Sign CertificateVerify messages on a background thread.

net/socket/ssl_client_socket_openssl.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // OpenSSL binding for SSLClientSocket. The class layout and general principle
 // of operation is derived from SSLClientSocketNSS.
 
 #include "net/socket/ssl_client_socket_openssl.h"
 
 #include <errno.h>
 #include <openssl/bio.h>
 #include <openssl/err.h>
 #include <openssl/mem.h>
 #include <openssl/ssl.h>
 #include <string.h>
 
 #include "base/bind.h"
 #include "base/callback_helpers.h"
 #include "base/environment.h"
 #include "base/memory/singleton.h"
 #include "base/metrics/histogram.h"
 #include "base/profiler/scoped_tracker.h"
+#include "base/stl_util.h"
 #include "base/strings/string_piece.h"
 #include "base/synchronization/lock.h"
 #include "base/threading/thread_local.h"
+#include "base/threading/worker_pool.h"
 #include "base/values.h"
 #include "crypto/ec_private_key.h"
 #include "crypto/openssl_util.h"
 #include "crypto/scoped_openssl_types.h"
 #include "net/base/net_errors.h"
 #include "net/cert/cert_policy_enforcer.h"
 #include "net/cert/cert_verifier.h"
 #include "net/cert/ct_ev_whitelist.h"
 #include "net/cert/ct_verifier.h"
 #include "net/cert/x509_certificate_net_log_param.h"
 #include "net/cert/x509_util_openssl.h"
 #include "net/http/transport_security_state.h"
 #include "net/ssl/scoped_openssl_types.h"
 #include "net/ssl/ssl_cert_request_info.h"
 #include "net/ssl/ssl_client_session_cache_openssl.h"
 #include "net/ssl/ssl_connection_status_flags.h"
 #include "net/ssl/ssl_failure_state.h"
 #include "net/ssl/ssl_info.h"
+#include "net/ssl/ssl_private_key.h"
 
 #if defined(OS_WIN)
 #include "base/win/windows_version.h"
 #endif
 
 #if defined(USE_OPENSSL_CERTS)
 #include "net/ssl/openssl_client_key_store.h"
 #else
-#include "net/ssl/openssl_platform_key.h"
+#include "net/ssl/ssl_platform_key.h"
 #endif
 
 namespace net {
 
 namespace {
 
 // Enable this to see logging for state machine state transitions.
 #if 0
 #define GotoState(s) do { DVLOG(2) << (void *)this << " " << __FUNCTION__ << \
                            " jump to state " << s; \
                            next_handshake_state_ = s; } while (0)
 #else
 #define GotoState(s) next_handshake_state_ = s
 #endif
 
 // This constant can be any non-negative/non-zero value (eg: it does not
 // overlap with any value of the net::Error range, including net::OK).
-const int kNoPendingReadResult = 1;
+const int kNoPendingResult = 1;
 
 // If a client doesn't have a list of protocols that it supports, but
 // the server supports NPN, choosing "http/1.1" is the best answer.
 const char kDefaultSupportedNPNProtocol[] = "http/1.1";
 
 // Default size of the internal BoringSSL buffers.
 const int KDefaultOpenSSLBufferSize = 17 * 1024;
 
 void FreeX509Stack(STACK_OF(X509)* ptr) {
   sk_X509_pop_free(ptr, X509_free);
@@ skipping 56 matching lines @@
     sk_X509_push(stack.get(), x509.release());
   }
   return stack.Pass();
 }
 
 int LogErrorCallback(const char* str, size_t len, void* context) {
   LOG(ERROR) << base::StringPiece(str, len);
   return 1;
 }
 
