Resolve certificate references in ONC by PEM.

chrome/browser/chromeos/cros/cert_library.cc

Index: chrome/browser/chromeos/cros/cert_library.cc
diff --git a/chrome/browser/chromeos/cros/cert_library.cc b/chrome/browser/chromeos/cros/cert_library.cc
index 736d6cb0642dc41b2d70ecbecdbeef18c56e4ee9..952f14f1358b1f079e9cd7258b2fbb94c0e07173 100644
--- a/chrome/browser/chromeos/cros/cert_library.cc
+++ b/chrome/browser/chromeos/cros/cert_library.cc
@@ -19,6 +19,7 @@
 #include "chromeos/dbus/cryptohome_client.h"
 #include "chromeos/dbus/dbus_thread_manager.h"
 #include "chromeos/login/login_state.h"
+#include "chromeos/network/onc/onc_utils.h"
 #include "content/public/browser/browser_thread.h"
 #include "crypto/nss_util.h"
 #include "grit/generated_resources.h"
@@ -61,6 +62,16 @@ string16 GetDisplayString(net::X509Certificate* cert, bool hardware_backed) {
   }
 }
 
+std::string CertToPEM(const net::X509Certificate& cert) {
+  std::string pem_encoded_cert;
+  if (!net::X509Certificate::GetPEMEncoded(cert.os_cert_handle(),
+                                           &pem_encoded_cert)) {
+    LOG(ERROR) << "Couldn't PEM-encode certificate";
+    return std::string();
+  }
+  return pem_encoded_cert;
+}
+
 }  // namespace
 
 class CertNameComparator {
@@ -148,9 +159,8 @@ string16 CertLibrary::GetCertDisplayStringAt(CertType type, int index) const {
   return GetDisplayString(cert, hardware_backed);
 }
 
-std::string CertLibrary::GetCertNicknameAt(CertType type, int index) const {
-  net::X509Certificate* cert = GetCertificateAt(type, index);
-  return x509_certificate_model::GetNickname(cert->os_cert_handle());
+std::string CertLibrary::GetCertPEMAt(CertType type, int index) const {
+  return CertToPEM(*GetCertificateAt(type, index));
 }
 
 std::string CertLibrary::GetCertPkcs11IdAt(CertType type, int index) const {
@@ -168,17 +178,16 @@ bool CertLibrary::IsCertHardwareBackedAt(CertType type, int index) const {
       NetworkHandler::Get()->cert_loader()->tpm_token_name();
 }
 
-int CertLibrary::GetCertIndexByNickname(CertType type,
-                                        const std::string& nickname) const {
+int CertLibrary::GetCertIndexByPEM(CertType type,
+                                   const std::string& pem_encoded) const {
   int num_certs = NumCertificates(type);
   for (int index = 0; index < num_certs; ++index) {
     net::X509Certificate* cert = GetCertificateAt(type, index);
-    net::X509Certificate::OSCertHandle cert_handle = cert->os_cert_handle();
-    std::string nick = x509_certificate_model::GetNickname(cert_handle);
-    if (nick == nickname)
-      return index;
+    if (CertToPEM(*cert) != pem_encoded)

[Mattias Nissler (ping if slow), 2013/07/02 13:00:35]

Is this fast enough for the UI thread? For large numbers of certificates, this
might be a problem. I guess this is the downside of not using fingerprints :)

[pneubeck (no reviews), 2013/07/02 14:38:43]

We _could_ calculate the fingerprint of pem_encoded here and compare it with
cert->fingerprint (which is precalculated). This could be done locally in this
function and without dependency on NSS (i.e. without creating a temporary cert
and without using NSS to calculate the SHA1).

Not sure that it's worth the effort.
However, we should better avoid using PEMs in the upcoming JS UI.

[stevenjb, 2013/07/02 16:16:26]

As far as I recall, this function only gets called when we display a network
configuration dialog, at which point a minor block is reasonable, but we should
comment that in the header, and add a TODO to make this asynchronous or remove
it.

[pneubeck (no reviews), 2013/07/03 13:45:56]

Done.

+      continue;
+    return index;
   }
-  return -1;  // Not found.
+  return -1;
 }
 
 int CertLibrary::GetCertIndexByPkcs11Id(CertType type,
@@ -272,4 +281,4 @@ const net::CertificateList& CertLibrary::GetCertificateListForType(
   return certs_;
 }
 
-}  // chromeos
+}  // namespace chromeos