Refactoring output of ProofSource::GetProof (no functional changes).

net/quic/core/crypto/quic_crypto_server_config.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/quic/core/crypto/quic_crypto_server_config.h"
 
 #include <stdlib.h>
 
 #include <algorithm>
 #include <memory>
@@ skipping 482 matching lines @@
     scids->push_back(it->first);
   }
 }
 
 void QuicCryptoServerConfig::ValidateClientHello(
     const CryptoHandshakeMessage& client_hello,
     const IPAddress& client_ip,
     const IPAddress& server_ip,
     QuicVersion version,
     const QuicClock* clock,
-    scoped_refptr<QuicCryptoProof> crypto_proof,
+    scoped_refptr<QuicSignedServerConfig> signed_config,
     std::unique_ptr<ValidateClientHelloResultCallback> done_cb) const {
   const QuicWallTime now(clock->WallNow());
 
   scoped_refptr<ValidateClientHelloResultCallback::Result> result(
       new ValidateClientHelloResultCallback::Result(client_hello, client_ip,
                                                     now));
 
   StringPiece requested_scid;
   client_hello.GetStringPiece(kSCID, &requested_scid);
 
   scoped_refptr<Config> requested_config;
   scoped_refptr<Config> primary_config;
   {
     base::AutoLock locked(configs_lock_);
 
     if (!primary_config_.get()) {
       result->error_code = QUIC_CRYPTO_INTERNAL_ERROR;
       result->error_details = "No configurations loaded";
     } else {
       if (!next_config_promotion_time_.IsZero() &&
           next_config_promotion_time_.IsAfter(now)) {
         SelectNewPrimaryConfig(now);
         DCHECK(primary_config_.get());
         DCHECK_EQ(configs_.find(primary_config_->id)->second, primary_config_);
       }
     }
 
     requested_config = GetConfigWithScid(requested_scid);
     primary_config = primary_config_;
-    crypto_proof->config = primary_config_;
+    signed_config->config = primary_config_;
   }
 
   if (result->error_code == QUIC_NO_ERROR) {
     // QUIC requires a new proof for each CHLO so clear any existing proof.
-    crypto_proof->chain = nullptr;
-    crypto_proof->signature = "";
-    crypto_proof->cert_sct = "";
+    signed_config->chain = nullptr;
+    signed_config->signature = "";
+    signed_config->cert_sct = "";
     EvaluateClientHello(server_ip, version, requested_config, primary_config,
-                        crypto_proof, result, std::move(done_cb));
+                        signed_config, result, std::move(done_cb));
   } else {
     done_cb->Run(result, /* details = */ nullptr);
   }
 }
 
 class ProcessClientHelloHelper {
  public:
   explicit ProcessClientHelloHelper(
       std::unique_ptr<ProcessClientHelloResultCallback>* done_cb)
       : done_cb_(done_cb) {}
@@ skipping 37 matching lines @@
       QuicConnectionId connection_id,
       const IPEndPoint& client_address,
       QuicVersion version,
       const QuicVersionVector& supported_versions,
       bool use_stateless_rejects,
       QuicConnectionId server_designated_connection_id,
       const QuicClock* clock,
       QuicRandom* rand,
       QuicCompressedCertsCache* compressed_certs_cache,
       scoped_refptr<QuicCryptoNegotiatedParameters> params,
-      scoped_refptr<QuicCryptoProof> crypto_proof,
+      scoped_refptr<QuicSignedServerConfig> signed_config,
       QuicByteCount total_framing_overhead,
       QuicByteCount chlo_packet_size,
       const scoped_refptr<QuicCryptoServerConfig::Config>& requested_config,
       const scoped_refptr<QuicCryptoServerConfig::Config>& primary_config,
       std::unique_ptr<ProcessClientHelloResultCallback> done_cb)
       : config_(config),
         validate_chlo_result_(std::move(validate_chlo_result)),
         reject_only_(reject_only),
         connection_id_(connection_id),
         client_address_(client_address),
         version_(version),
         supported_versions_(supported_versions),
         use_stateless_rejects_(use_stateless_rejects),
         server_designated_connection_id_(server_designated_connection_id),
         clock_(clock),
         rand_(rand),
         compressed_certs_cache_(compressed_certs_cache),
         params_(params),
-        crypto_proof_(crypto_proof),
+        signed_config_(signed_config),
         total_framing_overhead_(total_framing_overhead),
         chlo_packet_size_(chlo_packet_size),
         requested_config_(requested_config),
         primary_config_(primary_config),
         done_cb_(std::move(done_cb)) {}
 
