Account for the OS returning an empty certificate chain.

net/cert/cert_verify_proc_unittest.cc

Index: net/cert/cert_verify_proc_unittest.cc
diff --git a/net/cert/cert_verify_proc_unittest.cc b/net/cert/cert_verify_proc_unittest.cc
index ed6f028b2002d2446f10186473d9bb2e3d002c0e..63c0219917a00a94d7d748e3bdd2096109122f9c 100644
--- a/net/cert/cert_verify_proc_unittest.cc
+++ b/net/cert/cert_verify_proc_unittest.cc
@@ -1593,4 +1593,34 @@ WRAPPED_INSTANTIATE_TEST_CASE_P(
     CertVerifyProcNameTest,
     testing::ValuesIn(kVerifyNameData));
 
+#if defined(OS_MACOSX) && !defined(OS_IOS)
+// Test that CertVerifyProcMac reacts appropriately when Apple's certificate
+// verifier rejects a certificate with a fatal error. This is a regression
+// test for https://crbug.com/472291.
+TEST_F(CertVerifyProcTest, LargeKey) {
+  // Load root_ca_cert.pem into the test root store.
+  TestRootCerts* root_certs = TestRootCerts::GetInstance();
+  root_certs->AddFromFile(
+      GetTestCertsDirectory().AppendASCII("root_ca_cert.pem"));

[Ryan Sleevi, 2015/04/23 14:05:41]

https://code.google.com/p/chromium/codesearch#chromium/src/net/cert/test_root...

ScopedTestRoot test_root(ImportCertFromFile(GetTestCertsDirectory(),
"root_ca_cert.pem").get());


[Really, ScopedTestRoot should take a "const scoped_refptr<X509Certificate>&" so
that we don't have to do the .get() dance; in case it scares you to see the
.get(), the temporary lasts for the duration of the full statement (aka the full
execution of the ctor), which will handle grabbing the ref to keep things alive]

[davidben, 2015/04/23 18:12:29]

I just copy-and-pasted that part of the test. :-P Done.

+
+  CertificateList cert_list = CreateCertificateListFromFile(
+      GetTestCertsDirectory(), "large_key.pem", X509Certificate::FORMAT_AUTO);
+  ASSERT_EQ(1U, cert_list.size());
+  scoped_refptr<X509Certificate> cert(cert_list[0]);

[Ryan Sleevi, 2015/04/23 14:05:41]

Either ImportCertFromFile or
https://code.google.com/p/chromium/codesearch#chromium/src/net/test/cert_test...

[davidben, 2015/04/23 18:12:28]

Done.

+
+  // Apple's verifier rejects this certificate as invalid because the
+  // RSA key is too large. If a future version of OS X changes this,
+  // large_key.pem may need to be regenerated with a larger key.
+  int flags = 0;
+  CertVerifyResult verify_result;
+  int error = Verify(cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_,
+                     &verify_result);
+  EXPECT_EQ(ERR_CERT_INVALID, error);
+  EXPECT_EQ(CERT_STATUS_INVALID, verify_result.cert_status);
+
+  root_certs->Clear();
+  EXPECT_TRUE(root_certs->IsEmpty());
+}
+#endif  // defined(OS_MACOSX) && !defined(OS_IOS)
+
 }  // namespace net