Work around our not caching the intermediate CA...

net/base/x509_certificate_win.cc

 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/x509_certificate.h"
 
-#include "base/histogram.h"
 #include "base/logging.h"
 #include "base/pickle.h"
 #include "base/string_tokenizer.h"
 #include "base/string_util.h"
 #include "net/base/cert_status_flags.h"
 #include "net/base/ev_root_ca_metadata.h"
 #include "net/base/scoped_cert_chain_context.h"
 
 #pragma comment(lib, "crypt32.lib")
 
 using base::Time;
 
 namespace net {
 
 namespace {
 
-// Calculates the SHA-1 fingerprint of the certificate.  Returns an empty
-// (all zero) fingerprint on failure.
-X509Certificate::Fingerprint CalculateFingerprint(PCCERT_CONTEXT cert) {
-  DCHECK(NULL != cert->pbCertEncoded);
-  DCHECK(0 != cert->cbCertEncoded);
-
-  BOOL rv;
-  X509Certificate::Fingerprint sha1;
-  DWORD sha1_size = sizeof(sha1.data);
-  rv = CryptHashCertificate(NULL, CALG_SHA1, 0, cert->pbCertEncoded,
-                            cert->cbCertEncoded, sha1.data, &sha1_size);
-  DCHECK(rv && sha1_size == sizeof(sha1.data));
-  if (!rv)
-    memset(sha1.data, 0, sizeof(sha1.data));
-  return sha1;
-}
-
 // Wrappers of malloc and free for CRYPT_DECODE_PARA, which requires the
 // WINAPI calling convention.
 void* WINAPI MyCryptAlloc(size_t size) {
   return malloc(size);
 }
 
 void WINAPI MyCryptFree(void* p) {
   free(p);
 }
 
@@ skipping 197 matching lines @@
   valid_start_ = Time::FromFileTime(cert_handle_->pCertInfo->NotBefore);
   valid_expiry_ = Time::FromFileTime(cert_handle_->pCertInfo->NotAfter);
 
   fingerprint_ = CalculateFingerprint(cert_handle_);
 
   // Store the certificate in the cache in case we need it later.
   X509Certificate::Cache::GetInstance()->Insert(this);
 }
 
 // static
-X509Certificate* X509Certificate::CreateFromHandle(OSCertHandle cert_handle) {
-  DCHECK(cert_handle);
-
-  // Check if we already have this certificate in memory.
-  X509Certificate::Cache* cache = X509Certificate::Cache::GetInstance();
-  X509Certificate* cert = cache->Find(CalculateFingerprint(cert_handle));
-  if (cert) {
-    // We've found a certificate with the same fingerprint in our cache.  We own
-    // the |cert_handle|, which makes it our job to free it.
-    CertFreeCertificateContext(cert_handle);
-    DHISTOGRAM_COUNTS(L"X509CertificateReuseCount", 1);
-    return cert;
-  }
-  // Otherwise, allocate a new object.
-  return new X509Certificate(cert_handle);
-}
-
-// static
-X509Certificate* X509Certificate::CreateFromBytes(const char* data,
-                                                  int length) {
-  OSCertHandle cert_handle = NULL;
-  if (!CertAddEncodedCertificateToStore(
-      NULL,  // the cert won't be persisted in any cert store
-      X509_ASN_ENCODING,
-      reinterpret_cast<const BYTE*>(data), length,
-      CERT_STORE_ADD_USE_EXISTING,
-      &cert_handle))
-    return NULL;
-
-  return CreateFromHandle(cert_handle);
-}
-
-// static
 X509Certificate* X509Certificate::CreateFromPickle(const Pickle& pickle,
                                                    void** pickle_iter) {
   const char* data;
   int length;
   if (!pickle.ReadData(pickle_iter, &data, &length))
     return NULL;
 
   OSCertHandle cert_handle = NULL;
   if (!CertAddSerializedElementToStore(
       NULL,  // the cert won't be persisted in any cert store
       reinterpret_cast<const BYTE*>(data), length,
       CERT_STORE_ADD_USE_EXISTING, 0, CERT_STORE_CERTIFICATE_CONTEXT_FLAG,
       NULL, reinterpret_cast<const void **>(&cert_handle)))
     return NULL;
 
