Enable SSLClientSocketTest unit tests on Mac OS X by implementing our own certificate validation code. This gives us proper hostname matching, multiple error codes (e.g., before a certificate could be marked as expired or untrusted, but not both), revocation checking, and EV certificate checking.

BUG=19286,10910,14733
TEST=https://www.paypal.com should work without warning. https://paypal.com should get a warning about a hostname mismatch. https://test-ssev.verisign.com:1443/test-SSEV-expired-verisign.html should give a warning about an expired certificate.
Review URL: http://codereview.chromium.org/174102

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@24625 0039d316-1c4b-4281-b951-d872f2087c98

1 files changed, 12 insertions, 1 deletions

diff --git a/net/base/x509_certificate.cc b/net/base/x509_certificate.cc
index 7a5a669..e8db7c7 100644
--- a/net/base/x509_certificate.cc
+++ b/net/base/x509_certificate.cc
@@ -169,7 +169,11 @@ X509Certificate* X509Certificate::CreateFromBytes(const char* data,
 }
 
 X509Certificate::X509Certificate(OSCertHandle cert_handle, Source source)
-    : cert_handle_(cert_handle), source_(source) {
+    : cert_handle_(cert_handle),
+#if defined(OS_MACOSX)
+      intermediate_ca_certs_(NULL),
+#endif
+      source_(source) {
   Initialize();
 }
 
@@ -182,6 +186,9 @@ X509Certificate::X509Certificate(const std::string& subject,
       valid_start_(start_date),
       valid_expiry_(expiration_date),
       cert_handle_(NULL),
+#if defined(OS_MACOSX)
+      intermediate_ca_certs_(NULL),
+#endif
       source_(SOURCE_UNUSED) {
   memset(fingerprint_.data, 0, sizeof(fingerprint_.data));
 }
@@ -191,6 +198,10 @@ X509Certificate::~X509Certificate() {
   X509Certificate::Cache::GetInstance()->Remove(this);
   if (cert_handle_)
     FreeOSCertHandle(cert_handle_);
+#if defined(OS_MACOSX)
+  if (intermediate_ca_certs_)
+    CFRelease(intermediate_ca_certs_);
+#endif
 }
 
 bool X509Certificate::HasExpired() const {