SSLCertRequestInfo: Add |valid_cas| and |valid_key_types|

net/base/x509_certificate_openssl.cc

Index: net/base/x509_certificate_openssl.cc
diff --git a/net/base/x509_certificate_openssl.cc b/net/base/x509_certificate_openssl.cc
index 55c11acf8b3ef77f6966463c1782802e6dfd1046..1434a3681eae9a0063b8d201d9b0a0b148f8b8f9 100644
--- a/net/base/x509_certificate_openssl.cc
+++ b/net/base/x509_certificate_openssl.cc
@@ -21,6 +21,8 @@
 #include "crypto/openssl_util.h"
 #include "net/base/net_errors.h"
 #include "net/base/net_util.h"
+#include "net/base/ssl_cert_request_info.h"
+#include "net/base/x509_cert_types.h"
 #include "net/base/x509_util_openssl.h"
 
 #if defined(OS_ANDROID)
@@ -471,4 +473,65 @@ void X509Certificate::GetPublicKeyInfo(OSCertHandle cert_handle,
   }
 }
 
+bool X509Certificate::IsValidClientCertificate(
+    const SSLCertRequestInfo& cert_info) {
+
+  bool cert_still_valid = true;
+  DCHECK(cert_info.no_client_certs == true);
+
+  // TODO(digit): Check certificate authorities.
+  // It's unclear what the best way to do this is, i.e. the specication
+  // states that about the "certificate_authorities" field of a
+  // CertificateRequest message:
+  //
+  //     A list of the distinguished names of acceptable certificate
+  //     authorities. These distinguished names may specify a desired
+  //     distinguished name for a root CA or for a subordinate CA;
+  //     thus, this message can be used both to describe known roots
+  //     and a desired authorization space.
+  //
+  // The "authorization space" seems to indicate that each listed
+  // distinguished name may only include a small set of strings that
+  // need to be matched against those in the certificate chain.
+  //
+  // For now, ignore this step, and assume that the server will
+  // perform the verification itself.
+  //
+
+  // Check the key type
+  crypto::ScopedOpenSSL<EVP_PKEY, EVP_PKEY_free> scoped_key(
+      X509_get_pubkey(cert_handle_));
+  if (!scoped_key.get())
+    return false;
+
+  SSLClientCertType key_type;
+  switch (scoped_key.get()->type) {
+    case EVP_PKEY_RSA:
+      key_type = CLIENT_CERT_RSA_SIGN;
+      break;
+#if 0
+    // TODO(digit): Add CLIENT_CERT_DSA_SIGN to SSLClientCertType.
+    case EVP_PKEY_DSA:
+      key_type = CLIENT_CERT_DSA_SIGN;
+      break;
+#endif

[Ryan Sleevi, 2012/12/11 21:30:24]

While NACKed, I don't think we should add unreachable code via #if 0. If it's
not being implemented in this go-around, it's better to leave it out than to
suggest it would work, since it may not at some later point, and if anyone
changes things, they may think they have to keep this code up to date when doing
so.

Further, TODOs like this should reference a bug.

[digit1, 2012/12/11 23:05:31]

Thanks, I'll remove the #if .. #endif block. A bug would be nice, but I doubt
I'll have the time to work on this any time soon (adding CLIENT_CERT_DSA_SIGN is
trivial, adding the proper unit tests and code coverage is,..., more interesting
:))

+    case EVP_PKEY_EC:
+      key_type = CLIENT_CERT_ECDSA_SIGN;
+      break;
+    default:
+      // Unknown key type
+      return false;
+  }
+
+  cert_still_valid = false;
+  for (size_t n = 0; n < cert_info.valid_key_types.size(); ++n) {
+    if (cert_info.valid_key_types[n] == key_type) {
+      cert_still_valid = true;
+      break;
+    }
+  }
+
+  return cert_still_valid;
+}
+
 }  // namespace net