Move client certificates retrieval logic out of the SSL sockets.

content/browser/loader/resource_loader.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/loader/resource_loader.h"
 
 #include "base/command_line.h"
 #include "base/message_loop.h"
 #include "base/time.h"
 #include "content/browser/child_process_security_policy_impl.h"
 #include "content/browser/loader/doomed_resource_handler.h"
 #include "content/browser/loader/resource_loader_delegate.h"
 #include "content/browser/loader/resource_request_info_impl.h"
 #include "content/browser/ssl/ssl_client_auth_handler.h"
 #include "content/browser/ssl/ssl_manager.h"
 #include "content/common/ssl_status_serialization.h"
 #include "content/public/browser/cert_store.h"
 #include "content/public/browser/resource_dispatcher_host_login_delegate.h"
 #include "content/public/browser/site_instance.h"
 #include "content/public/common/content_client.h"
 #include "content/public/common/content_switches.h"
 #include "content/public/common/resource_response.h"
 #include "content/public/common/url_constants.h"
+#include "net/base/client_cert_store.h"
+#include "net/base/client_cert_store_impl.h"
 #include "net/base/load_flags.h"
 #include "net/http/http_response_headers.h"
 #include "webkit/appcache/appcache_interceptor.h"
 
 using base::TimeDelta;
 using base::TimeTicks;
 
 namespace content {
 namespace {
 
@@ skipping 228 matching lines @@
 void ResourceLoader::OnCertificateRequested(
     net::URLRequest* unused,
     net::SSLCertRequestInfo* cert_info) {
   DCHECK_EQ(request_.get(), unused);
 
   if (!delegate_->AcceptSSLClientCertificateRequest(this, cert_info)) {
     request_->Cancel();
     return;
   }
 
+#if defined(USE_NSS) && !defined(OS_IOS)
+  scoped_ptr<net::ClientCertStore> store(new net::ClientCertStoreImpl());

[Ryan Sleevi, 2013/01/29 19:59:49]

Rather than creating a new object every time, you should create it when the
ResourceLoader is created.

I expect that in the future, we'll do some of the following changes:
1) Make it asynchronous
2) When #1 happens, we'll want to make it pooled (based on the CAs requested),
so that we're not spinning up a ton of workers all to request the same client
certs (eg: when using an SSL proxy, a very common scenario)
3) To potentially allow the ClientCertStore to cache results, only flushing when
the OS store changes (which we can get notifications for).
4) If/when we dep-inject

Having it be a member variable sets it up for the transition of
ownership/lifetime in the long-term, and in the near-term it just ensures that
no wrong assumptions get baked in on the lifetime of |store|

[ppi, 2013/01/30 15:34:56]

Sounds good, thanks! Made the pointer a member variable initialized in
ResourceLoader constructor in patch set 4.

+  store->GetClientCerts(*cert_info, &cert_info->client_certs);
+#endif
+
   if (cert_info->client_certs.empty()) {
     // No need to query the user if there are no certs to choose from.
     request_->ContinueWithCertificate(NULL);
     return;
   }
 
   DCHECK(!ssl_client_auth_handler_) <<
       "OnCertificateRequested called with ssl_client_auth_handler pending";
   ssl_client_auth_handler_ = new SSLClientAuthHandler(request_.get(),
                                                       cert_info);
@@ skipping 337 matching lines @@
     // we resume.
     deferred_stage_ = DEFERRED_FINISH;
   }
 }
 
 void ResourceLoader::CallDidFinishLoading() {
   delegate_->DidFinishLoading(this);
 }
 
 }  // namespace content