Gave the GetOriginBoundCertificate an asynchronous interface because certificate

net/base/origin_bound_cert_service.h

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_BASE_ORIGIN_BOUND_CERT_SERVICE_H_
 #define NET_BASE_ORIGIN_BOUND_CERT_SERVICE_H_
 #pragma once
 
+#include <map>
 #include <string>
 
-#include "base/memory/ref_counted.h"
+#include "base/basictypes.h"
 #include "base/memory/scoped_ptr.h"
+#include "base/threading/non_thread_safe.h"
+#include "net/base/completion_callback.h"
 #include "net/base/net_api.h"
 
 namespace net {
 
+class OriginBoundCertServiceJob;
+class OriginBoundCertServiceWorker;
 class OriginBoundCertStore;
 
 // A class for creating and fetching origin bound certs.
+// Inherits from NonThreadSafe in order to use the function
+// |CalledOnValidThread|.
 class NET_API OriginBoundCertService
-    : public base::RefCountedThreadSafe<OriginBoundCertService> {
+    : NON_EXPORTED_BASE(public base::NonThreadSafe) {
  public:
+  // Opaque type used to cancel a request.
+  typedef void* RequestHandle;
+
   // This object owns origin_bound_cert_store.
   explicit OriginBoundCertService(
       OriginBoundCertStore* origin_bound_cert_store);
 
   ~OriginBoundCertService();
 
   // TODO(rkn): Specify certificate type (RSA or DSA).
-  // TODO(rkn): Key generation can be time consuming, so this should have an
-  // asynchronous interface.
+  //
   // Fetches the origin bound cert for the specified origin if one exists
-  // and creates one otherwise. On success, |private_key_result| stores a
-  // DER-encoded PrivateKeyInfo struct, and |cert_result| stores a DER-encoded
-  // certificate.
-  bool GetOriginBoundCert(const std::string& origin,
-                          std::string* private_key_result,
-                          std::string* cert_result);
+  // and creates one otherwise. Returns OK if successful or an error code upon
+  // failure.
+  //
+  // On successful completion, |private_key| stores a DER-encoded
+  // PrivateKeyInfo struct, and |cert| stores a DER-encoded certificate.
+  //
+  // |callback| must not be null. ERR_IO_PENDING is returned if the operation
+  // could not be completed immediately, in which case the result code will
+  // be passed to the callback when available.
+  //
+  // If |out_req| is non-NULL, then |*out_req| will be filled with a handle to
+  // the async request. This handle is not valid after the request has
+  // completed.
+  int GetOriginBoundCert(const std::string& origin,
+                         std::string* private_key,
+                         std::string* cert,
+                         CompletionCallback* callback,
+                         RequestHandle* out_req);
+
+  // Cancels the specified request. |req| is the handle returned by
+  // GetOriginBoundCert(). After a request is canceled, its completion
+  // callback will not be called.
+  void CancelRequest(RequestHandle req);
 
   // Public only for unit testing.
-  int GetCertCount();
+  int cert_count();
+  uint64 requests() const { return requests_; }
+  uint64 synchronous_completions() const { return synchronous_completions_; }
+  uint64 inflight_joins() const { return inflight_joins_; }
 
  private:
+  friend class OriginBoundCertServiceWorker;  // Calls HandleResult.
+
+  // On success, |private_key| stores a DER-encoded PrivateKeyInfo
+  // struct, and |cert| stores a DER-encoded certificate. Returns
+  // OK if successful and an error code otherwise.
+  // |serial_number| is passed in because it is created with the function
+  // base::RandInt, which opens the file /dev/urandom. /dev/urandom is opened
+  // with a LazyInstance, which is not allowed on a worker thread.
+  static int GenerateCert(const std::string& origin,
+                          uint32 serial_number,
+                          std::string* private_key,
+                          std::string* cert);
+
+  void HandleResult(const std::string& origin,
+                    int error,
+                    const std::string& private_key,
+                    const std::string& cert);
+
   scoped_ptr<OriginBoundCertStore> origin_bound_cert_store_;
+
+  // inflight_ maps from an origin to an active generation which is taking
+  // place.
+  std::map<std::string, OriginBoundCertServiceJob*> inflight_;
+
+  uint64 requests_;
+  uint64 synchronous_completions_;

[wtc, 2011/08/09 18:09:47]

Let's call this member cert_store_hits_.  "synchronous
completions" is too indirect.

+  uint64 inflight_joins_;
+
+  DISALLOW_COPY_AND_ASSIGN(OriginBoundCertService);
 };
 
 }  // namespace net
 
 #endif  // NET_BASE_ORIGIN_BOUND_CERT_SERVICE_H_