Export verified_cert and public_key_hashes on Android.

net/cert/cert_verify_proc_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/cert_verify_proc.h"
 
 #include <vector>
 
 #include "base/callback_helpers.h"
 #include "base/files/file_path.h"
@@ skipping 11 matching lines @@
 #include "net/cert/test_root_certs.h"
 #include "net/cert/x509_certificate.h"
 #include "net/test/cert_test_util.h"
 #include "net/test/test_certificate_data.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 #if defined(OS_WIN)
 #include "base/win/windows_version.h"
 #elif defined(OS_MACOSX) && !defined(OS_IOS)
 #include "base/mac/mac_util.h"
+#elif defined(OS_ANDROID)
+#include "base/android/build_info.h"
 #endif
 
 using base::HexEncode;
 
 namespace net {
 
 namespace {
 
 // A certificate for www.paypal.com with a NULL byte in the common name.
 // From http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/70363
@@ skipping 568 matching lines @@
   // This will blow up, May 24th, 2019. Sorry! Please disable and file a bug
   // against agl. See also PublicKeyHashes.
   int error = Verify(cert_chain.get(),
                      "satveda.com",
                      flags,
                      NULL,
                      empty_cert_list_,
                      &verify_result);
   EXPECT_EQ(OK, error);
   EXPECT_EQ(0U, verify_result.cert_status);
+#if defined(OS_ANDROID)
+  // Before API level 17, Android does not populate is_issued_by_known_root
+  // correctly.
+  if (base::android::BuildInfo::GetInstance()->sdk_int() < 17)
+    return;
+#endif

[Ryan Sleevi, 2013/12/19 00:06:59]

Can you move each of these conditionals into a common method in an unnamed
namespace, and then check at the beginning of each test?

Also, as a cleanup while you're here, can you nuke line 596?

(note: I realize that lines 620/621 will work on Android < 17, but I'd say we
shouldn't be running the test at all < 17)

eg:
if (!SupportsDetectingKnownRoots())
  return;

[davidben, 2013/12/19 00:42:52]

Done.

   EXPECT_TRUE(verify_result.is_issued_by_known_root);
 }
 
 // The certse.pem certificate has been revoked. crbug.com/259723.
 TEST_F(CertVerifyProcTest, PublicKeyHashes) {
+#if defined(OS_ANDROID)
+  if (base::android::BuildInfo::GetInstance()->sdk_int() < 17) {
+    LOG(INFO) << "This test can't run on Android < 4.2";
+    return;
+  }
+#endif
+
   base::FilePath certs_dir = GetTestCertsDirectory();
   CertificateList certs = CreateCertificateListFromFile(
       certs_dir, "satveda.pem", X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(2U, certs.size());
 
   X509Certificate::OSCertHandles intermediates;
   intermediates.push_back(certs[1]->os_cert_handle());
 
   scoped_refptr<X509Certificate> cert_chain =
       X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
@@ skipping 75 matching lines @@
 #endif
 }
 
 // Basic test for returning the chain in CertVerifyResult. Note that the
 // returned chain may just be a reflection of the originally supplied chain;
 // that is, if any errors occur, the default chain returned is an exact copy
 // of the certificate to be verified. The remaining VerifyReturn* tests are
 // used to ensure that the actual, verified chain is being returned by
 // Verify().
 TEST_F(CertVerifyProcTest, VerifyReturnChainBasic) {
+#if defined(OS_ANDROID)
+  if (base::android::BuildInfo::GetInstance()->sdk_int() < 17) {
+    LOG(INFO) << "This test can't run on Android < 4.2";
+    return;
+  }
+#endif
+
   base::FilePath certs_dir = GetTestCertsDirectory();
   CertificateList certs = CreateCertificateListFromFile(
       certs_dir, "x509_verify_results.chain.pem",
       X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(3U, certs.size());
 
   X509Certificate::OSCertHandles intermediates;
   intermediates.push_back(certs[1]->os_cert_handle());
   intermediates.push_back(certs[2]->os_cert_handle());
 
@@ skipping 22 matching lines @@
       verify_result.verified_cert->os_cert_handle()));
   const X509Certificate::OSCertHandles& return_intermediates =
       verify_result.verified_cert->GetIntermediateCertificates();
   ASSERT_EQ(2U, return_intermediates.size());
   EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[0],
                                             certs[1]->os_cert_handle()));
   EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[1],
                                             certs[2]->os_cert_handle()));
 }
 
-#if defined(OS_ANDROID)
-// TODO(ppi): Disabled because is_issued_by_known_root is incorrect on Android.
-// Once this is fixed, re-enable this check for android. crbug.com/116838
-#define MAYBE_IntranetHostsRejected DISABLED_IntranetHostsRejected
-#else
-#define MAYBE_IntranetHostsRejected IntranetHostsRejected
-#endif
-
 // Test that certificates issued for 'intranet' names (that is, containing no
 // known public registry controlled domain information) issued by well-known
 // CAs are flagged appropriately, while certificates that are issued by
 // internal CAs are not flagged.
-TEST_F(CertVerifyProcTest, MAYBE_IntranetHostsRejected) {
+TEST_F(CertVerifyProcTest, IntranetHostsRejected) {
   CertificateList cert_list = CreateCertificateListFromFile(
       GetTestCertsDirectory(), "ok_cert.pem",
       X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(1U, cert_list.size());
   scoped_refptr<X509Certificate> cert(cert_list[0]);
 
