crypto: fix leak and improve cert enumeration

1. Fix CFRelease leak in IsTrustDictionaryTrustedForPolicy: the
   CFDictionaryRef returned by SecPolicyCopyProperties(policy_ref)
   was not released when the policy OID matched kSecPolicyAppleSSL.

2. Deduplicate certificates: SecItemCopyMatching can return the same
   certificate from multiple keychains.

3. Filter expired certificates.

Author: deepak1556

src/crypto/crypto_context.cc

@@ -369,7 +369,10 @@ TrustStatus IsTrustDictionaryTrustedForPolicy(CFDictionaryRef trust_dict,
     CFStringRef policy_oid = reinterpret_cast<CFStringRef>(
         const_cast<void*>(CFDictionaryGetValue(policy_dict, kSecPolicyOid)));
 
-    if (!CFEqual(policy_oid, kSecPolicyAppleSSL)) {
+    bool matches_ssl = CFEqual(policy_oid, kSecPolicyAppleSSL);
+    CFRelease(policy_dict);
+
+    if (!matches_ssl) {
       return TrustStatus::UNSPECIFIED;
     }
   }
@@ -522,6 +525,21 @@ bool IsCertificateTrustedForPolicy(X509* cert, SecCertificateRef ref) {
   return false;
 }
 
+// Checks if a certificate has expired.
+// Returns true if the certificate's notAfter date is in the past.
+static bool IsCertificateExpired(X509* cert) {
+  // X509_cmp_current_time returns:
+  // -1 if the time is in the past (expired)
+  //  0 if there was an error
+  //  1 if the time is in the future (not yet expired)
+  ASN1_TIME* not_after = X509_get_notAfter(cert);
+  if (not_after == nullptr) {
+    return false;
+  }
+  int cmp = X509_cmp_current_time(not_after);
+  return cmp < 0;
+}
+
 void ReadMacOSKeychainCertificates(
     std::vector<X509*>* system_root_certificates_X509) {
   CFTypeRef search_keys[] = {kSecClass, kSecMatchLimit, kSecReturnRef};
@@ -549,6 +567,10 @@ void ReadMacOSKeychainCertificates(
 
   CFIndex count = CFArrayGetCount(curr_anchors);
 
+  // Track seen certificates to detect duplicates (same cert in multiple
+  // keychains).
+  std::set<X509*, X509Less> seen_certs;
+
   for (int i = 0; i < count; ++i) {
     SecCertificateRef cert_ref = reinterpret_cast<SecCertificateRef>(
         const_cast<void*>(CFArrayGetValueAtIndex(curr_anchors, i)));
@@ -574,11 +596,28 @@ void ReadMacOSKeychainCertificates(
     }
 
     bool is_valid = IsCertificateTrustedForPolicy(cert, cert_ref);
-    if (is_valid) {
-      system_root_certificates_X509->emplace_back(cert);
-    } else {
+    if (!is_valid) {
+      X509_free(cert);
+      continue;
+    }
+
+    // Skip duplicate certificates.
+    auto [it, inserted] = seen_certs.insert(cert);
+    if (!inserted) {
       X509_free(cert);
+      continue;
     }
+
+    // Skip expired certificates.
+    if (IsCertificateExpired(cert)) {
+      per_process::Debug(DebugCategory::CRYPTO,
+                         "Skipping expired system certificate\n");
+      seen_certs.erase(it);
+      X509_free(cert);
+      continue;
+    }
+
+    system_root_certificates_X509->emplace_back(cert);
   }
   CFRelease(curr_anchors);
 }