OpenSSL/NSS implementation of ProofVerfifier.

net/quic/crypto/proof_verifier_chromium.h

+// Copyright 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_QUIC_CRYPTO_PROOF_VERIFIER_CHROMIUM_H_
+#define NET_QUIC_CRYPTO_PROOF_VERIFIER_CHROMIUM_H_
+
+#include <string>
+#include <vector>
+
+#include "base/basictypes.h"
+#include "base/compiler_specific.h"
+#include "base/memory/scoped_ptr.h"
+#include "net/base/completion_callback.h"
+#include "net/base/net_export.h"
+#include "net/base/net_log.h"
+#include "net/cert/cert_verify_result.h"
+#include "net/cert/x509_certificate.h"
+#include "net/quic/crypto/proof_verifier.h"
+
+namespace net {
+
+class BoundNetLog;
+class CertVerifier;
+class CertVerifyResult;
+class SingleRequestCertVerifier;
+class X509Certificate;
+
+// ProofVerifierChromium implements the QUIC ProofVerifier interface.
+class NET_EXPORT_PRIVATE ProofVerifierChromium : public ProofVerifier {
+ public:
+  explicit ProofVerifierChromium(CertVerifier* cert_verifier);
+  virtual ~ProofVerifierChromium();
+
+  // ProofVerifier interface
+  virtual int VerifyProof(const std::string& hostname,
+                          const std::string& server_config,
+                          const std::vector<std::string>& certs,
+                          const std::string& signature,
+                          const CompletionCallback& callback) OVERRIDE;
+  virtual std::string error_details() OVERRIDE;
+
+ private:
+  enum State {
+    STATE_NONE,
+    STATE_VERIFY_CERT,
+    STATE_VERIFY_CERT_COMPLETE,
+  };
+
+  int VerifyChain();
+
+  int DoLoop(int last_io_result);
+  void OnIOComplete(int result);
+  int DoVerifyCert(int result);
+  int DoVerifyCertComplete(int result);
+
+  bool VerifySignature(const std::string& signed_data,
+                       const std::string& signature,
+                       const std::string& cert);
+
+  // |cert_verifier_| and |verifier_| are used for verifying certificates.
+  CertVerifier* const cert_verifier_;
+  scoped_ptr<SingleRequestCertVerifier> verifier_;
+
+  // |hostname| specifies the hostname for which |certs| is a valid chain.
+  std::string hostname_;
+
+  CompletionCallback callback_;
+
+  // The result of certificate verification.
+  CertVerifyResult cert_verify_result_;

[agl, 2013/07/01 16:23:18]

These members suggest that you're going to have to create a new ProofVerifier
for every connection, is that the plan? I think that needs more changes than you
have made because the ProofVerifier is still attached to the
QuicCryptoClientConfig and many connections share the same
QuicCryptoClientConfig.

Rather, I think you need one ProofVerifier per process (i.e. it's a global), and
this state needs to be wrapped up in an internal object that's created for each
call to VerifyProof.

[ramant (doing other things), 2013/07/02 14:19:50]

We thought we would have one ProofVerifier per Session. Added a TODO to support
multiple requests for one ProofVerifier per process. Added a DCHECK that we
don't have multiple requests for one ProofVerifier.

+  std::string error_details_;
+
+  // X509Certificate from a chain of DER encoded certificates.
+  scoped_refptr<X509Certificate> cert_;
+
+  State next_state_;
+
+  BoundNetLog net_log_;

[wtc, 2013/07/02 00:56:38]

The net_log_ member probably should be initialized by an argument to the
constructor.

Take SSLClientSocketNSS for an example. Its net_log_ member is initialized by
the
NetLog of the transport_socket input to the constructor.

[ramant (doing other things), 2013/07/02 14:19:50]

Done.

+
+  DISALLOW_COPY_AND_ASSIGN(ProofVerifierChromium);
+};
+
+}  // namespace net
+
+#endif  // NET_QUIC_CRYPTO_PROOF_VERIFIER_CHROMIUM_H_