SSLCertRequestInfo: Add |valid_cas| and |valid_key_types|

net/socket/ssl_client_socket_openssl.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // OpenSSL binding for SSLClientSocket. The class layout and general principle
 // of operation is derived from SSLClientSocketNSS.
 
 #include "net/socket/ssl_client_socket_openssl.h"
 
 #include <openssl/ssl.h>
@@ skipping 620 matching lines @@
       << " compression = "
       << SSLConnectionStatusToCompression(ssl_info->connection_status)
       << " version = "
       << SSLConnectionStatusToVersion(ssl_info->connection_status);
   return true;
 }
 
 void SSLClientSocketOpenSSL::GetSSLCertRequestInfo(
     SSLCertRequestInfo* cert_request_info) {
   cert_request_info->host_and_port = host_and_port_.ToString();
-  cert_request_info->client_certs = client_certs_;
+  cert_request_info->no_client_certs = true;
+  cert_request_info->client_certs.clear();
+  cert_request_info->valid_cas.clear();
+  cert_request_info->valid_key_types.clear();
+
+  // Convert the list of CA Principals to encoded form.
+  // Note that SSL_get_client_CA_list() doesn't increment the
+  // reference count of the returned list items, there is no
+  // need to used a scoped type here.
+  STACK_OF(X509_NAME)* client_cas = SSL_get_client_CA_list(ssl_);
+  if (client_cas != NULL) {
+    int count = 0;
+    for (int n = 0; n < sk_X509_NAME_num(client_cas); ++n) {
+      X509_NAME* ca_name = sk_X509_NAME_value(client_cas, n);
+      if (ca_name == NULL)
+        continue;
+
+      unsigned char* encoded_name = NULL;
+      int encoded_len = i2d_X509_NAME(ca_name, &encoded_name);
+      if (encoded_len > 0) {
+        // push an empty string in the vector, then assign it the
+        // encoded content, this avoids an extra copy.
+        cert_request_info->valid_cas.push_back(std::string());
+        cert_request_info->valid_cas[count].assign(
+            reinterpret_cast<const char*>(encoded_name),
+            static_cast<size_t>(encoded_len));
+        count++;
+        OPENSSL_free(encoded_name);
+      }
+    }
+  }
+
+  // There is no OpenSSL API to retrieve the list of certificate key
+  // types from the "CertificateRequest" message for now, so hard-code
+  // RSA, which is by far the most common one. crbug.com/165446
+  cert_request_info->valid_key_types.push_back(CLIENT_CERT_RSA_SIGN);
 }
 
 int SSLClientSocketOpenSSL::ExportKeyingMaterial(
     const base::StringPiece& label,
     bool has_context, const base::StringPiece& context,
     unsigned char* out, unsigned int outlen) {
   crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
 
   int rv = SSL_export_keying_material(
       ssl_, out, outlen, const_cast<char*>(label.data()),
@@ skipping 101 matching lines @@
   user_read_callback_.Reset();
   user_write_callback_.Reset();
   user_read_buf_         = NULL;
   user_read_buf_len_     = 0;
   user_write_buf_        = NULL;
   user_write_buf_len_    = 0;
 
   server_cert_verify_result_.Reset();
   completed_handshake_ = false;
 
-  client_certs_.clear();
   client_auth_cert_needed_ = false;
 }
 
 int SSLClientSocketOpenSSL::DoHandshakeLoop(int last_io_result) {
   int rv = last_io_result;
   do {
     // Default to STATE_NONE for next state.
     // (This is a quirk carried over from the windows
     // implementation.  It makes reading the logs a bit harder.)
     // State handlers can and often do call GotoState just
@@ skipping 548 matching lines @@
     net_log_.AddByteTransferEvent(NetLog::TYPE_SSL_SOCKET_BYTES_SENT, rv,
                                   user_write_buf_->data());
     return rv;
   }
 
   int err = SSL_get_error(ssl_, rv);
   return MapOpenSSLError(err, err_tracer);
 }
 
 }  // namespace net