1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "net/cert/test_root_certs.h"
9 #include "base/logging.h"
10 #include "base/stl_util.h"
11 #include "crypto/nss_util.h"
12 #include "net/cert/x509_certificate.h"
15 #include "net/cert/x509_util_ios.h"
// TrustEntry remembers a certificate whose trust TestRootCerts has overridden,
// together with the CERTCertTrust it carried before the override, so that the
// earlier settings can be written back later.
//
// NOTE(review): the access specifiers are not visible in this listing; the
// public/private split below is inferred from how TestRootCerts uses the
// class - confirm against the original file.
class TestRootCerts::TrustEntry {
 public:
  // Takes an additional reference to |certificate| (CERT_DupCertificate) and
  // stores a copy of |trust|.
  TrustEntry(CERTCertificate* certificate, const CERTCertTrust& trust);

  // Releases the certificate reference taken by the constructor.
  ~TrustEntry();

  const CERTCertTrust& trust() const { return trust_; }
  CERTCertificate* certificate() const { return certificate_; }

 private:
  // The certificate acting as a temporary root. Declared before |trust_| to
  // match the order of the constructor's initializer list.
  CERTCertificate* certificate_;

  // The trust settings |certificate_| had before it was turned into a
  // temporarily trusted root.
  CERTCertTrust trust_;

  DISALLOW_COPY_AND_ASSIGN(TrustEntry);
};
// Holds its own reference to |certificate|, obtained from
// CERT_DupCertificate(), and keeps a copy of |trust|. The matching
// CERT_DestroyCertificate() call is made by the destructor.
TestRootCerts::TrustEntry::TrustEntry(CERTCertificate* certificate,
                                      const CERTCertTrust& trust)
    : certificate_(CERT_DupCertificate(certificate)), trust_(trust) {}
// Gives back the certificate reference that the constructor acquired with
// CERT_DupCertificate().
TestRootCerts::TrustEntry::~TrustEntry() {
  CERT_DestroyCertificate(certificate_);
}
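// Marks |certificate| as an unconditionally trusted root in the default NSS
// certificate database and records the trust settings it had before, so that
// Clear() can write them back.
//
// Returns true once the trust has been changed and the previous settings have
// been appended to |trust_cache_|. Returns false, without touching
// |trust_cache_|, if a trust string cannot be decoded or NSS rejects the
// trust change.
//
// NOTE(review): the preprocessor lines and the early returns are not visible
// in this listing. The OS_IOS guard is inferred from the iOS-only
// x509_util_ios helper and the returns from the bool signature - confirm
// against the original file.
bool TestRootCerts::Add(X509Certificate* certificate) {
#if defined(OS_IOS)
  x509_util_ios::NSSCertificate nss_certificate(certificate->os_cert_handle());
  CERTCertificate* cert_handle = nss_certificate.cert_handle();
#else
  CERTCertificate* cert_handle = certificate->os_cert_handle();
#endif

  // Preserve the original trust bits so that they can be restored when
  // the certificate is removed.
  CERTCertTrust original_trust;
  SECStatus rv = CERT_GetCertTrust(cert_handle, &original_trust);
  if (rv != SECSuccess) {
    // CERT_GetCertTrust fails when the certificate has no particular trust
    // settings associated with it, and restoring from |original_trust| later
    // would then not revoke the trust granted below. In that case record the
    // certificate as a valid CA certificate with no specific trust.
    rv = CERT_DecodeTrustString(&original_trust, "c,c,c");
    if (rv != SECSuccess) {
      // Without this check a failed decode would leave |original_trust|
      // unset, and Clear() would later write that value back into the
      // certificate database as the "original" trust.
      LOG(ERROR) << "Cannot decode fallback certificate trust string.";
      return false;
    }
  }

  // Change the trust bits to unconditionally trust this certificate.
  CERTCertTrust new_trust;
  rv = CERT_DecodeTrustString(&new_trust, "TCu,Cu,Tu");
  if (rv != SECSuccess) {
    LOG(ERROR) << "Cannot decode certificate trust string.";
    return false;
  }

  // The change is made in the default certificate database, not in a private
  // copy, so it stays in effect until Clear() restores the saved settings.
  rv = CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), cert_handle, &new_trust);
  if (rv != SECSuccess) {
    LOG(ERROR) << "Cannot change certificate trust.";
    return false;
  }

  // Only record the entry once the trust change has actually been applied.
  trust_cache_.push_back(new TrustEntry(cert_handle, original_trust));
  return true;
}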
// Restores every certificate recorded by Add() to the trust settings it had
// beforehand, then deletes the recorded entries.
void TestRootCerts::Clear() {
  typedef std::list<TrustEntry*>::reverse_iterator ReverseEntryIt;

  // Walk the cache from newest to oldest. If a certificate was added twice,
  // the later entry saved the trust installed by the earlier Add(), while the
  // earlier entry holds the settings that should finally be in place, so the
  // earlier entry has to be applied last.
  ReverseEntryIt entry = trust_cache_.rbegin();
  while (entry != trust_cache_.rend()) {
    TrustEntry* const saved = *entry;

    // trust() returns a const reference and CERT_ChangeCertTrust() is given a
    // non-const pointer, so hand it a local copy.
    CERTCertTrust trust_to_restore = saved->trust();
    const SECStatus status = CERT_ChangeCertTrust(
        CERT_GetDefaultCertDB(), saved->certificate(), &trust_to_restore);

    // DCHECK(), rather than LOG(): a certificate left with the test trust
    // can cause flaky or hard-to-trace failures in any unit test that runs
    // after Clear() has been called.
    DCHECK_EQ(SECSuccess, status) << "Cannot restore certificate trust.";

    ++entry;
  }

  STLDeleteElements(&trust_cache_);
}
// Returns true when |trust_cache_| holds no entries, i.e. no trust change
// made by Add() is currently recorded.
bool TestRootCerts::IsEmpty() const {
  const bool no_recorded_entries = trust_cache_.empty();
  return no_recorded_entries;
}
117 TestRootCerts::~TestRootCerts() {
121 void TestRootCerts::Init() {
122 crypto::EnsureNSSInit();