Add server certificate request parameters to be stored in SSLCertRequestInfo.

net/base/ssl_cert_request_info.h

Index: net/base/ssl_cert_request_info.h
diff --git a/net/base/ssl_cert_request_info.h b/net/base/ssl_cert_request_info.h
index 3be3b94259b892cac7ce4a2b796f2de27e388143..e9e64deafe1dfe3ee20113d43e221491551d9127 100644
--- a/net/base/ssl_cert_request_info.h
+++ b/net/base/ssl_cert_request_info.h
@@ -10,13 +10,29 @@
 
 #include "base/memory/ref_counted.h"
 #include "net/base/net_export.h"
+#include "net/base/ssl_client_cert_type.h"
 
 namespace net {
 
 class X509Certificate;
 
-// The SSLCertRequestInfo class contains the info that allows a user to
-// select a certificate to send to the SSL server for client authentication.
+// The SSLCertRequestInfo class represents server criteria regarding client
+// certificate required for a secure connection.
+//
+// In TLS 1.1, the CertificateRequest
+// message is defined as:
+//   enum {
+//   rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
+//   rsa_ephemeral_dh_RESERVED(5), dss_ephemeral_dh_RESERVED(6),
+//   fortezza_dms_RESERVED(20), (255)
+//   } ClientCertificateType;
+//
+//   opaque DistinguishedName<1..2^16-1>;
+//
+//   struct {
+//       ClientCertificateType certificate_types<1..2^8-1>;
+//       DistinguishedName certificate_authorities<3..2^16-1>;
+//   } CertificateRequest;

[digit1, 2013/01/07 11:24:10]

For the record, TLS 1.2 extends the CertificateRequest structure with a new
field named "supported_signature_algorithms" (see 7.4.4. at
http://www.ietf.org/rfc/rfc5246.txt).

I'm not sure if the current win/mac/ios/nss implementations support 1.2 though.
If one of them does, this change would result in a regression once
'client_certs' is effectively removed and the filtering moved to a different
API.

I'd suggest adding a 'cert_signature_algorithms' field here as a
std::vector<SSLClientSignatureAlgorithm>, where SSLClientSignatureAlgorithm is a
new struct type defined according to section A.4.1. of the TLS 1.2 RFC (I don't
think there is already an appropriate structure for this in the net code).

 class NET_EXPORT SSLCertRequestInfo
     : public base::RefCountedThreadSafe<SSLCertRequestInfo> {
  public:
@@ -31,20 +47,14 @@ class NET_EXPORT SSLCertRequestInfo
   // the request.  False, if the server was the origin server.
   bool is_proxy;
 
-  // A list of client certificates that match the server's criteria in the
-  // SSL CertificateRequest message.  In TLS 1.0, the CertificateRequest
-  // message is defined as:
-  //   enum {
-  //     rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
-  //     (255)
-  //   } ClientCertificateType;
-  //
-  //   opaque DistinguishedName<1..2^16-1>;
-  //
-  //   struct {
-  //       ClientCertificateType certificate_types<1..2^8-1>;
-  //       DistinguishedName certificate_authorities<3..2^16-1>;
-  //   } CertificateRequest;
+  // List of DER-encoded X.509 DistinguishedName of certificate authorities
+  // allowed by the server.
+  std::vector<std::string> cert_authorities;
+
+  std::vector<SSLClientCertType> cert_key_types;
+
+  // Client certificates matching the server criteria. This should be removed
+  // soon as being tracked in http://crbug.com/166642.
   std::vector<scoped_refptr<X509Certificate> > client_certs;
 
  private: