Implement LoadTemporaryRoot for Windows

net/base/test_root_certs.h

+// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_BASE_TEST_ROOT_CERTS_H_
+#define NET_BASE_TEST_ROOT_CERTS_H_
+#pragma once
+
+#include "build/build_config.h"
+
+#include "base/singleton.h"

[wtc, 2010/11/18 02:12:49]

Nit: I believe brettw's recommendation is to simply include
"build/build_config.h" in alphabetical order.  Here we would
do:
  #include "base/singleton.h"
  #include "build/build_config.h"

+
+#if defined(OS_WIN)
+#include <windows.h>
+#include <wincrypt.h>
+#elif defined(OS_MACOSX)
+#include <CoreFoundation/CFArray.h>
+#include <Security/SecBase.h>
+#include "base/mac/scoped_cftyperef.h"
+#elif defined(USE_NSS)
+#include <list>
+#endif
+
+class FilePath;
+
+namespace net {
+
+class X509Certificate;
+
+// TestRootCerts is a helper class for unit tests that is used to
+// artificially mark a certificate as trusted, independent of the local
+// machine configuration.
+class TestRootCerts {
+ public:
+  // Obtains the Singleton instance to the trusted certificates.
+  static TestRootCerts* GetInstance();
+
+  // Marks |certificate| as trusted for X509Certificate::Verify(). Returns
+  // false if the certificate could not be marked trusted.
+  bool Add(X509Certificate* certificate);
+
+  // Reads a single certificate from |file| and marks it as trusted. Returns
+  // false if an error is encountered, such as being unable to read |file|
+  // or more than one certificate existing in |file|.
+  bool AddFromFile(const FilePath& file);
+
+  // Clears the trusted status of any certificates that were previously
+  // marked trusted via Add().
+  void Clear();
+
+  // Returns true if there are no certificates that have been marked trusted.
+  bool IsEmpty() const;
+
+#if defined(OS_MACOSX)
+  CFArrayRef temporary_roots() const { return temporary_roots_; }
+
+  // Overrides the anchor certificates of |trust_ref| to include the
+  // certificates stored in |temporary_roots_|.
+  OSStatus SetAnchorCertificates(SecTrustRef trust_ref) const;
+#elif defined(OS_WIN)
+  HCERTSTORE temporary_roots() const { return temporary_roots_; }
+
+  // Examines |chain_context| for trust failures resulting from an untrusted
+  // root. If such a failure is found, |temporary_roots_| is checked to see
+  // if it contains the offending certificate. If it does, |chain_context| is
+  // updated and the trust-related failures are removed.
+  void UpdateChainContext(PCERT_CHAIN_CONTEXT chain_context) const;

[wtc, 2010/11/18 02:12:49]

Nit: rename this method FixupChainContext.  "Update" is
not clear.

+#endif
+
+ private:
+  friend struct DefaultSingletonTraits<TestRootCerts>;
+
+  TestRootCerts();
+  ~TestRootCerts();
+
+#if defined(OS_MACOSX)
+  base::mac::ScopedCFTypeRef<CFMutableArrayRef> temporary_roots_;
+#elif defined(OS_WIN)
+  HCERTSTORE temporary_roots_;
+#elif defined(USE_NSS)
+  // It is necessary to maintain a cache of the original certificate trust
+  // settings, in order to restore them when Clear() is called.
+  class TrustEntry;
+  std::list<TrustEntry*> trust_cache_;
+#endif
+
+#if defined(OS_WIN) || defined(USE_OPENSSL)
+  // True if there are no temporarily trusted root certificates.
+  bool empty_;
+#endif
+
+  DISALLOW_COPY_AND_ASSIGN(TestRootCerts);
+};
+
+}  // namespace net
+
+#endif  // NET_BASE_TEST_ROOT_CERTS_H_