When performing SSL client certificate authentication on Windows, and an operation using the certificate's private key fails, remove the cached provider handle from the client certificate.

If a user is using a smart-card based certificate, and removes the card from their reader, SSLClientSocketNSS will rightly fail the handshake because it's unable to generate the CertificateVerify message as part of the client certificate handshake. However, because the HCRYPTPROV used to obtain the private key is optimistically cached in the X509Certificate, all future attempts to use the private key, even after the card has been re-inserted, end up failing because the cached handle was invalidated once the card was removed. By removing the cached provider handle from the certificate, the user should be able to re-authenticate with the card/reader and, as a result, re-authenticate with the peer.

BUG=none
TEST=none

Review URL: http://codereview.chromium.org/6250042

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@73914 0039d316-1c4b-4281-b951-d872f2087c98

1 files changed, 4 insertions, 0 deletions

diff --git a/net/socket/ssl_client_socket_nss.h b/net/socket/ssl_client_socket_nss.h
index f0e089c..836c279 100644
--- a/net/socket/ssl_client_socket_nss.h
+++ b/net/socket/ssl_client_socket_nss.h
@@ -139,6 +139,10 @@ class SSLClientSocketNSS : public SSLClientSocket {
   int BufferRecv(void);
   void BufferRecvComplete(int result);
 
+  // Handles an NSS error generated while handshaking or performing IO.
+  // Returns a network error code mapped from the original NSS error.
+  int HandleNSSError(PRErrorCode error, bool handshake_error);
+
   // NSS calls this when checking certificates. We pass 'this' as the first
   // argument.
   static SECStatus OwnAuthCertHandler(void* arg, PRFileDesc* socket,