ClientCertStoreChromeOS: support additional non-platform certs.

chrome/browser/chromeos/net/client_cert_store_chromeos.h

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef CHROME_BROWSER_CHROMEOS_NET_CLIENT_CERT_STORE_CHROMEOS_H_
 #define CHROME_BROWSER_CHROMEOS_NET_CLIENT_CERT_STORE_CHROMEOS_H_
 
 #include <string>
+#include <vector>
 
+#include "base/macros.h"
+#include "base/memory/ref_counted.h"
 #include "base/memory/scoped_ptr.h"
 #include "net/ssl/client_cert_store_nss.h"
 
 namespace net {
 class X509Certificate;
+typedef std::vector<scoped_refptr<X509Certificate>> CertificateList;

[davidben, 2015/08/20 00:40:34]

Ditto.

[pneubeck (no reviews), 2015/08/20 07:18:23]

Done.

 }
 
 namespace chromeos {
 
-class ClientCertStoreChromeOS : public net::ClientCertStoreNSS {
+class CertificateProvider;
+
+class ClientCertStoreChromeOS : public net::ClientCertStore {
  public:
   class CertFilter {
    public:
     virtual ~CertFilter() {}
 
     // Initializes this filter. Returns true if it finished initialization,
     // otherwise returns false and calls |callback| once the initialization is
     // completed.
     // Must be called at most once.
     virtual bool Init(const base::Closure& callback) = 0;
 
     // Returns true if |cert| is allowed to be used as a client certificate
     // (e.g. for a certain browser context or user).
     // This is only called once initialization is finished, see Init().
     virtual bool IsCertAllowed(
         const scoped_refptr<net::X509Certificate>& cert) const = 0;
   };
 
-  // This ClientCertStore will return only client certs that pass the filter
-  // |cert_filter|.
+  // This ClientCertStore will return client certs from NSS certificate
+  // databases that pass the filter |cert_filter| and additionally return
+  // certificates provided by |cert_provider|.
   ClientCertStoreChromeOS(
+      scoped_ptr<CertificateProvider> cert_provider,
       scoped_ptr<CertFilter> cert_filter,
-      const PasswordDelegateFactory& password_delegate_factory);
+      const net::ClientCertStoreNSS::PasswordDelegateFactory&

[davidben, 2015/08/20 00:40:34]

ProfileIOData seems to supply one. Whether it's actually possible for it to do
anything, I'm not sure. I would think not since you guys don't support random
PKCS#11 modules, but I'm not confident in my understanding of any of that. Ryan
might know more definitively.

[davidben, 2015/08/20 00:40:34]

Optional: If you want to keep the type inside ClientCertStoreChromeOS so the
consumers don't have to change, I think a

  using PasswordDelegateFactory =
net::ClientCertStoreNSS::PasswordDelegateFactory;

would also be fine. I suppose doing that somewhat abstracts
net::ClientCertStoreNSS from the consumer, which isn't a bad idea? I dunno. I
don't really have preferences, so your call.

[pneubeck (no reviews), 2015/08/20 07:18:23]

I'm rather sure that we can remove it, but let's defer the removal until Ryan is
back.
In general there's always the totally unknown of another project using
chromeos=1 builds for... something and they will not run the binary in a
chromeos environment.

+          password_delegate_factory);
   ~ClientCertStoreChromeOS() override;
 
-  // net::ClientCertStoreNSS:
+  // net::ClientCertStore:
   void GetClientCerts(const net::SSLCertRequestInfo& cert_request_info,
                       net::CertificateList* selected_certs,
                       const base::Closure& callback) override;
 
- protected:
-  // net::ClientCertStoreNSS:
-  void GetClientCertsImpl(CERTCertList* cert_list,
-                          const net::SSLCertRequestInfo& request,
-                          bool query_nssdb,
-                          net::CertificateList* selected_certs) override;
+ private:
+  void GotAdditionalCerts(const net::SSLCertRequestInfo* request,
+                          net::CertificateList* selected_certs,
+                          const base::Closure& callback,
+                          const net::CertificateList& additional_certs);
 
- private:
-  void CertFilterInitialized(const net::SSLCertRequestInfo* request,
-                             net::CertificateList* selected_certs,
-                             const base::Closure& callback);
+  void GetAndFilterCertsOnWorkerThread(
+      scoped_ptr<crypto::CryptoModuleBlockingPasswordDelegate>
+          password_delegate,
+      const net::SSLCertRequestInfo* request,
+      const net::CertificateList& additional_certs,
+      net::CertificateList* selected_certs);
 
+  scoped_ptr<CertificateProvider> cert_provider_;
   scoped_ptr<CertFilter> cert_filter_;
 
+  // The factory for creating the delegate for requesting a password to a
+  // PKCS#11 token. May be null.
+  net::ClientCertStoreNSS::PasswordDelegateFactory password_delegate_factory_;
+
   DISALLOW_COPY_AND_ASSIGN(ClientCertStoreChromeOS);
 };
 
 }  // namespace chromeos
 
 #endif  // CHROME_BROWSER_CHROMEOS_NET_CLIENT_CERT_STORE_CHROMEOS_H_