authorukai@chromium.org <ukai@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2009-08-12 03:57:32 +0000
committerukai@chromium.org <ukai@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2009-08-12 03:57:32 +0000
commitc0d769d16ca94f36239fcd82725d909947f1cc1c (patch)
tree534e4c930865d6b7bcdbff895380f825b6c7e51e /net
parentc59fc74df671f470511a87e24c2d7efee864c27e (diff)
typedef PolicyOID to support Linux-only SECOidTag in EVRootCAMetadata methods.
BUG=none TEST=none Review URL: http://codereview.chromium.org/164134 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@23164 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net')
-rw-r--r--net/base/ev_root_ca_metadata.cc50
-rw-r--r--net/base/ev_root_ca_metadata.h32
-rw-r--r--net/base/x509_certificate_nss.cc65
-rw-r--r--net/base/x509_certificate_win.cc6
4 files changed, 71 insertions, 82 deletions
diff --git a/net/base/ev_root_ca_metadata.cc b/net/base/ev_root_ca_metadata.cc
index 0aeca2b..1fa59ed 100644
--- a/net/base/ev_root_ca_metadata.cc
+++ b/net/base/ev_root_ca_metadata.cc
@@ -2,9 +2,22 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#include "base/singleton.h"
#include "net/base/ev_root_ca_metadata.h"
+#if defined(OS_LINUX)
+// Work around https://bugzilla.mozilla.org/show_bug.cgi?id=455424
+// until NSS 3.12.2 comes out and we update to it.
+#define Lock FOO_NSS_Lock
+#include <cert.h>
+#include <pkcs11n.h>
+#include <secerr.h>
+#include <secoid.h>
+#undef Lock
+#endif
+
+#include "base/logging.h"
+#include "base/singleton.h"
+
namespace net {
// Raw metadata.
@@ -201,8 +214,8 @@ EVRootCAMetadata* EVRootCAMetadata::GetInstance() {
bool EVRootCAMetadata::GetPolicyOID(
const X509Certificate::Fingerprint& fingerprint,
- std::string* policy_oid) const {
- StringMap::const_iterator iter = ev_policy_.find(fingerprint);
+ PolicyOID* policy_oid) const {
+ PolicyOidMap::const_iterator iter = ev_policy_.find(fingerprint);
if (iter == ev_policy_.end())
return false;
*policy_oid = iter->second;
@@ -211,16 +224,41 @@ bool EVRootCAMetadata::GetPolicyOID(
EVRootCAMetadata::EVRootCAMetadata() {
// Constructs the object from the raw metadata in ev_root_ca_metadata.
- num_policy_oids_ = arraysize(ev_root_ca_metadata);
- policy_oids_.reset(new const char*[num_policy_oids_]);
+#if defined(OS_LINUX)
+ for (size_t i = 0; i < arraysize(ev_root_ca_metadata); i++) {
+ const EVMetadata& metadata = ev_root_ca_metadata[i];
+ PRUint8 buf[1024];
+ SECItem oid_item;
+ oid_item.data = buf;
+ oid_item.len = sizeof(buf);
+ SECStatus status = SEC_StringToOID(NULL, &oid_item, metadata.policy_oid, 0);
+ if (status != SECSuccess) {
+ LOG(ERROR) << "Failed to convert to OID: " << metadata.policy_oid;
+ continue;
+ }
+ // Register the OID.
+ SECOidData od;
+ od.oid.len = oid_item.len;
+ od.oid.data = oid_item.data;
+ od.offset = SEC_OID_UNKNOWN;
+ od.desc = metadata.policy_oid;
+ od.mechanism = CKM_INVALID_MECHANISM;
+ od.supportedExtension = INVALID_CERT_EXTENSION;
+ SECOidTag policy = SECOID_AddEntry(&od);
+ DCHECK(policy != SEC_OID_UNKNOWN);
+ ev_policy_[metadata.fingerprint] = policy;
+ policy_oids_.push_back(policy);
+ }
+#else
for (size_t i = 0; i < arraysize(ev_root_ca_metadata); i++) {
const EVMetadata& metadata = ev_root_ca_metadata[i];
ev_policy_[metadata.fingerprint] = metadata.policy_oid;
// Multiple root CA certs may use the same EV policy OID. Having
// duplicates in the policy_oids_ array does no harm, so we don't
// bother detecting duplicates.
- policy_oids_[i] = metadata.policy_oid;
+ policy_oids_.push_back(metadata.policy_oid);
}
+#endif
}
} // namespace net
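Review bot: The Linux branch calls `SECOID_AddEntry` on L83 for every table row without first asking NSS whether the OID is already known, while the comment retained in the #else branch (L92-94) says several roots share one EV policy OID and the code this replaces (`GetPolicyOidTags`, removed from x509_certificate_nss.cc in this commit) called `SECOID_FindOIDTag` and only registered an OID that was still unknown; dropping that lookup re-registers shared OIDs (or has the call rejected, depending on how NSS handles duplicates — not verifiable from here). When the call does fail, the `DCHECK` on L84 is a no-op in release builds and `SEC_OID_UNKNOWN` is stored in both `ev_policy_` and `policy_oids_`, from where it later reaches PKIXVerifyCert and CheckCertPolicies as the expected EV tag. `od.oid.data` also points at the stack buffer `buf`, so this relies on `SECOID_AddEntry` copying the item rather than keeping the pointer; a comment stating that assumption would help the next reader. Suggest restoring the lookup and skipping the entry on failure instead of storing it.
```cpp
    // … unchanged: SEC_StringToOID conversion into oid_item …
    SECOidTag policy = SECOID_FindOIDTag(&oid_item);
    if (policy == SEC_OID_UNKNOWN) {
      // Register the OID. od only borrows oid_item/buf, so this assumes
      // SECOID_AddEntry copies the item (confirm against the NSS version in use).
      SECOidData od;
      od.oid.len = oid_item.len;
      od.oid.data = oid_item.data;
      od.offset = SEC_OID_UNKNOWN;
      od.desc = metadata.policy_oid;
      od.mechanism = CKM_INVALID_MECHANISM;
      od.supportedExtension = INVALID_CERT_EXTENSION;
      policy = SECOID_AddEntry(&od);
    }
    if (policy == SEC_OID_UNKNOWN) {
      LOG(ERROR) << "Failed to register OID: " << metadata.policy_oid;
      continue;
    }
    ev_policy_[metadata.fingerprint] = policy;
    policy_oids_.push_back(policy);
```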
diff --git a/net/base/ev_root_ca_metadata.h b/net/base/ev_root_ca_metadata.h
index 7904039..5b12337 100644
--- a/net/base/ev_root_ca_metadata.h
+++ b/net/base/ev_root_ca_metadata.h
@@ -5,9 +5,15 @@
#ifndef NET_BASE_EV_ROOT_CA_METADATA_H_
#define NET_BASE_EV_ROOT_CA_METADATA_H_
+#include "build/build_config.h"
+
+#if defined(OS_LINUX)
+#include <secoidt.h>
+#endif
+
#include <map>
+#include <vector>
-#include "base/scoped_ptr.h"
#include "net/base/x509_certificate.h"
template <typename T>
@@ -19,15 +25,21 @@ namespace net {
// extended-validation (EV) certificates.
class EVRootCAMetadata {
public:
+#if defined(OS_LINUX)
+ typedef SECOidTag PolicyOID;
+#else
+ typedef const char* PolicyOID;
+#endif
+
static EVRootCAMetadata* GetInstance();
// If the root CA cert has an EV policy OID, returns true and stores the
// policy OID in *policy_oid. Otherwise, returns false.
bool GetPolicyOID(const X509Certificate::Fingerprint& fingerprint,
- std::string* policy_oid) const;
+ PolicyOID* policy_oid) const;
- const char* const* GetPolicyOIDs() const { return policy_oids_.get(); }
- int NumPolicyOIDs() const { return num_policy_oids_; }
+ const PolicyOID* GetPolicyOIDs() const { return &policy_oids_[0]; }
+ int NumPolicyOIDs() const { return policy_oids_.size(); }
private:
EVRootCAMetadata();
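Review bot: `&policy_oids_[0]` on L137 is undefined behaviour when the vector is empty, and the new Linux constructor can produce an empty vector if every `SEC_StringToOID`/`SECOID_AddEntry` call fails (each failure is a `continue`); `VerifyEV` in x509_certificate_nss.cc then evaluates this before PKIXVerifyCert ever checks the count. Suggest `const PolicyOID* GetPolicyOIDs() const { return policy_oids_.empty() ? NULL : &policy_oids_[0]; }`. L138 also narrows `size_t` to `int` silently; `return static_cast<int>(policy_oids_.size());` makes that explicit. The comment on `GetPolicyOID` (L130-131) should now say what `*policy_oid` is per platform, e.g. `// On Linux the OID is a SECOidTag registered with NSS at construction; elsewhere it is a pointer into the static metadata table, valid for the lifetime of the singleton.`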
@@ -35,17 +47,13 @@ class EVRootCAMetadata {
friend struct DefaultSingletonTraits<EVRootCAMetadata>;
- typedef std::map<X509Certificate::Fingerprint, std::string,
- X509Certificate::FingerprintLessThan> StringMap;
+ typedef std::map<X509Certificate::Fingerprint, PolicyOID,
+ X509Certificate::FingerprintLessThan> PolicyOidMap;
// Maps an EV root CA cert's SHA-1 fingerprint to its EV policy OID.
- StringMap ev_policy_;
+ PolicyOidMap ev_policy_;
- // Contains dotted-decimal OID strings (in ASCII). This is a C array of
- // C strings so that it can be passed directly to Windows CryptoAPI as
- // LPSTR*.
- scoped_array<const char*> policy_oids_;
- int num_policy_oids_;
+ std::vector<PolicyOID> policy_oids_;
DISALLOW_COPY_AND_ASSIGN(EVRootCAMetadata);
};
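Review bot: The comment removed on L150-153 was the only place explaining why `policy_oids_` must be a contiguous array that is handed to CryptoAPI as `LPSTR*`, and the replacement `std::vector<PolicyOID> policy_oids_` on L155 carries no comment at all. Suggest `// Contiguous so GetPolicyOIDs() can pass &policy_oids_[0] straight to CryptoAPI (LPSTR*) or NSS (SECOidTag*). Filled once in the constructor and must not be modified afterwards, or the pointer handed out becomes invalid.` The same contract applies to `PolicyOidMap` on L145: on Linux the mapped value is a tag that must already be registered with NSS.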
diff --git a/net/base/x509_certificate_nss.cc b/net/base/x509_certificate_nss.cc
index e96acbb..9e41219 100644
--- a/net/base/x509_certificate_nss.cc
+++ b/net/base/x509_certificate_nss.cc
@@ -319,38 +319,6 @@ void GetCertSubjectAltNamesOfType(X509Certificate::OSCertHandle cert_handle,
PORT_Free(alt_name.data);
}
-// TODO(ukai): this should be a Linux-only method of EVRootCAMetadata class.
-void GetPolicyOidTags(net::EVRootCAMetadata* metadata,
- std::vector<SECOidTag>* policies) {
- const char* const* policy_oids = metadata->GetPolicyOIDs();
- for (int i = 0; i < metadata->NumPolicyOIDs(); i++) {
- PRUint8 buf[1024];
- SECItem oid_item;
- oid_item.data = buf;
- oid_item.len = sizeof(buf);
- SECStatus status = SEC_StringToOID(NULL, &oid_item, policy_oids[i], 0);
- if (status != SECSuccess) {
- LOG(ERROR) << "Failed to convert to OID: " << policy_oids[i];
- continue;
- }
- SECOidTag policy = SECOID_FindOIDTag(&oid_item);
- if (policy == SEC_OID_UNKNOWN) {
- // Register the OID.
- SECOidData od;
- od.oid.len = oid_item.len;
- od.oid.data = oid_item.data;
- od.offset = SEC_OID_UNKNOWN;
- od.desc = policy_oids[i];
- od.mechanism = CKM_INVALID_MECHANISM;
- od.supportedExtension = INVALID_CERT_EXTENSION;
- policy = SECOID_AddEntry(&od);
- DCHECK(policy != SEC_OID_UNKNOWN);
- }
- policies->push_back(policy);
- }
- return;
-}
-
// Call CERT_PKIXVerifyCert for the cert_handle.
// Verification results are stored in an array of CERTValOutParam.
// If policy_oids is not NULL and num_policy_oids is positive, policies
@@ -429,31 +397,6 @@ SECStatus PKIXVerifyCert(X509Certificate::OSCertHandle cert_handle,
cvin, cvout, NULL);
}
-// TODO(ukai): make a Linux-only method of the EVRootCAMetadata.
-bool GetEvPolicyOidTag(net::EVRootCAMetadata* metadata,
- const X509Certificate::Fingerprint& fingerprint,
- SECOidTag* ev_policy_tag) {
- std::string ev_policy_oid;
- if (!metadata->GetPolicyOID(fingerprint, &ev_policy_oid)) {
- LOG(ERROR) << "GetPolicyOID failed";
- return false;
- }
- DCHECK(!ev_policy_oid.empty());
-
- PRUint8 buf[1024];
- SECItem oid_item;
- oid_item.data = buf;
- oid_item.len = sizeof(buf);
- SECStatus status = SEC_StringToOID(NULL, &oid_item, ev_policy_oid.data(),
- ev_policy_oid.length());
- if (status != SECSuccess) {
- LOG(ERROR) << "Failed to convert OID:" << ev_policy_oid;
- return false;
- }
- *ev_policy_tag = SECOID_FindOIDTag(&oid_item);
- return true;
-}
-
bool CheckCertPolicies(X509Certificate::OSCertHandle cert_handle,
SECOidTag ev_policy_tag) {
SECItem policy_ext;
@@ -598,10 +541,10 @@ bool X509Certificate::VerifyEV() const {
cvout[cvout_index].type = cert_po_end;
ScopedCERTValOutParam scoped_cvout(cvout);
- std::vector<SECOidTag> policies;
- GetPolicyOidTags(metadata, &policies);
SECStatus status = PKIXVerifyCert(cert_handle_,
- &policies[0], policies.size(), cvout);
+ metadata->GetPolicyOIDs(),
+ metadata->NumPolicyOIDs(),
+ cvout);
if (status != SECSuccess)
return false;
@@ -612,7 +555,7 @@ bool X509Certificate::VerifyEV() const {
X509Certificate::Fingerprint fingerprint =
X509Certificate::CalculateFingerprint(root_ca);
SECOidTag ev_policy_tag = SEC_OID_UNKNOWN;
- if (!GetEvPolicyOidTag(metadata, fingerprint, &ev_policy_tag))
+ if (!metadata->GetPolicyOID(fingerprint, &ev_policy_tag))
return false;
if (!CheckCertPolicies(cert_handle_, ev_policy_tag))
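Review bot: After the replacement call on L248, `ev_policy_tag` can still be `SEC_OID_UNKNOWN` — the Linux constructor stores whatever `SECOID_AddEntry` returned, guarded only by a `DCHECK` — and L250 then asks `CheckCertPolicies` to match the unknown tag as the root's EV policy. The removed `GetEvPolicyOidTag` had the same gap but at least logged the lookup failure, which this call drops. Suggest `if (!metadata->GetPolicyOID(fingerprint, &ev_policy_tag) || ev_policy_tag == SEC_OID_UNKNOWN) return false;`. `VerifyEV` continues outside the hunk.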
diff --git a/net/base/x509_certificate_win.cc b/net/base/x509_certificate_win.cc
index cd50668..9fe5e9f 100644
--- a/net/base/x509_certificate_win.cc
+++ b/net/base/x509_certificate_win.cc
@@ -601,10 +601,10 @@ bool X509Certificate::VerifyEV() const {
// Look up the EV policy OID of the root CA.
PCCERT_CONTEXT root_cert = element[num_elements - 1]->pCertContext;
Fingerprint fingerprint = CalculateFingerprint(root_cert);
- std::string ev_policy_oid;
+ const char* ev_policy_oid = NULL;
if (!metadata->GetPolicyOID(fingerprint, &ev_policy_oid))
return false;
- DCHECK(!ev_policy_oid.empty());
+ DCHECK(ev_policy_oid);
// Get the certificatePolicies extension of the end certificate.
PCCERT_CONTEXT end_cert = element[0]->pCertContext;
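Review bot: The `DCHECK` on L264 is weaker than the one it replaces: `DCHECK(ev_policy_oid)` accepts a pointer to an empty string, whereas `!ev_policy_oid.empty()` on L263 did not, and an empty OID handed to `ContainsPolicy` on L271 would be compared against the end certificate's policies. Since the pointer comes from the static metadata table via the constructor's `metadata.policy_oid`, the value is presumably never empty, but `DCHECK(ev_policy_oid && *ev_policy_oid);` keeps the original invariant. `VerifyEV` continues outside the hunk.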
@@ -613,7 +613,7 @@ bool X509Certificate::VerifyEV() const {
if (!policies_info.get())
return false;
- return ContainsPolicy(policies_info.get(), ev_policy_oid.c_str());
+ return ContainsPolicy(policies_info.get(), ev_policy_oid);
}
// static