+bool EVP_MDToPrivateKeyHash(const EVP_MD* md, SSLPrivateKey::Hash* hash) {
+  switch (EVP_MD_type(md)) {
+    case NID_md5_sha1:
+      *hash = SSLPrivateKey::Hash::MD5_SHA1;
+      return true;
+    case NID_md5:
+      *hash = SSLPrivateKey::Hash::MD5;
+      return true;
+    case NID_sha1:
+      *hash = SSLPrivateKey::Hash::SHA1;
+      return true;
+    case NID_sha224:
+      *hash = SSLPrivateKey::Hash::SHA224;
+      return true;
+    case NID_sha256:
+      *hash = SSLPrivateKey::Hash::SHA256;
+      return true;
+    case NID_sha384:
+      *hash = SSLPrivateKey::Hash::SHA384;
+      return true;
+    case NID_sha512:
+      *hash = SSLPrivateKey::Hash::SHA512;
+      return true;
+    default:
+      return false;
+  }
+}
+
 }  // namespace
 
 class SSLClientSocketOpenSSL::SSLContext {
  public:
   static SSLContext* GetInstance() { return Singleton<SSLContext>::get(); }
   SSL_CTX* ssl_ctx() { return ssl_ctx_.get(); }
   SSLClientSessionCacheOpenSSL* session_cache() { return &session_cache_; }
 
   SSLClientSocketOpenSSL* GetClientSocketFromSSL(const SSL* ssl) {
     DCHECK(ssl);
@@ skipping 185 matching lines @@
   return SSL_PROTOCOL_VERSION_TLS1_2;
 }
 
 SSLClientSocketOpenSSL::SSLClientSocketOpenSSL(
     scoped_ptr<ClientSocketHandle> transport_socket,
     const HostPortPair& host_and_port,
     const SSLConfig& ssl_config,
     const SSLClientSocketContext& context)
     : transport_send_busy_(false),
       transport_recv_busy_(false),
-      pending_read_error_(kNoPendingReadResult),
+      pending_read_error_(kNoPendingResult),
       pending_read_ssl_error_(SSL_ERROR_NONE),
       transport_read_error_(OK),
       transport_write_error_(OK),
       server_cert_chain_(new PeerCertificateChain(NULL)),
       completed_connect_(false),
       was_ever_used_(false),
       cert_verifier_(context.cert_verifier),
       cert_transparency_verifier_(context.cert_transparency_verifier),
       channel_id_service_(context.channel_id_service),
       ssl_(NULL),
       transport_bio_(NULL),
       transport_(transport_socket.Pass()),
       host_and_port_(host_and_port),
       ssl_config_(ssl_config),
       ssl_session_cache_shard_(context.ssl_session_cache_shard),
       next_handshake_state_(STATE_NONE),
       npn_status_(kNextProtoUnsupported),
       channel_id_sent_(false),
       handshake_completed_(false),
       certificate_verified_(false),
       ssl_failure_state_(SSL_FAILURE_NONE),
+      signature_result_(kNoPendingResult),
       transport_security_state_(context.transport_security_state),
       policy_enforcer_(context.cert_policy_enforcer),
       net_log_(transport_->socket()->NetLog()),
       weak_factory_(this) {
   DCHECK(cert_verifier_);
 }
 
 SSLClientSocketOpenSSL::~SSLClientSocketOpenSSL() {
   Disconnect();
 }
@@ skipping 101 matching lines @@
   recv_buffer_ = NULL;
 
   user_connect_callback_.Reset();
   user_read_callback_.Reset();
   user_write_callback_.Reset();
   user_read_buf_         = NULL;
   user_read_buf_len_     = 0;
   user_write_buf_        = NULL;
   user_write_buf_len_    = 0;
 
-  pending_read_error_ = kNoPendingReadResult;
+  pending_read_error_ = kNoPendingResult;
   pending_read_ssl_error_ = SSL_ERROR_NONE;
   pending_read_error_info_ = OpenSSLErrorInfo();
 
   transport_read_error_ = OK;
   transport_write_error_ = OK;
 
   server_cert_verify_result_.Reset();
   completed_connect_ = false;
 
   cert_authorities_.clear();
   cert_key_types_.clear();
 
   start_cert_verification_time_ = base::TimeTicks();
 
   npn_status_ = kNextProtoUnsupported;
   npn_proto_.clear();
 
   channel_id_sent_ = false;
   handshake_completed_ = false;
   certificate_verified_ = false;
   channel_id_request_.Cancel();
   ssl_failure_state_ = SSL_FAILURE_NONE;
+
+  private_key_.reset();
+  signature_result_ = kNoPendingResult;
+  signature_.clear();
 }
 
 bool SSLClientSocketOpenSSL::IsConnected() const {
   // If the handshake has not yet completed.
   if (!completed_connect_)
     return false;
   // If an asynchronous operation is still pending.
   if (user_read_buf_.get() || user_write_buf_.get())
     return true;
 
