Refactor client cert private key handling.

chrome/browser/ui/cocoa/ssl_client_certificate_selector_cocoa.mm

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #import "chrome/browser/ui/cocoa/ssl_client_certificate_selector_cocoa.h"
 
 #import <SecurityInterface/SFChooseIdentityPanel.h>
 #include <stddef.h>
 
 #include <utility>
 
 #include "base/logging.h"
 #include "base/mac/foundation_util.h"
 #include "base/strings/string_util.h"
 #include "base/strings/sys_string_conversions.h"
 #include "base/strings/utf_string_conversions.h"
 #include "base/threading/thread_task_runner_handle.h"
 #include "chrome/browser/ssl/ssl_client_auth_observer.h"
 #import "chrome/browser/ui/cocoa/constrained_window/constrained_window_mac.h"
 #include "chrome/grit/generated_resources.h"
 #include "components/guest_view/browser/guest_view_base.h"
 #include "components/strings/grit/components_strings.h"
 #include "components/web_modal/web_contents_modal_dialog_manager.h"
 #include "content/public/browser/browser_thread.h"
 #include "content/public/browser/client_certificate_delegate.h"
 #include "content/public/browser/web_contents.h"
 #include "net/cert/x509_certificate.h"
 #include "net/cert/x509_util_mac.h"
 #include "net/ssl/ssl_cert_request_info.h"
+#include "net/ssl/ssl_platform_key_mac.h"
 #include "ui/base/cocoa/window_size_constants.h"
 #include "ui/base/l10n/l10n_util_mac.h"
 
 using content::BrowserThread;
 
 @interface SFChooseIdentityPanel (SystemPrivate)
 // A system-private interface that dismisses a panel whose sheet was started by
 // -beginSheetForWindow:modalDelegate:didEndSelector:contextInfo:identities:message:
 // as though the user clicked the button identified by returnCode. Verified
-// present in 10.5 through 10.8.
+// present in 10.5 through 10.12.
 - (void)_dismissWithCode:(NSInteger)code;
 @end
 
 @interface SSLClientCertificateSelectorCocoa ()
 - (void)onConstrainedWindowClosed;
 @end
 
 class SSLClientAuthObserverCocoaBridge : public SSLClientAuthObserver,
                                          public ConstrainedWindowMacDelegate {
  public:
@@ skipping 24 matching lines @@
 
  private:
   SSLClientCertificateSelectorCocoa* controller_;  // weak
 };
 
 namespace chrome {
 
 void ShowSSLClientCertificateSelector(
     content::WebContents* contents,
     net::SSLCertRequestInfo* cert_request_info,
-    net::CertificateList client_certs,
+    net::ClientCertIdentityList client_certs,
     std::unique_ptr<content::ClientCertificateDelegate> delegate) {
   DCHECK_CURRENTLY_ON(BrowserThread::UI);
 
   // Not all WebContentses can show modal dialogs.
   //
   // Use the top-level embedder if |contents| is a guest.
   // GetTopLevelWebContents() will return |contents| otherwise.
   // TODO(davidben): Move this hook to the WebContentsDelegate and only try to
   // show a dialog in Browser's implementation. https://crbug.com/456255
   if (web_modal::WebContentsModalDialogManager::FromWebContents(
@@ skipping 75 matching lines @@
   if ((self = [super init])) {
     observer_.reset(new SSLClientAuthObserverCocoaBridge(
         browserContext, certRequestInfo, std::move(delegate), self));
   }
   return self;
 }
 
 - (void)sheetDidEnd:(NSWindow*)sheet
          returnCode:(NSInteger)returnCode
             context:(void*)context {
-  net::X509Certificate* cert = NULL;
+  net::ClientCertIdentity* cert = nullptr;
   if (returnCode == NSFileHandlingPanelOKButton) {
-    CFRange range = CFRangeMake(0, CFArrayGetCount(identities_));
+    CFRange range = CFRangeMake(0, CFArrayGetCount(sec_identities_));
     CFIndex index =
-        CFArrayGetFirstIndexOfValue(identities_, range, [panel_ identity]);
+        CFArrayGetFirstIndexOfValue(sec_identities_, range, [panel_ identity]);
     if (index != -1)
-      cert = certificates_[index].get();
+      cert = cert_identities_[index].get();
     else
       NOTREACHED();
   }
 
