author | hawk@chromium.org <hawk@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-08-27 17:49:41 +0000 |
---|---|---|
committer | hawk@chromium.org <hawk@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-08-27 17:49:41 +0000 |
commit | 010e27ec98de24f68648b8c3ac68f3408f0578c0 (patch) | |
tree | 5d598c11cc366a4dd778f9d5aaed0ab62b082d05 /net/socket/ssl_test_util.cc | |
parent | 7cb43d53404c33f90398ba6217dc9645400e9c8e (diff) | |
Enable SSLClientSocketTest unit tests on Mac OS X by implementing our own certificate validation code. This gives us proper hostname matching, multiple error codes (e.g., before a certificate could be marked as expired or untrusted, but not both), revocation checking, and EV certificate checking.
BUG=19286,10910,14733
TEST=https://www.paypal.com should work without warning. https://paypal.com should get a warning about a hostname mismatch. https://test-ssev.verisign.com:1443/test-SSEV-expired-verisign.html should give a warning about an expired certificate.
Review URL: http://codereview.chromium.org/174102
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@24625 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/socket/ssl_test_util.cc')
-rw-r--r-- | net/socket/ssl_test_util.cc | 50 |
1 files changed, 50 insertions, 0 deletions
diff --git a/net/socket/ssl_test_util.cc b/net/socket/ssl_test_util.cc
index b0fa20e..7e73f1e 100644
--- a/net/socket/ssl_test_util.cc
+++ b/net/socket/ssl_test_util.cc
@@ -24,6 +24,10 @@
 #include <pk11pub.h>
 #undef Lock
 #include "base/nss_init.h"
+#elif defined(OS_MACOSX)
+#include <Security/Security.h>
+#include "base/scoped_cftyperef.h"
+#include "net/base/x509_certificate.h"
 #endif
 #include "base/file_util.h"
@@ -81,10 +85,48 @@ static CERTCertificate* LoadTemporaryCert(const FilePath& filename) {
 }
 #endif
+#if defined(OS_MACOSX)
+static net::X509Certificate* LoadTemporaryCert(const FilePath& filename) {
+ std::string rawcert;
+ if (!file_util::ReadFileToString(filename.ToWStringHack(), &rawcert)) {
+ LOG(ERROR) << "Can't load certificate " << filename.ToWStringHack();
+ return NULL;
+ }
+
+ CFDataRef pem = CFDataCreate(kCFAllocatorDefault,
+ reinterpret_cast<const UInt8*>(rawcert.data()),
+ static_cast<CFIndex>(rawcert.size()));
+ if (!pem)
+ return NULL;
+ scoped_cftyperef<CFDataRef> scoped_pem(pem);
+
+ SecExternalFormat input_format = kSecFormatUnknown;
+ SecExternalItemType item_type = kSecItemTypeUnknown;
+ CFArrayRef cert_array = NULL;
+ if (SecKeychainItemImport(pem, NULL, &input_format, &item_type, 0, NULL, NULL,
+ &cert_array))
+ return NULL;
+ scoped_cftyperef<CFArrayRef> scoped_cert_array(cert_array);
+
+ if (!CFArrayGetCount(cert_array))
+ return NULL;
+
+ SecCertificateRef cert_ref = static_cast<SecCertificateRef>(
+ const_cast<void*>(CFArrayGetValueAtIndex(cert_array, 0)));
+ CFRetain(cert_ref);
+ return net::X509Certificate::CreateFromHandle(cert_ref,
+ net::X509Certificate::SOURCE_FROM_NETWORK);
+}
+#endif
+
 } // namespace
 namespace net {
+#if defined(OS_MACOSX)
+void SetMacTestCertificate(X509Certificate* cert);
+#endif
+
 // static
 const char TestServerLauncher::kHostName[] = "127.0.0.1";
 const char TestServerLauncher::kMismatchedHostName[] = "localhost";
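Review bot: In the Mac `LoadTemporaryCert`, the first element of `cert_array` is cast to `SecCertificateRef` without checking what `SecKeychainItemImport` actually produced. Because the import is called with `kSecFormatUnknown` / `kSecItemTypeUnknown`, a file holding a key or some other item would be handed to `CreateFromHandle` as if it were a certificate. I would guard the cast with `if (CFGetTypeID(item) != SecCertificateGetTypeID()) return NULL;`, where `item` is the value from `CFArrayGetValueAtIndex(cert_array, 0)`. The count check should also tolerate a null array: `if (!cert_array || !CFArrayGetCount(cert_array)) return NULL;`. The certificate is read from disk but tagged `SOURCE_FROM_NETWORK`; a one-line comment saying why that source value is chosen would help the next reader.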
@@ -317,6 +359,8 @@ TestServerLauncher::~TestServerLauncher() {
 #if defined(OS_LINUX)
 if (cert_)
 CERT_DestroyCertificate(reinterpret_cast<CERTCertificate*>(cert_));
+#elif defined(OS_MACOSX)
+ SetMacTestCertificate(NULL);
 #endif
 Stop();
 }
@@ -353,6 +397,12 @@ bool TestServerLauncher::LoadTestRootCert() {
 LoadTemporaryCert(GetRootCertPath()));
 DCHECK(cert_);
 return (cert_ != NULL);
+#elif defined(OS_MACOSX)
+ X509Certificate* cert = LoadTemporaryCert(GetRootCertPath());
+ if (!cert)
+ return false;
+ SetMacTestCertificate(cert);
+ return true;
 #else
 return true;
 #endif |
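Review bot: The Mac branch of the destructor calls `SetMacTestCertificate(NULL)` unconditionally, while the Linux branch only releases a certificate this instance holds (`if (cert_)`). `SetMacTestCertificate` is a free function in `net`, so it presumably sets process-wide state; if so, destroying a launcher that never called `LoadTestRootCert()` would clear a test root installed by another live launcher. Recording in `LoadTestRootCert()` that this instance installed the certificate, and clearing only in that case, would keep the two platforms consistent. The destructor body begins outside the hunk.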
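Review bot: The Mac branch of `LoadTestRootCert()` hands the loaded root to `SetMacTestCertificate(cert)` with nothing to say what that does to trust decisions or who owns `cert` afterwards. Unlike the Linux branch, the pointer is not stored in `cert_`, and whether the callee takes its own reference is not visible here. Since this presumably makes the verifier accept chains ending in the test root, I would add a comment at the call such as `// Test-only: installs |cert| as an extra trusted root for certificate verification; cleared in ~TestServerLauncher().` and state the ownership convention next to the forward declaration of `SetMacTestCertificate` in the second hunk. The function body begins outside the hunk.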