Don't use X509Certificate in SSLConfig.

net/socket/ssl_client_socket_nss.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived
 // from AuthCertificateCallback() in
 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.
 
 /* ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
@@ skipping 460 matching lines @@
 
 // static
 void SSLClientSocketNSS::ClearSessionCache() {
   SSL_ClearSessionCache();
 }
 
 void SSLClientSocketNSS::GetSSLInfo(SSLInfo* ssl_info) {
   EnterFunction("");
   ssl_info->Reset();
 
-  if (!server_cert_)
+  if (!server_cert_nss_)
     return;
 
   ssl_info->cert_status = server_cert_verify_result_->cert_status;
-  DCHECK(server_cert_ != NULL);
   ssl_info->cert = server_cert_;
   ssl_info->connection_status = ssl_connection_status_;
   ssl_info->public_key_hashes = server_cert_verify_result_->public_key_hashes;
   ssl_info->is_issued_by_known_root =
       server_cert_verify_result_->is_issued_by_known_root;
 
   PRUint16 cipher_suite =
       SSLConnectionStatusToCipherSuite(ssl_connection_status_);
   SSLCipherSuiteInfo cipher_info;
   SECStatus ok = SSL_GetCipherSuiteInfo(cipher_suite,
@@ skipping 535 matching lines @@
   std::string peer_id = host_and_port_.ToString();
   SECStatus rv = SSL_SetSockPeerID(nss_fd_, const_cast<char*>(peer_id.c_str()));
   if (rv != SECSuccess)
     LogFailedNSSFunction(net_log_, "SSL_SetSockPeerID", peer_id.c_str());
 
   return OK;
 }
 
 
 // Sets server_cert_ and server_cert_nss_ if not yet set.
-// Returns server_cert_.
-X509Certificate *SSLClientSocketNSS::UpdateServerCert() {
+void SSLClientSocketNSS::UpdateServerCert() {
   // We set the server_cert_ from HandshakeCallback().
   if (server_cert_ == NULL) {
     server_cert_nss_ = SSL_PeerCertificate(nss_fd_);
     if (server_cert_nss_) {
       PeerCertificateChain certs(nss_fd_);
+      // This call may fail when SSL is used inside sandbox. In that
+      // case CreateFromDERCertChain() returns NULL.
       server_cert_ = X509Certificate::CreateFromDERCertChain(
           certs.AsStringPieceVector());
     }
   }
-  return server_cert_;
 }
 
 // Sets ssl_connection_status_.
 void SSLClientSocketNSS::UpdateConnectionStatus() {
   SSLChannelInfo channel_info;
   SECStatus ok = SSL_GetChannelInfo(nss_fd_,
                                     &channel_info, sizeof(channel_info));
   if (ok == SECSuccess &&
       channel_info.length == sizeof(channel_info) &&
       channel_info.cipherSuite) {
@@ skipping 451 matching lines @@
     GotoState(STATE_VERIFY_CERT_COMPLETE);
     return OK;
   }
 
   GotoState(STATE_VERIFY_CERT);
 
   return OK;
 }
 
 int SSLClientSocketNSS::DoVerifyCert(int result) {
-  DCHECK(server_cert_);
+  DCHECK(server_cert_nss_);
 
   GotoState(STATE_VERIFY_CERT_COMPLETE);
 
-  // If the certificate is expected to be bad we can use the expectation as the
-  // cert status.
+  // If the certificate is expected to be bad we can use the
+  // expectation as the cert status. Don't use |server_cert_| here
+  // because it can be set to NULL in case we failed to create
+  // X509Certificate in UpdateServerCert(). This may happen when this
+  // code is used inside sandbox.
+  base::StringPiece der_cert(
+      reinterpret_cast<char*>(server_cert_nss_->derCert.data),
+      server_cert_nss_->derCert.len);
   int cert_status;
-  if (ssl_config_.IsAllowedBadCert(server_cert_, &cert_status)) {
+  if (ssl_config_.IsAllowedBadCert(der_cert, &cert_status)) {
     DCHECK(start_cert_verification_time_.is_null());
     VLOG(1) << "Received an expected bad cert with status: " << cert_status;
     server_cert_verify_result_ = &local_server_cert_verify_result_;
     local_server_cert_verify_result_.Reset();
     local_server_cert_verify_result_.cert_status = cert_status;
     return OK;
   }
 
+  // We may have failed to create X509Certificate object if we are
+  // running inside sandbox.
+  if (!server_cert_) {
+    server_cert_verify_result_ = &local_server_cert_verify_result_;
+    local_server_cert_verify_result_.Reset();
+    local_server_cert_verify_result_.cert_status = CERT_STATUS_INVALID;
+    return ERR_CERT_INVALID;
+  }
+
   start_cert_verification_time_ = base::TimeTicks::Now();
 
   if (ssl_host_info_.get() && !ssl_host_info_->state().certs.empty() &&
       predicted_cert_chain_correct_) {
     // If the SSLHostInfo had a prediction for the certificate chain of this
     // server then it will have optimistically started a verification of that
     // chain. So, if the prediction was correct, we should wait for that
     // verification to finish rather than start our own.
     net_log_.AddEvent(NetLog::TYPE_SSL_VERIFICATION_MERGED, NULL);
     UMA_HISTOGRAM_ENUMERATION("Net.SSLVerificationMerged", 1 /* true */, 2);
@@ skipping 716 matching lines @@
   valid_thread_id_ = base::PlatformThread::CurrentId();
 }
 
 bool SSLClientSocketNSS::CalledOnValidThread() const {
   EnsureThreadIdAssigned();
   base::AutoLock auto_lock(lock_);
   return valid_thread_id_ == base::PlatformThread::CurrentId();
 }
 
 }  // namespace net