authorsnej@chromium.org <snej@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-03-05 17:17:57 +0000
committersnej@chromium.org <snej@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-03-05 17:17:57 +0000
commit207c678c4692c9dfec3e34c0d206f2ee1b2fbb6a (patch)
treea2017eddab0bbb8713ddfd9c1473dd81e557ec4f /net/socket
parent76964955a0fc995d7a0c95feaeaa17891eab2205 (diff)
Revert my last commit 'cause it breaks net unit tests on OS X 10.6 :(
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@40743 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/socket')
-rw-r--r--net/socket/ssl_client_socket_mac.cc21
-rw-r--r--net/socket/ssl_client_socket_nss.cc47
-rw-r--r--net/socket/ssl_client_socket_win.cc16
-rw-r--r--net/socket/ssl_test_util.cc3
4 files changed, 46 insertions, 41 deletions
diff --git a/net/socket/ssl_client_socket_mac.cc b/net/socket/ssl_client_socket_mac.cc
index 1a0ca6d..0720a40 100644
--- a/net/socket/ssl_client_socket_mac.cc
+++ b/net/socket/ssl_client_socket_mac.cc
@@ -411,22 +411,29 @@ X509Certificate* GetServerCert(SSLContextRef ssl_context) {
DCHECK_GT(CFArrayGetCount(certs), 0);
+ SecCertificateRef server_cert = static_cast<SecCertificateRef>(
+ const_cast<void*>(CFArrayGetValueAtIndex(certs, 0)));
+ CFRetain(server_cert);
+ X509Certificate *x509_cert = X509Certificate::CreateFromHandle(
+ server_cert, X509Certificate::SOURCE_FROM_NETWORK);
+ if (!x509_cert)
+ return NULL;
+
// Add each of the intermediate certificates in the server's chain to the
// server's X509Certificate object. This makes them available to
// X509Certificate::Verify() for chain building.
- std::vector<SecCertificateRef> intermediate_ca_certs;
+ // TODO(wtc): Since X509Certificate::CreateFromHandle may return a cached
+ // X509Certificate object, we may be adding intermediate CA certificates to
+ // it repeatedly!
CFIndex certs_length = CFArrayGetCount(certs);
for (CFIndex i = 1; i < certs_length; ++i) {
SecCertificateRef cert_ref = reinterpret_cast<SecCertificateRef>(
const_cast<void*>(CFArrayGetValueAtIndex(certs, i)));
- intermediate_ca_certs.push_back(cert_ref);
+ CFRetain(cert_ref);
+ x509_cert->AddIntermediateCertificate(cert_ref);
}
- SecCertificateRef server_cert = static_cast<SecCertificateRef>(
- const_cast<void*>(CFArrayGetValueAtIndex(certs, 0)));
- CFRetain(server_cert);
- return X509Certificate::CreateFromHandle(
- server_cert, X509Certificate::SOURCE_FROM_NETWORK, intermediate_ca_certs);
+ return x509_cert;
}
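Review bot: After `CFRetain(server_cert)` on the new side, the early `return NULL` when `X509Certificate::CreateFromHandle` fails leaves that retained reference unreleased unless CreateFromHandle releases the handle on failure, which this hunk does not show; if it does not, add `CFRelease(server_cert);` before the return. The restored TODO(wtc) also means that when CreateFromHandle hands back a cached object, every call appends the same intermediates again, so the cached certificate's intermediate list can keep growing across connections to the same server, which the reverted `intermediate_ca_certs` path avoided. Minor style point: the server certificate is obtained with `static_cast<SecCertificateRef>` while the loop uses `reinterpret_cast<SecCertificateRef>` for the same expression shape; pick one. GetServerCert's body begins before this hunk.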
// Dynamically look up a pointer to a function exported by a bundle.
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index 30566b3..52dc09e 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -595,11 +595,24 @@ X509Certificate *SSLClientSocketNSS::UpdateServerCert() {
if (!cert_store_)
cert_store_ = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, NULL, 0, NULL);
- // Get each of the intermediate certificates in the server's chain.
- // These will be added to the server's X509Certificate object, making
- // them available to X509Certificate::Verify() for chain building.
- X509Certificate::OSCertHandles intermediate_ca_certs;
PCCERT_CONTEXT cert_context = NULL;
+ BOOL ok = CertAddEncodedCertificateToStore(
+ cert_store_,
+ X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
+ server_cert_nss_->derCert.data,
+ server_cert_nss_->derCert.len,
+ CERT_STORE_ADD_USE_EXISTING,
+ &cert_context);
+ DCHECK(ok);
+ server_cert_ = X509Certificate::CreateFromHandle(
+ cert_context, X509Certificate::SOURCE_FROM_NETWORK);
+
+ // Add each of the intermediate certificates in the server's chain to
+ // the server's X509Certificate object. This makes them available to
+ // X509Certificate::Verify() for chain building.
+ // TODO(wtc): Since X509Certificate::CreateFromHandle may return a
+ // cached X509Certificate object, we may be adding intermediate CA
+ // certificates to it repeatedly!
CERTCertList* cert_list = CERT_GetCertChainFromCert(
server_cert_nss_, PR_Now(), certUsageSSLCA);
if (cert_list) {
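Review bot: The restored store insertion checks `CertAddEncodedCertificateToStore` only with `DCHECK(ok)`, so in a release build a failure leaves `cert_context` NULL and that NULL is handed straight to `X509Certificate::CreateFromHandle` on the next line; the same applies to the loop's `DCHECK(ok)` in the hunk at `@@ -616,31 +629,14 @@`, where `server_cert_->AddIntermediateCertificate` is then called on a `server_cert_` that may itself be NULL if CreateFromHandle failed. Handle the failure explicitly, e.g. `if (!ok) return NULL;` after the DCHECK, assuming callers treat a NULL result from UpdateServerCert as failure (the function's return path is outside this hunk). `CertOpenStore` two lines above the hunk start is likewise unchecked, and a NULL `cert_store_` would make the insertion fail in the same way. UpdateServerCert begins before this hunk.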
@@ -607,7 +620,7 @@ X509Certificate *SSLClientSocketNSS::UpdateServerCert() {
!CERT_LIST_END(node, cert_list);
node = CERT_LIST_NEXT(node)) {
cert_context = NULL;
- BOOL ok = CertAddEncodedCertificateToStore(
+ ok = CertAddEncodedCertificateToStore(
cert_store_,
X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
node->cert->derCert.data,
@@ -616,31 +629,14 @@ X509Certificate *SSLClientSocketNSS::UpdateServerCert() {
&cert_context);
DCHECK(ok);
if (node->cert != server_cert_nss_)
- intermediate_ca_certs.push_back(cert_context);
+ server_cert_->AddIntermediateCertificate(cert_context);
}
CERT_DestroyCertList(cert_list);
}
-
- // Finally create the X509Certificate object.
- BOOL ok = CertAddEncodedCertificateToStore(
- cert_store_,
- X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
- server_cert_nss_->derCert.data,
- server_cert_nss_->derCert.len,
- CERT_STORE_ADD_USE_EXISTING,
- &cert_context);
- DCHECK(ok);
- server_cert_ = X509Certificate::CreateFromHandle(
- cert_context,
- X509Certificate::SOURCE_FROM_NETWORK,
- intermediate_ca_certs);
- for (size_t i = 0; i < intermediate_ca_certs.size(); ++i)
- CertFreeCertificateContext(intermediate_ca_certs[i]);
#else
server_cert_ = X509Certificate::CreateFromHandle(
CERT_DupCertificate(server_cert_nss_),
- X509Certificate::SOURCE_FROM_NETWORK,
- X509Certificate::OSCertHandles());
+ X509Certificate::SOURCE_FROM_NETWORK);
#endif
}
}
@@ -1143,8 +1139,7 @@ SECStatus SSLClientSocketNSS::ClientAuthHandler(
privkey = PK11_FindKeyByAnyCert(cert, wincx);
if (privkey) {
X509Certificate* x509_cert = X509Certificate::CreateFromHandle(
- cert, X509Certificate::SOURCE_LONE_CERT_IMPORT,
- net::X509Certificate::OSCertHandles());
+ cert, X509Certificate::SOURCE_LONE_CERT_IMPORT);
that->client_certs_.push_back(x509_cert);
SECKEY_DestroyPrivateKey(privkey);
continue;
diff --git a/net/socket/ssl_client_socket_win.cc b/net/socket/ssl_client_socket_win.cc
index bf4a547..7e76f9e 100644
--- a/net/socket/ssl_client_socket_win.cc
+++ b/net/socket/ssl_client_socket_win.cc
@@ -68,6 +68,13 @@ static int MapSecurityError(SECURITY_STATUS err) {
}
}
+// Returns true if the two CERT_CONTEXTs contain the same certificate.
+bool SameCert(PCCERT_CONTEXT a, PCCERT_CONTEXT b) {
+ return a == b ||
+ (a->cbCertEncoded == b->cbCertEncoded &&
+ memcmp(a->pbCertEncoded, b->pbCertEncoded, b->cbCertEncoded) == 0);
+}
+
//-----------------------------------------------------------------------------
// A bitmask consisting of these bit flags encodes which versions of the SSL
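Review bot: `SameCert` dereferences both arguments once the `a == b` short-circuit fails, so a NULL on only one side crashes; whether either caller in this file can pass NULL is not visible here, but a guard such as `if (!a || !b) return false;` before the comparison is cheap. Style: the neighbouring `MapSecurityError` is `static`, while `SameCert` is a file-local helper given external linkage; make it `static` (or put it in an anonymous namespace) so it cannot collide with a same-named symbol elsewhere in the link. The comparison itself covers the full DER encoding (`cbCertEncoded`/`pbCertEncoded`), which is the right identity for this check.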
@@ -411,8 +418,7 @@ void SSLClientSocketWin::GetSSLCertRequestInfo(
continue;
}
scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromHandle(
- cert_context2, X509Certificate::SOURCE_LONE_CERT_IMPORT,
- net::X509Certificate::OSCertHandles());
+ cert_context2, X509Certificate::SOURCE_LONE_CERT_IMPORT);
cert_request_info->client_certs.push_back(cert);
}
@@ -1297,16 +1303,14 @@ int SSLClientSocketWin::DidCompleteHandshake() {
return MapSecurityError(status);
}
if (renegotiating_ &&
- X509Certificate::IsSameOSCert(server_cert_->os_cert_handle(),
- server_cert_handle)) {
+ SameCert(server_cert_->os_cert_handle(), server_cert_handle)) {
// We already verified the server certificate. Either it is good or the
// user has accepted the certificate error.
CertFreeCertificateContext(server_cert_handle);
DidCompleteRenegotiation();
} else {
server_cert_ = X509Certificate::CreateFromHandle(
- server_cert_handle, X509Certificate::SOURCE_FROM_NETWORK,
- net::X509Certificate::OSCertHandles());
+ server_cert_handle, X509Certificate::SOURCE_FROM_NETWORK);
next_state_ = STATE_VERIFY_CERT;
}
diff --git a/net/socket/ssl_test_util.cc b/net/socket/ssl_test_util.cc
index 56eba9c..55d104c 100644
--- a/net/socket/ssl_test_util.cc
+++ b/net/socket/ssl_test_util.cc
@@ -112,8 +112,7 @@ static net::X509Certificate* LoadTemporaryCert(const FilePath& filename) {
const_cast<void*>(CFArrayGetValueAtIndex(cert_array, 0)));
CFRetain(cert_ref);
return net::X509Certificate::CreateFromHandle(cert_ref,
- net::X509Certificate::SOURCE_LONE_CERT_IMPORT,
- net::X509Certificate::OSCertHandles());
+ net::X509Certificate::SOURCE_FROM_NETWORK);
}
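Review bot: Unlike the other CreateFromHandle call sites in this commit, this hunk does not only drop the third argument: `LoadTemporaryCert` now tags a certificate read from `filename` as `SOURCE_FROM_NETWORK` instead of `SOURCE_LONE_CERT_IMPORT`. If the source value affects how the certificate is cached or verified, a test certificate loaded from disk carrying the network tag may take a different path from the one the test intends to exercise. If the value is deliberate, a one-line comment next to it, e.g. `// Deliberately SOURCE_FROM_NETWORK rather than SOURCE_LONE_CERT_IMPORT: <reason>.`, would stop the next reader from "fixing" it. The function's body begins before this hunk.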
#endif