SSLCertRequestInfo: Add |valid_cas| and |valid_key_types|

net/base/ssl_cert_request_info.h

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_BASE_SSL_CERT_REQUEST_INFO_H_
 #define NET_BASE_SSL_CERT_REQUEST_INFO_H_
 
 #include <string>
 #include <vector>
 
 #include "base/memory/ref_counted.h"
 #include "net/base/net_export.h"
+#include "net/base/ssl_client_cert_type.h"
 
 namespace net {
 
 class X509Certificate;
 
 // The SSLCertRequestInfo class contains the info that allows a user to
 // select a certificate to send to the SSL server for client authentication.
 class NET_EXPORT SSLCertRequestInfo
     : public base::RefCountedThreadSafe<SSLCertRequestInfo> {
  public:
   SSLCertRequestInfo();
 
   void Reset();
 
   // The host and port of the SSL server that requested client authentication.
   std::string host_and_port;
 
   // True if the server that issues this request was the HTTPS proxy used in
   // the request.  False, if the server was the origin server.
   bool is_proxy;
 
+  // True if |client_certs| is always empty because it is not possible
+  // to generate the list of compatible client certificates before
+  // prompting the user. This happens on Android. In this case, the values
+  // of |valid_cas| and |valid_key_types| must be used instead.
+  bool no_client_certs;

[Ryan Sleevi, 2012/12/11 21:30:24]

I don't think we should be expressing this value on the SSLCertRequestInfo
itself.

It should be in the code, and it SHOULD be fixed so that all platforms behave
the same (at some later point).

You should put a TODO here to reference the bug (or, ideally, attempt the
refactoring yourself, since all the implementation exists for the other
platforms and just needs to be brought out)

[digit1, 2012/12/11 23:05:31]

There is some code in the content or browser layer that currently assumes that
an empty |client_certs| means there are no matching certificates. In this case,
any certificate selection is short-cutted and nothing works. That's why I had to
add this field.

I assume we could add a ::GetClientCertificates() method here instead, but it
will have to be callable from multiple threads.

+
   // A list of client certificates that match the server's criteria in the
   // SSL CertificateRequest message.  In TLS 1.0, the CertificateRequest
   // message is defined as:
   //   enum {
   //     rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
   //     (255)
   //   } ClientCertificateType;
   //
   //   opaque DistinguishedName<1..2^16-1>;
   //
   //   struct {
   //       ClientCertificateType certificate_types<1..2^8-1>;
   //       DistinguishedName certificate_authorities<3..2^16-1>;
   //   } CertificateRequest;
   std::vector<scoped_refptr<X509Certificate> > client_certs;
 
+#if defined(USE_OPENSSL)

[Ryan Sleevi, 2012/12/11 21:30:24]

I strongly dislike #ifdefs for shared code like this.

+  // The list of valid certificate authorities the server recognizes.
+  // Each item is a DER-encoded X.509 DistinguishedName.
+  std::vector<std::string> valid_cas;
+
+  // The list of certificate signing key types that the server
+  // supports.
+  std::vector<SSLClientCertType> valid_key_types;
+#endif
+
  private:
   friend class base::RefCountedThreadSafe<SSLCertRequestInfo>;
 
   ~SSLCertRequestInfo();
 };
 
 }  // namespace net
 
 #endif  // NET_BASE_SSL_CERT_REQUEST_INFO_H_