Support for client certs in ssl_server_socket.

net/socket/ssl_client_socket_nss.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived
 // from AuthCertificateCallback() in
 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.
 
 /* ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
@@ skipping 626 matching lines @@
   bool WasEverUsed() const;
 
   // Called on the network task runner.
   // Causes the associated SSL/TLS session ID to be added to NSS's session
   // cache, but only if the connection has not been False Started.
   //
   // This should only be called after the server's certificate has been
   // verified, and may not be called within an NSS callback.
   void CacheSessionIfNecessary();
 
+  // Only for unit testing.
+  // This should only be called before Connect().
+  void ForceClientCertificateAndKeyForTest(
+      scoped_refptr<X509Certificate> client_cert,
+      scoped_ptr<crypto::RSAPrivateKey> client_private_key);
+
  private:
   friend class base::RefCountedThreadSafe<Core>;
   ~Core();
 
   enum State {
     STATE_NONE,
     STATE_HANDSHAKE,
     STATE_GET_DOMAIN_BOUND_CERT_COMPLETE,
   };
 
@@ skipping 255 matching lines @@
   // for the network task runner from the NSS task runner.
   base::WeakPtr<BoundNetLog> weak_net_log_;
 
   // Written on the network task runner by the |channel_id_service_|,
   // prior to invoking OnHandshakeIOComplete.
   // Read on the NSS task runner when once OnHandshakeIOComplete is invoked
   // on the NSS task runner.
   std::string domain_bound_private_key_;
   std::string domain_bound_cert_;
 
+  // Used only for unit testing.
+  scoped_ptr<crypto::RSAPrivateKey> client_private_key_;
+
   DISALLOW_COPY_AND_ASSIGN(Core);
 };
 
 SSLClientSocketNSS::Core::Core(
     base::SequencedTaskRunner* network_task_runner,
     base::SequencedTaskRunner* nss_task_runner,
     ClientSocketHandle* transport,
     const HostPortPair& host_and_port,
     const SSLConfig& ssl_config,
     BoundNetLog* net_log,
@@ skipping 613 matching lines @@
 
   // Regular client certificate requested.
   core->client_auth_cert_needed_ = !core->ssl_config_.send_client_cert;
   void* wincx  = SSL_RevealPinArg(socket);
 
   if (core->ssl_config_.send_client_cert) {
     // Second pass: a client certificate should have been selected.
     if (core->ssl_config_.client_cert.get()) {
       CERTCertificate* cert =
           CERT_DupCertificate(core->ssl_config_.client_cert->os_cert_handle());
-      SECKEYPrivateKey* privkey = PK11_FindKeyByAnyCert(cert, wincx);
+      SECKEYPrivateKey* privkey = NULL;
+      if (core->client_private_key_.get()) {
+        privkey = SECKEY_CopyPrivateKey(core->client_private_key_->key());
+      } else {
+        privkey = PK11_FindKeyByAnyCert(cert, wincx);
+      }
       if (privkey) {
         // TODO(jsorianopastor): We should wait for server certificate
         // verification before sending our credentials.  See
         // http://crbug.com/13934.
         *result_certificate = cert;
         *result_private_key = privkey;
         // A cert_count of -1 means the number of certificates is unknown.
         // NSS will construct the certificate chain.
         core->AddCertProvidedEvent(-1);
 
@@ skipping 1253 matching lines @@
       FROM_HERE, base::Bind(&AddLogEvent, weak_net_log_,
                             NetLog::TYPE_SSL_CHANNEL_ID_PROVIDED));
   nss_handshake_state_.channel_id_sent = true;
   // Update the network task runner's view of the handshake state now that
   // channel id has been sent.
   PostOrRunCallback(
       FROM_HERE, base::Bind(&Core::OnHandshakeStateUpdated, this,
                             nss_handshake_state_));
 }
 
+void SSLClientSocketNSS::Core::ForceClientCertificateAndKeyForTest(
+    scoped_refptr<X509Certificate> client_cert,
+    scoped_ptr<crypto::RSAPrivateKey> client_private_key) {
+  ssl_config_.send_client_cert = true;
+  ssl_config_.client_cert = client_cert;
+  client_private_key_ = client_private_key.Pass();
+}
+
 SSLClientSocketNSS::SSLClientSocketNSS(
     base::SequencedTaskRunner* nss_task_runner,
     scoped_ptr<ClientSocketHandle> transport_socket,
     const HostPortPair& host_and_port,
     const SSLConfig& ssl_config,
     const SSLClientSocketContext& context)
     : nss_task_runner_(nss_task_runner),
       transport_(transport_socket.Pass()),
       host_and_port_(host_and_port),
       ssl_config_(ssl_config),
@@ skipping 795 matching lines @@
         SignedCertificateTimestampAndStatus(*iter,
                                             ct::SCT_STATUS_LOG_UNKNOWN));
   }
 }
 
 scoped_refptr<X509Certificate>
 SSLClientSocketNSS::GetUnverifiedServerCertificateChain() const {
   return core_->state().server_cert.get();
 }
 
+void SSLClientSocketNSS::ForceClientCertificateAndKeyForTest(
+    scoped_refptr<X509Certificate> client_cert,
+    scoped_ptr<crypto::RSAPrivateKey> client_private_key) {
+  core_->ForceClientCertificateAndKeyForTest(client_cert,
+                                             client_private_key.Pass());
+}
+
 ChannelIDService* SSLClientSocketNSS::GetChannelIDService() const {
   return channel_id_service_;
 }
 
 }  // namespace net