@@ skipping 393 matching lines @@
     if (ssl_error == SSL_ERROR_WANT_CHANNEL_ID_LOOKUP) {
       // The server supports channel ID. Stop to look one up before returning to
       // the handshake.
       GotoState(STATE_CHANNEL_ID_LOOKUP);
       return OK;
     }
     if (ssl_error == SSL_ERROR_WANT_X509_LOOKUP &&
         !ssl_config_.send_client_cert) {
       return ERR_SSL_CLIENT_AUTH_CERT_NEEDED;
     }
+    if (ssl_error == SSL_ERROR_WANT_PRIVATE_KEY_OPERATION) {
+      DCHECK(private_key_);
+      DCHECK_NE(kNoPendingResult, signature_result_);
+      GotoState(STATE_HANDSHAKE);
+      return ERR_IO_PENDING;
+    }
 
     OpenSSLErrorInfo error_info;
     net_error = MapOpenSSLErrorWithDetails(ssl_error, err_tracer, &error_info);
     if (net_error == ERR_IO_PENDING) {
       // If not done, stay in this state
       GotoState(STATE_HANDSHAKE);
       return ERR_IO_PENDING;
     }
 
     LOG(ERROR) << "handshake failed; returned " << rv << ", SSL error code "
@@ skipping 308 matching lines @@
   }
 }
 
 void SSLClientSocketOpenSSL::OnSendComplete(int result) {
   if (next_handshake_state_ == STATE_HANDSHAKE) {
     // In handshake phase.
     OnHandshakeIOComplete(result);
     return;
   }
 
-  // OnSendComplete may need to call DoPayloadRead while the renegotiation
-  // handshake is in progress.
-  int rv_read = ERR_IO_PENDING;
-  int rv_write = ERR_IO_PENDING;
-  bool network_moved;
-  do {
-    if (user_read_buf_.get())
-      rv_read = DoPayloadRead();
-    if (user_write_buf_.get())
-      rv_write = DoPayloadWrite();
-    network_moved = DoTransportIO();
-  } while (rv_read == ERR_IO_PENDING && rv_write == ERR_IO_PENDING &&
-           (user_read_buf_.get() || user_write_buf_.get()) && network_moved);
-
-  // Performing the Read callback may cause |this| to be deleted. If this
-  // happens, the Write callback should not be invoked. Guard against this by
-  // holding a WeakPtr to |this| and ensuring it's still valid.
-  base::WeakPtr<SSLClientSocketOpenSSL> guard(weak_factory_.GetWeakPtr());
-  if (user_read_buf_.get() && rv_read != ERR_IO_PENDING)
-    DoReadCallback(rv_read);
-
-  if (!guard.get())
-    return;
-
-  if (user_write_buf_.get() && rv_write != ERR_IO_PENDING)
-    DoWriteCallback(rv_write);
+  // OnSendComplete may need to run the Read state machine while a
+  // renegotiation handshake is in progress.

[Ryan Sleevi, 2015/06/15 22:55:22]

I find this comment less clear then the original (ambiguity as to what the
"Read" state machine is; the original comment was clear it was about
DoPayloadRead)

[davidben, 2015/06/17 20:47:02]

The problem is the original comment is wrong. We need to run the *entire* Read
state machine, including DoReadCallback. See long reply to your other comment.

