Remember if a user declines to provide a server with a client certificate

net/http/http_network_transaction.cc

Index: net/http/http_network_transaction.cc
diff --git a/net/http/http_network_transaction.cc b/net/http/http_network_transaction.cc
index bc2d3225debcce2f182e1b4aea4ba757d4838eeb..69d02417e40d2c5ab38913c052bcacfa76902e0a 100644
--- a/net/http/http_network_transaction.cc
+++ b/net/http/http_network_transaction.cc
@@ -96,7 +96,6 @@ HttpNetworkTransaction::HttpNetworkTransaction(HttpNetworkSession* session)
   session->ssl_config_service()->GetSSLConfig(&ssl_config_);
   if (session->http_stream_factory()->next_protos())
     ssl_config_.next_protos = *session->http_stream_factory()->next_protos();
-
 }
 
 HttpNetworkTransaction::~HttpNetworkTransaction() {
@@ -171,10 +170,8 @@ int HttpNetworkTransaction::RestartWithCertificate(
   DCHECK_EQ(STATE_NONE, next_state_);
 
   ssl_config_.client_cert = client_cert;
-  if (client_cert) {
-    session_->ssl_client_auth_cache()->Add(GetHostAndPort(request_->url),
-                                           client_cert);
-  }
+  session_->ssl_client_auth_cache()->Add(GetHostAndPort(request_->url),
+                                         client_cert);
   ssl_config_.send_client_cert = true;
   // Reset the other member variables.
   // Note: this is necessary only with SSL renegotiation.
@@ -978,28 +975,44 @@ int HttpNetworkTransaction::HandleCertificateRequest(int error) {
   stream_request_.reset();
 
   // If the user selected one of the certificate in client_certs for this

[agl, 2010/11/09 17:04:06]

I think this comment has some grammar issues. (Not your new stuff, the original
comment.)

[wtc, 2010/11/18 01:33:07]

Please fix my grammatical errors.  I guess we should say
"one of the certificates" (plural).  How about:
  If the user selected one of the certificates in client_certs
  or declined to provide one for this server before, use the
  past decision automatically.

-  // server before, use it automatically.
-  X509Certificate* client_cert = session_->ssl_client_auth_cache()->
-                                 Lookup(GetHostAndPort(request_->url));
+  // server before, or previously declined to provide one, use it
+  // automatically.
+  X509Certificate* client_cert = NULL;
+  bool found_cached_cert = session_->ssl_client_auth_cache()->Lookup(
+      GetHostAndPort(request_->url), &client_cert);
+  if (!found_cached_cert)
+    return error;
+
+  // If the user previously selected a specific certificate, as opposed to

[wtc, 2010/11/18 01:33:07]

Nit: remove
  If the user previously selected a specific certificate, as opposed to
  declining to provide one,

+  // declining to provide one, check that the certificate selected is still a
+  // certificate the server is likely to accept, based on the criteria it
+  // supplied in the CertificateRequest message.
   if (client_cert) {
     const std::vector<scoped_refptr<X509Certificate> >& client_certs =
         response_.cert_request_info->client_certs;
+    bool cert_still_valid = false;
     for (size_t i = 0; i < client_certs.size(); ++i) {
-      if (client_cert->fingerprint().Equals(client_certs[i]->fingerprint())) {
-        // TODO(davidben): Add a unit test which covers this path; we need to be
-        // able to send a legitimate certificate and also bypass/clear the
-        // SSL session cache.
-        ssl_config_.client_cert = client_cert;
-        ssl_config_.send_client_cert = true;
-        next_state_ = STATE_CREATE_STREAM;
-        // Reset the other member variables.
-        // Note: this is necessary only with SSL renegotiation.
-        ResetStateForRestart();
-        return OK;
+      if (X509Certificate::IsSameOSCert(client_cert->os_cert_handle(),

[wtc, 2010/11/18 01:33:07]

Use the new X509Certificate::Equals method:
  if (client_cert->Equals(client_certs[i])) {

+                                        client_certs[i]->os_cert_handle())) {
+        cert_still_valid = true;
+        break;
       }
     }
+
+    if (!cert_still_valid)
+      return error;
   }
-  return error;
+
+  // TODO(davidben): Add a unit test which covers this path; we need to be
+  // able to send a legitimate certificate and also bypass/clear the
+  // SSL session cache.
+  ssl_config_.client_cert = client_cert;
+  ssl_config_.send_client_cert = true;
+  next_state_ = STATE_CREATE_STREAM;
+  // Reset the other member variables.
+  // Note: this is necessary only with SSL renegotiation.
+  ResetStateForRestart();
+  return OK;
 }
 
 // This method determines whether it is safe to resend the request after an