   void Run(bool ok,
            const scoped_refptr<ProofSource::Chain>& chain,
-           const string& signature,
-           const string& leaf_cert_sct,
+           const QuicCryptoProof& proof,
            std::unique_ptr<ProofSource::Details> details) override {
     if (ok) {
-      crypto_proof_->chain = chain;
-      crypto_proof_->signature = signature;
-      crypto_proof_->cert_sct = leaf_cert_sct;
+      signed_config_->chain = chain;
+      signed_config_->signature = proof.signature;
+      signed_config_->cert_sct = proof.leaf_cert_scts;
     }
     config_->ProcessClientHelloAfterGetProof(
         !ok, std::move(details), *validate_chlo_result_, reject_only_,
         connection_id_, client_address_, version_, supported_versions_,
         use_stateless_rejects_, server_designated_connection_id_, clock_, rand_,
-        compressed_certs_cache_, params_, crypto_proof_,
+        compressed_certs_cache_, params_, signed_config_,
         total_framing_overhead_, chlo_packet_size_, requested_config_,
         primary_config_, std::move(done_cb_));
   }
 
  private:
   const QuicCryptoServerConfig* config_;
   const scoped_refptr<ValidateClientHelloResultCallback::Result>
       validate_chlo_result_;
   const bool reject_only_;
   const QuicConnectionId connection_id_;
   const IPEndPoint client_address_;
   const QuicVersion version_;
   const QuicVersionVector supported_versions_;
   const bool use_stateless_rejects_;
   const QuicConnectionId server_designated_connection_id_;
   const QuicClock* const clock_;
   QuicRandom* const rand_;
   QuicCompressedCertsCache* compressed_certs_cache_;
   scoped_refptr<QuicCryptoNegotiatedParameters> params_;
-  scoped_refptr<QuicCryptoProof> crypto_proof_;
+  scoped_refptr<QuicSignedServerConfig> signed_config_;
   const QuicByteCount total_framing_overhead_;
   const QuicByteCount chlo_packet_size_;
   const scoped_refptr<QuicCryptoServerConfig::Config> requested_config_;
   const scoped_refptr<QuicCryptoServerConfig::Config> primary_config_;
   std::unique_ptr<ProcessClientHelloResultCallback> done_cb_;
 };
 
 void QuicCryptoServerConfig::ProcessClientHello(
     scoped_refptr<ValidateClientHelloResultCallback::Result>
         validate_chlo_result,
     bool reject_only,
     QuicConnectionId connection_id,
     const IPAddress& server_ip,
     const IPEndPoint& client_address,
     QuicVersion version,
     const QuicVersionVector& supported_versions,
     bool use_stateless_rejects,
     QuicConnectionId server_designated_connection_id,
     const QuicClock* clock,
     QuicRandom* rand,
     QuicCompressedCertsCache* compressed_certs_cache,
     scoped_refptr<QuicCryptoNegotiatedParameters> params,
-    scoped_refptr<QuicCryptoProof> crypto_proof,
+    scoped_refptr<QuicSignedServerConfig> signed_config,
     QuicByteCount total_framing_overhead,
     QuicByteCount chlo_packet_size,
     std::unique_ptr<ProcessClientHelloResultCallback> done_cb) const {
   DCHECK(done_cb);
 
   ProcessClientHelloHelper helper(&done_cb);
 
   const CryptoHandshakeMessage& client_hello =
       validate_chlo_result->client_hello;
   const ClientHelloInfo& info = validate_chlo_result->info;
@@ skipping 21 matching lines @@
     } else {
       if (!next_config_promotion_time_.IsZero() &&
           next_config_promotion_time_.IsAfter(now)) {
         SelectNewPrimaryConfig(now);
         DCHECK(primary_config_.get());
         DCHECK_EQ(configs_.find(primary_config_->id)->second, primary_config_);
       }
 
