Add served cert chain to SSLInfo

net/socket/ssl_client_socket_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/socket/ssl_client_socket.h"
 
 #include "base/callback_helpers.h"
 #include "base/memory/ref_counted.h"
 #include "base/run_loop.h"
 #include "base/thread_task_runner_handle.h"
@@ skipping 2404 matching lines @@
   EXPECT_TRUE(sock->IsConnected());
 
   // When given option CERT_CHAIN_WRONG_ROOT, SpawnedTestServer will present
   // certs from redundant-server-chain.pem.
   CertificateList server_certs =
       CreateCertificateListFromFile(GetTestCertsDirectory(),
                                     "redundant-server-chain.pem",
                                     X509Certificate::FORMAT_AUTO);
 
   // Get the server certificate as received client side.
-  scoped_refptr<X509Certificate> server_certificate =
-      sock->GetUnverifiedServerCertificateChain();
+  SSLInfo ssl_info;
+  sock->GetSSLInfo(&ssl_info);
+  scoped_refptr<X509Certificate> server_certificate = ssl_info.served_cert;

[davidben, 2015/06/12 19:45:42]

It is somewhat confusing that the code alternates between calling it "server
certificate" and "served certificate". I keep thinking one of them is a typo.

Maybe just call it server_cert? That's consistent with what
SSLClientSocketOpenSSL calls it internally. Though I can definitely see the
distinction between server_cert and cert as much more confusing than
served_cert. ("Oh, this is the server_cert; the other must be the client cert.
I'll use this one.")

Maybe unverified_cert or original_cert? Just so we're not one letter off from
server_cert. Or perhaps really we should just be renaming all the server_cert
instances to served_cert...

[served cert is also kind of a tongue-twister to say out loud, but oh well.]

[estark, 2015/06/12 20:29:11]

I like |unverified_cert| the best, I think. Changed to that. |served_cert| and
|server_cert| both are slightly confusing to me anyway because it's really the
|as_received_by_the_client_cert|, not necessarily the actual cert that the
server served.

 
   // Get the intermediates as received  client side.
   const X509Certificate::OSCertHandles& server_intermediates =
       server_certificate->GetIntermediateCertificates();
 
   // Check that the unverified server certificate chain is properly retrieved
   // from the underlying ssl stack.
   ASSERT_EQ(4U, server_certs.size());
 
   EXPECT_TRUE(X509Certificate::IsSameOSCert(
@@ skipping 22 matching lines @@
 // a self-signed root. Such a situation can occur when a new root (C2) is
 // cross-certified by an old root (D) and has two different versions of its
 // floating around. Servers may supply C2 as an intermediate, but the
 // SSLClientSocket should return the chain that was verified, from
 // verify_result, instead.
 TEST_F(SSLClientSocketTest, VerifyReturnChainProperlyOrdered) {
   // By default, cause the CertVerifier to treat all certificates as
   // expired.
   cert_verifier_->set_default_result(ERR_CERT_DATE_INVALID);
 
+  CertificateList served_certs = CreateCertificateListFromFile(
+      GetTestCertsDirectory(), "redundant-server-chain.pem",
+      X509Certificate::FORMAT_AUTO);
+  ASSERT_EQ(4u, served_certs.size());
+
   // We will expect SSLInfo to ultimately contain this chain.
   CertificateList certs =
       CreateCertificateListFromFile(GetTestCertsDirectory(),
                                     "redundant-validated-chain.pem",
                                     X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(3U, certs.size());
 
   X509Certificate::OSCertHandles temp_intermediates;
   temp_intermediates.push_back(certs[1]->os_cert_handle());
   temp_intermediates.push_back(certs[2]->os_cert_handle());
@@ skipping 57 matching lines @@
   const X509Certificate::OSCertHandles& intermediates =
       ssl_info.cert->GetIntermediateCertificates();
   ASSERT_EQ(2U, intermediates.size());
   EXPECT_TRUE(X509Certificate::IsSameOSCert(ssl_info.cert->os_cert_handle(),
                                             certs[0]->os_cert_handle()));
   EXPECT_TRUE(X509Certificate::IsSameOSCert(intermediates[0],
                                             certs[1]->os_cert_handle()));
   EXPECT_TRUE(X509Certificate::IsSameOSCert(intermediates[1],
                                             certs[2]->os_cert_handle()));
 
+  // Verify that SSLInfo also contains the chain as received from the server.
+  const X509Certificate::OSCertHandles& served_intermediates =
+      ssl_info.served_cert->GetIntermediateCertificates();
+  ASSERT_EQ(3U, served_intermediates.size());
+  EXPECT_TRUE(X509Certificate::IsSameOSCert(ssl_info.cert->os_cert_handle(),
+                                            served_certs[0]->os_cert_handle()));
+  EXPECT_TRUE(X509Certificate::IsSameOSCert(served_intermediates[0],
+                                            served_certs[1]->os_cert_handle()));
+  EXPECT_TRUE(X509Certificate::IsSameOSCert(served_intermediates[1],
+                                            served_certs[2]->os_cert_handle()));
+  EXPECT_TRUE(X509Certificate::IsSameOSCert(served_intermediates[2],
+                                            served_certs[3]->os_cert_handle()));
+
   sock->Disconnect();
   EXPECT_FALSE(sock->IsConnected());
 }
 
 TEST_F(SSLClientSocketCertRequestInfoTest, NoAuthorities) {
   SpawnedTestServer::SSLOptions ssl_options;
   ssl_options.request_client_certificate = true;
   scoped_refptr<SSLCertRequestInfo> request_info = GetCertRequest(ssl_options);
   ASSERT_TRUE(request_info.get());
   EXPECT_EQ(0u, request_info->cert_authorities.size());
@@ skipping 852 matching lines @@
   ssl_config.channel_id_enabled = true;
 
   int rv;
   ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
 
   EXPECT_EQ(ERR_UNEXPECTED, rv);
   EXPECT_FALSE(sock_->IsConnected());
 }
 
 }  // namespace net