Convert Windows to use X509CertificateBytes.

net/cert/cert_verify_proc_win.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/cert_verify_proc_win.h"
 
 #include <memory>
 #include <string>
 #include <vector>
 
 #include "base/memory/free_deleter.h"
 #include "base/metrics/histogram_macros.h"
 #include "base/sha1.h"
 #include "base/strings/string_util.h"
 #include "base/strings/utf_string_conversions.h"
 #include "base/threading/thread_local.h"
 #include "crypto/capi_util.h"
 #include "crypto/scoped_capi_types.h"
 #include "crypto/sha2.h"
 #include "net/base/net_errors.h"
 #include "net/cert/asn1_util.h"
 #include "net/cert/cert_status_flags.h"
 #include "net/cert/cert_verifier.h"
 #include "net/cert/cert_verify_result.h"
 #include "net/cert/crl_set.h"
 #include "net/cert/ev_root_ca_metadata.h"
 #include "net/cert/known_roots_win.h"
 #include "net/cert/test_root_certs.h"
 #include "net/cert/x509_certificate.h"
+#include "net/cert/x509_util_win.h"
 
 #if !defined(CERT_TRUST_HAS_WEAK_SIGNATURE)
 // This was introduced in Windows 8 / Windows Server 2012, but retroactively
 // ported as far back as Windows XP via system update.
 #define CERT_TRUST_HAS_WEAK_SIGNATURE 0x00100000
 #endif
 
 namespace net {
 
 namespace {
 
 struct FreeChainEngineFunctor {
   void operator()(HCERTCHAINENGINE engine) const {
     if (engine)
       CertFreeCertificateChainEngine(engine);
   }
 };
 
 struct FreeCertChainContextFunctor {
   void operator()(PCCERT_CHAIN_CONTEXT chain_context) const {
     if (chain_context)
       CertFreeCertificateChain(chain_context);
   }
 };
 
-struct FreeCertContextFunctor {
-  void operator()(PCCERT_CONTEXT context) const {
-    if (context)
-      CertFreeCertificateContext(context);
-  }
-};
-
 typedef crypto::ScopedCAPIHandle<HCERTCHAINENGINE, FreeChainEngineFunctor>
     ScopedHCERTCHAINENGINE;
 
 typedef std::unique_ptr<const CERT_CHAIN_CONTEXT, FreeCertChainContextFunctor>
     ScopedPCCERT_CHAIN_CONTEXT;
 
-typedef std::unique_ptr<const CERT_CONTEXT, FreeCertContextFunctor>
-    ScopedPCCERT_CONTEXT;
-
 //-----------------------------------------------------------------------------
 
 int MapSecurityError(SECURITY_STATUS err) {
   // There are numerous security error codes, but these are the ones we thus
   // far find interesting.
   switch (err) {
     case SEC_E_WRONG_PRINCIPAL:  // Schannel
     case CERT_E_CN_NO_MATCH:  // CryptoAPI
       return ERR_CERT_COMMON_NAME_INVALID;
     case SEC_E_UNTRUSTED_ROOT:  // Schannel
@@ skipping 243 matching lines @@
     } else {
       verified_chain.push_back(cert);
     }
   }
 
   if (verified_cert) {
     // Add the root certificate, if present, as it was not added above.
     if (has_root_ca)
       verified_chain.push_back(element[num_elements]->pCertContext);
     scoped_refptr<X509Certificate> verified_cert_with_chain =
-        X509Certificate::CreateFromHandle(verified_cert, verified_chain);
+        x509_util::CreateX509CertificateFromCertContexts(verified_cert,
+                                                         verified_chain);
     if (verified_cert_with_chain)
       verify_result->verified_cert = std::move(verified_cert_with_chain);
     else
       verify_result->cert_status |= CERT_STATUS_INVALID;
   }
 }
 
 // Decodes the cert's certificatePolicies extension into a CERT_POLICIES_INFO
 // structure and stores it in *output.
 void GetCertPoliciesInfo(
@@ skipping 518 matching lines @@
     const std::string& hostname,
     const std::string& ocsp_response,
     int flags,
     CRLSet* crl_set,
     const CertificateList& additional_trust_anchors,
     CertVerifyResult* verify_result) {
   // Ensure the Revocation Provider has been installed and configured for this
   // CRLSet.
   ScopedThreadLocalCRLSet thread_local_crlset(crl_set);
 
-  PCCERT_CONTEXT cert_handle = cert->os_cert_handle();
-  if (!cert_handle)
-    return ERR_UNEXPECTED;
+  ScopedPCCERT_CONTEXT cert_list = x509_util::CreateCertContextWithChain(cert);
+  if (!cert_list) {
+    verify_result->cert_status |= CERT_STATUS_INVALID;
+    return ERR_CERT_INVALID;
+  }
 
