Refactor X509Certificate caching to cache the OS handle, rather than the X509Certificate

net/base/x509_certificate.h

 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_BASE_X509_CERTIFICATE_H_
 #define NET_BASE_X509_CERTIFICATE_H_
 #pragma once
 
 #include <string.h>
 
 #include <string>
 #include <vector>
 
 #include "base/gtest_prod_util.h"
 #include "base/ref_counted.h"
 #include "base/string_piece.h"
 #include "base/time.h"
 #include "net/base/x509_cert_types.h"
 
 #if defined(OS_WIN)
 #include <windows.h>
 #include <wincrypt.h>
 #elif defined(OS_MACOSX)
 #include <CoreFoundation/CFArray.h>
 #include <Security/SecBase.h>
 
 #include "base/lock.h"
 #elif defined(USE_OPENSSL)
+#include <openssl/safestack.h>
 // Forward declaration; real one in <x509.h>
-struct x509_st;
+typedef struct x509_st X509;
+PREDECLARE_STACK_OF(X509);
 typedef struct x509_store_st X509_STORE;
 #elif defined(USE_NSS)
 // Forward declaration; real one in <cert.h>
 struct CERTCertificateStr;
 #endif
 
 class Pickle;
 
 namespace base {
 class RSAPrivateKey;
 }  // namespace base
 
 namespace net {
 
 class CertVerifyResult;
 
 typedef std::vector<scoped_refptr<X509Certificate> > CertificateList;
 
-// X509Certificate represents an X.509 certificate used by SSL.
+// X509Certificate represents an X.509 certificate, which is comprised a

[agl, 2011/04/11 16:50:50]

s/a/of a/ (not sure about that grammar so ignore if you liked it previously.)

+// particular identity or end-entity certificate, such as an SSL server
+// identity or an SSL client certificate, and zero or more intermediate
+// certificates that may be used to build a path to a root certificate.
 class X509Certificate : public base::RefCountedThreadSafe<X509Certificate> {
  public:
-  // A handle to the certificate object in the underlying crypto library.
-  // We assume that OSCertHandle is a pointer type on all platforms and
-  // NULL is an invalid OSCertHandle.
+  // An OSCertHandle is a handle to the certificate object in the underlying
+  // crypo library. We assume that OSCertHandle is a pointer type on all

[agl, 2011/04/11 16:50:50]

typo: crypto

+  // platforms and that NULL represents an invalid OSCertHandle.
+  // An OSCertListHandle is a handle to the underlying crypto library that
+  // represents a collection of certificates, with one of the certificates
+  // marked as an identity certificate and the remaining certificates marked
+  // as supplementary certificates for path building. Like OSCertHandle, it
+  // is assumed to be a pointer type on all platforms and that NULL
+  // represents an invalid OSCertListHandle.
+  //
+  // It should be noted that depending on the underlying cryptographic
+  // library, an OSCertHandle or OSCertListHandle may not be thread-safe.
 #if defined(OS_WIN)
   typedef PCCERT_CONTEXT OSCertHandle;
+  // Though the same type as an OSCertHandle, a unique HCERTSTORE member is
+  // used for the certificate containing just the subset of related
+  // certificates.
+  typedef PCCERT_CONTEXT OSCertListHandle;
 #elif defined(OS_MACOSX)
   typedef SecCertificateRef OSCertHandle;
+  typedef CFArrayRef OSCertListHandle;
 #elif defined(USE_OPENSSL)
   typedef struct x509_st* OSCertHandle;
+  typedef STACK_OF(X509)* OSCertListHandle;
 #elif defined(USE_NSS)
   typedef struct CERTCertificateStr* OSCertHandle;
+  // TODO(rsleevi): With NSS, it is not currently necessary to use a
+  // separate type, because of how certificate path building/verification is
+  // implemented.
+  typedef OSCertHandle OSCertListHandle;
 #else
   // TODO(ericroman): not implemented
   typedef void* OSCertHandle;
+  typedef void* OSCertListHandle;
 #endif
 
   typedef std::vector<OSCertHandle> OSCertHandles;
 
   // Predicate functor used in maps when X509Certificate is used as the key.
   class LessThan {
    public:
     bool operator() (X509Certificate* lhs,  X509Certificate* rhs) const;
   };
 
-  // Where the certificate comes from.  The enumeration constants are
-  // listed in increasing order of preference.
-  enum Source {
-    SOURCE_UNUSED = 0,            // The source_ member is not used.
-    SOURCE_LONE_CERT_IMPORT = 1,  // From importing a certificate without
-                                  // any intermediate CA certificates.
-    SOURCE_FROM_CACHE = 2,        // From the disk cache - which contains
-                                  // intermediate CA certificates, but may be
-                                  // stale.
-    SOURCE_FROM_NETWORK = 3,      // From the network.
-  };
-
   enum VerifyFlags {
     VERIFY_REV_CHECKING_ENABLED = 1 << 0,
     VERIFY_EV_CERT = 1 << 1,
   };
 
   enum Format {
     // The data contains a single DER-encoded certificate, or a PEM-encoded
     // DER certificate with the PEM encoding block name of "CERTIFICATE".
     // Any subsequent blocks will be ignored.
     FORMAT_SINGLE_CERTIFICATE = 1 << 0,
@@ skipping 31 matching lines @@
                   base::Time start_date, base::Time expiration_date);
 
