Convert SSLClientSocketNSS to use the NSS Channel ID callback.

BUG=129174,127506
TEST=run a TLS Channel ID supporting server, try connecting to it.
TBR=joi@chromium.org

Review URL: https://chromiumcodereview.appspot.com/10560020

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@144093 0039d316-1c4b-4281-b951-d872f2087c98

chrome/app/generated_resources.grd

@@ -9786,22 +9786,22 @@ experiment id: "<ph name="EXPERIMENT_ID">$5<ex>ar1</ex></ph>"
       <message name="IDS_COOKIES_LAST_ACCESSED_LABEL" desc="The last access date label">
         Last accessed:
       </message>
-      <message name="IDS_COOKIES_SERVER_BOUND_CERT" desc="The text shown when there is a server bound cert in the Cookies table">
-        Domain Bound Certificate
+      <message name="IDS_COOKIES_SERVER_BOUND_CERT" desc="The text shown when there is a channel id in the Cookies table">
+        Channel ID
       </message>
-      <message name="IDS_COOKIES_SERVER_BOUND_CERTS" desc="Label for the folder under which a list of server bound certs (name of an internet standard) are displayed">
-        Domain Bound Certificates
+      <message name="IDS_COOKIES_SERVER_BOUND_CERTS" desc="Label for the folder under which a list of TLS Channel IDs (name of an internet standard) are displayed">
+        Channel IDs
       </message>
-      <message name="IDS_COOKIES_SERVER_BOUND_CERT_ORIGIN_LABEL" desc="The server bound certificate label for the server domain">
+      <message name="IDS_COOKIES_SERVER_BOUND_CERT_ORIGIN_LABEL" desc="The channel id label for the server domain">
         Domain:
       </message>
-      <message name="IDS_COOKIES_SERVER_BOUND_CERT_TYPE_LABEL" desc="The server bound certificate Type label">
+      <message name="IDS_COOKIES_SERVER_BOUND_CERT_TYPE_LABEL" desc="The channel id Type label">
         Certificate Type:
       </message>
-      <message name="IDS_COOKIES_SERVER_BOUND_CERT_CREATED_LABEL" desc="The server bound certificate Created label">
+      <message name="IDS_COOKIES_SERVER_BOUND_CERT_CREATED_LABEL" desc="The channel id Created label">
         Created:
       </message>
-      <message name="IDS_COOKIES_SERVER_BOUND_CERT_EXPIRES_LABEL" desc="The server bound certificate Expires label">
+      <message name="IDS_COOKIES_SERVER_BOUND_CERT_EXPIRES_LABEL" desc="The channel id Expires label">
         Expires:
       </message>
       <message name="IDS_CLIENT_CERT_RSA_SIGN" translateable="false" desc="">

chrome/browser/net/ssl_config_service_manager_pref.cc

@@ -174,7 +174,7 @@ class SSLConfigServiceManagerPref
   BooleanPrefMember rev_checking_enabled_;
   StringPrefMember ssl_version_min_;
   StringPrefMember ssl_version_max_;
-  BooleanPrefMember domain_bound_certs_enabled_;
+  BooleanPrefMember channel_id_enabled_;
   BooleanPrefMember ssl_record_splitting_disabled_;
 
