Add a new SSLClientSocket::was_origin_cert_sent() method

net/socket/ssl_client_socket.h

Index: net/socket/ssl_client_socket.h
===================================================================
--- net/socket/ssl_client_socket.h	(revision 112347)
+++ net/socket/ssl_client_socket.h	(working copy)
@@ -123,6 +123,9 @@
   //                          supported list.
   virtual NextProtoStatus GetNextProto(std::string* proto) = 0;
 
+  // Returns true if connection negotiated the origin bound cert extension.
+  virtual bool WasOriginBoundCertNegotiated() = 0;

[wtc, 2011/12/06 19:22:11]

This method should report the stronger condition: whether an
origin-bound cert was sent.  This is because the server may
echo the origin-bound cert extension in ServerHello but not
request an origin-bound cert.

So I suggest renaming this method WasOriginBoundCertSent
and updating the comment accordingly.

Nit: it may be a good idea to explain what this method is
intended for.

Note: an alternative API design would be a generic method that
returns the client certificate sent to the server, and then
we inspect the client certificate to determine whether it is
a regular client certificate or origin-bound certificate.
But let's go with the simpler OBC-specific method now.

It is possible that it is enough to simply report whether
the origin-bound cert extension was negoriated.

[Ryan Hamilton, 2011/12/06 20:03:47]

I thought that if the OBC extension was negotiated, the server MUST request an
origin bound certificate.  I guess that's not the case.
 
Done.
 
Done.
 
*nod*
 
This is an interesting distinction that I'm surprised to learn exists :>  But if
it does, I think your proposal is probably what we want.

+
   static NextProto NextProtoFromString(const std::string& proto_string);
 
   static bool IgnoreCertError(int error, int load_flags);