
Unified Diff: net/socket/ssl_client_socket_impl.cc

Issue 2767883002: Call the platform certificate parser in WorkerPool. (Closed)
Patch Set: Created 3 years, 9 months ago
Index: net/socket/ssl_client_socket_impl.cc
diff --git a/net/socket/ssl_client_socket_impl.cc b/net/socket/ssl_client_socket_impl.cc
index bdbce02cc97fcb7eefd8971e9ee52a1a281cceb3..e292666f945f0b2444e40d8bde596e0831b23c8a 100644
--- a/net/socket/ssl_client_socket_impl.cc
+++ b/net/socket/ssl_client_socket_impl.cc
@@ -24,7 +24,9 @@
#include "base/strings/string_piece.h"
#include "base/strings/stringprintf.h"
#include "base/synchronization/lock.h"
+#include "base/task_runner_util.h"
#include "base/threading/thread_local.h"
+#include "base/threading/worker_pool.h"
#include "base/trace_event/process_memory_dump.h"
#include "base/trace_event/trace_event.h"
#include "base/values.h"
@@ -234,11 +236,11 @@ bool AreLegacyECDSACiphersEnabled() {
}
#endif
-scoped_refptr<X509Certificate> OSChainFromBuffers(STACK_OF(CRYPTO_BUFFER) *
- openssl_chain) {
+int GetOSChainFromBuffers(STACK_OF(CRYPTO_BUFFER) * openssl_chain,
+ scoped_refptr<X509Certificate>* server_cert) {
if (sk_CRYPTO_BUFFER_num(openssl_chain) == 0) {
NOTREACHED();
- return nullptr;
+ return ERR_SSL_SERVER_CERT_BAD_FORMAT;
}
// Convert the certificate chains to a platform certificate handle.
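Review bot: GetOSChainFromBuffers changes its contract here (it now returns a net error code and writes the certificate through `server_cert`) but has no comment saying so or stating what the caller must guarantee. Since the later hunk runs it on a worker thread, I would add a header comment such as `// Runs off the network thread; |openssl_chain| and |server_cert| must stay valid until this returns. Returns OK or ERR_SSL_SERVER_CERT_BAD_FORMAT.` The function body continues outside this hunk.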
@@ -251,7 +253,14 @@ scoped_refptr<X509Certificate> OSChainFromBuffers(STACK_OF(CRYPTO_BUFFER) *
reinterpret_cast<const char*>(CRYPTO_BUFFER_data(cert)),
CRYPTO_BUFFER_len(cert)));
}
- return X509Certificate::CreateFromDERCertChain(der_chain);
+ *server_cert = X509Certificate::CreateFromDERCertChain(der_chain);
+
+ // OpenSSL decoded the certificate, but the platform certificate
+ // implementation could not. This is treated as a fatal SSL-level protocol
+ // error rather than a certificate error. See https://crbug.com/91341.
+ if (!*server_cert)
+ return ERR_SSL_SERVER_CERT_BAD_FORMAT;
+ return OK;
}
#if !defined(OS_IOS)
@@ -1130,8 +1139,8 @@ int SSLClientSocketImpl::DoHandshakeComplete(int result) {
signature_algorithm);
}
- // Verify the certificate.
- next_handshake_state_ = STATE_VERIFY_CERT;
+ // Decode the certificate.
+ next_handshake_state_ = STATE_DECODE_CERT;
return OK;
}
@@ -1169,21 +1178,34 @@ int SSLClientSocketImpl::DoChannelIDLookupComplete(int result) {
return OK;
}
-int SSLClientSocketImpl::DoVerifyCert(int result) {
- DCHECK(start_cert_verification_time_.is_null());
-
- server_cert_ = OSChainFromBuffers(SSL_get0_peer_certificates(ssl_.get()));
+int SSLClientSocketImpl::DoDecodeCert(int result) {
+ scoped_refptr<base::TaskRunner> slow_task_runner =
+ base::WorkerPool::GetTaskRunner(true /* task_is_slow */);
+ base::PostTaskAndReplyWithResult(
+ slow_task_runner.get(), FROM_HERE,
+ base::Bind(&GetOSChainFromBuffers, SSL_get0_peer_certificates(ssl_.get()),
+ &server_cert_),
+ base::Bind(&SSLClientSocketImpl::OnHandshakeIOComplete,
+ base::Unretained(this)));
+ next_handshake_state_ = STATE_DECODE_CERT_COMPLETE;
+ return ERR_IO_PENDING;
+}
- // OpenSSL decoded the certificate, but the platform certificate
- // implementation could not. This is treated as a fatal SSL-level protocol
- // error rather than a certificate error. See https://crbug.com/91341.
- if (!server_cert_)
- return ERR_SSL_SERVER_CERT_BAD_FORMAT;
+int SSLClientSocketImpl::DoDecodeCertComplete(int result) {
+ if (result != OK)
+ return result;
net_log_.AddEvent(NetLogEventType::SSL_CERTIFICATES_RECEIVED,
base::Bind(&NetLogX509CertificateCallback,
base::Unretained(server_cert_.get())));
+ next_handshake_state_ = STATE_VERIFY_CERT;
+ return OK;
+}
+
+int SSLClientSocketImpl::DoVerifyCert(int result) {
+ DCHECK(start_cert_verification_time_.is_null());
+
next_handshake_state_ = STATE_VERIFY_CERT_COMPLETE;
// If the certificate is bad and has been previously accepted, use
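Review bot: In DoDecodeCert the worker task is bound to two raw pointers that belong to this socket, `SSL_get0_peer_certificates(ssl_.get())` (borrowed from `ssl_`) and `&server_cert_`, and the reply is bound with `base::Unretained(this)`. Nothing visible in the hunk keeps the socket alive until the task and its reply have run, so if the socket is destroyed or disconnected while the decode is pending, the worker would read a freed chain and write through a dangling pointer, and the reply would call into a destroyed object. I would copy the DER bytes on the calling thread, have the task return its result by value, and bind the reply to a weak pointer. The fence sketches this; `ParseOSChain`, `OnCertDecoded` and `weak_factory_` are proposed names that do not appear on this page.

```cpp
int SSLClientSocketImpl::DoDecodeCert(int result) {
  // ... unchanged: slow_task_runner lookup ...
  // Copy the DER bytes here so the worker never touches memory owned by ssl_.
  std::vector<std::string> der_chain;
  STACK_OF(CRYPTO_BUFFER)* chain = SSL_get0_peer_certificates(ssl_.get());
  for (size_t i = 0; i < sk_CRYPTO_BUFFER_num(chain); ++i) {
    const CRYPTO_BUFFER* cert = sk_CRYPTO_BUFFER_value(chain, i);
    der_chain.emplace_back(
        reinterpret_cast<const char*>(CRYPTO_BUFFER_data(cert)),
        CRYPTO_BUFFER_len(cert));
  }
  base::PostTaskAndReplyWithResult(
      slow_task_runner.get(), FROM_HERE,
      // The task owns its input and returns {net error, certificate} by value.
      base::Bind(&ParseOSChain, base::Passed(&der_chain)),
      // The reply is dropped if the socket has gone away in the meantime.
      base::Bind(&SSLClientSocketImpl::OnCertDecoded,
                 weak_factory_.GetWeakPtr()));
  // ... unchanged: next_handshake_state_ update and ERR_IO_PENDING return ...
}
```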
@@ -1323,6 +1345,13 @@ int SSLClientSocketImpl::DoHandshakeLoop(int last_io_result) {
case STATE_CHANNEL_ID_LOOKUP_COMPLETE:
rv = DoChannelIDLookupComplete(rv);
break;
+ case STATE_DECODE_CERT:
+ DCHECK_EQ(OK, rv);
+ rv = DoDecodeCert(rv);
+ break;
+ case STATE_DECODE_CERT_COMPLETE:
+ rv = DoDecodeCertComplete(rv);
+ break;
case STATE_VERIFY_CERT:
DCHECK_EQ(OK, rv);
rv = DoVerifyCert(rv);
