Refactor client cert private key handling.

net/ssl/ssl_platform_key_mac.cc

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/ssl/ssl_platform_key_mac.h"
 
 #include <dlfcn.h>
 #include <CoreFoundation/CoreFoundation.h>
 #include <Security/cssm.h>
 #include <Security/SecBase.h>
@@ skipping 13 matching lines @@
 #include "base/macros.h"
 #include "base/memory/ptr_util.h"
 #include "base/memory/scoped_policy.h"
 #include "base/numerics/safe_conversions.h"
 #include "base/synchronization/lock.h"
 #include "crypto/mac_security_services_lock.h"
 #include "crypto/openssl_util.h"
 #include "net/base/net_errors.h"
 #include "net/cert/x509_certificate.h"
 #include "net/cert/x509_util_mac.h"
-#include "net/ssl/ssl_platform_key.h"
 #include "net/ssl/ssl_platform_key_util.h"
 #include "net/ssl/ssl_private_key.h"
 #include "net/ssl/threaded_ssl_private_key.h"
 #include "third_party/boringssl/src/include/openssl/ecdsa.h"
 #include "third_party/boringssl/src/include/openssl/evp.h"
 #include "third_party/boringssl/src/include/openssl/mem.h"
 #include "third_party/boringssl/src/include/openssl/nid.h"
 #include "third_party/boringssl/src/include/openssl/rsa.h"
 
 #if !defined(MAC_OS_X_VERSION_10_12) || \
@@ skipping 26 matching lines @@
       CSSM_DeleteContext(handle_);
     handle_ = 0;
   }
 
  private:
   CSSM_CC_HANDLE handle_;
 
   DISALLOW_COPY_AND_ASSIGN(ScopedCSSM_CC_HANDLE);
 };
 
-// Looks up the private key for |certificate| in |keychain| and returns
-// a SecKeyRef or nullptr on failure. The caller takes ownership of the
-// result.
-SecKeyRef FetchSecKeyRefForCertificate(const X509Certificate* certificate,
-                                       SecKeychainRef keychain) {
-  OSStatus status;
-  base::ScopedCFTypeRef<SecIdentityRef> identity;
-  {
-    base::ScopedCFTypeRef<SecCertificateRef> os_cert(
-        x509_util::CreateSecCertificateFromX509Certificate(certificate));
-    if (!os_cert)
-      return nullptr;
-    base::AutoLock lock(crypto::GetMacSecurityServicesLock());
-    status = SecIdentityCreateWithCertificate(keychain, os_cert.get(),
-                                              identity.InitializeInto());
-  }
-  if (status != noErr) {
-    OSSTATUS_LOG(WARNING, status);
-    return nullptr;
-  }
-
-  base::ScopedCFTypeRef<SecKeyRef> private_key;
-  status = SecIdentityCopyPrivateKey(identity, private_key.InitializeInto());
-  if (status != noErr) {
-    OSSTATUS_LOG(WARNING, status);
-    return nullptr;
-  }
-
-  return private_key.release();
-}
-
 // These symbols were added in the 10.12 SDK, but we currently use an older SDK,
 // so look them up with dlsym.
 //
 // TODO(davidben): After https://crbug.com/669240 is fixed, use the APIs
 // directly.
 struct SecKeyAPIs {
   SecKeyAPIs() { Init(); }
 
   void Init() {
     SecKeyCreateSignature = reinterpret_cast<SecKeyCreateSignatureFunc>(
@@ skipping 247 matching lines @@
     return OK;
   }
 
  private:
   int type_;
   base::ScopedCFTypeRef<SecKeyRef> key_;
 
   DISALLOW_COPY_AND_ASSIGN(SSLPlatformKeySecKey);
 };
 
-}  // namespace
-
-scoped_refptr<SSLPrivateKey> FetchClientCertPrivateKeyFromKeychain(
+scoped_refptr<SSLPrivateKey> CreateSSLPrivateKeyForSecKey(
     const X509Certificate* certificate,
-    SecKeychainRef keychain) {
-  // Look up the private key.
-  base::ScopedCFTypeRef<SecKeyRef> private_key(
-      FetchSecKeyRefForCertificate(certificate, keychain));
-  if (!private_key)
-    return nullptr;
-
+    SecKeyRef private_key) {
   int key_type;
   size_t max_length;
   if (!GetClientCertInfo(certificate, &key_type, &max_length))
     return nullptr;
 
   if (base::mac::IsAtLeastOS10_12()) {
     return make_scoped_refptr(
         new ThreadedSSLPrivateKey(base::MakeUnique<SSLPlatformKeySecKey>(
-                                      key_type, max_length, private_key.get()),
+                                      key_type, max_length, private_key),
                                   GetSSLPlatformKeyTaskRunner()));
   }
 
   const CSSM_KEY* cssm_key;
-  OSStatus status = SecKeyGetCSSMKey(private_key.get(), &cssm_key);
+  OSStatus status = SecKeyGetCSSMKey(private_key, &cssm_key);
   if (status != noErr) {
     OSSTATUS_LOG(WARNING, status);
     return nullptr;
   }
 
   return make_scoped_refptr(new ThreadedSSLPrivateKey(
-      base::MakeUnique<SSLPlatformKeyCSSM>(key_type, max_length,
-                                           private_key.get(), cssm_key),
+      base::MakeUnique<SSLPlatformKeyCSSM>(key_type, max_length, private_key,
+                                           cssm_key),
       GetSSLPlatformKeyTaskRunner()));
 }
 
-scoped_refptr<SSLPrivateKey> FetchClientCertPrivateKey(
-    const X509Certificate* certificate) {
-  return FetchClientCertPrivateKeyFromKeychain(certificate, nullptr);
+}  // namespace
+
+scoped_refptr<SSLPrivateKey> CreateSSLPrivateKeyForSecIdentity(
+    const X509Certificate* certificate,
+    SecIdentityRef identity) {
+  base::ScopedCFTypeRef<SecKeyRef> private_key;
+  OSStatus status =
+      SecIdentityCopyPrivateKey(identity, private_key.InitializeInto());
+  if (status != noErr) {
+    OSSTATUS_LOG(WARNING, status);
+    return nullptr;
+  }
+
+  return CreateSSLPrivateKeyForSecKey(certificate, private_key.get());
 }
 
 #pragma clang diagnostic pop  // "-Wdeprecated-declarations"
 
 }  // namespace net