Add a hook to inject trusted Cast roots for testing purposes.

extensions/common/cast/cast_cert_validator.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "extensions/common/cast/cast_cert_validator.h"
 
 #include <stddef.h>
 #include <stdint.h>
 #include <algorithm>
 #include <utility>
@@ skipping 101 matching lines @@
     0x07, 0x7F, 0xD7, 0xE9, 0x69, 0x1F, 0xAE, 0x3F, 0x4F, 0x63, 0x8A, 0x8F,
     0x89, 0xD6, 0xF2, 0x19, 0x78, 0x5C, 0x21, 0x8E, 0xB1, 0xB6, 0x57, 0xD8,
     0xC0, 0xE1, 0xEE, 0x7D, 0x6E, 0xDD, 0xF1, 0x3A, 0x0A, 0x6A, 0xF1, 0xBA,
     0xFF, 0xF9, 0x83, 0x2F, 0xDC, 0xB5, 0xA4, 0x20, 0x17, 0x63, 0x36, 0xEF,
     0xC8, 0x62, 0x19, 0xCC, 0x56, 0xCE, 0xB2, 0xEA, 0x31, 0x89, 0x4B, 0x78,
     0x58, 0xC1, 0xBF, 0x03, 0x13, 0x99, 0xE0, 0x12, 0xF2, 0x88, 0xAA, 0x9B,
     0x94, 0xDA, 0xDD, 0x76, 0x79, 0x17, 0x1E, 0x34, 0xD1, 0x0A, 0xC4, 0x07,
     0x45, 0x02, 0x03, 0x01, 0x00, 0x01,
 };
 
-// Helper function that creates and initializes a TrustAnchor struct given
-// arrays for the subject's DER and the SPKI's DER.
-template <size_t SubjectSize, size_t SpkiSize>
-net::TrustAnchor CreateTrustAnchor(const uint8_t (&subject)[SubjectSize],
-                                   const uint8_t (&spki)[SpkiSize]) {
-  net::TrustAnchor anchor;
-  anchor.name = std::string(subject, subject + SubjectSize);
-  anchor.spki = std::string(spki, spki + SpkiSize);
-  return anchor;
-}
-
-// Creates a trust store with the two Cast roots.
-//
-// TODO(eroman): The root certificates themselves are not included in the trust
-// store (just their subject/SPKI). The problem with this approach is any
-// restrictions encoded in their (like path length, or policy) are not known
-// when verifying, and hence not enforced.
-net::TrustStore CreateCastTrustStore() {
-  net::TrustStore store;
-  store.anchors.push_back(
-      CreateTrustAnchor(kEurekaRootCaSubjectDer, kEurekaRootCaSpkiDer));
-  store.anchors.push_back(
-      CreateTrustAnchor(kCastRootCaSubjectDer, kCastRootCaSpkiDer));
-  return store;
-}
-
 using ExtensionsMap = std::map<net::der::Input, net::ParsedExtension>;
 
 // Helper that looks up an extension by OID given a map of extensions.
 bool GetExtensionValue(const ExtensionsMap& extensions,
                        const net::der::Input& oid,
                        net::der::Input* value) {
   auto it = extensions.find(oid);
   if (it == extensions.end())
     return false;
   *value = it->second.value;
@@ skipping 171 matching lines @@
   result.month = exploded.month;
   result.day = exploded.day_of_month;
   result.hours = exploded.hour;
   result.minutes = exploded.minute;
   result.seconds = exploded.second;
   return result;
 }
 
 }  // namespace
 
+// TODO(eroman): The root certificates themselves are not included in the trust
+// store (just their subject/SPKI). The problem with this approach is any
+// restrictions encoded in their (like path length, or policy) are not known
+// when verifying, and hence not enforced.
+net::TrustStore CreateCastTrustStore() {
+  net::TrustStore store;
+  store.anchors.push_back(
+      CreateTrustAnchor(kEurekaRootCaSubjectDer, kEurekaRootCaSpkiDer));
+  store.anchors.push_back(
+      CreateTrustAnchor(kCastRootCaSubjectDer, kCastRootCaSpkiDer));
+  return store;
+}
+
 bool VerifyDeviceCert(const std::vector<std::string>& certs,
                       const base::Time::Exploded& time,
                       scoped_ptr<CertVerificationContext>* context,
                       CastDeviceCertPolicy* policy) {
   // Initialize the trust store used for verifying Cast
   // device certificates.
   //
   // Performance: This code is re-building a TrustStore object each
   // time a chain needs to be verified rather than caching it, to
   // avoid memory bloat.
   auto trust_store = CreateCastTrustStore();
+  return VerifyDeviceCert(certs, time, context, policy, trust_store);
+}
 
+bool VerifyDeviceCert(const std::vector<std::string>& certs,
+                      const base::Time::Exploded& time,
+                      scoped_ptr<CertVerificationContext>* context,
+                      CastDeviceCertPolicy* policy,
+                      net::TrustStore trust_store) {
   // The underlying verification function expects a sequence of
   // der::Input, so wrap the data in it (cheap).
   std::vector<net::der::Input> input_chain;
   for (const auto& cert : certs)
     input_chain.push_back(net::der::Input(&cert));
 
   // Use a signature policy compatible with Cast's PKI.
   auto signature_policy = CreateCastSignaturePolicy();
 
   // Do RFC 5280 compatible certificate verification using the two Cast
@@ skipping 13 matching lines @@
     const base::StringPiece& spki) {
   // Use a bogus CommonName, since this is just exposed for testing signature
   // verification by unittests.
   return make_scoped_ptr(
       new CertVerificationContextImpl(net::der::Input(spki), "CommonName"));
 }
 
 }  // namespace cast_crypto
 }  // namespace api
 }  // namespace extensions