Introduce unit test for NSS OCSP/AIA fetching

net/ocsp/nss_ocsp_unittest.cc

Index: net/ocsp/nss_ocsp_unittest.cc
diff --git a/net/ocsp/nss_ocsp_unittest.cc b/net/ocsp/nss_ocsp_unittest.cc
new file mode 100644
index 0000000000000000000000000000000000000000..439ab0f4f9944e46b96f323de6a417507e6e046e
--- /dev/null
+++ b/net/ocsp/nss_ocsp_unittest.cc
@@ -0,0 +1,142 @@
+// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/ocsp/nss_ocsp.h"
+
+#include <string>
+
+#include "base/file_util.h"
+#include "base/files/file_path.h"
+#include "base/logging.h"
+#include "base/memory/ref_counted.h"
+#include "net/base/net_errors.h"
+#include "net/base/test_completion_callback.h"
+#include "net/base/test_data_directory.h"
+#include "net/cert/cert_status_flags.h"
+#include "net/cert/cert_verifier.h"
+#include "net/cert/cert_verify_proc.h"
+#include "net/cert/cert_verify_proc_nss.h"
+#include "net/cert/cert_verify_result.h"
+#include "net/cert/multi_threaded_cert_verifier.h"
+#include "net/cert/test_root_certs.h"
+#include "net/cert/x509_certificate.h"
+#include "net/test/cert_test_util.h"
+#include "net/url_request/url_request_error_job.h"
+#include "net/url_request/url_request_filter.h"
+#include "net/url_request/url_request_test_job.h"
+#include "net/url_request/url_request_test_util.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+namespace net {
+
+namespace {
+
+// Matches the caIssuers hostname from the generated certificate.
+const char kAiaHost[] = "aia-test.invalid";
+
+// The number of times the intermediate was fetched via the URLRequest factory.
+int g_request_count = 0;
+
+net::URLRequestJob* AiaResponseFactory(net::URLRequest* request,
+                                       net::NetworkDelegate* network_delegate,
+                                       const std::string& scheme) {
+  // Returning a single DER-encoded cert, so the mime-type must be
+  // application/pkix-cert per RFC 5280.
+  static const char kAiaHeaders[] =
+    "HTTP/1.1 200 OK\0"
+    "Content-type: application/pkix-cert\0"
+    "\0";
+
+  if (request->url().scheme() != "http" ||
+      request->url().host() != kAiaHost) {

[pauljensen, 2013/05/16 13:50:43]

The URLRequestFilter should never use this to handle schemes or hosts other than
what it was registered for, so you could just DCHECK here.

[Ryan Sleevi, 2013/05/16 21:25:38]

Fair enough. I don't suppose there's a way to setup a filter for *all*
URLRequests, is there? That is, similar how we can intercept all DNS, intercept
all URL requests...

[pauljensen, 2013/05/17 03:45:22]

You can insert the ProtocolHandler into the URLRequestJobFactory rather than
URLRequestFilter.  Some tests already do this; see AddTestInterceptor().

+    return new net::URLRequestErrorJob(
+        request, network_delegate, net::ERR_BLOCKED_BY_ADMINISTRATOR);
+  }
+
+  ++g_request_count;
+
+  std::string file_contents;
+  if (!file_util::ReadFileToString(
+          GetTestCertsDirectory().AppendASCII("aia-intermediate.der"),
+          &file_contents)) {
+    return new net::URLRequestErrorJob(
+        request, network_delegate, ERR_ACCESS_DENIED);
+  }
+
+  return new net::URLRequestTestJob(
+      request, network_delegate, kAiaHeaders, file_contents, true);
+}
+
+}  // namespace
+
+class NssHttpTest : public ::testing::Test {
+ public:
+  NssHttpTest()
+      : context_(false),
+        verify_proc_(new CertVerifyProcNSS),
+        verifier_(new MultiThreadedCertVerifier(verify_proc_)) {
+    g_request_count = 0;
+
+    URLRequestFilter::GetInstance()->AddHostnameHandler(
+        "http", kAiaHost, &AiaResponseFactory);
+
+    SetURLRequestContextForNSSHttpIO(&context_);
+    EnsureNSSHttpIOInit();
+  }
+
+  virtual ~NssHttpTest() {
+    ShutdownNSSHttpIO();
+
+    URLRequestFilter::GetInstance()->RemoveHostnameHandler(
+        "http", kAiaHost);
+
+    g_request_count = 0;
+  }
+
+  CertVerifier* const verifier() const {
+    return verifier_.get();
+  }
+
+ protected:
+  const CertificateList empty_cert_list_;
+
+ private:
+  TestURLRequestContext context_;
+  scoped_refptr<CertVerifyProc> verify_proc_;
+  scoped_ptr<CertVerifier> verifier_;
+};
+
+// Tests that when using NSS to verify certificates, and IO is enabled,
+// that a request to fetch missing intermediate certificates is
+// made successfully.
+TEST_F(NssHttpTest, TestAia) {
+  scoped_refptr<X509Certificate> test_cert(
+      ImportCertFromFile(GetTestCertsDirectory(), "aia-cert.pem"));
+  ASSERT_TRUE(test_cert.get());
+
+  scoped_refptr<X509Certificate> test_root(
+      ImportCertFromFile(GetTestCertsDirectory(), "aia-root.pem"));
+  ASSERT_TRUE(test_root.get());
+
+  ScopedTestRoot scoped_root(test_root);
+
+  CertVerifyResult verify_result;
+  TestCompletionCallback test_callback;
+  CertVerifier::RequestHandle request_handle;
+
+  int flags = CertVerifier::VERIFY_CERT_IO_ENABLED;

[pauljensen, 2013/05/16 13:50:43]

Any reason you don't pass this directly? (i.e. instead of indirectly through a
variable)

[Ryan Sleevi, 2013/05/16 21:25:38]

Mostly, consistency with most of our other calls to verify (eg:
cert_verify_proc_unittest and friends), which is largely trying for ease of
readability (particularly when flags is '0')

+  int error = verifier()->Verify(
+      test_cert, "aia-host.invalid", flags, NULL, &verify_result,
+      test_callback.callback(), &request_handle, BoundNetLog());

[pauljensen, 2013/05/16 13:50:43]

The style guide says one argument per line when the indent-by-4 function call
format is used.

[Ryan Sleevi, 2013/05/16 21:25:38]

Could swore I clang-format'd this, but fixed now.

+  ASSERT_EQ(ERR_IO_PENDING, error);
+
+  error = test_callback.WaitForResult();
+
+  EXPECT_EQ(OK, error);
+
+  // Ensure that NSS made an AIA request for the missing intermediate.
+  EXPECT_LT(0, g_request_count);
+}
+
+}  // namespace net