OLD | NEW |
(Empty) | |
| 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #include "net/base/test_root_certs.h" |
| 6 |
| 7 #include <cert.h> |
| 8 |
| 9 #include "base/logging.h" |
| 10 #include "base/nss_util.h" |
| 11 #include "base/stl_util-inl.h" |
| 12 #include "net/base/x509_certificate.h" |
| 13 |
| 14 namespace net { |
| 15 |
| 16 // TrustEntry is used to store the original CERTCertificate and CERTCertTrust |
| 17 // for a certificate whose trust status has been changed by the |
| 18 // TestRootCerts. |
| 19 class TestRootCerts::TrustEntry { |
| 20 public: |
| 21 // Creates a new TrustEntry by incrementing the reference to |certificate| |
| 22 // and copying |trust|. |
| 23 TrustEntry(CERTCertificate* certificate, CERTCertTrust trust); |
| 24 ~TrustEntry(); |
| 25 |
| 26 CERTCertificate* certificate() const { return certificate_; } |
| 27 CERTCertTrust trust() const { return trust_; } |
| 28 |
| 29 private: |
| 30 // The temporary root certificate. |
| 31 CERTCertificate* certificate_; |
| 32 |
| 33 // The original trust settings, before |certificate_| was manipulated to |
| 34 // be a temporarily trusted root. |
| 35 CERTCertTrust trust_; |
| 36 |
| 37 DISALLOW_COPY_AND_ASSIGN(TrustEntry); |
| 38 }; |
| 39 |
| 40 TestRootCerts::TrustEntry::TrustEntry(CERTCertificate* certificate, |
| 41 CERTCertTrust trust) |
| 42 : certificate_(CERT_DupCertificate(certificate)), |
| 43 trust_(trust) { |
| 44 } |
| 45 |
| 46 TestRootCerts::TrustEntry::~TrustEntry() { |
| 47 CERT_DestroyCertificate(certificate_); |
| 48 } |
| 49 |
| 50 bool TestRootCerts::Add(X509Certificate* certificate) { |
| 51 // Preserve the original trust bits so that they can be restored when |
| 52 // the certificate is removed. |
| 53 CERTCertTrust original_trust; |
| 54 SECStatus rv = CERT_GetCertTrust(certificate->os_cert_handle(), |
| 55 &original_trust); |
| 56 if (rv != SECSuccess) { |
| 57 // CERT_GetCertTrust will fail if the certificate does not have any |
| 58 // particular trust settings associated with it, and attempts to use |
| 59 // |original_trust| later to restore the original trust settings will not |
| 60 // cause the trust settings to be revoked. If the certificate has no |
| 61 // particular trust settings associated with it, mark the certificate as |
| 62 // a valid CA certificate with no specific trust. |
| 63 rv = CERT_DecodeTrustString(&original_trust, "c,c,c"); |
| 64 } |
| 65 |
| 66 // Change the trust bits to unconditionally trust this certificate. |
| 67 CERTCertTrust new_trust; |
| 68 rv = CERT_DecodeTrustString(&new_trust, "TCu,Cu,Tu"); |
| 69 if (rv != SECSuccess) { |
| 70 LOG(ERROR) << "Cannot decode certificate trust string."; |
| 71 return false; |
| 72 } |
| 73 |
| 74 rv = CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), |
| 75 certificate->os_cert_handle(), |
| 76 &new_trust); |
| 77 if (rv != SECSuccess) { |
| 78 LOG(ERROR) << "Cannot change certificate trust."; |
| 79 return false; |
| 80 } |
| 81 |
| 82 trust_cache_.push_back(new TrustEntry(certificate->os_cert_handle(), |
| 83 original_trust)); |
| 84 return true; |
| 85 } |
| 86 |
| 87 void TestRootCerts::Clear() { |
| 88 // Restore the certificate trusts to what they were originally, before |
| 89 // Add() was called. Work from the rear first, since if a certificate was |
| 90 // added twice, the second entry's original trust status will be that of |
| 91 // the first entry, while the first entry contains the desired resultant |
| 92 // status. |
| 93 for (std::list<TrustEntry*>::reverse_iterator it = trust_cache_.rbegin(); |
| 94 it != trust_cache_.rend(); ++it) { |
| 95 CERTCertTrust original_trust = (*it)->trust(); |
| 96 SECStatus rv = CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), |
| 97 (*it)->certificate(), |
| 98 &original_trust); |
| 99 // DCHECK(), rather than LOG(), as a failure to restore the original |
| 100 // trust can cause flake or hard-to-trace errors in any unit tests that |
| 101 // occur after Clear() has been called. |
| 102 DCHECK_EQ(SECSuccess, rv) << "Cannot restore certificate trust."; |
| 103 } |
| 104 STLDeleteElements(&trust_cache_); |
| 105 } |
| 106 |
| 107 bool TestRootCerts::IsEmpty() const { |
| 108 return trust_cache_.empty(); |
| 109 } |
| 110 |
| 111 TestRootCerts::~TestRootCerts() { |
| 112 Clear(); |
| 113 } |
| 114 |
| 115 void TestRootCerts::Init() { |
| 116 base::EnsureNSSInit(); |
| 117 } |
| 118 |
| 119 } // namespace net |
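Review bot: In `TestRootCerts::Add()`, the result of the fallback `CERT_DecodeTrustString(&original_trust, "c,c,c")` is assigned to `rv` and then overwritten by the next `CERT_DecodeTrustString` call without being checked. If that fallback ever failed, `original_trust` would be stored uninitialized in the `TrustEntry`, and `Clear()` would later write it back through `CERT_ChangeCertTrust`. I would fail closed in that branch, e.g. `if (CERT_DecodeTrustString(&original_trust, "c,c,c") != SECSuccess) return false;`. Separately, `Clear()` reports a failed restore only through `DCHECK_EQ`, which I believe is compiled out of non-debug builds, so a root left at "TCu,Cu,Tu" would go unnoticed there and its entry is deleted regardless. A `LOG(ERROR)` alongside the DCHECK would keep that visible.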