Plumbing SSLPrivateKey (//net)

net/socket/ssl_client_socket_openssl.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // OpenSSL binding for SSLClientSocket. The class layout and general principle
 // of operation is derived from SSLClientSocketNSS.
 
 #include "net/socket/ssl_client_socket_openssl.h"
 
 #include <errno.h>
 #include <openssl/bio.h>
 #include <openssl/err.h>
 #include <openssl/mem.h>
 #include <openssl/ssl.h>
 #include <string.h>
 
 #include "base/bind.h"
 #include "base/callback_helpers.h"
+#include "base/environment.h"

[davidben, 2015/11/04 00:17:38]

(Stray change? Guessing a funny rebase.)

[svaldez, 2015/11/04 16:55:52]

Done.

 #include "base/lazy_instance.h"
 #include "base/memory/singleton.h"
 #include "base/metrics/histogram_macros.h"
 #include "base/profiler/scoped_tracker.h"
 #include "base/stl_util.h"
 #include "base/strings/string_piece.h"
 #include "base/synchronization/lock.h"
-#include "base/threading/sequenced_worker_pool.h"
 #include "base/threading/thread_local.h"
 #include "base/values.h"
 #include "crypto/ec_private_key.h"
 #include "crypto/openssl_util.h"
 #include "crypto/scoped_openssl_types.h"
 #include "net/base/ip_address_number.h"
 #include "net/base/net_errors.h"
 #include "net/cert/cert_policy_enforcer.h"
 #include "net/cert/cert_verifier.h"
 #include "net/cert/ct_ev_whitelist.h"
@@ skipping 123 matching lines @@
       *hash = SSLPrivateKey::Hash::SHA384;
       return true;
     case NID_sha512:
       *hash = SSLPrivateKey::Hash::SHA512;
       return true;
     default:
       return false;
   }
 }
 
-#if !defined(OS_NACL)
-class PlatformKeyTaskRunner {
- public:
-  PlatformKeyTaskRunner() {
-    // Serialize all the private key operations on a single background
-    // thread to avoid problems with buggy smartcards.
-    worker_pool_ = new base::SequencedWorkerPool(1, "Platform Key Thread");
-    task_runner_ = worker_pool_->GetSequencedTaskRunnerWithShutdownBehavior(
-        worker_pool_->GetSequenceToken(),
-        base::SequencedWorkerPool::CONTINUE_ON_SHUTDOWN);
-  }
-
-  scoped_refptr<base::SequencedTaskRunner> task_runner() {
-    return task_runner_;
-  }
-
- private:
-  scoped_refptr<base::SequencedWorkerPool> worker_pool_;
-  scoped_refptr<base::SequencedTaskRunner> task_runner_;
-
-  DISALLOW_COPY_AND_ASSIGN(PlatformKeyTaskRunner);
-};
-
-base::LazyInstance<PlatformKeyTaskRunner>::Leaky g_platform_key_task_runner =
-    LAZY_INSTANCE_INITIALIZER;
-#endif
-
 }  // namespace
 
 class SSLClientSocketOpenSSL::SSLContext {
  public:
   static SSLContext* GetInstance() {
     return base::Singleton<SSLContext>::get();
   }
   SSL_CTX* ssl_ctx() { return ssl_ctx_.get(); }
   SSLClientSessionCacheOpenSSL* session_cache() { return &session_cache_; }
 
@@ skipping 398 matching lines @@
 
   npn_status_ = kNextProtoUnsupported;
   npn_proto_.clear();
 
   channel_id_sent_ = false;
   session_pending_ = false;
   certificate_verified_ = false;
   channel_id_request_.Cancel();
   ssl_failure_state_ = SSL_FAILURE_NONE;
 
-  private_key_.reset();

[davidben, 2015/11/04 00:17:38]

Hrm. Actually, I think you can do away with this field completely and just
reference it out of ssl_config_.

[svaldez, 2015/11/04 16:55:52]

Done.

   signature_result_ = kNoPendingResult;
   signature_.clear();
 }
 
 bool SSLClientSocketOpenSSL::IsConnected() const {
   // If the handshake has not yet completed.
   if (!completed_connect_)
     return false;
   // If an asynchronous operation is still pending.
   if (user_read_buf_.get() || user_write_buf_.get())
@@ skipping 1167 matching lines @@
       return -1;
     }
 
     if (!SSL_use_certificate(ssl_, leaf_x509.get()) ||
         !SSL_set1_chain(ssl_, chain.get())) {
       LOG(WARNING) << "Failed to set client certificate";
       return -1;
     }
 
 #if defined(OS_NACL)
-      OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_CERT_NO_PRIVATE_KEY);
-      return -1;
+    OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_CERT_NO_PRIVATE_KEY);
+    return -1;
 #else
-    // TODO(davidben): Lift this call up to the embedder so we can actually test
-    // this code. https://crbug.com/394131
-    private_key_ = FetchClientCertPrivateKey(
-        ssl_config_.client_cert.get(),
-        g_platform_key_task_runner.Get().task_runner());
+    private_key_ = ssl_config_.client_private_key;
+
     if (!private_key_) {
-      // Could not find the private key. Fail the handshake and surface an
-      // appropriate error to the caller.
+      // The caller supplied a null private key. Fail the handshake and surface
+      // an appropriate error to the caller.
       LOG(WARNING) << "Client cert found without private key";
       OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_CERT_NO_PRIVATE_KEY);
       return -1;
     }
 
     SSL_set_private_key_method(ssl_, &SSLContext::kPrivateKeyMethod);
 
     std::vector<SSLPrivateKey::Hash> digest_prefs =
         private_key_->GetDigestPreferences();
 
@@ skipping 334 matching lines @@
     OnHandshakeIOComplete(signature_result_);
     return;
   }
 
   // During a renegotiation, either Read or Write calls may be blocked on an
   // asynchronous private key operation.
   PumpReadWriteEvents();
 }
 
 }  // namespace net