2 files changed, 54 insertions, 65 deletions

diff --git a/net/socket/ssl_client_socket_unittest.cc b/net/socket/ssl_client_socket_unittest.cc
index 85ef0a7..4e0fd86 100644
--- a/net/socket/ssl_client_socket_unittest.cc
+++ b/net/socket/ssl_client_socket_unittest.cc
@@ -6,9 +6,9 @@
 
 #include "net/base/address_list.h"
 #include "net/base/cert_test_util.h"
-#include "net/base/cert_verifier.h"
 #include "net/base/host_resolver.h"
 #include "net/base/io_buffer.h"
+#include "net/base/mock_cert_verifier.h"
 #include "net/base/net_log.h"
 #include "net/base/net_log_unittest.h"
 #include "net/base/net_errors.h"
@@ -31,7 +31,8 @@ class SSLClientSocketTest : public PlatformTest {
  public:
   SSLClientSocketTest()
       : socket_factory_(net::ClientSocketFactory::GetDefaultFactory()),
-        cert_verifier_(net::CertVerifier::CreateDefault()) {
+        cert_verifier_(new net::MockCertVerifier) {
+    cert_verifier_->set_default_result(net::OK);
   }
 
  protected:
@@ -49,7 +50,7 @@ class SSLClientSocketTest : public PlatformTest {
   }
 
   net::ClientSocketFactory* socket_factory_;
-  scoped_ptr<net::CertVerifier> cert_verifier_;
+  scoped_ptr<net::MockCertVerifier> cert_verifier_;
 };
 
 //-----------------------------------------------------------------------------
@@ -86,12 +87,9 @@ TEST_F(SSLClientSocketTest, Connect) {
     rv = callback.WaitForResult();
   EXPECT_EQ(net::OK, rv);
 
-  net::SSLClientSocketContext context;
-  context.cert_verifier = cert_verifier_.get();
   scoped_ptr<net::SSLClientSocket> sock(
-      socket_factory_->CreateSSLClientSocket(
-          transport, test_server.host_port_pair(), kDefaultSSLConfig,
-          NULL, context));
+      CreateSSLClientSocket(transport, test_server.host_port_pair(),
+                            kDefaultSSLConfig));
 
   EXPECT_FALSE(sock->IsConnected());
 
@@ -118,6 +116,8 @@ TEST_F(SSLClientSocketTest, ConnectExpired) {
   net::TestServer test_server(https_options, FilePath());
   ASSERT_TRUE(test_server.Start());
 
+  cert_verifier_->set_default_result(net::ERR_CERT_DATE_INVALID);
+
   net::AddressList addr;
   ASSERT_TRUE(test_server.GetAddressList(&addr));
 
@@ -161,6 +161,8 @@ TEST_F(SSLClientSocketTest, ConnectMismatched) {
   net::TestServer test_server(https_options, FilePath());
   ASSERT_TRUE(test_server.Start());
 
+  cert_verifier_->set_default_result(net::ERR_CERT_COMMON_NAME_INVALID);
+
   net::AddressList addr;
   ASSERT_TRUE(test_server.GetAddressList(&addr));
 
@@ -394,12 +396,9 @@ TEST_F(SSLClientSocketTest, Read_FullDuplex) {
     rv = callback.WaitForResult();
   EXPECT_EQ(net::OK, rv);
 
-  net::SSLClientSocketContext context;
-  context.cert_verifier = cert_verifier_.get();
   scoped_ptr<net::SSLClientSocket> sock(
-      socket_factory_->CreateSSLClientSocket(
-          transport, test_server.host_port_pair(), kDefaultSSLConfig,
-          NULL, context));
+      CreateSSLClientSocket(transport, test_server.host_port_pair(),
+                            kDefaultSSLConfig));
 
   rv = sock->Connect(callback.callback());
   if (rv == net::ERR_IO_PENDING)
@@ -759,15 +758,12 @@ TEST_F(SSLClientSocketTest, ClientSocketHandleNotFromPool) {
   net::ClientSocketHandle* socket_handle = new net::ClientSocketHandle();
   socket_handle->set_socket(transport);
 
-  net::SSLClientSocketContext context;
-  context.cert_verifier = cert_verifier_.get();
-  scoped_ptr<net::SSLClientSocket> ssl_socket(
-      socket_factory_->CreateSSLClientSocket(
-          socket_handle, test_server.host_port_pair(), kDefaultSSLConfig,
-          NULL, context));
+  scoped_ptr<net::SSLClientSocket> sock(
+      CreateSSLClientSocket(transport, test_server.host_port_pair(),
+                            kDefaultSSLConfig));
 