   // See comment at definition; this works around a 10.12 bug.
   ClearTableViewDataSourcesIfNeeded(sheet);
 
   if (!closePending_) {
     // If |closePending_| is already set, |closeSheetWithAnimation:| was called
     // already to cancel the selection rather than continue with no
     // certificate. Otherwise, tell the backend which identity (or none) the
     // user selected.
     userResponded_ = YES;
-    observer_->CertificateSelected(cert);
+
+    if (cert) {
+      observer_->CertificateSelected(
+          cert->certificate(),
+          CreateSSLPrivateKeyForSecIdentity(cert->certificate(),
+                                            cert->sec_identity_ref())
+              .get());
+    } else {
+      observer_->CertificateSelected(nullptr, nullptr);
+    }
 
     constrainedWindow_->CloseWebContentsModalDialog();
   }
 }
 
 - (void)displayForWebContents:(content::WebContents*)webContents
-                  clientCerts:(net::CertificateList)inputClientCerts {
+                  clientCerts:(net::ClientCertIdentityList)inputClientCerts {
+  cert_identities_ = std::move(inputClientCerts);
   // Create an array of CFIdentityRefs for the certificates:
-  size_t numCerts = inputClientCerts.size();
-  identities_.reset(CFArrayCreateMutable(
-      kCFAllocatorDefault, numCerts, &kCFTypeArrayCallBacks));
+  size_t numCerts = cert_identities_.size();
+  sec_identities_.reset(CFArrayCreateMutable(kCFAllocatorDefault, numCerts,
+                                             &kCFTypeArrayCallBacks));
   for (size_t i = 0; i < numCerts; ++i) {
-    base::ScopedCFTypeRef<SecCertificateRef> cert(
-        net::x509_util::CreateSecCertificateFromX509Certificate(
-            inputClientCerts[i].get()));
-    if (!cert)
-      continue;
-    SecIdentityRef identity;
-    if (SecIdentityCreateWithCertificate(NULL, cert, &identity) == noErr) {
-      CFArrayAppendValue(identities_, identity);
-      CFRelease(identity);
-      certificates_.push_back(inputClientCerts[i]);
-    }
+    DCHECK(cert_identities_[i]->sec_identity_ref());
+    CFArrayAppendValue(sec_identities_,
+                       cert_identities_[i]->sec_identity_ref());
   }
 
   // Get the message to display:
   NSString* message = l10n_util::GetNSStringF(
       IDS_CLIENT_CERT_DIALOG_TEXT,
       base::ASCIIToUTF16(
           observer_->cert_request_info()->host_and_port.ToString()));
 
   // Create and set up a system choose-identity panel.
   panel_.reset([[SFChooseIdentityPanel alloc] init]);
@@ skipping 24 matching lines @@
   return panel_;
 }
 
 - (void)showSheetForWindow:(NSWindow*)window {
   NSString* title = l10n_util::GetNSString(IDS_CLIENT_CERT_DIALOG_TITLE);
   overlayWindow_.reset([window retain]);
   [panel_ beginSheetForWindow:window
                 modalDelegate:self
                didEndSelector:@selector(sheetDidEnd:returnCode:context:)
                   contextInfo:NULL
-                   identities:base::mac::CFToNSCast(identities_)
+                   identities:base::mac::CFToNSCast(sec_identities_)
                       message:title];
 }
 
 - (void)closeSheetWithAnimation:(BOOL)withAnimation {
   if (!userResponded_) {
     // If the sheet is closed by closing the tab rather than the user explicitly
     // hitting Cancel, |closeSheetWithAnimation:| gets called before
     // |sheetDidEnd:|. In this case, the selection should be canceled rather
     // than continue with no certificate. The |returnCode| parameter to
     // |sheetDidEnd:| is the same in both cases.
@@ skipping 43 matching lines @@
 }
 
 - (void)onConstrainedWindowClosed {
   observer_->StopObserving();
   panel_.reset();
   constrainedWindow_.reset();
   [self release];
 }
 
 @end