+  RunReadWriteLoops();
 }
 
 void SSLClientSocketOpenSSL::OnRecvComplete(int result) {
   if (next_handshake_state_ == STATE_HANDSHAKE) {
     // In handshake phase.
     OnHandshakeIOComplete(result);
     return;
   }
 
   // Network layer received some data, check if client requested to read
@@ skipping 77 matching lines @@
   return rv;
 }
 
 int SSLClientSocketOpenSSL::DoPayloadRead() {
   crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
 
   DCHECK_LT(0, user_read_buf_len_);
   DCHECK(user_read_buf_.get());
 
   int rv;
-  if (pending_read_error_ != kNoPendingReadResult) {
+  if (pending_read_error_ != kNoPendingResult) {
     rv = pending_read_error_;
-    pending_read_error_ = kNoPendingReadResult;
+    pending_read_error_ = kNoPendingResult;
     if (rv == 0) {
       net_log_.AddByteTransferEvent(NetLog::TYPE_SSL_SOCKET_BYTES_RECEIVED,
                                     rv, user_read_buf_->data());
     } else {
       net_log_.AddEvent(
           NetLog::TYPE_SSL_READ_ERROR,
           CreateNetLogOpenSSLErrorCallback(rv, pending_read_ssl_error_,
                                            pending_read_error_info_));
     }
     pending_read_ssl_error_ = SSL_ERROR_NONE;
@@ skipping 21 matching lines @@
     //
     // TransportReadComplete converts the first to an ERR_CONNECTION_CLOSED
     // error, so it does not occur. The second and third are distinguished by
     // SSL_ERROR_ZERO_RETURN.
     pending_read_ssl_error_ = SSL_get_error(ssl_, ssl_ret);
     if (pending_read_ssl_error_ == SSL_ERROR_ZERO_RETURN) {
       pending_read_error_ = 0;
     } else if (pending_read_ssl_error_ == SSL_ERROR_WANT_X509_LOOKUP &&
                !ssl_config_.send_client_cert) {
       pending_read_error_ = ERR_SSL_CLIENT_AUTH_CERT_NEEDED;
+    } else if (pending_read_ssl_error_ ==
+               SSL_ERROR_WANT_PRIVATE_KEY_OPERATION) {
+      DCHECK(private_key_);
+      DCHECK_NE(kNoPendingResult, signature_result_);
+      pending_read_error_ = ERR_IO_PENDING;
     } else {
       pending_read_error_ = MapOpenSSLErrorWithDetails(
           pending_read_ssl_error_, err_tracer, &pending_read_error_info_);
     }
 
     // Many servers do not reliably send a close_notify alert when shutting down
     // a connection, and instead terminate the TCP connection. This is reported
     // as ERR_CONNECTION_CLOSED. Because of this, map the unclean shutdown to a
     // graceful EOF, instead of treating it as an error as it should be.
     if (pending_read_error_ == ERR_CONNECTION_CLOSED)
       pending_read_error_ = 0;
   }
 
   if (total_bytes_read > 0) {
     // Return any bytes read to the caller. The error will be deferred to the
     // next call of DoPayloadRead.
     rv = total_bytes_read;
 
     // Do not treat insufficient data as an error to return in the next call to
     // DoPayloadRead() - instead, let the call fall through to check SSL_read()
     // again. This is because DoTransportIO() may complete in between the next
     // call to DoPayloadRead(), and thus it is important to check SSL_read() on
     // subsequent invocations to see if a complete record may now be read.
     if (pending_read_error_ == ERR_IO_PENDING)
-      pending_read_error_ = kNoPendingReadResult;
+      pending_read_error_ = kNoPendingResult;
   } else {
     // No bytes were returned. Return the pending read error immediately.
-    DCHECK_NE(kNoPendingReadResult, pending_read_error_);
+    DCHECK_NE(kNoPendingResult, pending_read_error_);
     rv = pending_read_error_;
-    pending_read_error_ = kNoPendingReadResult;
+    pending_read_error_ = kNoPendingResult;
   }
 
   if (rv >= 0) {
     net_log_.AddByteTransferEvent(NetLog::TYPE_SSL_SOCKET_BYTES_RECEIVED, rv,
                                   user_read_buf_->data());
   } else if (rv != ERR_IO_PENDING) {
     net_log_.AddEvent(
         NetLog::TYPE_SSL_READ_ERROR,
         CreateNetLogOpenSSLErrorCallback(rv, pending_read_ssl_error_,
                                          pending_read_error_info_));
     pending_read_ssl_error_ = SSL_ERROR_NONE;
     pending_read_error_info_ = OpenSSLErrorInfo();
   }
   return rv;
 }
 
