Add Mac-specific unittests for ClientCertStoreImpl

BUG=170374


Review URL: https://chromiumcodereview.appspot.com/12093021

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@179207 0039d316-1c4b-4281-b951-d872f2087c98

3 files changed, 77 insertions, 0 deletions

diff --git a/net/base/client_cert_store_impl.h b/net/base/client_cert_store_impl.h
index 5b555e8..3b08b29 100644
--- a/net/base/client_cert_store_impl.h
+++ b/net/base/client_cert_store_impl.h
@@ -27,6 +27,10 @@ class NET_EXPORT ClientCertStoreImpl : public ClientCertStore {
   FRIEND_TEST_ALL_PREFIXES(ClientCertStoreImplTest, EmptyQuery);
   FRIEND_TEST_ALL_PREFIXES(ClientCertStoreImplTest, AllIssuersAllowed);
   FRIEND_TEST_ALL_PREFIXES(ClientCertStoreImplTest, CertAuthorityFiltering);
+#if defined(OS_MACOSX) && !defined(OS_IOS)
+  FRIEND_TEST_ALL_PREFIXES(ClientCertStoreImplTest, FilterOutThePreferredCert);
+  FRIEND_TEST_ALL_PREFIXES(ClientCertStoreImplTest, PreferredCertGoesFirst);
+#endif
 
   // A hook for testing. Filters |input_certs| using the logic being used to
   // filter the system store when GetClientCerts() is called. Depending on the
@@ -40,6 +44,18 @@ class NET_EXPORT ClientCertStoreImpl : public ClientCertStore {
                          const SSLCertRequestInfo& cert_request_info,
                          CertificateList* selected_certs);
 
+#if defined(OS_MACOSX) && !defined(OS_IOS)
+  // Testing hook specific to Mac, where the internal logic recognizes preferred
+  // certificates for particular domains. If the preferred certificate is
+  // present in the output list (i.e. it doesn't get filtered out), it should
+  // always come first.
+  bool SelectClientCertsGivenPreferred(
+      const scoped_refptr<X509Certificate>& preferred_cert,
+      const CertificateList& regular_certs,
+      const SSLCertRequestInfo& request,
+      CertificateList* selected_certs);
+#endif
+
   DISALLOW_COPY_AND_ASSIGN(ClientCertStoreImpl);
 };
 
diff --git a/net/base/client_cert_store_impl_mac.cc b/net/base/client_cert_store_impl_mac.cc
index e8097e2..80a9210 100644
--- a/net/base/client_cert_store_impl_mac.cc
+++ b/net/base/client_cert_store_impl_mac.cc
@@ -158,4 +158,15 @@ bool ClientCertStoreImpl::SelectClientCerts(const CertificateList& input_certs,
                             selected_certs);
 }
 
+#if defined(OS_MACOSX) && !defined(OS_IOS)
+bool ClientCertStoreImpl::SelectClientCertsGivenPreferred(
+      const scoped_refptr<X509Certificate>& preferred_cert,
+      const CertificateList& regular_certs,
+      const SSLCertRequestInfo& request,
+      CertificateList* selected_certs) {
+  return GetClientCertsImpl(preferred_cert, regular_certs, request,
+                            selected_certs);
+}
+#endif
+
 }  // namespace net
diff --git a/net/base/client_cert_store_impl_unittest.cc b/net/base/client_cert_store_impl_unittest.cc
index 351d5de..761f88c 100644
--- a/net/base/client_cert_store_impl_unittest.cc
+++ b/net/base/client_cert_store_impl_unittest.cc
@@ -99,4 +99,54 @@ TEST(ClientCertStoreImplTest, CertAuthorityFiltering) {
   EXPECT_TRUE(selected_certs[0]->Equals(cert_1));
 }
 
+#if defined(OS_MACOSX) && !defined(OS_IOS)
+// Verify that the preferred cert gets filtered out when it doesn't match the
+// server criteria.
+TEST(ClientCertStoreImplTest, FilterOutThePreferredCert) {
+  scoped_refptr<X509Certificate> cert_1(
+      ImportCertFromFile(GetTestCertsDirectory(), "client_1.pem"));
+  ASSERT_TRUE(cert_1);
+
+  std::vector<std::string> authority_2(
+      1, std::string(reinterpret_cast<const char*>(kAuthority2DN),
+                     sizeof(kAuthority2DN)));
+  EXPECT_FALSE(cert_1->IsIssuedByEncoded(authority_2));
+
+  std::vector<scoped_refptr<X509Certificate> > certs;
+  scoped_refptr<SSLCertRequestInfo> request(new SSLCertRequestInfo());
+  request->cert_authorities = authority_2;
+
+  ClientCertStoreImpl store;
+  std::vector<scoped_refptr<X509Certificate> > selected_certs;
+  bool rv = store.SelectClientCertsGivenPreferred(cert_1, certs, *request,
+                                                  &selected_certs);
+  EXPECT_TRUE(rv);
+  EXPECT_EQ(0u, selected_certs.size());
+}
+
+// Verify that the preferred cert takes the first position in the output list,
+// when it does not get filtered out.
+TEST(ClientCertStoreImplTest, PreferredCertGoesFirst) {
+  scoped_refptr<X509Certificate> cert_1(
+      ImportCertFromFile(GetTestCertsDirectory(), "client_1.pem"));
+  ASSERT_TRUE(cert_1);
+  scoped_refptr<X509Certificate> cert_2(
+      ImportCertFromFile(GetTestCertsDirectory(), "client_2.pem"));
+  ASSERT_TRUE(cert_2);
+
+  std::vector<scoped_refptr<X509Certificate> > certs;
+  certs.push_back(cert_2);
+  scoped_refptr<SSLCertRequestInfo> request(new SSLCertRequestInfo());
+
+  ClientCertStoreImpl store;
+  std::vector<scoped_refptr<X509Certificate> > selected_certs;
+  bool rv = store.SelectClientCertsGivenPreferred(cert_1, certs, *request,
+                                                  &selected_certs);
+  EXPECT_TRUE(rv);
+  ASSERT_EQ(2u, selected_certs.size());
+  EXPECT_TRUE(selected_certs[0]->Equals(cert_1));
+  EXPECT_TRUE(selected_certs[1]->Equals(cert_2));
+}
+#endif
+
 }  // namespace net