| OLD | NEW |
|---|
| (Empty) |
| 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include "net/base/test_root_certs.h" | |
| 6 | |
| 7 #include <cert.h> | |
| 8 | |
| 9 #include "base/logging.h" | |
| 10 #include "base/stl_util.h" | |
| 11 #include "crypto/nss_util.h" | |
| 12 #include "net/base/x509_certificate.h" | |
| 13 | |
| 14 #if defined(OS_IOS) | |
| 15 #include "net/base/x509_util_ios.h" | |
| 16 #endif | |
| 17 | |
| 18 namespace net { | |
| 19 | |
| 20 // TrustEntry is used to store the original CERTCertificate and CERTCertTrust | |
| 21 // for a certificate whose trust status has been changed by the | |
| 22 // TestRootCerts. | |
| 23 class TestRootCerts::TrustEntry { | |
| 24 public: | |
| 25 // Creates a new TrustEntry by incrementing the reference to |certificate| | |
| 26 // and copying |trust|. | |
| 27 TrustEntry(CERTCertificate* certificate, const CERTCertTrust& trust); | |
| 28 ~TrustEntry(); | |
| 29 | |
| 30 CERTCertificate* certificate() const { return certificate_; } | |
| 31 const CERTCertTrust& trust() const { return trust_; } | |
| 32 | |
| 33 private: | |
| 34 // The temporary root certificate. | |
| 35 CERTCertificate* certificate_; | |
| 36 | |
| 37 // The original trust settings, before |certificate_| was manipulated to | |
| 38 // be a temporarily trusted root. | |
| 39 CERTCertTrust trust_; | |
| 40 | |
| 41 DISALLOW_COPY_AND_ASSIGN(TrustEntry); | |
| 42 }; | |
| 43 | |
| 44 TestRootCerts::TrustEntry::TrustEntry(CERTCertificate* certificate, | |
| 45 const CERTCertTrust& trust) | |
| 46 : certificate_(CERT_DupCertificate(certificate)), | |
| 47 trust_(trust) { | |
| 48 } | |
| 49 | |
| 50 TestRootCerts::TrustEntry::~TrustEntry() { | |
| 51 CERT_DestroyCertificate(certificate_); | |
| 52 } | |
| 53 | |
| 54 bool TestRootCerts::Add(X509Certificate* certificate) { | |
| 55 #if defined(OS_IOS) | |
| 56 x509_util_ios::NSSCertificate nss_certificate(certificate->os_cert_handle()); | |
| 57 CERTCertificate* cert_handle = nss_certificate.cert_handle(); | |
| 58 #else | |
| 59 CERTCertificate* cert_handle = certificate->os_cert_handle(); | |
| 60 #endif | |
| 61 // Preserve the original trust bits so that they can be restored when | |
| 62 // the certificate is removed. | |
| 63 CERTCertTrust original_trust; | |
| 64 SECStatus rv = CERT_GetCertTrust(cert_handle, &original_trust); | |
| 65 if (rv != SECSuccess) { | |
| 66 // CERT_GetCertTrust will fail if the certificate does not have any | |
| 67 // particular trust settings associated with it, and attempts to use | |
| 68 // |original_trust| later to restore the original trust settings will not | |
| 69 // cause the trust settings to be revoked. If the certificate has no | |
| 70 // particular trust settings associated with it, mark the certificate as | |
| 71 // a valid CA certificate with no specific trust. | |
| 72 rv = CERT_DecodeTrustString(&original_trust, "c,c,c"); | |
| 73 } | |
| 74 | |
| 75 // Change the trust bits to unconditionally trust this certificate. | |
| 76 CERTCertTrust new_trust; | |
| 77 rv = CERT_DecodeTrustString(&new_trust, "TCu,Cu,Tu"); | |
| 78 if (rv != SECSuccess) { | |
| 79 LOG(ERROR) << "Cannot decode certificate trust string."; | |
| 80 return false; | |
| 81 } | |
| 82 | |
| 83 rv = CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), cert_handle, &new_trust); | |
| 84 if (rv != SECSuccess) { | |
| 85 LOG(ERROR) << "Cannot change certificate trust."; | |
| 86 return false; | |
| 87 } | |
| 88 | |
| 89 trust_cache_.push_back(new TrustEntry(cert_handle, original_trust)); | |
| 90 return true; | |
| 91 } | |
| 92 | |
| 93 void TestRootCerts::Clear() { | |
| 94 // Restore the certificate trusts to what they were originally, before | |
| 95 // Add() was called. Work from the rear first, since if a certificate was | |
| 96 // added twice, the second entry's original trust status will be that of | |
| 97 // the first entry, while the first entry contains the desired resultant | |
| 98 // status. | |
| 99 for (std::list<TrustEntry*>::reverse_iterator it = trust_cache_.rbegin(); | |
| 100 it != trust_cache_.rend(); ++it) { | |
| 101 CERTCertTrust original_trust = (*it)->trust(); | |
| 102 SECStatus rv = CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), | |
| 103 (*it)->certificate(), | |
| 104 &original_trust); | |
| 105 // DCHECK(), rather than LOG(), as a failure to restore the original | |
| 106 // trust can cause flake or hard-to-trace errors in any unit tests that | |
| 107 // occur after Clear() has been called. | |
| 108 DCHECK_EQ(SECSuccess, rv) << "Cannot restore certificate trust."; | |
| 109 } | |
| 110 STLDeleteElements(&trust_cache_); | |
| 111 } | |
| 112 | |
| 113 bool TestRootCerts::IsEmpty() const { | |
| 114 return trust_cache_.empty(); | |
| 115 } | |
| 116 | |
| 117 TestRootCerts::~TestRootCerts() { | |
| 118 Clear(); | |
| 119 } | |
| 120 | |
| 121 void TestRootCerts::Init() { | |
| 122 crypto::EnsureNSSInit(); | |
| 123 } | |
| 124 | |
| 125 } // namespace net | |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 13006020:
net: extract net/cert out of net/base (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src