   // Build and validate certificate chain.
   CERT_CHAIN_PARA chain_para;
   memset(&chain_para, 0, sizeof(chain_para));
   chain_para.cbSize = sizeof(chain_para);
   // ExtendedKeyUsage.
   // We still need to request szOID_SERVER_GATED_CRYPTO and szOID_SGC_NETSCAPE
   // today because some certificate chains need them.  IE also requests these
   // two usages.
   static const LPCSTR usage[] = {
     szOID_PKIX_KP_SERVER_AUTH,
     szOID_SERVER_GATED_CRYPTO,
     szOID_SGC_NETSCAPE
   };
   chain_para.RequestedUsage.dwType = USAGE_MATCH_TYPE_OR;
   chain_para.RequestedUsage.Usage.cUsageIdentifier = arraysize(usage);
   chain_para.RequestedUsage.Usage.rgpszUsageIdentifier =
       const_cast<LPSTR*>(usage);
 
   // Get the certificatePolicies extension of the certificate.
   std::unique_ptr<CERT_POLICIES_INFO, base::FreeDeleter> policies_info;
   LPSTR ev_policy_oid = NULL;
   if (flags & CertVerifier::VERIFY_EV_CERT) {
-    GetCertPoliciesInfo(cert_handle, &policies_info);
+    GetCertPoliciesInfo(cert_list.get(), &policies_info);
     if (policies_info.get()) {
       EVRootCAMetadata* metadata = EVRootCAMetadata::GetInstance();
       for (DWORD i = 0; i < policies_info->cPolicyInfo; ++i) {
         LPSTR policy_oid = policies_info->rgPolicyInfo[i].pszPolicyIdentifier;
         if (metadata->IsEVPolicyOID(policy_oid)) {
           ev_policy_oid = policy_oid;
           chain_para.RequestedIssuancePolicy.dwType = USAGE_MATCH_TYPE_AND;
           chain_para.RequestedIssuancePolicy.Usage.cUsageIdentifier = 1;
           chain_para.RequestedIssuancePolicy.Usage.rgpszUsageIdentifier =
               &ev_policy_oid;
@@ skipping 30 matching lines @@
   // cache between runs.
   //
   // This is not the most efficient means of doing so; it's possible to mark the
   // Root store used by TestRootCerts as changed, via CertControlStore with the
   // CERT_STORE_CTRL_NOTIFY_CHANGE / CERT_STORE_CTRL_RESYNC, but that's more
   // complexity for what is test-only code.
   ScopedHCERTCHAINENGINE chain_engine(NULL);
   if (TestRootCerts::HasInstance())
     chain_engine.reset(TestRootCerts::GetInstance()->GetChainEngine());
 
-  ScopedPCCERT_CONTEXT cert_list(cert->CreateOSCertChainForCert());
-
   // Add stapled OCSP response data, which will be preferred over online checks
   // and used when in cache-only mode.
   if (!ocsp_response.empty()) {
     CRYPT_DATA_BLOB ocsp_response_blob;
     ocsp_response_blob.cbData = ocsp_response.size();
     ocsp_response_blob.pbData =
         reinterpret_cast<BYTE*>(const_cast<char*>(ocsp_response.data()));
     CertSetCertificateContextProperty(
         cert_list.get(), CERT_OCSP_RESPONSE_PROP_ID,
         CERT_SET_PROPERTY_IGNORE_PERSIST_ERROR_FLAG, &ocsp_response_blob);
@@ skipping 150 matching lines @@
       verify_result->cert_status |= CERT_STATUS_REVOKED;
     }
   }
 
   ScopedPCCERT_CHAIN_CONTEXT scoped_chain_context(chain_context);
 
   verify_result->cert_status |= MapCertChainErrorStatusToCertStatus(
       chain_context->TrustStatus.dwErrorStatus);
 
   // Flag certificates that have a Subject common name with a NULL character.
-  if (CertSubjectCommonNameHasNull(cert_handle))
+  if (CertSubjectCommonNameHasNull(cert_list.get()))
     verify_result->cert_status |= CERT_STATUS_INVALID;
 
   base::string16 hostname16 = base::ASCIIToUTF16(hostname);
 
   SSL_EXTRA_CERT_CHAIN_POLICY_PARA extra_policy_para;
   memset(&extra_policy_para, 0, sizeof(extra_policy_para));
   extra_policy_para.cbSize = sizeof(extra_policy_para);
   extra_policy_para.dwAuthType = AUTHTYPE_SERVER;
   // Certificate name validation happens separately, later, using an internal
   // routine that has better support for RFC 6125 name matching.
@@ skipping 44 matching lines @@
     return MapCertStatusToNetError(verify_result->cert_status);
 
   if (ev_policy_oid &&
       CheckEV(chain_context, rev_checking_enabled, ev_policy_oid)) {
     verify_result->cert_status |= CERT_STATUS_IS_EV;
   }
   return OK;
 }
 
 }  // namespace net