   // Create an X509Certificate from a handle to the certificate object in the
   // underlying crypto library. |source| specifies where |cert_handle| comes
   // from.  Given two certificate handles for the same certificate, our
   // certificate cache prefers the handle from the network because our HTTP
   // cache isn't caching the corresponding intermediate CA certificates yet
   // (http://crbug.com/7065).
   // The returned pointer must be stored in a scoped_refptr<X509Certificate>.
   static X509Certificate* CreateFromHandle(OSCertHandle cert_handle,
-                                           Source source,
                                            const OSCertHandles& intermediates);
 
   // Create an X509Certificate from a chain of DER encoded certificates. The
   // first certificate in the chain is the end-entity certificate to which a
   // handle is returned. The other certificates in the chain are intermediate
   // certificates. See the comment for |CreateFromHandle| about the |source|
   // argument.
   // The returned pointer must be stored in a scoped_refptr<X509Certificate>.
   static X509Certificate* CreateFromDERCertChain(
       const std::vector<base::StringPiece>& der_certs);
@@ skipping 86 matching lines @@
   const OSCertHandles& GetIntermediateCertificates() const {
     return intermediate_ca_certs_;
   }
 
   // Returns true if I already contain the given intermediate cert.
   bool HasIntermediateCertificate(OSCertHandle cert);
 
   // Returns true if I already contain all the given intermediate certs.
   bool HasIntermediateCertificates(const OSCertHandles& certs);
 
+  // Returns a new OSCertListHandle representing the certificate and any
+  // associated intermediates, or NULL on failure. Ownership is transferred
+  // to the caller and may be released by calling FreeOSCertListHandle()
+  // with the returned value.
+  OSCertListHandle CreateOSCertListHandle() const;
+
 #if defined(OS_MACOSX)
   // Does this certificate's usage allow SSL client authentication?
   bool SupportsSSLClientAuth() const;
 
   // Do any of the given issuer names appear in this cert's chain of trust?
   bool IsIssuedBy(const std::vector<CertPrincipal>& valid_issuers);
 
   // Creates a security policy for SSL client certificates.
   static OSStatus CreateSSLClientPolicy(SecPolicyRef* outPolicy);
 
@@ skipping 65 matching lines @@
   // specific |format|. Returns an empty collection on failure.
   static OSCertHandles CreateOSCertHandlesFromBytes(
       const char* data, int length, Format format);
 
   // Duplicates (or adds a reference to) an OS certificate handle.
   static OSCertHandle DupOSCertHandle(OSCertHandle cert_handle);
 
   // Frees (or releases a reference to) an OS certificate handle.
   static void FreeOSCertHandle(OSCertHandle cert_handle);
 
+  // Frees (or releases a reference to) an OS certificate list handle.
+  static void FreeOSCertListHandle(OSCertListHandle cert_list);
+
+  // Calculates the SHA-1 fingerprint of the certificate.  Returns an empty
+  // (all zero) fingerprint on failure.
+  static SHA1Fingerprint CalculateFingerprint(OSCertHandle cert_handle);
+
  private:
   friend class base::RefCountedThreadSafe<X509Certificate>;
   friend class TestRootCerts;  // For unit tests
   FRIEND_TEST_ALL_PREFIXES(X509CertificateTest, Cache);
   FRIEND_TEST_ALL_PREFIXES(X509CertificateTest, IntermediateCertificates);
 
   // Construct an X509Certificate from a handle to the certificate object
   // in the underlying crypto library.
-  X509Certificate(OSCertHandle cert_handle, Source source,
+  X509Certificate(OSCertHandle cert_handle,
                   const OSCertHandles& intermediates);
 
   ~X509Certificate();
 
   // Common object initialization code.  Called by the constructors only.
   void Initialize();
 
 #if defined(OS_WIN)
   bool CheckEV(PCCERT_CHAIN_CONTEXT chain_context,
                const char* policy_oid) const;
 #endif
   bool VerifyEV() const;
 
 #if defined(USE_OPENSSL)
   // Resets the store returned by cert_store() to default state. Used by
   // TestRootCerts to undo modifications.
   static void ResetCertStore();
 #endif
 
-  // Calculates the SHA-1 fingerprint of the certificate.  Returns an empty
-  // (all zero) fingerprint on failure.
-  static SHA1Fingerprint CalculateFingerprint(OSCertHandle cert_handle);
-
   // Reads a single certificate from |pickle| and returns a platform-specific
   // certificate handle. The format of the certificate stored in |pickle| is
   // not guaranteed to be the same across different underlying cryptographic
   // libraries, nor acceptable to CreateFromBytes(). Returns an invalid
   // handle, NULL, on failure.
   static OSCertHandle ReadCertHandleFromPickle(const Pickle& pickle,
                                                void** pickle_iter);
 
   // Writes a single certificate to |pickle|. Returns false on failure.
   static bool WriteCertHandleToPickle(OSCertHandle handle, Pickle* pickle);
@@ skipping 19 matching lines @@
   // Untrusted intermediate certificates associated with this certificate
   // that may be needed for chain building.
   OSCertHandles intermediate_ca_certs_;
 
 #if defined(OS_MACOSX)
   // Blocks multiple threads from verifying the cert simultaneously.
   // (Marked mutable because it's used in a const method.)
   mutable Lock verification_lock_;
 #endif
 
-  // Where the certificate comes from.
-  Source source_;
-
   DISALLOW_COPY_AND_ASSIGN(X509Certificate);
 };
 
 }  // namespace net
 
 #endif  // NET_BASE_X509_CERTIFICATE_H_