1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "chrome/browser/ui/android/ssl_client_certificate_request.h"
6
7 #include "base/android/jni_array.h"
8 #include "base/android/jni_string.h"
9 #include "base/android/scoped_java_ref.h"
10 #include "base/basictypes.h"
11 #include "base/bind.h"
12 #include "base/callback_helpers.h"
13 #include "base/compiler_specific.h"
14 #include "base/logging.h"
15 #include "chrome/browser/ssl/ssl_client_certificate_selector.h"
16 #include "chrome/browser/ui/android/window_android_helper.h"
17 #include "content/public/browser/browser_thread.h"
18 #include "jni/SSLClientCertificateRequest_jni.h"
19 #include "net/android/keystore_openssl.h"
20 #include "net/base/host_port_pair.h"
21 #include "net/cert/cert_database.h"
22 #include "net/cert/x509_certificate.h"
23 #include "net/ssl/openssl_client_key_store.h"
24 #include "net/ssl/ssl_cert_request_info.h"
25 #include "net/ssl/ssl_client_cert_type.h"
26 #include "ui/base/android/window_android.h"
27
28
29 namespace chrome {
30
31 namespace {
32
33 typedef net::OpenSSLClientKeyStore::ScopedEVP_PKEY ScopedEVP_PKEY;
34
35 // Must be called on the I/O thread to record a client certificate
36 // and its private key in the OpenSSLClientKeyStore.
RecordClientCertificateKey(const scoped_refptr<net::X509Certificate> & client_cert,ScopedEVP_PKEY private_key)37 void RecordClientCertificateKey(
38 const scoped_refptr<net::X509Certificate>& client_cert,
39 ScopedEVP_PKEY private_key) {
40 DCHECK_CURRENTLY_ON(content::BrowserThread::IO);
41 net::OpenSSLClientKeyStore::GetInstance()->RecordClientCertPrivateKey(
42 client_cert.get(), private_key.get());
43 }
44
StartClientCertificateRequest(const net::SSLCertRequestInfo * cert_request_info,ui::WindowAndroid * window,const chrome::SelectCertificateCallback & callback)45 void StartClientCertificateRequest(
46 const net::SSLCertRequestInfo* cert_request_info,
47 ui::WindowAndroid* window,
48 const chrome::SelectCertificateCallback& callback) {
49 DCHECK_CURRENTLY_ON(content::BrowserThread::UI);
50
51 // Ensure that callback(NULL) is posted as a task on the UI thread
52 // in case of an error.
53 base::Closure post_task_closure = base::Bind(
54 base::IgnoreResult(&content::BrowserThread::PostTask),
55 content::BrowserThread::UI,
56 FROM_HERE,
57 base::Bind(callback, scoped_refptr<net::X509Certificate>()));
58
59 base::ScopedClosureRunner guard(post_task_closure);
60
61 // Build the |key_types| JNI parameter, as a String[]
62 std::vector<std::string> key_types;
63 for (size_t n = 0; n < cert_request_info->cert_key_types.size(); ++n) {
64 switch (cert_request_info->cert_key_types[n]) {
65 case net::CLIENT_CERT_RSA_SIGN:
66 key_types.push_back("RSA");
67 break;
68 case net::CLIENT_CERT_DSS_SIGN:
69 key_types.push_back("DSA");
70 break;
71 case net::CLIENT_CERT_ECDSA_SIGN:
72 key_types.push_back("ECDSA");
73 break;
74 default:
75 // Ignore unknown types.
76 break;
77 }
78 }
79
80 JNIEnv* env = base::android::AttachCurrentThread();
81 ScopedJavaLocalRef<jobjectArray> key_types_ref =
82 base::android::ToJavaArrayOfStrings(env, key_types);
83 if (key_types_ref.is_null()) {
84 LOG(ERROR) << "Could not create key types array (String[])";
85 return;
86 }
87
88 // Build the |encoded_principals| JNI parameter, as a byte[][]
89 ScopedJavaLocalRef<jobjectArray> principals_ref =
90 base::android::ToJavaArrayOfByteArray(
91 env, cert_request_info->cert_authorities);
92 if (principals_ref.is_null()) {
93 LOG(ERROR) << "Could not create principals array (byte[][])";
94 return;
95 }
96
97 // Build the |host_name| and |port| JNI parameters, as a String and
98 // a jint.
99 ScopedJavaLocalRef<jstring> host_name_ref =
100 base::android::ConvertUTF8ToJavaString(
101 env, cert_request_info->host_and_port.host());
102
103 // Create a copy of the callback on the heap so that its address
104 // and ownership can be passed through and returned from Java via JNI.
105 scoped_ptr<chrome::SelectCertificateCallback> request(
106 new chrome::SelectCertificateCallback(callback));
107
108 jlong request_id = reinterpret_cast<intptr_t>(request.get());
109
110 if (!chrome::android::
111 Java_SSLClientCertificateRequest_selectClientCertificate(
112 env,
113 request_id,
114 window->GetJavaObject().obj(),
115 key_types_ref.obj(),
116 principals_ref.obj(),
117 host_name_ref.obj(),
118 cert_request_info->host_and_port.port())) {
119 return;
120 }
121
122 ignore_result(guard.Release());
123
124 // Ownership was transferred to Java.
