Convert Windows to use X509CertificateBytes.

net/ssl/client_cert_store_win.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/ssl/client_cert_store_win.h"
 
 #include <algorithm>
 #include <string>
 
 #define SECURITY_WIN32  // Needs to be defined before including security.h
 #include <windows.h>
 #include <security.h>
 
 #include "base/bind.h"
 #include "base/bind_helpers.h"
 #include "base/callback.h"
 #include "base/logging.h"
 #include "base/memory/ptr_util.h"
+#include "base/numerics/safe_conversions.h"
 #include "base/task_runner_util.h"
 #include "base/threading/thread_task_runner_handle.h"
 #include "crypto/wincrypt_shim.h"
 #include "net/cert/x509_util.h"
+#include "net/cert/x509_util_win.h"
 #include "net/ssl/ssl_platform_key_win.h"
 #include "net/ssl/ssl_private_key.h"
 
 namespace net {
 
 namespace {
 
 class ClientCertIdentityWin : public ClientCertIdentity {
  public:
   // Takes ownership of |cert_context|.
@@ skipping 120 matching lines @@
     PCCERT_CONTEXT cert_context2 = NULL;
     BOOL ok = CertAddCertificateContextToStore(NULL, cert_context,
                                                CERT_STORE_ADD_USE_EXISTING,
                                                &cert_context2);
     if (!ok) {
       NOTREACHED();
       continue;
     }
 
     // Grab the intermediates, if any.
-    X509Certificate::OSCertHandles intermediates;
+    std::vector<PCCERT_CONTEXT> intermediates;
     for (DWORD i = 1; i < chain_context->rgpChain[0]->cElement; ++i) {
       PCCERT_CONTEXT chain_intermediate =
           chain_context->rgpChain[0]->rgpElement[i]->pCertContext;
       PCCERT_CONTEXT copied_intermediate = NULL;
       ok = CertAddCertificateContextToStore(NULL, chain_intermediate,
                                             CERT_STORE_ADD_USE_EXISTING,
                                             &copied_intermediate);
       if (ok)
         intermediates.push_back(copied_intermediate);
     }
 
     // Drop the self-signed root, if any. Match Internet Explorer in not sending
     // it. Although the root's signature is irrelevant for authentication, some
     // servers reject chains if the root is explicitly sent and has a weak
     // signature algorithm. See https://crbug.com/607264.
     //
     // The leaf or a intermediate may also have a weak signature algorithm but,
     // in that case, assume it is a configuration error.
     if (!intermediates.empty() &&
-        X509Certificate::IsSelfSigned(intermediates.back())) {
+        x509_util::IsSelfSigned(intermediates.back())) {
       CertFreeCertificateContext(intermediates.back());
       intermediates.pop_back();
     }
 
+    // TODO(mattm): The following comment is only true when not using
+    // USE_BYTE_CERTS. Remove it once the non-byte-certs code is also removed.
     // TODO(svaldez): cert currently wraps cert_context2 which may be backed
     // by a smartcard with threading difficulties. Instead, create a fresh
     // X509Certificate with CreateFromBytes and route cert_context2 into the
     // SSLPrivateKey. Probably changing CertificateList to be a
     // pair<X509Certificate, SSLPrivateKeyCallback>.
-    scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromHandle(
-        cert_context2, intermediates);
+    scoped_refptr<X509Certificate> cert =
+        x509_util::CreateX509CertificateFromCertContexts(cert_context2,
+                                                         intermediates);
     if (cert) {
       selected_identities->push_back(base::MakeUnique<ClientCertIdentityWin>(
           std::move(cert),
           cert_context2,     // Takes ownership of |cert_context2|.
           current_thread));  // The key must be acquired on the same thread, as
                              // the PCCERT_CONTEXT may not be thread safe.
     }
     for (size_t i = 0; i < intermediates.size(); ++i)
       CertFreeCertificateContext(intermediates[i]);
   }
@@ skipping 47 matching lines @@
     ClientCertIdentityList* selected_identities) {
   ScopedHCERTSTORE test_store(CertOpenStore(CERT_STORE_PROV_MEMORY, 0, NULL, 0,
                                             NULL));
   if (!test_store)
     return false;
 
   // Add available certificates to the test store.
   for (size_t i = 0; i < input_certs.size(); ++i) {
     // Add the certificate to the test store.
     PCCERT_CONTEXT cert = NULL;
-    if (!CertAddCertificateContextToStore(test_store,
-                                          input_certs[i]->os_cert_handle(),
-                                          CERT_STORE_ADD_NEW, &cert)) {
+    std::string der_cert;
+    X509Certificate::GetDEREncoded(input_certs[i]->os_cert_handle(), &der_cert);
+    if (!CertAddEncodedCertificateToStore(
+            test_store, X509_ASN_ENCODING,
+            reinterpret_cast<const BYTE*>(der_cert.data()),
+            base::checked_cast<DWORD>(der_cert.size()), CERT_STORE_ADD_NEW,
+            &cert)) {
       return false;
     }
+    // Hold the reference to the certificate (since we requested a copy).
+    ScopedPCCERT_CONTEXT scoped_cert(cert);
+
     // Add dummy private key data to the certificate - otherwise the certificate
     // would be discarded by the filtering routines.
     CRYPT_KEY_PROV_INFO private_key_data;
     memset(&private_key_data, 0, sizeof(private_key_data));
     if (!CertSetCertificateContextProperty(cert,
                                            CERT_KEY_PROV_INFO_PROP_ID,
                                            0, &private_key_data)) {
       return false;
     }
-    // Decrement the reference count of the certificate (since we requested a
-    // copy).
-    if (!CertFreeCertificateContext(cert))
-      return false;
   }
 
   GetClientCertsImpl(test_store.get(), request, selected_identities);
   return true;
 }
 
 }  // namespace net