Refactor X509Certificate caching to cache the OS handle, rather than the X509Certificate

net/socket/ssl_client_socket_win.cc

 // Copyright (c) 2010 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/socket/ssl_client_socket_win.h"
 
 #include <schnlsp.h>
 #include <map>
 
 #include "base/compiler_specific.h"
@@ skipping 312 matching lines @@
 
   // Verify the current time is within the certificate's validity period.
   if (CertVerifyTimeValidity(NULL, cert_context->pCertInfo) != 0)
     return FALSE;
 
   return TRUE;
 }
 
 //-----------------------------------------------------------------------------
 
-// A memory certificate store for client certificates.  This allows us to
-// close the "MY" system certificate store when we finish searching for
-// client certificates.
-class ClientCertStore {
- public:
-  ClientCertStore() {
-    store_ = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, NULL, 0, NULL);
-  }
-
-  ~ClientCertStore() {
-    if (store_) {
-      BOOL ok = CertCloseStore(store_, CERT_CLOSE_STORE_CHECK_FLAG);
-      DCHECK(ok);
-    }
-  }
-
-  PCCERT_CONTEXT CopyCertContext(PCCERT_CONTEXT client_cert) {
-    PCCERT_CONTEXT copy;
-    BOOL ok = CertAddCertificateContextToStore(store_, client_cert,
-                                               CERT_STORE_ADD_USE_EXISTING,
-                                               &copy);
-    DCHECK(ok);
-    return ok ? copy : NULL;
-  }
-
- private:
-  HCERTSTORE store_;
-};
-
-static base::LazyInstance<ClientCertStore> g_client_cert_store(
-    base::LINKER_INITIALIZED);
-
-//-----------------------------------------------------------------------------
-
 // Size of recv_buffer_
 //
 // Ciphertext is decrypted one SSL record at a time, so recv_buffer_ needs to
 // have room for a full SSL record, with the header and trailer.  Here is the
 // breakdown of the size:
 //   5: SSL record header
 //   16K: SSL record maximum size
 //   64: >= SSL record trailer (16 or 20 have been observed)
 static const int kRecvBufferSize = (5 + 16*1024 + 64);
 
@@ skipping 128 matching lines @@
     if (!chain_context) {
       DWORD err = GetLastError();
       if (err != CRYPT_E_NOT_FOUND)
         DLOG(ERROR) << "CertFindChainInStore failed: " << err;
       break;
     }
 
     // Get the leaf certificate.
     PCCERT_CONTEXT cert_context =
         chain_context->rgpChain[0]->rgpElement[0]->pCertContext;
-    // Copy it to our own certificate store, so that we can close the "MY"
-    // certificate store before returning from this function.
-    PCCERT_CONTEXT cert_context2 =
-        g_client_cert_store.Get().CopyCertContext(cert_context);
-    if (!cert_context2) {
+    // Copy the certificate into a NULL store, so that we can close the "MY"
+    // store before returning from this function.
+    PCCERT_CONTEXT cert_context2 = NULL;
+    BOOL ok = CertAddCertificateContextToStore(NULL, cert_context,
+                                               CERT_STORE_ADD_USE_EXISTING,
+                                               &cert_context2);
+    if (!ok) {
       NOTREACHED();
       continue;
     }
+
+    // Grab the intermediates, if any.
+    X509Certificate::OSCertHandles intermediates;
+    for (DWORD i = 1; i < chain_context->rgpChain[0]->cElement; ++i) {
+      PCCERT_CONTEXT chain_intermediate =
+          chain_context->rgpChain[0]->rgpElement[i]->pCertContext;
+      PCCERT_CONTEXT chain_intermediate2;
+      ok = CertAddCertificateContextToStore(NULL, chain_intermediate,
+                                            CERT_STORE_ADD_USE_EXISTING,
+                                            &chain_intermediate2);
+      if (ok)
+        intermediates.push_back(chain_intermediate2);
+    }
     scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromHandle(
-        cert_context2, X509Certificate::SOURCE_LONE_CERT_IMPORT,
-        X509Certificate::OSCertHandles());
+        cert_context2, intermediates);
     cert_request_info->client_certs.push_back(cert);
     CertFreeCertificateContext(cert_context2);
+    for (size_t i = 0; i < intermediates.size(); ++i)
+      CertFreeCertificateContext(intermediates[i]);
   }
 
   FreeContextBuffer(issuer_list.aIssuers);
 
   BOOL ok = CertCloseStore(my_cert_store, CERT_CLOSE_STORE_CHECK_FLAG);
   DCHECK(ok);
 }
 
 SSLClientSocket::NextProtoStatus
 SSLClientSocketWin::GetNextProto(std::string* proto) {
@@ skipping 928 matching lines @@
     return MapSecurityError(status);
   }
   DCHECK(!server_cert_ || renegotiating_);
   PCCERT_CONTEXT server_cert_handle = NULL;
   status = QueryContextAttributes(
       &ctxt_, SECPKG_ATTR_REMOTE_CERT_CONTEXT, &server_cert_handle);
   if (status != SEC_E_OK) {
     LOG(ERROR) << "QueryContextAttributes (remote cert) failed: " << status;
     return MapSecurityError(status);
   }
+
+  X509Certificate::OSCertHandles intermediates;
+  PCCERT_CONTEXT intermediate =
+      CertEnumCertificatesInStore(server_cert_handle->hCertStore, NULL);
+  while (intermediate != NULL) {
+    intermediates.push_back(CertDuplicateCertificateContext(intermediate));
+    intermediate = CertEnumCertificatesInStore(server_cert_handle->hCertStore,
+                                               intermediate);
+  }
+
   if (renegotiating_ &&
       X509Certificate::IsSameOSCert(server_cert_->os_cert_handle(),
-                                    server_cert_handle)) {
+                                    server_cert_handle) &&
+      server_cert_->HasIntermediateCertificates(intermediates) &&
+      server_cert_->GetIntermediateCertificates().size() ==
+          intermediates.size()) {
     // We already verified the server certificate.  Either it is good or the
     // user has accepted the certificate error.
     DidCompleteRenegotiation();
   } else {
     server_cert_ = X509Certificate::CreateFromHandle(
-        server_cert_handle, X509Certificate::SOURCE_FROM_NETWORK,
-        X509Certificate::OSCertHandles());
+        server_cert_handle, intermediates);
 
     next_state_ = STATE_VERIFY_CERT;
   }
   CertFreeCertificateContext(server_cert_handle);
+  for (size_t i = 0; i < intermediates.size(); ++i)
+    CertFreeCertificateContext(intermediates[i]);
   return OK;
 }
 
 // Called when a renegotiation is completed.  |result| is the verification
 // result of the server certificate received during renegotiation.
 void SSLClientSocketWin::DidCompleteRenegotiation() {
   DCHECK(!user_connect_callback_);
   DCHECK(user_read_callback_);
   renegotiating_ = false;
   next_state_ = STATE_COMPLETED_RENEGOTIATION;
@@ skipping 13 matching lines @@
     UpdateConnectionTypeHistograms(CONNECTION_SSL_MD2_CA);
 }
 
 void SSLClientSocketWin::FreeSendBuffer() {
   SECURITY_STATUS status = FreeContextBuffer(send_buffer_.pvBuffer);
   DCHECK(status == SEC_E_OK);
   memset(&send_buffer_, 0, sizeof(send_buffer_));
 }
 
 }  // namespace net