Add a unit test for handling SSL certificate errors....

net/socket/ssl_client_socket_unittest.cc

 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/socket/ssl_client_socket.h"
 
 #include "net/base/address_list.h"
 #include "net/base/host_resolver.h"
 #include "net/base/io_buffer.h"
 #include "net/base/net_errors.h"
 #include "net/base/ssl_config_service.h"
+#include "net/base/ssl_info.h"
 #include "net/base/test_completion_callback.h"
 #include "net/socket/client_socket_factory.h"
 #include "net/socket/ssl_test_util.h"
 #include "net/socket/tcp_client_socket.h"
 #include "testing/gtest/include/gtest/gtest.h"
 #include "testing/platform_test.h"
 
 //-----------------------------------------------------------------------------
 
 const net::SSLConfig kDefaultSSLConfig;
@@ skipping 20 matching lines @@
   }
 
   void StartExpiredServer() {
     bool success = server_.Start(net::TestServerLauncher::ProtoHTTP,
         server_.kHostName, server_.kBadHTTPSPort,
         FilePath(), server_.GetExpiredCertPath(), std::wstring());
     ASSERT_TRUE(success);
   }
 
  protected:
+  net::SSLClientSocket* CreateSSLClientSocket(
+      const net::AddressList& addr,
+      const net::SSLConfig& ssl_config) {
+    TestCompletionCallback callback;
+    net::ClientSocket *transport = new net::TCPClientSocket(addr);

[eroman, 2009/08/15 02:04:29]

style-nit: move * to the left.

+    int rv = transport->Connect(&callback);
+    if (rv == net::ERR_IO_PENDING)
+      rv = callback.WaitForResult();
+    EXPECT_EQ(net::OK, rv);
+
+    net::SSLClientSocket* sock = socket_factory_->CreateSSLClientSocket(
+        transport, server_.kHostName, ssl_config);
+    EXPECT_FALSE(sock->IsConnected());
+    return sock;
+  }
+
   scoped_refptr<net::HostResolver> resolver_;
   net::ClientSocketFactory* socket_factory_;
   net::TestServerLauncher server_;
 };
 
 //-----------------------------------------------------------------------------
 
-#if defined(OS_MACOSX)
+#if defined(OS_MAC)
 // Status 6/19/09:
 //
 // If these tests are enabled on OSX, we choke at the point
 // SSLHandshake() (Security framework call) is called from
 // SSLClientSocketMac::DoHandshake().  Return value is -9812 (cert
 // valid but root not trusted), but if you don't have the cert in your
 // keychain as documented on
 // http://dev.chromium.org/developers/testing, the -9812 becomes a
 // -9813 (no root cert).
 //
@@ skipping 17 matching lines @@
 TEST_F(SSLClientSocketTest, MAYBE_Connect) {
   StartOKServer();
 
   net::AddressList addr;
   TestCompletionCallback callback;
 
   net::HostResolver::RequestInfo info(server_.kHostName, server_.kOKHTTPSPort);
   int rv = resolver_->Resolve(NULL, info, &addr, NULL, NULL);
   EXPECT_EQ(net::OK, rv);
 
-  net::ClientSocket *transport = new net::TCPClientSocket(addr);
-  rv = transport->Connect(&callback);
-  if (rv == net::ERR_IO_PENDING)
-    rv = callback.WaitForResult();
-  EXPECT_EQ(net::OK, rv);
-
   scoped_ptr<net::SSLClientSocket> sock(
-      socket_factory_->CreateSSLClientSocket(transport,
-          server_.kHostName, kDefaultSSLConfig));
-
-  EXPECT_FALSE(sock->IsConnected());
+      CreateSSLClientSocket(addr, kDefaultSSLConfig));
 
   rv = sock->Connect(&callback);
   if (rv != net::OK) {
     ASSERT_EQ(net::ERR_IO_PENDING, rv);
     EXPECT_FALSE(sock->IsConnected());
 
     rv = callback.WaitForResult();
     EXPECT_EQ(net::OK, rv);
   }
 
   EXPECT_TRUE(sock->IsConnected());
 
   sock->Disconnect();
   EXPECT_FALSE(sock->IsConnected());
 }
 
 TEST_F(SSLClientSocketTest, MAYBE_ConnectExpired) {
   StartExpiredServer();
 
   net::AddressList addr;
   TestCompletionCallback callback;
 
   net::HostResolver::RequestInfo info(server_.kHostName, server_.kBadHTTPSPort);
   int rv = resolver_->Resolve(NULL, info, &addr, NULL, NULL);
   EXPECT_EQ(net::OK, rv);
 