   CertVerifyResult verify_result;
   int error = 0;
 
   // Intranet names for public CAs should be flagged:
@@ skipping 10 matching lines @@
   EXPECT_EQ(OK, error);
   EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME);
 }
 
 // Test that the certificate returned in CertVerifyResult is able to reorder
 // certificates that are not ordered from end-entity to root. While this is
 // a protocol violation if sent during a TLS handshake, if multiple sources
 // of intermediate certificates are combined, it's possible that order may
 // not be maintained.
 TEST_F(CertVerifyProcTest, VerifyReturnChainProperlyOrdered) {
+#if defined(OS_ANDROID)
+  if (base::android::BuildInfo::GetInstance()->sdk_int() < 17) {
+    LOG(INFO) << "This test can't run on Android < 4.2";
+    return;
+  }
+#endif
+
   base::FilePath certs_dir = GetTestCertsDirectory();
   CertificateList certs = CreateCertificateListFromFile(
       certs_dir, "x509_verify_results.chain.pem",
       X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(3U, certs.size());
 
   // Construct the chain out of order.
   X509Certificate::OSCertHandles intermediates;
   intermediates.push_back(certs[2]->os_cert_handle());
   intermediates.push_back(certs[1]->os_cert_handle());
@@ skipping 26 matching lines @@
   ASSERT_EQ(2U, return_intermediates.size());
   EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[0],
                                             certs[1]->os_cert_handle()));
   EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[1],
                                             certs[2]->os_cert_handle()));
 }
 
 // Test that Verify() filters out certificates which are not related to
 // or part of the certificate chain being verified.
 TEST_F(CertVerifyProcTest, VerifyReturnChainFiltersUnrelatedCerts) {
+#if defined(OS_ANDROID)
+  if (base::android::BuildInfo::GetInstance()->sdk_int() < 17) {
+    LOG(INFO) << "This test can't run on Android < 4.2";
+    return;
+  }
+#endif
+
   base::FilePath certs_dir = GetTestCertsDirectory();
   CertificateList certs = CreateCertificateListFromFile(
       certs_dir, "x509_verify_results.chain.pem",
       X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(3U, certs.size());
   ScopedTestRoot scoped_root(certs[2].get());
 
   scoped_refptr<X509Certificate> unrelated_certificate =
       ImportCertFromFile(certs_dir, "duplicate_cn_1.pem");
   scoped_refptr<X509Certificate> unrelated_certificate2 =
@@ skipping 78 matching lines @@
 
   // Clearing the |trust_anchors| makes verification fail again (the cache
   // should be skipped).
   error = Verify(
       cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result);
   EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);
   EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status);
   EXPECT_FALSE(verify_result.is_issued_by_additional_trust_anchor);
 }
 
+TEST_F(CertVerifyProcTest, NonStandardRoot) {

[Ryan Sleevi, 2013/12/19 00:06:59]

s/NonStandardRoot/IsIssuedByKnownRootIgnoresTestRoots/

Also, please add a comment here (consistent with the other tests) that explains
what exactly is being tested.

[davidben, 2013/12/19 00:42:52]

Done.

+  // Load root_ca_cert.pem into the test root store.
+  TestRootCerts* root_certs = TestRootCerts::GetInstance();
+  root_certs->AddFromFile(
+      GetTestCertsDirectory().AppendASCII("root_ca_cert.pem"));
+
+  CertificateList cert_list = CreateCertificateListFromFile(
+      GetTestCertsDirectory(), "ok_cert.pem",
+      X509Certificate::FORMAT_AUTO);
+  ASSERT_EQ(1U, cert_list.size());
+  scoped_refptr<X509Certificate> cert(cert_list[0]);
+
+  // Verification should pass.
+  int flags = 0;
+  CertVerifyResult verify_result;
+  int error = Verify(
+      cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result);
+  EXPECT_EQ(OK, error);
+  EXPECT_EQ(0U, verify_result.cert_status);
+  // But should not be marked as a known root.
+  EXPECT_FALSE(verify_result.is_issued_by_known_root);
+}
+
 #if defined(OS_MACOSX) && !defined(OS_IOS)
 // Tests that, on OS X, issues with a cross-certified Baltimore CyberTrust
 // Root can be successfully worked around once Apple completes removing the
 // older GTE CyberTrust Root from its trusted root store.
 //
 // The issue is caused by servers supplying the cross-certified intermediate
 // (necessary for certain mobile platforms), which OS X does not recognize
 // as already existing within its trust store.
 TEST_F(CertVerifyProcTest, CybertrustGTERoot) {
   CertificateList certs = CreateCertificateListFromFile(
@@ skipping 565 matching lines @@
     EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID);
   }
 }
 
 WRAPPED_INSTANTIATE_TEST_CASE_P(
     VerifyName,
     CertVerifyProcNameTest,
     testing::ValuesIn(kVerifyNameData));
 
 }  // namespace net