Generates the DTLS identity in browser process and returns it to render process.

content/browser/media/dtls_identity_store.h

Index: content/browser/media/dtls_identity_store.h
diff --git a/content/browser/media/dtls_identity_store.h b/content/browser/media/dtls_identity_store.h
new file mode 100644
index 0000000000000000000000000000000000000000..9e1483c010b947aeb31893923c02c3ae8e8eab1b
--- /dev/null
+++ b/content/browser/media/dtls_identity_store.h
@@ -0,0 +1,68 @@
+// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CONTENT_BROWSER_MEDIA_DTLS_IDENTITY_STORE_H_
+#define CONTENT_BROWSER_MEDIA_DTLS_IDENTITY_STORE_H_
+
+#include "base/callback.h"
+
+class GURL;
+
+namespace base {
+class TaskRunner;
+}  // namespace base
+
+namespace content {
+
+class DTLSIdentityRequest;
+class DTLSIdentityRequestHandle;
+
+// A class for creating and fetching DTLS identities, i.e. the private key and
+// the self-signed certificate.
+class DTLSIdentityStore {
+ public:
+  typedef base::Callback<void(int error,
+                              const std::string& certificate,
+                              const std::string& private_key)>
+      CompletionCallback;
+
+  DTLSIdentityStore();
+  virtual ~DTLSIdentityStore();
+
+  // Retrieve the DTLS identity for the given origin, or generate a new one
+  // if not existent. Asynchronous.
+  // |origin| is the origin of the PeerConnection requesting the identity;

[Ryan Sleevi, 2013/06/17 23:08:34]

comment: Your design indicates you're coupling this to "DTLS", except this
comment here indicates it's specific to PeerConnection.

Perhaps these classes should be named "WebRTCIdentityStore" ? That is, the DTLS
seems to be a lower-level detail of the WebRTC implementation, and you're really
trying to implement something for WebRTC/PeerConnection.

[jiayl, 2013/06/18 01:07:55]

This class does not really rely on any WebRTC feature. I changed the description
of origin to "origin of the DTLS connection" instead.

On 2013/06/17 23:08:34, Ryan Sleevi wrote:

+  // |identity_name| is used to identify an identity within an origin;
+  // |common_name| is the common name used to generate the certificate;

[Ryan Sleevi, 2013/06/17 23:08:34]

comment nit: Please provide clearer indication about these parameters. Namely
that |identity_name| remains private to the client, whereas |common_name| will
be shared with the peer.

You should also expand upon the comment to indicate whether or not multiple
certificates can share the same common_name but differing identity names
(presumably, yes), and whether the same identity name can share multiple common
names (presumably, no).

[jiayl, 2013/06/18 01:07:55]

I improved the comments.
On 2013/06/17 23:08:34, Ryan Sleevi wrote:

+  // |callback| is the callback to return the result.
+  // |canceller| will be set to the Closure used to cancel the request if the

[Ryan Sleevi, 2013/06/17 23:08:34]

naming nit: canceller -> cancel_callback

canceller is an awkward name.

[jiayl, 2013/06/18 01:07:55]

Done.

+  // request is accepted. The Closure can only be called before the request
+  // completes.
+  //
+  // Returns true if the request is accepted.
+  bool RequestIdentity(
+      const GURL& origin,
+      const std::string& identity_name,
+      const std::string& common_name,
+      const CompletionCallback& callback,
+      base::Closure* canceller);
+
+ protected:
+  explicit DTLSIdentityStore(
+      const scoped_refptr<base::TaskRunner>& task_runner);
+
+ private:
+  friend DTLSIdentityRequestHandle;
+
+  void CancelRequestInternal(DTLSIdentityRequest* request);
+
+  // The TaskRunner for doing work on a worker thread.
+  scoped_refptr<base::TaskRunner> task_runner_;
+
+  DISALLOW_COPY_AND_ASSIGN(DTLSIdentityStore);
+};
+
+}  // namespace content
+
+#endif  // CONTENT_BROWSER_MEDIA_DTLS_IDENTITY_STORE_H_