Move the NSS functions out of CertDatabase into a new NSSCertDatabase class.

chrome/browser/chromeos/cros/certificate_pattern.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/cros/certificate_pattern.h"
 
 #include <algorithm>
 #include <list>
 #include <string>
 #include <vector>
 
 #include <cert.h>
 #include <pk11pub.h>
 
 #include "base/logging.h"
 #include "base/values.h"
 #include "net/base/cert_database.h"
 #include "net/base/net_errors.h"
+#include "net/base/nss_cert_database.h"
 #include "net/base/x509_cert_types.h"
 #include "net/base/x509_certificate.h"
 
 // To shorten some of those long lines below.
 using base::DictionaryValue;
 using base::ListValue;
 using std::find;
 using std::list;
 using std::string;
 using std::vector;
@@ skipping 74 matching lines @@
 
 // Functor to filter out certs that don't have an issuer in the associated
 // IssuerCARef list.
 class IssuerCaRefFilter {
  public:
   explicit IssuerCaRefFilter(const vector<string>& issuer_ca_ref_list)
     : issuer_ca_ref_list_(issuer_ca_ref_list) {}
   bool operator()(const scoped_refptr<net::X509Certificate>& cert) const {
     // Find the certificate issuer for each certificate.
     // TODO(gspencer): this functionality should be available from
-    // X509Certificate or CertDatabase.
+    // X509Certificate or NSSCertDatabase.
     CERTCertificate* issuer_cert = CERT_FindCertIssuer(
         cert.get()->os_cert_handle(), PR_Now(), certUsageAnyCA);
 
     if (issuer_cert && issuer_cert->nickname) {
       // Separate the nickname stored in the certificate at the colon, since
       // NSS likes to store it as token:nickname.
       const char* delimiter = ::strchr(issuer_cert->nickname, ':');
       if (delimiter) {
         delimiter++;  // move past the colon.
         vector<string>::const_iterator pat_iter = issuer_ca_ref_list_.begin();
@@ skipping 113 matching lines @@
   subject_.Clear();
   enrollment_uri_list_.clear();
 }
 
 scoped_refptr<net::X509Certificate> CertificatePattern::GetMatch() const {
   typedef list<scoped_refptr<net::X509Certificate> > CertificateStlList;
 
   // Start with all the certs, and narrow it down from there.
   net::CertificateList all_certs;
   CertificateStlList matching_certs;
-  net::CertDatabase cert_db;
-  cert_db.ListCerts(&all_certs);
+  net::NSSCertDatabase nss_cert_db;
+  nss_cert_db.ListCerts(&all_certs);
 
   if (all_certs.empty())
     return NULL;
 
   for (net::CertificateList::iterator iter = all_certs.begin();
        iter != all_certs.end(); ++iter) {
     matching_certs.push_back(*iter);
   }
 
   // Strip off any certs that don't have the right issuer and/or subject.
@@ skipping 12 matching lines @@
   if (!issuer_ca_ref_list_.empty()) {
     matching_certs.remove_if(IssuerCaRefFilter(issuer_ca_ref_list_));
     if (matching_certs.empty())
       return NULL;
   }
 
   // Eliminate any certs that don't have private keys associated with
   // them.  The CheckUserCert call in the filter is a little slow (because of
   // underlying PKCS11 calls), so we do this last to reduce the number of times
   // we have to call it.
+  net::CertDatabase cert_db;
   PrivateKeyFilter private_filter(&cert_db);
   matching_certs.remove_if(private_filter);
 
   if (matching_certs.empty())
     return NULL;
 
   // We now have a list of certificates that match the pattern we're
   // looking for.  Now we find the one with the latest start date.
   scoped_refptr<net::X509Certificate> latest(NULL);
 
@@ skipping 52 matching lines @@
   // If we didn't copy anything from the dictionary, then it had better be
   // empty.
   DCHECK(dict.empty() == Empty());
   if (dict.empty() != Empty())
     return false;
 
   return true;
 }
 
 }  // namespace chromeos