-rw-r--r--chrome/browser/profiles/profile_io_data.cc44
-rw-r--r--chrome/browser/profiles/profile_io_data.h5
-rw-r--r--chrome/browser/ssl/cert_verifier_browser_test.cc26
-rw-r--r--chrome/browser/ssl/cert_verifier_browser_test.h37
-rw-r--r--chrome/browser/ssl/ssl_browser_tests.cc22
-rw-r--r--chrome/chrome_tests.gypi2
6 files changed, 121 insertions, 15 deletions
diff --git a/chrome/browser/profiles/profile_io_data.cc b/chrome/browser/profiles/profile_io_data.cc
index a149387..b8db2b3 100644
--- a/chrome/browser/profiles/profile_io_data.cc
+++ b/chrome/browser/profiles/profile_io_data.cc
@@ -64,6 +64,7 @@
#include "content/public/browser/notification_service.h"
#include "content/public/browser/resource_context.h"
#include "net/base/keygen_handler.h"
+#include "net/cert/cert_verifier.h"
#include "net/cookies/canonical_cookie.h"
#include "net/http/http_transaction_factory.h"
#include "net/http/http_util.h"
@@ -156,6 +157,8 @@ using content::ResourceContext;
namespace {
+net::CertVerifier* g_cert_verifier_for_testing = nullptr;
+
#if defined(DEBUG_DEVTOOLS)
bool IsSupportedDevToolsURL(const GURL& url, base::FilePath* path) {
std::string bundled_path_prefix(chrome::kChromeUIDevToolsBundledPath);
@@ -748,6 +751,12 @@ void ProfileIOData::InstallProtocolHandlers(
protocol_handlers->clear();
}
+// static
+void ProfileIOData::SetCertVerifierForTesting(
+ net::CertVerifier* cert_verifier) {
+ g_cert_verifier_for_testing = cert_verifier;
+}
+
content::ResourceContext* ProfileIOData::GetResourceContext() const {
return resource_context_.get();
}
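Review bot: `SetCertVerifierForTesting` stores into the file-scope `g_cert_verifier_for_testing` (declared in the previous hunk) with no thread assertion or synchronization, while `ProfileIOData::Init` reads it. The `InitializeOnIOThread` call in Init suggests that read happens on the IO thread, so the write and the read are probably on different threads and rely on ordering that is not visible here. Since this hook replaces certificate verification for every profile and sits in the same translation unit as production code, I would add a comment above the definition such as `// Test-only: must be set before any ProfileIOData::Init() runs and cleared only after the last one is destroyed.` and, if the calling thread is fixed, a thread DCHECK in the body.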
@@ -1099,24 +1108,31 @@ void ProfileIOData::Init(
use_system_key_slot_ = profile_params_->use_system_key_slot;
if (use_system_key_slot_)
EnableNSSSystemKeySlotForResourceContext(resource_context_.get());
+#endif
- crypto::ScopedPK11Slot public_slot =
- crypto::GetPublicSlotForChromeOSUser(username_hash_);
- // The private slot won't be ready by this point. It shouldn't be necessary
- // for cert trust purposes anyway.
- scoped_refptr<net::CertVerifyProc> verify_proc(
- new chromeos::CertVerifyProcChromeOS(public_slot.Pass()));
- if (policy_cert_verifier_) {
- DCHECK_EQ(policy_cert_verifier_, cert_verifier_.get());
- policy_cert_verifier_->InitializeOnIOThread(verify_proc);
+ if (g_cert_verifier_for_testing) {
+ main_request_context_->set_cert_verifier(g_cert_verifier_for_testing);
} else {
- cert_verifier_.reset(new net::MultiThreadedCertVerifier(verify_proc.get()));
- }
- main_request_context_->set_cert_verifier(cert_verifier_.get());
+#if defined(OS_CHROMEOS)
+ crypto::ScopedPK11Slot public_slot =
+ crypto::GetPublicSlotForChromeOSUser(username_hash_);
+ // The private slot won't be ready by this point. It shouldn't be necessary
+ // for cert trust purposes anyway.
+ scoped_refptr<net::CertVerifyProc> verify_proc(
+ new chromeos::CertVerifyProcChromeOS(public_slot.Pass()));
+ if (policy_cert_verifier_) {
+ DCHECK_EQ(policy_cert_verifier_, cert_verifier_.get());
+ policy_cert_verifier_->InitializeOnIOThread(verify_proc);
+ } else {
+ cert_verifier_.reset(
+ new net::MultiThreadedCertVerifier(verify_proc.get()));
+ }
+ main_request_context_->set_cert_verifier(cert_verifier_.get());
#else
- main_request_context_->set_cert_verifier(
- io_thread_globals->cert_verifier.get());
+ main_request_context_->set_cert_verifier(
+ io_thread_globals->cert_verifier.get());
#endif
+ }
// Install the New Tab Page Interceptor.
if (profile_params_->new_tab_page_interceptor.get()) {
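Review bot: On Chrome OS the new `if (g_cert_verifier_for_testing)` branch skips the whole block that calls `policy_cert_verifier_->InitializeOnIOThread(verify_proc)`, so when the override is set and `policy_cert_verifier_` is non-null, that verifier is never initialized. Whether anything else later uses `policy_cert_verifier_` is not visible in this hunk, but a test that combines the mock with policy-installed certificates would exercise an uninitialized object. Either keep the initialization outside the override check, or document the limitation in the branch, e.g. `// Test override: PolicyCertVerifier is intentionally left uninitialized; do not combine with policy cert tests.` The body of `Init` starts and continues outside this hunk.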
diff --git a/chrome/browser/profiles/profile_io_data.h b/chrome/browser/profiles/profile_io_data.h
index 3f9dbaf..a3a55b1 100644
--- a/chrome/browser/profiles/profile_io_data.h
+++ b/chrome/browser/profiles/profile_io_data.h
@@ -109,6 +109,9 @@ class ProfileIOData {
net::URLRequestJobFactoryImpl* job_factory,
content::ProtocolHandlerMap* protocol_handlers);
+ // Sets a global CertVerifier to use when initializing all profiles.
+ static void SetCertVerifierForTesting(net::CertVerifier* cert_verifier);
+
// Called by Profile.
content::ResourceContext* GetResourceContext() const;
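Review bot: The comment on `SetCertVerifierForTesting` does not say who owns the pointer or how long it must stay valid, yet Init passes it straight to `main_request_context_->set_cert_verifier(...)`, which keeps a raw pointer. I would extend the comment to something like `// Does not take ownership; |cert_verifier| must outlive every profile initialized while it is set. Pass nullptr to restore normal verification for profiles initialized afterwards.` It is also worth stating that profiles already initialized keep the verifier they were given, because clearing the global does not touch them.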
@@ -550,8 +553,8 @@ class ProfileIOData {
#if defined(OS_CHROMEOS)
// Set to |cert_verifier_| if it references a PolicyCertVerifier. In that
// case, the verifier is owned by |cert_verifier_|. Otherwise, set to NULL.
- mutable policy::PolicyCertVerifier* policy_cert_verifier_;
mutable scoped_ptr<net::CertVerifier> cert_verifier_;
+ mutable policy::PolicyCertVerifier* policy_cert_verifier_;
mutable std::string username_hash_;
mutable bool use_system_key_slot_;
#endif
diff --git a/chrome/browser/ssl/cert_verifier_browser_test.cc b/chrome/browser/ssl/cert_verifier_browser_test.cc
new file mode 100644
index 0000000..5ec31c3
--- /dev/null
+++ b/chrome/browser/ssl/cert_verifier_browser_test.cc
@@ -0,0 +1,26 @@
+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/browser/ssl/cert_verifier_browser_test.h"
+
+#include "chrome/browser/profiles/profile_io_data.h"
+#include "net/cert/mock_cert_verifier.h"
+
+CertVerifierBrowserTest::CertVerifierBrowserTest()
+ : InProcessBrowserTest(),
+ mock_cert_verifier_(new net::MockCertVerifier()) {}
+
+CertVerifierBrowserTest::~CertVerifierBrowserTest() {}
+
+void CertVerifierBrowserTest::SetUpInProcessBrowserTestFixture() {
+ ProfileIOData::SetCertVerifierForTesting(mock_cert_verifier_.get());
+}
+
+void CertVerifierBrowserTest::TearDownInProcessBrowserTestFixture() {
+ ProfileIOData::SetCertVerifierForTesting(nullptr);
+}
+
+net::MockCertVerifier* CertVerifierBrowserTest::mock_cert_verifier() {
+ return mock_cert_verifier_.get();
+}
diff --git a/chrome/browser/ssl/cert_verifier_browser_test.h b/chrome/browser/ssl/cert_verifier_browser_test.h
new file mode 100644
index 0000000..d5d977c
--- /dev/null
+++ b/chrome/browser/ssl/cert_verifier_browser_test.h
@@ -0,0 +1,37 @@
+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CHROME_BROWSER_SSL_CERT_VERIFIER_BROWSER_TEST_H_
+#define CHROME_BROWSER_SSL_CERT_VERIFIER_BROWSER_TEST_H_
+
+#include "base/memory/scoped_ptr.h"
+#include "chrome/test/base/in_process_browser_test.h"
+
+namespace net {
+class MockCertVerifier;
+} // namespace net
+
+// CertVerifierBrowserTest allows tests to force certificate
+// verification results for requests made with any profile's main
+// request context (such as navigations). To do so, tests can use the
+// MockCertVerifier exposed via
+// CertVerifierBrowserTest::mock_cert_verifier().
+class CertVerifierBrowserTest : public InProcessBrowserTest {
+ public:
+ CertVerifierBrowserTest();
+ ~CertVerifierBrowserTest() override;
+
+ // InProcessBrowserTest:
+ void SetUpInProcessBrowserTestFixture() override;
+ void TearDownInProcessBrowserTestFixture() override;
+
+ // Returns a pointer to the MockCertVerifier used by all profiles in
+ // this test.
+ net::MockCertVerifier* mock_cert_verifier();
+
+ private:
+ scoped_ptr<net::MockCertVerifier> mock_cert_verifier_;
+};
+
+#endif // CHROME_BROWSER_SSL_CERT_VERIFIER_BROWSER_TEST_H_
diff --git a/chrome/browser/ssl/ssl_browser_tests.cc b/chrome/browser/ssl/ssl_browser_tests.cc
index 5a0891f..7391243 100644
--- a/chrome/browser/ssl/ssl_browser_tests.cc
+++ b/chrome/browser/ssl/ssl_browser_tests.cc
@@ -24,6 +24,7 @@
#include "chrome/browser/profiles/profile.h"
#include "chrome/browser/ssl/cert_logger.pb.h"
#include "chrome/browser/ssl/cert_report_helper.h"
+#include "chrome/browser/ssl/cert_verifier_browser_test.h"
#include "chrome/browser/ssl/certificate_error_report.h"
#include "chrome/browser/ssl/certificate_reporting_test_utils.h"
#include "chrome/browser/ssl/chrome_ssl_host_state_delegate.h"
@@ -61,6 +62,7 @@
#include "net/base/net_errors.h"
#include "net/base/test_data_directory.h"
#include "net/cert/cert_status_flags.h"
+#include "net/cert/mock_cert_verifier.h"
#include "net/cert/x509_certificate.h"
#include "net/ssl/ssl_info.h"
#include "net/test/spawned_test_server/spawned_test_server.h"
@@ -2280,6 +2282,26 @@ IN_PROC_BROWSER_TEST_F(SSLBlockingPageIDNTest, SSLBlockingPageDecodesIDN) {
EXPECT_TRUE(VerifyIDNDecoded());
}
+IN_PROC_BROWSER_TEST_F(CertVerifierBrowserTest, MockCertVerifierSmokeTest) {
+ net::SpawnedTestServer https_server(
+ net::SpawnedTestServer::TYPE_HTTPS,
+ net::SpawnedTestServer::SSLOptions(
+ net::SpawnedTestServer::SSLOptions::CERT_OK),
+ base::FilePath(kDocRoot));
+ ASSERT_TRUE(https_server.Start());
+
+ mock_cert_verifier()->set_default_result(
+ net::ERR_CERT_NAME_CONSTRAINT_VIOLATION);
+
+ ui_test_utils::NavigateToURL(browser(),
+ https_server.GetURL("files/ssl/google.html"));
+
+ CheckSecurityState(browser()->tab_strip_model()->GetActiveWebContents(),
+ net::CERT_STATUS_NAME_CONSTRAINT_VIOLATION,
+ content::SECURITY_STYLE_AUTHENTICATION_BROKEN,
+ AuthState::SHOWING_INTERSTITIAL);
+}
+
// TODO(jcampan): more tests to do below.
// Visit a page over https that contains a frame with a redirect.
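Review bot: `MockCertVerifierSmokeTest` only navigates in the default `browser()` profile, while the fixture's header comment promises the mock applies to "any profile's main request context". A second case that opens an incognito or additional profile and checks for the same interstitial would cover that claim. It would also be useful to have a case that sets the default result back to success, so that a regression where the mock is ignored in the passing direction is caught as well.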
diff --git a/chrome/chrome_tests.gypi b/chrome/chrome_tests.gypi
index 96abb37..9262d92 100644
--- a/chrome/chrome_tests.gypi
+++ b/chrome/chrome_tests.gypi
@@ -403,6 +403,8 @@
'browser/ssl/captive_portal_blocking_page_browsertest.cc',
'browser/ssl/certificate_reporting_test_utils.cc',
'browser/ssl/certificate_reporting_test_utils.h',
+ 'browser/ssl/cert_verifier_browser_test.cc',
+ 'browser/ssl/cert_verifier_browser_test.h',
'browser/ssl/chrome_ssl_host_state_delegate_test.cc',
'browser/ssl/ssl_browser_tests.cc',
'browser/ssl/ssl_client_certificate_selector_test.cc',