 int SSLClientSocketOpenSSL::DoPayloadWrite() {
   crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
   int rv = SSL_write(ssl_, user_write_buf_->data(), user_write_buf_len_);
 
   if (rv >= 0) {
     net_log_.AddByteTransferEvent(NetLog::TYPE_SSL_SOCKET_BYTES_SENT, rv,
                                   user_write_buf_->data());
     return rv;
   }
 
   int ssl_error = SSL_get_error(ssl_, rv);
+  if (ssl_error == SSL_ERROR_WANT_PRIVATE_KEY_OPERATION)
+    return ERR_IO_PENDING;
   OpenSSLErrorInfo error_info;
   int net_error = MapOpenSSLErrorWithDetails(ssl_error, err_tracer,
                                              &error_info);
 
   if (net_error != ERR_IO_PENDING) {
     net_log_.AddEvent(
         NetLog::TYPE_SSL_WRITE_ERROR,
         CreateNetLogOpenSSLErrorCallback(net_error, ssl_error, error_info));
   }
   return net_error;
 }
 
+void SSLClientSocketOpenSSL::RunReadWriteLoops() {
+  int rv_read = ERR_IO_PENDING;
+  int rv_write = ERR_IO_PENDING;
+  bool network_moved;
+  do {
+    if (user_read_buf_.get())
+      rv_read = DoPayloadRead();
+    if (user_write_buf_.get())
+      rv_write = DoPayloadWrite();
+    network_moved = DoTransportIO();
+  } while (rv_read == ERR_IO_PENDING && rv_write == ERR_IO_PENDING &&
+           (user_read_buf_.get() || user_write_buf_.get()) && network_moved);
+
+  // Performing the Read callback may cause |this| to be deleted. If this
+  // happens, the Write callback should not be invoked. Guard against this by
+  // holding a WeakPtr to |this| and ensuring it's still valid.
+  base::WeakPtr<SSLClientSocketOpenSSL> guard(weak_factory_.GetWeakPtr());
+  if (user_read_buf_.get() && rv_read != ERR_IO_PENDING)
+    DoReadCallback(rv_read);
+
+  if (!guard.get())
+    return;
+
+  if (user_write_buf_.get() && rv_write != ERR_IO_PENDING)
+    DoWriteCallback(rv_write);
+}
+
 int SSLClientSocketOpenSSL::BufferSend(void) {
   if (transport_send_busy_)
     return ERR_IO_PENDING;
 
   size_t buffer_read_offset;
   uint8_t* read_buf;
   size_t max_read;
   int status = BIO_zero_copy_get_read_buf(transport_bio_, &read_buf,
                                           &buffer_read_offset, &max_read);
   DCHECK_EQ(status, 1);  // Should never fail.
@@ skipping 163 matching lines @@
     }
 
     ScopedX509Stack chain = OSCertHandlesToOpenSSL(
         ssl_config_.client_cert->GetIntermediateCertificates());
     if (!chain) {
       LOG(WARNING) << "Failed to import intermediate certificates";
       OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_CERT_BAD_FORMAT);
       return -1;
     }
 
