Remove certificates from Channel ID

net/ssl/channel_id_service.h

Index: net/ssl/channel_id_service.h
diff --git a/net/ssl/channel_id_service.h b/net/ssl/channel_id_service.h
index f1d0ab966f941c29fd25a32c7cbd38ea89ad7917..44fac6634457ff8bc687a53f6554555a3f29b5f7 100644
--- a/net/ssl/channel_id_service.h
+++ b/net/ssl/channel_id_service.h
@@ -15,6 +15,7 @@
 #include "base/threading/non_thread_safe.h"
 #include "base/time/time.h"
 #include "net/base/completion_callback.h"
+#include "net/base/net_errors.h"

[Ryan Sleevi, 2015/05/08 23:43:14]

unused?

[nharper, 2015/05/11 21:26:44]

Done.

 #include "net/base/net_export.h"
 #include "net/ssl/channel_id_store.h"
 
@@ -22,6 +23,10 @@ namespace base {
 class TaskRunner;
 }
 
+namespace crypto {
+class ECPrivateKey;
+}

[Ryan Sleevi, 2015/05/08 23:43:14]

}  // crypto

(and also line 24)

Style pedantry at its finest

[nharper, 2015/05/11 21:26:44]

Actually, it's

}  // namespace crypto

+
 namespace net {
 
 class ChannelIDServiceJob;
@@ -85,19 +90,12 @@ class NET_EXPORT ChannelIDService
   // the origin otherwise.
   static std::string GetDomainForHost(const std::string& host);
 
-  // Tests whether the system time is within the supported range for
-  // certificate generation.  This value is cached when ChannelIDService
-  // is created, so if the system time is changed by a huge amount, this may no
-  // longer hold.
-  bool IsSystemTimeValid() const { return is_system_time_valid_; }
-
   // Fetches the domain bound cert for the specified host if one exists and
   // creates one otherwise. Returns OK if successful or an error code upon
   // failure.
   //
-  // On successful completion, |private_key| stores a DER-encoded
-  // PrivateKeyInfo struct, and |cert| stores a DER-encoded certificate.
-  // The PrivateKeyInfo is always an ECDSA private key.
+  // On successful completion, |key| holds the ECDSA keypair used for this
+  // channel ID.
   //
   // |callback| must not be null. ERR_IO_PENDING is returned if the operation
   // could not be completed immediately, in which case the result code will
@@ -106,20 +104,17 @@ class NET_EXPORT ChannelIDService
   // |*out_req| will be initialized with a handle to the async request. This
   // RequestHandle object must be cancelled or destroyed before the
   // ChannelIDService is destroyed.
-  int GetOrCreateChannelID(
-      const std::string& host,
-      std::string* private_key,
-      std::string* cert,
-      const CompletionCallback& callback,
-      RequestHandle* out_req);
+  int GetOrCreateChannelID(const std::string& host,
+                           scoped_ptr<crypto::ECPrivateKey>* key,
+                           const CompletionCallback& callback,
+                           RequestHandle* out_req);
 
   // Fetches the domain bound cert for the specified host if one exists.
   // Returns OK if successful, ERR_FILE_NOT_FOUND if none exists, or an error
   // code upon failure.
   //
-  // On successful completion, |private_key| stores a DER-encoded
-  // PrivateKeyInfo struct, and |cert| stores a DER-encoded certificate.
-  // The PrivateKeyInfo is always an ECDSA private key.
+  // On successful completion, |key| holds the ECDSA keypair used for this
+  // channel ID.
   //
   // |callback| must not be null. ERR_IO_PENDING is returned if the operation
   // could not be completed immediately, in which case the result code will
@@ -131,12 +126,10 @@ class NET_EXPORT ChannelIDService
   // |*out_req| will be initialized with a handle to the async request. This
   // RequestHandle object must be cancelled or destroyed before the
   // ChannelIDService is destroyed.
-  int GetChannelID(
-      const std::string& host,
-      std::string* private_key,
-      std::string* cert,
-      const CompletionCallback& callback,
-      RequestHandle* out_req);
+  int GetChannelID(const std::string& host,
+                   scoped_ptr<crypto::ECPrivateKey>* key,
+                   const CompletionCallback& callback,
+                   RequestHandle* out_req);
 
   // Returns the backing ChannelIDStore.
   ChannelIDStore* GetChannelIDStore();
@@ -144,7 +137,7 @@ class NET_EXPORT ChannelIDService
   // Public only for unit testing.
   int cert_count();
   uint64 requests() const { return requests_; }
-  uint64 cert_store_hits() const { return cert_store_hits_; }
+  uint64 key_store_hits() const { return key_store_hits_; }
   uint64 inflight_joins() const { return inflight_joins_; }
   uint64 workers_created() const { return workers_created_; }
 
@@ -156,25 +149,21 @@ class NET_EXPORT ChannelIDService
 
   void GotChannelID(int err,
                     const std::string& server_identifier,
-                    base::Time expiration_time,
-                    const std::string& key,
-                    const std::string& cert);
+                    const scoped_ptr<crypto::ECPrivateKey> key);

[Ryan Sleevi, 2015/05/08 23:43:14]

weird to pass this as const - bug?

[nharper, 2015/05/11 21:26:44]

Refactoring mistake - I think it was a const-ref at some point. Removed the
const.

   void GeneratedChannelID(
       const std::string& server_identifier,
       int error,
       scoped_ptr<ChannelIDStore::ChannelID> channel_id);
   void HandleResult(int error,
                     const std::string& server_identifier,
-                    const std::string& private_key,
-                    const std::string& cert);
+                    crypto::ECPrivateKey* key);
 
   // Searches for an in-flight request for the same domain. If found,
   // attaches to the request and returns true. Returns false if no in-flight
   // request is found.
   bool JoinToInFlightRequest(const base::TimeTicks& request_start,
                              const std::string& domain,
-                             std::string* private_key,
-                             std::string* cert,
+                             scoped_ptr<crypto::ECPrivateKey>* key,
                              bool create_if_missing,
                              const CompletionCallback& callback,
                              RequestHandle* out_req);
@@ -185,8 +174,7 @@ class NET_EXPORT ChannelIDService
   // failure (including failure to find a domain-bound cert of |domain|).
   int LookupChannelID(const base::TimeTicks& request_start,
                       const std::string& domain,
-                      std::string* private_key,
-                      std::string* cert,
+                      scoped_ptr<crypto::ECPrivateKey>* key,
                       bool create_if_missing,
                       const CompletionCallback& callback,
                       RequestHandle* out_req);
@@ -199,12 +187,10 @@ class NET_EXPORT ChannelIDService
   std::map<std::string, ChannelIDServiceJob*> inflight_;
 
   uint64 requests_;
-  uint64 cert_store_hits_;
+  uint64 key_store_hits_;
   uint64 inflight_joins_;
   uint64 workers_created_;
 
-  bool is_system_time_valid_;
-
   base::WeakPtrFactory<ChannelIDService> weak_ptr_factory_;
 
   DISALLOW_COPY_AND_ASSIGN(ChannelIDService);