net: add ability to distinguish user-added root CAs.

net/base/x509_certificate_unittest.cc

Index: net/base/x509_certificate_unittest.cc
diff --git a/net/base/x509_certificate_unittest.cc b/net/base/x509_certificate_unittest.cc
index 53a131f148c2fded62a24480975967b5e6971fb2..f1bdba155ebc3a1086fe172bfa8bf994f460f2d4 100644
--- a/net/base/x509_certificate_unittest.cc
+++ b/net/base/x509_certificate_unittest.cc
@@ -481,6 +481,20 @@ TEST(X509CertificateTest, IntermediateCARequireExplicitPolicy) {
   root_certs->Clear();
 }
 
+TEST(X509CertificateTest, TestProbablyMITMCert) {

[wtc, 2011/04/06 04:28:38]

Please document when this certificate will expire.  (See
examples on lines 401 and 451.)  This lets people know it's
fine to disable this test when it starts to fail.

Alternatively, allow the cert->Verify() call to fail with the
ERR_CERT_DATE_VALID error (CERT_STATUS_DATE_VALID).  You
are only interested in the value of verify_result.is_probably_mitm_cert
anyway.

[agl, 2011/04/06 19:02:02]

Done.

+  FilePath certs_dir = GetTestCertsDirectory();
+  scoped_refptr<X509Certificate> cert =
+      ImportCertFromFile(certs_dir, "nist.der");
+  ASSERT_NE(static_cast<X509Certificate*>(NULL), cert);
+
+  int flags = 0;
+  CertVerifyResult verify_result;
+  int error = cert->Verify("www.nist.gov", flags, &verify_result);
+  EXPECT_EQ(OK, error);
+  EXPECT_EQ(0, verify_result.cert_status);
+  EXPECT_FALSE(verify_result.is_probably_mitm_cert);
+}
+
 // A regression test for http://crbug.com/70293.
 // The Key Usage extension in this RSA SSL server certificate does not have
 // the keyEncipherment bit.