Fix client certificate authentication on Mac and Linux introduced in r178732

net/cert/x509_certificate_mac.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/x509_certificate.h"
 
 #include <CommonCrypto/CommonDigest.h>
 #include <CoreServices/CoreServices.h>
 #include <Security/Security.h>
 #include <time.h>
@@ skipping 95 matching lines @@
   OSStatus status = cached_cert.GetField(&CSSMOID_X509V1SerialNumber,
                                          &serial_number);
   if (status || !serial_number.field())
     return std::string();
 
   return std::string(
       reinterpret_cast<const char*>(serial_number.field()->Data),
       serial_number.field()->Length);
 }
 
-// Gets the issuer for a given cert, starting with the cert itself and
-// including the intermediate and finally root certificates (if any).
-// This function calls SecTrust but doesn't actually pay attention to the trust
-// result: it shouldn't be used to determine trust, just to traverse the chain.
-// Caller is responsible for releasing the value stored into *out_cert_chain.
-OSStatus CopyCertChain(SecCertificateRef cert_handle,
-                       CFArrayRef* out_cert_chain) {
-  DCHECK(cert_handle);
-  DCHECK(out_cert_chain);
-
-  // Create an SSL policy ref configured for client cert evaluation.
-  SecPolicyRef ssl_policy;
-  OSStatus result = x509_util::CreateSSLClientPolicy(&ssl_policy);
-  if (result)
-    return result;
-  ScopedCFTypeRef<SecPolicyRef> scoped_ssl_policy(ssl_policy);
-
-  // Create a SecTrustRef.
-  ScopedCFTypeRef<CFArrayRef> input_certs(CFArrayCreate(
-      NULL, const_cast<const void**>(reinterpret_cast<void**>(&cert_handle)),
-      1, &kCFTypeArrayCallBacks));
-  SecTrustRef trust_ref = NULL;
-  {
-    base::AutoLock lock(crypto::GetMacSecurityServicesLock());
-    result = SecTrustCreateWithCertificates(input_certs, ssl_policy,
-                                            &trust_ref);
-  }
-  if (result)
-    return result;
-  ScopedCFTypeRef<SecTrustRef> trust(trust_ref);
-
-  // Evaluate trust, which creates the cert chain.
-  SecTrustResultType status;
-  CSSM_TP_APPLE_EVIDENCE_INFO* status_chain;
-  {
-    base::AutoLock lock(crypto::GetMacSecurityServicesLock());
-    result = SecTrustEvaluate(trust, &status);
-  }
-  if (result)
-    return result;
-  {
-    base::AutoLock lock(crypto::GetMacSecurityServicesLock());
-    result = SecTrustGetResult(trust, &status, out_cert_chain, &status_chain);
-  }
-  return result;
-}
-
 // Returns true if |purpose| is listed as allowed in |usage|. This
 // function also considers the "Any" purpose. If the attribute is
 // present and empty, we return false.
 bool ExtendedKeyUsageAllows(const CE_ExtendedKeyUsage* usage,
                             const CSSM_OID* purpose) {
   for (unsigned p = 0; p < usage->numPurposes; ++p) {
     if (CSSMOIDEqual(&usage->purposes[p], purpose))
       return true;
     if (CSSMOIDEqual(&usage->purposes[p], &CSSMOID_ExtendedKeyUsageAny))
       return true;
@@ skipping 532 matching lines @@
   if (status == CSSM_OK && key_usage.field()) {
     const CSSM_X509_EXTENSION* ext = key_usage.GetAs<CSSM_X509_EXTENSION>();
     const CE_ExtendedKeyUsage* ext_key_usage =
         reinterpret_cast<const CE_ExtendedKeyUsage*>(ext->value.parsedValue);
     if (!ExtendedKeyUsageAllows(ext_key_usage, &CSSMOID_ClientAuth))
       return false;
   }
   return true;
 }
 
-CFArrayRef X509Certificate::CreateClientCertificateChain() const {
-  // Initialize the result array with just the IdentityRef of the receiver:
-  SecIdentityRef identity;
-  OSStatus result;
-  {
-    base::AutoLock lock(crypto::GetMacSecurityServicesLock());
-    result = SecIdentityCreateWithCertificate(NULL, cert_handle_, &identity);
-  }
-  if (result) {
-    OSSTATUS_LOG(ERROR, result) << "SecIdentityCreateWithCertificate error";
-    return NULL;
-  }
-  ScopedCFTypeRef<CFMutableArrayRef> chain(
-      CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks));
-  CFArrayAppendValue(chain, identity);
-
-  CFArrayRef cert_chain = NULL;
-  result = CopyCertChain(cert_handle_, &cert_chain);
-  ScopedCFTypeRef<CFArrayRef> scoped_cert_chain(cert_chain);
-  if (result) {
-    OSSTATUS_LOG(ERROR, result) << "CreateIdentityCertificateChain error";
-    return chain.release();
-  }
-
-  // Append the intermediate certs from SecTrust to the result array:
-  if (cert_chain) {
-    int chain_count = CFArrayGetCount(cert_chain);
-    if (chain_count > 1) {
-      CFArrayAppendArray(chain,
-                         cert_chain,
-                         CFRangeMake(1, chain_count - 1));
-    }
-  }
-
-  return chain.release();
-}
-
 CFArrayRef X509Certificate::CreateOSCertChainForCert() const {
   CFMutableArrayRef cert_list =
       CFArrayCreateMutable(kCFAllocatorDefault, 0,
                            &kCFTypeArrayCallBacks);
   if (!cert_list)
     return NULL;
 
   CFArrayAppendValue(cert_list, os_cert_handle());
   for (size_t i = 0; i < intermediate_ca_certs_.size(); ++i)
     CFArrayAppendValue(cert_list, intermediate_ca_certs_[i]);
@@ skipping 63 matching lines @@
       *type = kPublicKeyTypeDH;
       break;
     default:
       *type = kPublicKeyTypeUnknown;
       *size_bits = 0;
       break;
   }
 }
 
 }  // namespace net