Support for client certs in ssl_server_socket.

net/socket/ssl_server_socket.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_SOCKET_SSL_SERVER_SOCKET_H_
 #define NET_SOCKET_SSL_SERVER_SOCKET_H_
 
+#include <vector>
+
 #include "base/basictypes.h"
 #include "base/memory/scoped_ptr.h"
 #include "net/base/completion_callback.h"
 #include "net/base/net_export.h"
 #include "net/socket/ssl_socket.h"
 #include "net/socket/stream_socket.h"
+#include "net/ssl/ssl_client_cert_type.h"
 
 namespace crypto {
 class RSAPrivateKey;
 }  // namespace crypto
 
 namespace net {
 
+class ClientCertVerifier;
 struct SSLServerConfig;
 class X509Certificate;
 
+// This struct groups together several fields which are used by various
+// classes related to SSLServerSocket.
+struct SSLServerSocketContext {

[davidben, 2015/12/01 22:35:17]

SSLClientSocketContext was kind of absurd to begin with and causes problems. We
need to fix that one. Don't use it as something to pattern against. If you're
going to go add an SSLServerSocketContext now, let's try to get a more sensible
API. (Otherwise, we pass ClientCertVerifier into CreateSSLServerSocket and
resolve the SSLServerSocketContext mess later as a blocker for adding a session
cache.)

I was thinking that SSLServerSocketContext is a type you scoped_ptr and it takes
SSLServerConfig, ClientCertVerifier, certificate, key, etc. (Or maybe we just
put all of them into SSLServerConfig, I dunno.)

Then rather than have this global EnableSSLServerSockets and global
CreateSSLServerSocket, SSLServerSocketContext has a CreateServerSocket method
that takes just the StreamSocket.

*Then* we won't have any problems adding a session cache or whatever else
because SSLServerSocketContextOpenSSL will just have its own SSL_CTX with its
own session cache.

[ryanchung, 2015/12/02 23:57:03]

I think putting it with SSLServerConfig seem to make sense... at least for now.

+  SSLServerSocketContext() : client_cert_verifier(NULL) {}
+
+  // Indicates that a client certificate is required, and provides the
+  // CertificateVerifier that is to be used to verify it during the handshake.
+  // The |client_cert_verifier| continues to be owned by the caller,
+  // and must exist at least until the handshake has completed.
+  // This function is meaningful only if client certificates are required.
+  // NOTES:
+  // 1. If no CertificateVerifier is provided, then a client certificate may
+  // still be allowed (if ssl_server_config.send_client_cert is true),
+  // but in that case verification must be done after the handshake
+  // has completed, by which time the session will have been cached,
+  // and may be subject to resumption.
+  // 2. The |client_cert_verifier| must provide its response synchronously, and
+  // blocks the IO thread while it runs. This results from a limitation of NSS.
+  // If ERR_IO_PENDING is returned, this is considered a verification failure.

[davidben, 2015/12/01 22:35:17]

This isn't even implemented in NSS, no?

[ryanchung, 2015/12/02 23:57:03]

Sorry, that was outdated. I believe OpenSSL also requires the certification
verification to be completed synchronously. Bug: 347402
Updated comment.

+  // 3. For verifying a client certificate, the CertVerifier::Verify method
+  // will be called with input parameters as follows:
+  //    - cert: the cert to be verified
+  //    - hostname: empty string
+  //    - flags: 0
+  //    - crl_set: NULL

[davidben, 2015/12/01 22:35:17]

?

[ryanchung, 2015/12/02 23:57:03]

Sorry, that was outdated. Fixed.

+  ClientCertVerifier* client_cert_verifier;
+};
+
 class SSLServerSocket : public SSLSocket {
  public:
   ~SSLServerSocket() override {}
 
   // Perform the SSL server handshake, and notify the supplied callback
   // if the process completes asynchronously.  If Disconnect is called before
   // completion then the callback will be silently, as for other StreamSocket
   // calls.
   virtual int Handshake(const CompletionCallback& callback) = 0;
 };
 
 // Configures the underlying SSL library for the use of SSL server sockets.
 //
 // Due to the requirements of the underlying libraries, this should be called
 // early in process initialization, before any SSL socket, client or server,
 // has been used.
 //
 // Note: If a process does not use SSL server sockets, this call may be
 // omitted.
 NET_EXPORT void EnableSSLServerSockets();
 
 // Creates an SSL server socket over an already-connected transport socket.
 // The caller must provide the server certificate and private key to use.
 //
 // The returned SSLServerSocket takes ownership of |socket|.  Stubbed versions
 // of CreateSSLServerSocket will delete |socket| and return NULL.
 // It takes a reference to |certificate|.
-// The |key| and |ssl_config| parameters are copied.  |key| cannot be const
-// because the methods used to copy its contents are non-const.
+// The |key| and |ssl_server_config| parameters are copied.  |key| cannot be
+// const because the methods used to copy its contents are non-const.
 //
 // The caller starts the SSL server handshake by calling Handshake on the
 // returned socket.
 NET_EXPORT scoped_ptr<SSLServerSocket> CreateSSLServerSocket(
     scoped_ptr<StreamSocket> socket,
     X509Certificate* certificate,
     crypto::RSAPrivateKey* key,
-    const SSLServerConfig& ssl_config);
+    const SSLServerConfig& ssl_server_config);
+
+// Creates an SSL server socket over an already-connected transport socket.
+// Overloads the original to add an optional context
+NET_EXPORT scoped_ptr<SSLServerSocket> CreateSSLServerSocket(
+    scoped_ptr<StreamSocket> socket,
+    X509Certificate* certificate,
+    crypto::RSAPrivateKey* key,
+    const SSLServerConfig& ssl_server_config,
+    const SSLServerSocketContext& context);
 
 }  // namespace net
 
 #endif  // NET_SOCKET_SSL_SERVER_SOCKET_H_