Index: net/base/test_root_certs_win.cc |
diff --git a/net/base/test_root_certs_win.cc b/net/base/test_root_certs_win.cc |
new file mode 100644 |
index 0000000000000000000000000000000000000000..4cbd10111fa53d94e3320f0000f03d18743f4abc |
--- /dev/null |
+++ b/net/base/test_root_certs_win.cc |
@@ -0,0 +1,109 @@ |
+// Copyright (c) 2010 The Chromium Authors. All rights reserved. |
+// Use of this source code is governed by a BSD-style license that can be |
+// found in the LICENSE file. |
+ |
+#include "net/base/test_root_certs.h" |
+ |
+#include "base/logging.h" |
+#include "net/base/x509_certificate.h" |
+ |
+namespace net { |
+ |
+namespace { |
+ |
+// Creates a new temporary memory store. |
+HCERTSTORE CreateMemoryStore() { |
+ return CertOpenStore(CERT_STORE_PROV_MEMORY, 0, NULL, |
+ CERT_STORE_DEFER_CLOSE_UNTIL_LAST_FREE_FLAG, NULL); |
+} |
+ |
+} // namespace |
+ |
+bool TestRootCerts::Add(X509Certificate* certificate) { |
+ BOOL ok = CertAddCertificateContextToStore( |
+ temporary_roots_, certificate->os_cert_handle(), |
+ CERT_STORE_ADD_NEW, NULL); |
+ if (!ok) { |
+ // If the certificate is already added, return successfully. |
+ return GetLastError() == CRYPT_E_EXISTS; |
+ } |
+ |
+ empty_ = false; |
+ return true; |
+} |
+ |
+void TestRootCerts::Clear() { |
+ CertCloseStore(temporary_roots_, 0); |
+ temporary_roots_ = CreateMemoryStore(); |
+ DCHECK(temporary_roots_); |
+ empty_ = true; |
+} |
+ |
+bool TestRootCerts::IsEmpty() const { |
+ return empty_; |
+} |
+ |
+void TestRootCerts::UpdateChainContext( |
+ PCERT_CHAIN_CONTEXT chain_context) const { |
+ if ((chain_context->TrustStatus.dwErrorStatus & |
+ CERT_TRUST_IS_UNTRUSTED_ROOT) == 0) |
+ return; // Trusted certificate - nothing to fix. |
+ |
+ if (IsEmpty()) |
+ return; // No need to scan - no temporary trusted certificates. |
+ |
+ // Windows does not support application-level trusts until Win 7, via |
+ // CERT_CHAIN_ENGINE_CONFIG.hExclusiveRoot. Because of this, a messy, |
+ // manual, brute-force method is used for unit tests. Look through every |
wtc
2010/11/17 19:44:39
Could you please add a short version of your descr
Ryan Sleevi
2010/11/18 05:31:58
Sure. There are still differences in how we're doi
|
+ // chain on |chain_context|, looking for a chain which contains one of the |
+ // trusted certificates. If a matching certificate is found, unset the |
+ // three status-bits that Windows sets when an untrusted root is found. |
+ // Any other failure states are left unmodified, so that situations like |
+ // name or date mismatches are properly reported. |
+ for (DWORD chain_index = 0; chain_index < chain_context->cChain; |
+ ++chain_index) { |
+ PCERT_SIMPLE_CHAIN chain = chain_context->rgpChain[chain_index]; |
+ // Scan through all the certificates, rather than just the root, since |
+ // an RFC 3280/5280 trust anchor may be any certificate in the chain, not |
+ // just the root certificate. |
+ for (DWORD element_index = 0; element_index < chain->cElement; |
+ ++element_index) { |
+ PCERT_CHAIN_ELEMENT element = chain->rgpElement[element_index]; |
+ PCCERT_CONTEXT cert = CertFindCertificateInStore( |
+ temporary_roots_, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0, |
+ CERT_FIND_EXISTING, element->pCertContext, NULL); |
+ if (cert != NULL) { |
+ // Successfully located the certificate in the temporary roots. |
+ // Free the returned certificate - it is not used. |
+ CertFreeCertificateContext(cert); |
+ |
+ // Unset both the element status and the overall chain status, in the |
+ // event a Windows function drills down into the chain results. |
+ if (element->TrustStatus.dwErrorStatus & |
+ CERT_TRUST_IS_UNTRUSTED_ROOT) { |
+ element->TrustStatus.dwErrorStatus &= |
+ ~(CERT_TRUST_IS_UNTRUSTED_ROOT | |
+ CERT_TRUST_REVOCATION_STATUS_UNKNOWN | |
wtc
2010/11/17 19:44:39
Two comments about the revocation error flags.
1.
Ryan Sleevi
2010/11/18 05:31:58
No, I believe the issue is directly related to the
|
+ CERT_TRUST_IS_OFFLINE_REVOCATION); |
+ chain_context->TrustStatus.dwErrorStatus &= |
+ ~(CERT_TRUST_IS_UNTRUSTED_ROOT | |
+ CERT_TRUST_REVOCATION_STATUS_UNKNOWN | |
+ CERT_TRUST_IS_OFFLINE_REVOCATION); |
+ return; |
+ } |
+ } |
+ } |
+ } |
+} |
+ |
+TestRootCerts::TestRootCerts() |
+ : temporary_roots_(CreateMemoryStore()), |
+ empty_(true) { |
+ DCHECK(temporary_roots_); |
+} |
+ |
+TestRootCerts::~TestRootCerts() { |
+ CertCloseStore(temporary_roots_, 0); |
+} |
+ |
+} // namespace net |