Gave the GetOriginBoundCertificate an asynchronous interface because certificate

net/base/origin_bound_cert_service.h

Index: net/base/origin_bound_cert_service.h
===================================================================
--- net/base/origin_bound_cert_service.h	(revision 94628)
+++ net/base/origin_bound_cert_service.h	(working copy)
@@ -6,20 +6,30 @@
 #define NET_BASE_ORIGIN_BOUND_CERT_SERVICE_H_
 #pragma once
 
+#include <map>
 #include <string>
 
-#include "base/memory/ref_counted.h"
+#include "base/basictypes.h"
 #include "base/memory/scoped_ptr.h"
+#include "base/threading/non_thread_safe.h"
+#include "net/base/completion_callback.h"
 #include "net/base/net_api.h"
 
 namespace net {
 
+class OriginBoundCertServiceJob;
+class OriginBoundCertServiceWorker;
 class OriginBoundCertStore;
 
 // A class for creating and fetching origin bound certs.
+// Inherits from NonThreadSafe in order to use the function
+// |CalledOnValidThread|.
 class NET_API OriginBoundCertService
-    : public base::RefCountedThreadSafe<OriginBoundCertService> {
+    : NON_EXPORTED_BASE(public base::NonThreadSafe) {
  public:
+  // Opaque type used to cancel a request.
+  typedef void* RequestHandle;
+
   // This object owns origin_bound_cert_store.
   explicit OriginBoundCertService(
       OriginBoundCertStore* origin_bound_cert_store);
@@ -27,21 +37,68 @@
   ~OriginBoundCertService();
 
   // TODO(rkn): Specify certificate type (RSA or DSA).
-  // TODO(rkn): Key generation can be time consuming, so this should have an
-  // asynchronous interface.
+  //
   // Fetches the origin bound cert for the specified origin if one exists
-  // and creates one otherwise. On success, |private_key_result| stores a
-  // DER-encoded PrivateKeyInfo struct, and |cert_result| stores a DER-encoded
-  // certificate.
-  bool GetOriginBoundCert(const std::string& origin,
-                          std::string* private_key_result,
-                          std::string* cert_result);
+  // and creates one otherwise. Returns OK if successful or an error code upon
+  // failure.
+  //
+  // On success, |private_key| stores a DER-encoded PrivateKeyInfo

[wtc, 2011/08/09 00:43:34]

On success => On successful completion

+  // struct, and |cert| stores a DER-encoded certificate.
+  //
+  // |callback| must not be null. ERR_IO_PENDING is returned if the operation
+  // could not be completed synchronously, in which case the result code will

[wtc, 2011/08/09 00:43:34]

synchronously => immediately

+  // be passed to the callback when available.
+  //
+  // If |out_req| is non_NULL, then |*out_req| will be filled with a handle to
+  // the async request. This handle is not valid after the request has
+  // completed.
+  int GetOriginBoundCert(const std::string& origin,
+                         std::string* private_key,
+                         std::string* cert,
+                         CompletionCallback* callback,
+                         RequestHandle* out_req);
 
+  // Cancels the specified request. |req| is the handle returned by
+  // GetOriginBoundCert(). After a request is canceled, its completion
+  // callback will not be called.
+  void CancelRequest(RequestHandle req);
+
   // Public only for unit testing.
-  int GetCertCount();
+  int get_cert_count();
+  uint64 requests() const { return requests_; }
+  uint64 cache_hits() const {return cache_hits_; }

[agl, 2011/08/08 22:36:27]

space before {

+  uint64 inflight_joins() const {return inflight_joins_; }

[agl, 2011/08/08 22:36:27]

ditto

 
  private:
+  friend class OriginBoundCertServiceWorker;  // Calls HandleResult.
+
+  // On success, |private_key| stores a DER-encoded PrivateKeyInfo
+  // struct, and |cert| stores a DER-encoded certificate. Returns
+  // OK if successful and an error code otherwise.
+  // |serial_number| is passed in because it is created with the function
+  // base::RandInt, which opens the file /dev/urandom. This is done with a
+  // LazyInstance, which is not allowed on a worker thread.
+  static int GenerateCert(const std::string& origin,
+                          uint32 serial_number,

[agl, 2011/08/08 22:36:27]

A 32-bit serial number is really small. I know NSS will reject certificates with
duplicate issuer+serial number pairs. This might be a concern.

+                          std::string* private_key,
+                          std::string* cert);
+
+  void HandleResult(const std::string& origin,
+                    int error,
+                    const std::string& private_key,
+                    const std::string& cert);
+
   scoped_ptr<OriginBoundCertStore> origin_bound_cert_store_;
+
+  // inflight_ maps from an origin to an active generation which is taking
+  // place.
+  std::map<std::string, OriginBoundCertServiceJob*> inflight_;
+
+  uint64 requests_;
+  uint64 cache_hits_;
+  uint64 inflight_joins_;
+
+  DISALLOW_COPY_AND_ASSIGN(OriginBoundCertService);
 };
 
 }  // namespace net