Refactor X509Certificate caching to cache the OS handle, rather than the X509Certificate

net/base/x509_certificate.h

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_BASE_X509_CERTIFICATE_H_
 #define NET_BASE_X509_CERTIFICATE_H_
 #pragma once
 
 #include <string.h>
 
@@ skipping 30 matching lines @@
 class StringPiece;
 class RSAPrivateKey;
 }  // namespace crypto
 
 namespace net {
 
 class CertVerifyResult;
 
 typedef std::vector<scoped_refptr<X509Certificate> > CertificateList;
 
-// X509Certificate represents an X.509 certificate used by SSL.
+// X509Certificate represents a X.509 certificate, which is comprised a
+// particular identity or end-entity certificate, such as an SSL server
+// identity or an SSL client certificate, and zero or more intermediate
+// certificates that may be used to build a path to a root certificate.
 class NET_API X509Certificate
     : public base::RefCountedThreadSafe<X509Certificate> {
  public:
   // A handle to the certificate object in the underlying crypto library.
   // We assume that OSCertHandle is a pointer type on all platforms and
   // NULL is an invalid OSCertHandle.
 #if defined(OS_WIN)
   typedef PCCERT_CONTEXT OSCertHandle;
 #elif defined(OS_MACOSX)
   typedef SecCertificateRef OSCertHandle;
 #elif defined(USE_OPENSSL)
   typedef struct x509_st* OSCertHandle;
 #elif defined(USE_NSS)
   typedef struct CERTCertificateStr* OSCertHandle;
 #else
   // TODO(ericroman): not implemented
   typedef void* OSCertHandle;
 #endif
 
   typedef std::vector<OSCertHandle> OSCertHandles;
 
   // Predicate functor used in maps when X509Certificate is used as the key.
   class NET_API LessThan {
    public:
     bool operator() (X509Certificate* lhs,  X509Certificate* rhs) const;
   };
 
-  // Where the certificate comes from.  The enumeration constants are
-  // listed in increasing order of preference.
-  enum Source {
-    SOURCE_UNUSED = 0,            // The source_ member is not used.
-    SOURCE_LONE_CERT_IMPORT = 1,  // From importing a certificate without
-                                  // any intermediate CA certificates.
-    SOURCE_FROM_CACHE = 2,        // From the disk cache - which contains
-                                  // intermediate CA certificates, but may be
-                                  // stale.
-    SOURCE_FROM_NETWORK = 3,      // From the network.
-  };
-
   enum VerifyFlags {
     VERIFY_REV_CHECKING_ENABLED = 1 << 0,
     VERIFY_EV_CERT = 1 << 1,
   };
 
   enum Format {
     // The data contains a single DER-encoded certificate, or a PEM-encoded
     // DER certificate with the PEM encoding block name of "CERTIFICATE".
     // Any subsequent blocks will be ignored.
     FORMAT_SINGLE_CERTIFICATE = 1 << 0,
@@ skipping 28 matching lines @@
     // |intermediate_ca_certificates_| at the time it was serialized.
     PICKLETYPE_CERTIFICATE_CHAIN,
   };
 
   // Creates a X509Certificate from the ground up.  Used by tests that simulate
   // SSL connections.
   X509Certificate(const std::string& subject, const std::string& issuer,
                   base::Time start_date, base::Time expiration_date);
 
   // Create an X509Certificate from a handle to the certificate object in the
-  // underlying crypto library. |source| specifies where |cert_handle| comes
-  // from.  Given two certificate handles for the same certificate, our
-  // certificate cache prefers the handle from the network because our HTTP
-  // cache isn't caching the corresponding intermediate CA certificates yet
-  // (http://crbug.com/7065).
-  // The returned pointer must be stored in a scoped_refptr<X509Certificate>.
+  // underlying crypto library. The returned pointer must be stored in a
+  // scoped_refptr<X509Certificate>.
   static X509Certificate* CreateFromHandle(OSCertHandle cert_handle,
-                                           Source source,
                                            const OSCertHandles& intermediates);
 
   // Create an X509Certificate from a chain of DER encoded certificates. The
   // first certificate in the chain is the end-entity certificate to which a
   // handle is returned. The other certificates in the chain are intermediate
-  // certificates. See the comment for |CreateFromHandle| about the |source|
-  // argument.
-  // The returned pointer must be stored in a scoped_refptr<X509Certificate>.
+  // certificates. The returned pointer must be stored in a
+  // scoped_refptr<X509Certificate>.
   static X509Certificate* CreateFromDERCertChain(
       const std::vector<base::StringPiece>& der_certs);
 
   // Create an X509Certificate from the DER-encoded representation.
   // Returns NULL on failure.
   //
   // The returned pointer must be stored in a scoped_refptr<X509Certificate>.
   static X509Certificate* CreateFromBytes(const char* data, int length);
 
