
Unified Diff: net/ssl/client_cert_identity.h

Issue 2898573002: Refactor client cert private key handling. (Closed)
Patch Set: rebase on https://codereview.chromium.org/2899083006/ Created 3 years, 7 months ago
Index: net/ssl/client_cert_identity.h
diff --git a/net/ssl/client_cert_identity.h b/net/ssl/client_cert_identity.h
new file mode 100644
index 0000000000000000000000000000000000000000..c79dc6e779b7b11af034dbf12c83e7d393d1445b
--- /dev/null
+++ b/net/ssl/client_cert_identity.h
@@ -0,0 +1,99 @@
+// Copyright 2017 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_SSL_SSL_CLIENT_CERT_IDENTITY_H_
+#define NET_SSL_SSL_CLIENT_CERT_IDENTITY_H_
+
+#include "base/callback.h"
+#include "net/base/net_export.h"
+#include "net/cert/x509_certificate.h"
+
+#if defined(OS_MACOSX)
+#include <Security/SecBase.h>
+#endif
+
+namespace base {
+class Time;
+}
+
+namespace net {
+
+class SSLPrivateKey;
+
+// XXX does this make sense as a standalone file, or should it be part of
+// ClientCertStore header?
+
+// XXX comment
+class NET_EXPORT ClientCertIdentity {
+ public:
+ explicit ClientCertIdentity(scoped_refptr<net::X509Certificate> cert);
+ virtual ~ClientCertIdentity();
+
+ // XXX comments.
+ // // XXX should this be const?
+ X509Certificate* certificate() const { return cert_.get(); }
+
+ // XXX idea: instead of doing a callback to aquire the private key and then
+ // doing ContinueWithCertificate(cert,key), just do
+ // ContinueWithCertificate(clientcertidentity), put off doing the lookup all
+ // the way to SSLClientSocketImpl::PrivateKeySignDigestCallback. Might mess
+ // up error handling though (eg, would auth cache record it even when there
+ // was no matching key?)
+
+ // XXX
+ // caller responsible for keeping the ClientCertIdentity alive until the
+ // callback is run. callback may be called with null private key callback may
+ // be called synchronously (?) (XXX : verify all usages as sync safe)
+ virtual void AcquirePrivateKey(
+ const base::Callback<void(scoped_refptr<SSLPrivateKey>)>&
+ private_key_callback) = 0;
+
+#if defined(OS_MACOSX)
+ // XXX gross, but it allows ssl_client_certificate_selector_cocoa.mm to avoid
+ // doing SecIdentityCreateWithCertificate on UI thread.
+ virtual SecIdentityRef sec_identity_ref() const = 0;
+#endif
+
+ // XXX comment
+ static void SelfOwningAcquirePrivateKey(
+ std::unique_ptr<ClientCertIdentity> self,
+ const base::Callback<void(scoped_refptr<SSLPrivateKey>)>&
+ private_key_callback);
+
+ // Sets the intermediates of |certificate()| to |intermediates|. Note that
+ // this will change the value of |certificate()|, and any references that
+ // were retained to the previous value will not reflect the updated
+ // intermediates list.
+ void SetIntermediates(X509Certificate::OSCertHandles intermediates);
+
+ private:
+ scoped_refptr<net::X509Certificate> cert_;
+};
+
+// Comparator for use in STL algorithms that will sort client certificates by
+// order of preference.
+// Returns true if |a| is more preferable than |b|, allowing it to be used
+// with any algorithm that compares according to strict weak ordering.
+//
+// Criteria include:
+// - Prefer certificates that have a longer validity period (later
+// expiration dates)
+// - If equal, prefer certificates that were issued more recently
+// - If equal, prefer shorter chains (if available)
+class NET_EXPORT_PRIVATE ClientCertIdentitySorter {
+ public:
+ ClientCertIdentitySorter();
+
+ bool operator()(const std::unique_ptr<ClientCertIdentity>& a,
+ const std::unique_ptr<ClientCertIdentity>& b) const;
+
+ private:
+ base::Time now_;
+};
+
+using ClientCertIdentityList = std::vector<std::unique_ptr<ClientCertIdentity>>;
+
+} // namespace net
+
+#endif // NET_SSL_SSL_CLIENT_CERT_IDENTITY_H_
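Review bot: `certificate()` returns a raw `X509Certificate*` that `SetIntermediates()` can invalidate, because it replaces `cert_` and the previous object is released once no other `scoped_refptr` holds it; the comment on `SetIntermediates()` only says retained references will not see the new intermediates, not that a raw pointer obtained earlier may dangle. I would document that on the accessor: `// The returned pointer is valid only until this identity is destroyed or SetIntermediates() is called; hold a scoped_refptr if it must outlive either.` The `AcquirePrivateKey()` contract still has its XXX placeholders and should be pinned before landing, since whether the callback may run synchronously decides whether callers must be reentrancy-safe, and a null key should be stated as the expected "no matching private key" outcome rather than an error the caller may forget to handle; `SelfOwningAcquirePrivateKey()` likewise needs a sentence saying `self` is kept alive until the callback has run, which is presumably its purpose. Separately, the guard `NET_SSL_SSL_CLIENT_CERT_IDENTITY_H_` does not follow the file path (`NET_SSL_CLIENT_CERT_IDENTITY_H_`), `<memory>` and `<vector>` are used for `std::unique_ptr`/`std::vector` without being included, and `base::Time` is only forward-declared even though `ClientCertIdentitySorter::now_` holds it by value, which needs the complete type and presumably only compiles via a transitive include.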
