Extract IsKnownRoot() functionality for testing if a certificate is a

net/cert/cert_verify_proc_mac.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/cert_verify_proc_mac.h"
 
 #include <CommonCrypto/CommonDigest.h>
 #include <CoreServices/CoreServices.h>
 #include <Security/Security.h>
 
@@ skipping 14 matching lines @@
 #include "net/base/hash_value.h"
 #include "net/base/net_errors.h"
 #include "net/cert/asn1_util.h"
 #include "net/cert/cert_status_flags.h"
 #include "net/cert/cert_verifier.h"
 #include "net/cert/cert_verify_result.h"
 #include "net/cert/crl_set.h"
 #include "net/cert/ev_root_ca_metadata.h"
 #include "net/cert/internal/certificate_policies.h"
 #include "net/cert/internal/parsed_certificate.h"
+#include "net/cert/known_roots_mac.h"
 #include "net/cert/test_keychain_search_list_mac.h"
 #include "net/cert/test_root_certs.h"
 #include "net/cert/x509_certificate.h"
 #include "net/cert/x509_util.h"
 #include "net/cert/x509_util_mac.h"
 
 // CSSM functions are deprecated as of OSX 10.7, but have no replacement.
 // https://bugs.chromium.org/p/chromium/issues/detail?id=590914#c1
 #pragma clang diagnostic push
 #pragma clang diagnostic ignored "-Wdeprecated-declarations"
@@ skipping 544 matching lines @@
     return NetErrorFromOSStatus(status);
 
   trust_ref->swap(scoped_tmp_trust);
   *trust_result = tmp_trust_result;
   verified_chain->reset(tmp_verified_chain);
   *chain_info = tmp_chain_info;
 
   return OK;
 }
 
-// Helper class for managing the set of OS X Known Roots. This is only safe
-// to initialize while the crypto::GetMacSecurityServicesLock() is held, due
-// to calling into Security.framework functions; however, once initialized,
-// it can be called at any time.
-// In practice, due to lazy initialization, it's best to just always guard
-// accesses with the lock.
-class OSXKnownRootHelper {
- public:
-  // IsIssuedByKnownRoot returns true if the given chain is rooted at a root CA
-  // that we recognise as a standard root.
-  bool IsIssuedByKnownRoot(CFArrayRef chain) {
-    // If there are no known roots, then an API failure occurred. For safety,
-    // assume that all certificates are issued by known roots.
-    if (known_roots_.empty())
-      return true;
-
-    CFIndex n = CFArrayGetCount(chain);
-    if (n < 1)
-      return false;
-    SecCertificateRef root_ref = reinterpret_cast<SecCertificateRef>(
-        const_cast<void*>(CFArrayGetValueAtIndex(chain, n - 1)));
-    SHA256HashValue hash = x509_util::CalculateFingerprint256(root_ref);
-    return known_roots_.find(hash) != known_roots_.end();
-  }
-
- private:
-  friend struct base::LazyInstanceTraitsBase<OSXKnownRootHelper>;
-
-  OSXKnownRootHelper() {
-    CFArrayRef cert_array = NULL;
-    OSStatus rv = SecTrustSettingsCopyCertificates(
-        kSecTrustSettingsDomainSystem, &cert_array);
-    if (rv != noErr) {
-      LOG(ERROR) << "Unable to determine trusted roots; assuming all roots are "
-                 << "trusted! Error " << rv;
-      return;
-    }
-    base::ScopedCFTypeRef<CFArrayRef> scoped_array(cert_array);
-    for (CFIndex i = 0, size = CFArrayGetCount(cert_array); i < size; ++i) {
-      SecCertificateRef cert = reinterpret_cast<SecCertificateRef>(
-          const_cast<void*>(CFArrayGetValueAtIndex(cert_array, i)));
-      known_roots_.insert(x509_util::CalculateFingerprint256(cert));
-    }
-  }
-
-  ~OSXKnownRootHelper() {}
-
-  std::set<SHA256HashValue, SHA256HashValueLessThan> known_roots_;
-};
-
-base::LazyInstance<OSXKnownRootHelper>::Leaky g_known_roots =
-    LAZY_INSTANCE_INITIALIZER;
+// IsIssuedByKnownRoot returns true if the given chain is rooted at a root CA
+// that we recognise as a standard root.
+bool IsIssuedByKnownRoot(CFArrayRef chain) {
+  CFIndex n = CFArrayGetCount(chain);
+  if (n < 1)
+    return false;
+  SecCertificateRef root_ref = reinterpret_cast<SecCertificateRef>(
+      const_cast<void*>(CFArrayGetValueAtIndex(chain, n - 1)));
+  return IsKnownRoot(root_ref);
+}
 
 // Runs path building & verification loop for |cert|, given |flags|. This is
 // split into a separate function so verification can be repeated with different
 // flags. This function does not handle EV.
 int VerifyWithGivenFlags(X509Certificate* cert,
                          const std::string& hostname,
                          const int flags,
                          CRLSet* crl_set,
                          CertVerifyResult* verify_result,
                          CRLSetResult* completed_chain_crl_result) {
@@ skipping 338 matching lines @@
   // Hostname validation is handled by CertVerifyProc, so mask off any errors
   // that SecTrustEvaluate may have set, as its results are not used.
   verify_result->cert_status &= ~CERT_STATUS_COMMON_NAME_INVALID;
 
   // TODO(wtc): Suppress CERT_STATUS_NO_REVOCATION_MECHANISM for now to be
   // compatible with Windows, which in turn implements this behavior to be
   // compatible with WinHTTP, which doesn't report this error (bug 3004).
   verify_result->cert_status &= ~CERT_STATUS_NO_REVOCATION_MECHANISM;
 
   AppendPublicKeyHashes(completed_chain, &verify_result->public_key_hashes);
-  verify_result->is_issued_by_known_root =
-      g_known_roots.Get().IsIssuedByKnownRoot(completed_chain);
+  verify_result->is_issued_by_known_root = IsIssuedByKnownRoot(completed_chain);
 
   if (IsCertStatusError(verify_result->cert_status))
     return MapCertStatusToNetError(verify_result->cert_status);
 
   return OK;
 }
 
 }  // namespace
 
 CertVerifyProcMac::CertVerifyProcMac() {}
@@ skipping 60 matching lines @@
     // EV cert and it was covered by CRLSets or revocation checking passed.
     verify_result->cert_status |= CERT_STATUS_IS_EV;
   }
 
   return OK;
 }
 
 }  // namespace net
 
 #pragma clang diagnostic pop  // "-Wdeprecated-declarations"