1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #ifndef NET_CERT_TEST_ROOT_CERTS_H_
6 #define NET_CERT_TEST_ROOT_CERTS_H_
8 #include "base/lazy_instance.h"
9 #include "base/memory/ref_counted.h"
10 #include "build/build_config.h"
11 #include "net/base/net_export.h"
13 #if defined(USE_NSS) || defined(OS_IOS)
15 #elif defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID)
19 #include "crypto/wincrypt_shim.h"
20 #elif defined(OS_MACOSX)
21 #include <CoreFoundation/CFArray.h>
22 #include <Security/SecTrust.h>
23 #include "base/mac/scoped_cftyperef.h"
27 typedef struct CERTCertificateStr CERTCertificate
;
28 #elif defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID)
29 typedef struct x509_st X509
;
38 class X509Certificate
;
40 // TestRootCerts is a helper class for unit tests that is used to
41 // artificially mark a certificate as trusted, independent of the local
42 // machine configuration.
43 class NET_EXPORT TestRootCerts
{
45 // Obtains the Singleton instance to the trusted certificates.
46 static TestRootCerts
* GetInstance();
48 // Returns true if an instance exists, without forcing an initialization.
49 static bool HasInstance();
51 // Marks |certificate| as trusted for X509Certificate::Verify(). Returns
52 // false if the certificate could not be marked trusted.
53 bool Add(X509Certificate
* certificate
);
55 // Reads a single certificate from |file| and marks it as trusted. Returns
56 // false if an error is encountered, such as being unable to read |file|
57 // or more than one certificate existing in |file|.
58 bool AddFromFile(const base::FilePath
& file
);
60 // Clears the trusted status of any certificates that were previously
61 // marked trusted via Add().
64 // Returns true if there are no certificates that have been marked trusted.
68 bool Contains(CERTCertificate
* cert
) const;
69 #elif defined(OS_MACOSX) && !defined(OS_IOS)
70 CFArrayRef
temporary_roots() const { return temporary_roots_
; }
72 // Modifies the root certificates of |trust_ref| to include the
73 // certificates stored in |temporary_roots_|. If IsEmpty() is true, this
74 // does not modify |trust_ref|.
75 OSStatus
FixupSecTrustRef(SecTrustRef trust_ref
) const;
77 // Configures whether or not the default/system root store should also
78 // be trusted. By default, this is true, indicating that the TestRootCerts
79 // are used in addition to OS trust store.
80 void SetAllowSystemTrust(bool allow_system_trust
);
81 #elif defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID)
82 const std::vector
<scoped_refptr
<X509Certificate
> >&
83 temporary_roots() const { return temporary_roots_
; }
84 bool Contains(X509
* cert
) const;
86 HCERTSTORE
temporary_roots() const { return temporary_roots_
; }
88 // Returns an HCERTCHAINENGINE suitable to be used for certificate
89 // validation routines, or NULL to indicate that the default system chain
90 // engine is appropriate. The caller is responsible for freeing the
91 // returned HCERTCHAINENGINE.
92 HCERTCHAINENGINE
GetChainEngine() const;
96 friend struct base::DefaultLazyInstanceTraits
<TestRootCerts
>;
101 // Performs platform-dependent initialization.
104 #if defined(USE_NSS) || defined(OS_IOS)
105 // It is necessary to maintain a cache of the original certificate trust
106 // settings, in order to restore them when Clear() is called.
108 std::list
<TrustEntry
*> trust_cache_
;
109 #elif defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID)
110 std::vector
<scoped_refptr
<X509Certificate
> > temporary_roots_
;
111 #elif defined(OS_WIN)
112 HCERTSTORE temporary_roots_
;
113 #elif defined(OS_MACOSX)
114 base::ScopedCFTypeRef
<CFMutableArrayRef
> temporary_roots_
;
115 bool allow_system_trust_
;
118 #if defined(OS_WIN) || defined(OS_ANDROID)
119 // True if there are no temporarily trusted root certificates.
123 DISALLOW_COPY_AND_ASSIGN(TestRootCerts
);
126 // Scoped helper for unittests to handle safely managing trusted roots.
127 class NET_EXPORT_PRIVATE ScopedTestRoot
{
130 // Creates a ScopedTestRoot that will adds|cert| to the TestRootCerts store.
131 explicit ScopedTestRoot(X509Certificate
* cert
);
134 // Assigns |cert| to be the new test root cert. If |cert| is NULL, undoes
135 // any work the ScopedTestRoot may have previously done.
136 // If |cert_| contains a certificate (due to a prior call to Reset or due to
137 // a cert being passed at construction), the existing TestRootCerts store is
139 void Reset(X509Certificate
* cert
);
142 scoped_refptr
<X509Certificate
> cert_
;
144 DISALLOW_COPY_AND_ASSIGN(ScopedTestRoot
);
149 #endif // NET_CERT_TEST_ROOT_CERTS_H_