/**
  * Called by JNI when the native HTTPS stack gets a client certificate request.
  *
  * <p>We delegate the request to CallbackProxy, and route its response to {@link
  * #nativeSslClientCert(int, X509Certificate)}.
  */
 private void requestClientCert(int handle, String hostAndPort) {
   SslClientCertLookupTable table = SslClientCertLookupTable.getInstance();
   if (table.IsAllowed(hostAndPort)) {
     // previously allowed
     PrivateKey pkey = table.PrivateKey(hostAndPort);
     if (pkey instanceof OpenSSLKeyHolder) {
       OpenSSLKey sslKey = ((OpenSSLKeyHolder) pkey).getOpenSSLKey();
       nativeSslClientCert(handle, sslKey.getPkeyContext(), table.CertificateChain(hostAndPort));
     } else {
       nativeSslClientCert(handle, pkey.getEncoded(), table.CertificateChain(hostAndPort));
     }
   } else if (table.IsDenied(hostAndPort)) {
     // previously denied
     nativeSslClientCert(handle, 0, null);
   } else {
     // previously ignored or new
     mCallbackProxy.onReceivedClientCertRequest(
         new ClientCertRequestHandler(this, handle, hostAndPort, table), hostAndPort);
   }
 }