   // The cached list of disabled SSL cipher suites.
@@ -194,8 +194,7 @@ SSLConfigServiceManagerPref::SSLConfigServiceManagerPref(
                              local_state, this);
   ssl_version_min_.Init(prefs::kSSLVersionMin, local_state, this);
   ssl_version_max_.Init(prefs::kSSLVersionMax, local_state, this);
-  domain_bound_certs_enabled_.Init(prefs::kEnableOriginBoundCerts,
-                                   local_state, this);
+  channel_id_enabled_.Init(prefs::kEnableOriginBoundCerts, local_state, this);
   ssl_record_splitting_disabled_.Init(prefs::kDisableSSLRecordSplitting,
                                       local_state, this);
   pref_change_registrar_.Init(local_state);
@@ -219,7 +218,7 @@ void SSLConfigServiceManagerPref::RegisterPrefs(PrefService* prefs) {
   prefs->RegisterStringPref(prefs::kSSLVersionMin, version_min_str);
   prefs->RegisterStringPref(prefs::kSSLVersionMax, version_max_str);
   prefs->RegisterBooleanPref(prefs::kEnableOriginBoundCerts,
-                             default_config.domain_bound_certs_enabled);
+                             default_config.channel_id_enabled);
   prefs->RegisterBooleanPref(prefs::kDisableSSLRecordSplitting,
                              !default_config.false_start_enabled);
   prefs->RegisterListPref(prefs::kCipherSuiteBlacklist);
@@ -280,7 +279,7 @@ void SSLConfigServiceManagerPref::GetSSLConfigFromPrefs(
     config->version_max = std::min(supported_version_max, version_max);
   }
   config->disabled_cipher_suites = disabled_cipher_suites_;
-  config->domain_bound_certs_enabled = domain_bound_certs_enabled_.GetValue();
+  config->channel_id_enabled = channel_id_enabled_.GetValue();
   // disabling False Start also happens to disable record splitting.
   config->false_start_enabled = !ssl_record_splitting_disabled_.GetValue();
   SSLConfigServicePref::SetSSLConfigFlags(config);

chrome/common/chrome_switches.cc

@@ -570,6 +570,10 @@ const char kEnableNpn[]                     = "enable-npn";
 // HTTP is still used for all requests.
 const char kEnableNpnHttpOnly[]             = "enable-npn-http";
 
+// Enables TLS Channel ID extension.  (The switch is still called
+// "enable-origin-bound-certs" for backwards compatability.)
+const char kEnableOriginBoundCerts[]        = "enable-origin-bound-certs";
+
 // Enables panels (always on-top docked pop-up windows).
 const char kEnablePanels[]                  = "enable-panels";
 

chrome/common/chrome_switches.h

@@ -163,6 +163,7 @@ extern const char kEnableNaClIPCProxy[];
 extern const char kEnableNpn[];
 extern const char kDisableSyncTabs[];
 extern const char kEnableNpnHttpOnly[];
+extern const char kEnableOriginBoundCerts[];
 extern const char kEnablePanels[];
 extern const char kEnablePasswordGeneration[];
 extern const char kEnablePnacl[];

content/public/common/content_switches.cc

@@ -300,9 +300,6 @@ const char kEnablePeerConnection[]          = "enable-peer-connection";
 // assumed to be sRGB.
 const char kEnableMonitorProfile[]          = "enable-monitor-profile";
 
-// Enables TLS domain bound certificate extension.
-const char kEnableOriginBoundCerts[]  = "enable-origin-bound-certs";
-
 // Enables partial swaps in the WK compositor on platforms that support it.
 const char kEnablePartialSwap[]             = "enable-partial-swap";
 

content/public/common/content_switches.h

@@ -101,7 +101,6 @@ CONTENT_EXPORT extern const char kEnableLogging[];
 extern const char kEnableMediaSource[];
 extern const char kEnablePeerConnection[];
 extern const char kEnableMonitorProfile[];
-extern const char kEnableOriginBoundCerts[];
 extern const char kEnablePartialSwap[];
 extern const char kEnablePinch[];
 extern const char kEnablePreparsedJsCaching[];

crypto/ec_private_key_nss.cc

@@ -114,7 +114,7 @@ bool ECPrivateKey::ImportFromEncryptedPrivateKeyInfo(
     bool sensitive,
     SECKEYPrivateKey** key,
     SECKEYPublicKey** public_key) {
-  ScopedPK11Slot slot(GetPrivateNSSKeySlot());
+  ScopedPK11Slot slot(GetPublicNSSKeySlot());
   if (!slot.get())
     return false;
 

net/base/net_log_event_type_list.h

@@ -466,6 +466,12 @@ EVENT_TYPE(SSL_CLIENT_CERT_REQUESTED)
 //   }
 EVENT_TYPE(SSL_GET_DOMAIN_BOUND_CERT)
 
