• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #include "net/cert/test_root_certs.h"
6 
7 #include <Security/Security.h>
8 
9 #include "base/logging.h"
10 #include "base/mac/mac_util.h"
11 #include "base/mac/scoped_cftyperef.h"
12 #include "net/cert/x509_certificate.h"
13 
14 namespace net {
15 
16 namespace {
17 
18 typedef OSStatus (*SecTrustSetAnchorCertificatesOnlyFuncPtr)(SecTrustRef,
19                                                              Boolean);
20 
OurSecCertificateEqual(const void * value1,const void * value2)21 Boolean OurSecCertificateEqual(const void* value1, const void* value2) {
22   if (CFGetTypeID(value1) != SecCertificateGetTypeID() ||
23       CFGetTypeID(value2) != SecCertificateGetTypeID())
24     return CFEqual(value1, value2);
25   return X509Certificate::IsSameOSCert(
26       reinterpret_cast<SecCertificateRef>(const_cast<void*>(value1)),
27       reinterpret_cast<SecCertificateRef>(const_cast<void*>(value2)));
28 }
29 
RetainWrapper(CFAllocatorRef unused,const void * value)30 const void* RetainWrapper(CFAllocatorRef unused, const void* value) {
31   return CFRetain(value);
32 }
33 
ReleaseWrapper(CFAllocatorRef unused,const void * value)34 void ReleaseWrapper(CFAllocatorRef unused, const void* value) {
35   CFRelease(value);
36 }
37 
38 // CFEqual prior to 10.6 only performed pointer checks on SecCertificateRefs,
39 // rather than checking if they were the same (logical) certificate, so a
40 // custom structure is used for the array callbacks.
41 const CFArrayCallBacks kCertArrayCallbacks = {
42   0,  // version
43   RetainWrapper,
44   ReleaseWrapper,
45   CFCopyDescription,
46   OurSecCertificateEqual,
47 };
48 
49 }  // namespace
50 
Add(X509Certificate * certificate)51 bool TestRootCerts::Add(X509Certificate* certificate) {
52   if (CFArrayContainsValue(temporary_roots_,
53                            CFRangeMake(0, CFArrayGetCount(temporary_roots_)),
54                            certificate->os_cert_handle()))
55     return true;
56   CFArrayAppendValue(temporary_roots_, certificate->os_cert_handle());
57   return true;
58 }
59 
Clear()60 void TestRootCerts::Clear() {
61   CFArrayRemoveAllValues(temporary_roots_);
62 }
63 
IsEmpty() const64 bool TestRootCerts::IsEmpty() const {
65   return CFArrayGetCount(temporary_roots_) == 0;
66 }
67 
FixupSecTrustRef(SecTrustRef trust_ref) const68 OSStatus TestRootCerts::FixupSecTrustRef(SecTrustRef trust_ref) const {
69   if (IsEmpty())
70     return noErr;
71 
72   // Despite SecTrustSetAnchorCertificatesOnly existing in OS X 10.6, and
73   // being documented as available, it is not actually implemented. On 10.7+,
74   // however, it always works.
75   if (base::mac::IsOSLionOrLater()) {
76     OSStatus status = SecTrustSetAnchorCertificates(trust_ref,
77                                                     temporary_roots_);
78     if (status)
79       return status;
80     return SecTrustSetAnchorCertificatesOnly(trust_ref, !allow_system_trust_);
81   }
82 
83   if (!allow_system_trust_) {
84     // Avoid any copying if system roots are not to be trusted. This acts as
85     // an exclusive list on 10.6, replacing the built-ins.
86     return SecTrustSetAnchorCertificates(trust_ref, temporary_roots_);
87   }
88 
89   // Otherwise, both system trust and temporary_roots_ must be trusted.
90   // Emulate the functionality of SecTrustSetAnchorCertificatesOnly by
91   // creating a copy of the system roots and merging with temporary_roots_.
92   CFArrayRef system_roots = NULL;
93   OSStatus status = SecTrustCopyAnchorCertificates(&system_roots);
94   if (status)
95     return status;
96 
97   base::ScopedCFTypeRef<CFArrayRef> scoped_system_roots(system_roots);
98   base::ScopedCFTypeRef<CFMutableArrayRef> scoped_roots(
99       CFArrayCreateMutableCopy(kCFAllocatorDefault, 0, scoped_system_roots));
100   CFArrayAppendArray(scoped_roots, temporary_roots_,
101                      CFRangeMake(0, CFArrayGetCount(temporary_roots_)));
102   return SecTrustSetAnchorCertificates(trust_ref, scoped_roots);
103 }
104 
SetAllowSystemTrust(bool allow_system_trust)105 void TestRootCerts::SetAllowSystemTrust(bool allow_system_trust) {
106   allow_system_trust_ = allow_system_trust;
107 }
108 
~TestRootCerts()109 TestRootCerts::~TestRootCerts() {}
110 
Init()111 void TestRootCerts::Init() {
112   temporary_roots_.reset(CFArrayCreateMutable(kCFAllocatorDefault, 0,
113                                               &kCertArrayCallbacks));
114   allow_system_trust_ = true;
115 }
116 
117 }  // namespace net
118