NSS Channel ID: don't check ECC support on every socket creation.

Add static function to ECPrivateKey to get which NSS slot it uses.

BUG=127506


Review URL: https://chromiumcodereview.appspot.com/10700099

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@145777 0039d316-1c4b-4281-b951-d872f2087c98

1 files changed, 3 insertions, 8 deletions

diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index c303829..8d677ef 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -1074,13 +1074,7 @@ bool SSLClientSocketNSS::Core::Init(PRFileDesc* socket,
   }
 
   if (ssl_config_.channel_id_enabled) {
-    // TODO(mattm): we can do this check on the network task runner only because
-    // we use the NSS internal slot.  If we support other slots in the future,
-    // checking whether they support ECDSA may block NSS, and thus this check
-    // would have to be moved to the NSS task runner.
-    crypto::ScopedPK11Slot slot(crypto::GetPublicNSSKeySlot());
-    if (PK11_DoesMechanism(slot.get(), CKM_EC_KEY_PAIR_GEN) &&
-        PK11_DoesMechanism(slot.get(), CKM_ECDSA)) {
+    if (crypto::ECPrivateKey::IsSupported()) {
       rv = SSL_SetClientChannelIDCallback(
           nss_fd_, SSLClientSocketNSS::Core::ClientChannelIDHandler, this);
       if (rv != SECSuccess)
@@ -2523,7 +2517,8 @@ void SSLClientSocketNSS::Core::RecordChannelIDSupport() const {
   } supported = DISABLED;
   if (channel_id_xtn_negotiated_)
     supported = CLIENT_AND_SERVER;
-  else if (ssl_config_.channel_id_enabled)
+  else if (ssl_config_.channel_id_enabled &&
+           crypto::ECPrivateKey::IsSupported())
     supported = CLIENT_ONLY;
   UMA_HISTOGRAM_ENUMERATION("DomainBoundCerts.Support", supported,
                             DOMAIN_BOUND_CERT_USAGE_MAX);