SSLCertRequestInfo: Add |valid_cas| and |valid_key_types|

net/base/ssl_cert_request_info.h

Index: net/base/ssl_cert_request_info.h
diff --git a/net/base/ssl_cert_request_info.h b/net/base/ssl_cert_request_info.h
index 3be3b94259b892cac7ce4a2b796f2de27e388143..46dc3864b4a7ab82c4653dd36152dbd267ebf668 100644
--- a/net/base/ssl_cert_request_info.h
+++ b/net/base/ssl_cert_request_info.h
@@ -10,6 +10,7 @@
 
 #include "base/memory/ref_counted.h"
 #include "net/base/net_export.h"
+#include "net/base/ssl_client_cert_type.h"
 
 namespace net {
 
@@ -31,6 +32,12 @@ class NET_EXPORT SSLCertRequestInfo
   // the request.  False, if the server was the origin server.
   bool is_proxy;
 
+  // True if |client_certs| is always empty because it is not possible
+  // to generate the list of compatible client certificates before
+  // prompting the user. This happens on Android. In this case, the values
+  // of |valid_cas| and |valid_key_types| must be used instead.
+  bool no_client_certs;

[Ryan Sleevi, 2012/12/11 21:30:24]

I don't think we should be expressing this value on the SSLCertRequestInfo
itself.

It should be in the code, and it SHOULD be fixed so that all platforms behave
the same (at some later point).

You should put a TODO here to reference the bug (or, ideally, attempt the
refactoring yourself, since all the implementation exists for the other
platforms and just needs to be brought out)

[digit1, 2012/12/11 23:05:31]

There is some code in the content or browser layer that currently assumes that
an empty |client_certs| means there are no matching certificates. In this case,
any certificate selection is short-cutted and nothing works. That's why I had to
add this field.

I assume we could add a ::GetClientCertificates() method here instead, but it
will have to be callable from multiple threads.

+
   // A list of client certificates that match the server's criteria in the
   // SSL CertificateRequest message.  In TLS 1.0, the CertificateRequest
   // message is defined as:
@@ -47,6 +54,16 @@ class NET_EXPORT SSLCertRequestInfo
   //   } CertificateRequest;
   std::vector<scoped_refptr<X509Certificate> > client_certs;
 
+#if defined(USE_OPENSSL)

[Ryan Sleevi, 2012/12/11 21:30:24]

I strongly dislike #ifdefs for shared code like this.

+  // The list of valid certificate authorities the server recognizes.
+  // Each item is a DER-encoded X.509 DistinguishedName.
+  std::vector<std::string> valid_cas;
+
+  // The list of certificate signing key types that the server
+  // supports.
+  std::vector<SSLClientCertType> valid_key_types;
+#endif
+
  private:
   friend class base::RefCountedThreadSafe<SSLCertRequestInfo>;