Use LOAD_VERIFY_EV_CERT to verify EV-ness in Verify()....

net/base/x509_certificate_unittest.cc

 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "base/pickle.h"
 #include "net/base/cert_status_flags.h"
+#include "net/base/cert_verify_result.h"
+#include "net/base/net_errors.h"
 #include "net/base/x509_certificate.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 // Unit tests aren't allowed to access external resources. Unfortunately, to
 // properly verify the EV-ness of a cert, we need to check for its revocation
 // through online servers. If you're manually running unit tests, feel free to
 // turn this on to test EV certs. But leave it turned off for the automated
 // testing.
 #define ALLOW_EXTERNAL_ACCESS 0
 
 #if ALLOW_EXTERNAL_ACCESS && defined(OS_WIN)
-#define TEST_EV 1  // Test IsEV()
+#define TEST_EV 1  // Test CERT_STATUS_IS_EV
 #endif
 
 using base::Time;
 
 namespace {
 
 // Certificates for test data. They're obtained with:
 //
 // $ openssl s_client -connect [host]:443 -showcerts > /tmp/host.pem < /dev/null
 // $ openssl x509 -inform PEM -outform DER < /tmp/host.pem > /tmp/host.der
@@ skipping 356 matching lines @@
   for (size_t i = 0; i < 20; ++i)
     EXPECT_EQ(google_fingerprint[i], fingerprint.data[i]);
 
   std::vector<std::string> dns_names;
   google_cert->GetDNSNames(&dns_names);
   EXPECT_EQ(1U, dns_names.size());
   EXPECT_EQ("www.google.com", dns_names[0]);
 
 #if TEST_EV
   // TODO(avi): turn this on for the Mac once EV checking is implemented.
-  EXPECT_EQ(false, google_cert->IsEV(net::CERT_STATUS_REV_CHECKING_ENABLED));
+  CertVerifyResult verify_result;
+  int flags = X509Certificate::VERIFY_REV_CHECKING_ENABLED |
+                X509Certificate::VERIFY_EV_CERT;
+  EXPECT_EQ(OK, google_cert->Verify("www.google.com", flags, &verify_result));
+  EXPECT_EQ(0, verify_result.cert_status & CERT_STATUS_IS_EV);
 #endif
 }
 
 TEST(X509CertificateTest, WebkitCertParsing) {
   scoped_refptr<X509Certificate> webkit_cert = X509Certificate::CreateFromBytes(
       reinterpret_cast<const char*>(webkit_der), sizeof(webkit_der));
 
   ASSERT_NE(static_cast<X509Certificate*>(NULL), webkit_cert);
 
   const X509Certificate::Principal& subject = webkit_cert->subject();
@@ skipping 31 matching lines @@
   for (size_t i = 0; i < 20; ++i)
     EXPECT_EQ(webkit_fingerprint[i], fingerprint.data[i]);
 
   std::vector<std::string> dns_names;
   webkit_cert->GetDNSNames(&dns_names);
   EXPECT_EQ(2U, dns_names.size());
   EXPECT_EQ("*.webkit.org", dns_names[0]);
   EXPECT_EQ("webkit.org", dns_names[1]);
 
 #if TEST_EV
-  EXPECT_EQ(false, webkit_cert->IsEV(net::CERT_STATUS_REV_CHECKING_ENABLED));
+  int flags = X509Certificate::VERIFY_REV_CHECKING_ENABLED |
+                X509Certificate::VERIFY_EV_CERT;
+  CertVerifyResult verify_result;
+  EXPECT_EQ(OK, webkit_cert->Verify("webkit.org", flags, &verify_result));
+  EXPECT_EQ(0, verify_result.cert_status & CERT_STATUS_IS_EV);
 #endif
 }
 
 TEST(X509CertificateTest, ThawteCertParsing) {
   scoped_refptr<X509Certificate> thawte_cert = X509Certificate::CreateFromBytes(
       reinterpret_cast<const char*>(thawte_der), sizeof(thawte_der));
 
   ASSERT_NE(static_cast<X509Certificate*>(NULL), thawte_cert);
 
   const X509Certificate::Principal& subject = thawte_cert->subject();
@@ skipping 30 matching lines @@
   const X509Certificate::Fingerprint& fingerprint = thawte_cert->fingerprint();
   for (size_t i = 0; i < 20; ++i)
     EXPECT_EQ(thawte_fingerprint[i], fingerprint.data[i]);
 
   std::vector<std::string> dns_names;
   thawte_cert->GetDNSNames(&dns_names);
   EXPECT_EQ(1U, dns_names.size());
   EXPECT_EQ("www.thawte.com", dns_names[0]);
 
 #if TEST_EV
+  int flags = X509Certificate::VERIFY_REV_CHECKING_ENABLED |
+                X509Certificate::VERIFY_EV_CERT;
+  CertVerifyResult verify_result;
   // EV cert verification requires revocation checking.
-  EXPECT_EQ(true, thawte_cert->IsEV(net::CERT_STATUS_REV_CHECKING_ENABLED));
+  EXPECT_EQ(OK, thawte_cert->Verify("www.thawte.com", flags, &verify_result));
+  EXPECT_NE(0, verify_result.cert_status & CERT_STATUS_IS_EV);
   // Consequently, if we don't have revocation checking enabled, we can't claim
   // any cert is EV.
-  EXPECT_EQ(false, thawte_cert->IsEV(0));
+  flags = X509Certificate::VERIFY_EV_CERT;
+  EXPECT_EQ(OK, thawte_cert->Verify("www.thawte.com", flags, &verify_result));
+  EXPECT_EQ(0, verify_result.cert_status & CERT_STATUS_IS_EV);
 #endif
 }
 
 // Tests X509Certificate::Cache via X509Certificate::CreateFromHandle.  We
 // call X509Certificate::CreateFromHandle several times and observe whether
 // it returns a cached or new X509Certificate object.
 //
 // All the OS certificate handles in this test are actually from the same
 // source (the bytes of a lone certificate), but we pretend that some of them
 // come from the network.
@@ skipping 86 matching lines @@
 
   policy.Allow(webkit_cert.get());
 
   EXPECT_EQ(policy.Check(google_cert.get()), X509Certificate::Policy::DENIED);
   EXPECT_EQ(policy.Check(webkit_cert.get()), X509Certificate::Policy::ALLOWED);
   EXPECT_TRUE(policy.HasAllowedCert());
   EXPECT_TRUE(policy.HasDeniedCert());
 }
 
 }  // namespace net