Add a new SSLClientSocket::was_origin_cert_sent() method

net/socket/ssl_client_socket.h

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_SOCKET_SSL_CLIENT_SOCKET_H_
 #define NET_SOCKET_SSL_CLIENT_SOCKET_H_
 #pragma once
 
 #include <string>
 
@@ skipping 105 matching lines @@
 
   // Get the application level protocol that we negotiated with the server.
   // *proto is set to the resulting protocol (n.b. that the string may have
   // embedded NULs).
   //   kNextProtoUnsupported: *proto is cleared.
   //   kNextProtoNegotiated:  *proto is set to the negotiated protocol.
   //   kNextProtoNoOverlap:   *proto is set to the first protocol in the
   //                          supported list.
   virtual NextProtoStatus GetNextProto(std::string* proto) = 0;
 
+  // Returns true if connection negotiated the origin bound cert extension.
+  virtual bool WasOriginBoundCertNegotiated() = 0;

[wtc, 2011/12/06 19:22:11]

This method should report the stronger condition: whether an
origin-bound cert was sent.  This is because the server may
echo the origin-bound cert extension in ServerHello but not
request an origin-bound cert.

So I suggest renaming this method WasOriginBoundCertSent
and updating the comment accordingly.

Nit: it may be a good idea to explain what this method is
intended for.

Note: an alternative API design would be a generic method that
returns the client certificate sent to the server, and then
we inspect the client certificate to determine whether it is
a regular client certificate or origin-bound certificate.
But let's go with the simpler OBC-specific method now.

It is possible that it is enough to simply report whether
the origin-bound cert extension was negoriated.

[Ryan Hamilton, 2011/12/06 20:03:47]

I thought that if the OBC extension was negotiated, the server MUST request an
origin bound certificate.  I guess that's not the case.
 
Done.
 
Done.
 
*nod*
 
This is an interesting distinction that I'm surprised to learn exists :>  But if
it does, I think your proposal is probably what we want.

+
   static NextProto NextProtoFromString(const std::string& proto_string);
 
   static bool IgnoreCertError(int error, int load_flags);
 
   virtual bool was_npn_negotiated() const;
 
   virtual bool set_was_npn_negotiated(bool negotiated);
 
   virtual void UseDNSSEC(DNSSECProvider*) { }
 
   virtual bool was_spdy_negotiated() const;

[wtc, 2011/12/06 19:22:11]

Can you find out why was_npn_negotiated() and was_spdy_negotiated()
are named in all lowercase and not abstract methods (= 0)?

[Ryan Hamilton, 2011/12/06 20:03:47]

This is because these methods are simple getters for the local members:

  was_npn_negotiated_;
  was_spdy_negotiated_;

I guess you're pointing out that we could also add a member:

 was_origin_bound_cert_sent_

and then name the method was_origin_bound_cert_sent().

I guess this would be more appropriate?  I'll do this instead.

[wtc, 2011/12/06 20:47:03]

I just wanted you to find out why was_npn_negotiated() and
was_spdy_negotiated() are declared and defined that way.
I am not sure which way is better, but it'd be nice to
standardize on one way.

 
   virtual bool set_was_spdy_negotiated(bool negotiated);
 
  private:
   // True if NPN was responded to, independent of selecting SPDY or HTTP.
   bool was_npn_negotiated_;
   // True if NPN successfully negotiated SPDY.
   bool was_spdy_negotiated_;
 };
 
 }  // namespace net
 
 #endif  // NET_SOCKET_SSL_CLIENT_SOCKET_H_