Refactor client cert private key handling.

remoting/host/token_validator_base.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "remoting/host/token_validator_base.h"
 
 #include <stddef.h>
 
 #include "base/base64.h"
 #include "base/bind.h"
@@ skipping 12 matching lines @@
 #include "net/base/upload_data_stream.h"
 #include "net/ssl/client_cert_store.h"
 #if defined(USE_NSS_CERTS)
 #include "net/ssl/client_cert_store_nss.h"
 #elif defined(OS_WIN)
 #include "net/ssl/client_cert_store_win.h"
 #elif defined(OS_MACOSX)
 #include "net/ssl/client_cert_store_mac.h"
 #endif
 #include "net/ssl/ssl_cert_request_info.h"
-#include "net/ssl/ssl_platform_key.h"
 #include "net/ssl/ssl_private_key.h"
 #include "net/url_request/redirect_info.h"
 #include "net/url_request/url_request.h"
 #include "net/url_request/url_request_context.h"
 #include "net/url_request/url_request_status.h"
 #include "remoting/base/logging.h"
 #include "url/gurl.h"
 
 namespace {
 
 const int kBufferSize = 4096;
 const char kCertIssuerWildCard[] = "*";
 
 // The certificate is valid if:
 // * The certificate issuer matches exactly |issuer| or the |issuer| is a
 //   wildcard. And
 // * |now| is within [valid_start, valid_expiry].
 bool IsCertificateValid(const std::string& issuer,
                         const base::Time& now,
-                        const scoped_refptr<net::X509Certificate>& cert) {
+                        const net::X509Certificate* cert) {
   return (issuer == kCertIssuerWildCard ||
       issuer == cert->issuer().common_name) &&
       cert->valid_start() <= now && cert->valid_expiry() > now;
 }
 
 // Returns true if the certificate |c1| is worse than |c2|.
 //
 // Criteria:
 // 1. An invalid certificate is always worse than a valid certificate.
 // 2. Invalid certificates are equally bad, in which case false will be
 //    returned.
 // 3. A certificate with earlier |valid_start| time is worse.
 // 4. When |valid_start| are the same, the certificate with earlier
 //    |valid_expiry| is worse.
 bool WorseThan(const std::string& issuer,
                const base::Time& now,
-               const scoped_refptr<net::X509Certificate>& c1,
-               const scoped_refptr<net::X509Certificate>& c2) {
+               const std::unique_ptr<net::ClientCertIdentity>& i1,
+               const std::unique_ptr<net::ClientCertIdentity>& i2) {
+  net::X509Certificate* c1 = i1->certificate();
+  net::X509Certificate* c2 = i2->certificate();
+
   if (!IsCertificateValid(issuer, now, c2))
     return false;
 
   if (!IsCertificateValid(issuer, now, c1))
     return true;
 
   if (c1->valid_start() != c2->valid_start())
     return c1->valid_start() < c2->valid_start();
 
   return c1->valid_expiry() < c2->valid_expiry();
@@ skipping 121 matching lines @@
   // client_cert_store to stay alive until the callback is called. So we must
   // give it a WeakPtr for |this|, and ownership of the other parameters.
   client_cert_store->GetClientCerts(
       *cert_request_info,
       base::Bind(&TokenValidatorBase::OnCertificatesSelected,
                  weak_factory_.GetWeakPtr(), base::Owned(client_cert_store)));
 }
 
 void TokenValidatorBase::OnCertificatesSelected(
     net::ClientCertStore* unused,
-    net::CertificateList selected_certs) {
+    net::ClientCertIdentityList selected_certs) {
   const std::string& issuer =
       third_party_auth_config_.token_validation_cert_issuer;
 
   base::Time now = base::Time::Now();
 
   auto best_match_position =
       std::max_element(selected_certs.begin(), selected_certs.end(),
                        std::bind(&WorseThan, issuer, now, std::placeholders::_1,
                                  std::placeholders::_2));
 
   if (best_match_position == selected_certs.end() ||
-      !IsCertificateValid(issuer, now, *best_match_position)) {
+      !IsCertificateValid(issuer, now, (*best_match_position)->certificate())) {
     ContinueWithCertificate(nullptr, nullptr);
   } else {
-    ContinueWithCertificate(
-        best_match_position->get(),
-        net::FetchClientCertPrivateKey(best_match_position->get()).get());
+    scoped_refptr<net::X509Certificate> cert =
+        (*best_match_position)->certificate();
+    net::ClientCertIdentity::SelfOwningAcquirePrivateKey(
+        std::move(*best_match_position),
+        base::Bind(&TokenValidatorBase::ContinueWithCertificate,
+                   weak_factory_.GetWeakPtr(), std::move(cert)));
   }
 }
 
 void TokenValidatorBase::ContinueWithCertificate(
-    net::X509Certificate* client_cert,
-    net::SSLPrivateKey* client_private_key) {
+    scoped_refptr<net::X509Certificate> client_cert,
+    scoped_refptr<net::SSLPrivateKey> client_private_key) {
   if (request_) {
     if (client_cert) {
       HOST_LOG << "Using certificate issued by: '"
                << client_cert->issuer().common_name << "' with start date: '"
                << client_cert->valid_start() << "' and expiry date: '"
                << client_cert->valid_expiry() << "'";
     }
 
-    request_->ContinueWithCertificate(client_cert, client_private_key);
+    request_->ContinueWithCertificate(std::move(client_cert),
+                                      std::move(client_private_key));
   }
 }
 
 bool TokenValidatorBase::IsValidScope(const std::string& token_scope) {
   // TODO(rmsousa): Deal with reordering/subsets/supersets/aliases/etc.
   return token_scope == token_scope_;
 }
 
 std::string TokenValidatorBase::ProcessResponse(int net_result) {
   // Verify that we got a successful response.
@@ skipping 25 matching lines @@
     return std::string();
   }
 
   std::string shared_secret;
   // Everything is valid, so return the shared secret to the caller.
   dict->GetStringWithoutPathExpansion("access_token", &shared_secret);
   return shared_secret;
 }
 
 }  // namespace remoting