Wire up SSL client authentication for OpenSSL/Android through the net/ stack

net/base/openssl_private_key_store.h

Index: net/base/openssl_private_key_store.h
diff --git a/net/base/openssl_private_key_store.h b/net/base/openssl_private_key_store.h
index edd54f38aa150159336a088bbc74475106a0c211..799d60eba087a963f052b9132b291393ddf219c9 100644
--- a/net/base/openssl_private_key_store.h
+++ b/net/base/openssl_private_key_store.h
@@ -5,44 +5,43 @@
 #ifndef NET_BASE_OPENSSL_PRIVATE_KEY_STORE_H_
 #define NET_BASE_OPENSSL_PRIVATE_KEY_STORE_H_
 
-#include "base/basictypes.h"
+#include <vector>
 
-// Avoid including <openssl/evp.h> here.
+// Avoid including <openssl/evp.h>
 typedef struct evp_pkey_st EVP_PKEY;
 
+#include "base/basictypes.h"
+#include "base/memory/scoped_ptr.h"
+#include "base/synchronization/lock.h"

[Ryan Sleevi, 2013/02/28 00:58:35]

IWYU: You don't need scoped_ptr, lock, or openssl_util

[digit1, 2013/02/28 15:46:56]

That's correct, they're no longer needed, I've fixed this.

+#include "crypto/openssl_util.h"
+#include "net/base/net_export.h"
+
 class GURL;
 
 namespace net {
 
-// Defines an abstract store for private keys; the OpenSSL library does not
-// provide this service so it is left to individual platforms to provide it.
-//
-// The contract is that the private key will be stored in an appropriate secure
-// system location, and be available to the SSLClientSocketOpenSSL when using a
-// client certificate created against the associated public key for client
-// authentication.
-class OpenSSLPrivateKeyStore {
- public:
-  // Platforms must define this factory function as appropriate.
-  static OpenSSLPrivateKeyStore* GetInstance();
-
-  virtual ~OpenSSLPrivateKeyStore() {}
+class X509Certificate;
 
-  // Called to store a private key generated via <keygen> while visiting |url|.
-  // Does not takes ownership of |pkey|, the caller reamins responsible to
-  // EVP_PKEY_free it. (Internally, a copy maybe made or the reference count
-  // incremented).
+// OpenSSLPrivateKeyStore provides an interface for storing
+// public/private key pairs to system storage on platforms where
+// OpenSSL is used.
+// This class shall only be used from the network thread.
+class NET_EXPORT OpenSSLPrivateKeyStore {
+ public:
+  // Called to permanently store a private/public key pair, generated
+  // via <keygen> while visiting |url|, to an appropriate system
+  // location. Increments |pkey|'s reference count, so the caller is still
+  // responsible for calling EVP_PKEY_free on it. Note that this has
+  // nothing to do with the methods RecordClientCertPrivateKey() and
+  // FetchClientCertPrivateKey() below.

[Ryan Sleevi, 2013/02/28 00:58:35]

Comment needs updating.

[digit1, 2013/02/28 15:46:56]

Done.

+  // |url| is the corresponding server URL.
+  // |pkey| is the key pair handle.
   // Returns false if an error occurred whilst attempting to store the key.
-  virtual bool StorePrivateKey(const GURL& url, EVP_PKEY* pkey) = 0;
-
-  // Given a |public_key| part returns the corresponding private key, or NULL
-  // if no key found. Does NOT return ownership.
-  virtual EVP_PKEY* FetchPrivateKey(EVP_PKEY* public_key) = 0;
-
- protected:
-  OpenSSLPrivateKeyStore() {}
+  static bool StoreKeyPair(const GURL& url, EVP_PKEY* pkey);
 
  private:
+  OpenSSLPrivateKeyStore();  // not implemented.
+  ~OpenSSLPrivateKeyStore();  // not implemented.
   DISALLOW_COPY_AND_ASSIGN(OpenSSLPrivateKeyStore);
 };