Support EC certs in OriginBoundCertService and OriginBoundCertStore.

net/socket/ssl_client_socket_nss.cc

Index: net/socket/ssl_client_socket_nss.cc
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index 2595350e7548256bfcf2f76827236ee2bde15d8e..0160ea3e20d53fc95177d9ddbe362d0d1113300b 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -74,6 +74,7 @@
 #include "base/stringprintf.h"
 #include "base/threading/thread_restrictions.h"
 #include "base/values.h"
+#include "crypto/ec_private_key.h"
 #include "crypto/rsa_private_key.h"
 #include "crypto/scoped_nss_types.h"
 #include "net/base/address_list.h"
@@ -1545,20 +1546,49 @@ int SSLClientSocketNSS::ImportOBCertAndKey(CERTCertificate** cert,
     return MapNSSError(PORT_GetError());
 
   // Set the private key.
-  SECItem der_private_key_info;
-  der_private_key_info.data = (unsigned char*)ob_private_key_.data();
-  der_private_key_info.len = ob_private_key_.size();
-  const unsigned int key_usage = KU_DIGITAL_SIGNATURE;
-  crypto::ScopedPK11Slot slot(PK11_GetInternalSlot());
-  SECStatus rv = PK11_ImportDERPrivateKeyInfoAndReturnKey(
-      slot.get(), &der_private_key_info, NULL, NULL, PR_FALSE, PR_FALSE,
-      key_usage, key, NULL);
+  switch (ob_cert_type_) {
+    case CLIENT_CERT_RSA_SIGN: {
+      SECItem der_private_key_info;
+      der_private_key_info.data = (unsigned char*)ob_private_key_.data();
+      der_private_key_info.len = ob_private_key_.size();
+      const unsigned int key_usage = KU_DIGITAL_SIGNATURE;
+      crypto::ScopedPK11Slot slot(PK11_GetInternalSlot());
+      SECStatus rv = PK11_ImportDERPrivateKeyInfoAndReturnKey(
+          slot.get(), &der_private_key_info, NULL, NULL, PR_FALSE, PR_FALSE,
+          key_usage, key, NULL);
+
+      if (rv != SECSuccess) {
+        int error = MapNSSError(PORT_GetError());
+        CERT_DestroyCertificate(*cert);
+        *cert = NULL;
+        return error;
+      }
+      break;
+    }
 
-  if (rv != SECSuccess) {
-    int error = MapNSSError(PORT_GetError());
-    CERT_DestroyCertificate(*cert);
-    *cert = NULL;
-    return error;
+    case CLIENT_CERT_ECDSA_SIGN: {
+      std::vector<uint8> private_key_info(ob_private_key_.begin(),
+                                          ob_private_key_.end());

[wtc, 2011/12/02 22:06:59]

Nit: this copies the PrivateKeyInfo.  If
crypto::ECPrivateKey::ImportFromEncryptedPrivateKeyInfo()
takes a SECItem or a data/len pair instead of const std::vector<uint8>&,
we can avoid this copying.

[mattm, 2011/12/05 22:19:20]

Done.

+      SECKEYPublicKey* public_key = NULL;
+      if (!crypto::ECPrivateKey::ImportFromEncryptedPrivateKeyInfo(
+          OriginBoundCertService::kEPKIPassword,
+          private_key_info,
+          &(*cert)->subjectPublicKeyInfo,
+          false,
+          false,
+          key,
+          &public_key)) {
+        CERT_DestroyCertificate(*cert);
+        *cert = NULL;
+        return MapNSSError(PORT_GetError());
+      }
+      SECKEY_DestroyPublicKey(public_key);
+      break;
+    }
+
+    default:
+      NOTREACHED();
+      return ERR_INVALID_ARGUMENT;
   }
 
   return OK;
@@ -2113,6 +2143,7 @@ bool SSLClientSocketNSS::OriginBoundCertNegotiated(PRFileDesc* socket) {
 }
 
 SECStatus SSLClientSocketNSS::OriginBoundClientAuthHandler(
+    const std::vector<uint8>& requested_cert_types,
     CERTCertificate** result_certificate,
     SECKEYPrivateKey** result_private_key) {
   ob_cert_xtn_negotiated_ = true;
@@ -2122,6 +2153,8 @@ SECStatus SSLClientSocketNSS::OriginBoundClientAuthHandler(
   net_log_.BeginEvent(NetLog::TYPE_SSL_GET_ORIGIN_BOUND_CERT, NULL);
   int error = origin_bound_cert_service_->GetOriginBoundCert(
       origin,
+      requested_cert_types,
+      &ob_cert_type_,
       &ob_private_key_,
       &ob_cert_,
       base::Bind(&SSLClientSocketNSS::OnHandshakeIOComplete,
@@ -2171,8 +2204,12 @@ SECStatus SSLClientSocketNSS::PlatformClientAuthHandler(
 
   // Check if an origin-bound certificate is requested.
   if (OriginBoundCertNegotiated(socket)) {
+    // TODO(mattm): Once NSS supports it, pass the actual requested types.
+    std::vector<uint8> requested_cert_types;
+    requested_cert_types.push_back(CLIENT_CERT_ECDSA_SIGN);
+    requested_cert_types.push_back(CLIENT_CERT_RSA_SIGN);
     return that->OriginBoundClientAuthHandler(
-        result_nss_certificate, result_nss_private_key);
+        requested_cert_types, result_nss_certificate, result_nss_private_key);
   }
 
   that->client_auth_cert_needed_ = !that->ssl_config_.send_client_cert;
@@ -2476,8 +2513,12 @@ SECStatus SSLClientSocketNSS::ClientAuthHandler(
 
   // Check if an origin-bound certificate is requested.
   if (OriginBoundCertNegotiated(socket)) {
+    // TODO(mattm): Once NSS supports it, pass the actual requested types.
+    std::vector<uint8> requested_cert_types;
+    requested_cert_types.push_back(CLIENT_CERT_ECDSA_SIGN);
+    requested_cert_types.push_back(CLIENT_CERT_RSA_SIGN);
     return that->OriginBoundClientAuthHandler(
-        result_certificate, result_private_key);
+        requested_cert_types, result_certificate, result_private_key);
   }
 
   // Regular client certificate requested.