Wire up SSL client authentication for OpenSSL/Android through the net/ stack

net/base/openssl_client_key_store.cc

Index: net/base/openssl_client_key_store.cc
diff --git a/net/base/openssl_client_key_store.cc b/net/base/openssl_client_key_store.cc
new file mode 100644
index 0000000000000000000000000000000000000000..01a989f9d86cdd3fc1591cc35e5248585f4dc928
--- /dev/null
+++ b/net/base/openssl_client_key_store.cc
@@ -0,0 +1,131 @@
+// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/base/openssl_client_key_store.h"
+
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+
+#include "base/memory/scoped_ptr.h"
+#include "base/memory/singleton.h"
+#include "net/base/x509_certificate.h"
+
+namespace net {
+
+namespace {
+
+typedef OpenSSLClientKeyStore::ScopedEVP_PKEY ScopedEVP_PKEY;
+
+// Increment the reference count of a given EVP_PKEY. This function
+// is similar to EVP_PKEY_dup which is not available from the OpenSSL
+// version used by Chromium at the moment. Its name is distinct to
+// avoid compiler warnings about ambiguous function calls at caller
+// sites.
+EVP_PKEY* CopyEVP_PKEY(EVP_PKEY* key) {
+  if (key != NULL)

[Ryan Sleevi, 2013/02/27 01:08:20]

nit: if (key)

[digit1, 2013/02/27 10:24:27]

Done.

+    CRYPTO_add(&key->references, 1, CRYPTO_LOCK_EVP_PKEY);
+  return key;
+}
+
+// Return the EVP_PKEY holding the public key of a given certificate.
+// |cert| is a certificate.
+// Returns a scoped EVP_PKEY for it.
+ScopedEVP_PKEY GetOpenSSLPublicKey(const X509Certificate* cert) {
+  // X509_PUBKEY_get() increments the reference count of its result.
+  // Unlike X509_get_X509_PUBKEY() which simply returns a direct pointer.
+  EVP_PKEY* pkey =
+      X509_PUBKEY_get(X509_get_X509_PUBKEY(cert->os_cert_handle()));
+  if (!pkey)
+    LOG(ERROR) << "Can't extract private key from certificate!";
+  return ScopedEVP_PKEY(pkey);
+}
+
+}  // namespace
+
+OpenSSLClientKeyStore::OpenSSLClientKeyStore() {
+}
+
+OpenSSLClientKeyStore::~OpenSSLClientKeyStore() {
+}
+
+OpenSSLClientKeyStore::KeyPair::KeyPair(EVP_PKEY* pub_key,
+                                        EVP_PKEY* priv_key) {
+  public_key_ = CopyEVP_PKEY(pub_key);
+  private_key_ = CopyEVP_PKEY(priv_key);
+}
+
+OpenSSLClientKeyStore::KeyPair::~KeyPair() {
+  EVP_PKEY_free(public_key_);
+  EVP_PKEY_free(private_key_);
+}
+
+OpenSSLClientKeyStore::KeyPair::KeyPair(const KeyPair& other) {
+  public_key_ = CopyEVP_PKEY(other.public_key_);
+  private_key_ = CopyEVP_PKEY(other.private_key_);
+}
+
+int OpenSSLClientKeyStore::FindKeyPairIndex(EVP_PKEY* public_key) {
+  if (!public_key)
+    return -1;
+  for (size_t n = 0; n < pairs_.size(); ++n) {
+    if (EVP_PKEY_cmp(pairs_[n].public_key_, public_key) == 1)
+      return static_cast<int>(n);
+  }
+  return -1;
+}
+
+void OpenSSLClientKeyStore::AddKeyPair(EVP_PKEY* pub_key,
+                                       EVP_PKEY* private_key) {
+  int index = FindKeyPairIndex(pub_key);
+  if (index < 0)
+    pairs_.push_back(KeyPair(pub_key, private_key));
+}
+
+// Common code for OpenSSLClientKeyStore. Shared by all OpenSSL-based
+// builds.
+bool OpenSSLClientKeyStore::RecordClientCertPrivateKey(
+    const X509Certificate* client_cert, EVP_PKEY* private_key) {

[Ryan Sleevi, 2013/02/27 01:08:20]

nit: Chromium style is to add a line break after client_cert, per
http://google-styleguide.googlecode.com/svn/trunk/cppguide.xml?showone=Functi...

also consistent with the rest of this file

[digit1, 2013/02/27 10:24:27]

Done.

+  // Sanity check.
+  if (client_cert == NULL || private_key == NULL)

[Ryan Sleevi, 2013/02/27 01:08:20]

nit: if (!client_cert || !private_key) [consistent with the rest of this file]

[digit1, 2013/02/27 10:24:27]

Done.

+    return false;
+
+  // Get public key from certificate.
+  ScopedEVP_PKEY pub_key(GetOpenSSLPublicKey(client_cert));
+  if (!pub_key.get())
+    return false;
+
+  AddKeyPair(pub_key.get(), private_key);
+  return true;
+}
+
+bool OpenSSLClientKeyStore::FetchClientCertPrivateKey(
+    const X509Certificate* client_cert,
+    ScopedEVP_PKEY* private_key) {
+  if (!client_cert)
+    return false;
+
+  ScopedEVP_PKEY pub_key(GetOpenSSLPublicKey(client_cert));
+  if (!pub_key.get())
+    return false;
+
+  int index = FindKeyPairIndex(pub_key.get());
+  if (index < 0)
+    return false;
+
+  ScopedEVP_PKEY result(CopyEVP_PKEY(pairs_[index].private_key_));
+  private_key->swap(result);

[Ryan Sleevi, 2013/02/27 01:08:20]

Why create a temp and swap? Why not just directly .reset() ?

[digit1, 2013/02/27 10:24:27]

I've changed it to use reset() instead.

+  return true;
+}
+
+void OpenSSLClientKeyStore::Flush() {
+  pairs_.clear();
+}
+
+OpenSSLClientKeyStore* OpenSSLClientKeyStore::GetInstance() {
+    return Singleton<OpenSSLClientKeyStore>::get();
+}
+
+}  // namespace net
+
+