src/chrome/browser/ui/android/ssl_client_certificate_request.cc

   1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "chrome/browser/ui/android/ssl_client_certificate_request.h"
   6
   7 #include "base/android/jni_array.h"
   8 #include "base/android/jni_string.h"
   9 #include "base/android/scoped_java_ref.h"
  10 #include "base/basictypes.h"
  11 #include "base/bind.h"
  12 #include "base/callback_helpers.h"
  13 #include "base/compiler_specific.h"
  14 #include "base/logging.h"
  15 #include "chrome/browser/ssl/ssl_client_certificate_selector.h"
  16 #include "chrome/browser/ui/android/window_android_helper.h"
  17 #include "content/public/browser/browser_thread.h"
  18 #include "jni/SSLClientCertificateRequest_jni.h"
  19 #include "net/android/keystore_openssl.h"
  20 #include "net/base/host_port_pair.h"
  21 #include "net/cert/cert_database.h"
  22 #include "net/cert/x509_certificate.h"
  23 #include "net/ssl/openssl_client_key_store.h"
  24 #include "net/ssl/ssl_cert_request_info.h"
  25 #include "net/ssl/ssl_client_cert_type.h"
  26 #include "ui/base/android/window_android.h"
  27
  28
  29 namespace chrome {
  30
  31 namespace {
  32
  33 typedef net::OpenSSLClientKeyStore::ScopedEVP_PKEY ScopedEVP_PKEY;
  34
  35 // Must be called on the I/O thread to record a client certificate
  36 // and its private key in the OpenSSLClientKeyStore.
  37 void RecordClientCertificateKey(
  38     const scoped_refptr<net::X509Certificate>& client_cert,
  39     ScopedEVP_PKEY private_key) {
  40   DCHECK_CURRENTLY_ON(content::BrowserThread::IO);
  41   net::OpenSSLClientKeyStore::GetInstance()->RecordClientCertPrivateKey(
  42       client_cert.get(), private_key.get());
  43 }
  44
  45 void StartClientCertificateRequest(
  46     const net::SSLCertRequestInfo* cert_request_info,
  47     ui::WindowAndroid* window,
  48     const chrome::SelectCertificateCallback& callback) {
  49   DCHECK_CURRENTLY_ON(content::BrowserThread::UI);
  50
  51   // Ensure that callback(NULL) is posted as a task on the UI thread
  52   // in case of an error.
  53   base::Closure post_task_closure = base::Bind(
  54       base::IgnoreResult(&content::BrowserThread::PostTask),
  55       content::BrowserThread::UI,
  56       FROM_HERE,
  57       base::Bind(callback, scoped_refptr<net::X509Certificate>()));
  58
  59   base::ScopedClosureRunner guard(post_task_closure);
  60
  61   // Build the |key_types| JNI parameter, as a String[]
  62   std::vector<std::string> key_types;
  63   for (size_t n = 0; n < cert_request_info->cert_key_types.size(); ++n) {
  64     switch (cert_request_info->cert_key_types[n]) {
  65       case net::CLIENT_CERT_RSA_SIGN:
  66         key_types.push_back("RSA");
  67         break;
  68       case net::CLIENT_CERT_DSS_SIGN:
  69         key_types.push_back("DSA");
  70         break;
  71       case net::CLIENT_CERT_ECDSA_SIGN:
  72         key_types.push_back("ECDSA");
  73         break;
  74       default:
  75         // Ignore unknown types.
  76         break;
  77     }
  78   }
  79
  80   JNIEnv* env = base::android::AttachCurrentThread();
  81   ScopedJavaLocalRef<jobjectArray> key_types_ref =
  82       base::android::ToJavaArrayOfStrings(env, key_types);
  83   if (key_types_ref.is_null()) {
  84     LOG(ERROR) << "Could not create key types array (String[])";
  85     return;
  86   }
  87
  88   // Build the |encoded_principals| JNI parameter, as a byte[][]
  89   ScopedJavaLocalRef<jobjectArray> principals_ref =
  90       base::android::ToJavaArrayOfByteArray(
  91           env, cert_request_info->cert_authorities);
  92   if (principals_ref.is_null()) {
  93     LOG(ERROR) << "Could not create principals array (byte[][])";
  94     return;
  95   }
  96
  97   // Build the |host_name| and |port| JNI parameters, as a String and
  98   // a jint.
  99   ScopedJavaLocalRef<jstring> host_name_ref =
 100       base::android::ConvertUTF8ToJavaString(
 101           env, cert_request_info->host_and_port.host());
 102
 103   // Create a copy of the callback on the heap so that its address
 104   // and ownership can be passed through and returned from Java via JNI.
 105   scoped_ptr<chrome::SelectCertificateCallback> request(
 106       new chrome::SelectCertificateCallback(callback));
 107
 108   jlong request_id = reinterpret_cast<intptr_t>(request.get());
 109
 110   if (!chrome::android::
 111       Java_SSLClientCertificateRequest_selectClientCertificate(
 112           env,
 113           request_id,
 114           window->GetJavaObject().obj(),
 115           key_types_ref.obj(),
 116           principals_ref.obj(),
 117           host_name_ref.obj(),
 118           cert_request_info->host_and_port.port())) {
 119     return;
 120   }
 121
 122   ignore_result(guard.Release());
 123
 124   // Ownership was transferred to Java.
