Add server certificate request parameters to be stored in SSLCertRequestInfo.

net/base/ssl_cert_request_info.h

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_BASE_SSL_CERT_REQUEST_INFO_H_
 #define NET_BASE_SSL_CERT_REQUEST_INFO_H_
 
 #include <string>
 #include <vector>
 
 #include "base/memory/ref_counted.h"
 #include "net/base/net_export.h"
+#include "net/base/ssl_client_cert_type.h"
 
 namespace net {
 
 class X509Certificate;
 
-// The SSLCertRequestInfo class contains the info that allows a user to
-// select a certificate to send to the SSL server for client authentication.
+// The SSLCertRequestInfo class represents server criteria regarding client
+// certificate required for a secure connection.
+//
+// In TLS 1.1, the CertificateRequest
+// message is defined as:
+//   enum {
+//   rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
+//   rsa_ephemeral_dh_RESERVED(5), dss_ephemeral_dh_RESERVED(6),
+//   fortezza_dms_RESERVED(20), (255)
+//   } ClientCertificateType;
+//
+//   opaque DistinguishedName<1..2^16-1>;
+//
+//   struct {
+//       ClientCertificateType certificate_types<1..2^8-1>;
+//       DistinguishedName certificate_authorities<3..2^16-1>;
+//   } CertificateRequest;

[digit1, 2013/01/07 11:24:10]

For the record, TLS 1.2 extends the CertificateRequest structure with a new
field named "supported_signature_algorithms" (see 7.4.4. at
http://www.ietf.org/rfc/rfc5246.txt).

I'm not sure if the current win/mac/ios/nss implementations support 1.2 though.
If one of them does, this change would result in a regression once
'client_certs' is effectively removed and the filtering moved to a different
API.

I'd suggest adding a 'cert_signature_algorithms' field here as a
std::vector<SSLClientSignatureAlgorithm>, where SSLClientSignatureAlgorithm is a
new struct type defined according to section A.4.1. of the TLS 1.2 RFC (I don't
think there is already an appropriate structure for this in the net code).

 class NET_EXPORT SSLCertRequestInfo
     : public base::RefCountedThreadSafe<SSLCertRequestInfo> {
  public:
   SSLCertRequestInfo();
 
   void Reset();
 
   // The host and port of the SSL server that requested client authentication.
   std::string host_and_port;
 
   // True if the server that issues this request was the HTTPS proxy used in
   // the request.  False, if the server was the origin server.
   bool is_proxy;
 
-  // A list of client certificates that match the server's criteria in the
-  // SSL CertificateRequest message.  In TLS 1.0, the CertificateRequest
-  // message is defined as:
-  //   enum {
-  //     rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
-  //     (255)
-  //   } ClientCertificateType;
-  //
-  //   opaque DistinguishedName<1..2^16-1>;
-  //
-  //   struct {
-  //       ClientCertificateType certificate_types<1..2^8-1>;
-  //       DistinguishedName certificate_authorities<3..2^16-1>;
-  //   } CertificateRequest;
+  // List of DER-encoded X.509 DistinguishedName of certificate authorities
+  // allowed by the server.
+  std::vector<std::string> cert_authorities;
+
+  std::vector<SSLClientCertType> cert_key_types;
+
+  // Client certificates matching the server criteria. This should be removed
+  // soon as being tracked in http://crbug.com/166642.
   std::vector<scoped_refptr<X509Certificate> > client_certs;
 
  private:
   friend class base::RefCountedThreadSafe<SSLCertRequestInfo>;
 
   ~SSLCertRequestInfo();
 };
 
 }  // namespace net
 
 #endif  // NET_BASE_SSL_CERT_REQUEST_INFO_H_