-  EXPECT_FALSE(ssl_socket->IsConnected());
-  rv = ssl_socket->Connect(callback.callback());
+  EXPECT_FALSE(sock->IsConnected());
+  rv = sock->Connect(callback.callback());
   if (rv == net::ERR_IO_PENDING)
     rv = callback.WaitForResult();
   EXPECT_EQ(net::OK, rv);
@@ -793,12 +789,9 @@ TEST_F(SSLClientSocketTest, ExportKeyingMaterial) {
     rv = callback.WaitForResult();
   EXPECT_EQ(net::OK, rv);
 
-  net::SSLClientSocketContext context;
-  context.cert_verifier = cert_verifier_.get();
   scoped_ptr<net::SSLClientSocket> sock(
-      socket_factory_->CreateSSLClientSocket(
-          transport, test_server.host_port_pair(), kDefaultSSLConfig,
-          NULL, context));
+      CreateSSLClientSocket(transport, test_server.host_port_pair(),
+                            kDefaultSSLConfig));
 
   rv = sock->Connect(callback.callback());
   if (rv == net::ERR_IO_PENDING)
@@ -835,40 +828,37 @@ TEST(SSLClientSocket, ClearSessionCache) {
 // verified, not the chain as served by the server. (They may be different.)
 //
 // CERT_CHAIN_WRONG_ROOT is redundant-server-chain.pem. It contains A
-// (end-entity) -> B -> C, and C is signed by D. We do not set D to be a
-// trusted root in this test. Instead, we install C2 as a root; C2 contains
-// the same public key as C. redundant-server-chain.pem should therefore
-// validate as A -> B -> C2. If it does, this test passes.
-//
-// This test is the upper-layer analogue for
-// X509CertificateTest.VerifyReturnChainProperlyOrdered.
-#if defined(OS_MACOSX)
-// TODO(rsleevi): http://crbug.com/114343 / http://crbug.com/69278 - OS X
-// path building fails to properly handle cross-certified intermediates
-// without AIA information, so this test is disabled.
-#define MAYBE_VerifyReturnChainProperlyOrdered \
-    DISABLED_VerifyReturnChainProperlyOrdered
-#elif defined(OS_ANDROID)
-// TODO(jnd): http://crbug.com/116838 - Requires support of Android APIs
-#define MAYBE_VerifyReturnChainProperlyOrdered \
-    DISABLED_VerifyReturnChainProperlyOrdered
-#elif defined(USE_OPENSSL)
-// TODO(jnd): http://crbug.com/117196 - OpenSSL doesn't support arbitrary
-// trust anchors or cross-signed certificate chain path building until
-// OpenSSL 1.1.0.
-#define MAYBE_VerifyReturnChainProperlyOrdered \
-    DISABLED_VerifyReturnChainProperlyOrdered
-#else
-#define MAYBE_VerifyReturnChainProperlyOrdered \
-    VerifyReturnChainProperlyOrdered
-#endif
-TEST_F(SSLClientSocketTest, MAYBE_VerifyReturnChainProperlyOrdered) {
+// (end-entity) -> B -> C, and C is signed by D. redundant-validated-chain.pem
+// contains a chain of A -> B -> C2, where C2 is the same public key as C, but
+// a self-signed root. Such a situation can occur when a new root (C2) is
+// cross-certified by an old root (D) and has two different versions of its
+// floating around. Servers may supply C2 as an intermediate, but the
+// SSLClientSocket should return the chain that was verified, from
+// verify_result, instead.
+TEST_F(SSLClientSocketTest, VerifyReturnChainProperlyOrdered) {
+  // By default, cause the CertVerifier to treat all certificates as
+  // expired.
+  cert_verifier_->set_default_result(net::ERR_CERT_DATE_INVALID);
+
   // We will expect SSLInfo to ultimately contain this chain.
   net::CertificateList certs = CreateCertificateListFromFile(
       net::GetTestCertsDirectory(), "redundant-validated-chain.pem",
       net::X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(3U, certs.size());
 
