Plumbing SSLPrivateKey (//net)

net/socket/ssl_client_socket_openssl.cc

Index: net/socket/ssl_client_socket_openssl.cc
diff --git a/net/socket/ssl_client_socket_openssl.cc b/net/socket/ssl_client_socket_openssl.cc
index 0d39f6483f2b3bcfed6a543a61e78995d917828a..b66b767fe5047bd6a8e2be346b98a43476401867 100644
--- a/net/socket/ssl_client_socket_openssl.cc
+++ b/net/socket/ssl_client_socket_openssl.cc
@@ -23,7 +23,6 @@
 #include "base/stl_util.h"
 #include "base/strings/string_piece.h"
 #include "base/synchronization/lock.h"
-#include "base/threading/sequenced_worker_pool.h"
 #include "base/threading/thread_local.h"
 #include "base/values.h"
 #include "crypto/ec_private_key.h"
@@ -167,33 +166,6 @@ bool EVP_MDToPrivateKeyHash(const EVP_MD* md, SSLPrivateKey::Hash* hash) {
   }
 }
 
-#if !defined(OS_NACL)
-class PlatformKeyTaskRunner {
- public:
-  PlatformKeyTaskRunner() {
-    // Serialize all the private key operations on a single background
-    // thread to avoid problems with buggy smartcards.
-    worker_pool_ = new base::SequencedWorkerPool(1, "Platform Key Thread");
-    task_runner_ = worker_pool_->GetSequencedTaskRunnerWithShutdownBehavior(
-        worker_pool_->GetSequenceToken(),
-        base::SequencedWorkerPool::CONTINUE_ON_SHUTDOWN);
-  }
-
-  scoped_refptr<base::SequencedTaskRunner> task_runner() {
-    return task_runner_;
-  }
-
- private:
-  scoped_refptr<base::SequencedWorkerPool> worker_pool_;
-  scoped_refptr<base::SequencedTaskRunner> task_runner_;
-
-  DISALLOW_COPY_AND_ASSIGN(PlatformKeyTaskRunner);
-};
-
-base::LazyInstance<PlatformKeyTaskRunner>::Leaky g_platform_key_task_runner =
-    LAZY_INSTANCE_INITIALIZER;
-#endif
-
 }  // namespace
 
 class SSLClientSocketOpenSSL::SSLContext {
@@ -612,7 +584,6 @@ void SSLClientSocketOpenSSL::Disconnect() {
   channel_id_request_.Cancel();
   ssl_failure_state_ = SSL_FAILURE_NONE;
 
-  private_key_.reset();
   signature_result_ = kNoPendingResult;
   signature_.clear();
 }
@@ -1040,7 +1011,7 @@ int SSLClientSocketOpenSSL::DoHandshake() {
       return ERR_SSL_CLIENT_AUTH_CERT_NEEDED;
     }
     if (ssl_error == SSL_ERROR_WANT_PRIVATE_KEY_OPERATION) {
-      DCHECK(private_key_);
+      DCHECK(ssl_config_.client_private_key);
       DCHECK_NE(kNoPendingResult, signature_result_);
       GotoState(STATE_HANDSHAKE);
       return ERR_IO_PENDING;
@@ -1506,7 +1477,7 @@ int SSLClientSocketOpenSSL::DoPayloadRead() {
       pending_read_error_ = ERR_SSL_CLIENT_AUTH_CERT_NEEDED;
     } else if (pending_read_ssl_error_ ==
                SSL_ERROR_WANT_PRIVATE_KEY_OPERATION) {
-      DCHECK(private_key_);
+      DCHECK(ssl_config_.client_private_key);
       DCHECK_NE(kNoPendingResult, signature_result_);
       pending_read_error_ = ERR_IO_PENDING;
     } else {
@@ -1797,17 +1768,12 @@ int SSLClientSocketOpenSSL::ClientCertRequestCallback(SSL* ssl) {
     }
 
 #if defined(OS_NACL)

[davidben, 2015/11/06 21:47:45]

I think this is no longer necessary. We'll just never call
ContinueWithCertificate. (Would be good to also get rid of the OS_IOS one, but I
think that's not quite a no-op. NaCl right now requires you to call
ContinueWithCertificate(null, null) while iOS does it for you silently. Though
it'd be good to unify that at some point...)

[svaldez, 2015/11/09 17:32:16]

Done.

-      OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_CERT_NO_PRIVATE_KEY);
-      return -1;
+    OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_CERT_NO_PRIVATE_KEY);
+    return -1;
 #else
-    // TODO(davidben): Lift this call up to the embedder so we can actually test
-    // this code. https://crbug.com/394131
-    private_key_ = FetchClientCertPrivateKey(
-        ssl_config_.client_cert.get(),
-        g_platform_key_task_runner.Get().task_runner());
-    if (!private_key_) {
-      // Could not find the private key. Fail the handshake and surface an
-      // appropriate error to the caller.
+    if (!ssl_config_.client_private_key) {
+      // The caller supplied a null private key. Fail the handshake and surface
+      // an appropriate error to the caller.
       LOG(WARNING) << "Client cert found without private key";
       OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_CERT_NO_PRIVATE_KEY);
       return -1;
@@ -1816,7 +1782,7 @@ int SSLClientSocketOpenSSL::ClientCertRequestCallback(SSL* ssl) {
     SSL_set_private_key_method(ssl_, &SSLContext::kPrivateKeyMethod);
 
     std::vector<SSLPrivateKey::Hash> digest_prefs =
-        private_key_->GetDigestPreferences();
+        ssl_config_.client_private_key->GetDigestPreferences();
 
     size_t digests_len = digest_prefs.size();
     std::vector<int> digests;
@@ -2073,7 +2039,7 @@ bool SSLClientSocketOpenSSL::IsRenegotiationAllowed() const {
 }
 
 int SSLClientSocketOpenSSL::PrivateKeyTypeCallback() {
-  switch (private_key_->GetType()) {
+  switch (ssl_config_.client_private_key->GetType()) {
     case SSLPrivateKey::Type::RSA:
       return EVP_PKEY_RSA;
     case SSLPrivateKey::Type::ECDSA:
@@ -2084,7 +2050,7 @@ int SSLClientSocketOpenSSL::PrivateKeyTypeCallback() {
 }
 
 size_t SSLClientSocketOpenSSL::PrivateKeyMaxSignatureLenCallback() {
-  return private_key_->GetMaxSignatureLengthInBytes();
+  return ssl_config_.client_private_key->GetMaxSignatureLengthInBytes();
 }
 
 ssl_private_key_result_t SSLClientSocketOpenSSL::PrivateKeySignCallback(
@@ -2096,7 +2062,7 @@ ssl_private_key_result_t SSLClientSocketOpenSSL::PrivateKeySignCallback(
     size_t in_len) {
   DCHECK_EQ(kNoPendingResult, signature_result_);
   DCHECK(signature_.empty());
-  DCHECK(private_key_);
+  DCHECK(ssl_config_.client_private_key);
 
   net_log_.BeginEvent(NetLog::TYPE_SSL_PRIVATE_KEY_OPERATION);
 
@@ -2107,7 +2073,7 @@ ssl_private_key_result_t SSLClientSocketOpenSSL::PrivateKeySignCallback(
   }
 
   signature_result_ = ERR_IO_PENDING;
-  private_key_->SignDigest(
+  ssl_config_.client_private_key->SignDigest(
       hash, base::StringPiece(reinterpret_cast<const char*>(in), in_len),
       base::Bind(&SSLClientSocketOpenSSL::OnPrivateKeySignComplete,
                  weak_factory_.GetWeakPtr()));
@@ -2119,7 +2085,7 @@ ssl_private_key_result_t SSLClientSocketOpenSSL::PrivateKeySignCompleteCallback(
     size_t* out_len,
     size_t max_out) {
   DCHECK_NE(kNoPendingResult, signature_result_);
-  DCHECK(private_key_);
+  DCHECK(ssl_config_.client_private_key);
 
   if (signature_result_ == ERR_IO_PENDING)
     return ssl_private_key_retry;
@@ -2142,7 +2108,7 @@ void SSLClientSocketOpenSSL::OnPrivateKeySignComplete(
     const std::vector<uint8_t>& signature) {
   DCHECK_EQ(ERR_IO_PENDING, signature_result_);
   DCHECK(signature_.empty());
-  DCHECK(private_key_);
+  DCHECK(ssl_config_.client_private_key);
 
   net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_PRIVATE_KEY_OPERATION,
                                     error);