-  net::ClientSocket *transport = new net::TCPClientSocket(addr);
-  rv = transport->Connect(&callback);
-  if (rv == net::ERR_IO_PENDING)
-    rv = callback.WaitForResult();
-  EXPECT_EQ(net::OK, rv);
+  net::SSLConfig ssl_config = kDefaultSSLConfig;
 
-  scoped_ptr<net::SSLClientSocket> sock(
-      socket_factory_->CreateSSLClientSocket(transport,
-          server_.kHostName, kDefaultSSLConfig));
+  scoped_ptr<net::SSLClientSocket> sock;
 
-  EXPECT_FALSE(sock->IsConnected());
+  sock.reset(CreateSSLClientSocket(addr, ssl_config));
 
   rv = sock->Connect(&callback);
   if (rv != net::OK) {
     ASSERT_EQ(net::ERR_IO_PENDING, rv);
     EXPECT_FALSE(sock->IsConnected());
 
     rv = callback.WaitForResult();
-    EXPECT_EQ(net::ERR_CERT_DATE_INVALID, rv);
+    // TODO(wtc): This should be net::ERR_CERT_DATE_INVALID.
+    EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, rv);
   }
 
   // We cannot test sock->IsConnected(), as the NSS implementation disconnects
   // the socket when it encounters an error, whereas other implementations
   // leave it connected.
+
+  ////////////////////////
+  ////////////////////////
+
+  net::SSLInfo ssl_info;
+  sock->GetSSLInfo(&ssl_info);
+  EXPECT_TRUE(ssl_info.cert);
+  EXPECT_EQ(net::CERT_STATUS_AUTHORITY_INVALID,

[eroman, 2009/08/15 02:04:29]

style-nit: why not just EXPECT_TRUE(ssl_info.cert_status &
net::CERT_STATUS_AUTHORITY_INVALID) ? or can you do
EXPECT_EQ(net::CERT_STATUS_AUTHORITY_INVALID, or ssl_info.cert_status) ?

+            ssl_info.cert_status & net::CERT_STATUS_AUTHORITY_INVALID);
+  net::SSLConfig::CertAndStatus bad_cert;
+  bad_cert.cert = ssl_info.cert;
+  bad_cert.cert_status = ssl_info.cert_status;
+  ssl_config.allowed_bad_certs.push_back(bad_cert);
+
+  ///////////////////////
+  ///////////////////////

[eroman, 2009/08/15 02:04:29]

style-nit: i haven't really seen the //// style in other places. I am not
opposed to it, just wandering if there is precedent.

+
+  sock->Disconnect();
+  EXPECT_FALSE(sock->IsConnected());
+
+  ///////////////////////
+  ///////////////////////
+
+  sock.reset(CreateSSLClientSocket(addr, ssl_config));
+
+  rv = sock->Connect(&callback);
+  if (rv != net::OK) {
+    ASSERT_EQ(net::ERR_IO_PENDING, rv);
+    EXPECT_FALSE(sock->IsConnected());
+
+    rv = callback.WaitForResult();
+    EXPECT_EQ(net::OK, rv);
+  }
+
+  EXPECT_TRUE(sock->IsConnected());
+
+  ssl_info.Reset();
+  sock->GetSSLInfo(&ssl_info);
+  EXPECT_TRUE(ssl_info.cert);
+  EXPECT_EQ(net::CERT_STATUS_AUTHORITY_INVALID,
+            ssl_info.cert_status & net::CERT_STATUS_AUTHORITY_INVALID);
+
+  sock->Disconnect();
+  EXPECT_FALSE(sock->IsConnected());
 }
 
 TEST_F(SSLClientSocketTest, MAYBE_ConnectMismatched) {
   StartMismatchedServer();
 
   net::AddressList addr;
   TestCompletionCallback callback;
 
   net::HostResolver::RequestInfo info(server_.kMismatchedHostName,
                                       server_.kOKHTTPSPort);
   int rv = resolver_->Resolve(NULL, info, &addr, NULL, NULL);
   EXPECT_EQ(net::OK, rv);
 
-  net::ClientSocket *transport = new net::TCPClientSocket(addr);
-  rv = transport->Connect(&callback);
-  if (rv == net::ERR_IO_PENDING)
-    rv = callback.WaitForResult();
-  EXPECT_EQ(net::OK, rv);
-
   scoped_ptr<net::SSLClientSocket> sock(
-      socket_factory_->CreateSSLClientSocket(transport,
-          server_.kMismatchedHostName, kDefaultSSLConfig));
-
-  EXPECT_FALSE(sock->IsConnected());
+      CreateSSLClientSocket(addr, kDefaultSSLConfig));

[eroman, 2009/08/15 02:04:29]

