authorwtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-07-21 04:48:17 +0000
committerwtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-07-21 04:48:17 +0000
commit40a089c802ae7e4e514d2228c84c115842c4d371 (patch)
treee14688f6f48968f4c8ae432315323d78fe18342d /net/socket
parent1ab4ddf6636cdb88ea138aa5820ddeed29f72b98 (diff)
Revert r92977 partially to fix a certificate verification regression
on Windows. We still need X509Certificate::cert_store(). Make it a leaky lazy instance. R=rsleevi@chromium.org,rvargas@chromium.org BUG=89899,49377 TEST=Visit https://bugs.webkit.org/show_bug.cgi?id=64580 on Windows. Should not get the untrusted certificate error. Review URL: http://codereview.chromium.org/7473009 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@93338 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/socket')
-rw-r--r--net/socket/ssl_client_socket_nss.cc11
-rw-r--r--net/socket/ssl_client_socket_win.cc46
2 files changed, 45 insertions, 12 deletions
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index 83e866c..536b206 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -2056,10 +2056,11 @@ SECStatus SSLClientSocketNSS::PlatformClientAuthHandler(
// Get the leaf certificate.
PCCERT_CONTEXT cert_context =
chain_context->rgpChain[0]->rgpElement[0]->pCertContext;
- // Copy the certificate into a NULL store, so that we can close the "MY"
- // store before returning from this function.
+ // Copy it to our own certificate store, so that we can close the "MY"
+ // certificate store before returning from this function.
PCCERT_CONTEXT cert_context2;
- BOOL ok = CertAddCertificateContextToStore(NULL, cert_context,
+ BOOL ok = CertAddCertificateContextToStore(X509Certificate::cert_store(),
+ cert_context,
CERT_STORE_ADD_USE_EXISTING,
&cert_context2);
if (!ok) {
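Review bot: The new call `CertAddCertificateContextToStore(X509Certificate::cert_store(), ...` assumes cert_store() never returns NULL; if it ever does, the API silently falls back to a store-less copy, which is exactly the pre-r92977 behavior this commit is reverting, and nothing here would notice. Fetching the store once with `HCERTSTORE store = X509Certificate::cert_store(); DCHECK(store);` before the leaf copy, and reusing `store` in the intermediates loop of the next hunk, would make that failure visible in debug builds and avoid repeating the accessor per element. PlatformClientAuthHandler begins before this hunk and continues past both hunks.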
@@ -2074,8 +2075,8 @@ SECStatus SSLClientSocketNSS::PlatformClientAuthHandler(
net::X509Certificate::OSCertHandles intermediates;
for (DWORD i = 1; i < chain_context->rgpChain[0]->cElement; i++) {
PCCERT_CONTEXT intermediate_copy;
- ok = CertAddCertificateContextToStore(
- NULL, chain_context->rgpChain[0]->rgpElement[i]->pCertContext,
+ ok = CertAddCertificateContextToStore(X509Certificate::cert_store(),
+ chain_context->rgpChain[0]->rgpElement[i]->pCertContext,
CERT_STORE_ADD_USE_EXISTING, &intermediate_copy);
if (!ok) {
NOTREACHED();
diff --git a/net/socket/ssl_client_socket_win.cc b/net/socket/ssl_client_socket_win.cc
index a1a2396..6784b64 100644
--- a/net/socket/ssl_client_socket_win.cc
+++ b/net/socket/ssl_client_socket_win.cc
@@ -337,6 +337,40 @@ static BOOL WINAPI ClientCertFindCallback(PCCERT_CONTEXT cert_context,
//-----------------------------------------------------------------------------
+// A memory certificate store for client certificates. This allows us to
+// close the "MY" system certificate store when we finish searching for
+// client certificates.
+class ClientCertStore {
+ public:
+ ClientCertStore() {
+ store_ = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, NULL, 0, NULL);
+ }
+
+ ~ClientCertStore() {
+ if (store_) {
+ BOOL ok = CertCloseStore(store_, CERT_CLOSE_STORE_CHECK_FLAG);
+ DCHECK(ok);
+ }
+ }
+
+ PCCERT_CONTEXT CopyCertContext(PCCERT_CONTEXT client_cert) {
+ PCCERT_CONTEXT copy;
+ BOOL ok = CertAddCertificateContextToStore(store_, client_cert,
+ CERT_STORE_ADD_USE_EXISTING,
+ &copy);
+ DCHECK(ok);
+ return ok ? copy : NULL;
+ }
+
+ private:
+ HCERTSTORE store_;
+};
+
+static base::LazyInstance<ClientCertStore> g_client_cert_store(
+ base::LINKER_INITIALIZED);
+
+//-----------------------------------------------------------------------------
+
// Size of recv_buffer_
//
// Ciphertext is decrypted one SSL record at a time, so recv_buffer_ needs to
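Review bot: ClientCertStore's constructor keeps whatever CertOpenStore returns without checking it, so on failure store_ is NULL and CopyCertContext then hands a NULL store to CertAddCertificateContextToStore, which silently yields a store-less copy (the behavior this commit is reverting) rather than failing; a `DCHECK(store_);` after the CertOpenStore call would surface that in debug builds. g_client_cert_store is a plain LazyInstance rather than a leaky one, so its destructor runs at process exit; if any context returned by CopyCertContext is still referenced at that point, CertCloseStore with CERT_CLOSE_STORE_CHECK_FLAG reports failure and the DCHECK(ok) fires, which is worth confirming against how callers retain those contexts. The class is also copyable as written, and a copy would close the same store twice; `DISALLOW_COPY_AND_ASSIGN(ClientCertStore);` in the private section prevents that.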
@@ -488,13 +522,11 @@ void SSLClientSocketWin::GetSSLCertRequestInfo(
// Get the leaf certificate.
PCCERT_CONTEXT cert_context =
chain_context->rgpChain[0]->rgpElement[0]->pCertContext;
- // Copy the certificate into a NULL store, so that we can close the "MY"
- // store before returning from this function.
- PCCERT_CONTEXT cert_context2 = NULL;
- BOOL ok = CertAddCertificateContextToStore(NULL, cert_context,
- CERT_STORE_ADD_USE_EXISTING,
- &cert_context2);
- if (!ok) {
+ // Copy it to our own certificate store, so that we can close the "MY"
+ // certificate store before returning from this function.
+ PCCERT_CONTEXT cert_context2 =
+ g_client_cert_store.Get().CopyCertContext(cert_context);
+ if (!cert_context2) {
NOTREACHED();
continue;
}
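Review bot: The Windows path now copies client certificates into the file-local g_client_cert_store, while the NSS path in this same commit (ssl_client_socket_nss.cc) copies into X509Certificate::cert_store(); a one-line comment above `g_client_cert_store.Get().CopyCertContext(cert_context);` saying why the two platforms use different stores would keep the next reader from assuming one of them is a mistake. GetSSLCertRequestInfo starts and ends outside this hunk.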