authorrsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-12-16 00:01:37 +0000
committerrsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-12-16 00:01:37 +0000
commit32765f80889421c6161a7b9e73bc1ee722db6892 (patch)
treebba0f974c84f9859da5b62bc233d00955e63c032 /net/base/test_root_certs.h
parent235478be87f59f3962eda9d8f3fba04e8a5096e4 (diff)
Add support for temporarily trusting a certificate for the duration of unit tests on Windows, rather than requiring the machine to be pre-configured out-of-band.
Given the lack of a Microsoft-provided high-level API to supply application-level trusts to the verification routines, this implements a workaround that intercepts attempts to open the trusted system root store and injects the test certificates directly. This allows the unit tests to work without requiring that the Test CA be added to the machine's Trusted Certificates store. While doing so, clean up the interface to adding/removing trusted test certificates, so as to support more than one trusted certificate if necessary. BUG=8470 TEST=To follow Review URL: http://codereview.chromium.org/4646001 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@69351 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/base/test_root_certs.h')
-rw-r--r--net/base/test_root_certs.h103
1 files changed, 103 insertions, 0 deletions
diff --git a/net/base/test_root_certs.h b/net/base/test_root_certs.h
new file mode 100644
index 0000000..3fa8fcfd
--- /dev/null
+++ b/net/base/test_root_certs.h
@@ -0,0 +1,103 @@
+// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_BASE_TEST_ROOT_CERTS_H_
+#define NET_BASE_TEST_ROOT_CERTS_H_
+#pragma once
+
+#include "base/lazy_instance.h"
+#include "build/build_config.h"
+
+#if defined(OS_WIN)
+#include <windows.h>
+#include <wincrypt.h>
+#elif defined(OS_MACOSX)
+#include <CoreFoundation/CFArray.h>
+#include <Security/SecTrust.h>
+#include "base/mac/scoped_cftyperef.h"
+#elif defined(USE_NSS)
+#include <list>
+#endif
+
+class FilePath;
+
+namespace net {
+
+class X509Certificate;
+
+// TestRootCerts is a helper class for unit tests that is used to
+// artificially mark a certificate as trusted, independent of the local
+// machine configuration.
+class TestRootCerts {
+ public:
+ // Obtains the Singleton instance to the trusted certificates.
+ static TestRootCerts* GetInstance();
+
+ // Returns true if an instance exists, without forcing an initialization.
+ static bool HasInstance();
+
+ // Marks |certificate| as trusted for X509Certificate::Verify(). Returns
+ // false if the certificate could not be marked trusted.
+ bool Add(X509Certificate* certificate);
+
+ // Reads a single certificate from |file| and marks it as trusted. Returns
+ // false if an error is encountered, such as being unable to read |file|
+ // or more than one certificate existing in |file|.
+ bool AddFromFile(const FilePath& file);
+
+ // Clears the trusted status of any certificates that were previously
+ // marked trusted via Add().
+ void Clear();
+
+ // Returns true if there are no certificates that have been marked trusted.
+ bool IsEmpty() const;
+
+#if defined(OS_MACOSX)
+ CFArrayRef temporary_roots() const { return temporary_roots_; }
+
+ // Modifies the root certificates of |trust_ref| to include the
+ // certificates stored in |temporary_roots_|. If IsEmpty() is true, this
+ // does not modify |trust_ref|.
+ OSStatus FixupSecTrustRef(SecTrustRef trust_ref) const;
+#elif defined(OS_WIN)
+ HCERTSTORE temporary_roots() const { return temporary_roots_; }
+
+ // Returns an HCERTCHAINENGINE suitable to be used for certificate
+ // validation routines, or NULL to indicate that the default system chain
+ // engine is appropriate. The caller is responsible for freeing the
+ // returned HCERTCHAINENGINE.
+ HCERTCHAINENGINE GetChainEngine() const;
+#endif
+
+ private:
+ friend struct base::DefaultLazyInstanceTraits<TestRootCerts>;
+
+ TestRootCerts();
+ ~TestRootCerts();
+
+ // Performs platform-dependent initialization.
+ void Init();
+
+#if defined(OS_MACOSX)
+ base::mac::ScopedCFTypeRef<CFMutableArrayRef> temporary_roots_;
+#elif defined(OS_WIN)
+ HCERTSTORE temporary_roots_;
+#elif defined(USE_NSS)
+ // It is necessary to maintain a cache of the original certificate trust
+ // settings, in order to restore them when Clear() is called.
+ class TrustEntry;
+ std::list<TrustEntry*> trust_cache_;
+#endif
+
+#if defined(OS_WIN) || defined(USE_OPENSSL)
+ // True if there are no temporarily trusted root certificates.
+ bool empty_;
+#endif
+
+ DISALLOW_COPY_AND_ASSIGN(TestRootCerts);
+};
+
+} // namespace net
+
+#endif // NET_BASE_TEST_ROOT_CERTS_H_
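Review bot: The class comment on `TestRootCerts` calls it a unit-test helper, but nothing in this header keeps the process-wide singleton out of non-test code. Going by the comments on `Add()` and `Clear()`, a root added here stays trusted by `X509Certificate::Verify()` for every caller in the process until `Clear()` is called. I would say so in the class comment, e.g. `// Test-only. Roots added via Add() are trusted process-wide until Clear(); each test must call Clear() when done.` The comment should also state whether `Add()`/`Clear()` may run while a verification is in progress on another thread, since the header is silent and the implementation is not part of this file. Separately, `temporary_roots()` on Windows and Mac returns the member handle with no ownership note, unlike `GetChainEngine()`; it looks borrowed, so a line such as `// The returned handle remains owned by TestRootCerts; callers must not close or release it.` would prevent an accidental free of the shared store.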