Add X509CertificateBytes which uses CRYPTO_BUFFER instead of macOS-native certificate types.

net/cert/x509_certificate.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/x509_certificate.h"
 
 #include <limits.h>
 #include <stdlib.h>
 
 #include <algorithm>
@@ skipping 30 matching lines @@
 const X509Certificate::Format kFormatDecodePriority[] = {
   X509Certificate::FORMAT_SINGLE_CERTIFICATE,
   X509Certificate::FORMAT_PKCS7
 };
 
 // The PEM block header used for DER certificates
 const char kCertificateHeader[] = "CERTIFICATE";
 // The PEM block header used for PKCS#7 data
 const char kPKCS7Header[] = "PKCS7";
 
-#if !defined(USE_NSS_CERTS)
+#if !defined(USE_NSS_CERTS) && !defined(USE_BYTE_CERTS)
 // A thread-safe cache for OS certificate handles.
 //
 // Within each of the supported underlying crypto libraries, a certificate
 // handle is represented as a ref-counted object that contains the parsed
 // data for the certificate. In addition, the underlying OS handle may also
 // contain a copy of the original ASN.1 DER used to constructed the handle.
 //
 // In order to reduce the memory usage when multiple SSL connections exist,
 // with each connection storing the server's identity certificate plus any
 // intermediates supplied, the certificate handles are cached. Any two
@@ skipping 120 matching lines @@
     return;  // A hash collision where the winning cert is still around.
 
   if (--pos->second.ref_count == 0) {
     // The last reference to |cert_handle| has been removed, so release the
     // Entry's OS handle and remove the Entry. The caller still holds a
     // reference to |cert_handle| and is responsible for freeing it.
     X509Certificate::FreeOSCertHandle(pos->second.cert_handle);
     cache_.erase(pos);
   }
 }
 #endif  // !defined(USE_NSS_CERTS)

[eroman, 2017/03/29 23:06:54]

nit: Update comments?

[mattm, 2017/03/30 04:38:09]

Done.

 
 // See X509CertificateCache::InsertOrUpdate. NSS has a built-in cache, so there
-// is no point in wrapping another cache around it.
+// is no point in wrapping another cache around it. With USE_BYTE_CERTS, the
+// CYRPTO_BUFFERs are deduped by a CRYPTO_BUFFER_POOL.
 void InsertOrUpdateCache(X509Certificate::OSCertHandle* cert_handle) {
-#if !defined(USE_NSS_CERTS)
+#if !defined(USE_NSS_CERTS) && !defined(USE_BYTE_CERTS)
   g_x509_certificate_cache.Pointer()->InsertOrUpdate(cert_handle);
 #endif
 }
 
 // See X509CertificateCache::Remove.
 void RemoveFromCache(X509Certificate::OSCertHandle cert_handle) {
-#if !defined(USE_NSS_CERTS)
+#if !defined(USE_NSS_CERTS) && !defined(USE_BYTE_CERTS)
   g_x509_certificate_cache.Pointer()->Remove(cert_handle);
 #endif
 }
 
 // Utility to split |src| on the first occurrence of |c|, if any. |right| will
 // either be empty if |c| was not found, or will contain the remainder of the
 // string including the split character itself.
 void SplitOnChar(const base::StringPiece& src,
                  char c,
                  base::StringPiece* left,
@@ skipping 516 matching lines @@
     RemoveFromCache(cert_handle_);
     FreeOSCertHandle(cert_handle_);
   }
   for (size_t i = 0; i < intermediate_ca_certs_.size(); ++i) {
     RemoveFromCache(intermediate_ca_certs_[i]);
     FreeOSCertHandle(intermediate_ca_certs_[i]);
   }
 }
 
 }  // namespace net