Ensure X509Certificate::OSCertHandles are safe to be used on both UI and IO threads on Win

net/base/x509_certificate.h

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_BASE_X509_CERTIFICATE_H_
 #define NET_BASE_X509_CERTIFICATE_H_
 #pragma once
 
 #include <string.h>
 
@@ skipping 10 matching lines @@
 #if defined(OS_WIN)
 #include <windows.h>
 #include <wincrypt.h>
 #elif defined(OS_MACOSX)
 #include <CoreFoundation/CFArray.h>
 #include <Security/SecBase.h>
 
 #include "base/synchronization/lock.h"
 #elif defined(USE_OPENSSL)
 // Forward declaration; real one in <x509.h>
-struct x509_st;
+typedef struct x509_st X509;
 typedef struct x509_store_st X509_STORE;
 #elif defined(USE_NSS)
 // Forward declaration; real one in <cert.h>
 struct CERTCertificateStr;
 #endif
 
 class Pickle;
 
 namespace crypto {
 class StringPiece;
 class RSAPrivateKey;
 }  // namespace crypto
 
 namespace net {
 
 class CRLSet;
 class CertVerifyResult;
 
 typedef std::vector<scoped_refptr<X509Certificate> > CertificateList;
 
 // X509Certificate represents a X.509 certificate, which is comprised a
 // particular identity or end-entity certificate, such as an SSL server
 // identity or an SSL client certificate, and zero or more intermediate
 // certificates that may be used to build a path to a root certificate.
 class NET_EXPORT X509Certificate
     : public base::RefCountedThreadSafe<X509Certificate> {
  public:
-  // A handle to the certificate object in the underlying crypto library.
-  // We assume that OSCertHandle is a pointer type on all platforms and
-  // NULL is an invalid OSCertHandle.
+  // An OSCertHandle is a handle to a certificate object in the underlying
+  // crypto library. We assume that OSCertHandle is a pointer type on all
+  // platforms and that NULL represents an invalid OSCertHandle.
 #if defined(OS_WIN)
   typedef PCCERT_CONTEXT OSCertHandle;
 #elif defined(OS_MACOSX)
   typedef SecCertificateRef OSCertHandle;
 #elif defined(USE_OPENSSL)
-  typedef struct x509_st* OSCertHandle;
+  typedef X509* OSCertHandle;
 #elif defined(USE_NSS)
   typedef struct CERTCertificateStr* OSCertHandle;
 #else
   // TODO(ericroman): not implemented
   typedef void* OSCertHandle;
 #endif
 
   typedef std::vector<OSCertHandle> OSCertHandles;
 
   // Predicate functor used in maps when X509Certificate is used as the key.
@@ skipping 203 matching lines @@
   // precedence and returned first in the output vector.)
   // If valid_issuers is non-empty, only certs that were transitively issued
   // by one of the given names will be included in the list.
   static bool GetSSLClientCertificates(
       const std::string& server_domain,
       const std::vector<CertPrincipal>& valid_issuers,
       CertificateList* certs);
 
   // Creates the chain of certs to use for this client identity cert.
   CFArrayRef CreateClientCertificateChain() const;
+
+  // Returns a new CFArrayRef containing this certificate and its intermediate
+  // certificates in the form expected by Security.framework and Keychain
+  // Services, or NULL on failure.
+  // The first item in the array will be this certificate, followed by its
+  // intermediates, if any.
+  CFArrayRef CreateOSCertChainForCert() const;
 #endif
 