       // Use the config that the client requested in order to do key-agreement.
       // Otherwise give it a copy of |primary_config_| to use.
-      primary_config = crypto_proof->config;
+      primary_config = signed_config->config;
       requested_config = GetConfigWithScid(requested_scid);
     }
   }
   if (no_primary_config) {
     helper.Fail(QUIC_CRYPTO_INTERNAL_ERROR, "No configurations loaded");
     return;
   }
 
   if (validate_chlo_result->error_code != QUIC_NO_ERROR) {
     helper.Fail(validate_chlo_result->error_code,
                 validate_chlo_result->error_details);
     return;
   }
 
   if (!ClientDemandsX509Proof(client_hello)) {
     helper.Fail(QUIC_UNSUPPORTED_PROOF_DEMAND, "Missing or invalid PDMD");
     return;
   }
   DCHECK(proof_source_.get());
   string chlo_hash;
   CryptoUtils::HashHandshakeMessage(client_hello, &chlo_hash);
 
   // No need to get a new proof if one was already generated.
-  if (!crypto_proof->chain) {
+  if (!signed_config->chain) {
     const QuicTag* tag_ptr;
     size_t num_tags;
     QuicTagVector connection_options;
     if (client_hello.GetTaglist(kCOPT, &tag_ptr, &num_tags) == QUIC_NO_ERROR) {
       connection_options.assign(tag_ptr, tag_ptr + num_tags);
     }
     if (FLAGS_enable_async_get_proof) {
       std::unique_ptr<ProcessClientHelloCallback> cb(
           new ProcessClientHelloCallback(
               this, validate_chlo_result, reject_only, connection_id,
               client_address, version, supported_versions,
               use_stateless_rejects, server_designated_connection_id, clock,
-              rand, compressed_certs_cache, params, crypto_proof,
+              rand, compressed_certs_cache, params, signed_config,
               total_framing_overhead, chlo_packet_size, requested_config,
               primary_config, std::move(done_cb)));
       proof_source_->GetProof(server_ip, info.sni.as_string(),
                               primary_config->serialized, version, chlo_hash,
                               connection_options, std::move(cb));
       helper.DetachCallback();
       return;
     }
 
-    if (!proof_source_->GetProof(
-            server_ip, info.sni.as_string(), primary_config->serialized,
-            version, chlo_hash, connection_options, &crypto_proof->chain,
-            &crypto_proof->signature, &crypto_proof->cert_sct)) {
+    QuicCryptoProof proof;
+    if (!proof_source_->GetProof(server_ip, info.sni.as_string(),
+                                 primary_config->serialized, version, chlo_hash,
+                                 connection_options, &signed_config->chain,
+                                 &proof)) {
       helper.Fail(QUIC_HANDSHAKE_FAILED, "Missing or invalid crypto proof.");
       return;
     }
+    signed_config->signature = proof.signature;
+    signed_config->cert_sct = proof.leaf_cert_scts;
   }
 
   helper.DetachCallback();
   ProcessClientHelloAfterGetProof(
       /* found_error = */ false, /* proof_source_details = */ nullptr,
       *validate_chlo_result, reject_only, connection_id, client_address,
       version, supported_versions, use_stateless_rejects,
       server_designated_connection_id, clock, rand, compressed_certs_cache,
-      params, crypto_proof, total_framing_overhead, chlo_packet_size,
+      params, signed_config, total_framing_overhead, chlo_packet_size,
       requested_config, primary_config, std::move(done_cb));
 }
 
 void QuicCryptoServerConfig::ProcessClientHelloAfterGetProof(
     bool found_error,
     std::unique_ptr<ProofSource::Details> proof_source_details,
     const ValidateClientHelloResultCallback::Result& validate_chlo_result,
     bool reject_only,
     QuicConnectionId connection_id,
     const IPEndPoint& client_address,
     QuicVersion version,
     const QuicVersionVector& supported_versions,
     bool use_stateless_rejects,
     QuicConnectionId server_designated_connection_id,
     const QuicClock* clock,
     QuicRandom* rand,
     QuicCompressedCertsCache* compressed_certs_cache,
     scoped_refptr<QuicCryptoNegotiatedParameters> params,
-    scoped_refptr<QuicCryptoProof> crypto_proof,
+    scoped_refptr<QuicSignedServerConfig> signed_config,
     QuicByteCount total_framing_overhead,
     QuicByteCount chlo_packet_size,
     const scoped_refptr<Config>& requested_config,
     const scoped_refptr<Config>& primary_config,
     std::unique_ptr<ProcessClientHelloResultCallback> done_cb) const {
   ProcessClientHelloHelper helper(&done_cb);
 
