Index: net/cert/cert_verify_proc_unittest.cc |
diff --git a/net/cert/cert_verify_proc_unittest.cc b/net/cert/cert_verify_proc_unittest.cc |
index ed6f028b2002d2446f10186473d9bb2e3d002c0e..201000f4a933a1c0d1b160e285b3757cb4f0306d 100644 |
--- a/net/cert/cert_verify_proc_unittest.cc |
+++ b/net/cert/cert_verify_proc_unittest.cc |
@@ -1593,4 +1593,28 @@ WRAPPED_INSTANTIATE_TEST_CASE_P( |
CertVerifyProcNameTest, |
testing::ValuesIn(kVerifyNameData)); |
+#if defined(OS_MACOSX) && !defined(OS_IOS) |
+// Test that CertVerifyProcMac reacts appropriately when Apple's certificate |
+// verifier rejects a certificate with a fatal error. This is a regression |
+// test for https://crbug.com/472291. |
+TEST_F(CertVerifyProcTest, LargeKey) { |
+ // Load root_ca_cert.pem into the test root store. |
+ ScopedTestRoot test_root( |
+ ImportCertFromFile(GetTestCertsDirectory(), "root_ca_cert.pem").get()); |
+ |
+ scoped_refptr<X509Certificate> cert( |
+ ImportCertFromFile(GetTestCertsDirectory(), "large_key.pem")); |
+ |
+ // Apple's verifier rejects this certificate as invalid because the |
+ // RSA key is too large. If a future version of OS X changes this, |
+ // large_key.pem may need to be regenerated with a larger key. |
+ int flags = 0; |
+ CertVerifyResult verify_result; |
+ int error = Verify(cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, |
+ &verify_result); |
+ EXPECT_EQ(ERR_CERT_INVALID, error); |
+ EXPECT_EQ(CERT_STATUS_INVALID, verify_result.cert_status); |
+} |
+#endif // defined(OS_MACOSX) && !defined(OS_IOS) |
+ |
} // namespace net |