1 // Copyright (c) 2010 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "net/base/test_root_certs.h"
7 #include <Security/Security.h>
9 #include "base/logging.h"
10 #include "base/mac/scoped_cftyperef.h"
11 #include "net/base/x509_certificate.h"
17 #if !defined(MAC_OS_X_VERSION_10_6) || \
18 MAC_OS_X_VERSION_MAX_ALLOWED < MAC_OS_X_VERSION_10_6
19 // Declared in <Security/SecBase.h> of the 10.6 SDK.
21 errSecUnimplemented
= -4,
25 typedef OSStatus (*SecTrustSetAnchorCertificatesOnlyFuncPtr
)(SecTrustRef
,
28 Boolean
OurSecCertificateEqual(const void* value1
, const void* value2
) {
29 if (CFGetTypeID(value1
) != SecCertificateGetTypeID() ||
30 CFGetTypeID(value2
) != SecCertificateGetTypeID())
31 return CFEqual(value1
, value2
);
32 return X509Certificate::IsSameOSCert(
33 reinterpret_cast<SecCertificateRef
>(const_cast<void*>(value1
)),
34 reinterpret_cast<SecCertificateRef
>(const_cast<void*>(value2
)));
37 const void* RetainWrapper(CFAllocatorRef unused
, const void* value
) {
38 return CFRetain(value
);
41 void ReleaseWrapper(CFAllocatorRef unused
, const void* value
) {
45 // CFEqual prior to 10.6 only performed pointer checks on SecCertificateRefs,
46 // rather than checking if they were the same (logical) certificate, so a
47 // custom structure is used for the array callbacks.
48 const CFArrayCallBacks kCertArrayCallbacks
= {
53 OurSecCertificateEqual
,
58 bool TestRootCerts::Add(X509Certificate
* certificate
) {
59 if (CFArrayContainsValue(temporary_roots_
,
60 CFRangeMake(0, CFArrayGetCount(temporary_roots_
)),
61 certificate
->os_cert_handle()))
63 CFArrayAppendValue(temporary_roots_
, certificate
->os_cert_handle());
67 void TestRootCerts::Clear() {
68 CFArrayRemoveAllValues(temporary_roots_
);
71 bool TestRootCerts::IsEmpty() const {
72 return CFArrayGetCount(temporary_roots_
) == 0;
75 OSStatus
TestRootCerts::FixupSecTrustRef(SecTrustRef trust_ref
) const {
80 CFBundleGetBundleWithIdentifier(CFSTR("com.apple.security"));
81 SecTrustSetAnchorCertificatesOnlyFuncPtr set_anchor_certificates_only
= NULL
;
83 set_anchor_certificates_only
=
84 reinterpret_cast<SecTrustSetAnchorCertificatesOnlyFuncPtr
>(
85 CFBundleGetFunctionPointerForName(bundle
,
86 CFSTR("SecTrustSetAnchorCertificatesOnly")));
89 OSStatus status
= noErr
;
90 if (set_anchor_certificates_only
) {
91 // OS X 10.6 includes a function where the system trusts can be
92 // preserved while appending application trusts. This is preferable,
93 // because it preserves any user trust settings (explicit distrust),
94 // which the naive copy in 10.5 does not. Unfortunately, though the
95 // function pointer may be available, it is not always implemented. If it
96 // returns errSecUnimplemented, fall through to the 10.5 behaviour.
97 status
= SecTrustSetAnchorCertificates(trust_ref
, temporary_roots_
);
100 status
= set_anchor_certificates_only(trust_ref
, false);
101 if (status
!= errSecUnimplemented
)
104 // Restore the original settings before falling back.
105 status
= SecTrustSetAnchorCertificates(trust_ref
, NULL
);
110 // On 10.5, the system certificates have to be copied and merged into
111 // the application trusts, and may override any user trust settings.
112 CFArrayRef system_roots
= NULL
;
113 status
= SecTrustCopyAnchorCertificates(&system_roots
);
117 base::mac::ScopedCFTypeRef
<CFArrayRef
> scoped_system_roots(system_roots
);
118 base::mac::ScopedCFTypeRef
<CFMutableArrayRef
> scoped_roots(
119 CFArrayCreateMutableCopy(kCFAllocatorDefault
, 0,
120 scoped_system_roots
));
121 DCHECK(scoped_roots
.get());
123 CFArrayAppendArray(scoped_roots
, temporary_roots_
,
124 CFRangeMake(0, CFArrayGetCount(temporary_roots_
)));
125 return SecTrustSetAnchorCertificates(trust_ref
, scoped_roots
);
128 TestRootCerts::~TestRootCerts() {}
130 void TestRootCerts::Init() {
131 temporary_roots_
.reset(CFArrayCreateMutable(kCFAllocatorDefault
, 0,
132 &kCertArrayCallbacks
));