Add a hook to inject trusted Cast roots for testing purposes.

extensions/common/cast/cast_cert_validator.h

Index: extensions/common/cast/cast_cert_validator.h
diff --git a/extensions/common/cast/cast_cert_validator.h b/extensions/common/cast/cast_cert_validator.h
index c435ebb8776f312edfb7c6bee440f028175c6d4f..e786a1982182ad00029ac740fa359865d8f8592e 100644
--- a/extensions/common/cast/cast_cert_validator.h
+++ b/extensions/common/cast/cast_cert_validator.h
@@ -13,6 +13,7 @@
 #include "base/memory/scoped_ptr.h"
 #include "base/strings/string_piece.h"
 #include "base/time/time.h"
+#include "net/cert/internal/verify_certificate_chain.h"
 
 namespace extensions {
 namespace api {
@@ -51,6 +52,20 @@ class CertVerificationContext {
   DISALLOW_COPY_AND_ASSIGN(CertVerificationContext);
 };
 
+// Helper function that creates and initializes a TrustAnchor struct given
+// arrays for the subject's DER and the SPKI's DER.
+template <size_t SubjectSize, size_t SpkiSize>
+net::TrustAnchor CreateTrustAnchor(const uint8_t (&subject)[SubjectSize],

[eroman, 2016/04/18 18:28:40]

A more useful API is probably:

void AddTrustAnchor(____, net::TrustStore*);

I suggest changing to something like that before exposing.

Also as a side-note I am in the process of refactoring this to be:

trust_store->AddTrustedCertificate(trusted_cert_der);

As part of https://codereview.chromium.org/1890193003/   (that CL is not ready
for your review yet, just mentioning it as an FYI).

[ryanchung, 2016/04/19 17:19:34]

I'm thinking of undoing this API change and waiting for your change to land
first. Then we won't have to introduce this new API and remove it in a few days.
What do you think?

+                                   const uint8_t (&spki)[SpkiSize]) {
+  net::TrustAnchor anchor;
+  anchor.name = std::string(subject, subject + SubjectSize);
+  anchor.spki = std::string(spki, spki + SpkiSize);
+  return anchor;
+}
+
+// Creates a trust store with the two Cast roots.
+net::TrustStore CreateCastTrustStore();
+
 // Verifies a cast device certficate given a chain of DER-encoded certificates.
 //
 // Inputs:
@@ -73,6 +88,19 @@ class CertVerificationContext {
 //     properties from the device certificate (Common Name).
 //   * |policy| is filled with an indication of the device certificate's policy
 //     (i.e. is it for audio-only devices or is it unrestricted?)
+//   * |trust_store| is filled with the trusted CA certificate information
+bool VerifyDeviceCert(const std::vector<std::string>& certs,
+                      const base::Time::Exploded& time,
+                      scoped_ptr<CertVerificationContext>* context,
+                      CastDeviceCertPolicy* policy,
+                      net::TrustStore trust_store) WARN_UNUSED_RESULT;

[eroman, 2016/04/18 18:28:40]

const net::TrustStore&

[ryanchung, 2016/04/19 17:19:34]

Done.

+
+// Overloads VerifyDeviceCert(const std::vector<std::string>& certs,

[eroman, 2016/04/18 18:28:40]

This comment could be simplified.

// This is an overloaded version of VerifyDeviceCert() that uses the default
Cast trust store.

[ryanchung, 2016/04/19 17:19:34]

Done.

+//                           const base::Time::Exploded& time,
+//                           scoped_ptr<CertVerificationContext>* context,
+//                           CastDeviceCertPolicy* policy,
+//                           net::TrustStore trust_store)
+// Uses the default TrustStore from CreateCastTrustStore()
 bool VerifyDeviceCert(const std::vector<std::string>& certs,
                       const base::Time::Exploded& time,
                       scoped_ptr<CertVerificationContext>* context,