Implement LoadTemporaryRoot for Windows

net/base/x509_certificate_win.cc

 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/x509_certificate.h"
 
+#include "base/crypto/scoped_capi_types.h"
 #include "base/logging.h"
 #include "base/pickle.h"
 #include "base/string_tokenizer.h"
 #include "base/string_util.h"
 #include "base/utf_string_conversions.h"
 #include "net/base/cert_status_flags.h"
 #include "net/base/cert_verify_result.h"
 #include "net/base/ev_root_ca_metadata.h"
 #include "net/base/net_errors.h"
 #include "net/base/scoped_cert_chain_context.h"
+#include "net/base/test_root_certs.h"
 
 #pragma comment(lib, "crypt32.lib")
 
 using base::Time;
 
 namespace net {
 
 namespace {
 
+typedef base::ScopedCAPIHandle<
+    HCERTSTORE,
+    base::CAPIDestroyerWithFlags<HCERTSTORE,
+                                 CertCloseStore, 0> > ScopedHCERTSTORE;
+
 //-----------------------------------------------------------------------------
 
 // TODO(wtc): This is a copy of the MapSecurityError function in
 // ssl_client_socket_win.cc.  Another function that maps Windows error codes
 // to our network error codes is WinInetUtil::OSErrorToNetError.  We should
 // eliminate the code duplication.
 int MapSecurityError(SECURITY_STATUS err) {
   // There are numerous security error codes, but these are the ones we thus
   // far find interesting.
   switch (err) {
@@ skipping 385 matching lines @@
                         &out_store, NULL, NULL) || out_store == NULL) {
     return results;
   }
 
   AddCertsFromStore(out_store, &results);
   CertCloseStore(out_store, CERT_CLOSE_STORE_CHECK_FLAG);
 
   return results;
 }
 
+// Returns a new HCERTSTORE containing both |cert_store| and any temporarily
+// trusted root certificates. If there are no temporarily trusted root
+// certificates, returns NULL.
+HCERTSTORE CreateStoreForTestsIfNeeded(HCERTSTORE cert_store) {
+  TestRootCerts* temporary_roots = TestRootCerts::GetInstance();
+  if (temporary_roots->IsEmpty())
+    return NULL;
+  if (!cert_store) {
+    // If |cert_store| is empty, just return a copy of the temporary store,
+    // as no merging is needed.
+    return CertDuplicateStore(temporary_roots->temporary_roots());
+  }
+
+  HCERTSTORE collection_store = CertOpenStore(CERT_STORE_PROV_COLLECTION, 0,
+                                              NULL, 0, NULL);
+  if (!collection_store) {
+    DPLOG(ERROR) << "Unable to create temporary linked certificate store";
+    return NULL;
+  }
+
+  // Add the temporary roots with priority 0, so that certificates from the
+  // temporary roots will be of a higher priority for chain building. If
+  // set to a lower priority, it is possible that the chain building
+  // algorithm will prefer a root from |cert_store|, which may be a
+  // compatible-but-different certificate than the one in
+  // |temporary_roots|. If this happens, FixupChainContext() may fail to
+  // override the trust failure.
+  BOOL ok = CertAddStoreToCollection(collection_store,
+                                     temporary_roots->temporary_roots(),
+                                     0, 0);
+  if (ok)
+    ok = CertAddStoreToCollection(collection_store, cert_store, 0, 1);
+  if (!ok) {
+    DPLOG(ERROR) << "Unable to create temporary linked certificate store";
+    CertCloseStore(collection_store, 0);
+    return NULL;
+  }
+
+  return collection_store;
+}
+
 }  // namespace
 
 void X509Certificate::Initialize() {
   std::wstring subject_info;
   std::wstring issuer_info;
   DWORD name_size;
   DCHECK(cert_handle_);
   name_size = CertNameToStr(cert_handle_->dwCertEncodingType,
                             &cert_handle_->pCertInfo->Subject,
                             CERT_X500_NAME_STR | CERT_NAME_STR_CRLF_FLAG,
@@ skipping 157 matching lines @@
           chain_para.RequestedIssuancePolicy.dwType = USAGE_MATCH_TYPE_AND;
           chain_para.RequestedIssuancePolicy.Usage.cUsageIdentifier = 1;
           chain_para.RequestedIssuancePolicy.Usage.rgpszUsageIdentifier =
               &ev_policy_oid;
           break;
         }
       }
     }
   }
 
+  ScopedHCERTSTORE scoped_test_store(
+      CreateStoreForTestsIfNeeded(cert_handle_->hCertStore));
+  HCERTSTORE intermediates_store = scoped_test_store ?
+      scoped_test_store : cert_handle_->hCertStore;
+
   PCCERT_CHAIN_CONTEXT chain_context;
   // IE passes a non-NULL pTime argument that specifies the current system
   // time.  IE passes CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT as the
   // chain_flags argument.
+  // TODO(rsleevi): Add support for Windows 7's hExclusiveRoot to work around
+  // the issues described in TestRootCerts.
   if (!CertGetCertificateChain(
            NULL,  // default chain engine, HCCE_CURRENT_USER
            cert_handle_,
            NULL,  // current system time
-           cert_handle_->hCertStore,  // search this store
+           intermediates_store,
            &chain_para,
            chain_flags,
            NULL,  // reserved
            &chain_context)) {
     return MapSecurityError(GetLastError());
   }
   if (chain_context->TrustStatus.dwErrorStatus &
       CERT_TRUST_IS_NOT_VALID_FOR_USAGE) {
     ev_policy_oid = NULL;
     chain_para.RequestedIssuancePolicy.Usage.cUsageIdentifier = 0;
     chain_para.RequestedIssuancePolicy.Usage.rgpszUsageIdentifier = NULL;
     CertFreeCertificateChain(chain_context);
     if (!CertGetCertificateChain(
              NULL,  // default chain engine, HCCE_CURRENT_USER
              cert_handle_,
              NULL,  // current system time
-             cert_handle_->hCertStore,  // search this store
+             intermediates_store,
              &chain_para,
              chain_flags,
              NULL,  // reserved
              &chain_context)) {
       return MapSecurityError(GetLastError());
     }
   }
   ScopedCertChainContext scoped_chain_context(chain_context);
 
+  TestRootCerts* root_certs = TestRootCerts::GetInstance();

[bulach, 2010/11/18 12:42:12]

nit: test_root_certs, and similar comment to the mac side about instantiating
this only in test code.

+  root_certs->FixupChainContext(
+      const_cast<PCERT_CHAIN_CONTEXT>(chain_context));
+
   GetCertChainInfo(chain_context, verify_result);
-
   verify_result->cert_status |= MapCertChainErrorStatusToCertStatus(
       chain_context->TrustStatus.dwErrorStatus);
 
   // Treat certificates signed using broken signature algorithms as invalid.
   if (verify_result->has_md4)
     verify_result->cert_status |= CERT_STATUS_INVALID;
 
   // Flag certificates signed using weak signature algorithms.
   if (verify_result->has_md2)
     verify_result->cert_status |= CERT_STATUS_WEAK_SIGNATURE_ALGORITHM;
@@ skipping 201 matching lines @@
   DWORD sha1_size = sizeof(sha1.data);
   rv = CryptHashCertificate(NULL, CALG_SHA1, 0, cert->pbCertEncoded,
                             cert->cbCertEncoded, sha1.data, &sha1_size);
   DCHECK(rv && sha1_size == sizeof(sha1.data));
   if (!rv)
     memset(sha1.data, 0, sizeof(sha1.data));
   return sha1;
 }
 
 }  // namespace net