Index: net/socket/ssl_client_socket_unittest.cc |
diff --git a/net/socket/ssl_client_socket_unittest.cc b/net/socket/ssl_client_socket_unittest.cc |
index 989981925304fd8ce167677b8b575f97df718d07..38b5ce9e19f991f6c5ce773a3e550b28e362e1a2 100644 |
--- a/net/socket/ssl_client_socket_unittest.cc |
+++ b/net/socket/ssl_client_socket_unittest.cc |
@@ -684,10 +684,12 @@ class MockCTVerifier : public CTVerifier { |
// A mock CTPolicyEnforcer that returns a custom verification result. |
class MockCTPolicyEnforcer : public CTPolicyEnforcer { |
public: |
- MOCK_METHOD4(DoesConformToCTEVPolicy, |
+ MOCK_METHOD2(DoesConformToCertPolicy, |
+ bool(X509Certificate* cert, const ct::CTVerifyResult&)); |
+ MOCK_METHOD4(DoesConformToEVPolicy, |
bool(X509Certificate* cert, |
+ CertStatus cert_status, |
const ct::EVCertsWhitelist*, |
- const ct::CTVerifyResult&, |
const BoundNetLog&)); |
}; |
@@ -2334,7 +2336,9 @@ TEST_F(SSLClientSocketTest, EVCertStatusMaintainedForCompliantCert) { |
// Emulate compliance of the certificate to the policy. |
MockCTPolicyEnforcer policy_enforcer; |
SetCTPolicyEnforcer(&policy_enforcer); |
- EXPECT_CALL(policy_enforcer, DoesConformToCTEVPolicy(_, _, _, _)) |
+ EXPECT_CALL(policy_enforcer, DoesConformToCertPolicy(_, _)) |
+ .WillRepeatedly(Return(true)); |
+ EXPECT_CALL(policy_enforcer, DoesConformToEVPolicy(_, _, _, _)) |
.WillRepeatedly(Return(true)); |
int rv; |
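Review bot: Both expectations in this hunk use `.WillRepeatedly(Return(true))` with no cardinality, which gmock treats as any number of calls including zero, so this compliant-path test would still pass if the socket never consulted the policy enforcer. The test is meant to show that EV status survives because the policy was checked and satisfied, so consider pinning that on the `DoesConformToEVPolicy` expectation with `.Times(testing::AtLeast(1))` ahead of `.WillRepeatedly(Return(true))`. The same applies to `DoesConformToCertPolicy` if it is expected to run for every certificate. The test body continues outside the hunk, so its final assertions are not visible here.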
@@ -2366,7 +2370,9 @@ TEST_F(SSLClientSocketTest, EVCertStatusRemovedForNonCompliantCert) { |
// Emulate non-compliance of the certificate to the policy. |
MockCTPolicyEnforcer policy_enforcer; |
SetCTPolicyEnforcer(&policy_enforcer); |
- EXPECT_CALL(policy_enforcer, DoesConformToCTEVPolicy(_, _, _, _)) |
+ EXPECT_CALL(policy_enforcer, DoesConformToCertPolicy(_, _)) |
+ .WillRepeatedly(Return(false)); |
+ EXPECT_CALL(policy_enforcer, DoesConformToEVPolicy(_, _, _, _)) |
.WillRepeatedly(Return(false)); |
int rv; |
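Review bot: With both `DoesConformToCertPolicy` and `DoesConformToEVPolicy` returning false, this test cannot tell which of the two checks produced the outcome. A regression where a failed EV policy check alone no longer strips EV status would therefore go unnoticed. A sibling case with `DoesConformToCertPolicy(_, _)` returning true and `DoesConformToEVPolicy(_, _, _, _)` returning false would isolate the EV path. The assertions sit outside this hunk, and only the `CERT_STATUS_CT_COMPLIANCE_FAILED` check is visible in the following context. Which flag each check is expected to drive is therefore inferred, and a one-line comment above the expectations stating it would help.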
@@ -2380,6 +2386,37 @@ TEST_F(SSLClientSocketTest, EVCertStatusRemovedForNonCompliantCert) { |
EXPECT_TRUE(result.cert_status & CERT_STATUS_CT_COMPLIANCE_FAILED); |
} |
+// Test that when a CT verifier and a CTPolicyEnforcer are defined, but |
+// the non-EV certificate used does not conform to the CT/EV policy, the |
+// correct cert status flag is set. |
+TEST_F(SSLClientSocketTest, CertStatusSetForNonCompliantNonEVCert) { |
+ SpawnedTestServer::SSLOptions ssl_options; |
+ ASSERT_TRUE(StartTestServer(ssl_options)); |
+ |
+ SSLConfig ssl_config; |
+ |
+ // To activate the CT/EV policy enforcement non-null CTVerifier and |
+ // CTPolicyEnforcer are needed. |
+ MockCTVerifier ct_verifier; |
+ SetCTVerifier(&ct_verifier); |
+ EXPECT_CALL(ct_verifier, Verify(_, "", "", _, _)).WillRepeatedly(Return(OK)); |
+ |
+ // Emulate non-compliance of the certificate to the policy. |
+ MockCTPolicyEnforcer policy_enforcer; |
+ SetCTPolicyEnforcer(&policy_enforcer); |
+ EXPECT_CALL(policy_enforcer, DoesConformToCertPolicy(_, _)) |
+ .WillRepeatedly(Return(false)); |
+ |
+ int rv; |
+ ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv)); |
+ EXPECT_EQ(OK, rv); |
+ |
+ SSLInfo result; |
+ ASSERT_TRUE(sock_->GetSSLInfo(&result)); |
+ |
+ EXPECT_TRUE(result.cert_status & CERT_STATUS_CT_COMPLIANCE_FAILED); |
+} |
+ |
namespace { |
bool IsValidOCSPResponse(const base::StringPiece& input) { |
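Review bot: `CertStatusSetForNonCompliantNonEVCert` sets no expectation on `DoesConformToEVPolicy`, so if the socket wrongly ran the EV check for this certificate, gmock would only log an uninteresting-call warning and return the default `false`, and the test would still pass. Adding `EXPECT_CALL(policy_enforcer, DoesConformToEVPolicy(_, _, _, _)).Times(0);` would pin that the EV path is skipped, assuming that is the intended behaviour for a non-EV certificate. The test also relies on the default `SSLOptions` certificate being non-EV, so `EXPECT_FALSE(result.cert_status & CERT_STATUS_IS_EV);` would make that precondition explicit. The leading comment and the in-body comment both say "CT/EV policy", although only the general certificate policy is exercised here. Finally, `EXPECT_EQ(OK, rv)` fixes that non-compliance is reported as a status flag and not as a connection failure, which deserves a short comment so it is not mistaken for an oversight.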