Revert r92977 partially to fix a certificate verification regression

net/socket/ssl_client_socket_win.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/socket/ssl_client_socket_win.h"
 
 #include <schnlsp.h>
 #include <map>
 
 #include "base/compiler_specific.h"
@@ skipping 319 matching lines @@
   if (!CertGetCertificateContextProperty(
           cert_context, CERT_KEY_PROV_INFO_PROP_ID, NULL, &size)) {
     return FALSE;
   }
 
   return TRUE;
 }
 
 //-----------------------------------------------------------------------------
 
+// A memory certificate store for client certificates.  This allows us to
+// close the "MY" system certificate store when we finish searching for
+// client certificates.
+class ClientCertStore {
+ public:
+  ClientCertStore() {
+    store_ = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, NULL, 0, NULL);
+  }
+
+  ~ClientCertStore() {
+    if (store_) {
+      BOOL ok = CertCloseStore(store_, CERT_CLOSE_STORE_CHECK_FLAG);
+      DCHECK(ok);
+    }
+  }
+
+  PCCERT_CONTEXT CopyCertContext(PCCERT_CONTEXT client_cert) {
+    PCCERT_CONTEXT copy;
+    BOOL ok = CertAddCertificateContextToStore(store_, client_cert,
+                                               CERT_STORE_ADD_USE_EXISTING,
+                                               &copy);
+    DCHECK(ok);
+    return ok ? copy : NULL;
+  }
+
+ private:
+  HCERTSTORE store_;
+};
+
+static base::LazyInstance<ClientCertStore> g_client_cert_store(
+    base::LINKER_INITIALIZED);
+
+//-----------------------------------------------------------------------------
+
 // Size of recv_buffer_
 //
 // Ciphertext is decrypted one SSL record at a time, so recv_buffer_ needs to
 // have room for a full SSL record, with the header and trailer.  Here is the
 // breakdown of the size:
 //   5: SSL record header
 //   16K: SSL record maximum size
 //   64: >= SSL record trailer (16 or 20 have been observed)
 static const int kRecvBufferSize = (5 + 16*1024 + 64);
 
@@ skipping 131 matching lines @@
     if (!chain_context) {
       DWORD err = GetLastError();
       if (err != CRYPT_E_NOT_FOUND)
         DLOG(ERROR) << "CertFindChainInStore failed: " << err;
       break;
     }
 
     // Get the leaf certificate.
     PCCERT_CONTEXT cert_context =
         chain_context->rgpChain[0]->rgpElement[0]->pCertContext;
-    // Copy the certificate into a NULL store, so that we can close the "MY"
-    // store before returning from this function.
-    PCCERT_CONTEXT cert_context2 = NULL;
-    BOOL ok = CertAddCertificateContextToStore(NULL, cert_context,
-                                               CERT_STORE_ADD_USE_EXISTING,
-                                               &cert_context2);
-    if (!ok) {
+    // Copy it to our own certificate store, so that we can close the "MY"
+    // certificate store before returning from this function.
+    PCCERT_CONTEXT cert_context2 =
+        g_client_cert_store.Get().CopyCertContext(cert_context);
+    if (!cert_context2) {
       NOTREACHED();
       continue;
     }
     scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromHandle(
         cert_context2, X509Certificate::OSCertHandles());
     cert_request_info->client_certs.push_back(cert);
     CertFreeCertificateContext(cert_context2);
   }
 
   FreeContextBuffer(issuer_list.aIssuers);
@@ skipping 1004 matching lines @@
     UpdateConnectionTypeHistograms(CONNECTION_SSL_MD2_CA);
 }
 
 void SSLClientSocketWin::FreeSendBuffer() {
   SECURITY_STATUS status = FreeContextBuffer(send_buffer_.pvBuffer);
   DCHECK(status == SEC_E_OK);
   memset(&send_buffer_, 0, sizeof(send_buffer_));
 }
 
 }  // namespace net