Chromium Code Reviews

Unified Diff: net/socket/ssl_client_socket_nss.cc

Issue 10700099: NSS Channel ID: don't check ECC support on every socket creation. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: rebase Created 8 years, 5 months ago
Index: net/socket/ssl_client_socket_nss.cc
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index c303829f9cdb17391bc580d839ff3e19d30577ca..8d677efec639731f741315c0ba4964c8a00eb676 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -1074,13 +1074,7 @@ bool SSLClientSocketNSS::Core::Init(PRFileDesc* socket,
}
if (ssl_config_.channel_id_enabled) {
- // TODO(mattm): we can do this check on the network task runner only because
- // we use the NSS internal slot. If we support other slots in the future,
- // checking whether they support ECDSA may block NSS, and thus this check
- // would have to be moved to the NSS task runner.
- crypto::ScopedPK11Slot slot(crypto::GetPublicNSSKeySlot());
- if (PK11_DoesMechanism(slot.get(), CKM_EC_KEY_PAIR_GEN) &&
- PK11_DoesMechanism(slot.get(), CKM_ECDSA)) {
+ if (crypto::ECPrivateKey::IsSupported()) {
rv = SSL_SetClientChannelIDCallback(
nss_fd_, SSLClientSocketNSS::Core::ClientChannelIDHandler, this);
if (rv != SECSuccess)
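Review bot: the threading caveat in the deleted TODO is lost at the new `if (crypto::ECPrivateKey::IsSupported())` line. The old comment recorded that the ECDSA mechanism check was safe on the network task runner only because the NSS internal slot is used, and that other slots could block NSS. Nothing at this call site now says whether `IsSupported()` may touch a slot or on which thread its first call runs. Please keep a one-line comment here stating that the call is safe on the network task runner, or carry the TODO over to the declaration of `ECPrivateKey::IsSupported()` so the constraint stays visible to whoever adds support for non-internal slots.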
@@ -2523,7 +2517,8 @@ void SSLClientSocketNSS::Core::RecordChannelIDSupport() const {
} supported = DISABLED;
if (channel_id_xtn_negotiated_)
supported = CLIENT_AND_SERVER;
- else if (ssl_config_.channel_id_enabled)
+ else if (ssl_config_.channel_id_enabled &&
+ crypto::ECPrivateKey::IsSupported())
supported = CLIENT_ONLY;
UMA_HISTOGRAM_ENUMERATION("DomainBoundCerts.Support", supported,
DOMAIN_BOUND_CERT_USAGE_MAX);
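Review bot: with the added `crypto::ECPrivateKey::IsSupported()` term in the `else if`, a client that has `ssl_config_.channel_id_enabled` set but lacks EC support falls through to the initial `supported = DISABLED`, so the `DomainBoundCerts.Support` histogram cannot tell "turned off in config" apart from "enabled but ECC unavailable". If that merge is intended, a short comment above the `else if` saying so would help anyone reading the metric; otherwise consider a separate enum value for the unsupported case. As a style point, the condition now wraps onto a second line, so braces around the `supported = CLIENT_ONLY;` body would make the extent of the branch easier to read.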