Wire up SSL client authentication for OpenSSL/Android through the net/ stack

net/socket/ssl_client_socket_openssl.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // OpenSSL binding for SSLClientSocket. The class layout and general principle
 // of operation is derived from SSLClientSocketNSS.
 
 #include "net/socket/ssl_client_socket_openssl.h"
 
 #include <openssl/ssl.h>
@@ skipping 572 matching lines @@
           reinterpret_cast<const char*>(str),
           static_cast<size_t>(length)));
       OPENSSL_free(str);
     }
 
     return -1;  // Suspends handshake.
   }
 
   // Second pass: a client certificate should have been selected.
   if (ssl_config_.client_cert) {
-    EVP_PKEY* privkey = OpenSSLPrivateKeyStore::GetInstance()->FetchPrivateKey(
-        X509_PUBKEY_get(X509_get_X509_PUBKEY(
-            ssl_config_.client_cert->os_cert_handle())));
-    if (privkey) {
+    // A note about ownership: FetchClientCertPrivateKey() increments
+    // the reference count of the EVP_PKEY. Ownership of this reference
+    // is passed directly to OpenSSL, which will release the reference
+    // using EVP_PKEY_free() when the SSL object is destroyed.
+    OpenSSLPrivateKeyStore::ScopedEVP_PKEY privkey;
+    if (OpenSSLPrivateKeyStore::GetInstance()->FetchClientCertPrivateKey(
+            ssl_config_.client_cert.get(), &privkey)) {
       // TODO(joth): (copied from NSS) We should wait for server certificate
       // verification before sending our credentials. See http://crbug.com/13934
       *x509 = X509Certificate::DupOSCertHandle(
           ssl_config_.client_cert->os_cert_handle());
-      *pkey = privkey;
+      *pkey = privkey.release();
       return 1;
     }
     LOG(WARNING) << "Client cert found without private key";
   }
 
   // Send no client certificate.
   return 0;
 }
 
 // SSLClientSocket methods
 
 bool SSLClientSocketOpenSSL::GetSSLInfo(SSLInfo* ssl_info) {
   ssl_info->Reset();
+
+  ssl_info->client_cert_sent =
+      ssl_config_.send_client_cert && ssl_config_.client_cert;

[Ryan Sleevi, 2013/02/25 19:51:07]

Why did you move this here? This seems to violate the invariants that previously
existed.

[digit1, 2013/02/26 11:03:13]

Because this would always return a false value in |client_cert_sent| even if the
client certificates were actually sent, but the connection was refused by the
server.

Give that we don't have a unit test where the server actually refuses the
connection anymore, I've removed this.

+
   if (!server_cert_)
     return false;
 
   ssl_info->cert = server_cert_verify_result_.verified_cert;
   ssl_info->cert_status = server_cert_verify_result_.cert_status;
   ssl_info->is_issued_by_known_root =
       server_cert_verify_result_.is_issued_by_known_root;
   ssl_info->public_key_hashes =
     server_cert_verify_result_.public_key_hashes;
-  ssl_info->client_cert_sent =
-      ssl_config_.send_client_cert && ssl_config_.client_cert;
   ssl_info->channel_id_sent = WasChannelIDSent();
 
   const SSL_CIPHER* cipher = SSL_get_current_cipher(ssl_);
   CHECK(cipher);
   ssl_info->security_bits = SSL_CIPHER_get_bits(cipher, NULL);
   const COMP_METHOD* compression = SSL_get_current_compression(ssl_);
 
   ssl_info->connection_status = EncodeSSLConnectionStatus(
       SSL_CIPHER_get_id(cipher),
       compression ? compression->type : 0,
@@ skipping 780 matching lines @@
     net_log_.AddByteTransferEvent(NetLog::TYPE_SSL_SOCKET_BYTES_SENT, rv,
                                   user_write_buf_->data());
     return rv;
   }
 
   int err = SSL_get_error(ssl_, rv);
   return MapOpenSSLError(err, err_tracer);
 }
 
 }  // namespace net