestContext* ShellURLRequestContextGetter::GetURLRequestContext() { net::HttpCache* main_cache = new net::HttpCache( url_request_context_->host_resolver(), url_request_context_->cert_verifier(), - url_request_context_->origin_bound_cert_service(), + url_request_context_->server_bound_cert_service(), NULL, // tranport_security_state url_request_context_->proxy_service(), "", // ssl_session_cache_shard diff --git a/jingle/notifier/base/proxy_resolving_client_socket.cc b/jingle/notifier/base/proxy_resolving_client_socket.cc index ab0b6791612..5130100b013 100644 --- a/jingle/notifier/base/proxy_resolving_client_socket.cc +++ b/jingle/notifier/base/proxy_resolving_client_socket.cc @@ -1,4 +1,4 @@ -// Copyright (c) 2011 The Chromium Authors. All rights reserved. +// Copyright (c) 2012 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -48,8 +48,8 @@ ProxyResolvingClientSocket::ProxyResolvingClientSocket( session_params.client_socket_factory = socket_factory; session_params.host_resolver = request_context->host_resolver(); session_params.cert_verifier = request_context->cert_verifier(); - // TODO(rkn): This is NULL because OriginBoundCertService is not thread safe. - session_params.origin_bound_cert_service = NULL; + // TODO(rkn): This is NULL because ServerBoundCertService is not thread safe. + session_params.server_bound_cert_service = NULL; // transport_security_state is NULL because it's not thread safe. session_params.transport_security_state = NULL; session_params.proxy_service = request_context->proxy_service(); diff --git a/jingle/notifier/base/xmpp_client_socket_factory.cc b/jingle/notifier/base/xmpp_client_socket_factory.cc index c08de39a79a..87b439de7aa 100644 --- a/jingle/notifier/base/xmpp_client_socket_factory.cc +++ b/jingle/notifier/base/xmpp_client_socket_factory.cc @@ -1,4 +1,4 @@ -// Copyright (c) 2011 The Chromium Authors. All rights reserved. +// Copyright (c) 2012 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -45,8 +45,8 @@ net::SSLClientSocket* XmppClientSocketFactory::CreateSSLClientSocket( net::SSLClientSocketContext context; context.cert_verifier = request_context_getter_->GetURLRequestContext()->cert_verifier(); - // TODO(rkn): context.origin_bound_cert_service is NULL because the - // OriginBoundCertService class is not thread safe. + // TODO(rkn): context.server_bound_cert_service is NULL because the + // ServerBoundCertService class is not thread safe. return client_socket_factory_->CreateSSLClientSocket( transport_socket, host_and_port, ssl_config_, NULL, context); } diff --git a/net/base/default_origin_bound_cert_store.cc b/net/base/default_origin_bound_cert_store.cc index 8e721aeda19..3fd8c345047 100644 --- a/net/base/default_origin_bound_cert_store.cc +++ b/net/base/default_origin_bound_cert_store.cc @@ -10,14 +10,14 @@ namespace net { // static -const size_t DefaultOriginBoundCertStore::kMaxCerts = 3300; +const size_t DefaultServerBoundCertStore::kMaxCerts = 3300; -DefaultOriginBoundCertStore::DefaultOriginBoundCertStore( +DefaultServerBoundCertStore::DefaultServerBoundCertStore( PersistentStore* store) : initialized_(false), store_(store) {} -void DefaultOriginBoundCertStore::FlushStore( +void DefaultServerBoundCertStore::FlushStore( const base::Closure& completion_task) { base::AutoLock autolock(lock_); @@ -27,8 +27,8 @@ void DefaultOriginBoundCertStore::FlushStore( MessageLoop::current()->PostTask(FROM_HERE, completion_task); } -bool DefaultOriginBoundCertStore::GetOriginBoundCert( - const std::string& origin, +bool DefaultServerBoundCertStore::GetServerBoundCert( + const std::string& server_identifier, SSLClientCertType* type, base::Time* creation_time, base::Time* expiration_time, @@ -37,12 +37,12 @@ bool DefaultOriginBoundCertStore::GetOriginBoundCert( base::AutoLock autolock(lock_); InitIfNecessary(); - OriginBoundCertMap::iterator it = origin_bound_certs_.find(origin); + ServerBoundCertMap::iterator it = server_bound_certs_.find(server_identifier); - if (it == origin_bound_certs_.end()) + if (it == server_bound_certs_.end()) return false; - OriginBoundCert* cert = it->second; + ServerBoundCert* cert = it->second; *type = cert->type(); *creation_time = cert->creation_time(); *expiration_time = cert->expiration_time(); @@ -52,8 +52,8 @@ bool DefaultOriginBoundCertStore::GetOriginBoundCert( return true; } -void DefaultOriginBoundCertStore::SetOriginBoundCert( - const std::string& origin, +void DefaultServerBoundCertStore::SetServerBoundCert( + const std::string& server_identifier, SSLClientCertType type, base::Time creation_time, base::Time expiration_time, @@ -62,118 +62,119 @@ void DefaultOriginBoundCertStore::SetOriginBoundCert( base::AutoLock autolock(lock_); InitIfNecessary(); - InternalDeleteOriginBoundCert(origin); - InternalInsertOriginBoundCert( - origin, - new OriginBoundCert( - origin, type, creation_time, expiration_time, private_key, cert)); + InternalDeleteServerBoundCert(server_identifier); + InternalInsertServerBoundCert( + server_identifier, + new ServerBoundCert( + server_identifier, type, creation_time, expiration_time, private_key, + cert)); } -void DefaultOriginBoundCertStore::DeleteOriginBoundCert( - const std::string& origin) { +void DefaultServerBoundCertStore::DeleteServerBoundCert( + const std::string& server_identifier) { base::AutoLock autolock(lock_); InitIfNecessary(); - InternalDeleteOriginBoundCert(origin); + InternalDeleteServerBoundCert(server_identifier); } -void DefaultOriginBoundCertStore::DeleteAllCreatedBetween( +void DefaultServerBoundCertStore::DeleteAllCreatedBetween( base::Time delete_begin, base::Time delete_end) { base::AutoLock autolock(lock_); InitIfNecessary(); - for (OriginBoundCertMap::iterator it = origin_bound_certs_.begin(); - it != origin_bound_certs_.end();) { - OriginBoundCertMap::iterator cur = it; + for (ServerBoundCertMap::iterator it = server_bound_certs_.begin(); + it != server_bound_certs_.end();) { + ServerBoundCertMap::iterator cur = it; ++it; - OriginBoundCert* cert = cur->second; + ServerBoundCert* cert = cur->second; if ((delete_begin.is_null() || cert->creation_time() >= delete_begin) && (delete_end.is_null() || cert->creation_time() < delete_end)) { if (store_) - store_->DeleteOriginBoundCert(*cert); + store_->DeleteServerBoundCert(*cert); delete cert; - origin_bound_certs_.erase(cur); + server_bound_certs_.erase(cur); } } } -void DefaultOriginBoundCertStore::DeleteAll() { +void DefaultServerBoundCertStore::DeleteAll() { DeleteAllCreatedBetween(base::Time(), base::Time()); } -void DefaultOriginBoundCertStore::GetAllOriginBoundCerts( - std::vector* origin_bound_certs) { +void DefaultServerBoundCertStore::GetAllServerBoundCerts( + std::vector* server_bound_certs) { base::AutoLock autolock(lock_); InitIfNecessary(); - for (OriginBoundCertMap::iterator it = origin_bound_certs_.begin(); - it != origin_bound_certs_.end(); ++it) { - origin_bound_certs->push_back(*it->second); + for (ServerBoundCertMap::iterator it = server_bound_certs_.begin(); + it != server_bound_certs_.end(); ++it) { + server_bound_certs->push_back(*it->second); } } -int DefaultOriginBoundCertStore::GetCertCount() { +int DefaultServerBoundCertStore::GetCertCount() { base::AutoLock autolock(lock_); InitIfNecessary(); - return origin_bound_certs_.size(); + return server_bound_certs_.size(); } -DefaultOriginBoundCertStore::~DefaultOriginBoundCertStore() { +DefaultServerBoundCertStore::~DefaultServerBoundCertStore() { DeleteAllInMemory(); } -void DefaultOriginBoundCertStore::DeleteAllInMemory() { +void DefaultServerBoundCertStore::DeleteAllInMemory() { base::AutoLock autolock(lock_); - for (OriginBoundCertMap::iterator it = origin_bound_certs_.begin(); - it != origin_bound_certs_.end(); ++it) { + for (ServerBoundCertMap::iterator it = server_bound_certs_.begin(); + it != server_bound_certs_.end(); ++it) { delete it->second; } - origin_bound_certs_.clear(); + server_bound_certs_.clear(); } -void DefaultOriginBoundCertStore::InitStore() { +void DefaultServerBoundCertStore::InitStore() { lock_.AssertAcquired(); DCHECK(store_) << "Store must exist to initialize"; // Initialize the store and sync in any saved persistent certs. - std::vector certs; + std::vector certs; // Reserve space for the maximum amount of certs a database should have. // This prevents multiple vector growth / copies as we append certs. certs.reserve(kMaxCerts); store_->Load(&certs); - for (std::vector::const_iterator it = certs.begin(); + for (std::vector::const_iterator it = certs.begin(); it != certs.end(); ++it) { - origin_bound_certs_[(*it)->origin()] = *it; + server_bound_certs_[(*it)->server_identifier()] = *it; } } -void DefaultOriginBoundCertStore::InternalDeleteOriginBoundCert( - const std::string& origin) { +void DefaultServerBoundCertStore::InternalDeleteServerBoundCert( + const std::string& server_identifier) { lock_.AssertAcquired(); - OriginBoundCertMap::iterator it = origin_bound_certs_.find(origin); - if (it == origin_bound_certs_.end()) + ServerBoundCertMap::iterator it = server_bound_certs_.find(server_identifier); + if (it == server_bound_certs_.end()) return; // There is nothing to delete. - OriginBoundCert* cert = it->second; + ServerBoundCert* cert = it->second; if (store_) - store_->DeleteOriginBoundCert(*cert); - origin_bound_certs_.erase(it); + store_->DeleteServerBoundCert(*cert); + server_bound_certs_.erase(it); delete cert; } -void DefaultOriginBoundCertStore::InternalInsertOriginBoundCert( - const std::string& origin, - OriginBoundCert* cert) { +void DefaultServerBoundCertStore::InternalInsertServerBoundCert( + const std::string& server_identifier, + ServerBoundCert* cert) { lock_.AssertAcquired(); if (store_) - store_->AddOriginBoundCert(*cert); - origin_bound_certs_[origin] = cert; + store_->AddServerBoundCert(*cert); + server_bound_certs_[server_identifier] = cert; } -DefaultOriginBoundCertStore::PersistentStore::PersistentStore() {} +DefaultServerBoundCertStore::PersistentStore::PersistentStore() {} } // namespace net diff --git a/net/base/default_origin_bound_cert_store.h b/net/base/default_origin_bound_cert_store.h index e717d38e45d..81a6f052006 100644 --- a/net/base/default_origin_bound_cert_store.h +++ b/net/base/default_origin_bound_cert_store.h @@ -21,30 +21,30 @@ class Task; namespace net { -// This class is the system for storing and retrieving origin bound certs. +// This class is the system for storing and retrieving server bound certs. // Modeled after the CookieMonster class, it has an in-memory cert store, -// and synchronizes origin bound certs to an optional permanent storage that +// and synchronizes server bound certs to an optional permanent storage that // implements the PersistentStore interface. The use case is described in // http://balfanz.github.com/tls-obc-spec/draft-balfanz-tls-obc-00.html // // This class can be accessed by multiple threads. For example, it can be used -// by IO and origin bound cert management UI. -class NET_EXPORT DefaultOriginBoundCertStore : public OriginBoundCertStore { +// by IO and server bound cert management UI. +class NET_EXPORT DefaultServerBoundCertStore : public ServerBoundCertStore { public: class PersistentStore; - // The key for each OriginBoundCert* in OriginBoundCertMap is the - // corresponding origin. - typedef std::map OriginBoundCertMap; + // The key for each ServerBoundCert* in ServerBoundCertMap is the + // corresponding server. + typedef std::map ServerBoundCertMap; // The store passed in should not have had Init() called on it yet. This // class will take care of initializing it. The backing store is NOT owned by // this class, but it must remain valid for the duration of the - // DefaultOriginBoundCertStore's existence. If |store| is NULL, then no + // DefaultServerBoundCertStore's existence. If |store| is NULL, then no // backing store will be updated. - explicit DefaultOriginBoundCertStore(PersistentStore* store); + explicit DefaultServerBoundCertStore(PersistentStore* store); - virtual ~DefaultOriginBoundCertStore(); + virtual ~DefaultServerBoundCertStore(); // Flush the backing store (if any) to disk and post the given task when done. // WARNING: THE CALLBACK WILL RUN ON A RANDOM THREAD. IT MUST BE THREAD SAFE. @@ -53,27 +53,28 @@ class NET_EXPORT DefaultOriginBoundCertStore : public OriginBoundCertStore { // to the thread you actually want to be notified on. void FlushStore(const base::Closure& completion_task); - // OriginBoundCertStore implementation. - virtual bool GetOriginBoundCert( - const std::string& origin, + // ServerBoundCertStore implementation. + virtual bool GetServerBoundCert( + const std::string& server_identifier, SSLClientCertType* type, base::Time* creation_time, base::Time* expiration_time, std::string* private_key_result, std::string* cert_result) OVERRIDE; - virtual void SetOriginBoundCert( - const std::string& origin, + virtual void SetServerBoundCert( + const std::string& server_identifier, SSLClientCertType type, base::Time creation_time, base::Time expiration_time, const std::string& private_key, const std::string& cert) OVERRIDE; - virtual void DeleteOriginBoundCert(const std::string& origin) OVERRIDE; + virtual void DeleteServerBoundCert(const std::string& server_identifier) + OVERRIDE; virtual void DeleteAllCreatedBetween(base::Time delete_begin, base::Time delete_end) OVERRIDE; virtual void DeleteAll() OVERRIDE; - virtual void GetAllOriginBoundCerts( - std::vector* origin_bound_certs) OVERRIDE; + virtual void GetAllServerBoundCerts( + std::vector* server_bound_certs) OVERRIDE; virtual int GetCertCount() OVERRIDE; private: @@ -98,15 +99,15 @@ class NET_EXPORT DefaultOriginBoundCertStore : public OriginBoundCertStore { // Should only be called by InitIfNecessary(). void InitStore(); - // Deletes the cert for the specified origin, if such a cert exists, from the + // Deletes the cert for the specified server, if such a cert exists, from the // in-memory store. Deletes it from |store_| if |store_| is not NULL. - void InternalDeleteOriginBoundCert(const std::string& origin); + void InternalDeleteServerBoundCert(const std::string& server); // Takes ownership of *cert. - // Adds the cert for the specified origin to the in-memory store. Deletes it + // Adds the cert for the specified server to the in-memory store. Deletes it // from |store_| if |store_| is not NULL. - void InternalInsertOriginBoundCert(const std::string& origin, - OriginBoundCert* cert); + void InternalInsertServerBoundCert(const std::string& server_identifier, + ServerBoundCert* cert); // Indicates whether the cert store has been initialized. This happens // Lazily in InitStoreIfNecessary(). @@ -114,18 +115,18 @@ class NET_EXPORT DefaultOriginBoundCertStore : public OriginBoundCertStore { scoped_refptr store_; - OriginBoundCertMap origin_bound_certs_; + ServerBoundCertMap server_bound_certs_; // Lock for thread-safety base::Lock lock_; - DISALLOW_COPY_AND_ASSIGN(DefaultOriginBoundCertStore); + DISALLOW_COPY_AND_ASSIGN(DefaultServerBoundCertStore); }; -typedef base::RefCountedThreadSafe +typedef base::RefCountedThreadSafe RefcountedPersistentStore; -class NET_EXPORT DefaultOriginBoundCertStore::PersistentStore +class NET_EXPORT DefaultServerBoundCertStore::PersistentStore : public RefcountedPersistentStore { public: virtual ~PersistentStore() {} @@ -134,11 +135,11 @@ class NET_EXPORT DefaultOriginBoundCertStore::PersistentStore // called only once at startup. Note that the certs are individually allocated // and that ownership is transferred to the caller upon return. virtual bool Load( - std::vector* certs) = 0; + std::vector* certs) = 0; - virtual void AddOriginBoundCert(const OriginBoundCert& cert) = 0; + virtual void AddServerBoundCert(const ServerBoundCert& cert) = 0; - virtual void DeleteOriginBoundCert(const OriginBoundCert& cert) = 0; + virtual void DeleteServerBoundCert(const ServerBoundCert& cert) = 0; // Sets the value of the user preference whether the persistent storage // must be deleted upon destruction. diff --git a/net/base/default_origin_bound_cert_store_unittest.cc b/net/base/default_origin_bound_cert_store_unittest.cc index ec55716d08d..4e8628f8ec9 100644 --- a/net/base/default_origin_bound_cert_store_unittest.cc +++ b/net/base/default_origin_bound_cert_store_unittest.cc @@ -17,27 +17,27 @@ namespace net { class MockPersistentStore - : public DefaultOriginBoundCertStore::PersistentStore { + : public DefaultServerBoundCertStore::PersistentStore { public: MockPersistentStore(); virtual ~MockPersistentStore(); - // DefaultOriginBoundCertStore::PersistentStore implementation. + // DefaultServerBoundCertStore::PersistentStore implementation. virtual bool Load( - std::vector* certs) + std::vector* certs) OVERRIDE; - virtual void AddOriginBoundCert( - const DefaultOriginBoundCertStore::OriginBoundCert& cert) OVERRIDE; - virtual void DeleteOriginBoundCert( - const DefaultOriginBoundCertStore::OriginBoundCert& cert) OVERRIDE; + virtual void AddServerBoundCert( + const DefaultServerBoundCertStore::ServerBoundCert& cert) OVERRIDE; + virtual void DeleteServerBoundCert( + const DefaultServerBoundCertStore::ServerBoundCert& cert) OVERRIDE; virtual void SetClearLocalStateOnExit(bool clear_local_state) OVERRIDE; virtual void Flush(const base::Closure& completion_task) OVERRIDE; private: - typedef std::map - OriginBoundCertMap; + typedef std::map + ServerBoundCertMap; - OriginBoundCertMap origin_certs_; + ServerBoundCertMap origin_certs_; }; MockPersistentStore::MockPersistentStore() {} @@ -45,25 +45,25 @@ MockPersistentStore::MockPersistentStore() {} MockPersistentStore::~MockPersistentStore() {} bool MockPersistentStore::Load( - std::vector* certs) { - OriginBoundCertMap::iterator it; + std::vector* certs) { + ServerBoundCertMap::iterator it; for (it = origin_certs_.begin(); it != origin_certs_.end(); ++it) { certs->push_back( - new DefaultOriginBoundCertStore::OriginBoundCert(it->second)); + new DefaultServerBoundCertStore::ServerBoundCert(it->second)); } return true; } -void MockPersistentStore::AddOriginBoundCert( - const DefaultOriginBoundCertStore::OriginBoundCert& cert) { - origin_certs_[cert.origin()] = cert; +void MockPersistentStore::AddServerBoundCert( + const DefaultServerBoundCertStore::ServerBoundCert& cert) { + origin_certs_[cert.server_identifier()] = cert; } -void MockPersistentStore::DeleteOriginBoundCert( - const DefaultOriginBoundCertStore::OriginBoundCert& cert) { - origin_certs_.erase(cert.origin()); +void MockPersistentStore::DeleteServerBoundCert( + const DefaultServerBoundCertStore::ServerBoundCert& cert) { + origin_certs_.erase(cert.server_identifier()); } void MockPersistentStore::SetClearLocalStateOnExit(bool clear_local_state) {} @@ -72,36 +72,36 @@ void MockPersistentStore::Flush(const