-  return CreateFromHandle(cert_handle);
-}
-
-X509Certificate::X509Certificate(OSCertHandle cert_handle)
-    : cert_handle_(cert_handle) {
-  Initialize();
-}
-
-X509Certificate::X509Certificate(std::string subject, std::string issuer,
-                                 Time start_date, Time expiration_date)
-    : subject_(subject),
-      issuer_(issuer),
-      valid_start_(start_date),
-      valid_expiry_(expiration_date),
-      cert_handle_(NULL) {
-  memset(fingerprint_.data, 0, sizeof(fingerprint_.data));
+  return CreateFromHandle(cert_handle, SOURCE_LONE_CERT_IMPORT);
 }
 
 void X509Certificate::Persist(Pickle* pickle) {
   DWORD length;
   if (!CertSerializeCertificateStoreElement(cert_handle_, 0,
       NULL, &length)) {
     NOTREACHED();
     return;
   }
   BYTE* data = reinterpret_cast<BYTE*>(pickle->BeginWriteData(length));
   if (!CertSerializeCertificateStoreElement(cert_handle_, 0,
       data, &length)) {
     NOTREACHED();
     length = 0;
   }
   pickle->TrimWriteData(length);
 }
 
-X509Certificate::~X509Certificate() {
-  // We might not be in the cache, but it is safe to remove ourselves anyway.
-  X509Certificate::Cache::GetInstance()->Remove(this);
-  if (cert_handle_)
-    CertFreeCertificateContext(cert_handle_);
-}
-
 void X509Certificate::GetDNSNames(std::vector<std::string>* dns_names) const {
   dns_names->clear();
   scoped_ptr_malloc<CERT_ALT_NAME_INFO> alt_name_info;
   GetCertSubjectAltName(cert_handle_, &alt_name_info);
   CERT_ALT_NAME_INFO* alt_name = alt_name_info.get();
   if (alt_name) {
     int num_entries = alt_name->cAltEntry;
     for (int i = 0; i < num_entries; i++) {
       // dNSName is an ASN.1 IA5String representing a string of ASCII
       // characters, so we can use WideToASCII here.
@@ skipping 42 matching lines @@
   // Check the end certificate simple chain (chain_context->rgpChain[0]).
   // If the end certificate's certificatePolicies extension contains the
   // EV policy OID of the root CA, return true.
   PCERT_CHAIN_ELEMENT* element = chain_context->rgpChain[0]->rgpElement;
   int num_elements = chain_context->rgpChain[0]->cElement;
   if (num_elements < 2)
     return false;
 
   // Look up the EV policy OID of the root CA.
   PCCERT_CONTEXT root_cert = element[num_elements - 1]->pCertContext;
-  X509Certificate::Fingerprint fingerprint = CalculateFingerprint(root_cert);
+  Fingerprint fingerprint = CalculateFingerprint(root_cert);
   std::string ev_policy_oid;
   if (!metadata->GetPolicyOID(fingerprint, &ev_policy_oid))
     return false;
   DCHECK(!ev_policy_oid.empty());
 
   // Get the certificatePolicies extension of the end certificate.
   PCCERT_CONTEXT end_cert = element[0]->pCertContext;
   scoped_ptr_malloc<CERT_POLICIES_INFO> policies_info;
   GetCertPoliciesInfo(end_cert, &policies_info);
   if (!policies_info.get())
     return false;
 
   return ContainsPolicy(policies_info.get(), ev_policy_oid.c_str());
 }
 
+// static
+X509Certificate::OSCertHandle X509Certificate::CreateOSCertHandleFromBytes(
+    const char* data, int length) {
+  OSCertHandle cert_handle = NULL;
+  if (!CertAddEncodedCertificateToStore(
+      NULL,  // the cert won't be persisted in any cert store
+      X509_ASN_ENCODING,
+      reinterpret_cast<const BYTE*>(data), length,
+      CERT_STORE_ADD_USE_EXISTING,
+      &cert_handle))
+    return NULL;
+
+  return cert_handle;
+}
+
+// static
+void X509Certificate::FreeOSCertHandle(OSCertHandle cert_handle) {
+  CertFreeCertificateContext(cert_handle);
+}
+
+// static
+X509Certificate::Fingerprint X509Certificate::CalculateFingerprint(
+    OSCertHandle cert) {
+  DCHECK(NULL != cert->pbCertEncoded);
+  DCHECK(0 != cert->cbCertEncoded);
+
+  BOOL rv;
+  Fingerprint sha1;
+  DWORD sha1_size = sizeof(sha1.data);
+  rv = CryptHashCertificate(NULL, CALG_SHA1, 0, cert->pbCertEncoded,
+                            cert->cbCertEncoded, sha1.data, &sha1_size);
+  DCHECK(rv && sha1_size == sizeof(sha1.data));
+  if (!rv)
+    memset(sha1.data, 0, sizeof(sha1.data));
+  return sha1;
+}
+
 }  // namespace net