
Unified Diff: net/base/x509_util_win.cc

Issue 7324039: Ensure X509Certificate::OSCertHandles are safe to be used on both UI and IO threads on Win (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Mac fix Created 9 years, 2 months ago
Index: net/base/x509_util_win.cc
diff --git a/net/base/x509_util_win.cc b/net/base/x509_util_win.cc
new file mode 100644
index 0000000000000000000000000000000000000000..90b9f084895850da55151ad0c7bc50a1f9a813e8
--- /dev/null
+++ b/net/base/x509_util_win.cc
@@ -0,0 +1,62 @@
+// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/base/x509_util_win.h"
+
+#include "base/memory/scoped_ptr.h"
+#include "crypto/scoped_capi_types.h"
+#include "net/base/x509_certificate.h"
+
+namespace net {
+
+namespace x509_util {
+
+namespace {
+
+typedef crypto::ScopedCAPIHandle<
+ HCERTSTORE,
+ crypto::CAPIDestroyerWithFlags<HCERTSTORE,
+ CertCloseStore, 0> > ScopedHCERTSTORE;
+
+} // namespace
+
+PCCERT_CONTEXT CreateOSCertChainForCert(const X509Certificate* cert) {
+ // Create an in-memory certificate store to hold |cert| and any
+ // associated intermediate certificates. The store will be referenced in the
+ // returned OSCertListHandle, and will not be freed until the
+ // OSCertListHandle is freed.
wtc 2011/10/16 14:55:49 Change the two occurrences of OSCertListHandle to
+ ScopedHCERTSTORE store(CertOpenStore(
+ CERT_STORE_PROV_MEMORY, 0, NULL,
+ CERT_STORE_DEFER_CLOSE_UNTIL_LAST_FREE_FLAG, NULL));
+ if (!store.get())
+ return NULL;
+
+ // NOTE: This preserves all of the properties of |cert->os_cert_handle()|
+ // except for CERT_KEY_PROV_HANDLE_PROP_ID and CERT_KEY_CONTEXT_PROP_ID -
+ // the two properties that hold access to already-opened private keys. If a
+ // handle has already been unlocked (eg: PIN prompt), then the first time
+ // that the identity is used for client auth, it may prompt the user again.
wtc 2011/10/16 14:55:49 Nit: the identity => the returned PCCERT_CONTEXT
+ PCCERT_CONTEXT primary_cert;
+ BOOL ok = CertAddCertificateContextToStore(
+ store.get(), cert->os_cert_handle(), CERT_STORE_ADD_ALWAYS,
+ &primary_cert);
+ if (!ok || !primary_cert)
+ return NULL;
+
+ const X509Certificate::OSCertHandles& intermediates =
+ cert->GetIntermediateCertificates();
+ for (size_t i = 0; i < intermediates.size(); ++i) {
+ CertAddCertificateContextToStore(store.get(), intermediates[i],
+ CERT_STORE_ADD_ALWAYS, NULL);
+ }
+
+ // Note: |store| is explicitly not released, as the call to CertCloseStore()
+ // when |store| goes out of scope will not actually free the store. Instead,
+ // the store will be freed when |scoped_cert| is freed.
wtc 2011/10/16 14:55:49 |scoped_cert| => |primary_cert|
+ return primary_cert;
+}
+
+} // namespace x509_util
+
+} // namespace net
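Review bot: The loop over `intermediates` discards the BOOL returned by `CertAddCertificateContextToStore`, so a failed add produces a chain that silently lacks an intermediate and the caller cannot tell. If a partial chain is not acceptable, check the result and on failure call `CertFreeCertificateContext(primary_cert);` before `return NULL;`, since `primary_cert` already holds a reference at that point. If best-effort is intended, state it in the loop with a comment such as `// Failure to add an intermediate is ignored; the returned chain may be incomplete.` Separately, `PCCERT_CONTEXT primary_cert;` is only read after `ok` is true thanks to short-circuiting, but writing `PCCERT_CONTEXT primary_cert = NULL;` would keep the `!ok || !primary_cert` check safe if the condition is ever reordered.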