base::Closure& completion_task) { NOTREACHED(); } -TEST(DefaultOriginBoundCertStoreTest, TestLoading) { +TEST(DefaultServerBoundCertStoreTest, TestLoading) { scoped_refptr persistent_store(new MockPersistentStore); - persistent_store->AddOriginBoundCert( - DefaultOriginBoundCertStore::OriginBoundCert( - "https://encrypted.google.com/", + persistent_store->AddServerBoundCert( + DefaultServerBoundCertStore::ServerBoundCert( + "google.com", CLIENT_CERT_RSA_SIGN, base::Time(), base::Time(), "a", "b")); - persistent_store->AddOriginBoundCert( - DefaultOriginBoundCertStore::OriginBoundCert( - "https://www.verisign.com/", + persistent_store->AddServerBoundCert( + DefaultServerBoundCertStore::ServerBoundCert( + "verisign.com", CLIENT_CERT_ECDSA_SIGN, base::Time(), base::Time(), "c", "d")); // Make sure certs load properly. - DefaultOriginBoundCertStore store(persistent_store.get()); + DefaultServerBoundCertStore store(persistent_store.get()); EXPECT_EQ(2, store.GetCertCount()); - store.SetOriginBoundCert( - "https://www.verisign.com/", + store.SetServerBoundCert( + "verisign.com", CLIENT_CERT_RSA_SIGN, base::Time(), base::Time(), "e", "f"); EXPECT_EQ(2, store.GetCertCount()); - store.SetOriginBoundCert( - "https://www.twitter.com/", + store.SetServerBoundCert( + "twitter.com", CLIENT_CERT_RSA_SIGN, base::Time(), base::Time(), @@ -109,14 +109,14 @@ TEST(DefaultOriginBoundCertStoreTest, TestLoading) { EXPECT_EQ(3, store.GetCertCount()); } -TEST(DefaultOriginBoundCertStoreTest, TestSettingAndGetting) { - DefaultOriginBoundCertStore store(NULL); +TEST(DefaultServerBoundCertStoreTest, TestSettingAndGetting) { + DefaultServerBoundCertStore store(NULL); SSLClientCertType type; base::Time creation_time; base::Time expiration_time; std::string private_key, cert; EXPECT_EQ(0, store.GetCertCount()); - EXPECT_FALSE(store.GetOriginBoundCert("https://www.verisign.com/", + EXPECT_FALSE(store.GetServerBoundCert("verisign.com", &type, &creation_time, &expiration_time, @@ -124,13 +124,13 @@ TEST(DefaultOriginBoundCertStoreTest, TestSettingAndGetting) { &cert)); EXPECT_TRUE(private_key.empty()); EXPECT_TRUE(cert.empty()); - store.SetOriginBoundCert( - "https://www.verisign.com/", + store.SetServerBoundCert( + "verisign.com", CLIENT_CERT_RSA_SIGN, base::Time::FromInternalValue(123), base::Time::FromInternalValue(456), "i", "j"); - EXPECT_TRUE(store.GetOriginBoundCert("https://www.verisign.com/", + EXPECT_TRUE(store.GetServerBoundCert("verisign.com", &type, &creation_time, &expiration_time, @@ -143,30 +143,30 @@ TEST(DefaultOriginBoundCertStoreTest, TestSettingAndGetting) { EXPECT_EQ("j", cert); } -TEST(DefaultOriginBoundCertStoreTest, TestDuplicateCerts) { +TEST(DefaultServerBoundCertStoreTest, TestDuplicateCerts) { scoped_refptr persistent_store(new MockPersistentStore); - DefaultOriginBoundCertStore store(persistent_store.get()); + DefaultServerBoundCertStore store(persistent_store.get()); SSLClientCertType type; base::Time creation_time; base::Time expiration_time; std::string private_key, cert; EXPECT_EQ(0, store.GetCertCount()); - store.SetOriginBoundCert( - "https://www.verisign.com/", + store.SetServerBoundCert( + "verisign.com", CLIENT_CERT_RSA_SIGN, base::Time::FromInternalValue(123), base::Time::FromInternalValue(1234), "a", "b"); - store.SetOriginBoundCert( - "https://www.verisign.com/", + store.SetServerBoundCert( + "verisign.com", CLIENT_CERT_ECDSA_SIGN, base::Time::FromInternalValue(456), base::Time::FromInternalValue(4567), "c", "d"); EXPECT_EQ(1, store.GetCertCount()); - EXPECT_TRUE(store.GetOriginBoundCert("https://www.verisign.com/", + EXPECT_TRUE(store.GetServerBoundCert("verisign.com", &type, &creation_time, &expiration_time, @@ -179,25 +179,25 @@ TEST(DefaultOriginBoundCertStoreTest, TestDuplicateCerts) { EXPECT_EQ("d", cert); } -TEST(DefaultOriginBoundCertStoreTest, TestDeleteAll) { +TEST(DefaultServerBoundCertStoreTest, TestDeleteAll) { scoped_refptr persistent_store(new MockPersistentStore); - DefaultOriginBoundCertStore store(persistent_store.get()); + DefaultServerBoundCertStore store(persistent_store.get()); EXPECT_EQ(0, store.GetCertCount()); - store.SetOriginBoundCert( - "https://www.verisign.com/", + store.SetServerBoundCert( + "verisign.com", CLIENT_CERT_RSA_SIGN, base::Time(), base::Time(), "a", "b"); - store.SetOriginBoundCert( - "https://www.google.com/", + store.SetServerBoundCert( + "google.com", CLIENT_CERT_RSA_SIGN, base::Time(), base::Time(), "c", "d"); - store.SetOriginBoundCert( - "https://www.harvard.com/", + store.SetServerBoundCert( + "harvard.com", CLIENT_CERT_RSA_SIGN, base::Time(), base::Time(), @@ -208,46 +208,46 @@ TEST(DefaultOriginBoundCertStoreTest, TestDeleteAll) { EXPECT_EQ(0, store.GetCertCount()); } -TEST(DefaultOriginBoundCertStoreTest, TestDelete) { +TEST(DefaultServerBoundCertStoreTest, TestDelete) { scoped_refptr persistent_store(new MockPersistentStore); - DefaultOriginBoundCertStore store(persistent_store.get()); + DefaultServerBoundCertStore store(persistent_store.get()); SSLClientCertType type; base::Time creation_time; base::Time expiration_time; std::string private_key, cert; EXPECT_EQ(0, store.GetCertCount()); - store.SetOriginBoundCert( - "https://www.verisign.com/", + store.SetServerBoundCert( + "verisign.com", CLIENT_CERT_RSA_SIGN, base::Time(), base::Time(), "a", "b"); - store.SetOriginBoundCert( - "https://www.google.com/", + store.SetServerBoundCert( + "google.com", CLIENT_CERT_ECDSA_SIGN, base::Time(), base::Time(), "c", "d"); EXPECT_EQ(2, store.GetCertCount()); - store.DeleteOriginBoundCert("https://www.verisign.com/"); + store.DeleteServerBoundCert("verisign.com"); EXPECT_EQ(1, store.GetCertCount()); - EXPECT_FALSE(store.GetOriginBoundCert("https://www.verisign.com/", + EXPECT_FALSE(store.GetServerBoundCert("verisign.com", &type, &creation_time, &expiration_time, &private_key, &cert)); - EXPECT_TRUE(store.GetOriginBoundCert("https://www.google.com/", + EXPECT_TRUE(store.GetServerBoundCert("google.com", &type, &creation_time, &expiration_time, &private_key, &cert)); - store.DeleteOriginBoundCert("https://www.google.com/"); + store.DeleteServerBoundCert("google.com"); EXPECT_EQ(0, store.GetCertCount()); - EXPECT_FALSE(store.GetOriginBoundCert("https://www.google.com/", + EXPECT_FALSE(store.GetServerBoundCert("google.com", &type, &creation_time, &expiration_time, @@ -255,39 +255,39 @@ TEST(DefaultOriginBoundCertStoreTest, TestDelete) { &cert)); } -TEST(DefaultOriginBoundCertStoreTest, TestGetAll) { +TEST(DefaultServerBoundCertStoreTest, TestGetAll) { scoped_refptr persistent_store(new MockPersistentStore); - DefaultOriginBoundCertStore store(persistent_store.get()); + DefaultServerBoundCertStore store(persistent_store.get()); EXPECT_EQ(0, store.GetCertCount()); - store.SetOriginBoundCert( - "https://www.verisign.com/", + store.SetServerBoundCert( + "verisign.com", CLIENT_CERT_RSA_SIGN, base::Time(), base::Time(), "a", "b"); - store.SetOriginBoundCert( - "https://www.google.com/", + store.SetServerBoundCert( + "google.com", CLIENT_CERT_ECDSA_SIGN, base::Time(), base::Time(), "c", "d"); - store.SetOriginBoundCert( - "https://www.harvard.com/", + store.SetServerBoundCert( + "harvard.com", CLIENT_CERT_RSA_SIGN, base::Time(), base::Time(), "e", "f"); - store.SetOriginBoundCert( - "https://www.mit.com/", + store.SetServerBoundCert( + "mit.com", CLIENT_CERT_RSA_SIGN, base::Time(), base::Time(), "g", "h"); EXPECT_EQ(4, store.GetCertCount()); - std::vector certs; - store.GetAllOriginBoundCerts(&certs); + std::vector certs; + store.GetAllServerBoundCerts(&certs); EXPECT_EQ(4u, certs.size()); } diff --git a/net/base/net_error_list.h b/net/base/net_error_list.h index 750f9ad1c9f..d308a6fc1e0 100644 --- a/net/base/net_error_list.h +++ b/net/base/net_error_list.h @@ -618,7 +618,7 @@ NET_ERROR(PKCS12_IMPORT_UNSUPPORTED, -709) // Key generation failed. NET_ERROR(KEY_GENERATION_FAILED, -710) -// Origin-bound certificate generation failed. +// Server-bound certificate generation failed. NET_ERROR(ORIGIN_BOUND_CERT_GENERATION_FAILED, -711) // Failure to export private key. diff --git a/net/base/net_log_event_type_list.h b/net/base/net_log_event_type_list.h index 55b1dd078d4..0654be149fa 100644 --- a/net/base/net_log_event_type_list.h +++ b/net/base/net_log_event_type_list.h @@ -457,14 +457,14 @@ EVENT_TYPE(SSL_SERVER_HANDSHAKE) // The SSL server requested a client certificate. EVENT_TYPE(SSL_CLIENT_CERT_REQUESTED) -// The start/end of getting an origin-bound certificate and private key. +// The start/end of getting a domain-bound certificate and private key. // // The END event will contain the following parameters on failure: // // { // "net_error": , // } -EVENT_TYPE(SSL_GET_ORIGIN_BOUND_CERT) +EVENT_TYPE(SSL_GET_DOMAIN_BOUND_CERT) // A client certificate (or none) was provided to the SSL library to be sent // to the SSL server. diff --git a/net/base/origin_bound_cert_service.cc b/net/base/origin_bound_cert_service.cc index 8901e26b9c2..b3806450e5d 100644 --- a/net/base/origin_bound_cert_service.cc +++ b/net/base/origin_bound_cert_service.cc @@ -19,6 +19,7 @@ #include "base/stl_util.h" #include "base/threading/worker_pool.h" #include "crypto/ec_private_key.h" +#include "googleurl/src/gurl.h" #include "net/base/net_errors.h" #include "net/base/origin_bound_cert_store.h" #include "net/base/registry_controlled_domain.h" @@ -48,9 +49,9 @@ bool IsSupportedCertType(uint8 type) { } // namespace // Represents the output and result callback of a request. -class OriginBoundCertServiceRequest { +class ServerBoundCertServiceRequest { public: - OriginBoundCertServiceRequest(const CompletionCallback& callback, + ServerBoundCertServiceRequest(const CompletionCallback& callback, SSLClientCertType* type, std::string* private_key, std::string* cert) @@ -92,20 +93,20 @@ class OriginBoundCertServiceRequest { std::string* cert_; }; -// OriginBoundCertServiceWorker runs on a worker thread and takes care of the +// ServerBoundCertServiceWorker runs on a worker thread and takes care of the // blocking process of performing key generation. Deletes itself eventually // if Start() succeeds. -class OriginBoundCertServiceWorker { +class ServerBoundCertServiceWorker { public: - OriginBoundCertServiceWorker( - const std::string& origin, + ServerBoundCertServiceWorker( + const std::string& server_identifier, SSLClientCertType type, - OriginBoundCertService* origin_bound_cert_service) - : origin_(origin), + ServerBoundCertService* server_bound_cert_service) + : server_identifier_(server_identifier), type_(type), serial_number_(base::RandInt(0, std::numeric_limits::max())), origin_loop_(MessageLoop::current()), - origin_bound_cert_service_(origin_bound_cert_service), + server_bound_cert_service_(server_bound_cert_service), canceled_(false), error_(ERR_FAILED) { } @@ -115,11 +116,11 @@ class OriginBoundCertServiceWorker { return base::WorkerPool::PostTask( FROM_HERE, - base::Bind(&OriginBoundCertServiceWorker::Run, base::Unretained(this)), + base::Bind(&ServerBoundCertServiceWorker::Run, base::Unretained(this)), true /* task is slow */); } - // Cancel is called from the origin loop when the OriginBoundCertService is + // Cancel is called from the origin loop when the ServerBoundCertService is // getting deleted. void Cancel() { DCHECK_EQ(MessageLoop::current(), origin_loop_); @@ -130,7 +131,7 @@ class OriginBoundCertServiceWorker { private: void Run() { // Runs on a worker thread. - error_ = OriginBoundCertService::GenerateCert(origin_, + error_ = ServerBoundCertService::GenerateCert(server_identifier_, type_, serial_number_, &creation_time_, @@ -160,8 +161,8 @@ class OriginBoundCertServiceWorker { // memory leaks or worse errors. base::AutoLock locked(lock_); if (!canceled_) { - origin_bound_cert_service_->HandleResult( - origin_, error_, type_, creation_time_, expiration_time_, + server_bound_cert_service_->HandleResult( + server_identifier_, error_, type_, creation_time_, expiration_time_, private_key_, cert_); } } @@ -170,11 +171,11 @@ class OriginBoundCertServiceWorker { void Finish() { // Runs on the worker thread. - // We assume that the origin loop outlives the OriginBoundCertService. If - // the OriginBoundCertService is deleted, it will call Cancel on us. If it + // We assume that the origin loop outlives the ServerBoundCertService. If + // the ServerBoundCertService is deleted, it will call Cancel on us. If it // does so before the Acquire, we'll delete ourselves and return. If it's // trying to do so concurrently, then it'll block on the lock and we'll - // call PostTask while the OriginBoundCertService (and therefore the + // call PostTask while the ServerBoundCertService (and therefore the // MessageLoop) is still alive. If it does so after this function, we // assume that the MessageLoop will process pending tasks. In which case // we'll notice the |canceled_| flag in DoReply. @@ -185,7 +186,7 @@ class OriginBoundCertServiceWorker { canceled = canceled_; if (!canceled) { origin_loop_->PostTask( - FROM_HERE, base::Bind(&OriginBoundCertServiceWorker::DoReply, + FROM_HERE, base::Bind(&ServerBoundCertServiceWorker::DoReply, base::Unretained(this))); } } @@ -193,20 +194,20 @@ class OriginBoundCertServiceWorker { delete this; } - const std::string origin_; + const std::string server_identifier_; const SSLClientCertType type_; // Note that serial_number_ must be initialized on a non-worker thread - // (see documentation for OriginBoundCertService::GenerateCert). + // (see documentation for ServerBoundCertService::GenerateCert). uint32 serial_number_; MessageLoop* const origin_loop_; - OriginBoundCertService* const origin_bound_cert_service_; + ServerBoundCertService* const server_bound_cert_service_; // lock_ protects canceled_. base::Lock lock_; // If canceled_ is true, // * origin_loop_ cannot be accessed by the worker thread, - // * origin_bound_cert_service_ cannot be accessed by any thread. + // * server_bound_cert_service_ cannot be accessed by any thread. bool canceled_; int error_; @@ -215,20 +216,20 @@ class OriginBoundCertServiceWorker { std::string private_key_; std::string cert_; - DISALLOW_COPY_AND_ASSIGN(OriginBoundCertServiceWorker); + DISALLOW_COPY_AND_ASSIGN(ServerBoundCertServiceWorker); }; -// An OriginBoundCertServiceJob is a one-to-one counterpart of an -// OriginBoundCertServiceWorker. It lives only on the OriginBoundCertService's +// A ServerBoundCertServiceJob is a one-to-one counterpart of an +// ServerBoundCertServiceWorker. It lives only on the ServerBoundCertService's // origin message loop. -class OriginBoundCertServiceJob { +class ServerBoundCertServiceJob { public: - OriginBoundCertServiceJob(OriginBoundCertServiceWorker* worker, + ServerBoundCertServiceJob(ServerBoundCertServiceWorker* worker, SSLClientCertType type) : worker_(worker), type_(type) { } - ~OriginBoundCertServiceJob() { + ~ServerBoundCertServiceJob() { if (worker_) { worker_->Cancel(); DeleteAllCanceled(); @@ -237,7 +238,7 @@ class OriginBoundCertServiceJob { SSLClientCertType type() const { return type_; } - void AddRequest(OriginBoundCertServiceRequest* request) { + void AddRequest(ServerBoundCertServiceRequest* request) { requests_.push_back(request); } @@ -254,48 +255,48 @@ class OriginBoundCertServiceJob { SSLClientCertType type, const std::string& private_key, const std::string& cert) { - std::vector requests; + std::vector requests; requests_.swap(requests); - for (std::vector::iterator + for (std::vector::iterator i = requests.begin(); i != requests.end(); i++) { (*i)->Post(error, type, private_key, cert); - // Post() causes the OriginBoundCertServiceRequest to delete itself. + // Post() causes the ServerBoundCertServiceRequest to delete itself. } } void DeleteAllCanceled() { - for (std::vector::iterator + for (std::vector::iterator i = requests_.begin(); i != requests_.end(); i++) { if ((*i)->canceled()) { delete *i; } else { - LOG(DFATAL) << "OriginBoundCertServiceRequest leaked!"; + LOG(DFATAL) << "ServerBoundCertServiceRequest leaked!"; } } } - std::vector requests_; - OriginBoundCertServiceWorker* worker_; + std::vector requests_; + ServerBoundCertServiceWorker* worker_; SSLClientCertType type_; }; // static -const char OriginBoundCertService::kEPKIPassword[] = ""; +const char ServerBoundCertService::kEPKIPassword[] = ""; -OriginBoundCertService::OriginBoundCertService( - OriginBoundCertStore* origin_bound_cert_store) - : origin_bound_cert_store_(origin_bound_cert_store), +ServerBoundCertService::ServerBoundCertService( + ServerBoundCertStore* server_bound_cert_store) + : server_bound_cert_store_(server_bound_cert_store), requests_(0), cert_store_hits_(0), inflight_joins_(0) {} -OriginBoundCertService::~OriginBoundCertService() { +ServerBoundCertService::~ServerBoundCertService() { STLDeleteValues(&inflight_); } //static -std::string OriginBoundCertService::GetDomainForHost(const std::string& host) { +std::string ServerBoundCertService::GetDomainForHost(const std::string& host) { std::string domain = RegistryControlledDomainService::GetDomainAndRegistry(host); if (domain.empty()) @@ -303,7 +304,7 @@ std::string OriginBoundCertService::GetDomainForHost(const std::string& host) { return domain; } -int OriginBoundCertService::GetOriginBoundCert( +int ServerBoundCertService::GetDomainBoundCert( const std::string& origin, const std::vector& requested_types, SSLClientCertType* type, @@ -320,6 +321,10 @@ int OriginBoundCertService::GetOriginBoundCert( return ERR_INVALID_ARGUMENT; } + std::string domain = GetDomainForHost(GURL(origin).host()); + if (domain.empty()) + return ERR_INVALID_ARGUMENT; + SSLClientCertType preferred_type = CLIENT_CERT_INVALID_TYPE; for (size_t i = 0; i < requested_types.size(); ++i) { if (IsSupportedCertType(requested_types[i])) { @@ -334,35 +339,35 @@ int OriginBoundCertService::GetOriginBoundCert( requests_++; - // Check if an origin bound cert of an acceptable type already exists for this - // origin, and that it has not expired. + // Check if a domain bound cert of an acceptable type already exists for this + // domain, and that it has not expired. base::Time now = base::Time::Now(); base::Time creation_time; base::Time expiration_time; - if (origin_bound_cert_store_->GetOriginBoundCert(origin, + if (server_bound_cert_store_->GetServerBoundCert(domain, type, &creation_time, &expiration_time, private_key, cert)) { if (expiration_time < now) { - DVLOG(1) << "Cert store had expired cert for " << origin; + DVLOG(1) << "Cert store had expired cert for " << domain; } else if (!IsSupportedCertType(*type) || std::find(requested_types.begin(), requested_types.end(), *type) == requested_types.end()) { DVLOG(1) << "Cert store had cert of wrong type " << *type << " for " - << origin; + << domain; } else { cert_store_hits_++; return