Implement TLS client auth in the OS X OpenSSL port.

net/socket/ssl_client_socket_openssl.cc

Index: net/socket/ssl_client_socket_openssl.cc
diff --git a/net/socket/ssl_client_socket_openssl.cc b/net/socket/ssl_client_socket_openssl.cc
index 1c00180be94ca7866754dd231994f163c916fc20..154f54b0b31c079e52f059c8a60ed453eecc8c87 100644
--- a/net/socket/ssl_client_socket_openssl.cc
+++ b/net/socket/ssl_client_socket_openssl.cc
@@ -23,14 +23,19 @@
 #include "net/cert/cert_verifier.h"
 #include "net/cert/single_request_cert_verifier.h"
 #include "net/cert/x509_certificate_net_log_param.h"
-#include "net/socket/openssl_ssl_util.h"
 #include "net/socket/ssl_error_params.h"
 #include "net/socket/ssl_session_cache_openssl.h"
-#include "net/ssl/openssl_client_key_store.h"
+#include "net/ssl/openssl_ssl_util.h"
 #include "net/ssl/ssl_cert_request_info.h"
 #include "net/ssl/ssl_connection_status_flags.h"
 #include "net/ssl/ssl_info.h"
 
+#if defined(USE_OPENSSL_CERTS)

[Ryan Sleevi, 2014/07/23 22:38:47]

USE_OPENSSL_CERTS is only meant to apply to the representation of an
X509Certificate object, not keys.

I'm not sure I understand why this #ifdef

+#include "net/ssl/openssl_client_key_store.h"
+#else
+#include "net/ssl/openssl_platform_key.h"
+#endif
+
 namespace net {
 
 namespace {
@@ -1323,6 +1328,11 @@ int SSLClientSocketOpenSSL::ClientCertRequestCallback(SSL* ssl,
   DCHECK(ssl == ssl_);
   DCHECK(*x509 == NULL);
   DCHECK(*pkey == NULL);
+
+#if defined(OS_IOS)
+  // TODO(droger): Support client auth on iOS. See http://crbug.com/145954).
+  LOG(WARNING) << "Client auth is not supported";
+#else  // !defined(OS_IOS)
   if (!ssl_config_.send_client_cert) {
     // First pass: we know that a client certificate is needed, but we do not
     // have one at hand.
@@ -1361,25 +1371,25 @@ int SSLClientSocketOpenSSL::ClientCertRequestCallback(SSL* ssl,
       return -1;
     }
 
-    crypto::ScopedEVP_PKEY privkey;
+    // TODO(davidben): With Linux client auth support, this should be
+    // conditioned on OS_ANDROID and then, with https://crbug.com/394131,
+    // removed altogether. OpenSSLClientKeyStore is mostly an artifact of the
+    // net/ client auth API lacking a private key handle.
 #if defined(USE_OPENSSL_CERTS)
-    // A note about ownership: FetchClientCertPrivateKey() increments
-    // the reference count of the EVP_PKEY. Ownership of this reference
-    // is passed directly to OpenSSL, which will release the reference
-    // using EVP_PKEY_free() when the SSL object is destroyed.
-    if (!OpenSSLClientKeyStore::GetInstance()->FetchClientCertPrivateKey(
-            ssl_config_.client_cert.get(), &privkey)) {
+    crypto::ScopedEVP_PKEY privkey =
+        OpenSSLClientKeyStore::GetInstance()->FetchClientCertPrivateKey(
+            ssl_config_.client_cert.get());
+#else  // !defined(USE_OPENSSL_CERTS)
+    crypto::ScopedEVP_PKEY privkey =
+        FetchClientCertPrivateKey(ssl_config_.client_cert.get());
+#endif  // defined(USE_OPENSSL_CERTS)
+    if (!privkey) {
       // Could not find the private key. Fail the handshake and surface an
       // appropriate error to the caller.
       LOG(WARNING) << "Client cert found without private key";
       OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_CERT_NO_PRIVATE_KEY);
       return -1;
     }
-#else  // !defined(USE_OPENSSL_CERTS)
-    // OS handling of private keys is not yet implemented.
-    NOTIMPLEMENTED();
-    return 0;
-#endif  // defined(USE_OPENSSL_CERTS)
 
     // TODO(joth): (copied from NSS) We should wait for server certificate
     // verification before sending our credentials. See http://crbug.com/13934
@@ -1387,6 +1397,7 @@ int SSLClientSocketOpenSSL::ClientCertRequestCallback(SSL* ssl,
     *pkey = privkey.release();
     return 1;
   }
+#endif  // defined(OS_IOS)
 
   // Send no client certificate.
   return 0;