+// The SSL server requested a channel id.
+EVENT_TYPE(SSL_CHANNEL_ID_REQUESTED)
+
+// A channel ID was provided to the SSL library to be sent to the SSL server.
+EVENT_TYPE(SSL_CHANNEL_ID_PROVIDED)
+
 // A client certificate (or none) was provided to the SSL library to be sent
 // to the SSL server.
 // The following parameters are attached to the event:

net/base/server_bound_cert_service.cc

@@ -206,6 +206,8 @@ class ServerBoundCertServiceWorker {
                                                   &expiration_time_,
                                                   &private_key_,
                                                   &cert_);
+    DVLOG(1) << "GenerateCert " << server_identifier_ << " " << type_
+             << " returned " << error_;
 #if defined(USE_NSS)
     // Detach the thread from NSPR.
     // Calling NSS functions attaches the thread to NSPR, which stores
@@ -382,6 +384,9 @@ int ServerBoundCertService::GetDomainBoundCert(
     std::string* cert,
     const CompletionCallback& callback,
     RequestHandle* out_req) {
+  DVLOG(1) << __FUNCTION__ << " " << origin << " "
+           << (requested_types.empty() ? -1 : requested_types[0])
+           << (requested_types.size() > 1 ? "..." : "");
   DCHECK(CalledOnValidThread());
   base::TimeTicks request_start = base::TimeTicks::Now();
 
@@ -433,6 +438,8 @@ int ServerBoundCertService::GetDomainBoundCert(
       DVLOG(1) << "Cert store had cert of wrong type " << *type << " for "
                << domain;
     } else {
+      DVLOG(1) << "Cert store had valid cert for " << domain
+               << " of type " << *type;
       cert_store_hits_++;
       RecordGetDomainBoundCertResult(SYNC_SUCCESS);
       base::TimeDelta request_time = base::TimeTicks::Now() - request_start;

net/base/ssl_config_service.cc

@@ -38,7 +38,7 @@ SSLConfig::SSLConfig()
       version_min(g_default_version_min),
       version_max(g_default_version_max),
       cached_info_enabled(false),
-      domain_bound_certs_enabled(false),
+      channel_id_enabled(false),
       false_start_enabled(true),
       send_client_cert(false),
       verify_ev_cert(false),
@@ -156,10 +156,8 @@ void SSLConfigService::ProcessConfigUpdate(const SSLConfig& orig_config,
       (orig_config.version_max != new_config.version_max) ||
       (orig_config.disabled_cipher_suites !=
        new_config.disabled_cipher_suites) ||
-      (orig_config.domain_bound_certs_enabled !=
-       new_config.domain_bound_certs_enabled) ||
-      (orig_config.false_start_enabled !=
-       new_config.false_start_enabled);
+      (orig_config.channel_id_enabled != new_config.channel_id_enabled) ||
+      (orig_config.false_start_enabled != new_config.false_start_enabled);
 
   if (config_changed)
     FOR_EACH_OBSERVER(Observer, observer_list_, OnSSLConfigChanged());

net/base/ssl_config_service.h

@@ -88,8 +88,7 @@ struct NET_EXPORT SSLConfig {
   std::vector<uint16> disabled_cipher_suites;
 
   bool cached_info_enabled;  // True if TLS cached info extension is enabled.
-  bool domain_bound_certs_enabled;  // True if TLS origin bound cert extension
-                                    // is enabled.
+  bool channel_id_enabled;  // True if TLS channel ID extension is enabled.
   bool false_start_enabled;  // True if we'll use TLS False Start.
 
   // TODO(wtc): move the following members to a new SSLParams structure.  They
@@ -153,7 +152,7 @@ class NET_EXPORT SSLConfigService
     //     version_min
     //     version_max
     //     disabled_cipher_suites
-    //     domain_bound_certs_enabled
+    //     channel_id_enabled
     //     false_start_enabled
     virtual void OnSSLConfigChanged() = 0;
 

net/base/ssl_info.cc

@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -27,6 +27,7 @@ SSLInfo& SSLInfo::operator=(const SSLInfo& info) {
   connection_status = info.connection_status;
   is_issued_by_known_root = info.is_issued_by_known_root;
   client_cert_sent = info.client_cert_sent;
+  channel_id_sent = info.channel_id_sent;
   handshake_type = info.handshake_type;
   public_key_hashes = info.public_key_hashes;
   return *this;
@@ -39,6 +40,7 @@ void SSLInfo::Reset() {
   connection_status = 0;
   is_issued_by_known_root = false;
   client_cert_sent = false;
+  channel_id_sent = false;
   handshake_type = HANDSHAKE_UNKNOWN;
   public_key_hashes.clear();
 }

net/base/ssl_info.h

@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -67,6 +67,9 @@ class NET_EXPORT SSLInfo {
   // a Certificate message with no client certificate in it does not count.
   bool client_cert_sent;
 
