net: add ability to distinguish user-added root CAs.

net/base/x509_certificate_unittest.cc

Index: net/base/x509_certificate_unittest.cc
diff --git a/net/base/x509_certificate_unittest.cc b/net/base/x509_certificate_unittest.cc
index 53a131f148c2fded62a24480975967b5e6971fb2..915c49a4c2e493fa0311f00e66d097b737fcfb35 100644
--- a/net/base/x509_certificate_unittest.cc
+++ b/net/base/x509_certificate_unittest.cc
@@ -481,6 +481,19 @@ TEST(X509CertificateTest, IntermediateCARequireExplicitPolicy) {
   root_certs->Clear();
 }
 
+TEST(X509CertificateTest, TestKnownRoot) {
+  FilePath certs_dir = GetTestCertsDirectory();
+  scoped_refptr<X509Certificate> cert =
+      ImportCertFromFile(certs_dir, "nist.der");
+  ASSERT_NE(static_cast<X509Certificate*>(NULL), cert);
+
+  int flags = 0;
+  CertVerifyResult verify_result;
+  cert->Verify("www.nist.gov", flags, &verify_result);
+  // We don't check the error because the certificate will expire eventually.
+  EXPECT_TRUE(verify_result.is_issued_by_known_root);

[wtc, 2011/04/07 05:01:54]

BUG (FUTURE): cert->Verify() sets
verify_result.is_issued_by_known_root only if the certificate
is good.  So when this certificate expires,
verify_result.is_issued_by_known_root will be false.

[agl, 2011/04/07 15:02:49]

I've moved the code which sets |is_issued_by_known_root| down in each case so
that it's only set in the event of a valid certificate. Now, expiry is a problem
here but I can't find a way around it :( The test will blow up in the future.

[wtc, 2011/04/08 00:39:17]

Yes.  The X509CertificateTest unit tests that use real
certificates all have this problem.  We should at least
document when the certificate will expire so that build
sheriffs will know they can disable the test safely when
the test blows up.

+}
+
 // A regression test for http://crbug.com/70293.
 // The Key Usage extension in this RSA SSL server certificate does not have
 // the keyEncipherment bit.