Refactor X509Certificate caching to cache the OS handle, rather than the X509Certificate

net/socket/ssl_client_socket_nss.cc

 // Copyright (c) 2010 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived
 // from AuthCertificateCallback() in
 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.
 
 /* ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
@@ skipping 1638 matching lines @@
     if (!chain_context) {
       DWORD err = GetLastError();
       if (err != CRYPT_E_NOT_FOUND)
         DLOG(ERROR) << "CertFindChainInStore failed: " << err;
       break;
     }
 
     // Get the leaf certificate.
     PCCERT_CONTEXT cert_context =
         chain_context->rgpChain[0]->rgpElement[0]->pCertContext;
-    // Copy it to our own certificate store, so that we can close the "MY"
-    // certificate store before returning from this function.
+    // Copy the certificate into a NULL store, so that we can close the "MY"
+    // store before returning from this function.
     PCCERT_CONTEXT cert_context2;
-    BOOL ok = CertAddCertificateContextToStore(X509Certificate::cert_store(),
-                                               cert_context,
+    BOOL ok = CertAddCertificateContextToStore(NULL, cert_context,
                                                CERT_STORE_ADD_USE_EXISTING,
                                                &cert_context2);
     if (!ok) {
       NOTREACHED();
       continue;
     }
 
     // Copy the rest of the chain to our own store as well. Copying the chain
     // stops gracefully if an error is encountered, with the partial chain
     // being used as the intermediates, rather than failing to consider the
     // client certificate.
     net::X509Certificate::OSCertHandles intermediates;
     for (DWORD i = 1; i < chain_context->rgpChain[0]->cElement; i++) {
       PCCERT_CONTEXT intermediate_copy;
-      ok = CertAddCertificateContextToStore(X509Certificate::cert_store(),
+      ok = CertAddCertificateContextToStore(
+          NULL,
           chain_context->rgpChain[0]->rgpElement[i]->pCertContext,
           CERT_STORE_ADD_USE_EXISTING, &intermediate_copy);
       if (!ok) {
         NOTREACHED();
         break;
       }
       intermediates.push_back(intermediate_copy);
     }
 
     scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromHandle(
-        cert_context2, X509Certificate::SOURCE_LONE_CERT_IMPORT,
-        intermediates);
+        cert_context2, intermediates);
     that->client_certs_.push_back(cert);
 
     X509Certificate::FreeOSCertHandle(cert_context2);
     for (net::X509Certificate::OSCertHandles::iterator it =
         intermediates.begin(); it != intermediates.end(); ++it) {
       net::X509Certificate::FreeOSCertHandle(*it);
     }
   }
 
   BOOL ok = CertCloseStore(my_cert_store, CERT_CLOSE_STORE_CHECK_FLAG);
@@ skipping 141 matching lines @@
           secCertTimeValid)
         continue;
       // Filter by issuer.
       //
       // TODO(davidben): This does a binary comparison of the DER-encoded
       // issuers. We should match according to RFC 5280 sec. 7.1. We should find
       // an appropriate NSS function or add one if needbe.
       if (ca_names->nnames &&
           NSS_CmpCertChainWCANames(node->cert, ca_names) != SECSuccess)
         continue;
+      // TODO(rsleevi): Explicitly specify the intermediates for the client
+      // certificate. As implemented, the current behaviour is that NSS will
+      // rebuild the chain any time it needs to, such as to display or send
+      // to the server.
       X509Certificate* x509_cert = X509Certificate::CreateFromHandle(
-          node->cert, X509Certificate::SOURCE_LONE_CERT_IMPORT,
-          net::X509Certificate::OSCertHandles());
+          node->cert, net::X509Certificate::OSCertHandles());
       that->client_certs_.push_back(x509_cert);
     }
     CERT_DestroyCertList(client_certs);
   }
 
   // Tell NSS to suspend the client authentication.  We will then abort the
   // handshake by returning ERR_SSL_CLIENT_AUTH_CERT_NEEDED.
   return SECWouldBlock;
 }
 #endif  // NSS_PLATFORM_CLIENT_AUTH
@@ skipping 618 matching lines @@
     case SSL_CONNECTION_VERSION_TLS1_1:
       UpdateConnectionTypeHistograms(CONNECTION_SSL_TLS1_1);
       break;
     case SSL_CONNECTION_VERSION_TLS1_2:
       UpdateConnectionTypeHistograms(CONNECTION_SSL_TLS1_2);
       break;
   };
 }
 
 }  // namespace net