OK; } } - // |origin_bound_cert_store_| has no cert for this origin. See if an + // |server_bound_cert_store_| has no cert for this domain. See if an // identical request is currently in flight. - OriginBoundCertServiceJob* job = NULL; - std::map::const_iterator j; - j = inflight_.find(origin); + ServerBoundCertServiceJob* job = NULL; + std::map::const_iterator j; + j = inflight_.find(domain); if (j != inflight_.end()) { // An identical request is in flight already. We'll just attach our // callback. @@ -371,10 +376,10 @@ int OriginBoundCertService::GetOriginBoundCert( if (std::find(requested_types.begin(), requested_types.end(), job->type()) == requested_types.end()) { DVLOG(1) << "Found inflight job of wrong type " << job->type() - << " for " << origin; + << " for " << domain; // If we get here, the server is asking for different types of certs in // short succession. This probably means the server is broken or - // misconfigured. Since we only store one type of cert per origin, we + // misconfigured. Since we only store one type of cert per domain, we // are unable to handle this well. Just return an error and let the first // job finish. return ERR_ORIGIN_BOUND_CERT_GENERATION_TYPE_MISMATCH; @@ -382,34 +387,34 @@ int OriginBoundCertService::GetOriginBoundCert( inflight_joins_++; } else { // Need to make a new request. - OriginBoundCertServiceWorker* worker = new OriginBoundCertServiceWorker( - origin, + ServerBoundCertServiceWorker* worker = new ServerBoundCertServiceWorker( + domain, preferred_type, this); - job = new OriginBoundCertServiceJob(worker, preferred_type); + job = new ServerBoundCertServiceJob(worker, preferred_type); if (!worker->Start()) { delete job; delete worker; // TODO(rkn): Log to the NetLog. - LOG(ERROR) << "OriginBoundCertServiceWorker couldn't be started."; + LOG(ERROR) << "ServerBoundCertServiceWorker couldn't be started."; return ERR_INSUFFICIENT_RESOURCES; // Just a guess. } - inflight_[origin] = job; + inflight_[domain] = job; } - OriginBoundCertServiceRequest* request = - new OriginBoundCertServiceRequest(callback, type, private_key, cert); + ServerBoundCertServiceRequest* request = + new ServerBoundCertServiceRequest(callback, type, private_key, cert); job->AddRequest(request); *out_req = request; return ERR_IO_PENDING; } -OriginBoundCertStore* OriginBoundCertService::GetCertStore() { - return origin_bound_cert_store_.get(); +ServerBoundCertStore* ServerBoundCertService::GetCertStore() { + return server_bound_cert_store_.get(); } // static -int OriginBoundCertService::GenerateCert(const std::string& origin, +int ServerBoundCertService::GenerateCert(const std::string& server_identifier, SSLClientCertType type, uint32 serial_number, base::Time* creation_time, @@ -428,9 +433,9 @@ int OriginBoundCertService::GenerateCert(const std::string& origin, DLOG(ERROR) << "Unable to create key pair for client"; return ERR_KEY_GENERATION_FAILED; } - if (!x509_util::CreateOriginBoundCertEC( + if (!x509_util::CreateDomainBoundCertEC( key.get(), - origin, + server_identifier, serial_number, now, not_valid_after, @@ -462,16 +467,16 @@ int OriginBoundCertService::GenerateCert(const std::string& origin, return OK; } -void OriginBoundCertService::CancelRequest(RequestHandle req) { +void ServerBoundCertService::CancelRequest(RequestHandle req) { DCHECK(CalledOnValidThread()); - OriginBoundCertServiceRequest* request = - reinterpret_cast(req); + ServerBoundCertServiceRequest* request = + reinterpret_cast(req); request->Cancel(); } -// HandleResult is called by OriginBoundCertServiceWorker on the origin message -// loop. It deletes OriginBoundCertServiceJob. -void OriginBoundCertService::HandleResult(const std::string& origin, +// HandleResult is called by ServerBoundCertServiceWorker on the origin message +// loop. It deletes ServerBoundCertServiceJob. +void ServerBoundCertService::HandleResult(const std::string& server_identifier, int error, SSLClientCertType type, base::Time creation_time, @@ -480,24 +485,25 @@ void OriginBoundCertService::HandleResult(const std::string& origin, const std::string& cert) { DCHECK(CalledOnValidThread()); - origin_bound_cert_store_->SetOriginBoundCert( - origin, type, creation_time, expiration_time, private_key, cert); + server_bound_cert_store_->SetServerBoundCert( + server_identifier, type, creation_time, expiration_time, private_key, + cert); - std::map::iterator j; - j = inflight_.find(origin); + std::map::iterator j; + j = inflight_.find(server_identifier); if (j == inflight_.end()) { NOTREACHED(); return; } - OriginBoundCertServiceJob* job = j->second; + ServerBoundCertServiceJob* job = j->second; inflight_.erase(j); job->HandleResult(error, type, private_key, cert); delete job; } -int OriginBoundCertService::cert_count() { - return origin_bound_cert_store_->GetCertCount(); +int ServerBoundCertService::cert_count() { + return server_bound_cert_store_->GetCertCount(); } } // namespace net diff --git a/net/base/origin_bound_cert_service.h b/net/base/origin_bound_cert_service.h index d9096df772c..355379f7fda 100644 --- a/net/base/origin_bound_cert_service.h +++ b/net/base/origin_bound_cert_service.h @@ -20,14 +20,14 @@ namespace net { -class OriginBoundCertServiceJob; -class OriginBoundCertServiceWorker; -class OriginBoundCertStore; +class ServerBoundCertServiceJob; +class ServerBoundCertServiceWorker; +class ServerBoundCertStore; -// A class for creating and fetching origin bound certs. +// A class for creating and fetching server bound certs. // Inherits from NonThreadSafe in order to use the function // |CalledOnValidThread|. -class NET_EXPORT OriginBoundCertService +class NET_EXPORT ServerBoundCertService : NON_EXPORTED_BASE(public base::NonThreadSafe) { public: // Opaque type used to cancel a request. @@ -38,18 +38,18 @@ class NET_EXPORT OriginBoundCertService // being unable to import unencrypted PrivateKeyInfo for EC keys.) static const char kEPKIPassword[]; - // This object owns origin_bound_cert_store. - explicit OriginBoundCertService( - OriginBoundCertStore* origin_bound_cert_store); + // This object owns server_bound_cert_store. + explicit ServerBoundCertService( + ServerBoundCertStore* server_bound_cert_store); - ~OriginBoundCertService(); + ~ServerBoundCertService(); // Returns the domain to be used for |host|. The domain is the // "registry controlled domain", or the "ETLD + 1" where one exists, or // the origin otherwise. static std::string GetDomainForHost(const std::string& host); - // Fetches the origin bound cert for the specified origin of the specified + // Fetches the domain bound cert for the specified origin of the specified // type if one exists and creates one otherwise. Returns OK if successful or // an error code upon failure. // @@ -67,7 +67,7 @@ class NET_EXPORT OriginBoundCertService // // |*out_req| will be filled with a handle to the async request. This handle // is not valid after the request has completed. - int GetOriginBoundCert( + int GetDomainBoundCert( const std::string& origin, const std::vector& requested_types, SSLClientCertType* type, @@ -77,12 +77,12 @@ class NET_EXPORT OriginBoundCertService RequestHandle* out_req); // Cancels the specified request. |req| is the handle returned by - // GetOriginBoundCert(). After a request is canceled, its completion + // GetDomainBoundCert(). After a request is canceled, its completion // callback will not be called. void CancelRequest(RequestHandle req); - // Returns the backing OriginBoundCertStore. - OriginBoundCertStore* GetCertStore(); + // Returns the backing ServerBoundCertStore. + ServerBoundCertStore* GetCertStore(); // Public only for unit testing. int cert_count(); @@ -91,7 +91,7 @@ class NET_EXPORT OriginBoundCertService uint64 inflight_joins() const { return inflight_joins_; } private: - friend class OriginBoundCertServiceWorker; // Calls HandleResult. + friend class ServerBoundCertServiceWorker; // Calls HandleResult. // On success, |private_key| stores a DER-encoded PrivateKeyInfo // struct, |cert| stores a DER-encoded certificate, |creation_time| stores the @@ -101,7 +101,7 @@ class NET_EXPORT OriginBoundCertService // |serial_number| is passed in because it is created with the function // base::RandInt, which opens the file /dev/urandom. /dev/urandom is opened // with a LazyInstance, which is not allowed on a worker thread. - static int GenerateCert(const std::string& origin, + static int GenerateCert(const std::string& server_identifier, SSLClientCertType type, uint32 serial_number, base::Time* creation_time, @@ -109,7 +109,7 @@ class NET_EXPORT OriginBoundCertService std::string* private_key, std::string* cert); - void HandleResult(const std::string& origin, + void HandleResult(const std::string& server_identifier, int error, SSLClientCertType type, base::Time creation_time, @@ -117,17 +117,17 @@ class NET_EXPORT OriginBoundCertService const std::string& private_key, const std::string& cert); - scoped_ptr origin_bound_cert_store_; + scoped_ptr server_bound_cert_store_; - // inflight_ maps from an origin to an active generation which is taking + // inflight_ maps from a server to an active generation which is taking // place. - std::map inflight_; + std::map inflight_; uint64 requests_; uint64 cert_store_hits_; uint64 inflight_joins_; - DISALLOW_COPY_AND_ASSIGN(OriginBoundCertService); + DISALLOW_COPY_AND_ASSIGN(ServerBoundCertService); }; } // namespace net diff --git a/net/base/origin_bound_cert_service_unittest.cc b/net/base/origin_bound_cert_service_unittest.cc index f658659ab12..64dd0101b21 100644 --- a/net/base/origin_bound_cert_service_unittest.cc +++ b/net/base/origin_bound_cert_service_unittest.cc @@ -25,43 +25,43 @@ void FailTest(int /* result */) { FAIL(); } -TEST(OriginBoundCertServiceTest, GetDomainForHost) { +TEST(ServerBoundCertServiceTest, GetDomainForHost) { EXPECT_EQ("google.com", - OriginBoundCertService::GetDomainForHost("google.com")); + ServerBoundCertService::GetDomainForHost("google.com")); EXPECT_EQ("google.com", - OriginBoundCertService::GetDomainForHost("www.google.com")); + ServerBoundCertService::GetDomainForHost("www.google.com")); // NOTE(rch): we would like to segregate cookies and certificates for // *.appspot.com, but currently we can not do that becaues we want to // allow direct navigation to appspot.com. EXPECT_EQ("appspot.com", - OriginBoundCertService::GetDomainForHost("foo.appspot.com")); + ServerBoundCertService::GetDomainForHost("foo.appspot.com")); EXPECT_EQ("google.com", - OriginBoundCertService::GetDomainForHost("www.mail.google.com")); + ServerBoundCertService::GetDomainForHost("www.mail.google.com")); EXPECT_EQ("goto", - OriginBoundCertService::GetDomainForHost("goto")); + ServerBoundCertService::GetDomainForHost("goto")); EXPECT_EQ("127.0.0.1", - OriginBoundCertService::GetDomainForHost("127.0.0.1")); + ServerBoundCertService::GetDomainForHost("127.0.0.1")); } // See http://crbug.com/91512 - implement OpenSSL version of CreateSelfSigned. #if !defined(USE_OPENSSL) -TEST(OriginBoundCertServiceTest, CacheHit) { - scoped_ptr service( - new OriginBoundCertService(new DefaultOriginBoundCertStore(NULL))); +TEST(ServerBoundCertServiceTest, CacheHit) { + scoped_ptr service( + new ServerBoundCertService(new DefaultServerBoundCertStore(NULL))); std::string origin("https://encrypted.google.com:443"); int error; std::vector types; types.push_back(CLIENT_CERT_ECDSA_SIGN); TestCompletionCallback callback; - OriginBoundCertService::RequestHandle request_handle; + ServerBoundCertService::RequestHandle request_handle; // Asynchronous completion. SSLClientCertType type1; std::string private_key_info1, der_cert1; EXPECT_EQ(0, service->cert_count()); - error = service->GetOriginBoundCert( + error = service->GetDomainBoundCert( origin, types, &type1, &private_key_info1, &der_cert1, callback.callback(), &request_handle); EXPECT_EQ(ERR_IO_PENDING, error); @@ -76,7 +76,7 @@ TEST(OriginBoundCertServiceTest, CacheHit) { // Synchronous completion. SSLClientCertType type2; std::string private_key_info2, der_cert2; - error = service->GetOriginBoundCert( + error = service->GetDomainBoundCert( origin, types, &type2, &private_key_info2, &der_cert2, callback.callback(), &request_handle); EXPECT_TRUE(request_handle == NULL); @@ -91,20 +91,20 @@ TEST(OriginBoundCertServiceTest, CacheHit) { EXPECT_EQ(0u, service->inflight_joins()); } -TEST(OriginBoundCertServiceTest, UnsupportedTypes) { - scoped_ptr service( - new OriginBoundCertService(new DefaultOriginBoundCertStore(NULL))); +TEST(ServerBoundCertServiceTest, UnsupportedTypes) { + scoped_ptr service( + new ServerBoundCertService(new DefaultServerBoundCertStore(NULL))); std::string origin("https://encrypted.google.com:443"); int error; std::vector types; TestCompletionCallback callback; - OriginBoundCertService::RequestHandle request_handle; + ServerBoundCertService::RequestHandle request_handle; // Empty requested_types. SSLClientCertType type1; std::string private_key_info1, der_cert1; - error = service->GetOriginBoundCert( + error = service->GetDomainBoundCert( origin, types, &type1, &private_key_info1, &der_cert1, callback.callback(), &request_handle); EXPECT_EQ(ERR_INVALID_ARGUMENT, error); @@ -114,7 +114,7 @@ TEST(OriginBoundCertServiceTest, UnsupportedTypes) { types.push_back(CLIENT_CERT_RSA_SIGN); types.push_back(2); types.push_back(3); - error = service->GetOriginBoundCert( + error = service->GetDomainBoundCert( origin, types, &type1, &private_key_info1, &der_cert1, callback.callback(), &request_handle); EXPECT_EQ(ERR_CLIENT_AUTH_CERT_TYPE_UNSUPPORTED, error); @@ -124,7 +124,7 @@ TEST(OriginBoundCertServiceTest, UnsupportedTypes) { types.push_back(CLIENT_CERT_ECDSA_SIGN); // Asynchronous completion. EXPECT_EQ(0, service->cert_count()); - error = service->GetOriginBoundCert( + error = service->GetDomainBoundCert( origin, types, &type1, &private_key_info1, &der_cert1, callback.callback(), &request_handle); EXPECT_EQ(ERR_IO_PENDING, error); @@ -142,7 +142,7 @@ TEST(OriginBoundCertServiceTest, UnsupportedTypes) { types.clear(); SSLClientCertType type2; std::string private_key_info2, der_cert2; - error = service->GetOriginBoundCert( + error = service->GetDomainBoundCert( origin, types, &type2, &private_key_info2, &der_cert2, callback.callback(), &request_handle); EXPECT_EQ(ERR_INVALID_ARGUMENT, error); @@ -152,7 +152,7 @@ TEST(OriginBoundCertServiceTest, UnsupportedTypes) { types.push_back(CLIENT_CERT_RSA_SIGN); types.push_back(2); types.push_back(3); - error = service->GetOriginBoundCert( + error = service->GetDomainBoundCert( origin, types, &type2, &private_key_info2, &der_cert2, callback.callback(), &request_handle); EXPECT_EQ(ERR_CLIENT_AUTH_CERT_TYPE_UNSUPPORTED, error); @@ -160,7 +160,7 @@ TEST(OriginBoundCertServiceTest, UnsupportedTypes) { // If we request EC, the cert we created before should still be there. types.push_back(CLIENT_CERT_ECDSA_SIGN); - error = service->GetOriginBoundCert( + error = service->GetDomainBoundCert( origin, types, &type2, &private_key_info2, &der_cert2, callback.callback(), &request_handle); EXPECT_TRUE(request_handle == NULL); @@ -171,20 +171,20 @@ TEST(OriginBoundCertServiceTest, UnsupportedTypes) { EXPECT_EQ(der_cert1, der_cert2); } -TEST(OriginBoundCertServiceTest, StoreCerts) { - scoped_ptr service( - new OriginBoundCertService(new DefaultOriginBoundCertStore(NULL))); +TEST(ServerBoundCertServiceTest, StoreCerts) { + scoped_ptr service( + new ServerBoundCertService(new DefaultServerBoundCertStore(NULL))); int error; std::vector types; types.push_back(CLIENT_CERT_ECDSA_SIGN); TestCompletionCallback callback; - OriginBoundCertService::RequestHandle request_handle; + ServerBoundCertService::RequestHandle request_handle; std::string origin1("https://encrypted.google.com:443"); SSLClientCertType type1; std::string private_key_info1, der_cert1; EXPECT_EQ(0, service->cert_count()); - error = service->GetOriginBoundCert( + error = service->GetDomainBoundCert( origin1, types, &type1, &private_key_info1, &der_cert1, callback.callback(), &request_handle); EXPECT_EQ(ERR_IO_PENDING, error); @@ -196,7 +196,7 @@ TEST(OriginBoundCertServiceTest, StoreCerts) { std::string origin2("https://www.verisign.com:443"); SSLClientCertType type2; std::string private_key_info2, der_cert2; - error = service->GetOriginBoundCert( + error = service->GetDomainBoundCert( origin2, types, &type2, &private_key_info2, &der_cert2, callback.callback(), &request_handle); EXPECT_EQ(ERR_IO_PENDING, error); @@ -208,7 +208,7 @@ TEST(OriginBoundCertServiceTest, StoreCerts) { std::string origin3("https://www.twitter.com:443"); SSLClientCertType type3; std::string private_key_info3, der_cert3; - error = service->GetOriginBoundCert( + error = service->GetDomainBoundCert( origin3, types, &type3, &private_key_info3, &der_cert3, callback.callback(), &request_handle); EXPECT_EQ(ERR_IO_PENDING, error); @@ -229,9 +229,9 @@ TEST(OriginBoundCertServiceTest, StoreCerts) { } // Tests an inflight join. -TEST(OriginBoundCertServiceTest, InflightJoin) { - scoped_ptr service( - new OriginBoundCertService(new DefaultOriginBoundCertStore(NULL))); +TEST(ServerBoundCertServiceTest, InflightJoin) { + scoped_ptr service( + new ServerBoundCertService(new DefaultServerBoundCertStore(NULL))); std::string origin("https://encrypted.google.com:443"); int error; std::vector types; @@ -240,14 +240,14 @@ TEST(OriginBoundCertServiceTest, InflightJoin) { SSLClientCertType type1; std::string private_key_info1, der_cert1; TestCompletionCallback callback1; - OriginBoundCertService::RequestHandle request_handle1; + ServerBoundCertService::RequestHandle request_handle1; SSLClientCertType type2; std::string private_key_info2, der_cert2; TestCompletionCallback callback2; - OriginBoundCertService::RequestHandle request_handle2; + ServerBoundCertService::RequestHandle request_handle2; - error = service->GetOriginBoundCert( + error = service->GetDomainBoundCert( origin, types, &type1, &private_key_info1, &der_cert1, callback1.callback(), &request_handle1); EXPECT_EQ(ERR_IO_PENDING, error); @@ -255,7 +255,7 @@ TEST(OriginBoundCertServiceTest, InflightJoin) { // If we request RSA and EC in the 2nd request, should still join with the // original request. types.insert(types.begin(), CLIENT_CERT_RSA_SIGN); - error = service->GetOriginBoundCert( + error = service->GetDomainBoundCert( origin, types, &type2, &private_key_info2, &der_cert2, callback2.callback(), &request_handle2); EXPECT_EQ(ERR_IO_PENDING, error); @@ -273,9 +273,9 @@ TEST(OriginBoundCertServiceTest, InflightJoin) { EXPECT_EQ(1u, service->inflight_joins()); } -TEST(OriginBoundCertServiceTest, ExtractValuesFromBytesEC) { - scoped_ptr service( - new OriginBoundCertService(new DefaultOriginBoundCertStore(NULL))); +TEST(ServerBoundCertServiceTest, ExtractValuesFromBytesEC) { + scoped_ptr service( + new ServerBoundCertService(new DefaultServerBoundCertStore(NULL))); std::string origin("https://encrypted.google.com:443"); SSLClientCertType type; std::string private_key_info, der_cert; @@ -283,9 +283,9 @@ TEST(OriginBoundCertServiceTest, ExtractValuesFromBytesEC) { std::vector types; types.push_back(CLIENT_CERT_ECDSA_SIGN); TestCompletionCallback callback; - OriginBoundCertService::RequestHandle request_handle; + ServerBoundCertService::RequestHandle request_handle; - error = service->GetOriginBoundCert( + error = service->GetDomainBoundCert( origin, types, &type, &private_key_info, &der_cert, callback.callback(), &request_handle); EXPECT_EQ(ERR_IO_PENDING, error); @@ -303,7 +303,7 @@ TEST(OriginBoundCertServiceTest, ExtractValuesFromBytesEC) { std::vector key_vec(private_key_info.begin(), private_key_info.end()); scoped_ptr private_key( crypto::ECPrivateKey::CreateFromEncryptedPrivateKeyInfo( - OriginBoundCertService::kEPKIPassword, key_vec, spki)); + ServerBoundCertService::kEPKIPassword, key_vec, spki)); EXPECT_TRUE(private_key != NULL); // Check that we can retrieve the cert from the bytes. @@ -313,18 +313,18 @@ TEST(OriginBoundCertServiceTest, ExtractValuesFromBytesEC) { } // Tests that the callback of a canceled request is never made. -TEST(OriginBoundCertServiceTest, CancelRequest) { - scoped_ptr service( - new OriginBoundCertService(new DefaultOriginBoundCertStore(NULL))); +TEST(ServerBoundCertServiceTest, CancelRequest) { + scoped_ptr service( + new ServerBoundCertService(new DefaultServerBoundCertStore(NULL))); std::string origin("https://encrypted.google.com:443"); SSLClientCertType type; std::string private_key_info, der_cert; int error; std::vector types; types.push_back(CLIENT_CERT_ECDSA_SIGN); - OriginBoundCertService::RequestHandle request_handle; + ServerBoundCertService::RequestHandle request_handle; - error = service->GetOriginBoundCert(origin, + error = service->GetDomainBoundCert(origin, types, &type, &private_key_info, @@ -340,8 +340,8 @@ TEST(OriginBoundCertServiceTest, CancelRequest) { // worker thread) is likely to complete by the end of this test. TestCompletionCallback callback; for (int i = 0; i < 5; ++i) { - error = service->GetOriginBoundCert( - "https://encrypted.google.com:" + std::string(1, (char) ('1' + i)), + error = service->GetDomainBoundCert( + "https://foo" + std::string(1, (char) ('1' + i)), types, &type, &private_key_info, @@ -358,34 +358,34 @@ TEST(OriginBoundCertServiceTest, CancelRequest) { EXPECT_EQ(6, service->cert_count()); } -TEST(OriginBoundCertServiceTest, Expiration) { - OriginBoundCertStore* store = new DefaultOriginBoundCertStore(NULL); +TEST(ServerBoundCertServiceTest, Expiration) { + ServerBoundCertStore* store = new DefaultServerBoundCertStore(NULL); base::Time now = base::Time::Now(); - store->SetOriginBoundCert("https://good", + store->SetServerBoundCert("good", CLIENT_CERT_ECDSA_SIGN, now, now + base::TimeDelta::FromDays(1), "a", "b"); - store->SetOriginBoundCert("https://expired", + store->SetServerBoundCert("expired", CLIENT_CERT_ECDSA_SIGN, now - base::TimeDelta::FromDays(2), now - base::TimeDelta::FromDays(1), "c", "d"); - OriginBoundCertService service(store); + ServerBoundCertService service(store); EXPECT_EQ(2, service.cert_count()); int error; std::vector types; types.push_back(CLIENT_CERT_ECDSA_SIGN); TestCompletionCallback callback; - OriginBoundCertService::RequestHandle request_handle; + ServerBoundCertService::RequestHandle request_handle; // Cert still valid - synchronous completion. SSLClientCertType type1; std::string private_key_info1, der_cert1; - error = service.GetOriginBoundCert( + error = service.GetDomainBoundCert( "https://good", types, &type1, &private_key_info1, &der_cert1, callback.callback(), &request_handle); EXPECT_EQ(OK, error); @@ -398,7 +398,7 @@ TEST(OriginBoundCertServiceTest, Expiration) { // Cert expired - New cert will be generated, asynchronous completion. SSLClientCertType type2; std::string private_key_info2, der_cert2; - error = service.GetOriginBoundCert( + error = service.GetDomainBoundCert( "https://expired", types, &type2, &private_key_info2, &der_cert2, callback.callback(), &request_handle); EXPECT_EQ(ERR_IO_PENDING, error); diff --git a/net/base/origin_bound_cert_store.cc b/net/base/origin_bound_cert_store.cc index af2acce658e..cd4264a500a 100644 --- a/net/base/origin_bound_cert_store.cc +++ b/net/base/origin_bound_cert_store.cc @@ -6,24 +6,24 @@ namespace net { -OriginBoundCertStore::OriginBoundCert::OriginBoundCert() +ServerBoundCertStore::ServerBoundCert::ServerBoundCert() : type_(CLIENT_CERT_INVALID_TYPE) { } -OriginBoundCertStore::OriginBoundCert::OriginBoundCert( - const std::string& origin, +ServerBoundCertStore::ServerBoundCert::ServerBoundCert( + const std::string& server_identifier, SSLClientCertType type, base::Time creation_time, base::Time expiration_time, const std::string& private_key, const std::string& cert) - : origin_(origin), + : server_identifier_(server_identifier), type_(type), creation_time_(creation_time), expiration_time_(expiration_time), private_key_(private_key), cert_(cert) {} -OriginBoundCertStore::OriginBoundCert::~OriginBoundCert() {} +ServerBoundCertStore::ServerBoundCert::~ServerBoundCert() {} } // namespace net diff --git a/net/base/origin_bound_cert_store.h b/net/base/origin_bound_cert_store.h index 1101a0193b9..2ae22c512ee 100644 --- a/net/base/origin_bound_cert_store.h +++ b/net/base/origin_bound_cert_store.h @@ -15,30 +15,30 @@ namespace net { -// An interface for storing and retrieving origin bound certs. Origin bound +// An interface for storing and retrieving server bound certs. +// There isn't a domain bound certs spec yet, but the old origin bound // certificates are specified in -// http://balfanz.github.com/tls-obc-spec/draft-balfanz-tls-obc-00.html. +// http://balfanz.github.com/tls-obc-spec/draft-balfanz-tls-obc-01.html. -// Owned only by a single OriginBoundCertService object, which is responsible +// Owned only by a single ServerBoundCertService object, which is responsible // for deleting it. - -class NET_EXPORT OriginBoundCertStore { +class NET_EXPORT ServerBoundCertStore { public: - // The OriginBoundCert class contains a private key in addition to the origin + // The ServerBoundCert class contains a private key in addition to the server // cert, and cert type. - class NET_EXPORT OriginBoundCert { + class NET_EXPORT ServerBoundCert { public: - OriginBoundCert(); - OriginBoundCert(const std::string& origin, + ServerBoundCert(); + ServerBoundCert(const std::string& server_identifier, SSLClientCertType type, base::Time creation_time, base::Time expiration_time, const std::string& private_key, const std::string& cert); - ~OriginBoundCert(); + ~ServerBoundCert(); - // Origin, for instance "https://www.verisign.com:443" - const std::string& origin() const { return origin_; } + // Server identifier. For domain bound certs, for instance "verisign.com". + const std::string& server_identifier() const { return server_identifier_; } // TLS ClientCertificateType. SSLClientCertType type() const { return type_; } // The time the certificate was created, also the start of the certificate @@ -54,7 +54,7 @@ class NET_EXPORT OriginBoundCertStore { const std::string& cert() const { return cert_; } private: - std::string origin_; + std::string server_identifier_; SSLClientCertType type_; base::Time creation_time_; base::Time expiration_time_; @@ -62,7 +62,7 @@ class NET_EXPORT OriginBoundCertStore { std::string cert_; }; - virtual ~OriginBoundCertStore() {} + virtual ~ServerBoundCertStore() {} // TODO(rkn): File I/O may be required, so this should have an asynchronous // interface. @@ -71,41 +71,41 @@ class NET_EXPORT OriginBoundCertStore { // |type| is the ClientCertificateType of the returned certificate, // |creation_time| stores the start of the validity period of the certificate // and |expiration_time| is the expiration time of the certificate. - // Returns false if no origin bound cert exists for the specified origin. - virtual bool GetOriginBoundCert( - const std::string& origin, + // Returns false if no server bound cert exists for the specified server. + virtual bool GetServerBoundCert( + const std::string& server_identifier, SSLClientCertType* type, base::Time* creation_time, base::Time* expiration_time, std::string* private_key_result, std::string* cert_result) = 0; - // Adds an origin bound cert and the corresponding private key to the store. - virtual void SetOriginBoundCert( - const std::string& origin, + // Adds a server bound cert and the corresponding private key to the store. + virtual void SetServerBoundCert( + const std::string& server_identifier, SSLClientCertType type, base::Time creation_time, base::Time expiration_time, const std::string& private_key, const std::string& cert) = 0; - // Removes an origin bound cert and the corresponding private key from the + // Removes a server bound cert and the corresponding private key from the // store. - virtual void DeleteOriginBoundCert(const std::string& origin) = 0; + virtual void DeleteServerBoundCert(const std::string& server_identifier) = 0; - // Deletes all of the origin bound certs that have a creation_date greater + // Deletes all of the server bound certs that have a creation_date greater // than or equal to |delete_begin| and less than |delete_end|. If a // base::Time value is_null, that side of the comparison is unbounded. virtual void DeleteAllCreatedBetween(base::Time delete_begin, base::Time delete_end) = 0; - // Removes all origin bound certs and the corresponding private keys from + // Removes all server bound certs and the corresponding private keys from // the store. virtual void DeleteAll() = 0; - // Returns all origin bound certs and the corresponding private keys. - virtual void GetAllOriginBoundCerts( - std::vector* origin_bound_certs) = 0; + // Returns all server bound certs and the corresponding private keys. + virtual void GetAllServerBoundCerts( + std::vector* server_bound_certs) = 0; // Returns the number of certs in the store. // Public only for unit testing. diff --git a/net/base/ssl_config_service.cc b/net/base/ssl_config_service.cc index c46b73b327d..16720bde240 100644 --- a/net/base/ssl_config_service.cc +++ b/net/base/ssl_config_service.cc @@ -22,7 +22,7 @@ SSLConfig::SSLConfig() ssl3_enabled(true), tls1_enabled(true), cached_info_enabled(false), - origin_bound_certs_enabled(false), + domain_bound_certs_enabled(false), false_start_enabled(true), send_client_cert(false), verify_ev_cert(false), @@ -131,8 +131,8 @@ void SSLConfigService::ProcessConfigUpdate(const SSLConfig& orig_config, (orig_config.tls1_enabled != new_config.tls1_enabled) || (orig_config.disabled_cipher_suites != new_config.disabled_cipher_suites) || - (orig_config.origin_bound_certs_enabled != - new_config.origin_bound_certs_enabled) || + (orig_config.domain_bound_certs_enabled != + new_config.domain_bound_certs_enabled) || (orig_config.false_start_enabled != new_config.false_start_enabled); diff --git a/net/base/ssl_config_service.h b/net/base/ssl_config_service.h index 0c5abc1680b..d44e6eaba82 100644 --- a/net/base/ssl_config_service.h +++ b/net/base/ssl_config_service.h @@ -70,7 +70,7 @@ struct NET_EXPORT SSLConfig { std::vector disabled_cipher_suites; bool cached_info_enabled; // True if TLS cached info extension is enabled. - bool origin_bound_certs_enabled; // True if TLS origin bound cert extension + bool domain_bound_certs_enabled; // True if TLS origin bound cert extension // is enabled. bool false_start_enabled; // True if we'll use TLS False Start. diff --git a/net/base/x509_util.h b/net/base/x509_util.h index 825ee023296..4c07b252024 100644 --- a/net/base/x509_util.h +++ b/net/base/x509_util.h @@ -19,19 +19,20 @@ namespace net { namespace x509_util { -// Creates an origin bound certificate containing the public key in |key|. -// Web origin, serial number and validity period are given as +// Creates a server bound certificate containing the public key in |key|. +// Domain, serial number and validity period are given as // parameters. The certificate is signed by the private key in |key|. // The hashing algorithm for the signature is SHA-1. // // See Internet Draft draft-balfanz-tls-obc-00 for more details: // http://tools.ietf.org/html/draft-balfanz-tls-obc-00 -bool NET_EXPORT_PRIVATE CreateOriginBoundCertEC(crypto::ECPrivateKey* key, - const std::string& origin, - uint32 serial_number, - base::Time not_valid_before, - base::Time not_valid_after, - std::string* der_cert); +bool NET_EXPORT_PRIVATE CreateDomainBoundCertEC( + crypto::ECPrivateKey* key, + const std::string& domain, + uint32 serial_number, + base::Time not_valid_before, + base::Time not_valid_after, + std::string* der_cert); } // namespace x509_util diff --git a/net/base/x509_util_nss.cc b/net/base/x509_util_nss.cc index 141c0faf620..b2afe6836a7 100644 --- a/net/base/x509_util_nss.cc +++ b/net/base/x509_util_nss.cc @@ -24,31 +24,32 @@ namespace { -class ObCertOIDWrapper { +class DomainBoundCertOIDWrapper { public: - static ObCertOIDWrapper* GetInstance() { + static DomainBoundCertOIDWrapper* GetInstance() { // Instantiated as a leaky singleton to allow the singleton to be // constructed on a worker thead that is not joined when a process // shuts down. - return Singleton >::get(); + return Singleton >::get(); } - SECOidTag ob_cert_oid_tag() const { - return ob_cert_oid_tag_; + SECOidTag domain_bound_cert_oid_tag() const { + return domain_bound_cert_oid_tag_; } private: - friend struct DefaultSingletonTraits; + friend struct DefaultSingletonTraits; - ObCertOIDWrapper(); + DomainBoundCertOIDWrapper(); - SECOidTag ob_cert_oid_tag_; + SECOidTag domain_bound_cert_oid_tag_; - DISALLOW_COPY_AND_ASSIGN(ObCertOIDWrapper); + DISALLOW_COPY_AND_ASSIGN(DomainBoundCertOIDWrapper); }; -ObCertOIDWrapper::ObCertOIDWrapper(): ob_cert_oid_tag_(SEC_OID_UNKNOWN) { +DomainBoundCertOIDWrapper::DomainBoundCertOIDWrapper() + : domain_bound_cert_oid_tag_(SEC_OID_UNKNOWN) { // 1.3.6.1.4.1.11129.2.1.6 // (iso.org.dod.internet.private.enterprises.google.googleSecurity. // certificateExtensions.originBoundCertificate) @@ -63,8 +64,8 @@ ObCertOIDWrapper::ObCertOIDWrapper(): ob_cert_oid_tag_(SEC_OID_UNKNOWN) { oid_data.desc = "Origin Bound Certificate"; oid_data.mechanism = CKM_INVALID_MECHANISM; oid_data.supportedExtension = SUPPORTED_CERT_EXTENSION; - ob_cert_oid_tag_ = SECOID_AddEntry(&oid_data); - if (ob_cert_oid_tag_ == SEC_OID_UNKNOWN) + domain_bound_cert_oid_tag_ = SECOID_AddEntry(&oid_data); + if (domain_bound_cert_oid_tag_ == SEC_OID_UNKNOWN) LOG(ERROR) << "OB_CERT OID tag creation failed"; } @@ -169,10 +170,10 @@ bool SignCertificate( return true; } -bool CreateOriginBoundCertInternal( +bool CreateDomainBoundCertInternal( SECKEYPublicKey* public_key, SECKEYPrivateKey* private_key, - const std::string& origin, + const std::string& domain, uint32 serial_number, base::Time not_valid_before, base::Time not_valid_after, @@ -196,28 +197,29 @@ bool CreateOriginBoundCertInternal( } // Create SECItem for IA5String encoding. - SECItem origin_string_item = { + SECItem domain_string_item = { siAsciiString, - (unsigned char*)origin.data(), - origin.size() + (unsigned char*)domain.data(), + domain.size() }; // IA5Encode and arena allocate SECItem - SECItem* asn1_origin_string = SEC_ASN1EncodeItem( - cert->arena, NULL, &origin_string_item, + SECItem* asn1_domain_string = SEC_ASN1EncodeItem( + cert->arena, NULL, &domain_string_item, SEC_ASN1_GET(SEC_IA5StringTemplate)); - if (asn1_origin_string == NULL) { - LOG(ERROR) << "Unable to get ASN1 encoding for origin in ob_cert extension"; + if (asn1_domain_string == NULL) { + LOG(ERROR) << "Unable to get ASN1 encoding for domain in domain_bound_cert" + " extension"; CERT_DestroyCertificate(cert); return false; } // Add the extension to the opaque handle - if (CERT_AddExtension(cert_handle, - ObCertOIDWrapper::GetInstance()->ob_cert_oid_tag(), - asn1_origin_string, - PR_TRUE, PR_TRUE) != SECSuccess){ - LOG(ERROR) << "Unable to add origin bound cert extension to opaque handle"; + if (CERT_AddExtension( + cert_handle, + DomainBoundCertOIDWrapper::GetInstance()->domain_bound_cert_oid_tag(), + asn1_domain_string, PR_TRUE, PR_TRUE) != SECSuccess){ + LOG(ERROR) << "Unable to add domain bound cert extension to opaque handle"; CERT_DestroyCertificate(cert); return false; } @@ -272,17 +274,17 @@ CERTCertificate* CreateSelfSignedCert( return cert; } -bool CreateOriginBoundCertEC( +bool CreateDomainBoundCertEC( crypto::ECPrivateKey* key, - const std::string& origin, + const std::string& domain, uint32 serial_number, base::Time not_valid_before, base::Time not_valid_after, std::string* der_cert) { DCHECK(key); - return CreateOriginBoundCertInternal(key->public_key(), + return CreateDomainBoundCertInternal(key->public_key(), key->key(), - origin, + domain, serial_number, not_valid_before, not_valid_after, diff --git a/net/base/x509_util_nss_unittest.cc b/net/base/x509_util_nss_unittest.cc index 97eb5b4163e..be719d79483 100644 --- a/net/base/x509_util_nss_unittest.cc +++ b/net/base/x509_util_nss_unittest.cc @@ -74,7 +74,7 @@ void VerifyCertificateSignature(const std::string& der_cert, EXPECT_TRUE(ok); } -void VerifyOriginBoundCert(const std::string& origin, +void VerifyDomainBoundCert(const std::string& domain, const std::string& der_cert) { // Origin Bound Cert OID. static const char oid_string[] = "1.3.6.1.4.1.11129.2.1.6"; @@ -82,8 +82,8 @@ void VerifyOriginBoundCert(const std::string& origin, // Create object neccessary for extension lookup call. SECItem extension_object = { siAsciiString, - (unsigned char*)origin.data(), - origin.size() + (unsigned char*)domain.data(), + domain.size() }; // IA5Encode and arena allocate SECItem. @@ -139,24 +139,24 @@ void VerifyOriginBoundCert(const std::string& origin, } // namespace -// This test creates an origin-bound cert from an EC private key and +// This test creates a domain-bound cert from an EC private key and // then verifies the content of the certificate. -TEST(X509UtilNSSTest, CreateOriginBoundCertEC) { +TEST(X509UtilNSSTest, CreateDomainBoundCertEC) { // Create a sample ASCII weborigin. - std::string origin = "http://weborigin.com:443"; + std::string domain = "weborigin.com"; base::Time now = base::Time::Now(); scoped_ptr private_key( crypto::ECPrivateKey::Create()); std::string der_cert; - ASSERT_TRUE(x509_util::CreateOriginBoundCertEC( + ASSERT_TRUE(x509_util::CreateDomainBoundCertEC( private_key.get(), - origin, 1, + domain, 1, now, now + base::TimeDelta::FromDays(1), &der_cert)); - VerifyOriginBoundCert(origin, der_cert); + VerifyDomainBoundCert(domain, der_cert); #if !defined(OS_WIN) && !defined(OS_MACOSX) // signature_verifier_win and signature_verifier_mac can't handle EC certs. diff --git a/net/base/x509_util_openssl.cc b/net/base/x509_util_openssl.cc index 8bebfe0c163..b240644ac20 100644 --- a/net/base/x509_util_openssl.cc +++ b/net/base/x509_util_openssl.cc @@ -15,9 +15,9 @@ namespace net { namespace x509_util { -bool CreateOriginBoundCertEC( +bool CreateDomainBoundCertEC( crypto::ECPrivateKey* key, - const std::string& origin, + const std::string& domain, uint32 serial_number, base::Time not_valid_before, base::Time not_valid_after, diff --git a/net/base/x509_util_openssl_unittest.cc b/net/base/x509_util_openssl_unittest.cc index 599d0e4e278..20675057ecf 100644 --- a/net/base/x509_util_openssl_unittest.cc +++ b/net/base/x509_util_openssl_unittest.cc @@ -10,18 +10,18 @@ namespace net { -// For OpenSSL, x509_util::CreateOriginBoundCertEC() is not yet implemented +// For OpenSSL, x509_util::CreateDomainBoundCertEC() is not yet implemented // and should return false. This unit test ensures that a stub implementation // is present. -TEST(X509UtilOpenSSLTest, CreateOriginBoundCertNotImplemented) { - std::string origin = "http://weborigin.com:443"; +TEST(X509UtilOpenSSLTest, CreateDomainBoundCertNotImplemented) { + std::string domain = "weborigin.com"; base::Time now = base::Time::Now(); scoped_ptr private_key( crypto::ECPrivateKey::Create()); std::string der_cert; - EXPECT_FALSE(x509_util::CreateOriginBoundCertEC( + EXPECT_FALSE(x509_util::CreateDomainBoundCertEC( private_key.get(), - origin, 1, + domain, 1, now, now + base::TimeDelta::FromDays(1), &der_cert)); diff --git a/net/http/http_cache.cc b/net/http/http_cache.cc index 41e54366234..28e85296172 100644 --- a/net/http/http_cache.cc +++ b/net/http/http_cache.cc @@ -45,7 +45,7 @@ namespace { HttpNetworkSession* CreateNetworkSession( HostResolver* host_resolver, CertVerifier* cert_verifier, - OriginBoundCertService* origin_bound_cert_service, + ServerBoundCertService* server_bound_cert_service, TransportSecurityState* transport_security_state, ProxyService* proxy_service, SSLHostInfoFactory* ssl_host_info_factory, @@ -58,7 +58,7 @@ HttpNetworkSession* CreateNetworkSession( HttpNetworkSession::Params params; params.host_resolver = host_resolver; params.cert_verifier = cert_verifier; - params.origin_bound_cert_service = origin_bound_cert_service; + params.server_bound_cert_service = server_bound_cert_service; params.transport_security_state = transport_security_state; params.proxy_service = proxy_service; params.ssl_host_info_factory = ssl_host_info_factory; @@ -298,7 +298,7 @@ class HttpCache::SSLHostInfoFactoryAdaptor : public SSLHostInfoFactory { //----------------------------------------------------------------------------- HttpCache::HttpCache(HostResolver* host_resolver, CertVerifier* cert_verifier, - OriginBoundCertService* origin_bound_cert_service, + ServerBoundCertService* server_bound_cert_service, TransportSecurityState* transport_security_state, ProxyService* proxy_service, const std::string& ssl_session_cache_shard, @@ -320,7 +320,7 @@ HttpCache::HttpCache(HostResolver* host_resolver, CreateNetworkSession( host_resolver, cert_verifier, - origin_bound_cert_service, + server_bound_cert_service, transport_security_state, proxy_service, ssl_host_info_factory_.get(), diff --git a/net/http/http_cache.h b/net/http/http_cache.h index d1e7ad85e97..fa44f946805 100644 --- a/net/http/http_cache.h +++ b/net/http/http_cache.h @@ -51,7 +51,7 @@ class HttpServerProperties; class IOBuffer; class NetLog; class NetworkDelegate; -class OriginBoundCertService; +class ServerBoundCertService; class ProxyService; class SSLConfigService; class TransportSecurityState; @@ -121,7 +121,7 @@ class NET_EXPORT HttpCache : public HttpTransactionFactory, // The HttpCache takes ownership of the |backend_factory|. HttpCache(HostResolver* host_resolver, CertVerifier* cert_verifier, - OriginBoundCertService* origin_bound_cert_service, + ServerBoundCertService* server_bound_cert_service, TransportSecurityState* transport_security_state, ProxyService* proxy_service, const std::string& ssl_session_cache_shard, diff --git a/net/http/http_network_session.cc b/net/http/http_network_session.cc index 6cacaf36d84..e10c12f7f15 100644 --- a/net/http/http_network_session.cc +++ b/net/http/http_network_session.cc @@ -33,7 +33,7 @@ net::ClientSocketPoolManager* CreateSocketPoolManager( net::ClientSocketFactory::GetDefaultFactory(), params.host_resolver, params.cert_verifier, - params.origin_bound_cert_service, + params.server_bound_cert_service, params.transport_security_state, params.ssl_host_info_factory, params.ssl_session_cache_shard, diff --git a/net/http/http_network_session.h b/net/http/http_network_session.h index 9d8c2ec4422..1da8c21436c 100644 --- a/net/http/http_network_session.h +++ b/net/http/http_network_session.h @@ -35,7 +35,7 @@ class HttpResponseBodyDrainer; class HttpServerProperties; class NetLog; class NetworkDelegate; -class OriginBoundCertService; +class ServerBoundCertService; class ProxyService; class SOCKSClientSocketPool; class SSLClientSocketPool; @@ -54,7 +54,7 @@ class NET_EXPORT HttpNetworkSession : client_socket_factory(NULL), host_resolver(NULL), cert_verifier(NULL), - origin_bound_cert_service(NULL), + server_bound_cert_service(NULL), transport_security_state(NULL), proxy_service(NULL), ssl_host_info_factory(NULL), @@ -68,7 +68,7 @@ class NET_EXPORT HttpNetworkSession ClientSocketFactory* client_socket_factory; HostResolver* host_resolver; CertVerifier* cert_verifier; - OriginBoundCertService* origin_bound_cert_service; + ServerBoundCertService* server_bound_cert_service; TransportSecurityState* transport_security_state; ProxyService* proxy_service; SSLHostInfoFactory* ssl_host_info_factory; diff --git a/net/http/http_proxy_client_socket_pool_spdy21_unittest.cc b/net/http/http_proxy_client_socket_pool_spdy21_unittest.cc index 15696279502..25f8c642ff6 100644 --- a/net/http/http_proxy_client_socket_pool_spdy21_unittest.cc +++ b/net/http/http_proxy_client_socket_pool_spdy21_unittest.cc @@ -69,7 +69,7 @@ class HttpProxyClientSocketPoolSpdy21Test : public TestWithHttpParam { &ssl_histograms_, &host_resolver_, &cert_verifier_, - NULL /* origin_bound_cert_store */, + NULL /* server_bound_cert_store */, NULL /* transport_security_state */, NULL /* ssl_host_info_factory */, "" /* ssl_session_cache_shard */, diff --git a/net/http/http_proxy_client_socket_pool_spdy2_unittest.cc b/net/http/http_proxy_client_socket_pool_spdy2_unittest.cc index b1bbe6de9a9..f54e7d20381 100644 --- a/net/http/http_proxy_client_socket_pool_spdy2_unittest.cc +++ b/net/http/http_proxy_client_socket_pool_spdy2_unittest.cc @@ -69,7 +69,7 @@ class HttpProxyClientSocketPoolSpdy2Test : public TestWithHttpParam { &ssl_histograms_, &host_resolver_, &cert_verifier_, - NULL /* origin_bound_cert_store */, + NULL /* server_bound_cert_store */, NULL /* transport_security_state */, NULL /* ssl_host_info_factory */, "" /* ssl_session_cache_shard */, diff --git a/net/http/http_proxy_client_socket_pool_spdy3_unittest.cc b/net/http/http_proxy_client_socket_pool_spdy3_unittest.cc index c5c3b1a449e..0bc603ed1c6 100644 --- a/net/http/http_proxy_client_socket_pool_spdy3_unittest.cc +++ b/net/http/http_proxy_client_socket_pool_spdy3_unittest.cc @@ -69,7 +69,7 @@ class HttpProxyClientSocketPoolSpdy3Test : public TestWithHttpParam { &ssl_histograms_, &host_resolver_, &cert_verifier_, - NULL /* origin_bound_cert_store */, + NULL /* server_bound_cert_store */, NULL /* transport_security_state */, NULL /* ssl_host_info_factory */, "" /* ssl_session_cache_shard */, diff --git a/net/socket/client_socket_pool_manager_impl.cc b/net/socket/client_socket_pool_manager_impl.cc index 19e0442b867..ccd3965072c 100644 --- a/net/socket/client_socket_pool_manager_impl.cc +++ b/net/socket/client_socket_pool_manager_impl.cc @@ -1,4 +1,4 @@ -// Copyright (c) 2011 The Chromium Authors. All rights reserved. +// Copyright (c) 2012 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -37,7 +37,7 @@ ClientSocketPoolManagerImpl::ClientSocketPoolManagerImpl( ClientSocketFactory* socket_factory, HostResolver* host_resolver, CertVerifier* cert_verifier, - OriginBoundCertService* origin_bound_cert_service, + ServerBoundCertService* server_bound_cert_service, TransportSecurityState* transport_security_state, SSLHostInfoFactory* ssl_host_info_factory, const std::string& ssl_session_cache_shard, @@ -47,7 +47,7 @@ ClientSocketPoolManagerImpl::ClientSocketPoolManagerImpl( socket_factory_(socket_factory), host_resolver_(host_resolver), cert_verifier_(cert_verifier), - origin_bound_cert_service_(origin_bound_cert_service), + server_bound_cert_service_(server_bound_cert_service), transport_security_state_(transport_security_state), ssl_host_info_factory_(ssl_host_info_factory), ssl_session_cache_shard_(ssl_session_cache_shard), @@ -66,7 +66,7 @@ ClientSocketPoolManagerImpl::ClientSocketPoolManagerImpl( &ssl_pool_histograms_, host_resolver, cert_verifier, - origin_bound_cert_service, + server_bound_cert_service, transport_security_state, ssl_host_info_factory, ssl_session_cache_shard, @@ -286,7 +286,7 @@ ClientSocketPoolManagerImpl::GetSocketPoolForHTTPProxy( &ssl_for_https_proxy_pool_histograms_, host_resolver_, cert_verifier_, - origin_bound_cert_service_, + server_bound_cert_service_, transport_security_state_, ssl_host_info_factory_, ssl_session_cache_shard_, @@ -325,7 +325,7 @@ SSLClientSocketPool* ClientSocketPoolManagerImpl::GetSocketPoolForSSLWithProxy( &ssl_pool_histograms_, host_resolver_, cert_verifier_, - origin_bound_cert_service_, + server_bound_cert_service_, transport_security_state_, ssl_host_info_factory_, ssl_session_cache_shard_, diff --git a/net/socket/client_socket_pool_manager_impl.h b/net/socket/client_socket_pool_manager_impl.h index 96caa314a41..2559aad0ccb 100644 --- a/net/socket/client_socket_pool_manager_impl.h +++ b/net/socket/client_socket_pool_manager_impl.h @@ -1,4 +1,4 @@ -// Copyright (c) 2011 The Chromium Authors. All rights reserved. +// Copyright (c) 2012 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -26,7 +26,7 @@ class ClientSocketPoolHistograms; class HttpProxyClientSocketPool; class HostResolver; class NetLog; -class OriginBoundCertService; +class ServerBoundCertService; class ProxyService; class SOCKSClientSocketPool; class SSLClientSocketPool; @@ -61,7 +61,7 @@ class ClientSocketPoolManagerImpl : public base::NonThreadSafe, ClientSocketFactory* socket_factory, HostResolver* host_resolver, CertVerifier* cert_verifier, - OriginBoundCertService* origin_bound_cert_service, + ServerBoundCertService* server_bound_cert_service, TransportSecurityState* transport_security_state, SSLHostInfoFactory* ssl_host_info_factory, const std::string& ssl_session_cache_shard, @@ -107,7 +107,7 @@ class ClientSocketPoolManagerImpl : public base::NonThreadSafe, ClientSocketFactory* const socket_factory_; HostResolver* const host_resolver_; CertVerifier* const cert_verifier_; - OriginBoundCertService* const origin_bound_cert_service_; + ServerBoundCertService* const server_bound_cert_service_; TransportSecurityState* const transport_security_state_; SSLHostInfoFactory* const ssl_host_info_factory_; const std::string ssl_session_cache_shard_; diff --git a/net/socket/socket_test_util.cc b/net/socket/socket_test_util.cc index ef5b0dbed64..f5236abe427 100644 --- a/net/socket/socket_test_util.cc +++ b/net/socket/socket_test_util.cc @@ -242,7 +242,7 @@ SSLSocketDataProvider::SSLSocketDataProvider(IoMode mode, int result) protocol_negotiated(SSLClientSocket::kProtoUnknown), client_cert_sent(false), cert_request_info(NULL), - origin_bound_cert_type(CLIENT_CERT_INVALID_TYPE) { + domain_bound_cert_type(CLIENT_CERT_INVALID_TYPE) { } SSLSocketDataProvider::~SSLSocketDataProvider() { @@ -696,7 +696,7 @@ int MockClientSocket::ExportKeyingMaterial(const base::StringPiece& label, return OK; } -OriginBoundCertService* MockClientSocket::GetOriginBoundCertService() const { +ServerBoundCertService* MockClientSocket::GetServerBoundCertService() const { NOTREACHED(); return NULL; } @@ -1132,7 +1132,7 @@ base::TimeDelta MockSSLClientSocket::GetConnectTimeMicros() const { void MockSSLClientSocket::GetSSLInfo(SSLInfo* ssl_info) { ssl_info->Reset(); ssl_info->cert = data_->cert; - ssl_info->client_cert_sent = WasOriginBoundCertSent() || + ssl_info->client_cert_sent = WasDomainBoundCertSent() || data_->client_cert_sent; } @@ -1178,21 +1178,21 @@ void MockSSLClientSocket::set_protocol_negotiated( protocol_negotiated_ = protocol_negotiated; } -bool MockSSLClientSocket::WasOriginBoundCertSent() const { - return data_->origin_bound_cert_type != CLIENT_CERT_INVALID_TYPE; +bool MockSSLClientSocket::WasDomainBoundCertSent() const { + return data_->domain_bound_cert_type != CLIENT_CERT_INVALID_TYPE; } -SSLClientCertType MockSSLClientSocket::origin_bound_cert_type() const { - return data_->origin_bound_cert_type; +SSLClientCertType MockSSLClientSocket::domain_bound_cert_type() const { + return data_->domain_bound_cert_type; } -SSLClientCertType MockSSLClientSocket::set_origin_bound_cert_type( +SSLClientCertType MockSSLClientSocket::set_domain_bound_cert_type( SSLClientCertType type) { - return data_->origin_bound_cert_type = type; + return data_->domain_bound_cert_type = type; } -OriginBoundCertService* MockSSLClientSocket::GetOriginBoundCertService() const { - return data_->origin_bound_cert_service; +ServerBoundCertService* MockSSLClientSocket::GetServerBoundCertService() const { + return data_->server_bound_cert_service; } void MockSSLClientSocket::OnReadComplete(const MockRead& data) { diff --git a/net/socket/socket_test_util.h b/net/socket/socket_test_util.h index ecd671cdc25..f678614f562 100644 --- a/net/socket/socket_test_util.h +++ b/net/socket/socket_test_util.h @@ -48,7 +48,7 @@ enum { class AsyncSocket; class MockClientSocket; -class OriginBoundCertService; +class ServerBoundCertService; class SSLClientSocket; class SSLHostInfo; class StreamSocket; @@ -280,8 +280,8 @@ struct SSLSocketDataProvider { bool client_cert_sent; SSLCertRequestInfo* cert_request_info; scoped_refptr cert; - SSLClientCertType origin_bound_cert_type; - OriginBoundCertService* origin_bound_cert_service; + SSLClientCertType domain_bound_cert_type; + ServerBoundCertService* server_bound_cert_service; }; // A DataProvider where the client must write a request before the reads (e.g. @@ -602,7 +602,7 @@ class MockClientSocket : public SSLClientSocket { unsigned int outlen) OVERRIDE; virtual NextProtoStatus GetNextProto(std::string* proto, std::string* server_protos) OVERRIDE; - virtual OriginBoundCertService* GetOriginBoundCertService() const OVERRIDE; + virtual ServerBoundCertService* GetServerBoundCertService() const OVERRIDE; protected: virtual ~MockClientSocket(); @@ -757,11 +757,11 @@ class MockSSLClientSocket : public MockClientSocket, public AsyncSocket { // This MockSocket does not implement the manual async IO feature. virtual void OnReadComplete(const MockRead& data) OVERRIDE; - virtual bool WasOriginBoundCertSent() const OVERRIDE; - virtual SSLClientCertType origin_bound_cert_type() const OVERRIDE; - virtual SSLClientCertType set_origin_bound_cert_type( + virtual bool WasDomainBoundCertSent() const OVERRIDE; + virtual SSLClientCertType domain_bound_cert_type() const OVERRIDE; + virtual SSLClientCertType set_domain_bound_cert_type( SSLClientCertType type) OVERRIDE; - virtual OriginBoundCertService* GetOriginBoundCertService() const OVERRIDE; + virtual ServerBoundCertService* GetServerBoundCertService() const OVERRIDE; private: static void ConnectCallback(MockSSLClientSocket *ssl_client_socket, diff --git a/net/socket/ssl_client_socket.cc b/net/socket/ssl_client_socket.cc index ecee79b3154..10873ae8714 100644 --- a/net/socket/ssl_client_socket.cc +++ b/net/socket/ssl_client_socket.cc @@ -12,7 +12,7 @@ SSLClientSocket::SSLClientSocket() : was_npn_negotiated_(false), was_spdy_negotiated_(false), protocol_negotiated_(kProtoUnknown), - origin_bound_cert_type_(CLIENT_CERT_INVALID_TYPE) { + domain_bound_cert_type_(CLIENT_CERT_INVALID_TYPE) { } SSLClientSocket::NextProto SSLClientSocket::NextProtoFromString( @@ -124,17 +124,17 @@ void SSLClientSocket::set_protocol_negotiated( protocol_negotiated_ = protocol_negotiated; } -bool SSLClientSocket::WasOriginBoundCertSent() const { - return origin_bound_cert_type_ != CLIENT_CERT_INVALID_TYPE; +bool SSLClientSocket::WasDomainBoundCertSent() const { + return domain_bound_cert_type_ != CLIENT_CERT_INVALID_TYPE; } -SSLClientCertType SSLClientSocket::origin_bound_cert_type() const { - return origin_bound_cert_type_; +SSLClientCertType SSLClientSocket::domain_bound_cert_type() const { + return domain_bound_cert_type_; } -SSLClientCertType SSLClientSocket::set_origin_bound_cert_type( +SSLClientCertType SSLClientSocket::set_domain_bound_cert_type( SSLClientCertType type) { - return origin_bound_cert_type_ = type; + return domain_bound_cert_type_ = type; } } // namespace net diff --git a/net/socket/ssl_client_socket.h b/net/socket/ssl_client_socket.h index bafe1d463e1..6b86900b713 100644 --- a/net/socket/ssl_client_socket.h +++ b/net/socket/ssl_client_socket.h @@ -18,7 +18,7 @@ namespace net { class CertVerifier; -class OriginBoundCertService; +class ServerBoundCertService; class SSLCertRequestInfo; class SSLHostInfo; class SSLHostInfoFactory; @@ -30,23 +30,23 @@ class TransportSecurityState; struct SSLClientSocketContext { SSLClientSocketContext() : cert_verifier(NULL), - origin_bound_cert_service(NULL), + server_bound_cert_service(NULL), transport_security_state(NULL), ssl_host_info_factory(NULL) {} SSLClientSocketContext(CertVerifier* cert_verifier_arg, - OriginBoundCertService* origin_bound_cert_service_arg, + ServerBoundCertService* server_bound_cert_service_arg, TransportSecurityState* transport_security_state_arg, SSLHostInfoFactory* ssl_host_info_factory_arg, const std::string& ssl_session_cache_shard_arg) : cert_verifier(cert_verifier_arg), - origin_bound_cert_service(origin_bound_cert_service_arg), + server_bound_cert_service(server_bound_cert_service_arg), transport_security_state(transport_security_state_arg), ssl_host_info_factory(ssl_host_info_factory_arg), ssl_session_cache_shard(ssl_session_cache_shard_arg) {} CertVerifier* cert_verifier; - OriginBoundCertService* origin_bound_cert_service; + ServerBoundCertService* server_bound_cert_service; TransportSecurityState* transport_security_state; SSLHostInfoFactory* ssl_host_info_factory; // ssl_session_cache_shard is an opaque string that identifies a shard of the @@ -142,21 +142,21 @@ class NET_EXPORT SSLClientSocket : public SSLSocket { virtual void set_protocol_negotiated( SSLClientSocket::NextProto