Is this intentional? This used to use server_.kMismatchedHostName, but now it
uses server_.kHostName

 
   rv = sock->Connect(&callback);
   if (rv != net::ERR_CERT_COMMON_NAME_INVALID) {
     ASSERT_EQ(net::ERR_IO_PENDING, rv);
     EXPECT_FALSE(sock->IsConnected());
 
     rv = callback.WaitForResult();
     EXPECT_EQ(net::ERR_CERT_COMMON_NAME_INVALID, rv);
   }
 
@@ skipping 13 matching lines @@
   net::AddressList addr;
   TestCompletionCallback callback;
 
   net::HostResolver::RequestInfo info(server_.kHostName, server_.kOKHTTPSPort);
   int rv = resolver_->Resolve(NULL, info, &addr, &callback, NULL);
   EXPECT_EQ(net::ERR_IO_PENDING, rv);
 
   rv = callback.WaitForResult();
   EXPECT_EQ(net::OK, rv);
 
-  net::ClientSocket *transport = new net::TCPClientSocket(addr);
-  rv = transport->Connect(&callback);
-  if (rv == net::ERR_IO_PENDING)
-    rv = callback.WaitForResult();
-  EXPECT_EQ(net::OK, rv);
-
   scoped_ptr<net::SSLClientSocket> sock(
-      socket_factory_->CreateSSLClientSocket(transport,
-                                             server_.kHostName,
-                                             kDefaultSSLConfig));
+      CreateSSLClientSocket(addr, kDefaultSSLConfig));
 
   rv = sock->Connect(&callback);
   if (rv != net::OK) {
     ASSERT_EQ(net::ERR_IO_PENDING, rv);
 
     rv = callback.WaitForResult();
     EXPECT_EQ(net::OK, rv);
   }
   EXPECT_TRUE(sock->IsConnected());
 
@@ skipping 27 matching lines @@
 TEST_F(SSLClientSocketTest, MAYBE_Read_SmallChunks) {
   StartOKServer();
 
   net::AddressList addr;
   TestCompletionCallback callback;
 
   net::HostResolver::RequestInfo info(server_.kHostName, server_.kOKHTTPSPort);
   int rv = resolver_->Resolve(NULL, info, &addr, NULL, NULL);
   EXPECT_EQ(net::OK, rv);
 
-  net::ClientSocket *transport = new net::TCPClientSocket(addr);
-  rv = transport->Connect(&callback);
-  if (rv == net::ERR_IO_PENDING)
-    rv = callback.WaitForResult();
-  EXPECT_EQ(net::OK, rv);
-
   scoped_ptr<net::SSLClientSocket> sock(
-      socket_factory_->CreateSSLClientSocket(transport,
-          server_.kHostName, kDefaultSSLConfig));
+      CreateSSLClientSocket(addr, kDefaultSSLConfig));
 
   rv = sock->Connect(&callback);
   if (rv != net::OK) {
     ASSERT_EQ(net::ERR_IO_PENDING, rv);
 
     rv = callback.WaitForResult();
     EXPECT_EQ(net::OK, rv);
   }
 
   const char request_text[] = "GET / HTTP/1.0\r\n\r\n";
@@ skipping 26 matching lines @@
 TEST_F(SSLClientSocketTest, MAYBE_Read_Interrupted) {
   StartOKServer();
 
   net::AddressList addr;
   TestCompletionCallback callback;
 
   net::HostResolver::RequestInfo info(server_.kHostName, server_.kOKHTTPSPort);
   int rv = resolver_->Resolve(NULL, info, &addr, NULL, NULL);
   EXPECT_EQ(net::OK, rv);
 
-  net::ClientSocket *transport = new net::TCPClientSocket(addr);
-  rv = transport->Connect(&callback);
-  if (rv == net::ERR_IO_PENDING)
-    rv = callback.WaitForResult();
-  EXPECT_EQ(net::OK, rv);
-
   scoped_ptr<net::SSLClientSocket> sock(
-      socket_factory_->CreateSSLClientSocket(transport,
-          server_.kHostName, kDefaultSSLConfig));
+      CreateSSLClientSocket(addr, kDefaultSSLConfig));
 
   rv = sock->Connect(&callback);
   if (rv != net::OK) {
     ASSERT_EQ(net::ERR_IO_PENDING, rv);
 
     rv = callback.WaitForResult();
     EXPECT_EQ(net::OK, rv);
   }
 
   const char request_text[] = "GET / HTTP/1.0\r\n\r\n";
@@ skipping 12 matching lines @@
   // Do a partial read and then exit.  This test should not crash!
   scoped_refptr<net::IOBuffer> buf = new net::IOBuffer(512);
   rv = sock->Read(buf, 512, &callback);
   EXPECT_TRUE(rv >= 0 || rv == net::ERR_IO_PENDING);
 
   if (rv == net::ERR_IO_PENDING)
     rv = callback.WaitForResult();
 
   EXPECT_NE(rv, 0);
 }