Add served cert chain to SSLInfo

net/socket/ssl_client_socket_unittest.cc

Index: net/socket/ssl_client_socket_unittest.cc
diff --git a/net/socket/ssl_client_socket_unittest.cc b/net/socket/ssl_client_socket_unittest.cc
index 8d6bb1bd189348890687eee249264885067b0f2e..854a274a32c4cd8fb26580a6e118c5198f488e89 100644
--- a/net/socket/ssl_client_socket_unittest.cc
+++ b/net/socket/ssl_client_socket_unittest.cc
@@ -2422,8 +2422,9 @@ TEST_F(SSLClientSocketTest, VerifyServerChainProperlyOrdered) {
                                     X509Certificate::FORMAT_AUTO);
 
   // Get the server certificate as received client side.
-  scoped_refptr<X509Certificate> server_certificate =
-      sock->GetUnverifiedServerCertificateChain();
+  SSLInfo ssl_info;
+  sock->GetSSLInfo(&ssl_info);
+  scoped_refptr<X509Certificate> server_certificate = ssl_info.served_cert;

[davidben, 2015/06/12 19:45:42]

It is somewhat confusing that the code alternates between calling it "server
certificate" and "served certificate". I keep thinking one of them is a typo.

Maybe just call it server_cert? That's consistent with what
SSLClientSocketOpenSSL calls it internally. Though I can definitely see the
distinction between server_cert and cert as much more confusing than
served_cert. ("Oh, this is the server_cert; the other must be the client cert.
I'll use this one.")

Maybe unverified_cert or original_cert? Just so we're not one letter off from
server_cert. Or perhaps really we should just be renaming all the server_cert
instances to served_cert...

[served cert is also kind of a tongue-twister to say out loud, but oh well.]

[estark, 2015/06/12 20:29:11]

I like |unverified_cert| the best, I think. Changed to that. |served_cert| and
|server_cert| both are slightly confusing to me anyway because it's really the
|as_received_by_the_client_cert|, not necessarily the actual cert that the
server served.

 
   // Get the intermediates as received  client side.
   const X509Certificate::OSCertHandles& server_intermediates =
@@ -2466,6 +2467,11 @@ TEST_F(SSLClientSocketTest, VerifyReturnChainProperlyOrdered) {
   // expired.
   cert_verifier_->set_default_result(ERR_CERT_DATE_INVALID);
 
+  CertificateList served_certs = CreateCertificateListFromFile(
+      GetTestCertsDirectory(), "redundant-server-chain.pem",
+      X509Certificate::FORMAT_AUTO);
+  ASSERT_EQ(4u, served_certs.size());
+
   // We will expect SSLInfo to ultimately contain this chain.
   CertificateList certs =
       CreateCertificateListFromFile(GetTestCertsDirectory(),
@@ -2543,6 +2549,19 @@ TEST_F(SSLClientSocketTest, VerifyReturnChainProperlyOrdered) {
   EXPECT_TRUE(X509Certificate::IsSameOSCert(intermediates[1],
                                             certs[2]->os_cert_handle()));
 
+  // Verify that SSLInfo also contains the chain as received from the server.
+  const X509Certificate::OSCertHandles& served_intermediates =
+      ssl_info.served_cert->GetIntermediateCertificates();
+  ASSERT_EQ(3U, served_intermediates.size());
+  EXPECT_TRUE(X509Certificate::IsSameOSCert(ssl_info.cert->os_cert_handle(),
+                                            served_certs[0]->os_cert_handle()));
+  EXPECT_TRUE(X509Certificate::IsSameOSCert(served_intermediates[0],
+                                            served_certs[1]->os_cert_handle()));
+  EXPECT_TRUE(X509Certificate::IsSameOSCert(served_intermediates[1],
+                                            served_certs[2]->os_cert_handle()));
+  EXPECT_TRUE(X509Certificate::IsSameOSCert(served_intermediates[2],
+                                            served_certs[3]->os_cert_handle()));
+
   sock->Disconnect();
   EXPECT_FALSE(sock->IsConnected());
 }