Fix a regression on Windows introduced by r48650....

net/socket/ssl_client_socket_nss.cc

 // Copyright (c) 2010 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived
 // from AuthCertificateCallback() in
 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.
 
 /* ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
@@ skipping 638 matching lines @@
 }
 
 bool SSLClientSocketNSS::SetReceiveBufferSize(int32 size) {
   return transport_->SetReceiveBufferSize(size);
 }
 
 bool SSLClientSocketNSS::SetSendBufferSize(int32 size) {
   return transport_->SetSendBufferSize(size);
 }
 
+#if defined(OS_WIN)
+// static
+X509Certificate::OSCertHandle SSLClientSocketNSS::CreateOSCert(
+    const SECItem& der_cert) {
+  // TODO(wtc): close cert_store_ at shutdown.
+  if (!cert_store_)
+    cert_store_ = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, NULL, 0, NULL);
+
+  X509Certificate::OSCertHandle cert_handle = NULL;
+  BOOL ok = CertAddEncodedCertificateToStore(
+      cert_store_, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
+      der_cert.data, der_cert.len, CERT_STORE_ADD_USE_EXISTING, &cert_handle);
+  return ok ? cert_handle : NULL;
+}
+#elif defined(OS_MACOSX)
+// static
+X509Certificate::OSCertHandle SSLClientSocketNSS::CreateOSCert(
+    const SECItem& der_cert) {
+  return X509Certificate::CreateOSCertHandleFromBytes(
+      reinterpret_cast<char*>(der_cert.data), der_cert.len);
+}
+#endif
+
 X509Certificate *SSLClientSocketNSS::UpdateServerCert() {
   // We set the server_cert_ from OwnAuthCertHandler(), but this handler
   // does not necessarily get called if we are continuing a cached SSL
   // session.
   if (server_cert_ == NULL) {
     server_cert_nss_ = SSL_PeerCertificate(nss_fd_);
     if (server_cert_nss_) {
 #if defined(OS_MACOSX) || defined(OS_WIN)
       // Get each of the intermediate certificates in the server's chain.
       // These will be added to the server's X509Certificate object, making
@@ skipping 10 matching lines @@
             continue;
 #if defined(OS_WIN)
           // Work around http://crbug.com/43538 by not importing the
           // problematic COMODO EV SGC CA certificate.  CryptoAPI will
           // download a good certificate for that CA, issued by COMODO
           // Certification Authority, using the AIA extension in the server
           // certificate.
           if (IsProblematicComodoEVCACert(*node->cert))
             continue;
 #endif
-          cert_handle = X509Certificate::CreateOSCertHandleFromBytes(
-              reinterpret_cast<char*>(node->cert->derCert.data),
-              node->cert->derCert.len);
+          cert_handle = CreateOSCert(node->cert->derCert);
           DCHECK(cert_handle);
           intermediate_ca_certs.push_back(cert_handle);
         }
         CERT_DestroyCertList(cert_list);
       }
 
       // Finally create the X509Certificate object.
-      cert_handle = X509Certificate::CreateOSCertHandleFromBytes(
-          reinterpret_cast<char*>(server_cert_nss_->derCert.data),
-          server_cert_nss_->derCert.len);
+      cert_handle = CreateOSCert(server_cert_nss_->derCert);
       DCHECK(cert_handle);
       server_cert_ = X509Certificate::CreateFromHandle(
           cert_handle,
           X509Certificate::SOURCE_FROM_NETWORK,
           intermediate_ca_certs);
       for (size_t i = 0; i < intermediate_ca_certs.size(); ++i)
         X509Certificate::FreeOSCertHandle(intermediate_ca_certs[i]);
 #else
       server_cert_ = X509Certificate::CreateFromHandle(
           CERT_DupCertificate(server_cert_nss_),
@@ skipping 785 matching lines @@
   PRErrorCode prerr = PR_GetError();
   if (prerr == PR_WOULD_BLOCK_ERROR) {
     LeaveFunction("");
     return ERR_IO_PENDING;
   }
   LeaveFunction("");
   return MapNSPRError(prerr);
 }
 
 }  // namespace net