Work around our not caching the intermediate CA...

net/base/x509_certificate_nss.cc

 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/x509_certificate.h"
 
 // Work around https://bugzilla.mozilla.org/show_bug.cgi?id=455424
 // until NSS 3.12.2 comes out and we update to it.
 #define Lock FOO_NSS_Lock
 #include <cert.h>
 #include <prtime.h>
 #include <secder.h>
 #include <sechash.h>
 #undef Lock
 
-#include "base/histogram.h"
 #include "base/logging.h"
 #include "base/time.h"
 #include "base/nss_init.h"
 
 namespace net {
 
-// Calculates the SHA-1 fingerprint of the certificate.  Returns an empty
-// (all zero) fingerprint on failure.
-X509Certificate::Fingerprint CalculateFingerprint(
-    X509Certificate::OSCertHandle cert) {
-  X509Certificate::Fingerprint sha1;
-  memset(sha1.data, 0, sizeof(sha1.data));
-  
-  DCHECK(NULL != cert->derCert.data);
-  DCHECK(0 != cert->derCert.len);
-  
-  SECStatus rv = HASH_HashBuf(HASH_AlgSHA1, sha1.data, 
-                              cert->derCert.data, cert->derCert.len);
-  DCHECK(rv == SECSuccess);
-
-  return sha1;
-}
-
 namespace {
 
 // TODO(port): Implement this more simply, and put it in the right place
 base::Time PRTimeToBaseTime(PRTime prtime) {
   PRExplodedTime prxtime;
   PR_ExplodeTime(prtime, PR_GMTParameters, &prxtime);
   
   base::Time::Exploded exploded;
   exploded.year         = prxtime.tm_year;
   exploded.month        = prxtime.tm_month + 1;
   exploded.day_of_week  = prxtime.tm_wday;
   exploded.day_of_month = prxtime.tm_mday;
   exploded.hour         = prxtime.tm_hour;
   exploded.minute       = prxtime.tm_min;
   exploded.second       = prxtime.tm_sec;
   exploded.millisecond  = prxtime.tm_usec / 1000;
   
   return base::Time::FromUTCExploded(exploded);
 }
 
-void ParsePrincipal(SECItem *der_name,
+void ParsePrincipal(SECItem* der_name,
                     X509Certificate::Principal* principal) {
 
   CERTName name;
-  PRArenaPool *arena = NULL;
+  PRArenaPool* arena = NULL;
 
   arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
   DCHECK(arena != NULL);
   if (arena == NULL)
     return;
 
   // TODO(dkegel): is CERT_NameTemplate what we always want here?
   SECStatus rv;
   rv = SEC_QuickDERDecodeItem(arena, &name, CERT_NameTemplate, der_name);
   DCHECK(rv == SECSuccess);
@@ skipping 28 matching lines @@
   CERTRDN** rdns = name.rdns;
   for (size_t rdn = 0; rdns[rdn]; ++rdn) {
     CERTAVA** avas = rdns[rdn]->avas;
     for (size_t pair = 0; avas[pair] != 0; ++pair) {
       SECOidTag tag = CERT_GetAVATag(avas[pair]);
       for (size_t oid = 0; oid < arraysize(kOIDs); ++oid) {
         if (kOIDs[oid] == tag) {
           SECItem* decode_item = CERT_DecodeAVAValue(&avas[pair]->value);
           if (!decode_item)
             break;
-          std::string value(reinterpret_cast<char *>(decode_item->data), 
+          std::string value(reinterpret_cast<char*>(decode_item->data), 
                             decode_item->len);
           values[oid]->push_back(value);
           SECITEM_FreeItem(decode_item, PR_TRUE);
           break;
         }
       }
     }
   }
 
   // We don't expect to have more than one CN, L, S, and C.
@@ skipping 34 matching lines @@
   alt_name_list = CERT_DecodeAltNameExtension(arena, &alt_name);
 
   CERTGeneralName* name = alt_name_list;
   while (name) {
     // For future extension: We're assuming that these values are of types
     // RFC822Name, DNSName or URI.  See the mac code for notes.
     DCHECK(name->type == certRFC822Name ||
            name->type == certDNSName ||
            name->type == certURI);
     if (name->type == name_type) {
-      unsigned char *p = name->name.other.data;
+      unsigned char* p = name->name.other.data;
       int len = name->name.other.len;
-      std::string value = std::string(reinterpret_cast<char *>(p), len);
+      std::string value = std::string(reinterpret_cast<char*>(p), len);
       result->push_back(value);
     }
     name = CERT_GetNextGeneralName(name);
     if (name == alt_name_list)
       break;
   }
   PORT_FreeArena(arena, PR_FALSE);
 }
 
