Add X509CertificateBytes which uses CRYPTO_BUFFER instead of macOS-native certificate types.

net/cert/x509_util_mac.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_CERT_X509_UTIL_MAC_H_
 #define NET_CERT_X509_UTIL_MAC_H_
 
 #include <CoreFoundation/CFArray.h>
 #include <Security/Security.h>
 
 #include <string>
 
+#include "base/mac/scoped_cftyperef.h"
 #include "base/macros.h"
+#include "base/memory/ref_counted.h"
+#include "net/base/hash_value.h"
 #include "net/base/net_export.h"
 
 namespace net {
 
+class X509Certificate;
+
 namespace x509_util {
 
+// Test that a given |cert_handle| is actually a valid X.509 certificate, and

[eroman, 2017/04/03 19:52:03]

nit: Test -> Tests

[mattm, 2017/04/03 23:36:16]

Done.

+// return true if it is.

[eroman, 2017/04/03 19:52:03]

nit: return -> returns

[mattm, 2017/04/03 23:36:16]

Done.

+//
+// On OS X, SecCertificateCreateFromData() does not return any errors if
+// called with invalid data, as long as data is present. The actual decoding
+// of the certificate does not happen until an API that requires a CSSM
+// handle is called. While SecCertificateGetCLHandle is the most likely
+// candidate, as it performs the parsing, it does not check whether the
+// parsing was actually successful. Instead, SecCertificateGetSubject is
+// used (supported since 10.3), as a means to check that the certificate
+// parsed as a valid X.509 certificate.
+NET_EXPORT bool IsValidSecCertificate(SecCertificateRef cert_handle);
+
+// Creates a SecCertificate handle from the DER-encoded representation.
+// Returns NULL on failure.
+NET_EXPORT base::ScopedCFTypeRef<SecCertificateRef>
+CreateSecCertificateFromBytes(const uint8_t* data, size_t length);
+
+// Returns a SecCertificate representing |cert|, or NULL on failure.
+NET_EXPORT base::ScopedCFTypeRef<SecCertificateRef>
+CreateSecCertificateFromX509Certificate(const X509Certificate* cert);
+
+// Returns a new CFMutableArrayRef containing this certificate and its
+// intermediate certificates in the form expected by Security.framework
+// and Keychain Services, or NULL on failure.
+// The first item in the array will be this certificate, followed by its
+// intermediates, if any.
+NET_EXPORT base::ScopedCFTypeRef<CFMutableArrayRef>
+CreateSecCertificateArrayForX509Certificate(X509Certificate* cert);
+
+// Creates an X509Certificate representing |sec_cert| with intermediates
+// |sec_chain|.
+NET_EXPORT scoped_refptr<X509Certificate>
+CreateX509CertificateFromSecCertificate(
+    SecCertificateRef sec_cert,
+    const std::vector<SecCertificateRef>& sec_chain);
+
+// Returns true if the certificate is self-signed.
+NET_EXPORT bool IsSelfSigned(SecCertificateRef cert_handle);
+
+// Calculates the SHA-256 fingerprint of the certificate.  Returns an empty
+// (all zero) fingerprint on failure.
+NET_EXPORT SHA256HashValue CalculateFingerprint256(SecCertificateRef cert);
+
 // Creates a security policy for certificates used as client certificates
 // in SSL.
 // If a policy is successfully created, it will be stored in
 // |*policy| and ownership transferred to the caller.
-OSStatus NET_EXPORT CreateSSLClientPolicy(SecPolicyRef* policy);
+NET_EXPORT OSStatus CreateSSLClientPolicy(SecPolicyRef* policy);
 
 // Create an SSL server policy. While certificate name validation will be
 // performed by SecTrustEvaluate(), it has the following limitations:
 // - Doesn't support IP addresses in dotted-quad literals (127.0.0.1)
 // - Doesn't support IPv6 addresses
 // - Doesn't support the iPAddress subjectAltName
 // Providing the hostname is necessary in order to locate certain user or
 // system trust preferences, such as those created by Safari. Preferences
 // created by Keychain Access do not share this requirement.
 // On success, stores the resultant policy in |*policy| and returns noErr.
-OSStatus NET_EXPORT CreateSSLServerPolicy(const std::string& hostname,
+NET_EXPORT OSStatus CreateSSLServerPolicy(const std::string& hostname,
                                           SecPolicyRef* policy);
 
 // Creates a security policy for basic X.509 validation. If the policy is
 // successfully created, it will be stored in |*policy| and ownership
 // transferred to the caller.
-OSStatus NET_EXPORT CreateBasicX509Policy(SecPolicyRef* policy);
+NET_EXPORT OSStatus CreateBasicX509Policy(SecPolicyRef* policy);
 
 // Creates security policies to control revocation checking (OCSP and CRL).
 // If |enable_revocation_checking| is true, revocation checking will be
 // explicitly enabled.
 // Otherwise, the policies returned will be explicitly prohibited from accessing
 // the network or the local cache, if possible.
 // If the policies are successfully created, they will be appended to
 // |policies|.
-OSStatus NET_EXPORT CreateRevocationPolicies(bool enable_revocation_checking,
+NET_EXPORT OSStatus CreateRevocationPolicies(bool enable_revocation_checking,
                                              CFMutableArrayRef policies);
 
 // CSSM functions are deprecated as of OSX 10.7, but have no replacement.
 // https://bugs.chromium.org/p/chromium/issues/detail?id=590914#c1
 #pragma clang diagnostic push
 #pragma clang diagnostic ignored "-Wdeprecated-declarations"
 
 // Wrapper for a CSSM_DATA_PTR that was obtained via one of the CSSM field
 // accessors (such as CSSM_CL_CertGet[First/Next]Value or
 // CSSM_CL_CertGet[First/Next]CachedValue).
@@ skipping 69 matching lines @@
   CSSM_HANDLE cached_cert_handle_;
 };
 
 #pragma clang diagnostic pop  // "-Wdeprecated-declarations"
 
 }  // namespace x509_util
 
 }  // namespace net
 
 #endif  // NET_CERT_X509_UTIL_MAC_H_