+  // True if a channel ID was sent to the server.
+  bool channel_id_sent;
+
   HandshakeType handshake_type;
 
   // The hashes of the SubjectPublicKeyInfos from each certificate in the chain.

net/socket/socket_test_util.cc

@@ -262,7 +262,7 @@ SSLSocketDataProvider::SSLSocketDataProvider(IoMode mode, int result)
       protocol_negotiated(kProtoUnknown),
       client_cert_sent(false),
       cert_request_info(NULL),
-      domain_bound_cert_type(CLIENT_CERT_INVALID_TYPE) {
+      channel_id_sent(false) {
 }
 
 SSLSocketDataProvider::~SSLSocketDataProvider() {
@@ -1157,8 +1157,8 @@ base::TimeDelta MockSSLClientSocket::GetConnectTimeMicros() const {
 void MockSSLClientSocket::GetSSLInfo(SSLInfo* ssl_info) {
   ssl_info->Reset();
   ssl_info->cert = data_->cert;
-  ssl_info->client_cert_sent = WasDomainBoundCertSent() ||
-      data_->client_cert_sent;
+  ssl_info->client_cert_sent = data_->client_cert_sent;
+  ssl_info->channel_id_sent = data_->channel_id_sent;
 }
 
 void MockSSLClientSocket::GetSSLCertRequestInfo(
@@ -1203,17 +1203,12 @@ void MockSSLClientSocket::set_protocol_negotiated(
   protocol_negotiated_ = protocol_negotiated;
 }
 
-bool MockSSLClientSocket::WasDomainBoundCertSent() const {
-  return data_->domain_bound_cert_type != CLIENT_CERT_INVALID_TYPE;
+bool MockSSLClientSocket::WasChannelIDSent() const {
+  return data_->channel_id_sent;
 }
 
-SSLClientCertType MockSSLClientSocket::domain_bound_cert_type() const {
-  return data_->domain_bound_cert_type;
-}
-
-SSLClientCertType MockSSLClientSocket::set_domain_bound_cert_type(
-    SSLClientCertType type) {
-  return data_->domain_bound_cert_type = type;
+void MockSSLClientSocket::set_channel_id_sent(bool channel_id_sent) {
+  data_->channel_id_sent = channel_id_sent;
 }
 
 ServerBoundCertService* MockSSLClientSocket::GetServerBoundCertService() const {

net/socket/socket_test_util.h

@@ -287,7 +287,7 @@ struct SSLSocketDataProvider {
   bool client_cert_sent;
   SSLCertRequestInfo* cert_request_info;
   scoped_refptr<X509Certificate> cert;
-  SSLClientCertType domain_bound_cert_type;
+  bool channel_id_sent;
   ServerBoundCertService* server_bound_cert_service;
 };
 
@@ -772,10 +772,8 @@ class MockSSLClientSocket : public MockClientSocket, public AsyncSocket {
   // This MockSocket does not implement the manual async IO feature.
   virtual void OnReadComplete(const MockRead& data) OVERRIDE;
 
-  virtual bool WasDomainBoundCertSent() const OVERRIDE;
-  virtual SSLClientCertType domain_bound_cert_type() const OVERRIDE;
-  virtual SSLClientCertType set_domain_bound_cert_type(
-      SSLClientCertType type) OVERRIDE;
+  virtual bool WasChannelIDSent() const OVERRIDE;
+  virtual void set_channel_id_sent(bool channel_id_sent) OVERRIDE;
   virtual ServerBoundCertService* GetServerBoundCertService() const OVERRIDE;
 
  private:

net/socket/ssl_client_socket.cc

@@ -12,7 +12,7 @@ SSLClientSocket::SSLClientSocket()
     : was_npn_negotiated_(false),
       was_spdy_negotiated_(false),
       protocol_negotiated_(kProtoUnknown),
-      domain_bound_cert_type_(CLIENT_CERT_INVALID_TYPE) {
+      channel_id_sent_(false) {
 }
 
 // static
@@ -120,17 +120,12 @@ void SSLClientSocket::set_protocol_negotiated(NextProto protocol_negotiated) {
   protocol_negotiated_ = protocol_negotiated;
 }
 
-bool SSLClientSocket::WasDomainBoundCertSent() const {
-  return domain_bound_cert_type_ != CLIENT_CERT_INVALID_TYPE;
+bool SSLClientSocket::WasChannelIDSent() const {
+  return channel_id_sent_;
 }
 
-SSLClientCertType SSLClientSocket::domain_bound_cert_type() const {
-  return domain_bound_cert_type_;
-}
-
-SSLClientCertType SSLClientSocket::set_domain_bound_cert_type(
-    SSLClientCertType type) {
-  return domain_bound_cert_type_ = type;
+void SSLClientSocket::set_channel_id_sent(bool channel_id_sent) {
+  channel_id_sent_ = channel_id_sent;
 }
 
 }  // namespace net

net/socket/ssl_client_socket.h

@@ -11,7 +11,6 @@
 #include "net/base/completion_callback.h"
 #include "net/base/load_flags.h"
 #include "net/base/net_errors.h"
-#include "net/base/ssl_client_cert_type.h"
 #include "net/socket/ssl_socket.h"
 #include "net/socket/stream_socket.h"
 
@@ -132,17 +131,13 @@ class NET_EXPORT SSLClientSocket : public SSLSocket {
   // server bound certificates are not supported.
   virtual ServerBoundCertService* GetServerBoundCertService() const = 0;
 
-  // Returns true if a domain bound certificate was sent on this connection.
+  // Returns true if a channel ID was sent on this connection.
   // This may be useful for protocols, like SPDY, which allow the same
   // connection to be shared between multiple domains, each of which need
-  // a domain bound certificate.
-  virtual bool WasDomainBoundCertSent() const;
+  // a channel ID.
+  virtual bool WasChannelIDSent() const;
 
-  // Returns the type of the domain bound cert that was sent, or
-  // CLIENT_CERT_INVALID_TYPE if none was sent.
-  virtual SSLClientCertType domain_bound_cert_type() const;
-
-  virtual SSLClientCertType set_domain_bound_cert_type(SSLClientCertType type);
+  virtual void set_channel_id_sent(bool channel_id_sent);
 
  private:
   // True if NPN was responded to, independent of selecting SPDY or HTTP.
@@ -151,9 +146,8 @@ class NET_EXPORT SSLClientSocket : public SSLSocket {
   bool was_spdy_negotiated_;
   // Protocol that we negotiated with the server.
   NextProto protocol_negotiated_;
-  // Type of the domain bound cert that was sent, or CLIENT_CERT_INVALID_TYPE
-  // if none was sent.
-  SSLClientCertType domain_bound_cert_type_;
+  // True if a channel ID was sent.
+  bool channel_id_sent_;
 };
 
 }  // namespace net

net/socket/ssl_client_socket_mac.cc

@@ -725,8 +725,9 @@ void SSLClientSocketMac::GetSSLInfo(SSLInfo* ssl_info) {
   ssl_info->public_key_hashes = server_cert_verify_result_.public_key_hashes;
   ssl_info->is_issued_by_known_root =
       server_cert_verify_result_.is_issued_by_known_root;
-  ssl_info->client_cert_sent = WasDomainBoundCertSent() ||
-      (ssl_config_.send_client_cert && ssl_config_.client_cert);
+  ssl_info->client_cert_sent =
+      ssl_config_.send_client_cert && ssl_config_.client_cert;
+  ssl_info->channel_id_sent = WasChannelIDSent();
 
   // security info
   SSLCipherSuite suite;