Work around GTE CyberTrust/Baltimore CyberTrust cross-signing issues

net/cert/test_root_certs_mac.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/test_root_certs.h"
 
 #include <Security/Security.h>
 
 #include "base/logging.h"
 #include "base/mac/scoped_cftyperef.h"
@@ skipping 53 matching lines @@
   return CFArrayGetCount(temporary_roots_) == 0;
 }
 
 OSStatus TestRootCerts::FixupSecTrustRef(SecTrustRef trust_ref) const {
   if (IsEmpty())
     return noErr;
 
   OSStatus status = SecTrustSetAnchorCertificates(trust_ref, temporary_roots_);
   if (status)
     return status;
-  return SecTrustSetAnchorCertificatesOnly(trust_ref, false);
+  return SecTrustSetAnchorCertificatesOnly(trust_ref, !allow_system_trust_);
+}
+
+void TestRootCerts::SetAllowSystemTrust(bool allow_system_trust) {
+  allow_system_trust_ = allow_system_trust;
 }
 
 TestRootCerts::~TestRootCerts() {}
 
 void TestRootCerts::Init() {
   temporary_roots_.reset(CFArrayCreateMutable(kCFAllocatorDefault, 0,
                                               &kCertArrayCallbacks));
+  allow_system_trust_ = true;

[wtc, 2013/04/29 19:14:57]

Is it convenient to initialize allow_system_trust_ in the
constructor? Otherwise tools such as Coverity may report
an uninitialized class member.

[Ryan Sleevi, 2013/04/29 21:28:23]

No. We use |Init()| to handle the per-OS initialization of members.

This is the same as how empty_ is treated, and it doesn't trigger any warnings.
Init() is called by the CTOR, FWIW.

[wtc, 2013/04/29 22:53:42]

I see. I didn't know that (I didn't check test_root_certs.cc)
when I reviewed the CL. Sorry about my confusion.

 }
 
 }  // namespace net