Extract IsKnownRoot() functionality for testing if a certificate is a

net/cert/internal/system_trust_store.cc

Index: net/cert/internal/system_trust_store.cc
diff --git a/net/cert/internal/system_trust_store.cc b/net/cert/internal/system_trust_store.cc
index 64ac20982abdf24a1c9a1b47143a4f6f368e4c1a..099501a6964c11255c2db3b8824711446894dde0 100644
--- a/net/cert/internal/system_trust_store.cc
+++ b/net/cert/internal/system_trust_store.cc
@@ -19,9 +19,12 @@
 #include "crypto/nss_util.h"
 #include "net/cert/internal/cert_issuer_source_nss.h"
 #include "net/cert/internal/trust_store_nss.h"
+#include "net/cert/known_roots_nss.h"
 #include "net/cert/scoped_nss_types.h"
 #elif defined(OS_MACOSX) && !defined(OS_IOS)
 #include "net/cert/internal/trust_store_mac.h"
+#include "net/cert/known_roots_mac.h"
+#include "net/cert/x509_util_mac.h"
 #endif
 
 namespace net {
@@ -93,24 +96,10 @@ class SystemTrustStoreNSS : public BaseSystemTrustStore {
     if (!nss_cert)
       return false;
 
-    return IsKnownRoot(nss_cert.get());
+    return net::IsKnownRoot(nss_cert.get());

[mattm, 2017/04/20 02:14:12]

unnecessary net::

[eroman, 2017/04/20 17:30:59]

Unfortunately the unqualified symbol name will resolve to
SystemTrustStoreNSS::IsKnownRoot(), despite the different argument type (and
fail to compile).

I added the net:: namespace specificity to cause it to resolve to the right
overload.

I am not sure of a better way to tackle this short of giving them unique names.

   }
 
  private:
-  // TODO(eroman): This function was copied verbatim from
-  // cert_verify_proc_nss.cc
-  //
-  // IsKnownRoot returns true if the given certificate is one that we believe
-  // is a standard (as opposed to user-installed) root.
-  bool IsKnownRoot(CERTCertificate* root) const {
-    if (!root || !root->slot)
-      return false;
-
-    // This magic name is taken from
-    // http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/ckfw/builtins/constants.c&rev=1.13&mark=86,89#79
-    return 0 == strcmp(PK11_GetSlotName(root->slot), "NSS Builtin Objects");
-  }
-
   TrustStoreNSS trust_store_nss_;
   CertIssuerSourceNSS cert_issuer_source_nss_;
 };
@@ -123,14 +112,16 @@ std::unique_ptr<SystemTrustStore> CreateSslSystemTrustStore() {
 
 #elif defined(OS_MACOSX) && !defined(OS_IOS)
 
+// TODO(eroman): Compose with test roots added via cert/test_roots.h
 class SystemTrustStoreMac : public BaseSystemTrustStore {
  public:
   explicit SystemTrustStoreMac() : trust_store_mac_(kSecPolicyAppleSSL) {
+    InitializeKnownRoots();
     trust_store_.AddTrustStore(&trust_store_mac_);
   }
 
   CertIssuerSource* GetCertIssuerSource() override {
-    // TODO(eroman): Should this return something?
+    // TODO(eroman): Implement.
     return nullptr;
   }
 
@@ -140,8 +131,17 @@ class SystemTrustStoreMac : public BaseSystemTrustStore {
   // opposed to a user-installed root)
   bool IsKnownRoot(
       const scoped_refptr<TrustAnchor>& trust_anchor) const override {
-    // TODO(eroman): Implement.
-    return false;
+    if (!trust_anchor->cert())
+      return false;
+
+    der::Input bytes = trust_anchor->cert()->der_cert();
+    base::ScopedCFTypeRef<SecCertificateRef> cert_ref =
+        x509_util::CreateSecCertificateFromBytes(bytes.UnsafeData(),
+                                                 bytes.Length());
+    if (!cert_ref)
+      return false;
+
+    return net::IsKnownRoot(cert_ref);

[mattm, 2017/04/20 02:14:12]

unnecessary net::

   }
 
  private: