OLD | NEW |
---|---|
(Empty) | |
1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "net/base/test_root_certs.h" | |
6 | |
7 #include "base/logging.h" | |
8 #include "net/base/x509_certificate.h" | |
9 | |
10 namespace net { | |
11 | |
12 namespace { | |
13 | |
14 // Creates a new temporary memory store. | |
15 HCERTSTORE CreateMemoryStore() { | |
16 return CertOpenStore(CERT_STORE_PROV_MEMORY, 0, NULL, | |
17 CERT_STORE_DEFER_CLOSE_UNTIL_LAST_FREE_FLAG, NULL); | |
18 } | |
19 | |
20 } // namespace | |
21 | |
22 bool TestRootCerts::Add(X509Certificate* certificate) { | |
23 BOOL ok = CertAddCertificateContextToStore( | |
24 temporary_roots_, certificate->os_cert_handle(), | |
25 CERT_STORE_ADD_NEW, NULL); | |
26 if (!ok) { | |
27 // If the certificate is already added, return successfully. | |
28 return GetLastError() == CRYPT_E_EXISTS; | |
29 } | |
30 | |
31 empty_ = false; | |
32 return true; | |
33 } | |
34 | |
35 void TestRootCerts::Clear() { | |
36 CertCloseStore(temporary_roots_, 0); | |
37 temporary_roots_ = CreateMemoryStore(); | |
38 DCHECK(temporary_roots_); | |
39 empty_ = true; | |
40 } | |
41 | |
42 bool TestRootCerts::IsEmpty() const { | |
43 return empty_; | |
44 } | |
45 | |
46 void TestRootCerts::UpdateChainContext( | |
47 PCERT_CHAIN_CONTEXT chain_context) const { | |
48 if ((chain_context->TrustStatus.dwErrorStatus & | |
49 CERT_TRUST_IS_UNTRUSTED_ROOT) == 0) | |
50 return; // Trusted certificate - nothing to fix. | |
51 | |
52 if (IsEmpty()) | |
53 return; // No need to scan - no temporary trusted certificates. | |
54 | |
55 // Windows does not support application-level trusts until Win 7, via | |
56 // CERT_CHAIN_ENGINE_CONFIG.hExclusiveRoot. Because of this, a messy, | |
57 // manual, brute-force method is used for unit tests. Look through every | |
wtc
2010/11/17 19:44:39
Could you please add a short version of your descr
Ryan Sleevi
2010/11/18 05:31:58
Sure. There are still differences in how we're doi
| |
58 // chain on |chain_context|, looking for a chain which contains one of the | |
59 // trusted certificates. If a matching certificate is found, unset the | |
60 // three status-bits that Windows sets when an untrusted root is found. | |
61 // Any other failure states are left unmodified, so that situations like | |
62 // name or date mismatches are properly reported. | |
63 for (DWORD chain_index = 0; chain_index < chain_context->cChain; | |
64 ++chain_index) { | |
65 PCERT_SIMPLE_CHAIN chain = chain_context->rgpChain[chain_index]; | |
66 // Scan through all the certificates, rather than just the root, since | |
67 // an RFC 3280/5280 trust anchor may be any certificate in the chain, not | |
68 // just the root certificate. | |
69 for (DWORD element_index = 0; element_index < chain->cElement; | |
70 ++element_index) { | |
71 PCERT_CHAIN_ELEMENT element = chain->rgpElement[element_index]; | |
72 PCCERT_CONTEXT cert = CertFindCertificateInStore( | |
73 temporary_roots_, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0, | |
74 CERT_FIND_EXISTING, element->pCertContext, NULL); | |
75 if (cert != NULL) { | |
76 // Successfully located the certificate in the temporary roots. | |
77 // Free the returned certificate - it is not used. | |
78 CertFreeCertificateContext(cert); | |
79 | |
80 // Unset both the element status and the overall chain status, in the | |
81 // event a Windows function drills down into the chain results. | |
82 if (element->TrustStatus.dwErrorStatus & | |
83 CERT_TRUST_IS_UNTRUSTED_ROOT) { | |
84 element->TrustStatus.dwErrorStatus &= | |
85 ~(CERT_TRUST_IS_UNTRUSTED_ROOT | | |
86 CERT_TRUST_REVOCATION_STATUS_UNKNOWN | | |
wtc
2010/11/17 19:44:39
Two comments about the revocation error flags.
1.
Ryan Sleevi
2010/11/18 05:31:58
No, I believe the issue is directly related to the
| |
87 CERT_TRUST_IS_OFFLINE_REVOCATION); | |
88 chain_context->TrustStatus.dwErrorStatus &= | |
89 ~(CERT_TRUST_IS_UNTRUSTED_ROOT | | |
90 CERT_TRUST_REVOCATION_STATUS_UNKNOWN | | |
91 CERT_TRUST_IS_OFFLINE_REVOCATION); | |
92 return; | |
93 } | |
94 } | |
95 } | |
96 } | |
97 } | |
98 | |
99 TestRootCerts::TestRootCerts() | |
100 : temporary_roots_(CreateMemoryStore()), | |
101 empty_(true) { | |
102 DCHECK(temporary_roots_); | |
103 } | |
104 | |
105 TestRootCerts::~TestRootCerts() { | |
106 CertCloseStore(temporary_roots_, 0); | |
107 } | |
108 | |
109 } // namespace net | |
OLD | NEW |