Added a PolicyCertVerifier that uses the trust anchors from the ONC policies.

chromeos/network/onc/onc_certificate_importer.cc

Index: chromeos/network/onc/onc_certificate_importer.cc
diff --git a/chromeos/network/onc/onc_certificate_importer.cc b/chromeos/network/onc/onc_certificate_importer.cc
index 34079715a2a5f0cfdd521dd340976d9ec6484b40..0dd932543dfa70399ee23bf74827b94b05a16019 100644
--- a/chromeos/network/onc/onc_certificate_importer.cc
+++ b/chromeos/network/onc/onc_certificate_importer.cc
@@ -34,12 +34,13 @@ const char kX509CertificateHeader[] = "X509 CERTIFICATE";
 namespace chromeos {
 namespace onc {
 
-CertificateImporter::CertificateImporter(bool allow_web_trust)
-    : allow_web_trust_(allow_web_trust) {
+CertificateImporter::CertificateImporter(bool allow_trust_imports)
+    : allow_trust_imports_(allow_trust_imports) {
 }
 
 CertificateImporter::ParseResult CertificateImporter::ParseAndStoreCertificates(
-    const base::ListValue& certificates) {
+    const base::ListValue& certificates,
+    net::CertificateList* onc_trusted_certificates) {
   size_t successful_imports = 0;
   for (size_t i = 0; i < certificates.GetSize(); ++i) {
     const base::DictionaryValue* certificate = NULL;
@@ -48,7 +49,7 @@ CertificateImporter::ParseResult CertificateImporter::ParseAndStoreCertificates(
 
     VLOG(2) << "Parsing certificate at index " << i << ": " << *certificate;
 
-    if (!ParseAndStoreCertificate(*certificate)) {
+    if (!ParseAndStoreCertificate(*certificate, onc_trusted_certificates)) {
       ONC_LOG_ERROR(
           base::StringPrintf("Cannot parse certificate at index %zu", i));
     } else {
@@ -66,37 +67,6 @@ CertificateImporter::ParseResult CertificateImporter::ParseAndStoreCertificates(
   }
 }
 
-bool CertificateImporter::ParseAndStoreCertificate(
-    const base::DictionaryValue& certificate) {
-  // Get out the attributes of the given certificate.
-  std::string guid;
-  certificate.GetString(certificate::kGUID, &guid);
-  DCHECK(!guid.empty());
-
-  bool remove = false;
-  if (certificate.GetBoolean(kRemove, &remove) && remove) {
-    if (!DeleteCertAndKeyByNickname(guid)) {
-      ONC_LOG_ERROR("Unable to delete certificate");
-      return false;
-    } else {
-      return true;
-    }
-  }
-
-  // Not removing, so let's get the data we need to add this certificate.
-  std::string cert_type;
-  certificate.GetString(certificate::kType, &cert_type);
-  if (cert_type == certificate::kServer ||
-      cert_type == certificate::kAuthority) {
-    return ParseServerOrCaCertificate(cert_type, guid, certificate);
-  } else if (cert_type == certificate::kClient) {
-    return ParseClientCertificate(guid, certificate);
-  }
-
-  NOTREACHED();
-  return false;
-}
-
 // static
 void CertificateImporter::ListCertsWithNickname(const std::string& label,
                                                 net::CertificateList* result) {
@@ -155,11 +125,45 @@ bool CertificateImporter::DeleteCertAndKeyByNickname(const std::string& label) {
   return result;
 }
 
+bool CertificateImporter::ParseAndStoreCertificate(
+    const base::DictionaryValue& certificate,
+    net::CertificateList* onc_trusted_certificates) {
+  // Get out the attributes of the given certificate.
+  std::string guid;
+  certificate.GetString(certificate::kGUID, &guid);
+  DCHECK(!guid.empty());
+
+  bool remove = false;
+  if (certificate.GetBoolean(kRemove, &remove) && remove) {
+    if (!DeleteCertAndKeyByNickname(guid)) {
+      ONC_LOG_ERROR("Unable to delete certificate");
+      return false;
+    } else {
+      return true;
+    }
+  }
+
+  // Not removing, so let's get the data we need to add this certificate.
+  std::string cert_type;
+  certificate.GetString(certificate::kType, &cert_type);
+  if (cert_type == certificate::kServer ||
+      cert_type == certificate::kAuthority) {
+    return ParseServerOrCaCertificate(
+        cert_type, guid, certificate, onc_trusted_certificates);
+  } else if (cert_type == certificate::kClient) {
+    return ParseClientCertificate(guid, certificate);
+  }
+
+  NOTREACHED();
+  return false;
+}
+
 bool CertificateImporter::ParseServerOrCaCertificate(
     const std::string& cert_type,
     const std::string& guid,
-    const base::DictionaryValue& certificate) {
-  bool web_trust = false;
+    const base::DictionaryValue& certificate,
+    net::CertificateList* onc_trusted_certificates) {
+  bool web_trust_flag = false;
   const base::ListValue* trust_list = NULL;
   if (certificate.GetList(certificate::kTrust, &trust_list)) {
     for (size_t i = 0; i < trust_list->GetSize(); ++i) {
@@ -170,7 +174,7 @@ bool CertificateImporter::ParseServerOrCaCertificate(
       if (trust_type == certificate::kWeb) {
         // "Web" implies that the certificate is to be trusted for SSL
         // identification.
-        web_trust = true;
+        web_trust_flag = true;
       } else {
         ONC_LOG_ERROR("Certificate contains unknown trust type " + trust_type);
         return false;
@@ -178,9 +182,12 @@ bool CertificateImporter::ParseServerOrCaCertificate(
     }
   }
 
-  if (web_trust && !allow_web_trust_) {
-    LOG(WARNING) << "Web trust not granted for certificate: " << guid;
-    web_trust = false;
+  bool import_with_ssl_trust = false;
+  if (web_trust_flag) {
+    if (!allow_trust_imports_)
+      LOG(WARNING) << "Web trust not granted for certificate: " << guid;
+    else
+      import_with_ssl_trust = true;
   }
 
   std::string x509_data;
@@ -276,7 +283,7 @@ bool CertificateImporter::ParseServerOrCaCertificate(
   cert_list.push_back(x509_cert);
   net::NSSCertDatabase::ImportCertFailureList failures;
   bool success = false;
-  net::NSSCertDatabase::TrustBits trust = web_trust ?
+  net::NSSCertDatabase::TrustBits trust = import_with_ssl_trust ?
                                           net::NSSCertDatabase::TRUSTED_SSL :
                                           net::NSSCertDatabase::TRUST_DEFAULT;
   if (cert_type == certificate::kServer) {
@@ -295,6 +302,9 @@ bool CertificateImporter::ParseServerOrCaCertificate(
     return false;
   }
 
+  if (web_trust_flag && onc_trusted_certificates)
+    onc_trusted_certificates->push_back(x509_cert);
+
   return true;
 }