125 chrome::SelectCertificateCallback* ALLOW_UNUSED dummy =
126 request.release();
127 }
128
129 } // namespace
130
131 namespace android {
132
133 // Called from JNI on request completion/result.
134 // |env| is the current thread's JNIEnv.
135 // |clazz| is the SSLClientCertificateRequest JNI class reference.
136 // |request_id| is the id passed to
137 // Java_SSLClientCertificateRequest_selectClientCertificate() in Start().
138 // |encoded_chain_ref| is a JNI reference to a Java array of byte arrays,
139 // each item holding a DER-encoded X.509 certificate.
140 // |private_key_ref| is the platform PrivateKey object JNI reference for
141 // the client certificate.
142 // Note: both |encoded_chain_ref| and |private_key_ref| will be NULL if
143 // the user didn't select a certificate.
OnSystemRequestCompletion(JNIEnv * env,jclass clazz,jlong request_id,jobjectArray encoded_chain_ref,jobject private_key_ref)144 static void OnSystemRequestCompletion(
145 JNIEnv* env,
146 jclass clazz,
147 jlong request_id,
148 jobjectArray encoded_chain_ref,
149 jobject private_key_ref) {
150 DCHECK_CURRENTLY_ON(content::BrowserThread::UI);
151
152 // Take back ownership of the request object.
153 scoped_ptr<chrome::SelectCertificateCallback> callback(
154 reinterpret_cast<chrome::SelectCertificateCallback*>(request_id));
155
156 // Ensure that callback(NULL) is called in case of an error.
157 base::Closure null_closure =
158 base::Bind(*callback, scoped_refptr<net::X509Certificate>());
159
160 base::ScopedClosureRunner guard(null_closure);
161
162 if (encoded_chain_ref == NULL || private_key_ref == NULL) {
163 LOG(ERROR) << "Client certificate request cancelled";
164 return;
165 }
166
167 // Convert the encoded chain to a vector of strings.
168 std::vector<std::string> encoded_chain_strings;
169 if (encoded_chain_ref) {
170 base::android::JavaArrayOfByteArrayToStringVector(
171 env, encoded_chain_ref, &encoded_chain_strings);
172 }
173
174 std::vector<base::StringPiece> encoded_chain;
175 for (size_t n = 0; n < encoded_chain_strings.size(); ++n)
176 encoded_chain.push_back(encoded_chain_strings[n]);
177
178 // Create the X509Certificate object from the encoded chain.
179 scoped_refptr<net::X509Certificate> client_cert(
180 net::X509Certificate::CreateFromDERCertChain(encoded_chain));
181 if (!client_cert.get()) {
182 LOG(ERROR) << "Could not decode client certificate chain";
183 return;
184 }
185
186 // Create an EVP_PKEY wrapper for the private key JNI reference.
187 ScopedEVP_PKEY private_key(
188 net::android::GetOpenSSLPrivateKeyWrapper(private_key_ref));
189 if (!private_key.get()) {
190 LOG(ERROR) << "Could not create OpenSSL wrapper for private key";
191 return;
192 }
193
194 ignore_result(guard.Release());
195
196 // RecordClientCertificateKey() must be called on the I/O thread,
197 // before the callback is called with the selected certificate on
198 // the UI thread.
199 content::BrowserThread::PostTaskAndReply(
200 content::BrowserThread::IO,
201 FROM_HERE,
202 base::Bind(&RecordClientCertificateKey,
203 client_cert,
204 base::Passed(&private_key)),
205 base::Bind(*callback, client_cert));
206 }
207
NotifyClientCertificatesChanged()208 static void NotifyClientCertificatesChanged() {
209 net::CertDatabase::GetInstance()->OnAndroidKeyStoreChanged();
210 }
211
NotifyClientCertificatesChangedOnIOThread(JNIEnv * env,jclass)212 static void NotifyClientCertificatesChangedOnIOThread(JNIEnv* env, jclass) {
213 if (content::BrowserThread::CurrentlyOn(content::BrowserThread::IO)) {
214 NotifyClientCertificatesChanged();
215 } else {
216 content::BrowserThread::PostTask(
217 content::BrowserThread::IO,
218 FROM_HERE,
219 base::Bind(&NotifyClientCertificatesChanged));
220 }
221 }
222
RegisterSSLClientCertificateRequestAndroid(JNIEnv * env)223 bool RegisterSSLClientCertificateRequestAndroid(JNIEnv* env) {
224 return RegisterNativesImpl(env);
225 }
226
227 } // namespace android
228
ShowSSLClientCertificateSelector(content::WebContents * contents,const net::HttpNetworkSession * network_session,net::SSLCertRequestInfo * cert_request_info,const chrome::SelectCertificateCallback & callback)229 void ShowSSLClientCertificateSelector(
230 content::WebContents* contents,
231 const net::HttpNetworkSession* network_session,
232 net::SSLCertRequestInfo* cert_request_info,
233 const chrome::SelectCertificateCallback& callback) {
234 ui::WindowAndroid* window =
235 WindowAndroidHelper::FromWebContents(contents)->GetWindowAndroid();
236 DCHECK(window);
237 DCHECK_CURRENTLY_ON(content::BrowserThread::UI);
238 StartClientCertificateRequest(cert_request_info, window, callback);
239 }
240
241 } // namespace chrome
242