Support for client certs in ssl_server_socket.

net/socket/ssl_server_socket.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_SOCKET_SSL_SERVER_SOCKET_H_
 #define NET_SOCKET_SSL_SERVER_SOCKET_H_
 
+#include <vector>
+
 #include "base/basictypes.h"
 #include "base/memory/scoped_ptr.h"
 #include "net/base/completion_callback.h"
 #include "net/base/net_export.h"
 #include "net/socket/ssl_socket.h"
 #include "net/socket/stream_socket.h"
+#include "net/ssl/ssl_client_cert_type.h"
 
 namespace crypto {
 class RSAPrivateKey;
 }  // namespace crypto
 
 namespace net {
 
+class CertVerifier;
 struct SSLServerConfig;
 class X509Certificate;
+typedef std::vector<scoped_refptr<X509Certificate>> CertificateList;
 
 class SSLServerSocket : public SSLSocket {
  public:
   ~SSLServerSocket() override {}
 
   // Perform the SSL server handshake, and notify the supplied callback
   // if the process completes asynchronously.  If Disconnect is called before
   // completion then the callback will be silently, as for other StreamSocket
   // calls.
   virtual int Handshake(const CompletionCallback& callback) = 0;
+
+  // Indicates whether a client certificate is to be required by the upcoming
+  // Handshake.
+  virtual void SetRequireClientCert(bool require_client_cert) = 0;
+
+  // Provides the list of certificates whose names are to be included in the
+  // CertificateRequest handshake message. Calling this function is only useful
+  // if certificates are allowed.
+  virtual void SetClientCertCAList(
+      const CertificateList& client_cert_ca_list) = 0;
+
+  // Indicates that a client certificate is not only allowed but required, and
+  // provides the CertificateVerifier that is to be used to verify it during the
+  // handshake. The |client_cert_verifier| continues to be owned by the caller,
+  // and must exist at least until the handshake has completed.
+  // This function is meaningful only if client certificates are allowed.
+  // NOTES:
+  // 1. If no CertificateVerifier is provided, then a client certificate may
+  // still be allowed (if ssl_config.send_client_cert is true), but in that case
+  // verification must be done after the handshake has completed, by which time
+  // the session will have been cached, and may be subject to resumption.
+  // 2. The |client_cert_verifier| must provide its response synchronously, and
+  // blocks the IO thread while it runs. This results from a limitation of NSS.
+  // If ERR_IO_PENDING is returned, this is considered a verification failure.
+  // 3. For verifying a client certificate, the CertVerifier::Verify method
+  // will be called with input parameters as follows:
+  //    - cert: the cert to be verified
+  //    - hostname: empty string
+  //    - flags: 0
+  //    - crl_set: NULL
+  virtual void SetClientCertVerifier(CertVerifier* client_cert_verifier) = 0;
 };
 
 // Configures the underlying SSL library for the use of SSL server sockets.
 //
 // Due to the requirements of the underlying libraries, this should be called
 // early in process initialization, before any SSL socket, client or server,
 // has been used.
 //
 // Note: If a process does not use SSL server sockets, this call may be
 // omitted.
@@ skipping 12 matching lines @@
 // returned socket.
 NET_EXPORT scoped_ptr<SSLServerSocket> CreateSSLServerSocket(
     scoped_ptr<StreamSocket> socket,
     X509Certificate* certificate,
     crypto::RSAPrivateKey* key,
     const SSLServerConfig& ssl_config);
 
 }  // namespace net
 
 #endif  // NET_SOCKET_SSL_SERVER_SOCKET_H_