   if (found_error) {
     helper.Fail(QUIC_HANDSHAKE_FAILED, "Failed to get proof");
     return;
   }
 
   const CryptoHandshakeMessage& client_hello =
       validate_chlo_result.client_hello;
   const ClientHelloInfo& info = validate_chlo_result.info;
   std::unique_ptr<DiversificationNonce> out_diversification_nonce(
       new DiversificationNonce);
 
   StringPiece cert_sct;
   if (client_hello.GetStringPiece(kCertificateSCTTag, &cert_sct) &&
       cert_sct.empty()) {
     params->sct_supported_by_client = true;
   }
 
   std::unique_ptr<CryptoHandshakeMessage> out(new CryptoHandshakeMessage);
   if (!info.reject_reasons.empty() || !requested_config.get()) {
     BuildRejection(version, clock->WallNow(), *primary_config, client_hello,
                    info, validate_chlo_result.cached_network_params,
                    use_stateless_rejects, server_designated_connection_id, rand,
-                   compressed_certs_cache, params, *crypto_proof,
+                   compressed_certs_cache, params, *signed_config,
                    total_framing_overhead, chlo_packet_size, out.get());
     if (FLAGS_quic_export_rej_for_all_rejects &&
         rejection_observer_ != nullptr) {
       rejection_observer_->OnRejectionBuilt(info.reject_reasons, out.get());
     }
     helper.Succeed(std::move(out), std::move(out_diversification_nonce),
                    std::move(proof_source_details));
     return;
   }
 
@@ skipping 72 matching lines @@
   string hkdf_suffix;
   const QuicData& client_hello_serialized = client_hello.GetSerialized();
   hkdf_suffix.reserve(sizeof(connection_id) + client_hello_serialized.length() +
                       requested_config->serialized.size());
   hkdf_suffix.append(reinterpret_cast<char*>(&connection_id),
                      sizeof(connection_id));
   hkdf_suffix.append(client_hello_serialized.data(),
                      client_hello_serialized.length());
   hkdf_suffix.append(requested_config->serialized);
   DCHECK(proof_source_.get());
-  if (crypto_proof->chain->certs.empty()) {
+  if (signed_config->chain->certs.empty()) {
     helper.Fail(QUIC_CRYPTO_INTERNAL_ERROR, "Failed to get certs");
     return;
   }
-  hkdf_suffix.append(crypto_proof->chain->certs.at(0));
+  hkdf_suffix.append(signed_config->chain->certs.at(0));
 
   StringPiece cetv_ciphertext;
   if (requested_config->channel_id_enabled &&
       client_hello.GetStringPiece(kCETV, &cetv_ciphertext)) {
     CryptoHandshakeMessage client_hello_copy(client_hello);
     client_hello_copy.Erase(kCETV);
     client_hello_copy.Erase(kPAD);
 
     const QuicData& client_hello_copy_serialized =
         client_hello_copy.GetSerialized();
@@ skipping 257 matching lines @@
 class QuicCryptoServerConfig::EvaluateClientHelloCallback
     : public ProofSource::Callback {
  public:
   EvaluateClientHelloCallback(
       const QuicCryptoServerConfig& config,
       bool found_error,
       const IPAddress& server_ip,
       QuicVersion version,
       scoped_refptr<QuicCryptoServerConfig::Config> requested_config,
       scoped_refptr<QuicCryptoServerConfig::Config> primary_config,
-      scoped_refptr<QuicCryptoProof> crypto_proof,
+      scoped_refptr<QuicSignedServerConfig> signed_config,
       scoped_refptr<ValidateClientHelloResultCallback::Result>
           client_hello_state,
       std::unique_ptr<ValidateClientHelloResultCallback> done_cb)
       : config_(config),
         found_error_(found_error),
         server_ip_(server_ip),
         version_(version),
         requested_config_(std::move(requested_config)),
         primary_config_(std::move(primary_config)),
-        crypto_proof_(crypto_proof),
+        signed_config_(signed_config),
         client_hello_state_(std::move(client_hello_state)),
         done_cb_(std::move(done_cb)) {}
 
