Add a hook to inject trusted Cast roots for testing purposes.

extensions/common/cast/cast_cert_validator.h

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef EXTENSIONS_COMMON_CAST_CAST_CERT_VALIDATOR_H_
 #define EXTENSIONS_COMMON_CAST_CAST_CERT_VALIDATOR_H_
 
 #include <string>
 #include <vector>
 
 #include "base/compiler_specific.h"
 #include "base/macros.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/strings/string_piece.h"
 #include "base/time/time.h"
+#include "net/cert/internal/verify_certificate_chain.h"
 
 namespace extensions {
 namespace api {
 namespace cast_crypto {
 
 // Describes the policy for a Device certificate.
 enum class CastDeviceCertPolicy {
   // The device certificate is unrestricted.
   NONE,
 
@@ skipping 18 matching lines @@
 
   // Retrieve the Common Name attribute of the subject's distinguished name from
   // the verified certificate, if present.  Returns an empty string if no Common
   // Name is found.
   virtual std::string GetCommonName() const = 0;
 
  private:
   DISALLOW_COPY_AND_ASSIGN(CertVerificationContext);
 };
 
+// Helper function that creates and initializes a TrustAnchor struct given
+// arrays for the subject's DER and the SPKI's DER.
+template <size_t SubjectSize, size_t SpkiSize>
+net::TrustAnchor CreateTrustAnchor(const uint8_t (&subject)[SubjectSize],

[eroman, 2016/04/18 18:28:40]

A more useful API is probably:

void AddTrustAnchor(____, net::TrustStore*);

I suggest changing to something like that before exposing.

Also as a side-note I am in the process of refactoring this to be:

trust_store->AddTrustedCertificate(trusted_cert_der);

As part of https://codereview.chromium.org/1890193003/   (that CL is not ready
for your review yet, just mentioning it as an FYI).

[ryanchung, 2016/04/19 17:19:34]

I'm thinking of undoing this API change and waiting for your change to land
first. Then we won't have to introduce this new API and remove it in a few days.
What do you think?

+                                   const uint8_t (&spki)[SpkiSize]) {
+  net::TrustAnchor anchor;
+  anchor.name = std::string(subject, subject + SubjectSize);
+  anchor.spki = std::string(spki, spki + SpkiSize);
+  return anchor;
+}
+
+// Creates a trust store with the two Cast roots.
+net::TrustStore CreateCastTrustStore();
+
 // Verifies a cast device certficate given a chain of DER-encoded certificates.
 //
 // Inputs:
 //
 // * |certs| is a chain of DER-encoded certificates:
 //   * |certs[0]| is the target certificate (i.e. the device certificate)
 //   * |certs[i]| is the certificate that issued certs[i-1]
 //   * |certs.back()| must be signed by a trust anchor
 //
 // * |time| is the UTC time to use for determining if the certificate
 //   is expired.
 //
 // Outputs:
 //
 // Returns true on success, false on failure. On success the output
 // parameters are filled with more details:
 //
 //   * |context| is filled with an object that can be used to verify signatures
 //     using the device certificate's public key, as well as to extract other
 //     properties from the device certificate (Common Name).
 //   * |policy| is filled with an indication of the device certificate's policy
 //     (i.e. is it for audio-only devices or is it unrestricted?)
+//   * |trust_store| is filled with the trusted CA certificate information
 bool VerifyDeviceCert(const std::vector<std::string>& certs,
                       const base::Time::Exploded& time,
                       scoped_ptr<CertVerificationContext>* context,
+                      CastDeviceCertPolicy* policy,
+                      net::TrustStore trust_store) WARN_UNUSED_RESULT;

[eroman, 2016/04/18 18:28:40]

const net::TrustStore&

[ryanchung, 2016/04/19 17:19:34]

Done.

+
+// Overloads VerifyDeviceCert(const std::vector<std::string>& certs,

[eroman, 2016/04/18 18:28:40]

This comment could be simplified.

// This is an overloaded version of VerifyDeviceCert() that uses the default
Cast trust store.

[ryanchung, 2016/04/19 17:19:34]

Done.

+//                           const base::Time::Exploded& time,
+//                           scoped_ptr<CertVerificationContext>* context,
+//                           CastDeviceCertPolicy* policy,
+//                           net::TrustStore trust_store)
+// Uses the default TrustStore from CreateCastTrustStore()
+bool VerifyDeviceCert(const std::vector<std::string>& certs,
+                      const base::Time::Exploded& time,
+                      scoped_ptr<CertVerificationContext>* context,
                       CastDeviceCertPolicy* policy) WARN_UNUSED_RESULT;
 
 // Exposed only for unit-tests, not for use in production code.
 // Production code would get a context from VerifyDeviceCert().
 //
 // Constructs a VerificationContext that uses the provided public key.
 // The common name will be hardcoded to some test value.
 scoped_ptr<CertVerificationContext> CertVerificationContextImplForTest(
     const base::StringPiece& spki);
 
 
 }  // namespace cast_crypto
 }  // namespace api
 }  // namespace extensions
 
 #endif  // EXTENSIONS_COMMON_CAST_CAST_CERT_VALIDATOR_H_