| Index: net/base/origin_bound_cert_service.h
|
| diff --git a/net/base/origin_bound_cert_service.h b/net/base/origin_bound_cert_service.h
|
| index 861602f457515ea1322c1a72a1c7f98f98384c64..c3861e6db06e10ee9f0427e285079b77bb8e5085 100644
|
| --- a/net/base/origin_bound_cert_service.h
|
| +++ b/net/base/origin_bound_cert_service.h
|
| @@ -8,12 +8,14 @@
|
|
|
| #include <map>
|
| #include <string>
|
| +#include <vector>
|
|
|
| #include "base/basictypes.h"
|
| #include "base/memory/scoped_ptr.h"
|
| #include "base/threading/non_thread_safe.h"
|
| #include "net/base/completion_callback.h"
|
| #include "net/base/net_export.h"
|
| +#include "net/base/ssl_client_cert_type.h"
|
|
|
| namespace net {
|
|
|
| @@ -30,20 +32,28 @@ class NET_EXPORT OriginBoundCertService
|
| // Opaque type used to cancel a request.
|
| typedef void* RequestHandle;
|
|
|
| + // Password used on EncryptedPrivateKeyInfo data stored in EC private_key
|
| + // values. (This is not used to provide any security, but to workaround NSS
|
| + // being unable to import unencrypted PrivateKeyInfo for EC keys.)
|
| + static const char kEPKIPassword[];
|
| +
|
| // This object owns origin_bound_cert_store.
|
| explicit OriginBoundCertService(
|
| OriginBoundCertStore* origin_bound_cert_store);
|
|
|
| ~OriginBoundCertService();
|
|
|
| - // TODO(rkn): Specify certificate type (RSA or DSA).
|
| + // Fetches the origin bound cert for the specified origin of the specified
|
| + // type if one exists and creates one otherwise. Returns OK if successful or
|
| + // an error code upon failure.
|
| //
|
| - // Fetches the origin bound cert for the specified origin if one exists
|
| - // and creates one otherwise. Returns OK if successful or an error code upon
|
| - // failure.
|
| + // |requested_types| is a list of the TLS ClientCertificateTypes the site will
|
| + // accept, ordered from most preferred to least preferred. Types we don't
|
| + // support will be ignored. See ssl_client_cert_type.h.
|
| //
|
| // On successful completion, |private_key| stores a DER-encoded
|
| - // PrivateKeyInfo struct, and |cert| stores a DER-encoded certificate.
|
| + // PrivateKeyInfo struct, and |cert| stores a DER-encoded certificate, and
|
| + // |type| specifies the type of certificate that was returned.
|
| //
|
| // |callback| must not be null. ERR_IO_PENDING is returned if the operation
|
| // could not be completed immediately, in which case the result code will
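Review bot: The new documentation for |private_key| still says it holds a "DER-encoded PrivateKeyInfo struct", but the kEPKIPassword comment added above states that EC private keys are stored as EncryptedPrivateKeyInfo wrapped with a fixed, public password; the two statements contradict each other for the EC case and a caller that parses the blob will get the format wrong. The |private_key| paragraph should say which encoding applies to which type, e.g. `// PrivateKeyInfo struct (for EC keys an EncryptedPrivateKeyInfo wrapped with kEPKIPassword, see above),`. Since the password is a compile-time constant exported from a public header, the kEPKIPassword comment should also state explicitly that the stored blob must be treated as plaintext and that any protection of the key material must come from the store itself, so nobody later mistakes this wrapping for at-rest encryption. Only part of the class is visible in this hunk.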
|
| @@ -52,11 +62,14 @@ class NET_EXPORT OriginBoundCertService
|
| // If |out_req| is non-NULL, then |*out_req| will be filled with a handle to
|
| // the async request. This handle is not valid after the request has
|
| // completed.
|
| - int GetOriginBoundCert(const std::string& origin,
|
| - std::string* private_key,
|
| - std::string* cert,
|
| - const CompletionCallback& callback,
|
| - RequestHandle* out_req);
|
| + int GetOriginBoundCert(
|
| + const std::string& origin,
|
| + const std::vector<uint8>& requested_types,
|
| + SSLClientCertType* type,
|
| + std::string* private_key,
|
| + std::string* cert,
|
| + const CompletionCallback& callback,
|
| + RequestHandle* out_req);
|
|
|
| // Cancels the specified request. |req| is the handle returned by
|
| // GetOriginBoundCert(). After a request is canceled, its completion
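Review bot: The new signature takes |requested_types| as raw `uint8` TLS ClientCertificateType values but reports the result through an `SSLClientCertType` |type| out-parameter, and neither the signature nor the documentation says what happens when the list is empty or contains no type this service supports, nor whether |type|, |private_key| and |cert| are left untouched on failure. If, as the wording suggests, these values come from the peer's CertificateRequest, they are untrusted input, so the contract for an unsupported set should be spelled out, e.g. `// If |requested_types| contains no supported type, an error is returned and the out-parameters are not modified.` Whether |type| may be NULL is also undocumented and should be stated. The class declaration continues outside this hunk.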
|
| @@ -79,12 +92,14 @@ class NET_EXPORT OriginBoundCertService
|
| // base::RandInt, which opens the file /dev/urandom. /dev/urandom is opened
|
| // with a LazyInstance, which is not allowed on a worker thread.
|
| static int GenerateCert(const std::string& origin,
|
| + SSLClientCertType type,
|
| uint32 serial_number,
|
| std::string* private_key,
|
| std::string* cert);
|
|
|
| void HandleResult(const std::string& origin,
|
| int error,
|
| + SSLClientCertType type,
|
| const std::string& private_key,
|
| const std::string& cert);
|
|
|
|
|