Support for client certs in ssl_server_socket.

net/socket/ssl_client_socket_nss.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived
 // from AuthCertificateCallback() in
 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.
 
 /* ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
@@ skipping 500 matching lines @@
   bool WasEverUsed() const;
 
   // Called on the network task runner.
   // Causes the associated SSL/TLS session ID to be added to NSS's session
   // cache, but only if the connection has not been False Started.
   //
   // This should only be called after the server's certificate has been
   // verified, and may not be called within an NSS callback.
   void CacheSessionIfNecessary();
 
+  // Only for unit testing.
+  // This should only be called before Connect().
+  void ForceClientCertificateAndKeyForTest(
+      scoped_refptr<X509Certificate> client_cert,
+      scoped_ptr<crypto::RSAPrivateKey> client_private_key);
+
  private:
   friend class base::RefCountedThreadSafe<Core>;
   ~Core();
 
   enum State {
     STATE_NONE,
     STATE_HANDSHAKE,
     STATE_GET_DOMAIN_BOUND_CERT_COMPLETE,
   };
 
@@ skipping 241 matching lines @@
   // Dereferenced only on the network task runner, but bound to tasks destined
   // for the network task runner from the NSS task runner.
   base::WeakPtr<BoundNetLog> weak_net_log_;
 
   // Written on the network task runner by the |channel_id_service_|,
   // prior to invoking OnHandshakeIOComplete.
   // Read on the NSS task runner when once OnHandshakeIOComplete is invoked
   // on the NSS task runner.
   scoped_ptr<crypto::ECPrivateKey> channel_id_key_;
 
+  // Used only for unit testing.
+  scoped_ptr<crypto::RSAPrivateKey> client_private_key_;
+
   DISALLOW_COPY_AND_ASSIGN(Core);
 };
 
 SSLClientSocketNSS::Core::Core(
     base::SequencedTaskRunner* network_task_runner,
     base::SequencedTaskRunner* nss_task_runner,
     ClientSocketHandle* transport,
     const HostPortPair& host_and_port,
     const SSLConfig& ssl_config,
     BoundNetLog* net_log,
@@ skipping 397 matching lines @@
 
   // Regular client certificate requested.
   core->client_auth_cert_needed_ = !core->ssl_config_.send_client_cert;
   void* wincx  = SSL_RevealPinArg(socket);
 
   if (core->ssl_config_.send_client_cert) {
     // Second pass: a client certificate should have been selected.
     if (core->ssl_config_.client_cert.get()) {
       CERTCertificate* cert =
           CERT_DupCertificate(core->ssl_config_.client_cert->os_cert_handle());
-      SECKEYPrivateKey* privkey = PK11_FindKeyByAnyCert(cert, wincx);
+      SECKEYPrivateKey* privkey = NULL;
+      if (core->client_private_key_.get()) {
+        privkey = SECKEY_CopyPrivateKey(core->client_private_key_->key());
+      } else {
+        privkey = PK11_FindKeyByAnyCert(cert, wincx);
+      }
       if (privkey) {
         // TODO(jsorianopastor): We should wait for server certificate
         // verification before sending our credentials.  See
         // http://crbug.com/13934.
         *result_certificate = cert;
         *result_private_key = privkey;
         // A cert_count of -1 means the number of certificates is unknown.
         // NSS will construct the certificate chain.
         core->AddCertProvidedEvent(-1);
 
@@ skipping 1136 matching lines @@
       FROM_HERE, base::Bind(&AddLogEvent, weak_net_log_,
                             NetLog::TYPE_SSL_CHANNEL_ID_PROVIDED));
   nss_handshake_state_.channel_id_sent = true;
   // Update the network task runner's view of the handshake state now that
   // channel id has been sent.
   PostOrRunCallback(
       FROM_HERE, base::Bind(&Core::OnHandshakeStateUpdated, this,
                             nss_handshake_state_));
 }
 
+void SSLClientSocketNSS::Core::ForceClientCertificateAndKeyForTest(
+    scoped_refptr<X509Certificate> client_cert,
+    scoped_ptr<crypto::RSAPrivateKey> client_private_key) {
+  ssl_config_.send_client_cert = true;
+  ssl_config_.client_cert = client_cert;
+  client_private_key_ = client_private_key.Pass();
+}
+
 SSLClientSocketNSS::SSLClientSocketNSS(
     scoped_ptr<ClientSocketHandle> transport_socket,
     const HostPortPair& host_and_port,
     const SSLConfig& ssl_config,
     const SSLClientSocketContext& context)
     : transport_(transport_socket.Pass()),
       host_and_port_(host_and_port),
       ssl_config_(ssl_config),
       cert_verifier_(context.cert_verifier),
       cert_transparency_verifier_(context.cert_transparency_verifier),
@@ skipping 812 matching lines @@
     return;
   }
 
   NextProto fallback_proto = next_protos->back();
   for (size_t i = next_protos->size() - 1; i > 0; --i) {
     (*next_protos)[i] = (*next_protos)[i - 1];
   }
   (*next_protos)[0] = fallback_proto;
 }
 
+void SSLClientSocketNSS::ForceClientCertificateAndKeyForTest(
+    scoped_refptr<X509Certificate> client_cert,
+    scoped_ptr<crypto::RSAPrivateKey> client_private_key) {
+  core_->ForceClientCertificateAndKeyForTest(client_cert,
+                                             client_private_key.Pass());
+}
+
 ChannelIDService* SSLClientSocketNSS::GetChannelIDService() const {
   return channel_id_service_;
 }
 
 SSLFailureState SSLClientSocketNSS::GetSSLFailureState() const {
   if (completed_handshake_)
     return SSL_FAILURE_NONE;
   return SSL_FAILURE_UNKNOWN;
 }
 
 }  // namespace net