-    // TODO(davidben): With Linux client auth support, this should be
-    // conditioned on OS_ANDROID and then, with https://crbug.com/394131,
-    // removed altogether. OpenSSLClientKeyStore is mostly an artifact of the
-    // net/ client auth API lacking a private key handle.
+    if (!SSL_use_certificate(ssl_, leaf_x509.get()) ||
+        !SSL_set1_chain(ssl_, chain.get())) {
+      LOG(WARNING) << "Failed to set client certificate";
+      return -1;
+    }
+
 #if defined(USE_OPENSSL_CERTS)
     crypto::ScopedEVP_PKEY privkey =
         OpenSSLClientKeyStore::GetInstance()->FetchClientCertPrivateKey(
             ssl_config_.client_cert.get());
-#else  // !defined(USE_OPENSSL_CERTS)
-    crypto::ScopedEVP_PKEY privkey =
-        FetchClientCertPrivateKey(ssl_config_.client_cert.get());
-#endif  // defined(USE_OPENSSL_CERTS)
     if (!privkey) {
       // Could not find the private key. Fail the handshake and surface an
       // appropriate error to the caller.
       LOG(WARNING) << "Client cert found without private key";
       OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_CERT_NO_PRIVATE_KEY);
       return -1;
     }
+    if (!SSL_use_PrivateKey(ssl_, privkey.get())) {
+      LOG(WARNING) << "Failed to set private key";
+      return -1;
+    }
+#else   // !USE_OPENSSL_CERTS
+    // TODO(davidben): Move Android to the SSLPrivateKey codepath and disable
+    // client auth on NaCl altogether.
+    //
+    // TODO(davidben): Lift this call up to the embedder so we can actually test
+    // this code. https://crbug.com/394131
+    private_key_ = FetchClientCertPrivateKey(
+        ssl_config_.client_cert.get(),
+        base::WorkerPool::GetTaskRunner(true /* task_is_slow */));

[Ryan Sleevi, 2015/06/15 22:55:22]

Per our chat, doesn't this need to be explicitly supplied?

[davidben, 2015/06/17 20:47:02]

Done.

+    if (!private_key_) {
+      // Could not find the private key. Fail the handshake and surface an
+      // appropriate error to the caller.
+      LOG(WARNING) << "Client cert found without private key";
+      OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_CERT_NO_PRIVATE_KEY);
+      return -1;
+    }
 
-    if (!SSL_use_certificate(ssl_, leaf_x509.get()) ||
-        !SSL_use_PrivateKey(ssl_, privkey.get()) ||
-        !SSL_set1_chain(ssl_, chain.get())) {
-      LOG(WARNING) << "Failed to set client certificate";
-      return -1;
-    }
+    static const SSL_PRIVATE_KEY_METHOD kPrivateKeyMethod = {
+        &SSLClientSocketOpenSSL::PrivateKeyTypeCallback,
+        &SSLClientSocketOpenSSL::PrivateKeySupportsDigestCallback,
+        &SSLClientSocketOpenSSL::PrivateKeyMaxSignatureLenCallback,
+        &SSLClientSocketOpenSSL::PrivateKeySignCallback,
+        &SSLClientSocketOpenSSL::PrivateKeySignCompleteCallback,
+    };
+    SSL_set_private_key_method(ssl_, &kPrivateKeyMethod);
+#endif  // USE_OPENSSL_CERTS
 
     int cert_count = 1 + sk_X509_num(chain.get());
     net_log_.AddEvent(NetLog::TYPE_SSL_CLIENT_CERT_PROVIDED,
                       NetLog::IntegerCallback("cert_count", cert_count));
     return 1;
   }
 #endif  // defined(OS_IOS)
 
   // Send no client certificate.
   net_log_.AddEvent(NetLog::TYPE_SSL_CLIENT_CERT_PROVIDED,
@@ skipping 201 matching lines @@
     return ssl_config_.renego_allowed_default;
 
   NextProto next_proto = NextProtoFromString(npn_proto_);
   for (NextProto allowed : ssl_config_.renego_allowed_for_protos) {
     if (next_proto == allowed)
       return true;
   }
   return false;
 }
 
