OLD | NEW |
---|---|
(Empty) | |
1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "net/base/test_root_certs.h" | |
6 | |
7 #include <cert.h> | |
8 | |
9 #include "base/logging.h" | |
10 #include "base/nss_util.h" | |
11 #include "base/stl_util-inl.h" | |
12 #include "net/base/x509_certificate.h" | |
13 | |
14 namespace net { | |
15 | |
16 // TestEntry is used to store the original CERTCertificate and CERTCertTrust | |
17 // for a certificate whose trust status has been changed by the | |
18 // TestRootCerts. | |
19 class TestRootCerts::TrustEntry { | |
20 public: | |
21 // Creates a new TrustEntry by incrementing the reference to |certificate| | |
22 // and copying |trust|. | |
23 TrustEntry(CERTCertificate* certificate, CERTCertTrust trust); | |
24 ~TrustEntry(); | |
25 | |
26 CERTCertificate* certificate() const { return certificate_; } | |
27 CERTCertTrust trust() const { return trust_; } | |
28 | |
29 private: | |
30 // The temporary root certificate. | |
31 CERTCertificate* certificate_; | |
32 | |
33 // The original trust settings, before |certificate_| was manipulated to | |
34 // be a temporarily trusted root. | |
35 CERTCertTrust trust_; | |
36 | |
37 DISALLOW_COPY_AND_ASSIGN(TrustEntry); | |
38 }; | |
39 | |
40 TestRootCerts::TrustEntry::TrustEntry(CERTCertificate* certificate, | |
41 CERTCertTrust trust) | |
42 : certificate_(CERT_DupCertificate(certificate)), | |
43 trust_(trust) { | |
44 } | |
45 | |
46 TestRootCerts::TrustEntry::~TrustEntry() { | |
47 CERT_DestroyCertificate(certificate_); | |
48 } | |
49 | |
50 bool TestRootCerts::Add(X509Certificate* certificate) { | |
51 // Preserve the original trust bits so that they can be restored when | |
52 // the certificate is removed. | |
53 CERTCertTrust original_trust; | |
54 SECStatus rv = CERT_GetCertTrust(certificate->os_cert_handle(), | |
55 &original_trust); | |
56 if (rv != SECSuccess) | |
57 rv = CERT_DecodeTrustString(&original_trust, "c,c,c"); | |
wtc
2010/11/23 00:30:11
Could you add a comment to explain what you're doi
| |
58 | |
59 // Change the trust bits to unconditionally trust this certificate. | |
60 CERTCertTrust new_trust; | |
61 rv = CERT_DecodeTrustString(&new_trust, "TCu,Cu,Tu"); | |
62 if (rv != SECSuccess) { | |
63 LOG(ERROR) << "Cannot decode certificate trust string."; | |
64 return false; | |
65 } | |
66 | |
67 rv = CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), | |
68 certificate->os_cert_handle(), | |
69 &new_trust); | |
70 if (rv != SECSuccess) { | |
71 LOG(ERROR) << "Cannot change certificate trust."; | |
72 return false; | |
73 } | |
74 | |
75 trust_cache_.push_back(new TrustEntry(certificate->os_cert_handle(), | |
76 original_trust)); | |
77 return true; | |
78 } | |
79 | |
80 void TestRootCerts::Clear() { | |
81 // Restore the certificate trusts to what they were originally, before | |
82 // Add() was called. Work from the rear first, since if a certificate was | |
83 // added twice, the second entry's original trust status will be that of | |
84 // the first entry, while the first entry contains the desired resultant | |
85 // status. | |
86 for (std::list<TrustEntry*>::reverse_iterator it = trust_cache_.rbegin(); | |
87 it != trust_cache_.rend(); ++it) { | |
88 CERTCertTrust original_trust = (*it)->trust(); | |
89 SECStatus rv = CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), | |
90 (*it)->certificate(), | |
91 &original_trust); | |
92 // DCHECK(), rather than LOG(), as a failure to restore the original | |
93 // trust can cause flake or hard-to-trace errors in any unit tests that | |
94 // occur after Clear() has been called. | |
95 DCHECK_EQ(SECSuccess, rv) << "Cannot restore certificate trust."; | |
96 } | |
97 STLDeleteElements(&trust_cache_); | |
98 } | |
99 | |
100 bool TestRootCerts::IsEmpty() const { | |
101 return trust_cache_.empty(); | |
102 } | |
103 | |
104 TestRootCerts::TestRootCerts() { | |
105 base::EnsureNSSInit(); | |
106 } | |
107 | |
108 TestRootCerts::~TestRootCerts() { | |
109 Clear(); | |
110 } | |
111 | |
112 } // namespace net | |
OLD | NEW |