Change the HTTP cache to cache the entire certificate chain for SSL sites

net/base/x509_certificate.h

Index: net/base/x509_certificate.h
diff --git a/net/base/x509_certificate.h b/net/base/x509_certificate.h
index 7f2c8815a8d53dde9b1293872f8e6738f8ece318..6376b43d7dbaefa43a96fd221d96dac7d9875a38 100644
--- a/net/base/x509_certificate.h
+++ b/net/base/x509_certificate.h
@@ -79,8 +79,11 @@ class X509Certificate : public base::RefCountedThreadSafe<X509Certificate> {
   enum Source {
     SOURCE_UNUSED = 0,            // The source_ member is not used.
     SOURCE_LONE_CERT_IMPORT = 1,  // From importing a certificate without
-                                  // its intermediate CA certificates.
-    SOURCE_FROM_NETWORK = 2,      // From the network.
+                                  // any intermediate CA certificates.
+    SOURCE_FROM_CACHE = 2,        // From the disk cache - which contains
+                                  // intermediate CA certificates, but may be
+                                  // stale.
+    SOURCE_FROM_NETWORK = 3,      // From the network.
   };

[wtc, 2011/04/20 23:07:58]

IMPORTANT: I added the enum Source to work around this bug.
Therefore, when we fixed this bug, we should be able to
remove enum Source, rather than extending it.

SOURCE_LONE_CERT_IMPORT was intended to mean importing a
certificate from the HTTP cache.  So it is exactly what
SOURCE_FROM_CACHE is, for version 1.

In any case, please try to remove enum Source.

[Ryan Sleevi, 2011/04/20 23:59:10]

The motivation for extending it in M12 was to minimize a regression of the
original issue. Because the user's existing cache only contains single
certificates, any cached resources the user loads after upgrading to M12 would
regress, while any newly cached resources would be fine.

By deferring removal to M13 (as part of the X509Certificate* cache changes),
this allowed a full release for users to transition from single-cert V1 to
chained V2. This should reduce the potential impact to just users who skip M12
entirely.

The preference here is:
1) < M12 HTTP Cache (cached EE only)
2) M12 HTTP Cache (cached EE + cached intermediates)
3) Network in current browsing session (EE + intermediates)

 
   enum VerifyFlags {
@@ -110,6 +113,17 @@ class X509Certificate : public base::RefCountedThreadSafe<X509Certificate> {
                   FORMAT_PKCS7,
   };
 
+  enum PickleType {

[wtc, 2011/04/20 23:07:58]

The motivation for enum PickleType should be documented.
It is not obvious why PickleType does not apply to writing
a certificate to a Pickle unless one also looks at the
corresponding code in http_response_info.cc.

+    // When reading a certificate from a Pickle, the Pickle only contains a
+    // single certificate.
+    PICKLETYPE_SINGLE_CERTIFICATE,
+
+    // When reading a certificate from a Pickle, the Pickle contains the
+    // the certificate plus any certificates that were stored in
+    // |intermediate_ca_certificates_| at the time it was serialized.
+    PICKLETYPE_CERTIFICATE_CHAIN,
+  };
+
   // Creates a X509Certificate from the ground up.  Used by tests that simulate
   // SSL connections.
   X509Certificate(const std::string& subject, const std::string& issuer,
@@ -123,8 +137,8 @@ class X509Certificate : public base::RefCountedThreadSafe<X509Certificate> {
   // (http://crbug.com/7065).
   // The returned pointer must be stored in a scoped_refptr<X509Certificate>.
   static X509Certificate* CreateFromHandle(OSCertHandle cert_handle,
-      Source source,
-      const OSCertHandles& intermediates);
+                                           Source source,
+                                           const OSCertHandles& intermediates);
 
   // Create an X509Certificate from a chain of DER encoded certificates. The
   // first certificate in the chain is the end-entity certificate to which a
@@ -148,7 +162,8 @@ class X509Certificate : public base::RefCountedThreadSafe<X509Certificate> {
   //
   // The returned pointer must be stored in a scoped_refptr<X509Certificate>.
   static X509Certificate* CreateFromPickle(const Pickle& pickle,
-                                           void** pickle_iter);
+                                           void** pickle_iter,
+                                           PickleType type);
 
   // Parses all of the certificates possible from |data|. |format| is a
   // bit-wise OR of Format, indicating the possible formats the
@@ -389,6 +404,17 @@ class X509Certificate : public base::RefCountedThreadSafe<X509Certificate> {
                                       const uint8* array,
                                       size_t array_byte_len);
 
+  // Reads a single certificate from |pickle| and returns a platform-specific
+  // certificate handle. The format of the certificate stored in |pickle| is
+  // not guaranteed to be the same across different underlying cryptographic
+  // libraries, nor acceptable to CreateFromBytes(). Returns an invalid
+  // handle, NULL, on failure.
+  static OSCertHandle ReadCertHandleFromPickle(const Pickle& pickle,
+                                               void** pickle_iter);
+
+  // Writes a single certificate to |pickle|. Returns false on failure.
+  static bool WriteCertHandleToPickle(OSCertHandle handle, Pickle* pickle);

[wtc, 2011/04/20 23:07:58]

Nit: these two function names should say "OSCertHandle" instead
of just "CertHandle".

+
   // The subject of the certificate.
   CertPrincipal subject_;