   void Run(bool ok,
            const scoped_refptr<ProofSource::Chain>& chain,
-           const string& signature,
-           const string& leaf_cert_sct,
+           const QuicCryptoProof& proof,
            std::unique_ptr<ProofSource::Details> details) override {
     if (ok) {
-      crypto_proof_->chain = chain;
-      crypto_proof_->signature = signature;
-      crypto_proof_->cert_sct = leaf_cert_sct;
+      signed_config_->chain = chain;
+      signed_config_->signature = proof.signature;
+      signed_config_->cert_sct = proof.leaf_cert_scts;
     }
     config_.EvaluateClientHelloAfterGetProof(
         found_error_, server_ip_, version_, requested_config_, primary_config_,
-        crypto_proof_, std::move(details), !ok, client_hello_state_,
+        signed_config_, std::move(details), !ok, client_hello_state_,
         std::move(done_cb_));
   }
 
  private:
   const QuicCryptoServerConfig& config_;
   const bool found_error_;
   const IPAddress& server_ip_;
   const QuicVersion version_;
   const scoped_refptr<QuicCryptoServerConfig::Config> requested_config_;
   const scoped_refptr<QuicCryptoServerConfig::Config> primary_config_;
-  scoped_refptr<QuicCryptoProof> crypto_proof_;
+  scoped_refptr<QuicSignedServerConfig> signed_config_;
   scoped_refptr<ValidateClientHelloResultCallback::Result> client_hello_state_;
   std::unique_ptr<ValidateClientHelloResultCallback> done_cb_;
 };
 
 void QuicCryptoServerConfig::EvaluateClientHello(
     const IPAddress& server_ip,
     QuicVersion version,
     scoped_refptr<Config> requested_config,
     scoped_refptr<Config> primary_config,
-    scoped_refptr<QuicCryptoProof> crypto_proof,
+    scoped_refptr<QuicSignedServerConfig> signed_config,
     scoped_refptr<ValidateClientHelloResultCallback::Result> client_hello_state,
     std::unique_ptr<ValidateClientHelloResultCallback> done_cb) const {
   ValidateClientHelloHelper helper(client_hello_state, &done_cb);
 
   const CryptoHandshakeMessage& client_hello = client_hello_state->client_hello;
   ClientHelloInfo* info = &(client_hello_state->info);
 
   if (client_hello.size() < kClientHelloMinimumSize) {
     helper.ValidationComplete(QUIC_CRYPTO_INVALID_VALUE_LENGTH,
                               "Client hello too small", nullptr);
@@ skipping 51 matching lines @@
     info->reject_reasons.push_back(source_address_token_error);
     // No valid source address token.
     found_error = true;
   }
 
   bool get_proof_failed = false;
   string serialized_config = primary_config->serialized;
   string chlo_hash;
   CryptoUtils::HashHandshakeMessage(client_hello, &chlo_hash);
   bool need_proof = true;
-  need_proof = !crypto_proof->chain;
+  need_proof = !signed_config->chain;
   const QuicTag* tag_ptr;
   size_t num_tags;
   QuicTagVector connection_options;
   if (client_hello.GetTaglist(kCOPT, &tag_ptr, &num_tags) == QUIC_NO_ERROR) {
     connection_options.assign(tag_ptr, tag_ptr + num_tags);
   }
   if (FLAGS_enable_async_get_proof) {
     if (need_proof) {
       // Make an async call to GetProof and setup the callback to trampoline
       // back into EvaluateClientHelloAfterGetProof
       std::unique_ptr<EvaluateClientHelloCallback> cb(
           new EvaluateClientHelloCallback(
               *this, found_error, server_ip, version, requested_config,
-              primary_config, crypto_proof, client_hello_state,
+              primary_config, signed_config, client_hello_state,
               std::move(done_cb)));
       proof_source_->GetProof(server_ip, info->sni.as_string(),
                               serialized_config, version, chlo_hash,
                               connection_options, std::move(cb));
       helper.DetachCallback();
       return;
     }
   }
 
