Run CertVerifyProcBuiltin unit-tests on Mac.

(Wired up TestRootCerts). Bug: 649017 Change-Id: I30e22e12a963d0fc398f679dcf79aa7f896557a0 Reviewed-on: https://chromium-review.googlesource.com/720596 Commit-Queue: Eric Roman <eroman@chromium.org> Reviewed-by: Matt Mueller <mattm@chromium.org> Cr-Commit-Position: refs/heads/master@{#509674}

Run CertVerifyProcBuiltin unit-tests on Mac.
(Wired up TestRootCerts). Bug: 649017 Change-Id: I30e22e12a963d0fc398f679dcf79aa7f896557a0 Reviewed-on: https://chromium-review.googlesource.com/720596 Commit-Queue: Eric Roman <eroman@chromium.org> Reviewed-by: Matt Mueller <mattm@chromium.org> Cr-Commit-Position: refs/heads/master@{#509674}
cdc12c89 · Eric Roman · Commit Bot · bde2f24b · cdc12c89 · cdc12c89
Commit cdc12c89 authored Oct 18, 2017 by Eric Roman Committed by Commit Bot Oct 18, 2017
6 changed files
--- a/net/cert/cert_verify_proc_unittest.cc
+++ b/net/cert/cert_verify_proc_unittest.cc
@@ -181,7 +181,7 @@ const std::vector<CertVerifyProcType> kAllCertVerifiers = {
 // TODO(crbug.com/649017): Enable this everywhere. Right now this is
 // gated on having CertVerifyProcBuiltin understand the roots added
 // via TestRootCerts.
-#if defined(USE_NSS_CERTS)
+#if defined(USE_NSS_CERTS) || (defined(OS_MACOSX) && !defined(OS_IOS))
        ,
    CERT_VERIFY_PROC_BUILTIN
 #endif

--- a/net/cert/internal/system_trust_store.cc
+++ b/net/cert/internal/system_trust_store.cc
@@ -113,12 +113,21 @@ std::unique_ptr<SystemTrustStore> CreateSslSystemTrustStore() {
 #elif defined(OS_MACOSX) && !defined(OS_IOS)
-// TODO(eroman): Compose with test roots added via cert/test_roots.h
 class SystemTrustStoreMac : public BaseSystemTrustStore {
 public:
  explicit SystemTrustStoreMac() : trust_store_mac_(kSecPolicyAppleSSL) {
    InitializeKnownRoots();
    trust_store_.AddTrustStore(&trust_store_mac_);
+    // When running in test mode, also layer in the test-only root certificates.
+    //
+    // Note that this integration requires TestRootCerts::HasInstance() to be
+    // true by the time SystemTrustStoreMac is created - a limitation which is
+    // acceptable for the test-only code that consumes this.
+    if (TestRootCerts::HasInstance()) {
+      trust_store_.AddTrustStore(
+          TestRootCerts::GetInstance()->test_trust_store());
+    }
  }
  bool UsesSystemTrustStore() const override { return true; }

--- a/net/cert/internal/trust_store.h
+++ b/net/cert/internal/trust_store.h
@@ -56,6 +56,8 @@ class NET_EXPORT TrustStore : public CertIssuerSource {
 public:
  TrustStore();
+  // Writes the trustedness of |cert| into |*trust|. Both |cert| and |trust|
+  // must be non-null.
  virtual void GetTrust(const scoped_refptr<ParsedCertificate>& cert,
                        CertificateTrust* trust) const = 0;

--- a/net/cert/internal/trust_store_mac.cc
+++ b/net/cert/internal/trust_store_mac.cc
@@ -189,6 +189,8 @@ TrustStoreMac::~TrustStoreMac() = default;
 void TrustStoreMac::SyncGetIssuersOf(const ParsedCertificate* cert,
                                     ParsedCertificateList* issuers) {
  base::ScopedCFTypeRef<CFDataRef> name_data = GetMacNormalizedIssuer(cert);
+  if (!name_data)
+    return;
  base::ScopedCFTypeRef<CFArrayRef> matching_items =
      FindMatchingCertificatesForMacNormalizedSubject(name_data);
@@ -234,6 +236,10 @@ void TrustStoreMac::GetTrust(const scoped_refptr<ParsedCertificate>& cert,
  base::ScopedCFTypeRef<SecCertificateRef> cert_handle =
      x509_util::CreateSecCertificateFromBytes(cert->der_cert().UnsafeData(),
                                               cert->der_cert().Length());
+  if (!cert_handle) {
+    *trust = CertificateTrust::ForUnspecified();
+    return;
+  }
  TrustStatus trust_status =
      IsSecCertificateTrustedForPolicy(cert_handle, policy_oid_);

--- a/net/cert/test_root_certs.h
+++ b/net/cert/test_root_certs.h
@@ -70,6 +70,8 @@ class NET_EXPORT TestRootCerts {
  // certificates stored in |temporary_roots_|. If IsEmpty() is true, this
  // does not modify |trust_ref|.
  OSStatus FixupSecTrustRef(SecTrustRef trust_ref) const;
+  TrustStore* test_trust_store() { return &test_trust_store_; }
 #elif defined(OS_WIN)
  HCERTSTORE temporary_roots() const { return temporary_roots_; }
@@ -123,6 +125,7 @@ class NET_EXPORT TestRootCerts {
  HCERTSTORE temporary_roots_;
 #elif defined(OS_MACOSX)
  base::ScopedCFTypeRef<CFMutableArrayRef> temporary_roots_;
+  TrustStoreInMemory test_trust_store_;
 #elif defined(OS_FUCHSIA)
  TrustStoreInMemory test_trust_store_;
 #endif

--- a/net/cert/test_root_certs_mac.cc
+++ b/net/cert/test_root_certs_mac.cc
@@ -7,7 +7,9 @@
 #include <Security/Security.h>
 #include "base/logging.h"
+#include "net/cert/internal/cert_errors.h"
 #include "net/cert/x509_certificate.h"
+#include "net/cert/x509_util.h"
 #if defined(OS_IOS)
 #include "net/cert/x509_util_ios.h"
@@ -28,11 +30,26 @@ bool TestRootCerts::Add(X509Certificate* certificate) {
                           os_cert.get()))
    return true;
  CFArrayAppendValue(temporary_roots_, os_cert.get());
+  // Add the certificate to the parallel |test_trust_store_|.
+  CertErrors errors;
+  std::string cert_bytes;
+  if (!X509Certificate::GetDEREncoded(certificate->os_cert_handle(),
+                                      &cert_bytes))
+    return false;
+  scoped_refptr<ParsedCertificate> parsed = ParsedCertificate::Create(
+      x509_util::CreateCryptoBuffer(cert_bytes),
+      x509_util::DefaultParseCertificateOptions(), &errors);
+  if (!parsed)
+    return false;
+  test_trust_store_.AddTrustAnchor(parsed);
  return true;
 }
 void TestRootCerts::Clear() {
  CFArrayRemoveAllValues(temporary_roots_);
+  test_trust_store_.Clear();
 }
 bool TestRootCerts::IsEmpty() const {