
Unified Diff: net/socket/ssl_server_socket.h

Issue 1474983003: Support for client certs in ssl_server_socket. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 5 years, 1 month ago
Index: net/socket/ssl_server_socket.h
diff --git a/net/socket/ssl_server_socket.h b/net/socket/ssl_server_socket.h
index ceb9c0a27a898f85e8d812611fc2c9da3cb58c96..ee4cef86211e7ac5183656a483ddb2294de29225 100644
--- a/net/socket/ssl_server_socket.h
+++ b/net/socket/ssl_server_socket.h
@@ -5,12 +5,15 @@
#ifndef NET_SOCKET_SSL_SERVER_SOCKET_H_
#define NET_SOCKET_SSL_SERVER_SOCKET_H_
+#include <vector>
+
#include "base/basictypes.h"
#include "base/memory/scoped_ptr.h"
#include "net/base/completion_callback.h"
#include "net/base/net_export.h"
#include "net/socket/ssl_socket.h"
#include "net/socket/stream_socket.h"
+#include "net/ssl/ssl_client_cert_type.h"
namespace crypto {
class RSAPrivateKey;
@@ -18,9 +21,38 @@ class RSAPrivateKey;
namespace net {
+class ClientCertVerifier;
struct SSLServerConfig;
class X509Certificate;
+// This struct groups together several fields which are used by various
+// classes related to SSLServerSocket.
+struct SSLServerSocketContext {
davidben 2015/12/01 22:35:17 SSLClientSocketContext was kind of absurd to begin
ryanchung 2015/12/02 23:57:03 I think putting it with SSLServerConfig seem to ma
+ SSLServerSocketContext() : client_cert_verifier(NULL) {}
+
+ // Indicates that a client certificate is required, and provides the
+ // CertificateVerifier that is to be used to verify it during the handshake.
+ // The |client_cert_verifier| continues to be owned by the caller,
+ // and must exist at least until the handshake has completed.
+ // This function is meaningful only if client certificates are required.
+ // NOTES:
+ // 1. If no CertificateVerifier is provided, then a client certificate may
+ // still be allowed (if ssl_server_config.send_client_cert is true),
+ // but in that case verification must be done after the handshake
+ // has completed, by which time the session will have been cached,
+ // and may be subject to resumption.
+ // 2. The |client_cert_verifier| must provide its response synchronously, and
+ // blocks the IO thread while it runs. This results from a limitation of NSS.
+ // If ERR_IO_PENDING is returned, this is considered a verification failure.
davidben 2015/12/01 22:35:17 This isn't even implemented in NSS, no?
ryanchung 2015/12/02 23:57:03 Sorry, that was outdated. I believe OpenSSL also r
+ // 3. For verifying a client certificate, the CertVerifier::Verify method
+ // will be called with input parameters as follows:
+ // - cert: the cert to be verified
+ // - hostname: empty string
+ // - flags: 0
+ // - crl_set: NULL
davidben 2015/12/01 22:35:17 ?
ryanchung 2015/12/02 23:57:03 Sorry, that was outdated. Fixed.
+ ClientCertVerifier* client_cert_verifier;
+};
+
class SSLServerSocket : public SSLSocket {
public:
~SSLServerSocket() override {}
@@ -48,8 +80,8 @@ NET_EXPORT void EnableSSLServerSockets();
// The returned SSLServerSocket takes ownership of |socket|. Stubbed versions
// of CreateSSLServerSocket will delete |socket| and return NULL.
// It takes a reference to |certificate|.
-// The |key| and |ssl_config| parameters are copied. |key| cannot be const
-// because the methods used to copy its contents are non-const.
+// The |key| and |ssl_server_config| parameters are copied. |key| cannot be
+// const because the methods used to copy its contents are non-const.
//
// The caller starts the SSL server handshake by calling Handshake on the
// returned socket.
@@ -57,7 +89,16 @@ NET_EXPORT scoped_ptr<SSLServerSocket> CreateSSLServerSocket(
scoped_ptr<StreamSocket> socket,
X509Certificate* certificate,
crypto::RSAPrivateKey* key,
- const SSLServerConfig& ssl_config);
+ const SSLServerConfig& ssl_server_config);
+
+// Creates an SSL server socket over an already-connected transport socket.
+// Overloads the original to add an optional context
+NET_EXPORT scoped_ptr<SSLServerSocket> CreateSSLServerSocket(
+ scoped_ptr<StreamSocket> socket,
+ X509Certificate* certificate,
+ crypto::RSAPrivateKey* key,
+ const SSLServerConfig& ssl_server_config,
+ const SSLServerSocketContext& context);
} // namespace net
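Review bot: The new CreateSSLServerSocket overload (the last hunk, whose first declaration line sits in the hunk header, so the overloaded declaration starts outside the hunk) documents neither how |context| is passed nor the lifetime of the verifier it points to, while the comment on the original overload spells this out for |key| and |ssl_server_config|. Since SSLServerSocketContext::client_cert_verifier is a raw non-owning pointer whose struct comment requires it to outlive the handshake, a caller reading only this declaration can hand in a temporary and leave the handshake verifying through a dangling pointer; I would extend the comment to something like `// |context| is copied (please confirm); its |client_cert_verifier| is not owned and must remain valid until the handshake has completed.` In the same spirit, the struct constructor in the second hunk initializes the pointer with `NULL`; `SSLServerSocketContext() : client_cert_verifier(nullptr) {}` matches current style. The newly added `<vector>` and `net/ssl/ssl_client_cert_type.h` includes are not used by anything visible in these hunks; if nothing else in the header needs them they can be dropped.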
