Support for client certs in ssl_server_socket.

net/ssl/ssl_server_config.h

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_SSL_SSL_SERVER_CONFIG_H_
 #define NET_SSL_SSL_SERVER_CONFIG_H_
 
 #include <stdint.h>
 #include <vector>
 
 #include "base/basictypes.h"
 #include "net/base/net_export.h"
 #include "net/ssl/ssl_config.h"
 
 namespace net {
 
+class ClientCertVerifier;
+
 // A collection of server-side SSL-related configuration settings.
 struct NET_EXPORT SSLServerConfig {
   // Defaults
   SSLServerConfig();
   ~SSLServerConfig();
 
   // The minimum and maximum protocol versions that are enabled.
   // (Use the SSL_PROTOCOL_VERSION_xxx enumerators defined in ssl_config.h)
   // SSL 2.0 and SSL 3.0 are not supported. If version_max < version_min, it
   // means no protocol versions are enabled.
@@ skipping 22 matching lines @@
   // Ex: To disable TLS_RSA_WITH_RC4_128_MD5, specify 0x0004, while to
   // disable TLS_ECDH_ECDSA_WITH_RC4_128_SHA, specify 0xC002.
   std::vector<uint16_t> disabled_cipher_suites;
 
   // If true, causes only ECDHE cipher suites to be enabled.
   bool require_ecdhe;
 
   // Requires a client certificate for client authentication from the client.
   // This doesn't currently enforce certificate validity.
   bool require_client_cert;
+
+  // A list of certificates whose names are to be included in the
+  // CertificateRequest handshake message, if client certificates are
+  // required.
+  CertificateList client_cert_ca_list;

[Ryan Sleevi, 2015/12/17 03:47:36]

DESIGN: Why does this take certificates, rather than distinguished names, which
would then match both TLS (in implementation) and SSLCertRequestInfo

[ryanchung, 2015/12/18 00:00:56]

A STACK_OF(X509_NAME) needs to be set into ssl_ using SSL_set_client_CA_list().
Storing a list of names in string form will require converting back to
X509_NAME.
This list is provided by the server code outside of //net.

Any suggestions for a clean way to store the list of DN here?

[Ryan Sleevi, 2015/12/18 00:07:09]

The client cert code stores it in the DER-encoded form. You can convert to/from
the X509_NAME form using i2d_/d2i_X509_NAME.

[ryanchung, 2016/01/14 00:16:40]

Done. To populate this list in the unittests, OpenSSL will be used directly to
extract the DER-encoded DN out of the certificate because currently there's no
easy way to extract that using chromium's API.

+
+  // Provides the CertificateVerifier that is to be used to verify
+  // client certificates during the handshake.
+  // The |client_cert_verifier| continues to be owned by the caller,
+  // and must outlive any sockets using this SSLServerConfig.
+  // This field is meaningful only if client certificates are required.
+  // If a verifier is not provided then all certificates are accepted.
+  ClientCertVerifier* client_cert_verifier;
 };
 
 }  // namespace net
 
 #endif  // NET_SSL_SSL_SERVER_CONFIG_H_