 } // namespace
 
 void X509Certificate::Initialize() {
   ParsePrincipal(&cert_handle_->derSubject, &subject_);
   ParsePrincipal(&cert_handle_->derIssuer, &issuer_);
 
   ParseDate(&cert_handle_->validity.notBefore, &valid_start_);
   ParseDate(&cert_handle_->validity.notAfter, &valid_expiry_);
   
   fingerprint_ = CalculateFingerprint(cert_handle_);
 
   // Store the certificate in the cache in case we need it later.
   X509Certificate::Cache::GetInstance()->Insert(this);
 }
 
 // static
-X509Certificate* X509Certificate::CreateFromHandle(OSCertHandle cert_handle) {
-  DCHECK(cert_handle);
-
-  // Check if we already have this certificate in memory.
-  X509Certificate::Cache* cache = X509Certificate::Cache::GetInstance();
-  X509Certificate* cert = cache->Find(CalculateFingerprint(cert_handle));
-  if (cert) {
-    // We've found a certificate with the same fingerprint in our cache.  We own
-    // the |cert_handle|, which makes it our job to free it.
-    CERT_DestroyCertificate(cert_handle);
-    DHISTOGRAM_COUNTS(L"X509CertificateReuseCount", 1);
-    return cert;
-  }
-  // Otherwise, allocate a new object.
-  return new X509Certificate(cert_handle);
-}
-
-// static
-X509Certificate* X509Certificate::CreateFromBytes(const char* data,
-                                                  int length) {
-  base::EnsureNSSInit();
-
-  SECItem der_cert;
-  der_cert.data = reinterpret_cast<unsigned char *>(const_cast<char *>(data));
-  der_cert.len = length;
-  OSCertHandle cert_handle = 
-      CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &der_cert, 
-                              NULL, PR_FALSE, PR_TRUE);
-  if (!cert_handle)
-    return NULL;
-
-  return CreateFromHandle(cert_handle);
-}
-
-// static
 X509Certificate* X509Certificate::CreateFromPickle(const Pickle& pickle,
                                                    void** pickle_iter) {
   NOTIMPLEMENTED();
   return NULL;
 }
 
-X509Certificate::X509Certificate(OSCertHandle cert_handle)
-    : cert_handle_(cert_handle) {
-  Initialize();
-}
-
 void X509Certificate::Persist(Pickle* pickle) {
   NOTIMPLEMENTED();
 }
 
-X509Certificate::~X509Certificate() {
-  // We might not be in the cache, but it is safe to remove ourselves anyway.
-  X509Certificate::Cache::GetInstance()->Remove(this);
-  if (cert_handle_)
-    CERT_DestroyCertificate(cert_handle_);
-}
-
 void X509Certificate::GetDNSNames(std::vector<std::string>* dns_names) const {
   dns_names->clear();
 
   // Compare with CERT_VerifyCertName().
   GetCertSubjectAltNamesOfType(cert_handle_, certDNSName, dns_names);
   
   // TODO(port): suppress nss's support of the obsolete extension
   //  SEC_OID_NS_CERT_EXT_SSL_SERVER_NAME
   // by providing our own authCertificate callback.
 
   if (dns_names->empty())
     dns_names->push_back(subject_.common_name);
 }
+
+// static
+X509Certificate::OSCertHandle X509Certificate::CreateOSCertHandleFromBytes(
+    const char* data, int length) {
+  base::EnsureNSSInit();
+
+  SECItem der_cert;
+  der_cert.data = reinterpret_cast<unsigned char*>(const_cast<char*>(data));
+  der_cert.len = length;
+  return CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &der_cert,
+                                 NULL, PR_FALSE, PR_TRUE);
+}
+
+// static
+void X509Certificate::FreeOSCertHandle(OSCertHandle cert_handle) {
+  CERT_DestroyCertificate(cert_handle);
+}
+
+// static
+X509Certificate::Fingerprint X509Certificate::CalculateFingerprint(
+    OSCertHandle cert) {
+  Fingerprint sha1;
+  memset(sha1.data, 0, sizeof(sha1.data));
+
+  DCHECK(NULL != cert->derCert.data);
+  DCHECK(0 != cert->derCert.len);
+
+  SECStatus rv = HASH_HashBuf(HASH_AlgSHA1, sha1.data,
+                              cert->derCert.data, cert->derCert.len);
+  DCHECK(rv == SECSuccess);
+
+  return sha1;
+}
   
 }  // namespace net