OpenSSL/NSS implementation of ProofVerfifier.

net/quic/crypto/proof_verifier_chromium.h

Index: net/quic/crypto/proof_verifier_chromium.h
diff --git a/net/quic/crypto/proof_verifier_chromium.h b/net/quic/crypto/proof_verifier_chromium.h
new file mode 100644
index 0000000000000000000000000000000000000000..2466507d50f03e3328c22d4b689fc334c224537d
--- /dev/null
+++ b/net/quic/crypto/proof_verifier_chromium.h
@@ -0,0 +1,89 @@
+// Copyright 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_QUIC_CRYPTO_PROOF_VERIFIER_CHROMIUM_H_
+#define NET_QUIC_CRYPTO_PROOF_VERIFIER_CHROMIUM_H_
+
+#include <string>
+#include <vector>
+
+#include "base/basictypes.h"
+#include "base/compiler_specific.h"
+#include "base/memory/scoped_ptr.h"
+#include "net/base/completion_callback.h"
+#include "net/base/net_export.h"
+#include "net/base/net_log.h"
+#include "net/cert/cert_verify_result.h"
+#include "net/cert/x509_certificate.h"
+#include "net/quic/crypto/proof_verifier.h"
+
+namespace net {
+
+class BoundNetLog;
+class CertVerifier;
+class CertVerifyResult;
+class SingleRequestCertVerifier;
+class X509Certificate;

[wtc, 2013/07/03 00:20:26]

Nit: some of these forward declarations are not necessary because the
headers that define these types are already included. For example,
CertVerifyResult and X509Certificate, and maybe BoundNetLog.

Nit: it is possible that X509Certificate just needs a forward declaration
in this file.

[ramant (doing other things), 2013/07/03 05:46:34]

Done.

+
+// ProofVerifierChromium implements the QUIC ProofVerifier interface.
+// TODO(rtenneti): Add support for multiple requests for one ProofVerifier.
+class NET_EXPORT_PRIVATE ProofVerifierChromium : public ProofVerifier {
+ public:
+  explicit ProofVerifierChromium(CertVerifier* cert_verifier,
+                                 const BoundNetLog& net_log);

[wtc, 2013/07/03 00:20:26]

Remove "explicit" because this constructor has two arguments.

[ramant (doing other things), 2013/07/03 05:46:34]

Done.

+  virtual ~ProofVerifierChromium();
+
+  // ProofVerifier interface
+  virtual int VerifyProof(const std::string& hostname,
+                          const std::string& server_config,
+                          const std::vector<std::string>& certs,
+                          const std::string& signature,
+                          std::string* error_details,
+                          const CompletionCallback& callback) OVERRIDE;
+
+ private:
+  enum State {
+    STATE_NONE,
+    STATE_VERIFY_CERT,
+    STATE_VERIFY_CERT_COMPLETE,
+  };
+
+  int DoLoop(int last_io_result);
+  void OnIOComplete(int result);
+  int DoVerifyCert(int result);
+  int DoVerifyCertComplete(int result);
+
+  bool VerifySignature(const std::string& signed_data,
+                       const std::string& signature,
+                       const std::string& cert);
+
+  // |cert_verifier_| and |verifier_| are used for verifying certificates.
+  CertVerifier* const cert_verifier_;
+  scoped_ptr<SingleRequestCertVerifier> verifier_;
+
+  // |hostname| specifies the hostname for which |certs| is a valid chain.
+  std::string hostname_;
+
+  CompletionCallback callback_;
+
+  // The result of certificate verification.
+  CertVerifyResult cert_verify_result_;
+  std::string* error_details_;
+
+  // X509Certificate from a chain of DER encoded certificates.
+  scoped_refptr<X509Certificate> cert_;
+
+  // |generation_counter| passed to VerifyProof call.
+  uint64 generation_counter_;

[wtc, 2013/07/03 00:20:26]

I believe the generation_counter_ member is unused.

[ramant (doing other things), 2013/07/03 05:46:34]

Done.

+
+  State next_state_;
+
+  BoundNetLog net_log_;
+
+  DISALLOW_COPY_AND_ASSIGN(ProofVerifierChromium);
+};
+
+}  // namespace net
+
+#endif  // NET_QUIC_CRYPTO_PROOF_VERIFIER_CHROMIUM_H_