protocol_negotiated); - // Returns the OriginBoundCertService used by this socket, or NULL if - // origin bound certificates are not supported. - virtual OriginBoundCertService* GetOriginBoundCertService() const = 0; + // Returns the ServerBoundCertService used by this socket, or NULL if + // server bound certificates are not supported. + virtual ServerBoundCertService* GetServerBoundCertService() const = 0; - // Returns true if an origin bound certificate was sent on this connection. + // Returns true if a domain bound certificate was sent on this connection. // This may be useful for protocols, like SPDY, which allow the same - // connection to be shared between multiple origins, each of which need - // an origin bound certificate. - virtual bool WasOriginBoundCertSent() const; + // connection to be shared between multiple domains, each of which need + // a domain bound certificate. + virtual bool WasDomainBoundCertSent() const; - // Returns the type of the origin bound cert that was sent, or + // Returns the type of the domain bound cert that was sent, or // CLIENT_CERT_INVALID_TYPE if none was sent. - virtual SSLClientCertType origin_bound_cert_type() const; + virtual SSLClientCertType domain_bound_cert_type() const; - virtual SSLClientCertType set_origin_bound_cert_type(SSLClientCertType type); + virtual SSLClientCertType set_domain_bound_cert_type(SSLClientCertType type); private: // True if NPN was responded to, independent of selecting SPDY or HTTP. @@ -165,9 +165,9 @@ class NET_EXPORT SSLClientSocket : public SSLSocket { bool was_spdy_negotiated_; // Protocol that we negotiated with the server. SSLClientSocket::NextProto protocol_negotiated_; - // Type of the origin bound cert that was sent, or CLIENT_CERT_INVALID_TYPE + // Type of the domain bound cert that was sent, or CLIENT_CERT_INVALID_TYPE // if none was sent. - SSLClientCertType origin_bound_cert_type_; + SSLClientCertType domain_bound_cert_type_; }; } // namespace net diff --git a/net/socket/ssl_client_socket_mac.cc b/net/socket/ssl_client_socket_mac.cc index a89d6890a0a..7bb1dcd00aa 100644 --- a/net/socket/ssl_client_socket_mac.cc +++ b/net/socket/ssl_client_socket_mac.cc @@ -724,7 +724,7 @@ void SSLClientSocketMac::GetSSLInfo(SSLInfo* ssl_info) { ssl_info->public_key_hashes = server_cert_verify_result_.public_key_hashes; ssl_info->is_issued_by_known_root = server_cert_verify_result_.is_issued_by_known_root; - ssl_info->client_cert_sent = WasOriginBoundCertSent() || + ssl_info->client_cert_sent = WasDomainBoundCertSent() || (ssl_config_.send_client_cert && ssl_config_.client_cert); // security info @@ -793,7 +793,7 @@ SSLClientSocketMac::GetNextProto(std::string* proto, return kNextProtoUnsupported; } -OriginBoundCertService* SSLClientSocketMac::GetOriginBoundCertService() const { +ServerBoundCertService* SSLClientSocketMac::GetServerBoundCertService() const { return NULL; } diff --git a/net/socket/ssl_client_socket_mac.h b/net/socket/ssl_client_socket_mac.h index ec2b51a3139..4559dd7d53d 100644 --- a/net/socket/ssl_client_socket_mac.h +++ b/net/socket/ssl_client_socket_mac.h @@ -51,7 +51,7 @@ class SSLClientSocketMac : public SSLClientSocket { unsigned int outlen) OVERRIDE; virtual NextProtoStatus GetNextProto(std::string* proto, std::string* server_protos) OVERRIDE; - virtual OriginBoundCertService* GetOriginBoundCertService() const OVERRIDE; + virtual ServerBoundCertService* GetServerBoundCertService() const OVERRIDE; // StreamSocket implementation. virtual int Connect(const CompletionCallback& callback) OVERRIDE; diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc index 2b9c73dca20..0d712e38754 100644 --- a/net/socket/ssl_client_socket_nss.cc +++ b/net/socket/ssl_client_socket_nss.cc @@ -447,10 +447,10 @@ SSLClientSocketNSS::SSLClientSocketNSS(ClientSocketHandle* transport_socket, ssl_connection_status_(0), client_auth_cert_needed_(false), cert_verifier_(context.cert_verifier), - ob_cert_xtn_negotiated_(false), - origin_bound_cert_service_(context.origin_bound_cert_service), - ob_cert_type_(CLIENT_CERT_INVALID_TYPE), - ob_cert_request_handle_(NULL), + domain_bound_cert_xtn_negotiated_(false), + server_bound_cert_service_(context.server_bound_cert_service), + domain_bound_cert_type_(CLIENT_CERT_INVALID_TYPE), + domain_bound_cert_request_handle_(NULL), handshake_callback_called_(false), completed_handshake_(false), ssl_session_cache_shard_(context.ssl_session_cache_shard), @@ -500,7 +500,7 @@ void SSLClientSocketNSS::GetSSLInfo(SSLInfo* ssl_info) { } ssl_info->is_issued_by_known_root = server_cert_verify_result_->is_issued_by_known_root; - ssl_info->client_cert_sent = WasOriginBoundCertSent() || + ssl_info->client_cert_sent = WasDomainBoundCertSent() || (ssl_config_.send_client_cert && ssl_config_.client_cert); PRUint16 cipher_suite = @@ -622,9 +622,10 @@ void SSLClientSocketNSS::Disconnect() { verifier_.reset(); transport_->socket()->Disconnect(); - if (ob_cert_request_handle_ != NULL) { - origin_bound_cert_service_->CancelRequest(ob_cert_request_handle_); - ob_cert_request_handle_ = NULL; + if (domain_bound_cert_request_handle_ != NULL) { + server_bound_cert_service_->CancelRequest( + domain_bound_cert_request_handle_); + domain_bound_cert_request_handle_ = NULL; } // TODO(wtc): Send SSL close_notify alert. @@ -658,7 +659,7 @@ void SSLClientSocketNSS::Disconnect() { nss_bufs_ = NULL; client_certs_.clear(); client_auth_cert_needed_ = false; - ob_cert_xtn_negotiated_ = false; + domain_bound_cert_xtn_negotiated_ = false; LeaveFunction(""); } @@ -971,16 +972,16 @@ int SSLClientSocketNSS::InitializeSSLOptions() { #ifdef SSL_ENABLE_OB_CERTS rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_OB_CERTS, - ssl_config_.origin_bound_certs_enabled); + ssl_config_.domain_bound_certs_enabled); if (rv != SECSuccess) LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_OB_CERTS"); #endif #ifdef SSL_ENCRYPT_CLIENT_CERTS // For now, enable the encrypted client certificates extension only if - // origin-bound certificates are enabled. + // server-bound certificates are enabled. rv = SSL_OptionSet(nss_fd_, SSL_ENCRYPT_CLIENT_CERTS, - ssl_config_.origin_bound_certs_enabled); + ssl_config_.domain_bound_certs_enabled); if (rv != SECSuccess) LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENCRYPT_CLIENT_CERTS"); #endif @@ -1282,8 +1283,8 @@ int SSLClientSocketNSS::DoHandshakeLoop(int last_io_result) { case STATE_HANDSHAKE: rv = DoHandshake(); break; - case STATE_GET_OB_CERT_COMPLETE: - rv = DoGetOBCertComplete(rv); + case STATE_GET_DOMAIN_BOUND_CERT_COMPLETE: + rv = DoGetDBCertComplete(rv); break; case STATE_VERIFY_DNSSEC: rv = DoVerifyDNSSEC(rv); @@ -1430,14 +1431,14 @@ int SSLClientSocketNSS::DoHandshake() { int net_error = net::OK; SECStatus rv = SSL_ForceHandshake(nss_fd_); - // TODO(rkn): Handle the case in which origin-bound cert generation takes + // TODO(rkn): Handle the case in which server-bound cert generation takes // too long and the server has closed the connection. Report some new error // code so that the higher level code will attempt to delete the socket and // redo the handshake. if (client_auth_cert_needed_) { - if (ob_cert_xtn_negotiated_) { - GotoState(STATE_GET_OB_CERT_COMPLETE); + if (domain_bound_cert_xtn_negotiated_) { + GotoState(STATE_GET_DOMAIN_BOUND_CERT_COMPLETE); net_error = ERR_IO_PENDING; } else { net_error = ERR_SSL_CLIENT_AUTH_CERT_NEEDED; @@ -1552,12 +1553,12 @@ int SSLClientSocketNSS::DoHandshake() { return net_error; } -int SSLClientSocketNSS::ImportOBCertAndKey(CERTCertificate** cert, +int SSLClientSocketNSS::ImportDBCertAndKey(CERTCertificate** cert, SECKEYPrivateKey** key) { // Set the certificate. SECItem cert_item; - cert_item.data = (unsigned char*) ob_cert_.data(); - cert_item.len = ob_cert_.size(); + cert_item.data = (unsigned char*) domain_bound_cert_.data(); + cert_item.len = domain_bound_cert_.size(); *cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &cert_item, NULL, @@ -1567,13 +1568,14 @@ int SSLClientSocketNSS::ImportOBCertAndKey(CERTCertificate** cert, return MapNSSError(PORT_GetError()); // Set the private key. - switch (ob_cert_type_) { + switch (domain_bound_cert_type_) { case CLIENT_CERT_ECDSA_SIGN: { SECKEYPublicKey* public_key = NULL; if (!crypto::ECPrivateKey::ImportFromEncryptedPrivateKeyInfo( - OriginBoundCertService::kEPKIPassword, - reinterpret_cast(ob_private_key_.data()), - ob_private_key_.size(), + ServerBoundCertService::kEPKIPassword, + reinterpret_cast( + domain_bound_private_key_.data()), + domain_bound_private_key_.size(), &(*cert)->subjectPublicKeyInfo, false, false, @@ -1595,18 +1597,18 @@ int SSLClientSocketNSS::ImportOBCertAndKey(CERTCertificate** cert, return OK; } -int SSLClientSocketNSS::DoGetOBCertComplete(int result) { - net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_GET_ORIGIN_BOUND_CERT, +int SSLClientSocketNSS::DoGetDBCertComplete(int result) { + net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_GET_DOMAIN_BOUND_CERT, result); client_auth_cert_needed_ = false; - ob_cert_request_handle_ = NULL; + domain_bound_cert_request_handle_ = NULL; if (result != OK) return result; CERTCertificate* cert; SECKEYPrivateKey* key; - int error = ImportOBCertAndKey(&cert, &key); + int error = ImportDBCertAndKey(&cert, &key); if (error != OK) return error; @@ -1622,7 +1624,7 @@ int SSLClientSocketNSS::DoGetOBCertComplete(int result) { return MapNSSError(PORT_GetError()); GotoState(STATE_HANDSHAKE); - set_origin_bound_cert_type(ob_cert_type_); + set_domain_bound_cert_type(domain_bound_cert_type_); return OK; } @@ -2173,7 +2175,7 @@ SECStatus SSLClientSocketNSS::OwnAuthCertHandler(void* arg, } // static -bool SSLClientSocketNSS::OriginBoundCertNegotiated(PRFileDesc* socket) { +bool SSLClientSocketNSS::DomainBoundCertNegotiated(PRFileDesc* socket) { PRBool xtn_negotiated = PR_FALSE; SECStatus rv = SSL_HandshakeNegotiatedExtension( socket, ssl_ob_cert_xtn, &xtn_negotiated); @@ -2182,42 +2184,42 @@ bool SSLClientSocketNSS::OriginBoundCertNegotiated(PRFileDesc* socket) { return xtn_negotiated ? true : false; } -SECStatus SSLClientSocketNSS::OriginBoundClientAuthHandler( +SECStatus SSLClientSocketNSS::DomainBoundClientAuthHandler( const SECItem* cert_types, CERTCertificate** result_certificate, SECKEYPrivateKey** result_private_key) { - ob_cert_xtn_negotiated_ = true; + domain_bound_cert_xtn_negotiated_ = true; - // We have negotiated the origin-bound certificate extension. + // We have negotiated the domain-bound certificate extension. std::string origin = "https://" + host_and_port_.ToString(); std::vector requested_cert_types(cert_types->data, cert_types->data + cert_types->len); - net_log_.BeginEvent(NetLog::TYPE_SSL_GET_ORIGIN_BOUND_CERT, NULL); - int error = origin_bound_cert_service_->GetOriginBoundCert( + net_log_.BeginEvent(NetLog::TYPE_SSL_GET_DOMAIN_BOUND_CERT, NULL); + int error = server_bound_cert_service_->GetDomainBoundCert( origin, requested_cert_types, - &ob_cert_type_, - &ob_private_key_, - &ob_cert_, + &domain_bound_cert_type_, + &domain_bound_private_key_, + &domain_bound_cert_, base::Bind(&SSLClientSocketNSS::OnHandshakeIOComplete, base::Unretained(this)), - &ob_cert_request_handle_); + &domain_bound_cert_request_handle_); if (error == ERR_IO_PENDING) { // Asynchronous case. client_auth_cert_needed_ = true; return SECWouldBlock; } - net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_GET_ORIGIN_BOUND_CERT, + net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_GET_DOMAIN_BOUND_CERT, error); SECStatus rv = SECSuccess; if (error == OK) { // Synchronous success. - int result = ImportOBCertAndKey(result_certificate, + int result = ImportDBCertAndKey(result_certificate, result_private_key); if (result == OK) { - set_origin_bound_cert_type(ob_cert_type_); + set_domain_bound_cert_type(domain_bound_cert_type_); } else { rv = SECFailure; } @@ -2249,9 +2251,9 @@ SECStatus SSLClientSocketNSS::PlatformClientAuthHandler( const SECItem* cert_types = SSL_GetRequestedClientCertificateTypes(socket); - // Check if an origin-bound certificate is requested. - if (OriginBoundCertNegotiated(socket)) { - return that->OriginBoundClientAuthHandler( + // Check if a domain-bound certificate is requested. + if (DomainBoundCertNegotiated(socket)) { + return that->DomainBoundClientAuthHandler( cert_types, result_nss_certificate, result_nss_private_key); } @@ -2555,9 +2557,9 @@ SECStatus SSLClientSocketNSS::ClientAuthHandler( const SECItem* cert_types = SSL_GetRequestedClientCertificateTypes(socket); - // Check if an origin-bound certificate is requested. - if (OriginBoundCertNegotiated(socket)) { - return that->OriginBoundClientAuthHandler( + // Check if a domain-bound certificate is requested. + if (DomainBoundCertNegotiated(socket)) { + return that->DomainBoundClientAuthHandler( cert_types, result_certificate, result_private_key); } @@ -2711,8 +2713,8 @@ bool SSLClientSocketNSS::CalledOnValidThread() const { return valid_thread_id_ == base::PlatformThread::CurrentId(); } -OriginBoundCertService* SSLClientSocketNSS::GetOriginBoundCertService() const { - return origin_bound_cert_service_; +ServerBoundCertService* SSLClientSocketNSS::GetServerBoundCertService() const { + return server_bound_cert_service_; } } // namespace net diff --git a/net/socket/ssl_client_socket_nss.h b/net/socket/ssl_client_socket_nss.h index 1582f37a979..49343d1a280 100644 --- a/net/socket/ssl_client_socket_nss.h +++ b/net/socket/ssl_client_socket_nss.h @@ -35,7 +35,7 @@ namespace net { class BoundNetLog; class CertVerifier; class ClientSocketHandle; -class OriginBoundCertService; +class ServerBoundCertService; class SingleRequestCertVerifier; class SSLHostInfo; class TransportSecurityState; @@ -93,14 +93,14 @@ class SSLClientSocketNSS : public SSLClientSocket { const CompletionCallback& callback) OVERRIDE; virtual bool SetReceiveBufferSize(int32 size) OVERRIDE; virtual bool SetSendBufferSize(int32 size) OVERRIDE; - virtual OriginBoundCertService* GetOriginBoundCertService() const OVERRIDE; + virtual ServerBoundCertService* GetServerBoundCertService() const OVERRIDE; private: enum State { STATE_NONE, STATE_LOAD_SSL_HOST_INFO, STATE_HANDSHAKE, - STATE_GET_OB_CERT_COMPLETE, + STATE_GET_DOMAIN_BOUND_CERT_COMPLETE, STATE_VERIFY_DNSSEC, STATE_VERIFY_CERT, STATE_VERIFY_CERT_COMPLETE, @@ -132,14 +132,14 @@ class SSLClientSocketNSS : public SSLClientSocket { int DoHandshake(); - // ImportOBCertAndKey is a helper function for turning a DER-encoded cert and + // ImportDBCertAndKey is a helper function for turning a DER-encoded cert and // key into a CERTCertificate and SECKEYPrivateKey. Returns OK upon success // and an error code otherwise. - // Requires |ob_private_key_| and |ob_cert_| to have been set by a call to - // OriginBoundCertService->GetOriginBoundCert. The caller takes ownership of - // the |*cert| and |*key|. - int ImportOBCertAndKey(CERTCertificate** cert, SECKEYPrivateKey** key); - int DoGetOBCertComplete(int result); + // Requires |domain_bound_private_key_| and |domain_bound_cert_| to have been + // set by a call to ServerBoundCertService->GetDomainBoundCert. The caller + // takes ownership of the |*cert| and |*key|. + int ImportDBCertAndKey(CERTCertificate** cert, SECKEYPrivateKey** key); + int DoGetDBCertComplete(int result); int DoVerifyDNSSEC(int result); int DoVerifyCert(int result); int DoVerifyCertComplete(int result); @@ -163,11 +163,11 @@ class SSLClientSocketNSS : public SSLClientSocket { // argument. static SECStatus OwnAuthCertHandler(void* arg, PRFileDesc* socket, PRBool checksig, PRBool is_server); - // Returns true if connection negotiated the origin bound cert extension. - static bool OriginBoundCertNegotiated(PRFileDesc* socket); - // Origin bound cert client auth handler. + // Returns true if connection negotiated the domain bound cert extension. + static bool DomainBoundCertNegotiated(PRFileDesc* socket); + // Domain bound cert client auth handler. // Returns the value the ClientAuthHandler function should return. - SECStatus OriginBoundClientAuthHandler( + SECStatus DomainBoundClientAuthHandler( const SECItem* cert_types, CERTCertificate** result_certificate, SECKEYPrivateKey** result_private_key); @@ -256,13 +256,13 @@ class SSLClientSocketNSS : public SSLClientSocket { CertVerifier* const cert_verifier_; scoped_ptr verifier_; - // For origin bound certificates in client auth. - bool ob_cert_xtn_negotiated_; - OriginBoundCertService* origin_bound_cert_service_; - SSLClientCertType ob_cert_type_; - std::string ob_private_key_; - std::string ob_cert_; - OriginBoundCertService::RequestHandle ob_cert_request_handle_; + // For domain bound certificates in client auth. + bool domain_bound_cert_xtn_negotiated_; + ServerBoundCertService* server_bound_cert_service_; + SSLClientCertType domain_bound_cert_type_; + std::string domain_bound_private_key_; + std::string domain_bound_cert_; + ServerBoundCertService::RequestHandle domain_bound_cert_request_handle_; // True if NSS has called HandshakeCallback. bool handshake_callback_called_; diff --git a/net/socket/ssl_client_socket_openssl.cc b/net/socket/ssl_client_socket_openssl.cc index a29acf6ee1e..d691f221749 100644 --- a/net/socket/ssl_client_socket_openssl.cc +++ b/net/socket/ssl_client_socket_openssl.cc @@ -587,7 +587,7 @@ void SSLClientSocketOpenSSL::GetSSLInfo(SSLInfo* ssl_info) { server_cert_verify_result_.is_issued_by_known_root; ssl_info->public_key_hashes = server_cert_verify_result_.public_key_hashes; - ssl_info->client_cert_sent = WasOriginBoundCertSent() || + ssl_info->client_cert_sent = WasDomainBoundCertSent() || (ssl_config_.send_client_cert && ssl_config_.client_cert); const SSL_CIPHER* cipher = SSL_get_current_cipher(ssl_); @@ -653,8 +653,8 @@ SSLClientSocket::NextProtoStatus SSLClientSocketOpenSSL::GetNextProto( return npn_status_; } -OriginBoundCertService* -SSLClientSocketOpenSSL::GetOriginBoundCertService() const { +ServerBoundCertService* +SSLClientSocketOpenSSL::GetServerBoundCertService() const { return NULL; } diff --git a/net/socket/ssl_client_socket_openssl.h b/net/socket/ssl_client_socket_openssl.h index 69f03c9f4df..f2739d4a21e 100644 --- a/net/socket/ssl_client_socket_openssl.h +++ b/net/socket/ssl_client_socket_openssl.h @@ -65,7 +65,7 @@ class SSLClientSocketOpenSSL : public SSLClientSocket { unsigned int outlen); virtual NextProtoStatus GetNextProto(std::string* proto, std::string* server_protos); - virtual OriginBoundCertService* GetOriginBoundCertService() const; + virtual ServerBoundCertService* GetServerBoundCertService() const; // StreamSocket implementation. virtual int Connect(const CompletionCallback& callback); diff --git a/net/socket/ssl_client_socket_pool.cc b/net/socket/ssl_client_socket_pool.cc index 0c96546bd1d..71a5b0dbf1a 