+  net::X509Certificate::OSCertHandles temp_intermediates;
+  temp_intermediates.push_back(certs[1]->os_cert_handle());
+  temp_intermediates.push_back(certs[2]->os_cert_handle());
+
+  net::CertVerifyResult verify_result;
+  verify_result.verified_cert =
+      net::X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
+                                             temp_intermediates);
+
+  // Add a rule that maps the server cert (A) to the chain of A->B->C2
+  // rather than A->B->C.
+  cert_verifier_->AddResultForCert(certs[0], verify_result, net::OK);
+
   // Load and install the root for the validated chain.
   scoped_refptr<net::X509Certificate> root_cert =
     net::ImportCertFromFile(net::GetTestCertsDirectory(),
diff --git a/net/socket/ssl_server_socket_unittest.cc b/net/socket/ssl_server_socket_unittest.cc
index b456b74..97841ff 100644
--- a/net/socket/ssl_server_socket_unittest.cc
+++ b/net/socket/ssl_server_socket_unittest.cc
@@ -29,11 +29,11 @@
 #include "net/base/address_list.h"
 #include "net/base/cert_status_flags.h"
 #include "net/base/cert_test_util.h"
-#include "net/base/cert_verifier.h"
 #include "net/base/completion_callback.h"
 #include "net/base/host_port_pair.h"
 #include "net/base/io_buffer.h"
 #include "net/base/ip_endpoint.h"
+#include "net/base/mock_cert_verifier.h"
 #include "net/base/net_errors.h"
 #include "net/base/net_log.h"
 #include "net/base/ssl_config_service.h"
@@ -57,8 +57,7 @@ class FakeDataChannel {
         ALLOW_THIS_IN_INITIALIZER_LIST(weak_factory_(this)) {
   }
 
-  virtual int Read(IOBuffer* buf, int buf_len,
-                   const CompletionCallback& callback) {
+  int Read(IOBuffer* buf, int buf_len, const CompletionCallback& callback) {
     if (data_.empty()) {
       read_callback_ = callback;
       read_buf_ = buf;
@@ -68,8 +67,7 @@ class FakeDataChannel {
     return PropogateData(buf, buf_len);
   }
 
-  virtual int Write(IOBuffer* buf, int buf_len,
-                    const CompletionCallback& callback) {
+  int Write(IOBuffer* buf, int buf_len, const CompletionCallback& callback) {
     data_.push(new net::DrainableIOBuffer(buf, buf_len));
     MessageLoop::current()->PostTask(
         FROM_HERE, base::Bind(&FakeDataChannel::DoReadCallback,
@@ -251,7 +249,8 @@ class SSLServerSocketTest : public PlatformTest {
  public:
   SSLServerSocketTest()
       : socket_factory_(net::ClientSocketFactory::GetDefaultFactory()),
-        cert_verifier_(net::CertVerifier::CreateDefault()) {
+        cert_verifier_(new MockCertVerifier()) {
+    cert_verifier_->set_default_result(net::CERT_STATUS_AUTHORITY_INVALID);
   }
 
  protected:
@@ -308,7 +307,7 @@ class SSLServerSocketTest : public PlatformTest {
   scoped_ptr<net::SSLClientSocket> client_socket_;
   scoped_ptr<net::SSLServerSocket> server_socket_;
   net::ClientSocketFactory* socket_factory_;
-  scoped_ptr<net::CertVerifier> cert_verifier_;
+  scoped_ptr<net::MockCertVerifier> cert_verifier_;
 };
 
 // SSLServerSocket is only implemented using NSS.
@@ -459,14 +458,14 @@ TEST_F(SSLServerSocketTest, ExportKeyingMaterial) {
   int rv = server_socket_->ExportKeyingMaterial(kKeyingLabel,
                                                 false, kKeyingContext,
                                                 server_out, sizeof(server_out));
-  ASSERT_EQ(rv, net::OK);
+  ASSERT_EQ(net::OK, rv);
 
   unsigned char client_out[kKeyingMaterialSize];
   rv = client_socket_->ExportKeyingMaterial(kKeyingLabel,
                                             false, kKeyingContext,
                                             client_out, sizeof(client_out));
-  ASSERT_EQ(rv, net::OK);
-  EXPECT_TRUE(memcmp(server_out, client_out, sizeof(server_out)) == 0);
+  ASSERT_EQ(net::OK, rv);
+  EXPECT_EQ(0, memcmp(server_out, client_out, sizeof(server_out)));
 
   const char* kKeyingLabelBad = "EXPERIMENTAL-server-socket-test-bad";
   unsigned char client_bad[kKeyingMaterialSize];
@@ -474,7 +473,7 @@ TEST_F(SSLServerSocketTest, ExportKeyingMaterial) {
                                             false, kKeyingContext,
                                             client_bad, sizeof(client_bad));
   ASSERT_EQ(rv, net::OK);
-  EXPECT_TRUE(memcmp(server_out, client_bad, sizeof(server_out)) != 0);
+  EXPECT_NE(0, memcmp(server_out, client_bad, sizeof(server_out)));
 }
 #endif