Populate cert_key_types on OpenSSL.

net/socket/ssl_client_socket_openssl.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // OpenSSL binding for SSLClientSocket. The class layout and general principle
 // of operation is derived from SSLClientSocketNSS.
 
 #include "net/socket/ssl_client_socket_openssl.h"
 
 #include <openssl/err.h>
@@ skipping 494 matching lines @@
       net_log_(transport_->socket()->NetLog()) {}
 
 SSLClientSocketOpenSSL::~SSLClientSocketOpenSSL() {
   Disconnect();
 }
 
 void SSLClientSocketOpenSSL::GetSSLCertRequestInfo(
     SSLCertRequestInfo* cert_request_info) {
   cert_request_info->host_and_port = host_and_port_;
   cert_request_info->cert_authorities = cert_authorities_;
+  cert_request_info->cert_key_types = cert_key_types_;
 }
 
 SSLClientSocket::NextProtoStatus SSLClientSocketOpenSSL::GetNextProto(
     std::string* proto, std::string* server_protos) {
   *proto = npn_proto_;
   *server_protos = server_protos_;
   return npn_status_;
 }
 
 ServerBoundCertService*
@@ skipping 84 matching lines @@
   user_write_buf_        = NULL;
   user_write_buf_len_    = 0;
 
   pending_read_error_ = kNoPendingReadResult;
   transport_write_error_ = OK;
 
   server_cert_verify_result_.Reset();
   completed_handshake_ = false;
 
   cert_authorities_.clear();
+  cert_key_types_.clear();
   client_auth_cert_needed_ = false;
 }
 
 bool SSLClientSocketOpenSSL::IsConnected() const {
   // If the handshake has not yet completed.
   if (!completed_handshake_)
     return false;
   // If an asynchronous operation is still pending.
   if (user_read_buf_.get() || user_write_buf_.get())
     return true;
@@ skipping 776 matching lines @@
 
 int SSLClientSocketOpenSSL::ClientCertRequestCallback(SSL* ssl,
                                                       X509** x509,
                                                       EVP_PKEY** pkey) {
   DVLOG(3) << "OpenSSL ClientCertRequestCallback called";
   DCHECK(ssl == ssl_);
   DCHECK(*x509 == NULL);
   DCHECK(*pkey == NULL);
 #if defined(USE_OPENSSL_CERTS)
   if (!ssl_config_.send_client_cert) {
     // First pass: we know that a client certificate is needed, but we do not

[wtc, 2014/04/25 18:52:40]

Hmm... I believe almost the code in the first pass, with the possible exception
of the "return -1" on line 1440, is also usable when USE_OPENSSL_CERTS is not
defined.

So, if we restructure the ifdef here, we should be able to run the new
SSLClientSocketCertRequestInfoTest.ClientKeyTypes test with just #if
defined(USE_OPENSSL).

[davidben, 2014/04/25 20:52:31]

Hrm. Yeah, looks like it. I suspect it was done this way just because the client
auth code is otherwise not hooked up to anything? I dunno. Not sure what the
plan is. (Ryan?)

[Ryan Sleevi, 2014/04/26 01:47:33]

Yeah, when we support platform native auth, this will all move from being gated
behind USE_OPENSSL_CERTS, with the exception of line 1454/1455, which will need
to shim OS cert into OpenSSL cert. That is, platform-native auth will be
implemented using an OpenSSLClientKeyStore that vends an EVP_PKEY that talks to
the OS-layer for signing when OpenSSL calls into it.

I'm fine making some of that change here.

[davidben, 2014/04/30 21:48:17]

Alright. Moved stuff out from there.

     // have one at hand.
     client_auth_cert_needed_ = true;
     STACK_OF(X509_NAME) *authorities = SSL_get_client_CA_list(ssl);
     for (int i = 0; i < sk_X509_NAME_num(authorities); i++) {
       X509_NAME *ca_name = (X509_NAME *)sk_X509_NAME_value(authorities, i);
       unsigned char* str = NULL;
       int length = i2d_X509_NAME(ca_name, &str);
       cert_authorities_.push_back(std::string(
           reinterpret_cast<const char*>(str),
           static_cast<size_t>(length)));
       OPENSSL_free(str);
     }
 
+    char* client_cert_types;
+    size_t num_client_cert_types;
+    SSL_get_client_certificate_types(ssl, &client_cert_types,
+                                     &num_client_cert_types);
+    for (size_t i = 0; i < num_client_cert_types; i++) {
+      cert_key_types_.push_back(
+          static_cast<SSLClientCertType>(client_cert_types[i]));
+    }
+
     return -1;  // Suspends handshake.
   }
 
   // Second pass: a client certificate should have been selected.
   if (ssl_config_.client_cert.get()) {
     // A note about ownership: FetchClientCertPrivateKey() increments
     // the reference count of the EVP_PKEY. Ownership of this reference
     // is passed directly to OpenSSL, which will release the reference
     // using EVP_PKEY_free() when the SSL object is destroyed.
     OpenSSLClientKeyStore::ScopedEVP_PKEY privkey;
@@ skipping 126 matching lines @@
   DVLOG(2) << "next protocol: '" << npn_proto_ << "' status: " << npn_status_;
   return SSL_TLSEXT_ERR_OK;
 }
 
 scoped_refptr<X509Certificate>
 SSLClientSocketOpenSSL::GetUnverifiedServerCertificateChain() const {
   return server_cert_;
 }
 
 }  // namespace net