Added a PolicyCertVerifier that uses the trust anchors from the ONC policies.

chrome/browser/chromeos/policy/policy_cert_verifier.cc

Index: chrome/browser/chromeos/policy/policy_cert_verifier.cc
diff --git a/chrome/browser/chromeos/policy/policy_cert_verifier.cc b/chrome/browser/chromeos/policy/policy_cert_verifier.cc
new file mode 100644
index 0000000000000000000000000000000000000000..313bfd5d15612e9678ac7a1fb6ae0020873a954d
--- /dev/null
+++ b/chrome/browser/chromeos/policy/policy_cert_verifier.cc
@@ -0,0 +1,89 @@
+// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/browser/chromeos/policy/policy_cert_verifier.h"
+
+#include "base/logging.h"
+#include "base/prefs/pref_service.h"
+#include "chrome/browser/browser_process.h"
+#include "chrome/browser/profiles/profile.h"
+#include "chrome/browser/profiles/profile_manager.h"
+#include "chrome/common/pref_names.h"
+#include "content/public/browser/browser_thread.h"
+#include "net/base/cert_verify_proc.h"
+#include "net/base/multi_threaded_cert_verifier.h"
+#include "net/base/net_errors.h"
+
+namespace policy {
+
+namespace {
+
+void TaintProfile(void* profile_ptr) {
+  Profile* profile = reinterpret_cast<Profile*>(profile_ptr);
+  if (!g_browser_process->profile_manager()->IsValidProfile(profile))
+    return;
+  profile->GetPrefs()->SetBoolean(prefs::kUsedPolicyCertificatesOnce, true);
+}
+
+void MaybeTaintProfile(const net::CertVerifyResult& verify_result,
+                       void* profile) {
+  DCHECK(content::BrowserThread::CurrentlyOn(content::BrowserThread::IO));
+  if (verify_result.is_issued_by_additional_trust_anchor) {
+    content::BrowserThread::PostTask(content::BrowserThread::UI, FROM_HERE,
+                                     base::Bind(&TaintProfile, profile));

[Ryan Sleevi, 2013/03/25 21:09:53]

I have no clue if this is (thread) safe, but it surprises me if it is.

[Joao da Silva, 2013/03/31 19:22:14]

I'm not sure what it is that you're unsure about here; I guess it's the profile
pointer?

This is the same pattern that ProfileIOData uses;
ProfileManager::IsValidProfile() exists to support it. In theory the pointer
could point to a new Profile that just happened to be allocated at the same
address as the old Profile; in practice Profiles are never deleted before
shutdown. I'd like to have a better way to pass around a handle to a Profile to
different threads (maybe get a WeakPtr?), but this is what we have for now.

Or maybe you meant something else? :-)

[Ryan Sleevi, 2013/04/02 19:16:06]

It was concern about profile deletion, yes. If the profile was deleted on the UI
thread while the IO thread was running, and then it re-posts the (now dead)
profile to the UI thread for handling.

I've luckily stayed away from profiles, but it looks like IsValidProfile() does
indeed specifically handle this - as long as the pointer is not reused.

+  }
+}
+
+void CallbackWrapper(void* profile,
+                     const net::CertVerifyResult* verify_result,
+                     const net::CompletionCallback& callback,
+                     int error) {
+  DCHECK(content::BrowserThread::CurrentlyOn(content::BrowserThread::IO));
+  if (error == net::OK)
+    MaybeTaintProfile(*verify_result, profile);
+  if (!callback.is_null())
+    callback.Run(error);

[Ryan Sleevi, 2013/03/25 21:09:53]

nit: naming could be better
nit: Isn't an error to supply a null callback to a CertVerifier?

[Joao da Silva, 2013/03/31 19:22:14]

Renamed to |original_callback|.
That's what's documented, but MultiThreadedCertVerifier supports it (see
CertVerifierRequest::Post). Since this wraps a MTCV I think it should support it
as well, even though the interface doesn't allow it.

+}
+
+}  // namespace
+
+PolicyCertVerifier::PolicyCertVerifier(
+    void* profile,
+    net::CertTrustAnchorProvider* trust_anchor_provider)
+    : profile_(profile) {
+  DCHECK(content::BrowserThread::CurrentlyOn(content::BrowserThread::IO));
+  net::MultiThreadedCertVerifier* verifier =
+      new net::MultiThreadedCertVerifier(net::CertVerifyProc::CreateDefault());

[Ryan Sleevi, 2013/03/25 21:09:53]

Because you added the bool to the SSLInfo, I think it's fine to have the
CertVerifier/CertVerifyProc handle this (eg: you do *NOT* need to sublcass a new
CertVerifier).

[Ryan Sleevi, 2013/03/25 23:55:32]

I'm an idiot who hadn't had his coffee. Ignore this remark.

+  verifier->SetCertTrustAnchorProvider(trust_anchor_provider);
+  delegate_.reset(verifier);
+}
+
+PolicyCertVerifier::~PolicyCertVerifier() {
+  DCHECK(content::BrowserThread::CurrentlyOn(content::BrowserThread::IO));
+}
+
+int PolicyCertVerifier::Verify(net::X509Certificate* cert,
+                               const std::string& hostname,
+                               int flags,
+                               net::CRLSet* crl_set,
+                               net::CertVerifyResult* verify_result,
+                               const net::CompletionCallback& callback,
+                               RequestHandle* out_req,
+                               const net::BoundNetLog& net_log) {
+  DCHECK(content::BrowserThread::CurrentlyOn(content::BrowserThread::IO));
+  net::CompletionCallback wrapped_callback =
+      base::Bind(&CallbackWrapper, profile_, verify_result, callback);
+  int error = delegate_->Verify(cert, hostname, flags, crl_set, verify_result,
+                                wrapped_callback, out_req, net_log);
+  if (error == net::OK)
+    MaybeTaintProfile(*verify_result, profile_);
+  return error;
+}
+
+void PolicyCertVerifier::CancelRequest(RequestHandle req) {
+  DCHECK(content::BrowserThread::CurrentlyOn(content::BrowserThread::IO));
+  delegate_->CancelRequest(req);
+}
+
+}  // namespace policy