Refactor X509Certificate caching to cache the OS handle, rather than the X509Certificate

net/base/x509_certificate_mac.cc

 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/x509_certificate.h"
 
 #include <CommonCrypto/CommonDigest.h>
 #include <Security/Security.h>
 #include <time.h>
 
@@ skipping 391 matching lines @@
 void X509Certificate::GetDNSNames(std::vector<std::string>* dns_names) const {
   dns_names->clear();
 
   GetCertGeneralNamesForOID(cert_handle_, CSSMOID_SubjectAltName, GNT_DNSName,
                             dns_names);
 
   if (dns_names->empty())
     dns_names->push_back(subject_.common_name);
 }
 
+X509Certificate::OSCertListHandle
+X509Certificate::CreateOSCertListHandle() const {
+  CFMutableArrayRef cert_list =
+      CFArrayCreateMutable(kCFAllocatorDefault, 0,
+                           &kCFTypeArrayCallBacks);
+  if (!cert_list)
+    return NULL;
+
+  CFArrayAppendValue(cert_list, cert_handle_);
+  for (size_t i = 0; i < intermediate_ca_certs_.size(); ++i) {
+    CFArrayAppendValue(cert_list, intermediate_ca_certs_[i]);
+  }
+
+  return cert_list;
+}
+
 int X509Certificate::Verify(const std::string& hostname, int flags,
                             CertVerifyResult* verify_result) const {
   verify_result->Reset();
 
   // Create an SSL SecPolicyRef, and configure it to perform hostname
   // validation. The hostname check does 99% of what we want, with the
   // exception of dotted IPv4 addreses, which we handle ourselves below.
   CSSM_APPLE_TP_SSL_OPTIONS tp_ssl_options = {
     CSSM_APPLE_TP_SSL_OPTS_VERSION,
     hostname.size(),
     hostname.data(),
     0
   };
   SecPolicyRef ssl_policy;
   OSStatus status = CreatePolicy(&CSSMOID_APPLE_TP_SSL,
                                  &tp_ssl_options,
                                  sizeof(tp_ssl_options),
                                  &ssl_policy);
   if (status)
     return NetErrorFromOSStatus(status);
   ScopedCFTypeRef<SecPolicyRef> scoped_ssl_policy(ssl_policy);
 
   // Create and configure a SecTrustRef, which takes our certificate(s)
   // and our SSL SecPolicyRef. SecTrustCreateWithCertificates() takes an
   // array of certificates, the first of which is the certificate we're
   // verifying, and the subsequent (optional) certificates are used for
   // chain building.
-  CFMutableArrayRef cert_array = CFArrayCreateMutable(kCFAllocatorDefault, 0,
-                                                      &kCFTypeArrayCallBacks);
-  if (!cert_array)
-    return ERR_OUT_OF_MEMORY;
-  ScopedCFTypeRef<CFArrayRef> scoped_cert_array(cert_array);
-  CFArrayAppendValue(cert_array, cert_handle_);
-  for (size_t i = 0; i < intermediate_ca_certs_.size(); ++i)
-    CFArrayAppendValue(cert_array, intermediate_ca_certs_[i]);
+  ScopedCFTypeRef<CFArrayRef> cert_array(CreateOSCertListHandle());
 
   // From here on, only one thread can be active at a time. We have had a number
   // of sporadic crashes in the SecTrustEvaluate call below, way down inside
   // Apple's cert code, which we suspect are caused by a thread-safety issue.
   // So as a speculative fix allow only one thread to use SecTrust on this cert.
   AutoLock lock(verification_lock_);
 
   SecTrustRef trust_ref = NULL;
   status = SecTrustCreateWithCertificates(cert_array, ssl_policy, &trust_ref);
   if (status)
@@ skipping 257 matching lines @@
     return NULL;
   return reinterpret_cast<OSCertHandle>(const_cast<void*>(CFRetain(handle)));
 }
 
 // static
 void X509Certificate::FreeOSCertHandle(OSCertHandle cert_handle) {
   CFRelease(cert_handle);
 }
 
 // static
+void X509Certificate::FreeOSCertListHandle(OSCertListHandle identity) {
+  CFRelease(identity);
+}
+
+// static
 SHA1Fingerprint X509Certificate::CalculateFingerprint(
     OSCertHandle cert) {
   SHA1Fingerprint sha1;
   memset(sha1.data, 0, sizeof(sha1.data));
 
   CSSM_DATA cert_data;
   OSStatus status = SecCertificateGetData(cert, &cert_data);
   if (status)
     return sha1;
 
@@ skipping 78 matching lines @@
     return false;
   ScopedCFTypeRef<CFArrayRef> scoped_cert_chain(cert_chain);
 
   // Check all the certs in the chain for a match.
   int n = CFArrayGetCount(cert_chain);
   for (int i = 0; i < n; ++i) {
     SecCertificateRef cert_handle = reinterpret_cast<SecCertificateRef>(
         const_cast<void*>(CFArrayGetValueAtIndex(cert_chain, i)));
     scoped_refptr<X509Certificate> cert(X509Certificate::CreateFromHandle(
         cert_handle,
-        X509Certificate::SOURCE_LONE_CERT_IMPORT,
         X509Certificate::OSCertHandles()));
     for (unsigned j = 0; j < valid_issuers.size(); j++) {
       if (cert->issuer().Matches(valid_issuers[j]))
         return true;
     }
   }
   return false;
 }
 
 // static
@@ skipping 41 matching lines @@
       break;
     ScopedCFTypeRef<SecIdentityRef> scoped_identity(identity);
 
     SecCertificateRef cert_handle;
     err = SecIdentityCopyCertificate(identity, &cert_handle);
     if (err != noErr)
       continue;
     ScopedCFTypeRef<SecCertificateRef> scoped_cert_handle(cert_handle);
 
     scoped_refptr<X509Certificate> cert(
-        CreateFromHandle(cert_handle, SOURCE_LONE_CERT_IMPORT,
-                         OSCertHandles()));
+        CreateFromHandle(cert_handle, OSCertHandles()));
     if (cert->HasExpired() || !cert->SupportsSSLClientAuth())
       continue;
 
     // Skip duplicates (a cert may be in multiple keychains).
     const SHA1Fingerprint& fingerprint = cert->fingerprint();
     unsigned i;
     for (i = 0; i < certs->size(); ++i) {
       if ((*certs)[i]->fingerprint().Equals(fingerprint))
         break;
     }
@@ skipping 54 matching lines @@
                          cert_chain,
                          CFRangeMake(1, chain_count - 1));
     }
     CFRelease(cert_chain);
   }
 
   return chain.release();
 }
 
 }  // namespace net