Support x509 certificate on iOS.

net/base/x509_util_ios.cc

+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/base/x509_util_ios.h"
+
+#include <cert.h>
+#include <nss.h>
+#include <prtypes.h>
+
+#include "base/mac/scoped_cftyperef.h"
+#include "crypto/nss_util.h"
+#include "net/base/x509_certificate.h"
+
+using base::mac::ScopedCFTypeRef;
+
+namespace net {
+namespace x509_util_ios {
+
+namespace {
+
+// Creates an NSS certificate handle from |data|, which is |length| bytes in
+// size.
+CERTCertificate* CreateNSSCertHandleFromBytes(const char* data,
+                                              int length) {
+  if (length < 0)
+    return NULL;
+
+  crypto::EnsureNSSInit();
+
+  if (!NSS_IsInitialized())
+    return NULL;
+
+  SECItem der_cert;
+  der_cert.data = reinterpret_cast<unsigned char*>(const_cast<char*>(data));
+  der_cert.len  = length;
+  der_cert.type = siDERCertBuffer;
+
+  // Parse into a certificate structure.
+  return CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &der_cert, NULL,
+                                 PR_FALSE, PR_TRUE);
+}
+
+}  // namespace
+
+CERTCertificate* CreateNSSCertHandleFromOSHandle(
+    SecCertificateRef cert_handle) {
+  ScopedCFTypeRef<CFDataRef> cert_data(SecCertificateCopyData(cert_handle));
+  return CreateNSSCertHandleFromBytes(
+      reinterpret_cast<const char*>(CFDataGetBytePtr(cert_data)),
+      CFDataGetLength(cert_data));
+}
+
+SecCertificateRef CreateOSCertHandleFromNSSHandle(
+    CERTCertificate* nss_cert_handle) {
+  return X509Certificate::CreateOSCertHandleFromBytes(
+      reinterpret_cast<const char*>(nss_cert_handle->derCert.data),
+      nss_cert_handle->derCert.len);
+}
+
+NSSCertificate::NSSCertificate(SecCertificateRef cert_handle) {
+  nss_cert_handle_ = CreateNSSCertHandleFromOSHandle(cert_handle);
+}
+
+NSSCertificate::~NSSCertificate() {
+  CERT_DestroyCertificate(nss_cert_handle_);
+}
+
+CERTCertificate* NSSCertificate::cert_handle() {
+  return nss_cert_handle_;

[Ryan Sleevi, 2012/09/12 19:34:44]

nit: We'll want to ensure that all callers who call cert_handle() are checking
that it's valid (!= NULL). Whether that's done with an IsValid helper or a
direct NULL check, I'm ambivalent on, but it is possible that

- A Cert can be represented as a SecCertificateRef, but not a CERTCertificate*
- A Cert can be represented as a CERTCertificate*, but not a SecCertificateRef

Usually this comes down to date/time handling, but may also happen with
extensions.

Callers should never assume they're guaranteed to get a good result from a good
input, and because it represents "untrusted" (eg: network) input, they should
handle it gracefully (eg: don't DCHECK/CHECK/crash)

[droger, 2012/09/13 13:03:05]

I added special cases in GetSubjectAltName() and Initialize().
GetPublicKeyInfo already fails gracefully.

+}
+
+}  // namespace x509_util_ios
+}  // namespace net
+