Mac: implement <keygen> support, including adding generated cert to the Keychain.

net/base/cert_database_mac.cc

Index: net/base/cert_database_mac.cc
diff --git a/net/base/cert_database_mac.cc b/net/base/cert_database_mac.cc
index 5caf9dbbdba99daf0e02d4edd6f3eb0ddd8f945a..f2158e9bf403ea63bfce6492aaf753b40ac4de95 100644
--- a/net/base/cert_database_mac.cc
+++ b/net/base/cert_database_mac.cc
@@ -4,21 +4,55 @@
 
 #include "net/base/cert_database.h"
 
+#include <Security/Security.h>
+
 #include "base/logging.h"
+#include "net/base/net_errors.h"
 
 namespace net {
 
 CertDatabase::CertDatabase() {
-  NOTIMPLEMENTED();
 }
 
-bool CertDatabase::AddUserCert(const char* data, int len) {
-  NOTIMPLEMENTED();
-  return false;
+void CertDatabase::Init() {
 }
 
-void CertDatabase::Init() {
-  NOTIMPLEMENTED();
+int CertDatabase::CheckUserCert(X509Certificate* cert) {
+  if (!cert)
+    return ERR_CERT_INVALID;
+  if (cert->HasExpired())
+    return ERR_CERT_DATE_INVALID;
+  if (!cert->SupportsSSLClientAuth())
+    return ERR_CERT_INVALID;
+
+  // Verify the Keychain already has the corresponding private key:
+  SecIdentityRef identity = NULL;
+  OSStatus err = SecIdentityCreateWithCertificate(NULL, cert->os_cert_handle(),
+                                                  &identity);
+  if (err == errSecItemNotFound) {
+    LOG(ERROR) << "CertDatabase couldn't find private key for user cert";
+    return ERR_CERT_NO_PRIVATE_KEY;
+  }
+  if (err != noErr || !identity) {
+    // TODO(snej): Map the error code more intelligently.
+    return ERR_CERT_INVALID;
+  }
+  
+  CFRelease(identity);
+  return OK;
+}
+
+int CertDatabase::AddUserCert(X509Certificate* cert) {
+  OSStatus err = SecCertificateAddToKeychain(cert->os_cert_handle(), NULL);
+  switch(err) {
+    case noErr:
+    case errSecDuplicateItem:
+      return OK;
+    default:
+      LOG(ERROR) << "CertDatabase failed to add cert to keychain: " << err;
+      // TODO(snej): Map the error code more intelligently.
+      return ERR_FAILED;
+  }
 }
 
 }  // namespace net