
Unified Diff: net/base/origin_bound_cert_service.cc

Issue 9617039: Change Origin bound certs -> Domain bound certs. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: explanatory comment Created 8 years, 9 months ago
Index: net/base/origin_bound_cert_service.cc
diff --git a/net/base/origin_bound_cert_service.cc b/net/base/origin_bound_cert_service.cc
index 8901e26b9c2a031a83fdb283eb4e862b016527c9..1177c396bbe7c0dbc80afb67006d071dd8cf2e6f 100644
--- a/net/base/origin_bound_cert_service.cc
+++ b/net/base/origin_bound_cert_service.cc
@@ -19,6 +19,7 @@
#include "base/stl_util.h"
#include "base/threading/worker_pool.h"
#include "crypto/ec_private_key.h"
+#include "googleurl/src/gurl.h"
#include "net/base/net_errors.h"
#include "net/base/origin_bound_cert_store.h"
#include "net/base/registry_controlled_domain.h"
@@ -98,10 +99,10 @@ class OriginBoundCertServiceRequest {
class OriginBoundCertServiceWorker {
public:
OriginBoundCertServiceWorker(
- const std::string& origin,
+ const std::string& domain,
SSLClientCertType type,
OriginBoundCertService* origin_bound_cert_service)
- : origin_(origin),
+ : domain_(domain),
type_(type),
serial_number_(base::RandInt(0, std::numeric_limits<int>::max())),
origin_loop_(MessageLoop::current()),
@@ -130,7 +131,7 @@ class OriginBoundCertServiceWorker {
private:
void Run() {
// Runs on a worker thread.
- error_ = OriginBoundCertService::GenerateCert(origin_,
+ error_ = OriginBoundCertService::GenerateCert(domain_,
type_,
serial_number_,
&creation_time_,
@@ -161,7 +162,7 @@ class OriginBoundCertServiceWorker {
base::AutoLock locked(lock_);
if (!canceled_) {
origin_bound_cert_service_->HandleResult(
- origin_, error_, type_, creation_time_, expiration_time_,
+ domain_, error_, type_, creation_time_, expiration_time_,
private_key_, cert_);
}
}
@@ -193,7 +194,7 @@ class OriginBoundCertServiceWorker {
delete this;
}
- const std::string origin_;
+ const std::string domain_;
const SSLClientCertType type_;
// Note that serial_number_ must be initialized on a non-worker thread
// (see documentation for OriginBoundCertService::GenerateCert).
@@ -320,6 +321,8 @@ int OriginBoundCertService::GetOriginBoundCert(
return ERR_INVALID_ARGUMENT;
}
+ std::string domain = GetDomainForHost(GURL(origin).host());
wtc 2012/03/08 02:13:45 Should we also check domain.empty()? See the orig
mattm 2012/03/15 01:48:44 Done.
+
SSLClientCertType preferred_type = CLIENT_CERT_INVALID_TYPE;
for (size_t i = 0; i < requested_types.size(); ++i) {
if (IsSupportedCertType(requested_types[i])) {
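Review bot: The added `GetDomainForHost(GURL(origin).host())` line changes the key used by everything below it, but nothing at that point says what the conversion drops. A short comment above it would help, for example `// Certs are keyed by registry-controlled domain; scheme, port and subdomain of |origin| are ignored from here on.` That wording assumes GetDomainForHost returns the registry-controlled domain, which is not visible in this hunk, so confirm it before adding. `origin` also stays in scope for the rest of GetOriginBoundCert, whose body starts and ends outside the hunk, so a later edit could key on it by mistake.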
@@ -334,35 +337,35 @@ int OriginBoundCertService::GetOriginBoundCert(
requests_++;
- // Check if an origin bound cert of an acceptable type already exists for this
- // origin, and that it has not expired.
+ // Check if a domain bound cert of an acceptable type already exists for this
+ // domain, and that it has not expired.
base::Time now = base::Time::Now();
base::Time creation_time;
base::Time expiration_time;
- if (origin_bound_cert_store_->GetOriginBoundCert(origin,
+ if (origin_bound_cert_store_->GetOriginBoundCert(domain,
type,
&creation_time,
&expiration_time,
private_key,
cert)) {
if (expiration_time < now) {
- DVLOG(1) << "Cert store had expired cert for " << origin;
+ DVLOG(1) << "Cert store had expired cert for " << domain;
} else if (!IsSupportedCertType(*type) ||
std::find(requested_types.begin(), requested_types.end(),
*type) == requested_types.end()) {
DVLOG(1) << "Cert store had cert of wrong type " << *type << " for "
- << origin;
+ << domain;
} else {
cert_store_hits_++;
return OK;
}
}
- // |origin_bound_cert_store_| has no cert for this origin. See if an
+ // |origin_bound_cert_store_| has no cert for this domain. See if an
// identical request is currently in flight.
OriginBoundCertServiceJob* job = NULL;
std::map<std::string, OriginBoundCertServiceJob*>::const_iterator j;
- j = inflight_.find(origin);
+ j = inflight_.find(domain);
if (j != inflight_.end()) {
// An identical request is in flight already. We'll just attach our
// callback.
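Review bot: The store lookup and `inflight_.find(domain)` now use a different key from entries written before this change, which were stored under the origin string. Those older entries can no longer match, and if the store is persisted (not visible here) their private keys would stay in it until something deletes them. Consider purging or migrating origin-keyed entries when the store is loaded, or state in a comment that they are intentionally abandoned. GetOriginBoundCert's body starts and ends outside this hunk.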
@@ -371,10 +374,10 @@ int OriginBoundCertService::GetOriginBoundCert(
if (std::find(requested_types.begin(), requested_types.end(), job->type())
== requested_types.end()) {
DVLOG(1) << "Found inflight job of wrong type " << job->type()
- << " for " << origin;
+ << " for " << domain;
// If we get here, the server is asking for different types of certs in
// short succession. This probably means the server is broken or
- // misconfigured. Since we only store one type of cert per origin, we
+ // misconfigured. Since we only store one type of cert per domain, we
// are unable to handle this well. Just return an error and let the first
// job finish.
return ERR_ORIGIN_BOUND_CERT_GENERATION_TYPE_MISMATCH;
@@ -383,7 +386,7 @@ int OriginBoundCertService::GetOriginBoundCert(
} else {
// Need to make a new request.
OriginBoundCertServiceWorker* worker = new OriginBoundCertServiceWorker(
- origin,
+ domain,
preferred_type,
this);
job = new OriginBoundCertServiceJob(worker, preferred_type);
@@ -394,7 +397,7 @@ int OriginBoundCertService::GetOriginBoundCert(
LOG(ERROR) << "OriginBoundCertServiceWorker couldn't be started.";
return ERR_INSUFFICIENT_RESOURCES; // Just a guess.
}
- inflight_[origin] = job;
+ inflight_[domain] = job;
}
OriginBoundCertServiceRequest* request =
@@ -409,7 +412,7 @@ OriginBoundCertStore* OriginBoundCertService::GetCertStore() {
}
// static
-int OriginBoundCertService::GenerateCert(const std::string& origin,
+int OriginBoundCertService::GenerateCert(const std::string& domain,
SSLClientCertType type,
uint32 serial_number,
base::Time* creation_time,
@@ -430,7 +433,7 @@ int OriginBoundCertService::GenerateCert(const std::string& origin,
}
if (!x509_util::CreateOriginBoundCertEC(
key.get(),
- origin,
+ domain,
serial_number,
now,
not_valid_after,
@@ -471,7 +474,7 @@ void OriginBoundCertService::CancelRequest(RequestHandle req) {
// HandleResult is called by OriginBoundCertServiceWorker on the origin message
// loop. It deletes OriginBoundCertServiceJob.
-void OriginBoundCertService::HandleResult(const std::string& origin,
+void OriginBoundCertService::HandleResult(const std::string& domain,
int error,
SSLClientCertType type,
base::Time creation_time,
@@ -481,10 +484,10 @@ void OriginBoundCertService::HandleResult(const std::string& origin,
DCHECK(CalledOnValidThread());
origin_bound_cert_store_->SetOriginBoundCert(
- origin, type, creation_time, expiration_time, private_key, cert);
+ domain, type, creation_time, expiration_time, private_key, cert);
std::map<std::string, OriginBoundCertServiceJob*>::iterator j;
- j = inflight_.find(origin);
+ j = inflight_.find(domain);
if (j == inflight_.end()) {
NOTREACHED();
return;
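Review bot: In the visible lines of HandleResult, `SetOriginBoundCert(domain, ...)` runs without `error` being examined first, so a failed generation appears to write its empty key and cert into the store. With the key now being the domain, such an entry would apply to every host under it. If no check exists elsewhere, wrap the call in `if (error == OK) { ... }`. The function continues past the end of this hunk.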
