Honor server requested origin bound client cert types.

net/socket/ssl_client_socket_nss.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived
 // from AuthCertificateCallback() in
 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.
 
 /* ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
@@ skipping 2124 matching lines @@
 bool SSLClientSocketNSS::OriginBoundCertNegotiated(PRFileDesc* socket) {
   PRBool xtn_negotiated = PR_FALSE;
   SECStatus rv = SSL_HandshakeNegotiatedExtension(
       socket, ssl_ob_cert_xtn, &xtn_negotiated);
   DCHECK_EQ(SECSuccess, rv);
 
   return xtn_negotiated ? true : false;
 }
 
 SECStatus SSLClientSocketNSS::OriginBoundClientAuthHandler(
-    const std::vector<uint8>& requested_cert_types,
+    const SECItem* cert_types,
     CERTCertificate** result_certificate,
     SECKEYPrivateKey** result_private_key) {
   ob_cert_xtn_negotiated_ = true;
 
   // We have negotiated the origin-bound certificate extension.
   std::string origin = "https://" + host_and_port_.ToString();
+  std::vector<uint8> requested_cert_types(cert_types->data,
+                                          cert_types->data + cert_types->len);

[wtc, 2011/12/06 02:47:58]

Since we still need to convert to a std::vector<uint8> here,
I suggest that OriginBoundClientAuthHandler should just take
const std::vector<uint8>& requested_cert_types.

I guess you're trying to avoid duplicating the conversion
code?  If so, then this is fine.

   net_log_.BeginEvent(NetLog::TYPE_SSL_GET_ORIGIN_BOUND_CERT, NULL);
   int error = origin_bound_cert_service_->GetOriginBoundCert(
       origin,
       requested_cert_types,
       &ob_cert_type_,
       &ob_private_key_,
       &ob_cert_,
       base::Bind(&SSLClientSocketNSS::OnHandshakeIOComplete,
                  base::Unretained(this)),
       &ob_cert_request_handle_);
@@ skipping 32 matching lines @@
     PRFileDesc* socket,
     CERTDistNames* ca_names,
     CERTCertList** result_certs,
     void** result_private_key,
     CERTCertificate** result_nss_certificate,
     SECKEYPrivateKey** result_nss_private_key) {
   SSLClientSocketNSS* that = reinterpret_cast<SSLClientSocketNSS*>(arg);
 
   that->net_log_.AddEvent(NetLog::TYPE_SSL_CLIENT_CERT_REQUESTED, NULL);
 
+  const SECItem* cert_types = SSL_GetRequestedClientCertificateTypes(socket);
+
   // Check if an origin-bound certificate is requested.
   if (OriginBoundCertNegotiated(socket)) {
-    // TODO(mattm): Once NSS supports it, pass the actual requested types.
-    std::vector<uint8> requested_cert_types;
-    requested_cert_types.push_back(CLIENT_CERT_ECDSA_SIGN);
-    requested_cert_types.push_back(CLIENT_CERT_RSA_SIGN);
     return that->OriginBoundClientAuthHandler(
-        requested_cert_types, result_nss_certificate, result_nss_private_key);
+        cert_types, result_nss_certificate, result_nss_private_key);
   }
 
   that->client_auth_cert_needed_ = !that->ssl_config_.send_client_cert;
 #if defined(OS_WIN)
   if (that->ssl_config_.send_client_cert) {
     if (that->ssl_config_.client_cert) {
       PCCERT_CONTEXT cert_context =
           that->ssl_config_.client_cert->os_cert_handle();
 
       HCRYPTPROV_OR_NCRYPT_KEY_HANDLE crypt_prov = 0;
@@ skipping 281 matching lines @@
 SECStatus SSLClientSocketNSS::ClientAuthHandler(
     void* arg,
     PRFileDesc* socket,
     CERTDistNames* ca_names,
     CERTCertificate** result_certificate,
     SECKEYPrivateKey** result_private_key) {
   SSLClientSocketNSS* that = reinterpret_cast<SSLClientSocketNSS*>(arg);
 
   that->net_log_.AddEvent(NetLog::TYPE_SSL_CLIENT_CERT_REQUESTED, NULL);
 
+  const SECItem* cert_types = SSL_GetRequestedClientCertificateTypes(socket);
+
   // Check if an origin-bound certificate is requested.
   if (OriginBoundCertNegotiated(socket)) {
-    // TODO(mattm): Once NSS supports it, pass the actual requested types.
-    std::vector<uint8> requested_cert_types;
-    requested_cert_types.push_back(CLIENT_CERT_ECDSA_SIGN);
-    requested_cert_types.push_back(CLIENT_CERT_RSA_SIGN);
     return that->OriginBoundClientAuthHandler(
-        requested_cert_types, result_certificate, result_private_key);
+        cert_types, result_certificate, result_private_key);
   }
 
   // Regular client certificate requested.
   that->client_auth_cert_needed_ = !that->ssl_config_.send_client_cert;
   void* wincx  = SSL_RevealPinArg(socket);
 
   // Second pass: a client certificate should have been selected.
   if (that->ssl_config_.send_client_cert) {
     if (that->ssl_config_.client_cert) {
       CERTCertificate* cert = CERT_DupCertificate(
@@ skipping 125 matching lines @@
   valid_thread_id_ = base::PlatformThread::CurrentId();
 }
 
 bool SSLClientSocketNSS::CalledOnValidThread() const {
   EnsureThreadIdAssigned();
   base::AutoLock auto_lock(lock_);
   return valid_thread_id_ == base::PlatformThread::CurrentId();
 }
 
 }  // namespace net