-rw-r--r-- | net/cert/ct_objects_extractor_nss.cc | 24 | ||||
-rw-r--r-- | net/cert/scoped_nss_types.h | 26 | ||||
-rw-r--r-- | net/net.gyp | 2 | ||||
-rw-r--r-- | net/socket/ssl_client_socket_nss.cc | 10 |
4 files changed, 36 insertions, 26 deletions
diff --git a/net/cert/ct_objects_extractor_nss.cc b/net/cert/ct_objects_extractor_nss.cc index 97b8590..0f353489e 100644 --- a/net/cert/ct_objects_extractor_nss.cc +++ b/net/cert/ct_objects_extractor_nss.cc @@ -13,6 +13,7 @@ #include "crypto/scoped_nss_types.h" #include "crypto/sha2.h" #include "net/cert/asn1_util.h" +#include "net/cert/scoped_nss_types.h" #include "net/cert/signed_certificate_timestamp.h" namespace net { @@ -21,16 +22,6 @@ namespace ct { namespace { -struct FreeCERTCertificate { - public: - inline void operator()(CERTCertificate* x) const { - CERT_DestroyCertificate(x); - } -}; - -typedef scoped_ptr_malloc<CERTCertificate, FreeCERTCertificate> - ScopedCERTCertificate; - // Wrapper class to convert a X509Certificate::OSCertHandle directly // into a CERTCertificate* usable with other NSS functions. This is used for // platforms where X509Certificate::OSCertHandle refers to a different type @@ -65,9 +56,9 @@ NSSCertWrapper::NSSCertWrapper(X509Certificate::OSCertHandle cert_handle) { // The wire form of the OID 1.3.6.1.4.1.11129.2.4.2. See Section 3.3 of // RFC6962. -static const unsigned char kEmbeddedSCTOid[] = {0x2B, 0x06, 0x01, 0x04, 0x01, - 0xD6, 0x79, 0x02, 0x04, 0x02}; -static const char kEmbeddedSCTDescription[] = +const unsigned char kEmbeddedSCTOid[] = {0x2B, 0x06, 0x01, 0x04, 0x01, + 0xD6, 0x79, 0x02, 0x04, 0x02}; +const char kEmbeddedSCTDescription[] = "X.509v3 Certificate Transparency Embedded Signed Certificate Timestamp " "List"; 
@@ -131,11 +122,10 @@ bool GetOctetStringExtension(CERTCertificate* cert, base::StringPiece raw_data(reinterpret_cast<char*>(extension.data), extension.len); base::StringPiece parsed_data; - if (!asn1::GetElement(&raw_data, asn1::kOCTETSTRING, &parsed_data)) { + if (!asn1::GetElement(&raw_data, asn1::kOCTETSTRING, &parsed_data) || + raw_data.size() > 0) { // Decoding failure or raw data left rv = SECFailure; } else { - if (raw_data.size() > 0) - return false; // leftover data parsed_data.CopyToString(extension_data); } @@ -144,7 +134,7 @@ bool GetOctetStringExtension(CERTCertificate* cert, } // Given a |cert|, extract the TBSCertificate from this certificate, also -// removing X.509 extensions with OID 1.3.6.1.4.1.11129.2.4.2 (that is, +// removing the X.509 extension with OID 1.3.6.1.4.1.11129.2.4.2 (that is, // the embedded SCT) bool ExtractTBSCertWithoutSCTs(CERTCertificate* cert, std::string* to_be_signed) { diff --git a/net/cert/scoped_nss_types.h b/net/cert/scoped_nss_types.h new file mode 100644 index 0000000..3e6d57d --- /dev/null +++ b/net/cert/scoped_nss_types.h @@ -0,0 +1,26 @@ +// Copyright 2013 The Chromium Authors. All rights reserved. +// // Use of this source code is governed by a BSD-style license that can be +// // found in the LICENSE file. +// +#ifndef NET_CERT_SCOPED_NSS_TYPES_H_ +#define NET_CERT_SCOPED_NSS_TYPES_H_ + +#include <cert.h> + +#include "base/memory/scoped_ptr.h" + +namespace net { + +struct FreeCERTCertificate { + public: + void operator()(CERTCertificate* x) const { + CERT_DestroyCertificate(x); + } +}; + +typedef scoped_ptr_malloc<CERTCertificate, FreeCERTCertificate> + ScopedCERTCertificate; + +} // namespace net + +#endif // NET_CERT_SCOPED_NSS_TYPES_H_ diff --git a/net/net.gyp b/net/net.gyp index 8a7dd26..9b80bd4 100644 --- a/net/net.gyp +++ b/net/net.gyp 
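Review bot: In GetOctetStringExtension the new `|| raw_data.size() > 0` test is only meaningful if asn1::GetElement strips the parsed element from `raw_data`, which the old "leftover data" comment implies but the call site no longer says. I would add a comment above the condition, e.g. `// GetElement() consumes the OCTET STRING from |raw_data|; anything left over is trailing data and the extension is rejected.`, and write the test as `!raw_data.empty()`. Sending the trailing-data case through `rv = SECFailure` instead of an early `return false` presumably lets the cleanup after the if/else run on that path too. That cleanup and the rest of the function lie outside the hunk, so this is worth confirming. The function comment could also say that `extension_data` is left unmodified on failure.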
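Review bot: ScopedCERTCertificate is now shared across net/, but the new header does not say what the scoper owns. A comment above the typedef, such as `// Owns one reference to a CERTCertificate; released with CERT_DestroyCertificate() when the scoper is destroyed or reset.`, would tell callers to hand it only a reference they hold. The licence banner is also malformed: its second and third lines read `// // Use of this source code ...` and `// // found in the LICENSE file.`, followed by a stray `//` line, and should be plain `// ` lines. `public:` inside `struct FreeCERTCertificate` is redundant. The file shares its basename with crypto/scoped_nss_types.h, which ct_objects_extractor_nss.cc also includes, so a one-line file comment saying which NSS types belong here would reduce confusion.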
@@ -290,6 +290,7 @@ 'cert/nss_cert_database.h', 'cert/pem_tokenizer.cc', 'cert/pem_tokenizer.h', + 'cert/scoped_nss_types.h', 'cert/signed_certificate_timestamp.cc', 'cert/signed_certificate_timestamp.h', 'cert/single_request_cert_verifier.cc', @@ -1274,6 +1275,7 @@ 'cert/jwk_serializer_nss.cc', 'cert/nss_cert_database.cc', 'cert/nss_cert_database.h', + 'cert/scoped_nss_types.h', 'cert/test_root_certs_nss.cc', 'cert/x509_certificate_nss.cc', 'cert/x509_util_nss.cc', diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc index 6f1910c..89eab14 100644 --- a/net/socket/ssl_client_socket_nss.cc +++ b/net/socket/ssl_client_socket_nss.cc @@ -93,6 +93,7 @@ #include "net/cert/asn1_util.h" #include "net/cert/cert_status_flags.h" #include "net/cert/cert_verifier.h" +#include "net/cert/scoped_nss_types.h" #include "net/cert/single_request_cert_verifier.h" #include "net/cert/x509_certificate_net_log_param.h" #include "net/cert/x509_util.h" @@ -221,15 +222,6 @@ bool IsOCSPStaplingSupported() { } #endif -class FreeCERTCertificate { - public: - inline void operator()(CERTCertificate* x) const { - CERT_DestroyCertificate(x); - } -}; -typedef scoped_ptr_malloc<CERTCertificate, FreeCERTCertificate> - ScopedCERTCertificate; - #if defined(OS_WIN) // This callback is intended to be used with CertFindChainInStore. In addition |