100644 --- a/net/socket/ssl_client_socket_pool.cc +++ b/net/socket/ssl_client_socket_pool.cc @@ -448,7 +448,7 @@ SSLClientSocketPool::SSLClientSocketPool( ClientSocketPoolHistograms* histograms, HostResolver* host_resolver, CertVerifier* cert_verifier, - OriginBoundCertService* origin_bound_cert_service, + ServerBoundCertService* server_bound_cert_service, TransportSecurityState* transport_security_state, SSLHostInfoFactory* ssl_host_info_factory, const std::string& ssl_session_cache_shard, @@ -471,7 +471,7 @@ SSLClientSocketPool::SSLClientSocketPool( host_resolver, SSLClientSocketContext( cert_verifier, - origin_bound_cert_service, + server_bound_cert_service, transport_security_state, ssl_host_info_factory, ssl_session_cache_shard), diff --git a/net/socket/ssl_client_socket_pool.h b/net/socket/ssl_client_socket_pool.h index bd667ff86ae..d80ace97519 100644 --- a/net/socket/ssl_client_socket_pool.h +++ b/net/socket/ssl_client_socket_pool.h @@ -176,7 +176,7 @@ class NET_EXPORT_PRIVATE SSLClientSocketPool ClientSocketPoolHistograms* histograms, HostResolver* host_resolver, CertVerifier* cert_verifier, - OriginBoundCertService* origin_bound_cert_service, + ServerBoundCertService* server_bound_cert_service, TransportSecurityState* transport_security_state, SSLHostInfoFactory* ssl_host_info_factory, const std::string& ssl_session_cache_shard, diff --git a/net/socket/ssl_client_socket_pool_unittest.cc b/net/socket/ssl_client_socket_pool_unittest.cc index d77e15752e0..c6896ec209e 100644 --- a/net/socket/ssl_client_socket_pool_unittest.cc +++ b/net/socket/ssl_client_socket_pool_unittest.cc @@ -96,7 +96,7 @@ class SSLClientSocketPoolTest : public testing::Test { ssl_histograms_.get(), NULL /* host_resolver */, NULL /* cert_verifier */, - NULL /* origin_bound_cert_service */, + NULL /* server_bound_cert_service */, NULL /* transport_security_state */, NULL /* ssl_host_info_factory */, "" /* ssl_session_cache_shard */, diff --git a/net/socket/ssl_client_socket_win.cc b/net/socket/ssl_client_socket_win.cc index 4e61c6ffffb..b2054eb5bd5 100644 --- a/net/socket/ssl_client_socket_win.cc +++ b/net/socket/ssl_client_socket_win.cc @@ -412,7 +412,7 @@ void SSLClientSocketWin::GetSSLInfo(SSLInfo* ssl_info) { ssl_info->public_key_hashes = server_cert_verify_result_.public_key_hashes; ssl_info->is_issued_by_known_root = server_cert_verify_result_.is_issued_by_known_root; - ssl_info->client_cert_sent = WasOriginBoundCertSent() || + ssl_info->client_cert_sent = WasDomainBoundCertSent() || (ssl_config_.send_client_cert && ssl_config_.client_cert); SecPkgContext_ConnectionInfo connection_info; SECURITY_STATUS status = QueryContextAttributes( @@ -555,7 +555,7 @@ SSLClientSocketWin::GetNextProto(std::string* proto, return kNextProtoUnsupported; } -OriginBoundCertService* SSLClientSocketWin::GetOriginBoundCertService() const { +ServerBoundCertService* SSLClientSocketWin::GetServerBoundCertService() const { return NULL; } diff --git a/net/socket/ssl_client_socket_win.h b/net/socket/ssl_client_socket_win.h index e1ca1120928..e9a74feeb22 100644 --- a/net/socket/ssl_client_socket_win.h +++ b/net/socket/ssl_client_socket_win.h @@ -55,7 +55,7 @@ class SSLClientSocketWin : public SSLClientSocket { unsigned int outlen); virtual NextProtoStatus GetNextProto(std::string* proto, std::string* server_protos); - virtual OriginBoundCertService* GetOriginBoundCertService() const OVERRIDE; + virtual ServerBoundCertService* GetServerBoundCertService() const OVERRIDE; // StreamSocket implementation. virtual int Connect(const CompletionCallback& callback) OVERRIDE; diff --git a/net/socket/ssl_server_socket_unittest.cc b/net/socket/ssl_server_socket_unittest.cc index 11276d1f7be..ce998e408f2 100644 --- a/net/socket/ssl_server_socket_unittest.cc +++ b/net/socket/ssl_server_socket_unittest.cc @@ -281,7 +281,7 @@ class SSLServerSocketTest : public PlatformTest { net::SSLConfig ssl_config; ssl_config.cached_info_enabled = false; ssl_config.false_start_enabled = false; - ssl_config.origin_bound_certs_enabled = false; + ssl_config.domain_bound_certs_enabled = false; ssl_config.ssl3_enabled = true; ssl_config.tls1_enabled = true; diff --git a/net/socket_stream/socket_stream.cc b/net/socket_stream/socket_stream.cc index 9da445620fe..8604d281e6f 100644 --- a/net/socket_stream/socket_stream.cc +++ b/net/socket_stream/socket_stream.cc @@ -58,7 +58,7 @@ SocketStream::SocketStream(const GURL& url, Delegate* delegate) next_state_(STATE_NONE), host_resolver_(NULL), cert_verifier_(NULL), - origin_bound_cert_service_(NULL), + server_bound_cert_service_(NULL), http_auth_handler_factory_(NULL), factory_(ClientSocketFactory::GetDefaultFactory()), proxy_mode_(kDirectConnection), @@ -126,7 +126,7 @@ void SocketStream::set_context(URLRequestContext* context) { if (context_) { host_resolver_ = context_->host_resolver(); cert_verifier_ = context_->cert_verifier(); - origin_bound_cert_service_ = context_->origin_bound_cert_service(); + server_bound_cert_service_ = context_->server_bound_cert_service(); http_auth_handler_factory_ = context_->http_auth_handler_factory(); } } @@ -923,7 +923,7 @@ int SocketStream::DoSecureProxyConnect() { DCHECK(factory_); SSLClientSocketContext ssl_context; ssl_context.cert_verifier = cert_verifier_; - ssl_context.origin_bound_cert_service = origin_bound_cert_service_; + ssl_context.server_bound_cert_service = server_bound_cert_service_; // TODO(agl): look into plumbing SSLHostInfo here. socket_.reset(factory_->CreateSSLClientSocket( socket_.release(), @@ -954,7 +954,7 @@ int SocketStream::DoSSLConnect() { DCHECK(factory_); SSLClientSocketContext ssl_context; ssl_context.cert_verifier = cert_verifier_; - ssl_context.origin_bound_cert_service = origin_bound_cert_service_; + ssl_context.server_bound_cert_service = server_bound_cert_service_; // TODO(agl): look into plumbing SSLHostInfo here. socket_.reset(factory_->CreateSSLClientSocket(socket_.release(), HostPortPair::FromURL(url_), diff --git a/net/socket_stream/socket_stream.h b/net/socket_stream/socket_stream.h index 510310eb0e3..cf678d983cf 100644 --- a/net/socket_stream/socket_stream.h +++ b/net/socket_stream/socket_stream.h @@ -326,7 +326,7 @@ class NET_EXPORT SocketStream State next_state_; HostResolver* host_resolver_; CertVerifier* cert_verifier_; - OriginBoundCertService* origin_bound_cert_service_; + ServerBoundCertService* server_bound_cert_service_; HttpAuthHandlerFactory* http_auth_handler_factory_; ClientSocketFactory* factory_; diff --git a/net/spdy/spdy_http_stream_spdy2_unittest.cc b/net/spdy/spdy_http_stream_spdy2_unittest.cc index ecec044b5a6..1b5662ac91e 100644 --- a/net/spdy/spdy_http_stream_spdy2_unittest.cc +++ b/net/spdy/spdy_http_stream_spdy2_unittest.cc @@ -63,12 +63,6 @@ class SpdyHttpStreamSpdy2Test : public testing::Test { return session_->InitializeWithSocket(connection.release(), false, OK); } - void TestSendCredentials( - OriginBoundCertService* obc_service, - const std::string& cert, - const std::string& proof, - SSLClientCertType type); - SpdySessionDependencies session_deps_; scoped_ptr data_; scoped_refptr http_session_; @@ -243,216 +237,6 @@ TEST_F(SpdyHttpStreamSpdy2Test, SpdyURLTest) { EXPECT_TRUE(data()->at_write_eof()); } -namespace { - -void GetECOriginBoundCertAndProof(const std::string& origin, - OriginBoundCertService* obc_service, - std::string* cert, - std::string* proof) { - TestCompletionCallback callback; - std::vector requested_cert_types; - requested_cert_types.push_back(CLIENT_CERT_ECDSA_SIGN); - SSLClientCertType cert_type; - std::string key; - OriginBoundCertService::RequestHandle request_handle; - int rv = obc_service->GetOriginBoundCert(origin, requested_cert_types, - &cert_type, &key, cert, - callback.callback(), - &request_handle); - EXPECT_EQ(ERR_IO_PENDING, rv); - EXPECT_EQ(OK, callback.WaitForResult()); - EXPECT_EQ(CLIENT_CERT_ECDSA_SIGN, cert_type); - - unsigned char secret[32]; - memset(secret, 'A', arraysize(secret)); - - // Convert the key string into a vector - std::vector key_data(key.begin(), key.end()); - - base::StringPiece spki_piece; - ASSERT_TRUE(asn1::ExtractSPKIFromDERCert(*cert, &spki_piece)); - std::vector spki(spki_piece.data(), - spki_piece.data() + spki_piece.size()); - - std::vector proof_data; - scoped_ptr private_key( - crypto::ECPrivateKey::CreateFromEncryptedPrivateKeyInfo( - OriginBoundCertService::kEPKIPassword, key_data, spki)); - scoped_ptr creator( - crypto::ECSignatureCreator::Create(private_key.get())); - creator->Sign(secret, arraysize(secret), &proof_data); - proof->assign(proof_data.begin(), proof_data.end()); -} - -} // namespace - -// TODO(rch): When openssl supports origin bound certifictes, this -// guard can be removed -#if !defined(USE_OPENSSL) -// Test that if we request a resource for a new origin on a session that -// used origin bound certificates, that we send a CREDENTIAL frame for -// the new origin before we send the new request. -void SpdyHttpStreamSpdy2Test::TestSendCredentials( - OriginBoundCertService* obc_service, - const std::string& cert, - const std::string& proof, - SSLClientCertType type) { - EnableCompression(false); - - spdy::SpdyCredential cred; - cred.slot = 1; - cred.proof = proof; - cred.certs.push_back(cert); - - scoped_ptr req(ConstructSpdyGet(NULL, 0, false, 1, LOWEST)); - scoped_ptr credential(ConstructSpdyCredential(cred)); - scoped_ptr req2(ConstructSpdyGet("http://www.gmail.com", - false, 3, LOWEST)); - MockWrite writes[] = { - CreateMockWrite(*req.get(), 0), - CreateMockWrite(*credential.get(), 2), - CreateMockWrite(*req2.get(), 3), - }; - - scoped_ptr resp(ConstructSpdyGetSynReply(NULL, 0, 1)); - scoped_ptr resp2(ConstructSpdyGetSynReply(NULL, 0, 3)); - MockRead reads[] = { - CreateMockRead(*resp, 1), - CreateMockRead(*resp2, 4), - MockRead(SYNCHRONOUS, 0, 5) // EOF - }; - - HostPortPair host_port_pair("www.google.com", 80); - HostPortProxyPair pair(host_port_pair, ProxyServer::Direct()); - - DeterministicMockClientSocketFactory* socket_factory = - session_deps_.deterministic_socket_factory.get(); - scoped_refptr data( - new DeterministicSocketData(reads, arraysize(reads), - writes, arraysize(writes))); - socket_factory->AddSocketDataProvider(data.get()); - SSLSocketDataProvider ssl(SYNCHRONOUS, OK); - ssl.origin_bound_cert_type = type; - ssl.origin_bound_cert_service = obc_service; - ssl.protocol_negotiated = SSLClientSocket::kProtoSPDY3; - socket_factory->AddSSLSocketDataProvider(&ssl); - http_session_ = SpdySessionDependencies::SpdyCreateSessionDeterministic( - &session_deps_); - session_ = http_session_->spdy_session_pool()->Get(pair, BoundNetLog()); - transport_params_ = new TransportSocketParams(host_port_pair, - MEDIUM, false, false); - TestCompletionCallback callback; - scoped_ptr connection(new ClientSocketHandle); - SSLConfig ssl_config; - scoped_refptr socks_params; - scoped_refptr http_proxy_params; - scoped_refptr ssl_params( - new SSLSocketParams(transport_params_, - socks_params, - http_proxy_params, - ProxyServer::SCHEME_DIRECT, - host_port_pair, - ssl_config, - 0, - false, - false)); - EXPECT_EQ(ERR_IO_PENDING, - connection->Init(host_port_pair.ToString(), - ssl_params, - MEDIUM, - callback.callback(), - http_session_->GetSSLSocketPool( - HttpNetworkSession::NORMAL_SOCKET_POOL), - BoundNetLog())); - callback.WaitForResult(); - EXPECT_EQ(OK, - session_->InitializeWithSocket(connection.release(), true, OK)); - - HttpRequestInfo request; - request.method = "GET"; - request.url = GURL("http://www.google.com/"); - HttpResponseInfo response; - HttpRequestHeaders headers; - BoundNetLog net_log; - scoped_ptr http_stream( - new SpdyHttpStream(session_.get(), true)); - ASSERT_EQ( - OK, - http_stream->InitializeStream(&request, net_log, CompletionCallback())); - - EXPECT_FALSE(session_->NeedsCredentials(host_port_pair)); - HostPortPair new_host_port_pair("www.gmail.com", 80); - EXPECT_TRUE(session_->NeedsCredentials(new_host_port_pair)); - - EXPECT_EQ(ERR_IO_PENDING, http_stream->SendRequest(headers, NULL, &response, - callback.callback())); - EXPECT_TRUE(http_session_->spdy_session_pool()->HasSession(pair)); - - data->RunFor(2); - callback.WaitForResult(); - - // Start up second request for resource on a new origin. - scoped_ptr http_stream2( - new SpdyHttpStream(session_.get(), true)); - request.url = GURL("http://www.gmail.com/"); - ASSERT_EQ( - OK, - http_stream2->InitializeStream(&request, net_log, CompletionCallback())); - EXPECT_EQ(ERR_IO_PENDING, http_stream2->SendRequest(headers, NULL, &response, - callback.callback())); - data->RunFor(2); - callback.WaitForResult(); - - EXPECT_EQ(ERR_IO_PENDING, http_stream2->ReadResponseHeaders( - callback.callback())); - data->RunFor(1); - EXPECT_EQ(OK, callback.WaitForResult()); - ASSERT_TRUE(response.headers.get() != NULL); - ASSERT_EQ(200, response.headers->response_code()); -} - -class MockECSignatureCreator : public crypto::ECSignatureCreator { - public: - explicit MockECSignatureCreator(crypto::ECPrivateKey* key) : key_(key) {} - - virtual bool Sign(const uint8* data, - int data_len, - std::vector* signature) OVERRIDE { - std::vector private_key_value; - key_->ExportValue(&private_key_value); - std::string head = "fakesignature"; - std::string tail = "/fakesignature"; - - signature->clear(); - signature->insert(signature->end(), head.begin(), head.end()); - signature->insert(signature->end(), private_key_value.begin(), - private_key_value.end()); - signature->insert(signature->end(), '-'); - signature->insert(signature->end(), data, data + data_len); - signature->insert(signature->end(), tail.begin(), tail.end()); - return true; - } - - private: - crypto::ECPrivateKey* key_; - DISALLOW_COPY_AND_ASSIGN(MockECSignatureCreator); -}; - -class MockECSignatureCreatorFactory : public crypto::ECSignatureCreatorFactory { - public: - MockECSignatureCreatorFactory() {} - virtual ~MockECSignatureCreatorFactory() {} - - virtual crypto::ECSignatureCreator* Create( - crypto::ECPrivateKey* key) OVERRIDE { - return new MockECSignatureCreator(key); - } - private: - DISALLOW_COPY_AND_ASSIGN(MockECSignatureCreatorFactory); -}; - -#endif // !defined(USE_OPENSSL) - // TODO(willchan): Write a longer test for SpdyStream that exercises all // methods. diff --git a/net/spdy/spdy_http_stream_spdy3_unittest.cc b/net/spdy/spdy_http_stream_spdy3_unittest.cc index b0a34c78acb..68a958ce6ce 100644 --- a/net/spdy/spdy_http_stream_spdy3_unittest.cc +++ b/net/spdy/spdy_http_stream_spdy3_unittest.cc @@ -64,7 +64,7 @@ class SpdyHttpStreamSpdy3Test : public testing::Test { } void TestSendCredentials( - OriginBoundCertService* obc_service, + ServerBoundCertService* server_bound_cert_service, const std::string& cert, const std::string& proof, SSLClientCertType type); @@ -245,20 +245,20 @@ TEST_F(SpdyHttpStreamSpdy3Test, SpdyURLTest) { namespace { -void GetECOriginBoundCertAndProof(const std::string& origin, - OriginBoundCertService* obc_service, - std::string* cert, - std::string* proof) { +void GetECServerBoundCertAndProof( + const std::string& origin, + ServerBoundCertService* server_bound_cert_service, + std::string* cert, + std::string* proof) { TestCompletionCallback callback; std::vector requested_cert_types; requested_cert_types.push_back(CLIENT_CERT_ECDSA_SIGN); SSLClientCertType cert_type; std::string key; - OriginBoundCertService::RequestHandle request_handle; - int rv = obc_service->GetOriginBoundCert(origin, requested_cert_types, - &cert_type, &key, cert, - callback.callback(), - &request_handle); + ServerBoundCertService::RequestHandle request_handle; + int rv = server_bound_cert_service->GetDomainBoundCert( + origin, requested_cert_types, &cert_type, &key, cert, callback.callback(), + &request_handle); EXPECT_EQ(ERR_IO_PENDING, rv); EXPECT_EQ(OK, callback.WaitForResult()); EXPECT_EQ(CLIENT_CERT_ECDSA_SIGN, cert_type); @@ -277,7 +277,7 @@ void GetECOriginBoundCertAndProof(const std::string& origin, std::vector proof_data; scoped_ptr private_key( crypto::ECPrivateKey::CreateFromEncryptedPrivateKeyInfo( - OriginBoundCertService::kEPKIPassword, key_data, spki)); + ServerBoundCertService::kEPKIPassword, key_data, spki)); scoped_ptr creator( crypto::ECSignatureCreator::Create(private_key.get())); creator->Sign(secret, arraysize(secret), &proof_data); @@ -286,14 +286,14 @@ void GetECOriginBoundCertAndProof(const std::string& origin, } // namespace -// TODO(rch): When openssl supports origin bound certifictes, this +// TODO(rch): When openssl supports server bound certifictes, this // guard can be removed #if !defined(USE_OPENSSL) // Test that if we request a resource for a new origin on a session that -// used origin bound certificates, that we send a CREDENTIAL frame for -// the new origin before we send the new request. +// used domain bound certificates, that we send a CREDENTIAL frame for +// the new domain before we send the new request. void SpdyHttpStreamSpdy3Test::TestSendCredentials( - OriginBoundCertService* obc_service, + ServerBoundCertService* server_bound_cert_service, const std::string& cert, const std::string& proof, SSLClientCertType type) { @@ -332,8 +332,8 @@ void SpdyHttpStreamSpdy3Test::TestSendCredentials( writes, arraysize(writes))); socket_factory->AddSocketDataProvider(data.get()); SSLSocketDataProvider ssl(SYNCHRONOUS, OK); - ssl.origin_bound_cert_type = type; - ssl.origin_bound_cert_service = obc_service; + ssl.domain_bound_cert_type = type; + ssl.server_bound_cert_service = server_bound_cert_service; ssl.protocol_negotiated = SSLClientSocket::kProtoSPDY3; socket_factory->AddSSLSocketDataProvider(&ssl); http_session_ = SpdySessionDependencies::SpdyCreateSessionDeterministic( @@ -457,14 +457,16 @@ TEST_F(SpdyHttpStreamSpdy3Test, SendCredentialsEC) { crypto::ECSignatureCreator::SetFactoryForTesting( ec_signature_creator_factory.get()); - scoped_ptr obc_service( - new OriginBoundCertService(new DefaultOriginBoundCertStore(NULL))); + scoped_ptr server_bound_cert_service( + new ServerBoundCertService(new DefaultServerBoundCertStore(NULL))); std::string cert; std::string proof; - GetECOriginBoundCertAndProof("http://www.gmail.com/", obc_service.get(), + GetECServerBoundCertAndProof("http://www.gmail.com/", + server_bound_cert_service.get(), &cert, &proof); - TestSendCredentials(obc_service.get(), cert, proof, CLIENT_CERT_ECDSA_SIGN); + TestSendCredentials(server_bound_cert_service.get(), cert, proof, + CLIENT_CERT_ECDSA_SIGN); } #endif // !defined(USE_OPENSSL) diff --git a/net/spdy/spdy_session.cc b/net/spdy/spdy_session.cc index ddfa2a2be9e..cf955dbeb31 100644 --- a/net/spdy/spdy_session.cc +++ b/net/spdy/spdy_session.cc @@ -407,7 +407,7 @@ net::Error SpdySession::InitializeWithSocket( protocol = protocol_negotiated; } - if (ssl_socket->WasOriginBoundCertSent()) { + if (ssl_socket->WasDomainBoundCertSent()) { // According to the SPDY spec, the credential associated with the TLS // connection is stored in slot[0]. credential_state_.SetHasCredential(host_port_pair()); @@ -599,7 +599,7 @@ bool SpdySession::NeedsCredentials(const HostPortPair& origin) const { SSLClientSocket* ssl_socket = GetSSLClientSocket(); if (ssl_socket->protocol_negotiated() < SSLClientSocket::kProtoSPDY3) return false; - if (!ssl_socket->WasOriginBoundCertSent()) + if (!ssl_socket->WasDomainBoundCertSent()) return false; return !credential_state_.HasCredential(origin); } @@ -681,7 +681,7 @@ int SpdySession::WriteCredentialFrame(const std::string& origin, spki_piece.data() + spki_piece.size()); scoped_ptr private_key( crypto::ECPrivateKey::CreateFromEncryptedPrivateKeyInfo( - OriginBoundCertService::kEPKIPassword, key_data, spki)); + ServerBoundCertService::kEPKIPassword, key_data, spki)); scoped_ptr creator( crypto::ECSignatureCreator::Create(private_key.get())); creator->Sign(secret, arraysize(secret), &proof); @@ -1272,16 +1272,16 @@ bool SpdySession::GetSSLCertRequestInfo( return true; } -OriginBoundCertService* SpdySession::GetOriginBoundCertService() const { +ServerBoundCertService* SpdySession::GetServerBoundCertService() const { if (!is_secure_) return NULL; - return GetSSLClientSocket()->GetOriginBoundCertService(); + return GetSSLClientSocket()->GetServerBoundCertService(); } -SSLClientCertType SpdySession::GetOriginBoundCertType() const { +SSLClientCertType SpdySession::GetDomainBoundCertType() const { if (!is_secure_) return CLIENT_CERT_INVALID_TYPE; - return GetSSLClientSocket()->origin_bound_cert_type(); + return GetSSLClientSocket()->domain_bound_cert_type(); } void SpdySession::OnError(int error_code) { diff --git a/net/spdy/spdy_session.h b/net/spdy/spdy_session.h index f56187bb7cb..66a3acd62c4 100644 --- a/net/spdy/spdy_session.h +++ b/net/spdy/spdy_session.h @@ -160,13 +160,13 @@ class NET_EXPORT SpdySession : public base::RefCounted, // true when SSL is in use. bool GetSSLCertRequestInfo(SSLCertRequestInfo* cert_request_info); - // Returns the OriginBoundCertService used by this Socket, or NULL - // Origin Bound Certs are not supported in this session. - OriginBoundCertService* GetOriginBoundCertService() const; + // Returns the ServerBoundCertService used by this Socket, or NULL + // if server bound certs are not supported in this session. + ServerBoundCertService* GetServerBoundCertService() const; - // Returns the type of the origin bound cert that was sent, or + // Returns the type of the domain bound cert that was sent, or // CLIENT_CERT_INVALID_TYPE if none was sent. - SSLClientCertType GetOriginBoundCertType() const; + SSLClientCertType GetDomainBoundCertType() const; // Reset all static settings to initialized values. Used to init test suite. static void ResetStaticSettingsToInit(); @@ -253,7 +253,7 @@ class NET_EXPORT SpdySession : public base::RefCounted, int GetLocalAddress(IPEndPoint* address) const; // Returns true if a request for a resource in |origin| requires a - // SPDY CREDENTIAL frame to be sent first, with an origin bound certificate. + // SPDY CREDENTIAL frame to be sent first, with a domain bound certificate. bool NeedsCredentials(const HostPortPair& origin) const; // Adds |alias| to set of aliases associated with this session. diff --git a/net/spdy/spdy_session_spdy2_unittest.cc b/net/spdy/spdy_session_spdy2_unittest.cc index 346c057921c..cdedd1ec21e 100644 --- a/net/spdy/spdy_session_spdy2_unittest.cc +++ b/net/spdy/spdy_session_spdy2_unittest.cc @@ -949,7 +949,7 @@ TEST_F(SpdySessionSpdy2Test, NeedsCredentials) { session_deps.socket_factory->AddSocketDataProvider(&data); SSLSocketDataProvider ssl(SYNCHRONOUS, OK); - ssl.origin_bound_cert_type = CLIENT_CERT_ECDSA_SIGN; + ssl.domain_bound_cert_type = CLIENT_CERT_ECDSA_SIGN; ssl.protocol_negotiated = SSLClientSocket::kProtoSPDY2; session_deps.socket_factory->AddSSLSocketDataProvider(&ssl); diff --git a/net/spdy/spdy_session_spdy3_unittest.cc b/net/spdy/spdy_session_spdy3_unittest.cc index f516ed2a624..c38b769062c 100644 --- a/net/spdy/spdy_session_spdy3_unittest.cc +++ b/net/spdy/spdy_session_spdy3_unittest.cc @@ -949,7 +949,7 @@ TEST_F(SpdySessionSpdy3Test, NeedsCredentials) { session_deps.socket_factory->AddSocketDataProvider(&data); SSLSocketDataProvider ssl(SYNCHRONOUS, OK); - ssl.origin_bound_cert_type = CLIENT_CERT_ECDSA_SIGN; + ssl.domain_bound_cert_type = CLIENT_CERT_ECDSA_SIGN; ssl.protocol_negotiated = SSLClientSocket::kProtoSPDY3; session_deps.socket_factory->AddSSLSocketDataProvider(&ssl); @@ -1025,7 +1025,7 @@ TEST_F(SpdySessionSpdy3Test, SendCredentials) { session_deps.socket_factory->AddSocketDataProvider(&data); SSLSocketDataProvider ssl(SYNCHRONOUS, OK); - ssl.origin_bound_cert_type = CLIENT_CERT_ECDSA_SIGN; + ssl.domain_bound_cert_type = CLIENT_CERT_ECDSA_SIGN; ssl.protocol_negotiated = SSLClientSocket::kProtoSPDY3; session_deps.socket_factory->AddSSLSocketDataProvider(&ssl); diff --git a/net/spdy/spdy_stream.cc b/net/spdy/spdy_stream.cc index 0f20a853a38..29967e9fd9d 100644 --- a/net/spdy/spdy_stream.cc +++ b/net/spdy/spdy_stream.cc @@ -90,7 +90,7 @@ SpdyStream::SpdyStream(SpdySession* session, net_log_(net_log), send_bytes_(0), recv_bytes_(0), - ob_cert_type_(CLIENT_CERT_INVALID_TYPE) { + domain_bound_cert_type_(CLIENT_CERT_INVALID_TYPE) { } SpdyStream::~SpdyStream() { @@ -490,7 +490,7 @@ int SpdyStream::SendRequest(bool has_upload_data) { return ERR_IO_PENDING; } CHECK_EQ(STATE_NONE, io_state_); - io_state_ = STATE_GET_ORIGIN_BOUND_CERT; + io_state_ = STATE_GET_DOMAIN_BOUND_CERT; return DoLoop(OK); } @@ -559,8 +559,8 @@ GURL SpdyStream::GetUrlFromHeaderBlock( return GURL(url); } -void SpdyStream::OnGetOriginBoundCertComplete(int result) { - DCHECK_EQ(STATE_GET_ORIGIN_BOUND_CERT_COMPLETE, io_state_); +void SpdyStream::OnGetDomainBoundCertComplete(int result) { + DCHECK_EQ(STATE_GET_DOMAIN_BOUND_CERT_COMPLETE, io_state_); DoLoop(result); } @@ -570,19 +570,19 @@ int SpdyStream::DoLoop(int result) { io_state_ = STATE_NONE; switch (state) { // State machine 1: Send headers and body. - case STATE_GET_ORIGIN_BOUND_CERT: + case STATE_GET_DOMAIN_BOUND_CERT: CHECK_EQ(OK, result); - result = DoGetOriginBoundCert(); + result = DoGetDomainBoundCert(); break; - case STATE_GET_ORIGIN_BOUND_CERT_COMPLETE: - result = DoGetOriginBoundCertComplete(result); + case STATE_GET_DOMAIN_BOUND_CERT_COMPLETE: + result = DoGetDomainBoundCertComplete(result); break; - case STATE_SEND_ORIGIN_BOUND_CERT: + case STATE_SEND_DOMAIN_BOUND_CERT: CHECK_EQ(OK, result); - result = DoSendOriginBoundCert(); + result = DoSendDomainBoundCert(); break; - case STATE_SEND_ORIGIN_BOUND_CERT_COMPLETE: - result = DoSendOriginBoundCertComplete(result); + case STATE_SEND_DOMAIN_BOUND_CERT_COMPLETE: + result = DoSendDomainBoundCertComplete(result); break; case STATE_SEND_HEADERS: CHECK_EQ(OK, result); @@ -635,7 +635,7 @@ int SpdyStream::DoLoop(int result) { return result; } -int SpdyStream::DoGetOriginBoundCert() { +int SpdyStream::DoGetDomainBoundCert() { CHECK(request_.get()); HostPortPair origin(HostPortPair::FromURL(GetUrl())); if (!session_->NeedsCredentials(origin)) { @@ -644,42 +644,42 @@ int SpdyStream::DoGetOriginBoundCert() { return OK; } - io_state_ = STATE_GET_ORIGIN_BOUND_CERT_COMPLETE; - OriginBoundCertService* obc_service = session_->GetOriginBoundCertService(); - DCHECK(obc_service != NULL); + io_state_ = STATE_GET_DOMAIN_BOUND_CERT_COMPLETE; + ServerBoundCertService* sbc_service = session_->GetServerBoundCertService(); + DCHECK(sbc_service != NULL); std::vector requested_cert_types; - requested_cert_types.push_back(session_->GetOriginBoundCertType()); - int rv = obc_service->GetOriginBoundCert( - GetUrl().GetOrigin().spec(), requested_cert_types, &ob_cert_type_, - &ob_private_key_, &ob_cert_, - base::Bind(&SpdyStream::OnGetOriginBoundCertComplete, + requested_cert_types.push_back(session_->GetDomainBoundCertType()); + int rv = sbc_service->GetDomainBoundCert( + GetUrl().GetOrigin().spec(), requested_cert_types, + &domain_bound_cert_type_, &domain_bound_private_key_, &domain_bound_cert_, + base::Bind(&SpdyStream::OnGetDomainBoundCertComplete, base::Unretained(this)), - &ob_cert_request_handle_); + &domain_bound_cert_request_handle_); return rv; } -int SpdyStream::DoGetOriginBoundCertComplete(int result) { +int SpdyStream::DoGetDomainBoundCertComplete(int result) { if (result != OK) return result; - io_state_ = STATE_SEND_ORIGIN_BOUND_CERT; + io_state_ = STATE_SEND_DOMAIN_BOUND_CERT; return OK; } -int SpdyStream::DoSendOriginBoundCert() { - io_state_ = STATE_SEND_ORIGIN_BOUND_CERT_COMPLETE; +int SpdyStream::DoSendDomainBoundCert() { + io_state_ = STATE_SEND_DOMAIN_BOUND_CERT_COMPLETE; CHECK(request_.get()); std::string origin = GetUrl().GetOrigin().spec(); origin.erase(origin.length() - 1); // trim trailing slash int rv = session_->WriteCredentialFrame( - origin, ob_cert_type_, ob_private_key_, ob_cert_, - static_cast(priority_)); + origin, domain_bound_cert_type_, domain_bound_private_key_, + domain_bound_cert_, static_cast(priority_)); if (rv != ERR_IO_PENDING) return rv; return OK; } -int SpdyStream::DoSendOriginBoundCertComplete(int result) { +int SpdyStream::DoSendDomainBoundCertComplete(int result) { if (result < 0) return result; diff --git a/net/spdy/spdy_stream.h b/net/spdy/spdy_stream.h index 3d0804b257e..131137d05a1 100644 --- a/net/spdy/spdy_stream.h +++ b/net/spdy/spdy_stream.h @@ -258,10 +258,10 @@ class NET_EXPORT_PRIVATE SpdyStream private: enum State { STATE_NONE, - STATE_GET_ORIGIN_BOUND_CERT, - STATE_GET_ORIGIN_BOUND_CERT_COMPLETE, - STATE_SEND_ORIGIN_BOUND_CERT, - STATE_SEND_ORIGIN_BOUND_CERT_COMPLETE, + STATE_GET_DOMAIN_BOUND_CERT, + STATE_GET_DOMAIN_BOUND_CERT_COMPLETE, + STATE_SEND_DOMAIN_BOUND_CERT, + STATE_SEND_DOMAIN_BOUND_CERT_COMPLETE, STATE_SEND_HEADERS, STATE_SEND_HEADERS_COMPLETE, STATE_SEND_BODY, @@ -274,16 +274,16 @@ class NET_EXPORT_PRIVATE SpdyStream friend class base::RefCounted; virtual ~SpdyStream(); - void OnGetOriginBoundCertComplete(int result); + void OnGetDomainBoundCertComplete(int result); // Try to make progress sending/receiving the request/response. int DoLoop(int result); // The implementations of each state of the state machine. - int DoGetOriginBoundCert(); - int DoGetOriginBoundCertComplete(int result); - int DoSendOriginBoundCert(); - int DoSendOriginBoundCertComplete(int result); + int DoGetDomainBoundCert(); + int DoGetDomainBoundCertComplete(int result); + int DoSendDomainBoundCert(); + int DoSendDomainBoundCertComplete(int result); int DoSendHeaders(); int DoSendHeadersComplete(int result); int DoSendBody(); @@ -357,10 +357,10 @@ class NET_EXPORT_PRIVATE SpdyStream // Data received before delegate is attached. std::vector > pending_buffers_; - SSLClientCertType ob_cert_type_; - std::string ob_private_key_; - std::string ob_cert_; - OriginBoundCertService::RequestHandle ob_cert_request_handle_; + SSLClientCertType domain_bound_cert_type_; + std::string domain_bound_private_key_; + std::string domain_bound_cert_; + ServerBoundCertService::RequestHandle domain_bound_cert_request_handle_; DISALLOW_COPY_AND_ASSIGN(SpdyStream); }; diff --git a/net/url_request/url_request_context.cc b/net/url_request/url_request_context.cc index c2c784334cd..e42d46536b0 100644 --- a/net/url_request/url_request_context.cc +++ b/net/url_request/url_request_context.cc @@ -18,7 +18,7 @@ URLRequestContext::URLRequestContext() net_log_(NULL), host_resolver_(NULL), cert_verifier_(NULL), - origin_bound_cert_service_(NULL), + server_bound_cert_service_(NULL), fraudulent_certificate_reporter_(NULL), http_auth_handler_factory_(NULL), proxy_service_(NULL), @@ -36,7 +36,7 @@ void URLRequestContext::CopyFrom(URLRequestContext* other) { set_net_log(other->net_log()); set_host_resolver(other->host_resolver()); set_cert_verifier(other->cert_verifier()); - set_origin_bound_cert_service(other->origin_bound_cert_service()); + set_server_bound_cert_service(other->server_bound_cert_service()); set_fraudulent_certificate_reporter(other->fraudulent_certificate_reporter()); set_http_auth_handler_factory(other->http_auth_handler_factory()); set_proxy_service(other->proxy_service()); diff --git a/net/url_request/url_request_context.h b/net/url_request/url_request_context.h index 7d9d2e60855..f4fb5ea4927 100644 --- a/net/url_request/url_request_context.h +++ b/net/url_request/url_request_context.h @@ -1,4 +1,4 @@ -// Copyright (c) 2011 The Chromium Authors. All rights reserved. +// Copyright (c) 2012 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -31,7 +31,7 @@ class HostResolver; class HttpAuthHandlerFactory; class HttpTransactionFactory; class NetworkDelegate; -class OriginBoundCertService; +class ServerBoundCertService; class ProxyService; class URLRequest; class URLRequestJobFactory; @@ -77,13 +77,13 @@ class NET_EXPORT URLRequestContext cert_verifier_ = cert_verifier; } - OriginBoundCertService* origin_bound_cert_service() const { - return origin_bound_cert_service_; + ServerBoundCertService* server_bound_cert_service() const { + return server_bound_cert_service_; } - void set_origin_bound_cert_service( - OriginBoundCertService* origin_bound_cert_service) { - origin_bound_cert_service_ = origin_bound_cert_service; + void set_server_bound_cert_service( + ServerBoundCertService* server_bound_cert_service) { + server_bound_cert_service_ = server_bound_cert_service; } FraudulentCertificateReporter* fraudulent_certificate_reporter() const { @@ -207,7 +207,7 @@ class NET_EXPORT URLRequestContext NetLog* net_log_; HostResolver* host_resolver_; CertVerifier* cert_verifier_; - OriginBoundCertService* origin_bound_cert_service_; + ServerBoundCertService* server_bound_cert_service_; FraudulentCertificateReporter* fraudulent_certificate_reporter_; HttpAuthHandlerFactory* http_auth_handler_factory_; ProxyService* proxy_service_; diff --git a/net/url_request/url_request_context_storage.cc b/net/url_request/url_request_context_storage.cc index 88908390dda..2c9f8163c80 100644 --- a/net/url_request/url_request_context_storage.cc +++ b/net/url_request/url_request_context_storage.cc @@ -44,10 +44,10 @@ void URLRequestContextStorage::set_cert_verifier(CertVerifier* cert_verifier) { cert_verifier_.reset(cert_verifier); } -void URLRequestContextStorage::set_origin_bound_cert_service( - OriginBoundCertService* origin_bound_cert_service) { - context_->set_origin_bound_cert_service(origin_bound_cert_service); - origin_bound_cert_service_.reset(origin_bound_cert_service); +void URLRequestContextStorage::set_server_bound_cert_service( + ServerBoundCertService* server_bound_cert_service) { + context_->set_server_bound_cert_service(server_bound_cert_service); + server_bound_cert_service_.reset(server_bound_cert_service); } void URLRequestContextStorage::set_fraudulent_certificate_reporter( diff --git a/net/url_request/url_request_context_storage.h b/net/url_request/url_request_context_storage.h index 8ae2a0029fc..1e62fb15f44 100644 --- a/net/url_request/url_request_context_storage.h +++ b/net/url_request/url_request_context_storage.h @@ -1,4 +1,4 @@ -// Copyright (c) 2011 The Chromium Authors. All rights reserved. +// Copyright (c) 2012 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -23,7 +23,7 @@ class HttpServerProperties; class HttpTransactionFactory; class NetLog; class NetworkDelegate; -class OriginBoundCertService; +class ServerBoundCertService; class ProxyService; class SSLConfigService; class TransportSecurityState; @@ -46,8 +46,8 @@ class NET_EXPORT URLRequestContextStorage { void set_net_log(NetLog* net_log); void set_host_resolver(HostResolver* host_resolver); void set_cert_verifier(CertVerifier* cert_verifier); - void set_origin_bound_cert_service( - OriginBoundCertService* origin_bound_cert_service); + void set_server_bound_cert_service( + ServerBoundCertService* server_bound_cert_service); void set_fraudulent_certificate_reporter( FraudulentCertificateReporter* fraudulent_certificate_reporter); void set_http_auth_handler_factory( @@ -75,7 +75,7 @@ class NET_EXPORT URLRequestContextStorage { scoped_ptr net_log_; scoped_ptr host_resolver_; scoped_ptr cert_verifier_; - scoped_ptr origin_bound_cert_service_; + scoped_ptr server_bound_cert_service_; scoped_ptr fraudulent_certificate_reporter_; scoped_ptr http_auth_handler_factory_; scoped_ptr proxy_service_; diff --git a/net/url_request/url_request_test_util.cc b/net/url_request/url_request_test_util.cc index dc5fa05d9cb..274a411556a 100644 --- a/net/url_request/url_request_test_util.cc +++ b/net/url_request/url_request_test_util.cc @@ -143,10 +143,10 @@ void TestURLRequestContext::Init() { if (!cookie_store()) context_storage_.set_cookie_store(new net::CookieMonster(NULL, NULL)); // In-memory origin bound cert service. - if (!origin_bound_cert_service()) { - context_storage_.set_origin_bound_cert_service( - new net::OriginBoundCertService( - new net::DefaultOriginBoundCertStore(NULL))); + if (!server_bound_cert_service()) { + context_storage_.set_server_bound_cert_service( + new net::ServerBoundCertService( + new net::DefaultServerBoundCertStore(NULL))); } if (accept_language().empty()) set_accept_language("en-us,fr"); diff --git a/tools/valgrind/gtest_exclude/net_unittests.gtest-tsan.txt b/tools/valgrind/gtest_exclude/net_unittests.gtest-tsan.txt index a367a26da9b..b3b63d2779d 100644 --- a/tools/valgrind/gtest_exclude/net_unittests.gtest-tsan.txt +++ b/tools/valgrind/gtest_exclude/net_unittests.gtest-tsan.txt @@ -21,4 +21,4 @@ HttpNetworkTransactionTest.KeepAliveConnectionEOF URLRequestTest.FileTest # http://crbug.com/92439 -OriginBoundCertServiceTest.* +ServerBoundCertServiceTest.* diff --git a/webkit/tools/test_shell/test_shell_request_context.cc b/webkit/tools/test_shell/test_shell_request_context.cc index 4d38d24d883..217eac409d4 100644 --- a/webkit/tools/test_shell/test_shell_request_context.cc +++ b/webkit/tools/test_shell/test_shell_request_context.cc @@ -49,8 +49,8 @@ void TestShellRequestContext::Init( net::HttpCache::Mode cache_mode, bool no_proxy) { storage_.set_cookie_store(new net::CookieMonster(NULL, NULL)); - storage_.set_origin_bound_cert_service(new net::OriginBoundCertService( - new net::DefaultOriginBoundCertStore(NULL))); + storage_.set_server_bound_cert_service(new net::ServerBoundCertService( + new net::DefaultServerBoundCertStore(NULL))); // hard-code A-L and A-C for test shells set_accept_language("en-us,en"); @@ -95,7 +95,7 @@ void TestShellRequestContext::Init( net::HttpCache* cache = new net::HttpCache(host_resolver(), cert_verifier(), - origin_bound_cert_service(), + server_bound_cert_service(), NULL, // transport_security_state proxy_service(), "", // ssl_session_cache_shard