
Unified Diff: net/socket/ssl_client_socket_nss.cc

Issue 1076063002: Remove certificates from Channel ID (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 5 years, 8 months ago
Index: net/socket/ssl_client_socket_nss.cc
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index 99320efd9273027ee821c213eba532fea0de91a8..7f613accf070bc0e5c48dfcd78712ba168a1f29a 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -830,7 +830,7 @@ class SSLClientSocketNSS::Core : public base::RefCountedThreadSafe<Core> {
// The service for retrieving Channel ID keys. May be NULL.
ChannelIDService* channel_id_service_;
- ChannelIDService::RequestHandle domain_bound_cert_request_handle_;
+ ChannelIDService::RequestHandle channel_id_request_handle_;
// The information about NSS task runner.
int unhandled_buffer_size_;
@@ -915,8 +915,7 @@ class SSLClientSocketNSS::Core : public base::RefCountedThreadSafe<Core> {
// prior to invoking OnHandshakeIOComplete.
// Read on the NSS task runner when once OnHandshakeIOComplete is invoked
// on the NSS task runner.
- std::string domain_bound_private_key_;
- std::string domain_bound_cert_;
+ scoped_ptr<crypto::ECPrivateKey> channel_id_key_;
DISALLOW_COPY_AND_ASSIGN(Core);
};
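Review bot: The new member `channel_id_key_` has no comment of its own, and the threading comment above it, which starts outside this hunk, was written for the two strings it replaces. The field now holds a live `crypto::ECPrivateKey` rather than an encrypted private-key blob plus a certificate, so its lifetime and ownership deserve a line such as `// Channel ID key filled in by ChannelIDService; null until the DoGetChannelID request completes. Owned by Core.` The null-until-complete part follows from the check in ImportChannelIDKeys; whether the key should be released earlier than Core's destruction is not visible here and worth confirming.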
@@ -1091,7 +1090,7 @@ void SSLClientSocketNSS::Core::Detach() {
network_handshake_state_.Reset();
- domain_bound_cert_request_handle_.Cancel();
+ channel_id_request_handle_.Cancel();
}
int SSLClientSocketNSS::Core::Read(IOBuffer* buf, int buf_len,
@@ -2322,34 +2321,11 @@ SECStatus SSLClientSocketNSS::Core::ClientChannelIDHandler(
int SSLClientSocketNSS::Core::ImportChannelIDKeys(SECKEYPublicKey** public_key,
SECKEYPrivateKey** key) {
- // Set the certificate.
- SECItem cert_item;
- cert_item.data = (unsigned char*) domain_bound_cert_.data();
- cert_item.len = domain_bound_cert_.size();
- ScopedCERTCertificate cert(CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
- &cert_item,
- NULL,
- PR_FALSE,
- PR_TRUE));
- if (cert == NULL)
- return MapNSSError(PORT_GetError());
+ if (channel_id_key_.get() == nullptr)
Ryan Sleevi 2015/04/09 22:40:09 if (!channel_id_key_)
nharper 2015/04/10 00:32:08 Done.
+ return SECFailure;
- crypto::ScopedPK11Slot slot(PK11_GetInternalSlot());
- // Set the private key.
- if (!crypto::ECPrivateKey::ImportFromEncryptedPrivateKeyInfo(
- slot.get(),
- ChannelIDService::kEPKIPassword,
- reinterpret_cast<const unsigned char*>(
- domain_bound_private_key_.data()),
- domain_bound_private_key_.size(),
- &cert->subjectPublicKeyInfo,
- false,
- false,
- key,
- public_key)) {
- int error = MapNSSError(PORT_GetError());
- return error;
- }
+ *public_key = channel_id_key_->public_key();
+ *key = channel_id_key_->key();
mattm 2015/04/10 01:00:27 Need to SECKEY_CopyPrivateKey and SECKEY_CopyPubli
nharper 2015/04/25 02:59:18 Done.
return OK;
}
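Review bot: The early return `return SECFailure;` in ImportChannelIDKeys mixes two error domains: the function is declared `int` and its success path returns `OK`, a net error code, while SECFailure is an NSS SECStatus value (-1), numerically the same as net::ERR_IO_PENDING. A caller that reads the result as a net error would presumably see a pending operation instead of a hard failure when no Channel ID key is available. Returning a net error, for example `return ERR_UNEXPECTED;`, keeps the missing-key case a definite failure. How ClientChannelIDHandler interprets the value is outside this hunk, so confirm it there.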
@@ -2611,11 +2587,9 @@ int SSLClientSocketNSS::Core::DoGetChannelID(const std::string& host) {
weak_net_log_->BeginEvent(NetLog::TYPE_SSL_GET_DOMAIN_BOUND_CERT);
int rv = channel_id_service_->GetOrCreateChannelID(
- host,
- &domain_bound_private_key_,
- &domain_bound_cert_,
+ host, &channel_id_key_,
base::Bind(&Core::OnGetChannelIDComplete, base::Unretained(this)),
- &domain_bound_cert_request_handle_);
+ &channel_id_request_handle_);
if (rv != ERR_IO_PENDING && !OnNSSTaskRunner()) {
nss_task_runner_->PostTask(
