Implement LoadTemporaryRoot for Windows

net/base/temporary_root_certs_openssl.cc

Index: net/base/temporary_root_certs_openssl.cc
diff --git a/net/base/temporary_root_certs_openssl.cc b/net/base/temporary_root_certs_openssl.cc
new file mode 100644
index 0000000000000000000000000000000000000000..3f91a01fc026e5e0f94dff99fcf54c7f660700da
--- /dev/null
+++ b/net/base/temporary_root_certs_openssl.cc
@@ -0,0 +1,47 @@
+// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/base/temporary_root_certs.h"
+
+#include <openssl/err.h>
+#include <openssl/x509v3.h>
+
+#include "base/logging.h"
+#include "net/base/openssl_util.h"
+#include "net/base/x509_certificate.h"
+
+namespace net {
+
+bool TemporaryRootCerts::Add(X509Certificate* certificate) {
+  OpenSSLInitSingleton* openssl_init = GetOpenSSLInitSingleton();
+
+  if (!X509_STORE_add_cert(openssl_init->x509_store(),

[joth, 2010/11/17 10:37:02]

note this will now need to be
X509_STORE_add_cert(X509Certificate::cert_store(),

+                           certificate->os_cert_handle())) {
+    unsigned long error_code = ERR_get_error();
+    if (ERR_GET_LIB(error_code) != ERR_LIB_X509 ||
+        ERR_GET_REASON(error_code) != X509_R_CERT_ALREADY_IN_HASH_TABLE) {
+      do {
+        LOG(ERROR) << "X509_STORE_add_cert error: " << error_code;
+      } while ((error_code = ERR_get_error()) != 0);
+      return false;
+    }
+  }
+
+  return true;
+}
+
+void TemporaryRootCerts::Remove(X509Certificate* certificate) {
+  // TODO(rsleevi): With OpenSSL, there is no good public means to
+  // remove a certificate from an X509_STORE. Either we implement a custom
+  // X509_LOOKUP_METHOD, which means implementing a whole host of search
+  // options, or we go directly against the X509_STORE.objs member iterate
+  // through for the desired object, and then sk_X509_OBJECT_delete[_ptr].
+  // Either way seems messy for something intended as a temporary test utility.

[bulach, 2010/11/09 16:21:09]

maybe:
LOG(WARNING) << "OpenSSL doesn't support removing temporary certs";

it may be helpful if we ever really rely on this on new tests in the future.

[joth, 2010/11/17 10:37:02]

Would it help if we added something of a 'test mode' into
X509Certificate::Verify that allows you to inject a STACK_OF(X509) which is then
used rather than a X509_STORE i.e. using X509_STORE_CTX_trusted_stack?
A STACK_OF(X509) looks simpler to manipulate.

This would mean in test code (once 1 or more test certs are added) we will only
verify against those certs, and we exercise an ever so slightly different path
to in production, which is unfortunate but at least means the test cert store is
fully under the test code's control.

+}
+
+TemporaryRootCerts::TemporaryRootCerts() {}
+
+TemporaryRootCerts::~TemporaryRootCerts() {}
+
+}  // namespace net