Roll src/third_party/WebKit d9c6159:8139f33 (svn 201974:201975)
[chromium-blink-merge.git] / net / cert / test_root_certs_mac.cc
blob87824d4c9ed19dd67177903c6ae69f6961b9480f
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "net/cert/test_root_certs.h"
7 #include <Security/Security.h>
9 #include "base/logging.h"
10 #include "base/mac/mac_util.h"
11 #include "base/mac/scoped_cftyperef.h"
12 #include "net/cert/x509_certificate.h"
14 namespace net {
16 namespace {
18 typedef OSStatus (*SecTrustSetAnchorCertificatesOnlyFuncPtr)(SecTrustRef,
19 Boolean);
21 Boolean OurSecCertificateEqual(const void* value1, const void* value2) {
22 if (CFGetTypeID(value1) != SecCertificateGetTypeID() ||
23 CFGetTypeID(value2) != SecCertificateGetTypeID())
24 return CFEqual(value1, value2);
25 return X509Certificate::IsSameOSCert(
26 reinterpret_cast<SecCertificateRef>(const_cast<void*>(value1)),
27 reinterpret_cast<SecCertificateRef>(const_cast<void*>(value2)));
30 const void* RetainWrapper(CFAllocatorRef unused, const void* value) {
31 return CFRetain(value);
34 void ReleaseWrapper(CFAllocatorRef unused, const void* value) {
35 CFRelease(value);
38 // CFEqual prior to 10.6 only performed pointer checks on SecCertificateRefs,
39 // rather than checking if they were the same (logical) certificate, so a
40 // custom structure is used for the array callbacks.
41 const CFArrayCallBacks kCertArrayCallbacks = {
42 0, // version
43 RetainWrapper,
44 ReleaseWrapper,
45 CFCopyDescription,
46 OurSecCertificateEqual,
49 } // namespace
51 bool TestRootCerts::Add(X509Certificate* certificate) {
52 if (CFArrayContainsValue(temporary_roots_,
53 CFRangeMake(0, CFArrayGetCount(temporary_roots_)),
54 certificate->os_cert_handle()))
55 return true;
56 CFArrayAppendValue(temporary_roots_, certificate->os_cert_handle());
57 return true;
60 void TestRootCerts::Clear() {
61 CFArrayRemoveAllValues(temporary_roots_);
64 bool TestRootCerts::IsEmpty() const {
65 return CFArrayGetCount(temporary_roots_) == 0;
68 OSStatus TestRootCerts::FixupSecTrustRef(SecTrustRef trust_ref) const {
69 if (IsEmpty())
70 return noErr;
72 // Despite SecTrustSetAnchorCertificatesOnly existing in OS X 10.6, and
73 // being documented as available, it is not actually implemented. On 10.7+,
74 // however, it always works.
75 if (base::mac::IsOSLionOrLater()) {
76 OSStatus status = SecTrustSetAnchorCertificates(trust_ref,
77 temporary_roots_);
78 if (status)
79 return status;
80 return SecTrustSetAnchorCertificatesOnly(trust_ref, !allow_system_trust_);
83 if (!allow_system_trust_) {
84 // Avoid any copying if system roots are not to be trusted. This acts as
85 // an exclusive list on 10.6, replacing the built-ins.
86 return SecTrustSetAnchorCertificates(trust_ref, temporary_roots_);
89 // Otherwise, both system trust and temporary_roots_ must be trusted.
90 // Emulate the functionality of SecTrustSetAnchorCertificatesOnly by
91 // creating a copy of the system roots and merging with temporary_roots_.
92 CFArrayRef system_roots = NULL;
93 OSStatus status = SecTrustCopyAnchorCertificates(&system_roots);
94 if (status)
95 return status;
97 base::ScopedCFTypeRef<CFArrayRef> scoped_system_roots(system_roots);
98 base::ScopedCFTypeRef<CFMutableArrayRef> scoped_roots(
99 CFArrayCreateMutableCopy(kCFAllocatorDefault, 0, scoped_system_roots));
100 CFArrayAppendArray(scoped_roots, temporary_roots_,
101 CFRangeMake(0, CFArrayGetCount(temporary_roots_)));
102 return SecTrustSetAnchorCertificates(trust_ref, scoped_roots);
105 void TestRootCerts::SetAllowSystemTrust(bool allow_system_trust) {
106 allow_system_trust_ = allow_system_trust;
109 TestRootCerts::~TestRootCerts() {}
111 void TestRootCerts::Init() {
112 temporary_roots_.reset(CFArrayCreateMutable(kCFAllocatorDefault, 0,
113 &kCertArrayCallbacks));
114 allow_system_trust_ = true;
117 } // namespace net