Support EC certs in OriginBoundCertService and OriginBoundCertStore.

net/base/origin_bound_cert_service.h

Index: net/base/origin_bound_cert_service.h
diff --git a/net/base/origin_bound_cert_service.h b/net/base/origin_bound_cert_service.h
index 861602f457515ea1322c1a72a1c7f98f98384c64..300e6886b74c8e5822e3a57e86b26a2f143da318 100644
--- a/net/base/origin_bound_cert_service.h
+++ b/net/base/origin_bound_cert_service.h
@@ -8,12 +8,14 @@
 
 #include <map>
 #include <string>
+#include <vector>
 
 #include "base/basictypes.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/threading/non_thread_safe.h"
 #include "net/base/completion_callback.h"
 #include "net/base/net_export.h"
+#include "net/base/origin_bound_cert_type.h"
 
 namespace net {
 
@@ -30,17 +32,23 @@ class NET_EXPORT OriginBoundCertService
   // Opaque type used to cancel a request.
   typedef void* RequestHandle;
 
+  // Password used on EncryptedPrivateKeyInfo data stored in EC private_key
+  // values.  (This is not used to provide any security, but to workaround an
+  // NSS issue.)

[wtc, 2011/11/30 23:23:40]

Please include the NSS bug number or provide enough detail
(such as "NSS cannot import unencrypted PrivateKeyInfo for EC
keys").

[mattm, 2011/12/02 01:55:59]

Done.

+  static const char kEPKIPassword[];
+
   // This object owns origin_bound_cert_store.
   explicit OriginBoundCertService(
       OriginBoundCertStore* origin_bound_cert_store);
 
   ~OriginBoundCertService();
 
-  // TODO(rkn): Specify certificate type (RSA or DSA).
+  // Fetches the origin bound cert for the specified origin of the specified
+  // type if one exists and creates one otherwise. Returns OK if successful or
+  // an error code upon failure.
   //
-  // Fetches the origin bound cert for the specified origin if one exists
-  // and creates one otherwise. Returns OK if successful or an error code upon
-  // failure.
+  // |requested_types| is a list the types of certificates the site will
+  // accept, ordered from most preferred to least preferred.
   //
   // On successful completion, |private_key| stores a DER-encoded
   // PrivateKeyInfo struct, and |cert| stores a DER-encoded certificate.

[wtc, 2011/11/30 23:23:40]

Also document the new |type| output parameter.

[mattm, 2011/12/02 01:55:59]

Done.

@@ -52,11 +60,14 @@ class NET_EXPORT OriginBoundCertService
   // If |out_req| is non-NULL, then |*out_req| will be filled with a handle to
   // the async request. This handle is not valid after the request has
   // completed.
-  int GetOriginBoundCert(const std::string& origin,
-                         std::string* private_key,
-                         std::string* cert,
-                         const CompletionCallback& callback,
-                         RequestHandle* out_req);
+  int GetOriginBoundCert(
+      const std::string& origin,
+      const std::vector<OriginBoundCertType>& requested_types,
+      OriginBoundCertType* type,
+      std::string* private_key,
+      std::string* cert,
+      const CompletionCallback& callback,
+      RequestHandle* out_req);
 
   // Cancels the specified request. |req| is the handle returned by
   // GetOriginBoundCert(). After a request is canceled, its completion
@@ -79,12 +90,14 @@ class NET_EXPORT OriginBoundCertService
   // base::RandInt, which opens the file /dev/urandom. /dev/urandom is opened
   // with a LazyInstance, which is not allowed on a worker thread.
   static int GenerateCert(const std::string& origin,
+                          OriginBoundCertType type,
                           uint32 serial_number,
                           std::string* private_key,
                           std::string* cert);
 
   void HandleResult(const std::string& origin,
                     int error,
+                    OriginBoundCertType type,
                     const std::string& private_key,
                     const std::string& cert);