
Unified Diff: net/socket/ssl_client_socket_openssl.cc

Issue 994743003: Support for client certs in ssl_server_socket. Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 5 years, 9 months ago
Index: net/socket/ssl_client_socket_openssl.cc
diff --git a/net/socket/ssl_client_socket_openssl.cc b/net/socket/ssl_client_socket_openssl.cc
index d8713f28f9e37e3fc48e0d94d38dba708b895380..4209229dde667bfbf29b4d4377fd83d525f15125 100644
--- a/net/socket/ssl_client_socket_openssl.cc
+++ b/net/socket/ssl_client_socket_openssl.cc
@@ -24,6 +24,7 @@
#include "base/threading/thread_local.h"
#include "crypto/ec_private_key.h"
#include "crypto/openssl_util.h"
+#include "crypto/rsa_private_key.h"
#include "crypto/scoped_openssl_types.h"
#include "net/base/net_errors.h"
#include "net/cert/cert_policy_enforcer.h"
@@ -35,6 +36,7 @@
#include "net/cert/x509_util_openssl.h"
#include "net/http/transport_security_state.h"
#include "net/socket/ssl_session_cache_openssl.h"
+#include "net/ssl/openssl_ssl_util.h"
#include "net/ssl/scoped_openssl_types.h"
#include "net/ssl/ssl_cert_request_info.h"
#include "net/ssl/ssl_connection_status_flags.h"
@@ -1814,18 +1816,26 @@ int SSLClientSocketOpenSSL::ClientCertRequestCallback(SSL* ssl) {
return -1;
}
- // TODO(davidben): With Linux client auth support, this should be
- // conditioned on OS_ANDROID and then, with https://crbug.com/394131,
- // removed altogether. OpenSSLClientKeyStore is mostly an artifact of the
- // net/ client auth API lacking a private key handle.
+ crypto::ScopedEVP_PKEY privkey;
davidben 2015/03/25 00:05:33 This entire mess should be EVP_PKEY_dup (which bum
+ if (client_private_key_.get()) {
Ryan Sleevi 2015/03/19 04:38:24 STYLE: Don't use .get() for scoped_ptr bool testin
+ privkey.reset(EVP_PKEY_new());
+ crypto::ScopedRSA rsa(EVP_PKEY_get1_RSA(client_private_key_->key()));
+ if (!EVP_PKEY_set1_RSA(privkey.get(), rsa.get())) {
+ privkey.reset(NULL);
+ }
Ryan Sleevi 2015/03/19 04:38:24 STYLE: no braces for single-line if STYLE: nullptr
+ } else {
+// TODO(davidben): With Linux client auth support, this should be
+// conditioned on OS_ANDROID and then, with https://crbug.com/394131,
+// removed altogether. OpenSSLClientKeyStore is mostly an artifact of the
+// net/ client auth API lacking a private key handle.
Ryan Sleevi 2015/03/19 04:38:24 STYLE: This comment style is ugly. If nececessary
#if defined(USE_OPENSSL_CERTS)
- crypto::ScopedEVP_PKEY privkey =
- OpenSSLClientKeyStore::GetInstance()->FetchClientCertPrivateKey(
- ssl_config_.client_cert.get());
+ privkey = OpenSSLClientKeyStore::GetInstance()
+ ->FetchClientCertPrivateKey(ssl_config_.client_cert.get())
+ .Pass();
#else // !defined(USE_OPENSSL_CERTS)
- crypto::ScopedEVP_PKEY privkey =
- FetchClientCertPrivateKey(ssl_config_.client_cert.get());
+ privkey = FetchClientCertPrivateKey(ssl_config_.client_cert.get()).Pass();
#endif // defined(USE_OPENSSL_CERTS)
+ }
if (!privkey) {
// Could not find the private key. Fail the handshake and surface an
// appropriate error to the caller.
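Review bot: The result of `privkey.reset(EVP_PKEY_new());` is never checked, so if EVP_PKEY_new() returns NULL the next line hands a null EVP_PKEY to EVP_PKEY_set1_RSA(), which from what is visible here would dereference it instead of reaching the `if (!privkey)` error path below. Folding the check into the existing condition keeps the failure on the handshake-error path: `if (!privkey || !EVP_PKEY_set1_RSA(privkey.get(), rsa.get()))` followed by the same `privkey.reset(NULL);`. That condition appears to also cover EVP_PKEY_get1_RSA() returning NULL, since set1 rejects a null RSA, but a one-line comment would make the intent explicit, e.g. `// Any failure leaves privkey null so the handshake fails below.` ClientCertRequestCallback begins and ends outside this hunk.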
@@ -2049,4 +2059,12 @@ SSLClientSocketOpenSSL::GetUnverifiedServerCertificateChain() const {
return server_cert_;
}
+void SSLClientSocketOpenSSL::ForceClientCertificateAndKeyForTest(
+ scoped_refptr<X509Certificate> client_cert,
+ scoped_ptr<crypto::RSAPrivateKey> client_private_key) {
+ ssl_config_.send_client_cert = true;
+ ssl_config_.client_cert = client_cert;
+ client_private_key_ = client_private_key.Pass();
+}
+
} // namespace net
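Review bot: ForceClientCertificateAndKeyForTest has no comment on this side and its name is the only hint that it is test-only, that it flips `send_client_cert`, and that the injected key takes precedence over the key-store lookup in ClientCertRequestCallback. A short comment above the definition (or on the declaration in the header, which is outside this diff) would help, e.g. `// Test-only: installs |client_cert| and |client_private_key| as the client credentials and enables sending them; ssl_config_ is read during the handshake, so presumably this must be called before Connect().` The precedence over the key store is inferred from the hunk above and worth confirming in that comment.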