+// static
+int SSLClientSocketOpenSSL::PrivateKeyTypeCallback(SSL* ssl) {
+  SSLClientSocketOpenSSL* socket =
+      SSLContext::GetInstance()->GetClientSocketFromSSL(ssl);
+
+  switch (socket->private_key_->GetType()) {
+    case SSLPrivateKey::Type::RSA:
+      return EVP_PKEY_RSA;
+    case SSLPrivateKey::Type::ECDSA:
+      return EVP_PKEY_EC;
+  }
+  NOTREACHED();
+  return EVP_PKEY_NONE;
+}
+
+// static
+int SSLClientSocketOpenSSL::PrivateKeySupportsDigestCallback(SSL* ssl,
+                                                             const EVP_MD* md) {
+  SSLClientSocketOpenSSL* socket =
+      SSLContext::GetInstance()->GetClientSocketFromSSL(ssl);
+
+  SSLPrivateKey::Hash hash;
+  return EVP_MDToPrivateKeyHash(md, &hash) &&
+         socket->private_key_->SupportsHash(hash);
+}
+
+// static
+size_t SSLClientSocketOpenSSL::PrivateKeyMaxSignatureLenCallback(SSL* ssl) {
+  SSLClientSocketOpenSSL* socket =
+      SSLContext::GetInstance()->GetClientSocketFromSSL(ssl);
+
+  return socket->private_key_->GetMaxSignatureLength();
+}
+
+// static
+ssl_private_key_result_t SSLClientSocketOpenSSL::PrivateKeySignCallback(
+    SSL* ssl,
+    uint8_t* out,
+    size_t* out_len,
+    size_t max_out,
+    const EVP_MD* md,
+    const uint8_t* in,
+    size_t in_len) {
+  SSLClientSocketOpenSSL* socket =
+      SSLContext::GetInstance()->GetClientSocketFromSSL(ssl);
+
+  DCHECK_EQ(kNoPendingResult, socket->signature_result_);
+  DCHECK(socket->signature_.empty());
+  DCHECK(socket->private_key_);
+
+  socket->net_log_.BeginEvent(NetLog::TYPE_SSL_PRIVATE_KEY_OPERATION);
+
+  SSLPrivateKey::Hash hash;
+  if (!EVP_MDToPrivateKeyHash(md, &hash)) {
+    OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED);
+    return ssl_private_key_failure;
+  }
+
+  socket->signature_result_ = ERR_IO_PENDING;
+  socket->private_key_->SignDigest(
+      hash, base::StringPiece(reinterpret_cast<const char*>(in), in_len),
+      base::Bind(&SSLClientSocketOpenSSL::OnPrivateKeySignComplete,
+                 socket->weak_factory_.GetWeakPtr()));
+  return ssl_private_key_retry;
+}
+
+// static
+ssl_private_key_result_t SSLClientSocketOpenSSL::PrivateKeySignCompleteCallback(
+    SSL* ssl,
+    uint8_t* out,
+    size_t* out_len,
+    size_t max_out) {
+  SSLClientSocketOpenSSL* socket =
+      SSLContext::GetInstance()->GetClientSocketFromSSL(ssl);
+
+  DCHECK_NE(kNoPendingResult, socket->signature_result_);
+  DCHECK(socket->private_key_);
+
+  if (socket->signature_result_ == ERR_IO_PENDING)
+    return ssl_private_key_retry;
+  if (socket->signature_result_ != OK) {
+    OpenSSLPutNetError(FROM_HERE, socket->signature_result_);
+    return ssl_private_key_failure;
+  }
+  if (socket->signature_.size() > max_out) {
+    LOG(ERROR) << "Buffer too small";
+    OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED);
+    return ssl_private_key_failure;
+  }
+  memcpy(out, vector_as_array(&socket->signature_), socket->signature_.size());
+  *out_len = socket->signature_.size();
+  socket->signature_.clear();
+  return ssl_private_key_success;
+}
+
+void SSLClientSocketOpenSSL::OnPrivateKeySignComplete(
+    Error error,
+    const std::vector<uint8_t>& signature) {
+  DCHECK_EQ(ERR_IO_PENDING, signature_result_);
+  DCHECK(signature_.empty());
+  DCHECK(private_key_);
+
+  net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_PRIVATE_KEY_OPERATION,
+                                    error);
+
+  signature_result_ = error;
+  if (signature_result_ == OK)
+    signature_ = signature;
+
+  if (next_handshake_state_ == STATE_HANDSHAKE) {
+    OnHandshakeIOComplete(signature_result_);
+    return;
+  }
+
+  // Either Read or Write may be blocked on an asynchronous private
+  // key operation during a renegotiation.
+  RunReadWriteLoops();
+}
+
 scoped_refptr<X509Certificate>
 SSLClientSocketOpenSSL::GetUnverifiedServerCertificateChain() const {
   return server_cert_;
 }
 
 }  // namespace net