Support for client certs in ssl_server_socket.

net/ssl/ssl_server_config.h

Index: net/ssl/ssl_server_config.h
diff --git a/net/ssl/ssl_server_config.h b/net/ssl/ssl_server_config.h
index 6e712fb88c2719e12f0cb5eef8a9b9f0cc1058a2..dd5e1abc2b7453be64e9e42eacac7aa540887833 100644
--- a/net/ssl/ssl_server_config.h
+++ b/net/ssl/ssl_server_config.h
@@ -14,6 +14,8 @@
 
 namespace net {
 
+class ClientCertVerifier;
+
 // A collection of server-side SSL-related configuration settings.
 struct NET_EXPORT SSLServerConfig {
   // Defaults
@@ -56,6 +58,29 @@ struct NET_EXPORT SSLServerConfig {
   // Requires a client certificate for client authentication from the client.
   // This doesn't currently enforce certificate validity.
   bool require_client_cert;
+
+  // Provides the list of certificates whose names are to be included in the
+  // CertificateRequest handshake message. This member is only useful if
+  // certificates are allowed.

[davidben, 2015/12/14 23:56:51]

Nit: Slightly shorter:

  // A list of certificates whose names are to be included in the
  // CertificateRequest handshake message, if client certificates are
  // required.

[ryanchung, 2015/12/16 22:40:03]

Done.

+  CertificateList client_cert_ca_list;
+
+  // Indicates that a client certificate is required, and provides the

[davidben, 2015/12/14 23:56:51]

This isn't actually true, no? require_client_cert is that. (Could we perhaps
merge the two and have EmbeddedTestServer pass in a dummy CertificateVerifier
that just accepts everything?)

[ryanchung, 2015/12/16 22:40:03]

You're right. The CertVerifyCallback in SSLServerSocketOpenSSL now accepts
everything if a verifier is not provided.

+  // CertificateVerifier that is to be used to verify it during the handshake.
+  // The |client_cert_verifier| continues to be owned by the caller,
+  // and must exist at least until the handshake has completed.

[davidben, 2015/12/14 23:56:51]

and must exist [...] -> and must outlive any sockets using this SSLServerConfig.

Since the socket makes a copy of the SSLServerConfig, even if it doesn't touch
the field before the handshake is done, I think we're much better off with the
simpler API contract.

For instance, if we supported client-initiated renego (we don't, and aren't
going to), this API contract could be wrong.

[ryanchung, 2015/12/16 22:40:03]

Done.

+  // This field is meaningful only if client certificates are required.
+  // NOTES:
+  // 1. If no CertificateVerifier is provided, then a client certificate may
+  // still be allowed (if ssl_server_config.send_client_cert is true),

[davidben, 2015/12/14 23:56:51]

What's send_client_cert?

[ryanchung, 2015/12/16 22:40:02]

Sorry, this is now called require_client_cert.

+  // but in that case verification must be done after the handshake
+  // has completed, by which time the session will have been cached,
+  // and may be subject to resumption.

[davidben, 2015/12/14 23:56:51]

This API doesn't do session caching right now.

[ryanchung, 2015/12/16 22:40:03]

Done.

+  // 2. OpenSSL expects the certificate verification callback to complete
+  // synchronously.

[davidben, 2015/12/14 23:56:51]

This note seems unnecessary. If you want to make it asynchronous, file a bug and
attach a TODO comment somewhere.

[ryanchung, 2015/12/16 22:40:03]

Done. Removed note.

+  // 3. For verifying a client certificate, the CertVerifier::Verify method
+  // will be called with input parameters as follows:
+  //    - cert: the cert to be verified

[davidben, 2015/12/14 23:56:51]

This seems unnecessary.

[ryanchung, 2015/12/16 22:40:03]

Done.

+  ClientCertVerifier* client_cert_verifier;
 };
 
 }  // namespace net