authorwtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2009-02-05 23:02:10 +0000
committerwtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2009-02-05 23:02:10 +0000
commit0dfee7c217bcefb0cf322a6f87b8a9f866637e2f (patch)
tree85361c81826419d97f224bd17ef58dbbda612e6f
parent4a4d43b3b71d7dbadd2c9b2f1ef413666c43c006 (diff)
Add X509Certificate::Verify stubs for Mac and Linux.
They do nothing but return ERR_NOT_IMPLEMENTED. In SSLClientSocketWin, call X509Certificate::CreateFromHandle only once and store the result in the server_cert_ member. Add the CertVerifyResult::Reset method to clear all members. R=eroman BUG=3592 Review URL: http://codereview.chromium.org/21071 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@9272 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r--net/base/cert_verify_result.h15
-rw-r--r--net/base/ssl_client_socket_win.cc41
-rw-r--r--net/base/ssl_client_socket_win.h2
-rw-r--r--net/base/x509_certificate.h6
-rw-r--r--net/base/x509_certificate_mac.cc8
-rw-r--r--net/base/x509_certificate_nss.cc8
-rw-r--r--net/base/x509_certificate_win.cc10
7 files changed, 51 insertions, 39 deletions
diff --git a/net/base/cert_verify_result.h b/net/base/cert_verify_result.h
index 825ce4c..5169e4f 100644
--- a/net/base/cert_verify_result.h
+++ b/net/base/cert_verify_result.h
@@ -7,12 +7,19 @@
namespace net {
-// The result of certificate verification.
+// The result of certificate verification. Eventually this may contain the
+// certificate chain that was constructed during certificate verification.
class CertVerifyResult {
public:
- CertVerifyResult()
- : cert_status(0), has_md5(false), has_md2(false), has_md4(false),
- has_md5_ca(false), has_md2_ca(false) {
+ CertVerifyResult() { Reset(); }
+
+ void Reset() {
+ cert_status = 0;
+ has_md5 = false;
+ has_md2 = false;
+ has_md4 = false;
+ has_md5_ca = false;
+ has_md2_ca = false;
}
int cert_status;
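Review bot: The new `Reset()` has no comment, and it is now the single place that defines the default state of every member. The class comment already anticipates adding the certificate chain, so a member added later without a matching line here would survive a reset silently. I would add `// Restores every member to its initial value. Update this when adding a member.` above `void Reset()`. The class body continues past the end of this hunk.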
diff --git a/net/base/ssl_client_socket_win.cc b/net/base/ssl_client_socket_win.cc
index dc3ccf3..5f73746 100644
--- a/net/base/ssl_client_socket_win.cc
+++ b/net/base/ssl_client_socket_win.cc
@@ -215,7 +215,6 @@ SSLClientSocketWin::SSLClientSocketWin(ClientSocket* transport_socket,
user_buf_(NULL),
user_buf_len_(0),
next_state_(STATE_NONE),
- server_cert_(NULL),
creds_(NULL),
payload_send_buffer_len_(0),
bytes_sent_(0),
@@ -237,29 +236,20 @@ SSLClientSocketWin::~SSLClientSocketWin() {
}
void SSLClientSocketWin::GetSSLInfo(SSLInfo* ssl_info) {
- SECURITY_STATUS status = SEC_E_OK;
- if (server_cert_ == NULL) {
- status = QueryContextAttributes(&ctxt_,
- SECPKG_ATTR_REMOTE_CERT_CONTEXT,
- &server_cert_);
- }
- if (status == SEC_E_OK) {
- DCHECK(server_cert_);
- PCCERT_CONTEXT dup_cert = CertDuplicateCertificateContext(server_cert_);
- ssl_info->cert = X509Certificate::CreateFromHandle(
- dup_cert, X509Certificate::SOURCE_FROM_NETWORK);
- }
+ if (!server_cert_)
+ return;
+
+ ssl_info->cert = server_cert_;
+ ssl_info->cert_status = server_cert_verify_result_.cert_status;
SecPkgContext_ConnectionInfo connection_info;
- status = QueryContextAttributes(&ctxt_,
- SECPKG_ATTR_CONNECTION_INFO,
- &connection_info);
+ SECURITY_STATUS status = QueryContextAttributes(
+ &ctxt_, SECPKG_ATTR_CONNECTION_INFO, &connection_info);
if (status == SEC_E_OK) {
// TODO(wtc): compute the overall security strength, taking into account
// dwExchStrength and dwHashStrength. dwExchStrength needs to be
// normalized.
ssl_info->security_bits = connection_info.dwCipherStrength;
}
- ssl_info->cert_status = server_cert_verify_result_.cert_status;
}
int SSLClientSocketWin::Connect(CompletionCallback* callback) {
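Review bot: The new early return `if (!server_cert_) return;` in GetSSLInfo leaves `*ssl_info` completely unwritten when no certificate has been stored, whereas the old code always assigned `cert_status` and attempted `security_bits`. A caller that reuses an SSLInfo object would keep presenting the certificate and status of an earlier connection. Either clear the output before returning (for example `ssl_info->cert = NULL;` plus the other fields, or a reset helper if SSLInfo provides one), or state the precondition in a comment such as `// Leaves *ssl_info unchanged if the handshake has not completed.`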
@@ -306,10 +296,8 @@ void SSLClientSocketWin::Disconnect() {
DeleteSecurityContext(&ctxt_);
memset(&ctxt_, 0, sizeof(ctxt_));
}
- if (server_cert_) {
- CertFreeCertificateContext(server_cert_);
+ if (server_cert_)
server_cert_ = NULL;
- }
// TODO(wtc): reset more members?
bytes_decrypted_ = 0;
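Review bot: The surviving `if (server_cert_)` guard in Disconnect is redundant now that `server_cert_` is a `scoped_refptr`, since assigning NULL drops the reference whether or not one is held. The line can simply be `server_cert_ = NULL;`. As a defensive measure I would follow it with `server_cert_verify_result_.Reset();`, using the method this commit adds, so verification flags from the closed connection cannot be read after a reconnect. Disconnect begins and ends outside this hunk, so this assumes the result is not already cleared elsewhere in the function.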
@@ -697,12 +685,8 @@ int SSLClientSocketWin::DoVerifyCert() {
next_state_ = STATE_VERIFY_CERT_COMPLETE;
DCHECK(server_cert_);
-
- PCCERT_CONTEXT dup_cert = CertDuplicateCertificateContext(server_cert_);
- scoped_refptr<X509Certificate> cert =
- X509Certificate::CreateFromHandle(dup_cert,
- X509Certificate::SOURCE_FROM_NETWORK);
- return verifier_.Verify(cert, hostname_, ssl_config_.rev_checking_enabled,
+ return verifier_.Verify(server_cert_, hostname_,
+ ssl_config_.rev_checking_enabled,
&server_cert_verify_result_, &io_callback_);
}
@@ -924,12 +908,15 @@ int SSLClientSocketWin::DidCompleteHandshake() {
return MapSecurityError(status);
}
DCHECK(!server_cert_);
+ PCCERT_CONTEXT server_cert_handle = NULL;
status = QueryContextAttributes(
- &ctxt_, SECPKG_ATTR_REMOTE_CERT_CONTEXT, &server_cert_);
+ &ctxt_, SECPKG_ATTR_REMOTE_CERT_CONTEXT, &server_cert_handle);
if (status != SEC_E_OK) {
DLOG(ERROR) << "QueryContextAttributes failed: " << status;
return MapSecurityError(status);
}
+ server_cert_ = X509Certificate::CreateFromHandle(
+ server_cert_handle, X509Certificate::SOURCE_FROM_NETWORK);
completed_handshake_ = true;
next_state_ = STATE_VERIFY_CERT;
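Review bot: `server_cert_handle` is passed to `CreateFromHandle` without the `CertDuplicateCertificateContext` call the removed call sites used, and Disconnect no longer calls `CertFreeCertificateContext`, so the context returned by QueryContextAttributes is released only if `CreateFromHandle` takes ownership of it. That contract is not visible in this diff; if it holds, record it with a comment above the call such as `// CreateFromHandle takes ownership of server_cert_handle.` The result is also not checked before `next_state_` advances, and DoVerifyCert guards it only with `DCHECK(server_cert_)`, which presumably is compiled out of release builds. Returning an error here when `server_cert_` is null would keep a failed creation from reaching `verifier_.Verify`. The function starts and ends outside this hunk.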
diff --git a/net/base/ssl_client_socket_win.h b/net/base/ssl_client_socket_win.h
index c0b5243..6fd19a0 100644
--- a/net/base/ssl_client_socket_win.h
+++ b/net/base/ssl_client_socket_win.h
@@ -99,7 +99,7 @@ class SSLClientSocketWin : public SSLClientSocket {
State next_state_;
SecPkgContext_StreamSizes stream_sizes_;
- PCCERT_CONTEXT server_cert_;
+ scoped_refptr<X509Certificate> server_cert_;
CertVerifier verifier_;
CertVerifyResult server_cert_verify_result_;
diff --git a/net/base/x509_certificate.h b/net/base/x509_certificate.h
index dceb52f..80f085f 100644
--- a/net/base/x509_certificate.h
+++ b/net/base/x509_certificate.h
@@ -135,17 +135,23 @@ class X509Certificate : public base::RefCountedThreadSafe<X509Certificate> {
// prefers the handle from the network because our HTTP cache isn't
// caching the corresponding intermediate CA certificates yet
// (http://crbug.com/7065).
+ //
+ // The returned pointer must be stored in a scoped_refptr<X509Certificate>.
static X509Certificate* CreateFromHandle(OSCertHandle cert_handle,
Source source);
// Create an X509Certificate from the BER-encoded representation.
// Returns NULL on failure.
+ //
+ // The returned pointer must be stored in a scoped_refptr<X509Certificate>.
static X509Certificate* CreateFromBytes(const char* data, int length);
// Create an X509Certificate from the representation stored in the given
// pickle. The data for this object is found relative to the given
// pickle_iter, which should be passed to the pickle's various Read* methods.
// Returns NULL on failure.
+ //
+ // The returned pointer must be stored in a scoped_refptr<X509Certificate>.
static X509Certificate* CreateFromPickle(const Pickle& pickle,
void** pickle_iter);
diff --git a/net/base/x509_certificate_mac.cc b/net/base/x509_certificate_mac.cc
index ac60645..e231653 100644
--- a/net/base/x509_certificate_mac.cc
+++ b/net/base/x509_certificate_mac.cc
@@ -11,6 +11,7 @@
#include "base/pickle.h"
#include "net/base/cert_status_flags.h"
#include "net/base/ev_root_ca_metadata.h"
+#include "net/base/net_errors.h"
using base::Time;
@@ -251,6 +252,13 @@ void X509Certificate::GetDNSNames(std::vector<std::string>* dns_names) const {
if (dns_names->empty())
dns_names->push_back(subject_.common_name);
}
+
+int X509Certificate::Verify(const std::string& hostname,
+ bool rev_checking_enabled,
+ CertVerifyResult* verify_result) const {
+ NOTIMPLEMENTED();
+ return ERR_NOT_IMPLEMENTED;
+}
// Returns true if the certificate is an extended-validation certificate.
//
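Review bot: Both new stubs, this one and the identical one in x509_certificate_nss.cc, return without writing `*verify_result`, so a caller that reads `cert_status` after the call sees whatever was there before. A default-constructed CertVerifyResult has `cert_status == 0`, which reads as a certificate with no errors, so the stubs are safe only while every caller treats the `ERR_NOT_IMPLEMENTED` return as a failed verification. To fail closed I would begin each stub with `verify_result->Reset();`, as the Windows implementation now does, and then set an error bit from cert_status_flags.h in `verify_result->cert_status`. A comment such as `// TODO: implement. Until then no certificate is verified on this platform.` would make the gap explicit.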
diff --git a/net/base/x509_certificate_nss.cc b/net/base/x509_certificate_nss.cc
index 2ca1255..2dcff9c 100644
--- a/net/base/x509_certificate_nss.cc
+++ b/net/base/x509_certificate_nss.cc
@@ -16,6 +16,7 @@
#include "base/logging.h"
#include "base/time.h"
#include "base/nss_init.h"
+#include "net/base/net_errors.h"
namespace net {
@@ -199,6 +200,13 @@ void X509Certificate::GetDNSNames(std::vector<std::string>* dns_names) const {
dns_names->push_back(subject_.common_name);
}
+int X509Certificate::Verify(const std::string& hostname,
+ bool rev_checking_enabled,
+ CertVerifyResult* verify_result) const {
+ NOTIMPLEMENTED();
+ return ERR_NOT_IMPLEMENTED;
+}
+
// static
X509Certificate::OSCertHandle X509Certificate::CreateOSCertHandleFromBytes(
const char* data, int length) {
diff --git a/net/base/x509_certificate_win.cc b/net/base/x509_certificate_win.cc
index 4c2cf2c..c98d738 100644
--- a/net/base/x509_certificate_win.cc
+++ b/net/base/x509_certificate_win.cc
@@ -165,7 +165,8 @@ void GetCertSubjectAltName(PCCERT_CONTEXT cert,
}
// Saves some information about the certificate chain chain_context in
-// *verify_result.
+// *verify_result. The caller MUST initialize *verify_result before calling
+// this function.
void GetCertChainInfo(PCCERT_CHAIN_CONTEXT chain_context,
CertVerifyResult* verify_result) {
PCERT_SIMPLE_CHAIN first_chain = chain_context->rgpChain[0];
@@ -433,12 +434,7 @@ bool X509Certificate::HasExpired() const {
int X509Certificate::Verify(const std::string& hostname,
bool rev_checking_enabled,
CertVerifyResult* verify_result) const {
- verify_result->cert_status = 0;
- verify_result->has_md5 = false;
- verify_result->has_md2 = false;
- verify_result->has_md4 = false;
- verify_result->has_md5_ca = false;
- verify_result->has_md2_ca = false;
+ verify_result->Reset();
// Build and validate certificate chain.