Added a PolicyCertVerifier that uses the trust anchors from the ONC policies.

chrome/browser/chromeos/cros/network_library_impl_base.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/cros/network_library_impl_base.h"
 
 #include "base/bind.h"
 #include "base/json/json_reader.h"
 #include "base/json/json_writer.h"
 #include "base/memory/scoped_vector.h"
@@ skipping 1046 matching lines @@
     else if (placeholder == onc::substitutes::kEmailField)
       *substitute = logged_in_user->email();
     else
       return false;
     return true;
   }
 };
 
 }  // namespace
 
-bool NetworkLibraryImplBase::LoadOncNetworks(const std::string& onc_blob,
-                                             const std::string& passphrase,
-                                             onc::ONCSource source,
-                                             bool allow_web_trust_from_policy) {
+bool NetworkLibraryImplBase::LoadOncNetworks(
+    const std::string& onc_blob,
+    const std::string& passphrase,
+    onc::ONCSource source,
+    net::CertificateList* onc_trusted_certificates) {
   VLOG(2) << __func__ << ": called on " << onc_blob;
   NetworkProfile* profile = NULL;
   bool from_policy = (source == onc::ONC_SOURCE_USER_POLICY ||
                       source == onc::ONC_SOURCE_DEVICE_POLICY);
 
   // Policies are applied to a specific Shill profile. User ONC import however
   // is applied to whatever profile Shill chooses. This should be the profile
   // that is already associated with a network and if no profile is associated
   // yet, it should be the user profile.
   if (from_policy) {
@@ skipping 64 matching lines @@
           &certificates);
 
   const base::ListValue* network_configs;
   bool has_network_configurations = root_dict->GetListWithoutPathExpansion(
       onc::toplevel_config::kNetworkConfigurations,
       &network_configs);
 
   if (has_certificates) {
     VLOG(2) << "ONC file has " << certificates->GetSize() << " certificates";
 
-    // Web trust is only granted to certificates imported for a managed user
-    // on a managed device and for user imports.
-    bool allow_web_trust =
-        (source == onc::ONC_SOURCE_USER_IMPORT) ||
-        (source == onc::ONC_SOURCE_USER_POLICY && allow_web_trust_from_policy);
-    onc::CertificateImporter cert_importer(allow_web_trust);
-    if (cert_importer.ParseAndStoreCertificates(*certificates) !=
+    // Web trust is only granted to certificates imported by the user.
+    bool allow_trust_imports = source == onc::ONC_SOURCE_USER_IMPORT;
+    onc::CertificateImporter cert_importer(allow_trust_imports);
+    if (cert_importer.ParseAndStoreCertificates(
+            *certificates, onc_trusted_certificates) !=
         onc::CertificateImporter::IMPORT_OK) {
       LOG(ERROR) << "Cannot parse some of the certificates in the ONC from "
                  << onc::GetSourceAsString(source);
       success = false;
     }
   }
 
   std::set<std::string> removal_ids;
   std::set<std::string>& network_ids(network_source_map_[source]);
   network_ids.clear();
@@ skipping 627 matching lines @@
   GetTpmInfo();
   return tpm_slot_;
 }
 
 const std::string& NetworkLibraryImplBase::GetTpmPin() {
   GetTpmInfo();
   return tpm_pin_;
 }
 
 }  // namespace chromeos