diff options
Diffstat (limited to 'chromium/net/cert/test_root_certs_mac.cc')
-rw-r--r-- | chromium/net/cert/test_root_certs_mac.cc | 117 |
1 files changed, 117 insertions, 0 deletions
diff --git a/chromium/net/cert/test_root_certs_mac.cc b/chromium/net/cert/test_root_certs_mac.cc new file mode 100644 index 00000000000..87824d4c9ed --- /dev/null +++ b/chromium/net/cert/test_root_certs_mac.cc @@ -0,0 +1,117 @@ +// Copyright (c) 2012 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#include "net/cert/test_root_certs.h" + +#include <Security/Security.h> + +#include "base/logging.h" +#include "base/mac/mac_util.h" +#include "base/mac/scoped_cftyperef.h" +#include "net/cert/x509_certificate.h" + +namespace net { + +namespace { + +typedef OSStatus (*SecTrustSetAnchorCertificatesOnlyFuncPtr)(SecTrustRef, + Boolean); + +Boolean OurSecCertificateEqual(const void* value1, const void* value2) { + if (CFGetTypeID(value1) != SecCertificateGetTypeID() || + CFGetTypeID(value2) != SecCertificateGetTypeID()) + return CFEqual(value1, value2); + return X509Certificate::IsSameOSCert( + reinterpret_cast<SecCertificateRef>(const_cast<void*>(value1)), + reinterpret_cast<SecCertificateRef>(const_cast<void*>(value2))); +} + +const void* RetainWrapper(CFAllocatorRef unused, const void* value) { + return CFRetain(value); +} + +void ReleaseWrapper(CFAllocatorRef unused, const void* value) { + CFRelease(value); +} + +// CFEqual prior to 10.6 only performed pointer checks on SecCertificateRefs, +// rather than checking if they were the same (logical) certificate, so a +// custom structure is used for the array callbacks. +const CFArrayCallBacks kCertArrayCallbacks = { + 0, // version + RetainWrapper, + ReleaseWrapper, + CFCopyDescription, + OurSecCertificateEqual, +}; + +} // namespace + +bool TestRootCerts::Add(X509Certificate* certificate) { + if (CFArrayContainsValue(temporary_roots_, + CFRangeMake(0, CFArrayGetCount(temporary_roots_)), + certificate->os_cert_handle())) + return true; + CFArrayAppendValue(temporary_roots_, certificate->os_cert_handle()); + return true; +} + +void TestRootCerts::Clear() { + CFArrayRemoveAllValues(temporary_roots_); +} + +bool TestRootCerts::IsEmpty() const { + return CFArrayGetCount(temporary_roots_) == 0; +} + +OSStatus TestRootCerts::FixupSecTrustRef(SecTrustRef trust_ref) const { + if (IsEmpty()) + return noErr; + + // Despite SecTrustSetAnchorCertificatesOnly existing in OS X 10.6, and + // being documented as available, it is not actually implemented. On 10.7+, + // however, it always works. + if (base::mac::IsOSLionOrLater()) { + OSStatus status = SecTrustSetAnchorCertificates(trust_ref, + temporary_roots_); + if (status) + return status; + return SecTrustSetAnchorCertificatesOnly(trust_ref, !allow_system_trust_); + } + + if (!allow_system_trust_) { + // Avoid any copying if system roots are not to be trusted. This acts as + // an exclusive list on 10.6, replacing the built-ins. + return SecTrustSetAnchorCertificates(trust_ref, temporary_roots_); + } + + // Otherwise, both system trust and temporary_roots_ must be trusted. + // Emulate the functionality of SecTrustSetAnchorCertificatesOnly by + // creating a copy of the system roots and merging with temporary_roots_. + CFArrayRef system_roots = NULL; + OSStatus status = SecTrustCopyAnchorCertificates(&system_roots); + if (status) + return status; + + base::ScopedCFTypeRef<CFArrayRef> scoped_system_roots(system_roots); + base::ScopedCFTypeRef<CFMutableArrayRef> scoped_roots( + CFArrayCreateMutableCopy(kCFAllocatorDefault, 0, scoped_system_roots)); + CFArrayAppendArray(scoped_roots, temporary_roots_, + CFRangeMake(0, CFArrayGetCount(temporary_roots_))); + return SecTrustSetAnchorCertificates(trust_ref, scoped_roots); +} + +void TestRootCerts::SetAllowSystemTrust(bool allow_system_trust) { + allow_system_trust_ = allow_system_trust; +} + +TestRootCerts::~TestRootCerts() {} + +void TestRootCerts::Init() { + temporary_roots_.reset(CFArrayCreateMutable(kCFAllocatorDefault, 0, + &kCertArrayCallbacks)); + allow_system_trust_ = true; +} + +} // namespace net |