   // No need to get a new proof if one was already generated.
-  if (need_proof &&
-      !proof_source_->GetProof(
-          server_ip, info->sni.as_string(), serialized_config, version,
-          chlo_hash, connection_options, &crypto_proof->chain,
-          &crypto_proof->signature, &crypto_proof->cert_sct)) {
-    get_proof_failed = true;
+  if (need_proof) {
+    QuicCryptoProof proof;
+
+    if (proof_source_->GetProof(
+            server_ip, info->sni.as_string(), serialized_config, version,
+            chlo_hash, connection_options, &signed_config->chain, &proof)) {
+      signed_config->signature = proof.signature;
+      signed_config->cert_sct = proof.leaf_cert_scts;
+    } else {
+      get_proof_failed = true;
+    }
   }
 
   // Details are null because the synchronous version of GetProof does not
   // return any stats.  Eventually the synchronous codepath will be eliminated.
   EvaluateClientHelloAfterGetProof(
       found_error, server_ip, version, requested_config, primary_config,
-      crypto_proof, nullptr /* proof_source_details */, get_proof_failed,
+      signed_config, nullptr /* proof_source_details */, get_proof_failed,
       client_hello_state, std::move(done_cb));
   helper.DetachCallback();
 }
 
 void QuicCryptoServerConfig::EvaluateClientHelloAfterGetProof(
     bool found_error,
     const IPAddress& server_ip,
     QuicVersion version,
     scoped_refptr<Config> requested_config,
     scoped_refptr<Config> primary_config,
-    scoped_refptr<QuicCryptoProof> crypto_proof,
+    scoped_refptr<QuicSignedServerConfig> signed_config,
     std::unique_ptr<ProofSource::Details> proof_source_details,
     bool get_proof_failed,
     scoped_refptr<ValidateClientHelloResultCallback::Result> client_hello_state,
     std::unique_ptr<ValidateClientHelloResultCallback> done_cb) const {
   ValidateClientHelloHelper helper(client_hello_state, &done_cb);
   const CryptoHandshakeMessage& client_hello = client_hello_state->client_hello;
   ClientHelloInfo* info = &(client_hello_state->info);
 
   if (get_proof_failed) {
     found_error = true;
     info->reject_reasons.push_back(SERVER_CONFIG_UNKNOWN_CONFIG_FAILURE);
   }
 
-  if (!ValidateExpectedLeafCertificate(client_hello, *crypto_proof)) {
+  if (!ValidateExpectedLeafCertificate(client_hello, *signed_config)) {
     found_error = true;
     info->reject_reasons.push_back(INVALID_EXPECTED_LEAF_CERTIFICATE);
   }
 
   if (info->client_nonce.size() != kNonceSize) {
     info->reject_reasons.push_back(CLIENT_NONCE_INVALID_FAILURE);
     // Invalid client nonce.
     LOG(ERROR) << "Invalid client nonce: " << client_hello.DebugString();
     DVLOG(1) << "Invalid client nonce.";
     found_error = true;
@@ skipping 106 matching lines @@
         clock->WallNow(), cached_network_params);
   }
 
   out->set_tag(kSCUP);
   out->SetStringPiece(kSCFG, serialized);
   out->SetStringPiece(kSourceAddressTokenTag, source_address_token);
   out->SetValue(kSTTL,
                 expiry_time.AbsoluteDifference(clock->WallNow()).ToSeconds());
 
   scoped_refptr<ProofSource::Chain> chain;
-  string signature;
-  string cert_sct;
+  QuicCryptoProof proof;
   if (!proof_source_->GetProof(server_ip, params.sni, serialized, version,
-                               chlo_hash, connection_options, &chain,
-                               &signature, &cert_sct)) {
+                               chlo_hash, connection_options, &chain, &proof)) {
     DVLOG(1) << "Server: failed to get proof.";
     return false;
   }
 
   const string compressed = CompressChain(
       compressed_certs_cache, chain, params.client_common_set_hashes,
       params.client_cached_cert_hashes, common_cert_sets);
 
   out->SetStringPiece(kCertificateTag, compressed);
-  out->SetStringPiece(kPROF, signature);
+  out->SetStringPiece(kPROF, proof.signature);
   if (params.sct_supported_by_client && enable_serving_sct_) {
-    if (cert_sct.empty()) {
+    if (proof.leaf_cert_scts.empty()) {
       DLOG(WARNING) << "SCT is expected but it is empty. sni: " << params.sni
                     << " server_ip: " << server_ip.ToString();
     } else {
-      out->SetStringPiece(kCertificateSCTTag, cert_sct);
+      out->SetStringPiece(kCertificateSCTTag, proof.leaf_cert_scts);
     }
   }
   return true;
 }
 
