OpenSSL/NSS implementation of ProofVerfifier.

net/quic/crypto/proof_verifier.h

Index: net/quic/crypto/proof_verifier.h
diff --git a/net/quic/crypto/proof_verifier.h b/net/quic/crypto/proof_verifier.h
index 29ed7ea3fc3c339f79b0c196d80450224eb27227..62c6f1a2f64f3534972d35965d15322860b3bfaa 100644
--- a/net/quic/crypto/proof_verifier.h
+++ b/net/quic/crypto/proof_verifier.h
@@ -8,6 +8,7 @@
 #include <string>
 #include <vector>
 
+#include "net/base/completion_callback.h"
 #include "net/base/net_export.h"
 
 namespace net {
@@ -20,20 +21,24 @@ class NET_EXPORT_PRIVATE ProofVerifier {
 
   // VerifyProof checks that |signature| is a valid signature of
   // |server_config| by the public key in the leaf certificate of |certs|, and
-  // that |certs| is a valid chain for |hostname|. On success, it returns true.
-  // On failure, it returns false and sets |*error_details| to a description of
-  // the problem.
+  // that |certs| is a valid chain for |hostname|. On success, it returns OK.
+  // On failure, it returns ERR_FAILED. This function may also return
+  // ERR_IO_PENDING, in which case the |callback| will be run with the final
+  // OK/ERR_FAILED result when the proof is verified.
   //
   // The signature uses SHA-256 as the hash function and PSS padding in the
   // case of RSA.
   //
   // Note: this is just for testing. The CN of the certificate is ignored and
   // wildcards in the SANs are not supported.
-  virtual bool VerifyProof(const std::string& hostname,
-                           const std::string& server_config,
-                           const std::vector<std::string>& certs,
-                           const std::string& signature,
-                           std::string* error_details) const = 0;
+  virtual int VerifyProof(const std::string& hostname,
+                          const std::string& server_config,
+                          const std::vector<std::string>& certs,
+                          const std::string& signature,
+                          const CompletionCallback& callback) = 0;
+
+  // If VerifyProof has failed, it returns the description of the problem.
+  virtual std::string error_details() = 0;

[agl, 2013/07/01 16:23:18]

This can't work, right? It's a method of the ProofVerifier, but it's a function
of the specific VerifyProof call. How would it find the right error message?

[wtc, 2013/07/02 00:56:38]

|error_details| should still be an output argument of VerifyProof().
VerifyProof() can return an output (in addition to the 'int' result)
asynchronously. The caller needs to make sure the memory pointed to
by |error_details| remains valid until VerifyProof() completes or is
aborted.

This reminds me that the ProofVerifier destructor needs to abort a
pending VerifyProof() operation.

[ramant (doing other things), 2013/07/02 14:19:50]

For |error_details| to be valid until ProofVerifier, stored errors in
|error_details| on ProofVerifier for both synchronous and asynchronous calls.
The other choice is to store the error details in |session|. Hope this is ok.

We call ~SingleRequestCertVerifier and it does a CancelRequest.
Done.

[Ryan Hamilton, 2013/07/02 16:24:50]

Or, alternatively, instead of taking a completion callback it could take a
ProofVerifierDelegate* where ProofVerifierDelegate could be defined to have:

  void OnProffVerificationComplete(int rv, const std::string& error_details) =
0;

That also has the virutal of being google3 compatible.

 };
 
 }  // namespace net