authorrsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-12-16 00:01:37 +0000
committerrsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-12-16 00:01:37 +0000
commit32765f80889421c6161a7b9e73bc1ee722db6892 (patch)
treebba0f974c84f9859da5b62bc233d00955e63c032 /net/test
parent235478be87f59f3962eda9d8f3fba04e8a5096e4 (diff)
Add support for temporarily trusting a certificate for the duration of unit tests on Windows, rather than requiring the machine to be pre-configured out-of-band.
Given the lack of a Microsoft-provided high-level API to supply application-level trusts to the verification routines, this implements a workaround that intercepts attempts to open the trusted system root store and injects the test certificates directly. This allows the unit tests to work without requiring that the Test CA be added to the machine's Trusted Certificates store. While doing so, clean up the interface to adding/removing trusted test certificates, so as to support more than one trusted certificate if necessary. BUG=8470 TEST=To follow Review URL: http://codereview.chromium.org/4646001 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@69351 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/test')
-rw-r--r--net/test/test_server.cc36
-rw-r--r--net/test/test_server.h12
-rw-r--r--net/test/test_server_posix.cc4
-rw-r--r--net/test/test_server_win.cc28
4 files changed, 5 insertions, 75 deletions
diff --git a/net/test/test_server.cc b/net/test/test_server.cc
index a6e5a82..9722dc1 100644
--- a/net/test/test_server.cc
+++ b/net/test/test_server.cc
@@ -26,10 +26,10 @@
#include "base/utf_string_conversions.h"
#include "base/values.h"
#include "googleurl/src/gurl.h"
-#include "net/base/cert_test_util.h"
#include "net/base/host_port_pair.h"
#include "net/base/host_resolver.h"
#include "net/base/test_completion_callback.h"
+#include "net/base/test_root_certs.h"
#include "net/socket/tcp_client_socket.h"
#include "net/test/python_utils.h"
#include "testing/platform_test.h"
@@ -58,10 +58,6 @@ std::string GetHostname(TestServer::Type type,
} // namespace
-#if defined(OS_MACOSX)
-void SetMacTestCertificate(X509Certificate* cert);
-#endif
-
TestServer::HTTPSOptions::HTTPSOptions()
: server_certificate(CERT_OK),
request_client_certificate(false),
@@ -103,9 +99,8 @@ TestServer::TestServer(const HTTPSOptions& https_options,
}
TestServer::~TestServer() {
-#if defined(OS_MACOSX)
- SetMacTestCertificate(NULL);
-#endif
+ TestRootCerts* root_certs = TestRootCerts::GetInstance();
+ root_certs->Clear();
Stop();
}
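Review bot: The destructor calls `Clear()` on the shared `TestRootCerts` instance unconditionally, while `Start()` in the next hunk only loads the root when `type_ == TYPE_HTTPS`. If `GetInstance()` returns a process-wide singleton, as the name suggests, destroying any TestServer (even a plain HTTP one) drops every temporarily trusted test root, including ones that another live server or test added. Consider guarding the call, `if (type_ == TYPE_HTTPS) TestRootCerts::GetInstance()->Clear();`, and adding a comment such as `// Clears ALL temporarily trusted test roots, not only the one this server added.` so the trust scope is explicit to test authors.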
@@ -132,8 +127,6 @@ bool TestServer::Start() {
if (type_ == TYPE_HTTPS) {
if (!LoadTestRootCert())
return false;
- if (!CheckCATrusted())
- return false;
}
// Get path to python server script
@@ -318,27 +311,8 @@ FilePath TestServer::GetRootCertificatePath() {
}
bool TestServer::LoadTestRootCert() {
-#if defined(USE_OPENSSL) || defined(USE_NSS)
- if (cert_)
- return true;
-
- // TODO(dkegel): figure out how to get this to only happen once?
-
- // This currently leaks a little memory.
- // TODO(dkegel): fix the leak and remove the entry in
- // tools/valgrind/memcheck/suppressions.txt
- ANNOTATE_SCOPED_MEMORY_LEAK; // Tell heap checker about the leak.
- cert_ = LoadTemporaryRootCert(GetRootCertificatePath());
- return (cert_ != NULL);
-#elif defined(OS_MACOSX)
- X509Certificate* cert = LoadTemporaryRootCert(GetRootCertificatePath());
- if (!cert)
- return false;
- SetMacTestCertificate(cert);
- return true;
-#else
- return true;
-#endif
+ TestRootCerts* root_certs = TestRootCerts::GetInstance();
+ return root_certs->AddFromFile(GetRootCertificatePath());
}
bool TestServer::AddCommandLineArguments(CommandLine* command_line) const {
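Review bot: `LoadTestRootCert()` now returns the result of `AddFromFile()` with no diagnostic, so from what is visible a missing or unparsable root certificate makes `Start()` return false without saying why; the removed Windows `CheckCATrusted()` at least logged a configuration error. Unless `AddFromFile()` logs on its own (not visible here), add something like `LOG(ERROR) << "Could not load the test root certificate";` before returning false. The early-out for an already loaded cert is also gone, so the declaration comment in test_server.h ("Load the test root cert, if it hasn't been loaded yet.") no longer matches and could become `// Adds the test root certificate to TestRootCerts.`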
diff --git a/net/test/test_server.h b/net/test/test_server.h
index 4154302..9686aef 100644
--- a/net/test/test_server.h
+++ b/net/test/test_server.h
@@ -23,11 +23,6 @@
#include "base/scoped_handle_win.h"
#endif
-#if defined(USE_OPENSSL) || defined(USE_NSS)
-#include "base/ref_counted.h"
-#include "net/base/x509_certificate.h"
-#endif
-
class CommandLine;
class DictionaryValue;
class GURL;
@@ -156,9 +151,6 @@ class TestServer {
// Returns path to the root certificate.
FilePath GetRootCertificatePath();
- // Returns false if our test root certificate is not trusted.
- bool CheckCATrusted() WARN_UNUSED_RESULT;
-
// Load the test root cert, if it hasn't been loaded yet.
bool LoadTestRootCert() WARN_UNUSED_RESULT;
@@ -203,10 +195,6 @@ class TestServer {
// If |type_| is TYPE_HTTPS, the TLS settings to use for the test server.
HTTPSOptions https_options_;
-#if defined(USE_OPENSSL) || defined(USE_NSS)
- scoped_refptr<X509Certificate> cert_;
-#endif
-
Type type_;
// Has the server been started?
diff --git a/net/test/test_server_posix.cc b/net/test/test_server_posix.cc
index 43bdb10..d14561e 100644
--- a/net/test/test_server_posix.cc
+++ b/net/test/test_server_posix.cc
@@ -163,8 +163,4 @@ bool TestServer::WaitToStart() {
return true;
}
-bool TestServer::CheckCATrusted() {
- return true;
-}
-
} // namespace net
diff --git a/net/test/test_server_win.cc b/net/test/test_server_win.cc
index e1c54e9..e38d0bc 100644
--- a/net/test/test_server_win.cc
+++ b/net/test/test_server_win.cc
@@ -216,32 +216,4 @@ bool TestServer::WaitToStart() {
return true;
}
-bool TestServer::CheckCATrusted() {
- HCERTSTORE cert_store = CertOpenSystemStore(NULL, L"ROOT");
- if (!cert_store) {
- LOG(ERROR) << " could not open trusted root CA store";
- return false;
- }
- PCCERT_CONTEXT cert =
- CertFindCertificateInStore(cert_store,
- X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
- 0,
- CERT_FIND_ISSUER_STR,
- L"Test CA",
- NULL);
- if (cert)
- CertFreeCertificateContext(cert);
- CertCloseStore(cert_store, 0);
-
- if (!cert) {
- LOG(ERROR) << " TEST CONFIGURATION ERROR: you need to import the test ca "
- "certificate to your trusted roots for this test to work. "
- "For more info visit:\n"
- "http://dev.chromium.org/developers/testing\n";
- return false;
- }
-
- return true;
-}
-
} // namespace net