 void QuicCryptoServerConfig::BuildServerConfigUpdateMessage(
     QuicVersion version,
     StringPiece chlo_hash,
     const SourceAddressTokens& previous_source_address_tokens,
     const IPAddress& server_ip,
@@ skipping 55 matching lines @@
       common_cert_sets_(common_cert_sets),
       client_common_set_hashes_(params.client_common_set_hashes),
       client_cached_cert_hashes_(params.client_cached_cert_hashes),
       sct_supported_by_client_(params.sct_supported_by_client),
       message_(std::move(message)),
       cb_(std::move(cb)) {}
 
 void QuicCryptoServerConfig::BuildServerConfigUpdateMessageProofSourceCallback::
     Run(bool ok,
         const scoped_refptr<ProofSource::Chain>& chain,
-        const string& signature,
-        const string& leaf_cert_sct,
+        const QuicCryptoProof& proof,
         std::unique_ptr<ProofSource::Details> details) {
   config_->FinishBuildServerConfigUpdateMessage(
       version_, compressed_certs_cache_, common_cert_sets_,
       client_common_set_hashes_, client_cached_cert_hashes_,
-      sct_supported_by_client_, ok, chain, signature, leaf_cert_sct,
-      std::move(details), std::move(message_), std::move(cb_));
+      sct_supported_by_client_, ok, chain, proof.signature,
+      proof.leaf_cert_scts, std::move(details), std::move(message_),
+      std::move(cb_));
 }
 
 void QuicCryptoServerConfig::FinishBuildServerConfigUpdateMessage(
     QuicVersion version,
     QuicCompressedCertsCache* compressed_certs_cache,
     const CommonCertSets* common_cert_sets,
     const string& client_common_set_hashes,
     const string& client_cached_cert_hashes,
     bool sct_supported_by_client,
     bool ok,
@@ skipping 30 matching lines @@
     QuicWallTime now,
     const Config& config,
     const CryptoHandshakeMessage& client_hello,
     const ClientHelloInfo& info,
     const CachedNetworkParameters& cached_network_params,
     bool use_stateless_rejects,
     QuicConnectionId server_designated_connection_id,
     QuicRandom* rand,
     QuicCompressedCertsCache* compressed_certs_cache,
     scoped_refptr<QuicCryptoNegotiatedParameters> params,
-    const QuicCryptoProof& crypto_proof,
+    const QuicSignedServerConfig& signed_config,
     QuicByteCount total_framing_overhead,
     QuicByteCount chlo_packet_size,
     CryptoHandshakeMessage* out) const {
   if (FLAGS_enable_quic_stateless_reject_support && use_stateless_rejects) {
     DVLOG(1) << "QUIC Crypto server config returning stateless reject "
              << "with server-designated connection ID "
              << server_designated_connection_id;
     out->set_tag(kSREJ);
     out->SetValue(kRCID, server_designated_connection_id);
   } else {
@@ skipping 23 matching lines @@
   if (client_hello.GetStringPiece(kCCS, &client_common_set_hashes)) {
     params->client_common_set_hashes = client_common_set_hashes.as_string();
   }
 
   StringPiece client_cached_cert_hashes;
   if (client_hello.GetStringPiece(kCCRT, &client_cached_cert_hashes)) {
     params->client_cached_cert_hashes = client_cached_cert_hashes.as_string();
   }
 
   const string compressed =
-      CompressChain(compressed_certs_cache, crypto_proof.chain,
+      CompressChain(compressed_certs_cache, signed_config.chain,
                     params->client_common_set_hashes,
                     params->client_cached_cert_hashes, config.common_cert_sets);
 