   // Create an X509Certificate from the representation stored in the given
@@ skipping 129 matching lines @@
   // by one of the given names will be included in the list.
   static bool GetSSLClientCertificates(
       const std::string& server_domain,
       const std::vector<CertPrincipal>& valid_issuers,
       CertificateList* certs);
 
   // Creates the chain of certs to use for this client identity cert.
   CFArrayRef CreateClientCertificateChain() const;
 #endif
 
-#if defined(OS_WIN)
-  // Returns a handle to a global, in-memory certificate store. We use it for
-  // two purposes:
-  // 1. Import server certificates into this store so that we can verify and
-  //    display the certificates using CryptoAPI.
-  // 2. Copy client certificates from the "MY" system certificate store into
-  //    this store so that we can close the system store when we finish
-  //    searching for client certificates.
-  static HCERTSTORE cert_store();
-#endif
-
 #if defined(USE_OPENSSL)
   // Returns a handle to a global, in-memory certificate store. We
   // use it for test code, e.g. importing the test server's certificate.
   static X509_STORE* cert_store();
 #endif
 
   // Verifies the certificate against the given hostname.  Returns OK if
   // successful or an error code upon failure.
   //
   // The |*verify_result| structure, including the |verify_result->cert_status|
@@ skipping 39 matching lines @@
   // specific |format|. Returns an empty collection on failure.
   static OSCertHandles CreateOSCertHandlesFromBytes(
       const char* data, int length, Format format);
 
   // Duplicates (or adds a reference to) an OS certificate handle.
   static OSCertHandle DupOSCertHandle(OSCertHandle cert_handle);
 
   // Frees (or releases a reference to) an OS certificate handle.
   static void FreeOSCertHandle(OSCertHandle cert_handle);
 
+  // Calculates the SHA-1 fingerprint of the certificate.  Returns an empty
+  // (all zero) fingerprint on failure.
+  static SHA1Fingerprint CalculateFingerprint(OSCertHandle cert_handle);
+
  private:
   friend class base::RefCountedThreadSafe<X509Certificate>;
   friend class TestRootCerts;  // For unit tests
   FRIEND_TEST_ALL_PREFIXES(X509CertificateTest, Cache);
   FRIEND_TEST_ALL_PREFIXES(X509CertificateTest, IntermediateCertificates);
   FRIEND_TEST_ALL_PREFIXES(X509CertificateTest, SerialNumbers);
   FRIEND_TEST_ALL_PREFIXES(X509CertificateNameVerifyTest, VerifyHostname);
 
   // Construct an X509Certificate from a handle to the certificate object
   // in the underlying crypto library.
-  X509Certificate(OSCertHandle cert_handle, Source source,
+  X509Certificate(OSCertHandle cert_handle,
                   const OSCertHandles& intermediates);
 
   ~X509Certificate();
 
   // Common object initialization code.  Called by the constructors only.
   void Initialize();
 
 #if defined(OS_WIN)
   bool CheckEV(PCCERT_CHAIN_CONTEXT chain_context,
                const char* policy_oid) const;
   static bool IsIssuedByKnownRoot(PCCERT_CHAIN_CONTEXT chain_context);
 #endif
 #if defined(OS_MACOSX)
   static bool IsIssuedByKnownRoot(CFArrayRef chain);
 #endif
 #if defined(USE_NSS)
   bool VerifyEV() const;
 #endif
 #if defined(USE_OPENSSL)
   // Resets the store returned by cert_store() to default state. Used by
   // TestRootCerts to undo modifications.
   static void ResetCertStore();
 #endif
 
-  // Calculates the SHA-1 fingerprint of the certificate.  Returns an empty
-  // (all zero) fingerprint on failure.
-  static SHA1Fingerprint CalculateFingerprint(OSCertHandle cert_handle);
-
   // Verifies that |hostname| matches one of the certificate names or IP
   // addresses supplied, based on TLS name matching rules - specifically,
   // following http://tools.ietf.org/html/rfc6125.
   // |cert_common_name| is the Subject CN, e.g. from X509Certificate::subject().
   // The members of |cert_san_dns_names| and |cert_san_ipaddrs| must be filled
   // from the dNSName and iPAddress components of the subject alternative name
   // extension, if present. Note these IP addresses are NOT ascii-encoded:
   // they must be 4 or 16 bytes of network-ordered data, for IPv4 and IPv6
   // addresses, respectively.
   static bool VerifyHostname(const std::string& hostname,
@@ skipping 61 matching lines @@
   // Untrusted intermediate certificates associated with this certificate
   // that may be needed for chain building.
   OSCertHandles intermediate_ca_certs_;
 
 #if defined(OS_MACOSX)
   // Blocks multiple threads from verifying the cert simultaneously.
   // (Marked mutable because it's used in a const method.)
   mutable base::Lock verification_lock_;
 #endif
 
-  // Where the certificate comes from.
-  Source source_;
-
   DISALLOW_COPY_AND_ASSIGN(X509Certificate);
 };
 
 }  // namespace net
 
 #endif  // NET_BASE_X509_CERTIFICATE_H_