From d84b3729c73df5ca7679bf827a348c97810fc4b3 Mon Sep 17 00:00:00 2001 From: "wtc@chromium.org" Date: Thu, 15 Oct 2009 21:23:37 +0000 Subject: Provides a certificate for SSL client authentication on NSS sockets. GUI is still missing, so certificates and private keys have to be stored manually, p.e.: $ pk12util -d sql:$HOME/.pki/nssdb -i PKCS12_file.p12 Adds --auto-ssl-client-auth command-line option to enable this feature. Patch contributed by Jaime Soriano . Original review URL: http://codereview.chromium.org/220009 R=wtc BUG=16830 TEST=Try to connect to a web page that requires SSL authentication and confirm that it connects if and only if a valid certificate is stored in the ~/.pki/nssdb database. Review URL: http://codereview.chromium.org/276037 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@29188 0039d316-1c4b-4281-b951-d872f2087c98
---
net/socket/ssl_client_socket_nss.h | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'net/socket/ssl_client_socket_nss.h')
diff --git a/net/socket/ssl_client_socket_nss.h b/net/socket/ssl_client_socket_nss.h
index 1535e04f..73e63d0 100644
--- a/net/socket/ssl_client_socket_nss.h
+++ b/net/socket/ssl_client_socket_nss.h
@@ -10,8 +10,10 @@
 #define Lock FOO_NSS_Lock #include #undef Lock
+#include #include #include + #include #include "base/scoped_ptr.h"
@@ -85,6 +87,12 @@ class SSLClientSocketNSS : public SSLClientSocket {
 // argument. static SECStatus OwnAuthCertHandler(void* arg, PRFileDesc* socket, PRBool checksig, PRBool is_server);
+ // NSS calls this when client authentication is requested.
+ static SECStatus ClientAuthHandler(void* arg,
+ PRFileDesc* socket,
+ CERTDistNames* ca_names,
+ CERTCertificate** result_certificate,
+ SECKEYPrivateKey** result_private_key);
 // NSS calls this when handshake is completed. We pass 'this' as the second // argument. static void HandshakeCallback(PRFileDesc* socket, void* arg);
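Review bot: The ClientAuthHandler declaration says only when NSS calls it, not what `arg` is or what the two out-parameters must hold on return, although the OwnAuthCertHandler comment just above it spells out that `arg` is `this`. Since this callback is what hands a stored certificate and private key to the peer without any user interaction (the commit message gates it behind --auto-ssl-client-auth), the header should also say how a certificate is chosen and whether `ca_names` restricts the choice, because presenting any stored client certificate to any server that asks for one lets that server identify the user, so the selection rule belongs in the contract. I cannot see the .cc from here, so confirm the details there; suggested comment: `// NSS calls this when the server requests a client certificate. We pass 'this' as the first argument. On SECSuccess the handler fills in *result_certificate and *result_private_key (presumably released by NSS afterwards — confirm); ca_names lists the issuers the server accepts.` The enclosing class starts and ends outside this hunk.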
@@ -116,6 +124,11 @@ class SSLClientSocketNSS : public SSLClientSocket {
 scoped_refptr server_cert_; CertVerifyResult server_cert_verify_result_;
+ // Stores client authentication information between ClientAuthHandler and
+ // GetSSLCertRequestInfo calls.
+ CERTDistNames* client_auth_ca_names_;
+ bool client_auth_cert_needed_; + scoped_ptr verifier_; bool completed_handshake_;
-- cgit v1.1
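Review bot: `client_auth_ca_names_` is a raw `CERTDistNames*` with no ownership note, yet the comment says it is kept from ClientAuthHandler until GetSSLCertRequestInfo; as far as I know the `CERTDistNames` NSS passes to the client-auth hook is arena-allocated by the handshake code and released when that handshake step finishes, so a stored pointer may dangle unless the handshake is held (or the names are copied) until GetSSLCertRequestInfo has read it. I cannot see the .cc to check which it is, so either document the invariant or copy the names; suggested comment in place of the current one: `// Not owned. Points at NSS-owned data that is only guaranteed valid while the handshake is paused after ClientAuthHandler; GetSSLCertRequestInfo must read it before the handshake resumes or the socket is torn down.` Both new members also need explicit initialization in the constructor (`client_auth_ca_names_(NULL)`, `client_auth_cert_needed_(false)`), which this header-only diff cannot show. The class body continues outside this hunk.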