Add X509CertificateBytes which uses CRYPTO_BUFFER instead of macOS-native certificate types.

net/ssl/client_cert_store_mac.cc

Index: net/ssl/client_cert_store_mac.cc
diff --git a/net/ssl/client_cert_store_mac.cc b/net/ssl/client_cert_store_mac.cc
index d94ab1856d04c6ee2a6a15cec9c9607642e65570..a3ef5899155d3a1f3fec7da227c3af7845724fd7 100644
--- a/net/ssl/client_cert_store_mac.cc
+++ b/net/ssl/client_cert_store_mac.cc
@@ -91,9 +91,12 @@ bool IsIssuedByInKeychain(const std::vector<std::string>& valid_issuers,
   DCHECK(cert);
   DCHECK(cert->get());
 
-  X509Certificate::OSCertHandle cert_handle = (*cert)->os_cert_handle();
+  base::ScopedCFTypeRef<SecCertificateRef> os_cert(
+      x509_util::CreateSecCertificateFromX509Certificate(cert->get()));
+  if (!os_cert)
+    return false;
   CFArrayRef cert_chain = NULL;
-  OSStatus result = CopyCertChain(cert_handle, &cert_chain);
+  OSStatus result = CopyCertChain(os_cert.get(), &cert_chain);
   if (result) {
     OSSTATUS_LOG(ERROR, result) << "CopyCertChain error";
     return false;
@@ -102,7 +105,7 @@ bool IsIssuedByInKeychain(const std::vector<std::string>& valid_issuers,
   if (!cert_chain)
     return false;
 
-  X509Certificate::OSCertHandles intermediates;
+  std::vector<SecCertificateRef> intermediates;
   for (CFIndex i = 1, chain_count = CFArrayGetCount(cert_chain);
        i < chain_count; ++i) {
     SecCertificateRef cert = reinterpret_cast<SecCertificateRef>(
@@ -110,8 +113,9 @@ bool IsIssuedByInKeychain(const std::vector<std::string>& valid_issuers,
     intermediates.push_back(cert);
   }
 
-  scoped_refptr<X509Certificate> new_cert(X509Certificate::CreateFromHandle(
-      cert_handle, intermediates));
+  scoped_refptr<X509Certificate> new_cert(
+      x509_util::CreateX509CertificateFromSecCertificate(os_cert.get(),
+                                                         intermediates));
   CFRelease(cert_chain);  // Also frees |intermediates|.
 
   if (!new_cert || !new_cert->IsIssuedByEncoded(valid_issuers))
@@ -193,7 +197,7 @@ void GetClientCertsImpl(const scoped_refptr<X509Certificate>& preferred_cert,
   selected_certs->clear();
   for (size_t i = 0; i < preliminary_list.size(); ++i) {
     scoped_refptr<X509Certificate>& cert = preliminary_list[i];
-    if (cert->HasExpired() || !SupportsSSLClientAuth(cert->os_cert_handle()))
+    if (cert->HasExpired())
       continue;
 
     // Skip duplicates (a cert may be in multiple keychains).
@@ -287,9 +291,12 @@ void ClientCertStoreMac::GetClientCerts(const SSLCertRequestInfo& request,
       continue;
     ScopedCFTypeRef<SecCertificateRef> scoped_cert_handle(cert_handle);
 
+    if (!SupportsSSLClientAuth(cert_handle))

[eroman, 2017/03/29 23:06:55]

Can you explain this line? Was this a check that would being done inernally by
CreateFromHandle() and previously manifesting as a null |cert| ?

[mattm, 2017/03/30 04:38:10]

This is moved from GetClientCertsImpl (the previous block in the diff) to
ClientCertStoreMac::GetClientCerts, because it requires a SecCertificateRef.
GetClientCertsImpl now only has a X509Certificate, so it would need to create a
new SecCertificate if we left the SupportsSSLClientAuth check in there (or would
need to re-write SupportsSSLClientAuth to not depend on OS calls).

Moving it here should be safe, since GetClientCertsImpl is only called by this
function or by unittests, and the unittests, at least currently, only pass in
client certs anyway and are just testing the issuer filtering.

+      continue;
+
     scoped_refptr<X509Certificate> cert(
-        X509Certificate::CreateFromHandle(cert_handle,
-                                          X509Certificate::OSCertHandles()));
+        x509_util::CreateX509CertificateFromSecCertificate(
+            cert_handle, std::vector<SecCertificateRef>()));
     if (!cert)
       continue;