 125   chrome::SelectCertificateCallback* ALLOW_UNUSED dummy =
 126       request.release();
 127 }
 128
 129 }  // namespace
 130
 131 namespace android {
 132
 133 // Called from JNI on request completion/result.
 134 // |env| is the current thread's JNIEnv.
 135 // |clazz| is the SSLClientCertificateRequest JNI class reference.
 136 // |request_id| is the id passed to
 137 // Java_SSLClientCertificateRequest_selectClientCertificate() in Start().
 138 // |encoded_chain_ref| is a JNI reference to a Java array of byte arrays,
 139 // each item holding a DER-encoded X.509 certificate.
 140 // |private_key_ref| is the platform PrivateKey object JNI reference for
 141 // the client certificate.
 142 // Note: both |encoded_chain_ref| and |private_key_ref| will be NULL if
 143 // the user didn't select a certificate.
 144 static void OnSystemRequestCompletion(
 145     JNIEnv* env,
 146     jclass clazz,
 147     jlong request_id,
 148     jobjectArray encoded_chain_ref,
 149     jobject private_key_ref) {
 150   DCHECK_CURRENTLY_ON(content::BrowserThread::UI);
 151
 152   // Take back ownership of the request object.
 153   scoped_ptr<chrome::SelectCertificateCallback> callback(
 154       reinterpret_cast<chrome::SelectCertificateCallback*>(request_id));
 155
 156   // Ensure that callback(NULL) is called in case of an error.
 157   base::Closure null_closure =
 158       base::Bind(*callback, scoped_refptr<net::X509Certificate>());
 159
 160   base::ScopedClosureRunner guard(null_closure);
 161
 162   if (encoded_chain_ref == NULL || private_key_ref == NULL) {
 163     LOG(ERROR) << "Client certificate request cancelled";
 164     return;
 165   }
 166
 167   // Convert the encoded chain to a vector of strings.
 168   std::vector<std::string> encoded_chain_strings;
 169   if (encoded_chain_ref) {
 170     base::android::JavaArrayOfByteArrayToStringVector(
 171         env, encoded_chain_ref, &encoded_chain_strings);
 172   }
 173
 174   std::vector<base::StringPiece> encoded_chain;
 175   for (size_t n = 0; n < encoded_chain_strings.size(); ++n)
 176     encoded_chain.push_back(encoded_chain_strings[n]);
 177
 178   // Create the X509Certificate object from the encoded chain.
 179   scoped_refptr<net::X509Certificate> client_cert(
 180       net::X509Certificate::CreateFromDERCertChain(encoded_chain));
 181   if (!client_cert.get()) {
 182     LOG(ERROR) << "Could not decode client certificate chain";
 183     return;
 184   }
 185
 186   // Create an EVP_PKEY wrapper for the private key JNI reference.
 187   ScopedEVP_PKEY private_key(
 188       net::android::GetOpenSSLPrivateKeyWrapper(private_key_ref));
 189   if (!private_key.get()) {
 190     LOG(ERROR) << "Could not create OpenSSL wrapper for private key";
 191     return;
 192   }
 193
 194   ignore_result(guard.Release());
 195
 196   // RecordClientCertificateKey() must be called on the I/O thread,
 197   // before the callback is called with the selected certificate on
 198   // the UI thread.
 199   content::BrowserThread::PostTaskAndReply(
 200       content::BrowserThread::IO,
 201       FROM_HERE,
 202       base::Bind(&RecordClientCertificateKey,
 203                  client_cert,
 204                  base::Passed(&private_key)),
 205       base::Bind(*callback, client_cert));
 206 }
 207
 208 static void NotifyClientCertificatesChanged() {
 209   net::CertDatabase::GetInstance()->OnAndroidKeyStoreChanged();
 210 }
 211
 212 static void NotifyClientCertificatesChangedOnIOThread(JNIEnv* env, jclass) {
 213   if (content::BrowserThread::CurrentlyOn(content::BrowserThread::IO)) {
 214     NotifyClientCertificatesChanged();
 215   } else {
 216     content::BrowserThread::PostTask(
 217          content::BrowserThread::IO,
 218          FROM_HERE,
 219          base::Bind(&NotifyClientCertificatesChanged));
 220   }
 221 }
 222
 223 bool RegisterSSLClientCertificateRequestAndroid(JNIEnv* env) {
 224   return RegisterNativesImpl(env);
 225 }
 226
 227 }  // namespace android
 228
 229 void ShowSSLClientCertificateSelector(
 230     content::WebContents* contents,
 231     const net::HttpNetworkSession* network_session,
 232     net::SSLCertRequestInfo* cert_request_info,
 233     const chrome::SelectCertificateCallback& callback) {
 234   ui::WindowAndroid* window =
 235       WindowAndroidHelper::FromWebContents(contents)->GetWindowAndroid();
 236   DCHECK(window);
 237   DCHECK_CURRENTLY_ON(content::BrowserThread::UI);
 238   StartClientCertificateRequest(cert_request_info, window, callback);
 239 }
 240
 241 }  // namespace chrome