Support for client certs in ssl_server_socket.

net/socket/ssl_client_socket.h

Index: net/socket/ssl_client_socket.h
diff --git a/net/socket/ssl_client_socket.h b/net/socket/ssl_client_socket.h
index 90dbd01ca387e290df3c8d6dd6779b0dc68ba562..cbda578713bf8c40e668ef1fe434c46f057482d3 100644
--- a/net/socket/ssl_client_socket.h
+++ b/net/socket/ssl_client_socket.h
@@ -14,6 +14,10 @@
 #include "net/socket/ssl_socket.h"
 #include "net/socket/stream_socket.h"
 
+namespace crypto {
+class RSAPrivateKey;

[Ryan Sleevi, 2015/03/19 04:38:24]

I really don't want to force a dependency on //crypto/RSAPrivateKey. I don't
think it's a good interface fit.

David?

[davidben, 2015/03/25 00:05:33]

Eventually SSLConfig will take both a net::X509Certificate and a <some handle to
a private key>. I hadn't thought too hard about exactly what that handle should
be. crypto::RSAPrivateKey is certainly right out since we do ECDSA as well.
crypto::ScopedEVP_PKEY is a possibility. As is some kind of common base between
crypto::RSAPrivateKey and crypto::ECPrivateKey.

+}
+
 namespace net {
 
 class CertPolicyEnforcer;
@@ -233,6 +237,12 @@ class NET_EXPORT SSLClientSocket : public SSLSocket {
   virtual scoped_refptr<X509Certificate> GetUnverifiedServerCertificateChain()
       const = 0;
 
+  // For unit testing only.
+  // Specify a client certificate and the RSA private key to be used with it.
+  virtual void ForceClientCertificateAndKeyForTest(

[Ryan Sleevi, 2015/03/19 04:38:24]

ForTesting, to get the presubmit

+      scoped_refptr<X509Certificate> client_cert,

[Ryan Sleevi, 2015/03/19 04:38:24]

STYLE: const scoped_refptr<X509Certificate>&

+      scoped_ptr<crypto::RSAPrivateKey> client_private_key) {}

[Ryan Sleevi, 2015/03/19 04:38:24]

It's not clear to me that this method is needed/appropriate, given that the
SSLConfig contains the client cert.

If you're trying to avoid the OS-key dependency, you should likely work with
David on his proposed refactoring of those bits as appropriate.

+
  private:
   FRIEND_TEST_ALL_PREFIXES(SSLClientSocket, SerializeNextProtos);
   // For signed_cert_timestamps_received_ and stapled_ocsp_response_received_.
@@ -244,6 +254,7 @@ class NET_EXPORT SSLClientSocket : public SSLSocket {
                            ConnectSignedCertTimestampsDisabled);
   FRIEND_TEST_ALL_PREFIXES(SSLClientSocketTest,
                            VerifyServerChainProperlyOrdered);
+  friend class SSLServerSocketTest;
 
   // True if NPN was responded to, independent of selecting SPDY or HTTP.
   bool was_npn_negotiated_;