Add X509CertificateBytes which uses CRYPTO_BUFFER instead of macOS-native certificate types.

net/ssl/client_cert_store_mac.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/ssl/client_cert_store_mac.h"
 
 #include <CommonCrypto/CommonDigest.h>
 #include <CoreFoundation/CFArray.h>
 #include <CoreServices/CoreServices.h>
 #include <Security/SecBase.h>
@@ skipping 73 matching lines @@
 
 // Returns true if |*cert| is issued by an authority in |valid_issuers|
 // according to Keychain Services, rather than using |cert|'s intermediate
 // certificates. If it is, |*cert| is updated to point to the completed
 // certificate
 bool IsIssuedByInKeychain(const std::vector<std::string>& valid_issuers,
                           scoped_refptr<X509Certificate>* cert) {
   DCHECK(cert);
   DCHECK(cert->get());
 
-  X509Certificate::OSCertHandle cert_handle = (*cert)->os_cert_handle();
+  base::ScopedCFTypeRef<SecCertificateRef> os_cert(
+      x509_util::CreateSecCertificateFromX509Certificate(cert->get()));
+  if (!os_cert)
+    return false;
   CFArrayRef cert_chain = NULL;
-  OSStatus result = CopyCertChain(cert_handle, &cert_chain);
+  OSStatus result = CopyCertChain(os_cert.get(), &cert_chain);
   if (result) {
     OSSTATUS_LOG(ERROR, result) << "CopyCertChain error";
     return false;
   }
 
   if (!cert_chain)
     return false;
 
-  X509Certificate::OSCertHandles intermediates;
+  std::vector<SecCertificateRef> intermediates;
   for (CFIndex i = 1, chain_count = CFArrayGetCount(cert_chain);
        i < chain_count; ++i) {
     SecCertificateRef cert = reinterpret_cast<SecCertificateRef>(
         const_cast<void*>(CFArrayGetValueAtIndex(cert_chain, i)));
     intermediates.push_back(cert);
   }
 
-  scoped_refptr<X509Certificate> new_cert(X509Certificate::CreateFromHandle(
-      cert_handle, intermediates));
+  scoped_refptr<X509Certificate> new_cert(
+      x509_util::CreateX509CertificateFromSecCertificate(os_cert.get(),
+                                                         intermediates));
   CFRelease(cert_chain);  // Also frees |intermediates|.
 
   if (!new_cert || !new_cert->IsIssuedByEncoded(valid_issuers))
     return false;
 
   cert->swap(new_cert);
   return true;
 }
 
 // Returns true if |purpose| is listed as allowed in |usage|. This
@@ skipping 61 matching lines @@
                         CertificateList* selected_certs) {
   CertificateList preliminary_list;
   if (preferred_cert.get())
     preliminary_list.push_back(preferred_cert);
   preliminary_list.insert(preliminary_list.end(), regular_certs.begin(),
                           regular_certs.end());
 
   selected_certs->clear();
   for (size_t i = 0; i < preliminary_list.size(); ++i) {
     scoped_refptr<X509Certificate>& cert = preliminary_list[i];
-    if (cert->HasExpired() || !SupportsSSLClientAuth(cert->os_cert_handle()))
+    if (cert->HasExpired())
       continue;
 
     // Skip duplicates (a cert may be in multiple keychains).
     auto cert_iter = std::find_if(
         selected_certs->begin(), selected_certs->end(),
         [&cert](const scoped_refptr<X509Certificate>& other_cert) {
           return X509Certificate::IsSameOSCert(cert->os_cert_handle(),
                                                other_cert->os_cert_handle());
         });
     if (cert_iter != selected_certs->end())
@@ skipping 73 matching lines @@
     if (err)
       break;
     ScopedCFTypeRef<SecIdentityRef> scoped_identity(identity);
 
     SecCertificateRef cert_handle;
     err = SecIdentityCopyCertificate(identity, &cert_handle);
     if (err != noErr)
       continue;
     ScopedCFTypeRef<SecCertificateRef> scoped_cert_handle(cert_handle);
 
+    if (!SupportsSSLClientAuth(cert_handle))

[eroman, 2017/03/29 23:06:55]

Can you explain this line? Was this a check that would being done inernally by
CreateFromHandle() and previously manifesting as a null |cert| ?

[mattm, 2017/03/30 04:38:10]

This is moved from GetClientCertsImpl (the previous block in the diff) to
ClientCertStoreMac::GetClientCerts, because it requires a SecCertificateRef.
GetClientCertsImpl now only has a X509Certificate, so it would need to create a
new SecCertificate if we left the SupportsSSLClientAuth check in there (or would
need to re-write SupportsSSLClientAuth to not depend on OS calls).

Moving it here should be safe, since GetClientCertsImpl is only called by this
function or by unittests, and the unittests, at least currently, only pass in
client certs anyway and are just testing the issuer filtering.

+      continue;
+
     scoped_refptr<X509Certificate> cert(
-        X509Certificate::CreateFromHandle(cert_handle,
-                                          X509Certificate::OSCertHandles()));
+        x509_util::CreateX509CertificateFromSecCertificate(
+            cert_handle, std::vector<SecCertificateRef>()));
     if (!cert)
       continue;
 
     if (preferred_identity && CFEqual(preferred_identity, identity)) {
       // Only one certificate should match.
       DCHECK(!preferred_cert.get());
       preferred_cert = cert;
     } else {
       regular_certs.push_back(cert);
     }
@@ skipping 25 matching lines @@
     const SSLCertRequestInfo& request,
     CertificateList* selected_certs) {
   GetClientCertsImpl(
       preferred_cert, regular_certs, request, false, selected_certs);
   return true;
 }
 
 #pragma clang diagnostic pop  // "-Wdeprecated-declarations"
 
 }  // namespace net