-rw-r--r--chrome/browser/net/chrome_fraudulent_certificate_reporter.cc13
-rw-r--r--net/base/ssl_config_service.cc2
-rw-r--r--net/base/x509_certificate.h8
-rw-r--r--net/base/x509_certificate_mac.cc16
-rw-r--r--net/base/x509_certificate_nss.cc11
-rw-r--r--net/base/x509_certificate_openssl.cc8
-rw-r--r--net/base/x509_certificate_unittest.cc12
-rw-r--r--net/base/x509_certificate_win.cc11
-rw-r--r--net/http/http_stream_factory_impl_job.cc4
-rw-r--r--net/socket/ssl_server_socket_nss.cc2
-rw-r--r--net/socket_stream/socket_stream.cc3
-rw-r--r--remoting/host/host_key_pair.cc8
12 files changed, 54 insertions, 44 deletions
diff --git a/chrome/browser/net/chrome_fraudulent_certificate_reporter.cc b/chrome/browser/net/chrome_fraudulent_certificate_reporter.cc
index 9f3fcd1..e71ae58 100644
--- a/chrome/browser/net/chrome_fraudulent_certificate_reporter.cc
+++ b/chrome/browser/net/chrome_fraudulent_certificate_reporter.cc
@@ -65,7 +65,8 @@ static std::string BuildReport(
std::string der_encoded, pem_encoded;
net::X509Certificate* certificate = ssl_info.cert;
- if (!certificate->GetDEREncoded(&der_encoded) ||
+ if (!net::X509Certificate::GetDEREncoded(certificate->os_cert_handle(),
+ &der_encoded) ||
!DerToPem(der_encoded, &pem_encoded)) {
LOG(ERROR) << "Could not PEM encode DER certificate";
}
@@ -75,13 +76,9 @@ static std::string BuildReport(
const net::X509Certificate::OSCertHandles& intermediates =
certificate->GetIntermediateCertificates();
-
- for (net::X509Certificate::OSCertHandles::const_iterator
- i = intermediates.begin(); i != intermediates.end(); ++i) {
- scoped_refptr<net::X509Certificate> cert =
- net::X509Certificate::CreateFromHandle(*i, intermediates);
-
- if (!cert->GetDEREncoded(&der_encoded) ||
+ for (size_t i = 0; i < intermediates.size(); ++i) {
+ if (!net::X509Certificate::GetDEREncoded(intermediates[i],
+ &der_encoded) ||
!DerToPem(der_encoded, &pem_encoded)) {
LOG(ERROR) << "Could not PEM encode DER certificate";
continue;
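Review bot: When an intermediate fails to encode, the loop logs the same "Could not PEM encode DER certificate" text used for the leaf and then skips the entry, so the log does not say which chain element is missing. For a fraudulent-certificate report an incomplete chain is worth being able to diagnose; including the index, `LOG(ERROR) << "Could not PEM encode intermediate certificate " << i;`, would do it now that `i` is a plain `size_t`. Whether the report itself records the omission is decided outside this hunk.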
diff --git a/net/base/ssl_config_service.cc b/net/base/ssl_config_service.cc
index 27d3075..40f75c8 100644
--- a/net/base/ssl_config_service.cc
+++ b/net/base/ssl_config_service.cc
@@ -31,7 +31,7 @@ SSLConfig::~SSLConfig() {
bool SSLConfig::IsAllowedBadCert(X509Certificate* cert,
CertStatus* cert_status) const {
std::string der_cert;
- if (!cert->GetDEREncoded(&der_cert))
+ if (!X509Certificate::GetDEREncoded(cert->os_cert_handle(), &der_cert))
return false;
return IsAllowedBadCert(der_cert, cert_status);
}
diff --git a/net/base/x509_certificate.h b/net/base/x509_certificate.h
index d862110..6d34437 100644
--- a/net/base/x509_certificate.h
+++ b/net/base/x509_certificate.h
@@ -393,10 +393,10 @@ class NET_EXPORT X509Certificate
// Returns true if it matches.
bool VerifyNameMatch(const std::string& hostname) const;
- // This method returns the DER encoded certificate.
- // If the return value is true then the DER encoded certificate is available.
- // The content of the DER encoded certificate is written to |encoded|.
- bool GetDEREncoded(std::string* encoded);
+ // Obtains the DER encoded certificate data for |cert_handle|. On success,
+ // returns true and writes the DER encoded certificate to |*der_encoded|.
+ static bool GetDEREncoded(OSCertHandle cert_handle,
+ std::string* der_encoded);
// Returns the OSCertHandle of this object. Because of caching, this may
// differ from the OSCertHandle originally supplied during initialization.
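Review bot: The new comment on the static `GetDEREncoded` describes only the success case; it does not say what `*der_encoded` holds when the call returns false, or that `cert_handle` has to be valid. All four platform implementations in this commit return before touching the output on failure, so the contract can be written down: `// On failure, returns false and leaves |*der_encoded| unmodified. |cert_handle| must not be NULL.` Several callers in this commit feed the bytes into the allowed-bad-certs list or a fraud report, so the failure contract is worth stating at the declaration.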
diff --git a/net/base/x509_certificate_mac.cc b/net/base/x509_certificate_mac.cc
index 61dbbe2..44acddf 100644
--- a/net/base/x509_certificate_mac.cc
+++ b/net/base/x509_certificate_mac.cc
@@ -957,15 +957,15 @@ int X509Certificate::VerifyInternal(const std::string& hostname,
return OK;
}
-bool X509Certificate::GetDEREncoded(std::string* encoded) {
- encoded->clear();
+// static
+bool X509Certificate::GetDEREncoded(X509Certificate::OSCertHandle cert_handle,
+ std::string* encoded) {
CSSM_DATA der_data;
- if (SecCertificateGetData(cert_handle_, &der_data) == noErr) {
- encoded->append(reinterpret_cast<char*>(der_data.Data),
- der_data.Length);
- return true;
- }
- return false;
+ if (SecCertificateGetData(cert_handle, &der_data) != noErr)
+ return false;
+ encoded->assign(reinterpret_cast<char*>(der_data.Data),
+ der_data.Length);
+ return true;
}
// static
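Review bot: On the failure path `*encoded` now keeps whatever the caller passed in, because the `encoded->clear()` that used to run before `SecCertificateGetData` was removed along with the switch to `assign`. That matches the NSS and Windows versions, but it is a behaviour change on Mac: a caller that reuses one string across calls and does not act on the return value would carry the previous certificate's bytes forward. The loop in `BuildReport` reuses `der_encoded` this way and is safe only because it `continue`s on failure. A short comment on the early return would record the intent, e.g. `// |*encoded| is intentionally left untouched on failure.`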
diff --git a/net/base/x509_certificate_nss.cc b/net/base/x509_certificate_nss.cc
index 0a5c902..c00ee5b 100644
--- a/net/base/x509_certificate_nss.cc
+++ b/net/base/x509_certificate_nss.cc
@@ -899,12 +899,13 @@ bool X509Certificate::VerifyEV() const {
return false;
}
-bool X509Certificate::GetDEREncoded(std::string* encoded) {
- if (!cert_handle_->derCert.len)
+// static
+bool X509Certificate::GetDEREncoded(X509Certificate::OSCertHandle cert_handle,
+ std::string* encoded) {
+ if (!cert_handle->derCert.len)
return false;
- encoded->clear();
- encoded->append(reinterpret_cast<char*>(cert_handle_->derCert.data),
- cert_handle_->derCert.len);
+ encoded->assign(reinterpret_cast<char*>(cert_handle->derCert.data),
+ cert_handle->derCert.len);
return true;
}
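Review bot: `cert_handle->derCert.len` dereferences the argument without checking it, and the Windows version does the same with `cert_handle->pbCertEncoded`. As a member function this read `cert_handle_`, which the object presumably always holds; as a public static it accepts any handle a caller supplies, such as the entries of an intermediates list. A `DCHECK(cert_handle);` as the first statement, or `if (!cert_handle) return false;` if a NULL handle is meant to be a reportable failure, would make the precondition explicit in both files.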
diff --git a/net/base/x509_certificate_openssl.cc b/net/base/x509_certificate_openssl.cc
index ac5b75c..5880911 100644
--- a/net/base/x509_certificate_openssl.cc
+++ b/net/base/x509_certificate_openssl.cc
@@ -527,10 +527,12 @@ int X509Certificate::VerifyInternal(const std::string& hostname,
#endif // !defined(OS_ANDROID)
-bool X509Certificate::GetDEREncoded(std::string* encoded) {
+// static
+bool X509Certificate::GetDEREncoded(X509Certificate::OSCertHandle cert_handle,
+ std::string* encoded) {
DERCache der_cache;
- if (!GetDERAndCacheIfNeeded(cert_handle_, &der_cache))
- return false;
+ if (!GetDERAndCacheIfNeeded(cert_handle, &der_cache))
+ return false;
encoded->assign(reinterpret_cast<const char*>(der_cache.data),
der_cache.data_length);
return true;
diff --git a/net/base/x509_certificate_unittest.cc b/net/base/x509_certificate_unittest.cc
index d54a36f..33c5edd 100644
--- a/net/base/x509_certificate_unittest.cc
+++ b/net/base/x509_certificate_unittest.cc
@@ -595,7 +595,8 @@ TEST(X509CertificateTest, DigiNotarCerts) {
scoped_refptr<X509Certificate> diginotar_cert =
ImportCertFromFile(certs_dir, kDigiNotarFilenames[i]);
std::string der_bytes;
- ASSERT_TRUE(diginotar_cert->GetDEREncoded(&der_bytes));
+ ASSERT_TRUE(X509Certificate::GetDEREncoded(
+ diginotar_cert->os_cert_handle(), &der_bytes));
base::StringPiece spki;
ASSERT_TRUE(asn1::ExtractSPKIFromDERCert(der_bytes, &spki));
@@ -653,7 +654,8 @@ TEST(X509CertificateTest, ExtractSPKIFromDERCert) {
ASSERT_NE(static_cast<X509Certificate*>(NULL), cert);
std::string derBytes;
- EXPECT_TRUE(cert->GetDEREncoded(&derBytes));
+ EXPECT_TRUE(X509Certificate::GetDEREncoded(cert->os_cert_handle(),
+ &derBytes));
base::StringPiece spkiBytes;
EXPECT_TRUE(asn1::ExtractSPKIFromDERCert(derBytes, &spkiBytes));
@@ -672,7 +674,8 @@ TEST(X509CertificateTest, ExtractCRLURLsFromDERCert) {
ASSERT_NE(static_cast<X509Certificate*>(NULL), cert);
std::string derBytes;
- EXPECT_TRUE(cert->GetDEREncoded(&derBytes));
+ EXPECT_TRUE(X509Certificate::GetDEREncoded(cert->os_cert_handle(),
+ &derBytes));
std::vector<base::StringPiece> crl_urls;
EXPECT_TRUE(asn1::ExtractCRLURLsFromDERCert(derBytes, &crl_urls));
@@ -1220,7 +1223,8 @@ TEST(X509CertificateTest, GetDEREncoded) {
private_key.get(), "CN=subject", 0, base::TimeDelta::FromDays(1));
std::string der_cert;
- EXPECT_TRUE(cert->GetDEREncoded(&der_cert));
+ EXPECT_TRUE(X509Certificate::GetDEREncoded(cert->os_cert_handle(),
+ &der_cert));
EXPECT_FALSE(der_cert.empty());
}
#endif
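Review bot: The `GetDEREncoded` test still passes an empty `der_cert`, so it would not notice an implementation that appended to the output instead of replacing it, now that the explicit `clear()` calls are gone from the Mac, NSS and Windows versions. Seeding the string first, e.g. `std::string der_cert = "stale";`, and comparing the result with a second call into a fresh string would pin the replace semantics. The test body starts outside this hunk.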
diff --git a/net/base/x509_certificate_win.cc b/net/base/x509_certificate_win.cc
index efa5e5c..4f27836 100644
--- a/net/base/x509_certificate_win.cc
+++ b/net/base/x509_certificate_win.cc
@@ -964,12 +964,13 @@ int X509Certificate::VerifyInternal(const std::string& hostname,
return OK;
}
-bool X509Certificate::GetDEREncoded(std::string* encoded) {
- if (!cert_handle_->pbCertEncoded || !cert_handle_->cbCertEncoded)
+// static
+bool X509Certificate::GetDEREncoded(X509Certificate::OSCertHandle cert_handle,
+ std::string* encoded) {
+ if (!cert_handle->pbCertEncoded || !cert_handle->cbCertEncoded)
return false;
- encoded->clear();
- encoded->append(reinterpret_cast<char*>(cert_handle_->pbCertEncoded),
- cert_handle_->cbCertEncoded);
+ encoded->assign(reinterpret_cast<char*>(cert_handle->pbCertEncoded),
+ cert_handle->cbCertEncoded);
return true;
}
diff --git a/net/http/http_stream_factory_impl_job.cc b/net/http/http_stream_factory_impl_job.cc
index 66c3135..17cd769 100644
--- a/net/http/http_stream_factory_impl_job.cc
+++ b/net/http/http_stream_factory_impl_job.cc
@@ -1074,8 +1074,10 @@ int HttpStreamFactoryImpl::Job::HandleCertificateError(int error) {
// X509Certificate for whatever reason, but normally it shouldn't
// happen, unless this code is used inside sandbox.
if (ssl_info_.cert == NULL ||
- !ssl_info_.cert->GetDEREncoded(&bad_cert.der_cert))
+ !X509Certificate::GetDEREncoded(ssl_info_.cert->os_cert_handle(),
+ &bad_cert.der_cert)) {
return error;
+ }
bad_cert.cert_status = ssl_info_.cert_status;
server_ssl_config_.allowed_bad_certs.push_back(bad_cert);
diff --git a/net/socket/ssl_server_socket_nss.cc b/net/socket/ssl_server_socket_nss.cc
index 4316049..8f1b43b 100644
--- a/net/socket/ssl_server_socket_nss.cc
+++ b/net/socket/ssl_server_socket_nss.cc
@@ -357,7 +357,7 @@ int SSLServerSocketNSS::InitializeSSLOptions() {
// Get a certificate of CERTCertificate structure.
std::string der_string;
- if (!cert_->GetDEREncoded(&der_string))
+ if (!X509Certificate::GetDEREncoded(cert_->os_cert_handle(), &der_string))
return ERR_UNEXPECTED;
SECItem der_cert;
diff --git a/net/socket_stream/socket_stream.cc b/net/socket_stream/socket_stream.cc
index 9af48f4..5051b64 100644
--- a/net/socket_stream/socket_stream.cc
+++ b/net/socket_stream/socket_stream.cc
@@ -335,7 +335,8 @@ int SocketStream::DidEstablishSSL(int result, SSLConfig* ssl_config) {
// Add the bad certificate to the set of allowed certificates in the
// SSL config object.
SSLConfig::CertAndStatus bad_cert;
- if (!ssl_info.cert->GetDEREncoded(&bad_cert.der_cert)) {
+ if (!X509Certificate::GetDEREncoded(ssl_info.cert->os_cert_handle(),
+ &bad_cert.der_cert)) {
next_state_ = STATE_CLOSE;
return result;
}
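Review bot: `ssl_info.cert->os_cert_handle()` is evaluated with no NULL test on `ssl_info.cert` in the visible lines, whereas the equivalent path in `HandleCertificateError` (http_stream_factory_impl_job.cc) guards with `ssl_info_.cert == NULL ||` before the call. `DidEstablishSSL` begins outside this hunk, so an earlier check may exist; if it does not, the condition should start with the same guard, `if (ssl_info.cert == NULL || !X509Certificate::GetDEREncoded(ssl_info.cert->os_cert_handle(), &bad_cert.der_cert)) {`. Per the comment above it, this is the path that adds a certificate to the allowed set in the SSL config, so a missing certificate should take the `STATE_CLOSE` branch rather than crash.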
diff --git a/remoting/host/host_key_pair.cc b/remoting/host/host_key_pair.cc
index 576bc1b..4f81aa8 100644
--- a/remoting/host/host_key_pair.cc
+++ b/remoting/host/host_key_pair.cc
@@ -100,9 +100,11 @@ std::string HostKeyPair::GenerateCertificate() const {
key_.get(), "CN=chromoting",
base::RandInt(1, std::numeric_limits<int>::max()),
base::TimeDelta::FromDays(1));
- std::string result;
- CHECK(cert->GetDEREncoded(&result));
- return result;
+ std::string encoded;
+ bool result = net::X509Certificate::GetDEREncoded(cert->os_cert_handle(),
+ &encoded);
+ CHECK(result);
+ return encoded;
}
} // namespace remoting