Refactor X509Certificate caching to cache the OS handle, rather than the X509Certificate

net/socket/ssl_client_socket_win.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/socket/ssl_client_socket_win.h"
 
 #include <schnlsp.h>
 #include <map>
 
 #include "base/compiler_specific.h"
@@ skipping 319 matching lines @@
   if (!CertGetCertificateContextProperty(
           cert_context, CERT_KEY_PROV_INFO_PROP_ID, NULL, &size)) {
     return FALSE;
   }
 
   return TRUE;
 }
 
 //-----------------------------------------------------------------------------
 
-// A memory certificate store for client certificates.  This allows us to
-// close the "MY" system certificate store when we finish searching for
-// client certificates.
-class ClientCertStore {
- public:
-  ClientCertStore() {
-    store_ = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, NULL, 0, NULL);
-  }
-
-  ~ClientCertStore() {
-    if (store_) {
-      BOOL ok = CertCloseStore(store_, CERT_CLOSE_STORE_CHECK_FLAG);
-      DCHECK(ok);
-    }
-  }
-
-  PCCERT_CONTEXT CopyCertContext(PCCERT_CONTEXT client_cert) {
-    PCCERT_CONTEXT copy;
-    BOOL ok = CertAddCertificateContextToStore(store_, client_cert,
-                                               CERT_STORE_ADD_USE_EXISTING,
-                                               &copy);
-    DCHECK(ok);
-    return ok ? copy : NULL;
-  }
-
- private:
-  HCERTSTORE store_;
-};
-
-static base::LazyInstance<ClientCertStore> g_client_cert_store(
-    base::LINKER_INITIALIZED);
-
-//-----------------------------------------------------------------------------
-
 // Size of recv_buffer_
 //
 // Ciphertext is decrypted one SSL record at a time, so recv_buffer_ needs to
 // have room for a full SSL record, with the header and trailer.  Here is the
 // breakdown of the size:
 //   5: SSL record header
 //   16K: SSL record maximum size
 //   64: >= SSL record trailer (16 or 20 have been observed)
 static const int kRecvBufferSize = (5 + 16*1024 + 64);
 
@@ skipping 131 matching lines @@
     if (!chain_context) {
       DWORD err = GetLastError();
       if (err != CRYPT_E_NOT_FOUND)
         DLOG(ERROR) << "CertFindChainInStore failed: " << err;
       break;
     }
 
     // Get the leaf certificate.
     PCCERT_CONTEXT cert_context =
         chain_context->rgpChain[0]->rgpElement[0]->pCertContext;
-    // Copy it to our own certificate store, so that we can close the "MY"
-    // certificate store before returning from this function.
-    PCCERT_CONTEXT cert_context2 =
-        g_client_cert_store.Get().CopyCertContext(cert_context);
-    if (!cert_context2) {
+    // Copy the certificate into a NULL store, so that we can close the "MY"
+    // store before returning from this function.
+    PCCERT_CONTEXT cert_context2 = NULL;
+    BOOL ok = CertAddCertificateContextToStore(NULL, cert_context,
+                                               CERT_STORE_ADD_USE_EXISTING,
+                                               &cert_context2);
+    if (!ok) {
       NOTREACHED();
       continue;
     }
     scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromHandle(
-        cert_context2, X509Certificate::SOURCE_LONE_CERT_IMPORT,
-        X509Certificate::OSCertHandles());
+        cert_context2, X509Certificate::OSCertHandles());
     cert_request_info->client_certs.push_back(cert);
     CertFreeCertificateContext(cert_context2);
   }
 
   FreeContextBuffer(issuer_list.aIssuers);
 
   BOOL ok = CertCloseStore(my_cert_store, CERT_CLOSE_STORE_CHECK_FLAG);
   DCHECK(ok);
 }
 
@@ skipping 961 matching lines @@
     return MapSecurityError(status);
   }
   if (renegotiating_ &&
       X509Certificate::IsSameOSCert(server_cert_->os_cert_handle(),
                                     server_cert_handle)) {
     // We already verified the server certificate.  Either it is good or the
     // user has accepted the certificate error.
     DidCompleteRenegotiation();
   } else {
     server_cert_ = X509Certificate::CreateFromHandle(
-        server_cert_handle, X509Certificate::SOURCE_FROM_NETWORK,
-        X509Certificate::OSCertHandles());
+        server_cert_handle, X509Certificate::OSCertHandles());
 
     next_state_ = STATE_VERIFY_CERT;
   }
   CertFreeCertificateContext(server_cert_handle);
   return OK;
 }
 
 // Called when a renegotiation is completed.  |result| is the verification
 // result of the server certificate received during renegotiation.
 void SSLClientSocketWin::DidCompleteRenegotiation() {
@@ skipping 17 matching lines @@
     UpdateConnectionTypeHistograms(CONNECTION_SSL_MD2_CA);
 }
 
 void SSLClientSocketWin::FreeSendBuffer() {
   SECURITY_STATUS status = FreeContextBuffer(send_buffer_.pvBuffer);
   DCHECK(status == SEC_E_OK);
   memset(&send_buffer_, 0, sizeof(send_buffer_));
 }
 
 }  // namespace net