author | mattm@chromium.org <mattm@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-12-06 07:47:30 +0000 |
committer | mattm@chromium.org <mattm@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-12-06 07:47:30 +0000 |
commit | 8d8ad9e1a2ffd864164a46c52b0b1367073f7453 (patch) | |
tree | 312853013252e9951be49897446c5b491e2e7db0 /net | |
parent | dbc37da08e32918f1a1b9355932b2ba2b6859296 (diff) | |
Honor server requested origin bound client cert types.
BUG=88782
TEST=changed certificate_types struct in local copy of nss selfserv,
reloaded, checked "echo .dump | sqlite3 'Origin Bound Certs'" to see if
new cert was generated.
Review URL: http://codereview.chromium.org/8821002
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@113159 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net')
-rw-r--r-- | net/socket/ssl_client_socket_nss.cc | 20 | ||||
-rw-r--r-- | net/socket/ssl_client_socket_nss.h | 2 |
2 files changed, 10 insertions, 12 deletions
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index 5925a6b..1e95fc8 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -2152,13 +2152,15 @@ bool SSLClientSocketNSS::OriginBoundCertNegotiated(PRFileDesc* socket) {
 }
 SECStatus SSLClientSocketNSS::OriginBoundClientAuthHandler(
- const std::vector<uint8>& requested_cert_types,
+ const SECItem* cert_types,
 CERTCertificate** result_certificate,
 SECKEYPrivateKey** result_private_key) {
 ob_cert_xtn_negotiated_ = true;
 // We have negotiated the origin-bound certificate extension.
 std::string origin = "https://" + host_and_port_.ToString();
+ std::vector<uint8> requested_cert_types(cert_types->data,
+ cert_types->data + cert_types->len);
 net_log_.BeginEvent(NetLog::TYPE_SSL_GET_ORIGIN_BOUND_CERT, NULL);
 int error = origin_bound_cert_service_->GetOriginBoundCert(
 origin,
@@ -2211,14 +2213,12 @@ SECStatus SSLClientSocketNSS::PlatformClientAuthHandler(
 that->net_log_.AddEvent(NetLog::TYPE_SSL_CLIENT_CERT_REQUESTED, NULL);
+ const SECItem* cert_types = SSL_GetRequestedClientCertificateTypes(socket);
+
 // Check if an origin-bound certificate is requested.
 if (OriginBoundCertNegotiated(socket)) {
- // TODO(mattm): Once NSS supports it, pass the actual requested types.
- std::vector<uint8> requested_cert_types;
- requested_cert_types.push_back(CLIENT_CERT_ECDSA_SIGN);
- requested_cert_types.push_back(CLIENT_CERT_RSA_SIGN);
 return that->OriginBoundClientAuthHandler(
- requested_cert_types, result_nss_certificate, result_nss_private_key);
+ cert_types, result_nss_certificate, result_nss_private_key);
 }
 that->client_auth_cert_needed_ = !that->ssl_config_.send_client_cert;
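Review bot: The added `std::vector<uint8> requested_cert_types(cert_types->data, cert_types->data + cert_types->len)` in OriginBoundClientAuthHandler dereferences `cert_types` with no NULL check, and both call sites hand through whatever `SSL_GetRequestedClientCertificateTypes(socket)` returned. If that accessor can return NULL (I believe it does when NSS cannot map the descriptor to an SSL socket), this is a NULL dereference inside the client-auth callback; a guard such as `if (!cert_types) return SECFailure;` before the copy would close it, with the exact failure value chosen to match what the surrounding handler already returns on error. Copying into a local vector is the right move, since the SECItem buffer belongs to NSS handshake state rather than to this object. The type list is now server-supplied instead of the former fixed ECDSA/RSA pair, and whether `GetOriginBoundCert` rejects unsupported or empty lists is not visible here, so a one-line comment stating that expectation at the copy would help the next reader. The function body continues past the end of the hunk.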
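Review bot: `cert_types` is fetched from `SSL_GetRequestedClientCertificateTypes(socket)` before the `OriginBoundCertNegotiated(socket)` check, but within this hunk it is consumed only inside that branch, so the NSS lookup also runs on every regular client-certificate request. Moving the call into the `if` keeps it next to its single use and gives a natural place for a NULL check: `if (OriginBoundCertNegotiated(socket)) {` / `const SECItem* cert_types = SSL_GetRequestedClientCertificateTypes(socket);` / `return that->OriginBoundClientAuthHandler(cert_types, result_nss_certificate, result_nss_private_key);`. The hunk at `@@ -2520` in ClientAuthHandler has the same shape and would take the same change. Whether `cert_types` is reused later on the regular-certificate path is not visible, as PlatformClientAuthHandler continues past the hunk.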
@@ -2520,14 +2520,12 @@ SECStatus SSLClientSocketNSS::ClientAuthHandler(
 that->net_log_.AddEvent(NetLog::TYPE_SSL_CLIENT_CERT_REQUESTED, NULL);
+ const SECItem* cert_types = SSL_GetRequestedClientCertificateTypes(socket);
+
 // Check if an origin-bound certificate is requested.
 if (OriginBoundCertNegotiated(socket)) {
- // TODO(mattm): Once NSS supports it, pass the actual requested types.
- std::vector<uint8> requested_cert_types;
- requested_cert_types.push_back(CLIENT_CERT_ECDSA_SIGN);
- requested_cert_types.push_back(CLIENT_CERT_RSA_SIGN);
 return that->OriginBoundClientAuthHandler(
- requested_cert_types, result_certificate, result_private_key);
+ cert_types, result_certificate, result_private_key);
 }
 // Regular client certificate requested.
diff --git a/net/socket/ssl_client_socket_nss.h b/net/socket/ssl_client_socket_nss.h
index 4114fd7..019412a 100644
--- a/net/socket/ssl_client_socket_nss.h
+++ b/net/socket/ssl_client_socket_nss.h
@@ -168,7 +168,7 @@ class SSLClientSocketNSS : public SSLClientSocket {
 // Origin bound cert client auth handler.
 // Returns the value the ClientAuthHandler function should return.
 SECStatus OriginBoundClientAuthHandler(
- const std::vector<uint8>& requested_cert_types,
+ const SECItem* cert_types,
 CERTCertificate** result_certificate,
 SECKEYPrivateKey** result_private_key);
 #if defined(NSS_PLATFORM_CLIENT_AUTH)
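Review bot: The header comment on OriginBoundClientAuthHandler still says only "Origin bound cert client auth handler." and does not document the new `cert_types` parameter, which replaces a self-describing `std::vector<uint8>` with a raw `const SECItem*` whose ownership and lifetime are not obvious from the signature. Suggest adding `// |cert_types| is the server-requested TLS certificate_types list as returned by SSL_GetRequestedClientCertificateTypes(); it is not owned by this class and is only read for the duration of the call.` The lifetime statement matches the .cc side copying the bytes into a local vector, but should be confirmed against the NSS API before it is committed as a contract.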