Add a ClientKeyStore to allow injection of non-platform keys for TLS client auth.

net/ssl/client_key_store.cc

Index: net/ssl/client_key_store.cc
diff --git a/net/ssl/client_key_store.cc b/net/ssl/client_key_store.cc
new file mode 100644
index 0000000000000000000000000000000000000000..24ddf96d28921b85e5ce978037a1e98c34d08871
--- /dev/null
+++ b/net/ssl/client_key_store.cc
@@ -0,0 +1,58 @@
+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/ssl/client_key_store.h"
+
+#include "base/memory/singleton.h"
+#include "net/cert/x509_certificate.h"
+#include "net/ssl/ssl_private_key.h"
+
+namespace net {
+
+ClientKeyStore::CertAndKey::CertAndKey() {}
+ClientKeyStore::CertAndKey::~CertAndKey() {}
+
+ClientKeyStore::ClientKeyStore() {}
+
+ClientKeyStore::~ClientKeyStore() {}
+
+// static
+ClientKeyStore* ClientKeyStore::GetInstance() {
+  return Singleton<ClientKeyStore, LeakySingletonTraits<ClientKeyStore>>::get();
+}
+
+ClientKeyStore::ProviderHandle ClientKeyStore::CreateNewProvider() {
+  base::AutoLock auto_lock(lock_);
+  return ProviderHandle(next_free_provider_id_++);
+}
+
+void ClientKeyStore::RemoveProvider(ProviderHandle provider) {
+  base::AutoLock auto_lock(lock_);
+  certs_per_provider_.erase(provider.id);
+}
+
+void ClientKeyStore::SetCertificates(ProviderHandle provider,
+                                     CertsAndKeys* certs) {
+  {
+    base::AutoLock auto_lock(lock_);
+    CertsAndKeys& stored_certs = certs_per_provider_[provider.id];
+    stored_certs.swap(*certs);
+  }
+  certs->clear();
+}
+
+scoped_ptr<SSLPrivateKey> ClientKeyStore::FetchClientCertPrivateKey(
+    const X509Certificate* certificate) {
+  base::AutoLock auto_lock(lock_);
+  for (const auto& provider_and_certs : certs_per_provider_) {
+    const CertsAndKeys& certs_and_keys = provider_and_certs.second;
+    for (const auto& cert_and_key : certs_and_keys) {
+      if (certificate->Equals(cert_and_key.certificate.get()))

[Ryan Sleevi, 2015/08/08 00:14:22]

This also seems quite inefficient; a linear scan.

Why not store these as a map of (SHA256HashOfCertificate -> Private Key)?

[pneubeck (no reviews), 2015/08/13 08:20:19]

refactored. (I will do so in the implementation of the Provider)

+        return cert_and_key.key_getter.Run();
+    }
+  }
+  return nullptr;
+}
+
+}  // namespace net