 #if defined(OS_WIN)
   // Returns a handle to a global, in-memory certificate store. We use it for
   // two purposes:
   // 1. Import server certificates into this store so that we can verify and
   //    display the certificates using CryptoAPI.
   // 2. Copy client certificates from the "MY" system certificate store into
   //    this store so that we can close the system store when we finish
   //    searching for client certificates.
   static HCERTSTORE cert_store();
+
+  // Returns a new PCCERT_CONTEXT containing this certificate and its
+  // intermediate certificates, or NULL on failure. The returned
+  // PCCERT_CONTEXT *MUST NOT* be stored in an X509Certificate, as then
+  // os_cert_handle() will not return the correct result. This function is
+  // only necessary if the CERT_CONTEXT.hCertStore member will be accessed or
+  // enumerated, which is generally true for any CryptoAPI functions involving
+  // certificate chains, including validation or certificate display.
+  //
+  // Remarks:
+  // Depending on the CryptoAPI function, Windows may need to access the
+  // HCERTSTORE that the passed-in PCCERT_CONTEXT belongs to, such as to
+  // locate additional intermediates. However, in the current X509Certificate
+  // implementation on Windows, all X509Certificate::OSCertHandles belong to
+  // the same HCERTSTORE - X509Certificate::cert_store(). Since certificates
+  // may be created and accessed on any number of threads, if CryptoAPI is
+  // trying to read this global store while additional certificates are being
+  // added, it may return inconsistent results while enumerating the store.
+  // While the memory accesses themselves are thread-safe, the resultant view
+  // of what is in the store may be altered.
+  //
+  // If OSCertHandles were instead added to a NULL HCERTSTORE, which is valid
+  // in CryptoAPI, then Windows would be unable to locate any of the
+  // intermediates supplied in |intermediate_ca_certs_|, because the
+  // hCertStore will refer to a magic value that indicates "only this
+  // certificate."
+  //
+  // To avoid these problems, a new in-memory HCERTSTORE is created containing
+  // just this certificate and its intermediates. The handle to the version of
+  // this certificate in the new HCERTSTORE is then returned, with the
+  // HCERTSTORE set to be automatically freed when the returned certificate
+  // is freed.
+  //
+  // This function is only needed when the HCERTSTORE of the os_cert_handle()
+  // will be accessed, which is generally only during certificate validation
+  // or display. While the returned PCCERT_CONTEXT and its HCERTSTORE can
+  // safely be used on multiple threads if no further modifications happen, it
+  // is generally preferable for each thread that needs such a context to
+  // obtain its own, rather than risk thread-safety issues by sharing.
+  //
+  // Because of how X509Certificate caching is implemented, attempting to
+  // create an X509Certificate from the returned PCCERT_CONTEXT may result in
+  // the original handle (and thus the originall HCERTSTORE) being returned by
+  // os_cert_handle(). For this reason, the returned PCCERT_CONTEXT *MUST NOT*
+  // be stored in an X509Certificate.
+  PCCERT_CONTEXT CreateOSCertChainForCert() const;
 #endif
 
 #if defined(OS_ANDROID)
   // |chain_bytes| will contain the chain (including this certificate) encoded
   // using GetChainDEREncodedBytes below.
   void GetChainDEREncodedBytes(std::vector<std::string>* chain_bytes) const;
 #endif
 
 #if defined(USE_OPENSSL)
   // Returns a handle to a global, in-memory certificate store. We
@@ skipping 26 matching lines @@
   // Does not verify that the certificate is valid, only that the certificate
   // matches this host.
   // Returns true if it matches.
   bool VerifyNameMatch(const std::string& hostname) const;
 
   // This method returns the DER encoded certificate.
   // If the return value is true then the DER encoded certificate is available.
   // The content of the DER encoded certificate is written to |encoded|.
   bool GetDEREncoded(std::string* encoded);
 
+  // Returns the OSCertHandle of this object. Because of caching, this may
+  // differ from the OSCertHandle originally supplied during initialization.
+  // Note: On Windows, CryptoAPI may return unexpected results if this handle
+  // is used across multiple threads. For more details, see
+  // CreateOSCertChainForCert().
   OSCertHandle os_cert_handle() const { return cert_handle_; }
 
   // Returns true if two OSCertHandles refer to identical certificates.
   static bool IsSameOSCert(OSCertHandle a, OSCertHandle b);
 
   // Creates an OS certificate handle from the BER-encoded representation.
   // Returns NULL on failure.
   static OSCertHandle CreateOSCertHandleFromBytes(const char* data,
                                                   int length);
 
@@ skipping 136 matching lines @@
   // (Marked mutable because it's used in a const method.)
   mutable base::Lock verification_lock_;
 #endif
 
   DISALLOW_COPY_AND_ASSIGN(X509Certificate);
 };
 
 }  // namespace net
 
 #endif  // NET_BASE_X509_CERTIFICATE_H_