   DCHECK_GT(chlo_packet_size, client_hello.size());
   // kREJOverheadBytes is a very rough estimate of how much of a REJ
   // message is taken up by things other than the certificates.
   // STK: 56 bytes
   // SNO: 56 bytes
   // SCFG
   //   SCID: 16 bytes
   //   PUBS: 38 bytes
   const size_t kREJOverheadBytes = 166;
   // max_unverified_size is the number of bytes that the certificate chain,
   // signature, and (optionally) signed certificate timestamp can consume before
   // we will demand a valid source-address token.
   const size_t max_unverified_size =
       chlo_multiplier_ * (chlo_packet_size - total_framing_overhead) -
       kREJOverheadBytes;
   static_assert(kClientHelloMinimumSize * kMultiplier >= kREJOverheadBytes,
                 "overhead calculation may underflow");
   bool should_return_sct =
       params->sct_supported_by_client && enable_serving_sct_;
-  const size_t sct_size = should_return_sct ? crypto_proof.cert_sct.size() : 0;
+  const size_t sct_size = should_return_sct ? signed_config.cert_sct.size() : 0;
   const size_t total_size =
-      crypto_proof.signature.size() + compressed.size() + sct_size;
+      signed_config.signature.size() + compressed.size() + sct_size;
   if (info.valid_source_address_token || total_size < max_unverified_size) {
     out->SetStringPiece(kCertificateTag, compressed);
-    out->SetStringPiece(kPROF, crypto_proof.signature);
+    out->SetStringPiece(kPROF, signed_config.signature);
     if (should_return_sct) {
-      if (crypto_proof.cert_sct.empty()) {
+      if (signed_config.cert_sct.empty()) {
         DLOG(WARNING) << "SCT is expected but it is empty.";
       } else {
-        out->SetStringPiece(kCertificateSCTTag, crypto_proof.cert_sct);
+        out->SetStringPiece(kCertificateSCTTag, signed_config.cert_sct);
       }
     }
   } else {
     DLOG(WARNING) << "Sending inchoate REJ for hostname: " << info.sni
-                  << " signature: " << crypto_proof.signature.size()
+                  << " signature: " << signed_config.signature.size()
                   << " cert: " << compressed.size() << " sct:" << sct_size
                   << " total: " << total_size
                   << " max: " << max_unverified_size;
   }
 }
 
 string QuicCryptoServerConfig::CompressChain(
     QuicCompressedCertsCache* compressed_certs_cache,
     const scoped_refptr<ProofSource::Chain>& chain,
     const string& client_common_set_hashes,
@@ skipping 461 matching lines @@
     case STRIKE_REGISTER_TIMEOUT:
     case STRIKE_REGISTER_FAILURE:
     default:
       QUIC_BUG << "Unexpected server nonce error: " << nonce_error;
       return SERVER_NONCE_NOT_UNIQUE_FAILURE;
   }
 }
 
 bool QuicCryptoServerConfig::ValidateExpectedLeafCertificate(
     const CryptoHandshakeMessage& client_hello,
-    const QuicCryptoProof& crypto_proof) const {
-  if (crypto_proof.chain->certs.empty()) {
+    const QuicSignedServerConfig& signed_config) const {
+  if (signed_config.chain->certs.empty()) {
     return false;
   }
 
   uint64_t hash_from_client;
   if (client_hello.GetUint64(kXLCT, &hash_from_client) != QUIC_NO_ERROR) {
     return false;
   }
-  return CryptoUtils::ComputeLeafCertHash(crypto_proof.chain->certs.at(0)) ==
+  return CryptoUtils::ComputeLeafCertHash(signed_config.chain->certs.at(0)) ==
          hash_from_client;
 }
 
 bool QuicCryptoServerConfig::ClientDemandsX509Proof(
     const CryptoHandshakeMessage& client_hello) const {
   const QuicTag* their_proof_demands;
   size_t num_their_proof_demands;
 
   if (client_hello.GetTaglist(kPDMD, &their_proof_demands,
                               &num_their_proof_demands) != QUIC_NO_ERROR) {
@@ skipping 13 matching lines @@
     : channel_id_enabled(false),
       is_primary(false),
       primary_time(QuicWallTime::Zero()),
       expiry_time(QuicWallTime::Zero()),
       priority(0),
       source_address_token_boxer(nullptr) {}
 
 QuicCryptoServerConfig::Config::~Config() {
 }
 
-QuicCryptoProof::QuicCryptoProof() {}
-QuicCryptoProof::~QuicCryptoProof() {}
+QuicSignedServerConfig::QuicSignedServerConfig() {}
+QuicSignedServerConfig::~QuicSignedServerConfig() {}
 
 }  // namespace net