Implement LoadTemporaryRoot for Windows

net/base/test_root_certs_win.cc

Index: net/base/test_root_certs_win.cc
diff --git a/net/base/test_root_certs_win.cc b/net/base/test_root_certs_win.cc
new file mode 100644
index 0000000000000000000000000000000000000000..9a9c409ab1d8eb9c423e47e3de4fc5899f56261f
--- /dev/null
+++ b/net/base/test_root_certs_win.cc
@@ -0,0 +1,128 @@
+// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/base/test_root_certs.h"
+
+#include "base/logging.h"
+#include "net/base/x509_certificate.h"
+
+namespace net {
+
+namespace {
+
+// Creates a new temporary memory store.
+HCERTSTORE CreateMemoryStore() {
+  return CertOpenStore(CERT_STORE_PROV_MEMORY, 0, NULL,
+                       CERT_STORE_DEFER_CLOSE_UNTIL_LAST_FREE_FLAG, NULL);
+}
+
+}  // namespace
+
+bool TestRootCerts::Add(X509Certificate* certificate) {
+  BOOL ok = CertAddCertificateContextToStore(
+      temporary_roots_, certificate->os_cert_handle(),
+      CERT_STORE_ADD_NEW, NULL);
+  if (!ok) {
+    // If the certificate is already added, return successfully.
+    return GetLastError() == CRYPT_E_EXISTS;
+  }
+
+  empty_ = false;
+  return true;
+}
+
+void TestRootCerts::Clear() {
+  CertCloseStore(temporary_roots_, 0);
+  temporary_roots_ = CreateMemoryStore();
+  DCHECK(temporary_roots_);
+  empty_ = true;
+}
+
+bool TestRootCerts::IsEmpty() const {
+  return empty_;
+}
+
+void TestRootCerts::FixupChainContext(
+    PCERT_CHAIN_CONTEXT chain_context) const {
+  if ((chain_context->TrustStatus.dwErrorStatus &
+       CERT_TRUST_IS_UNTRUSTED_ROOT) == 0)
+    return;  // Trusted certificate - nothing to fix.
+
+  if (IsEmpty())
+    return;  // No need to scan - no temporary trusted certificates.
+
+  // Until Windows 7, it is not possible for an application to mark
+  // certificates as trusted for only that application, via the
+  // CERT_CHAIN_ENGINE_CONFIG.hExclusiveRoot. Because of this deficiency,
+  // a method similar to the one employed by Outlook and EFS is used, as
+  // described at http://technet.microsoft.com/en-us/library/bb457027.aspx
+  // Unlike the behaviour of Outlook, EFS, and the PeerOrChainTrustValidator
+  // of Windows Communication Foundation, an attempt is made to build a full
+  // certificate chain, rather than merely checking for the presence of the
+  // target certificate in an application-trusted store. If the chain
+  // verification fails due to trust issues, then the individual chains and
+  // certificates are compared with |temporary_roots_|. If a matching
+  // certificate can be found, then the trust-related failure status bits
+  // are unset, causing the certificate to appear as trusted, provided there
+  // were no other verification failures.
+  //
+  // Because of how CryptoAPI is implemented, it is not possible to perform
+  // revocation checking via CRLs or OCSP for a certificate that does not
+  // chain to a certificate in "Trusted Roots", so it is not possible to
+  // test revocation checking. More information about this can be found at
+  // http://technet.microsoft.com/en-us/library/ee619754(WS.10).aspx#BKMK_BC
+  for (DWORD chain_index = 0; chain_index < chain_context->cChain;
+       ++chain_index) {
+    PCERT_SIMPLE_CHAIN chain = chain_context->rgpChain[chain_index];
+
+    // Scan through all the certificates, rather than just the root, to match
+    // Windows' behaviour of supporting trust anchors anywhere in the chain,
+    // as described in RFCs 3280/5280.
+    for (DWORD element_index = 0; element_index < chain->cElement;
+         ++element_index) {
+      PCERT_CHAIN_ELEMENT element = chain->rgpElement[element_index];
+      PCCERT_CONTEXT cert = CertFindCertificateInStore(
+          temporary_roots_, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0,
+          CERT_FIND_EXISTING, element->pCertContext, NULL);
+      if (cert != NULL) {
+        // Successfully matched a certificate in one of the chains with a
+        // certificate in |temporary_roots_|.
+        CertFreeCertificateContext(cert);
+
+        // Unset both the element status and the overall chain status. While
+        // X509Certificate only checks the TrustStatus of the chain_context,
+        // the individual chain and element TrustStatuses are also modified
+        // for subsequent CryptoAPI calls.
+        if (element->TrustStatus.dwErrorStatus &
+            CERT_TRUST_IS_UNTRUSTED_ROOT) {
+          element->TrustStatus.dwErrorStatus &=
+              ~(CERT_TRUST_IS_UNTRUSTED_ROOT |
+                CERT_TRUST_REVOCATION_STATUS_UNKNOWN |
+                CERT_TRUST_IS_OFFLINE_REVOCATION);
+          chain->TrustStatus.dwErrorStatus &=
+              ~(CERT_TRUST_IS_UNTRUSTED_ROOT |
+                CERT_TRUST_REVOCATION_STATUS_UNKNOWN |
+                CERT_TRUST_IS_OFFLINE_REVOCATION);
+          chain_context->TrustStatus.dwErrorStatus &=
+              ~(CERT_TRUST_IS_UNTRUSTED_ROOT |
+                CERT_TRUST_REVOCATION_STATUS_UNKNOWN |
+                CERT_TRUST_IS_OFFLINE_REVOCATION);
+          return;
+        }
+      }
+    }
+  }
+}
+
+TestRootCerts::TestRootCerts()
+    : temporary_roots_(CreateMemoryStore()),
+      empty_(true) {
+  DCHECK(temporary_roots_);
+}
+
+TestRootCerts::~TestRootCerts() {
+  CertCloseStore(temporary_roots_, 0);
+}
+
+}  // namespace net