Sign CertificateVerify messages on a background thread.

net/socket/ssl_client_socket_openssl.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_SOCKET_SSL_CLIENT_SOCKET_OPENSSL_H_
 #define NET_SOCKET_SSL_CLIENT_SOCKET_OPENSSL_H_
 
+#include <openssl/base.h>
+#include <openssl/ssl.h>
+
 #include <string>
+#include <vector>
 
 #include "base/compiler_specific.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/memory/weak_ptr.h"
 #include "net/base/completion_callback.h"
 #include "net/base/io_buffer.h"
 #include "net/cert/cert_verifier.h"
 #include "net/cert/cert_verify_result.h"
 #include "net/cert/ct_verify_result.h"
 #include "net/socket/client_socket_handle.h"
 #include "net/socket/ssl_client_socket.h"
 #include "net/ssl/channel_id_service.h"
 #include "net/ssl/openssl_ssl_util.h"
 #include "net/ssl/ssl_client_cert_type.h"
 #include "net/ssl/ssl_config_service.h"
 #include "net/ssl/ssl_failure_state.h"
 
-// Avoid including misc OpenSSL headers, i.e.:
-// <openssl/bio.h>
-typedef struct bio_st BIO;
-// <openssl/evp.h>
-typedef struct evp_pkey_st EVP_PKEY;
-// <openssl/ssl.h>
-typedef struct ssl_session_st SSL_SESSION;
-typedef struct ssl_st SSL;
-// <openssl/x509.h>
-typedef struct x509_st X509;
-// <openssl/ossl_type.h>
-typedef struct x509_store_ctx_st X509_STORE_CTX;
-
 namespace net {
 
 class CertVerifier;
 class CTVerifier;
 class SSLCertRequestInfo;
 class SSLInfo;
+class SSLPrivateKey;
 
 // An SSL client socket implemented with OpenSSL.
 class SSLClientSocketOpenSSL : public SSLClientSocket {
  public:
   // Takes ownership of the transport_socket, which may already be connected.
   // The given hostname will be compared with the name(s) in the server's
   // certificate during the SSL handshake.  ssl_config specifies the SSL
   // settings.
   SSLClientSocketOpenSSL(scoped_ptr<ClientSocketHandle> transport_socket,
                          const HostPortPair& host_and_port,
@@ skipping 71 matching lines @@
   void OnHandshakeIOComplete(int result);
   void OnSendComplete(int result);
   void OnRecvComplete(int result);
 
   int DoHandshakeLoop(int last_io_result);
   int DoReadLoop();
   int DoWriteLoop();
   int DoPayloadRead();
   int DoPayloadWrite();
 
+  // Called when an asynchronous event completes which may have blocked the
+  // pending Read or Write calls, if any. Retries both state machines and, if
+  // complete, runs the respective callbacks.
+  void PumpReadWriteEvents();
+
   int BufferSend();
   int BufferRecv();
   void BufferSendComplete(int result);
   void BufferRecvComplete(int result);
   void TransportWriteComplete(int result);
   int TransportReadComplete(int result);
 
   // Callback from the SSL layer that indicates the remote server is requesting
   // a certificate for this client.
   int ClientCertRequestCallback(SSL* ssl);
@@ skipping 39 matching lines @@
   // the |ssl_info|.signed_certificate_timestamps list.
   void AddSCTInfoToSSLInfo(SSLInfo* ssl_info) const;
 
   // Returns a unique key string for the SSL session cache for
   // this socket.
   std::string GetSessionCacheKey() const;
 
   // Returns true if renegotiations are allowed.
   bool IsRenegotiationAllowed() const;
 
+  // Callbacks for operations with the private key.
+  int PrivateKeyTypeCallback();
+  int PrivateKeySupportsDigestCallback(const EVP_MD* md);
+  size_t PrivateKeyMaxSignatureLenCallback();
+  ssl_private_key_result_t PrivateKeySignCallback(uint8_t* out,
+                                                  size_t* out_len,
+                                                  size_t max_out,
+                                                  const EVP_MD* md,
+                                                  const uint8_t* in,
+                                                  size_t in_len);
+  ssl_private_key_result_t PrivateKeySignCompleteCallback(uint8_t* out,
+                                                          size_t* out_len,
+                                                          size_t max_out);
+
+  void OnPrivateKeySignComplete(Error error,
+                                const std::vector<uint8_t>& signature);
+
   bool transport_send_busy_;
   bool transport_recv_busy_;
 
   // Buffers which are shared by BoringSSL and SSLClientSocketOpenSSL.
   // GrowableIOBuffer is used to keep ownership and setting offset.
   scoped_refptr<GrowableIOBuffer> send_buffer_;
   scoped_refptr<GrowableIOBuffer> recv_buffer_;
 
   CompletionCallback user_connect_callback_;
   CompletionCallback user_read_callback_;
@@ skipping 90 matching lines @@
   // True if the current session was newly-established, but the certificate had
   // not yet been verified externally, so it cannot be inserted into the cache
   // until later.
   bool session_pending_;
   // True if the initial handshake's certificate has been verified.
   bool certificate_verified_;
   // The request handle for |channel_id_service_|.
   ChannelIDService::Request channel_id_request_;
   SSLFailureState ssl_failure_state_;
 
+  scoped_ptr<SSLPrivateKey> private_key_;
+  int signature_result_;
+  std::vector<uint8_t> signature_;
+
   TransportSecurityState* transport_security_state_;
 
   CertPolicyEnforcer* const policy_enforcer_;
 
   // pinning_failure_log contains a message produced by
   // TransportSecurityState::CheckPublicKeyPins in the event of a
   // pinning failure. It is a (somewhat) human-readable string.
   std::string pinning_failure_log_;
 
   BoundNetLog net_log_;
   base::WeakPtrFactory<SSLClientSocketOpenSSL> weak_factory_;
 };
 
 }  // namespace net
 
 #endif  // NET_SOCKET_SSL_CLIENT_SOCKET_OPENSSL_H_