Support for client certs in ssl_server_socket.

net/socket/ssl_client_socket.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_SOCKET_SSL_CLIENT_SOCKET_H_
 #define NET_SOCKET_SSL_CLIENT_SOCKET_H_
 
 #include <string>
 
 #include "base/gtest_prod_util.h"
 #include "net/base/completion_callback.h"
 #include "net/base/load_flags.h"
 #include "net/base/net_errors.h"
 #include "net/socket/ssl_socket.h"
 #include "net/socket/stream_socket.h"
 
+namespace crypto {
+class RSAPrivateKey;

[Ryan Sleevi, 2015/03/19 04:38:24]

I really don't want to force a dependency on //crypto/RSAPrivateKey. I don't
think it's a good interface fit.

David?

[davidben, 2015/03/25 00:05:33]

Eventually SSLConfig will take both a net::X509Certificate and a <some handle to
a private key>. I hadn't thought too hard about exactly what that handle should
be. crypto::RSAPrivateKey is certainly right out since we do ECDSA as well.
crypto::ScopedEVP_PKEY is a possibility. As is some kind of common base between
crypto::RSAPrivateKey and crypto::ECPrivateKey.

+}
+
 namespace net {
 
 class CertPolicyEnforcer;
 class CertVerifier;
 class ChannelIDService;
 class CTVerifier;
 class HostPortPair;
 class ServerBoundCertService;
 class SSLCertRequestInfo;
 struct SSLConfig;
@@ skipping 199 matching lines @@
       const NextProtoVector& next_protos,
       bool can_advertise_http2);
 
   // For unit testing only.
   // Returns the unverified certificate chain as presented by server.
   // Note that chain may be different than the verified chain returned by
   // StreamSocket::GetSSLInfo().
   virtual scoped_refptr<X509Certificate> GetUnverifiedServerCertificateChain()
       const = 0;
 
+  // For unit testing only.
+  // Specify a client certificate and the RSA private key to be used with it.
+  virtual void ForceClientCertificateAndKeyForTest(

[Ryan Sleevi, 2015/03/19 04:38:24]

ForTesting, to get the presubmit

+      scoped_refptr<X509Certificate> client_cert,

[Ryan Sleevi, 2015/03/19 04:38:24]

STYLE: const scoped_refptr<X509Certificate>&

+      scoped_ptr<crypto::RSAPrivateKey> client_private_key) {}

[Ryan Sleevi, 2015/03/19 04:38:24]

It's not clear to me that this method is needed/appropriate, given that the
SSLConfig contains the client cert.

If you're trying to avoid the OS-key dependency, you should likely work with
David on his proposed refactoring of those bits as appropriate.

+
  private:
   FRIEND_TEST_ALL_PREFIXES(SSLClientSocket, SerializeNextProtos);
   // For signed_cert_timestamps_received_ and stapled_ocsp_response_received_.
   FRIEND_TEST_ALL_PREFIXES(SSLClientSocketTest,
                            ConnectSignedCertTimestampsEnabledTLSExtension);
   FRIEND_TEST_ALL_PREFIXES(SSLClientSocketTest,
                            ConnectSignedCertTimestampsEnabledOCSP);
   FRIEND_TEST_ALL_PREFIXES(SSLClientSocketTest,
                            ConnectSignedCertTimestampsDisabled);
   FRIEND_TEST_ALL_PREFIXES(SSLClientSocketTest,
                            VerifyServerChainProperlyOrdered);
+  friend class SSLServerSocketTest;
 
   // True if NPN was responded to, independent of selecting SPDY or HTTP.
   bool was_npn_negotiated_;
   // True if NPN successfully negotiated SPDY.
   bool was_spdy_negotiated_;
   // Protocol that we negotiated with the server.
   NextProto protocol_negotiated_;
   // True if a channel ID was sent.
   bool channel_id_sent_;
   // True if SCTs were received via a TLS extension.
   bool signed_cert_timestamps_received_;
   // True if a stapled OCSP response was received.
   bool stapled_ocsp_response_received_;
   // Protocol negotiation extension used.
   SSLNegotiationExtension negotiation_extension_;
 };
 
 }  // namespace net
 
 #endif  // NET_SOCKET_SSL_CLIENT_SOCKET_H_