Perform CRLSet evaluation during Path Building on NSS

chrome/browser/chromeos/net/cert_verify_proc_chromeos_unittest.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/net/cert_verify_proc_chromeos.h"
 
 #include <stddef.h>
 
 #include "crypto/nss_util_internal.h"
 #include "crypto/scoped_test_nss_chromeos_user.h"
@@ skipping 47 matching lines @@
                                            "multi-root-chain2.pem",
                                            net::X509Certificate::FORMAT_AUTO);
     ASSERT_EQ(4U, certs_2_.size());
 
     // The chains:
     //   1. A (end-entity) -> B -> C -> D (self-signed root)
     //   2. A (end-entity) -> B -> C2 -> E (self-signed root)
     ASSERT_TRUE(certs_1_[0]->Equals(certs_2_[0].get()));
     ASSERT_TRUE(certs_1_[1]->Equals(certs_2_[1].get()));
     ASSERT_FALSE(certs_1_[2]->Equals(certs_2_[2].get()));
-    ASSERT_EQ("C CA", certs_1_[2]->subject().common_name);
-    ASSERT_EQ("C CA", certs_2_[2]->subject().common_name);
+    ASSERT_EQ("C CA - Multi-root", certs_1_[2]->subject().common_name);
+    ASSERT_EQ("C CA - Multi-root", certs_2_[2]->subject().common_name);
 
     root_1_.push_back(certs_1_.back());
     root_2_.push_back(certs_2_.back());
 
-    ASSERT_EQ("D Root CA", root_1_[0]->subject().common_name);
-    ASSERT_EQ("E Root CA", root_2_[0]->subject().common_name);
+    ASSERT_EQ("D Root CA - Multi-root", root_1_[0]->subject().common_name);
+    ASSERT_EQ("E Root CA - Multi-root", root_2_[0]->subject().common_name);
   }
 
   int VerifyWithAdditionalTrustAnchors(
       net::CertVerifyProc* verify_proc,
       const net::CertificateList& additional_trust_anchors,
       net::X509Certificate* cert,
       std::string* root_subject_name) {
     int flags = 0;
     net::CertVerifyResult verify_result;
     int error =
@@ skipping 51 matching lines @@
   net::NSSCertDatabase::ImportCertFailureList failed;
   EXPECT_TRUE(db_1_->ImportCACerts(
       root_1_, net::NSSCertDatabase::TRUSTED_SSL, &failed));
   EXPECT_EQ(0U, failed.size());
 
   // Imported CA certs are not trusted by default verifier.
   EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID,
             Verify(verify_proc_default_.get(), server.get(), &verify_root));
   // User 1 should now verify successfully through the D root.
   EXPECT_EQ(net::OK, Verify(verify_proc_1_.get(), server.get(), &verify_root));
-  EXPECT_EQ("CN=D Root CA", verify_root);
+  EXPECT_EQ("CN=D Root CA - Multi-root", verify_root);
   // User 2 should still fail.
   EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID,
             Verify(verify_proc_2_.get(), server.get(), &verify_root));
 
   // Import and trust the E root for user 2.
   failed.clear();
   EXPECT_TRUE(db_2_->ImportCACerts(
       root_2_, net::NSSCertDatabase::TRUSTED_SSL, &failed));
   EXPECT_EQ(0U, failed.size());
 
   // Imported CA certs are not trusted by default verifier.
   EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID,
             Verify(verify_proc_default_.get(), server.get(), &verify_root));
   // User 1 should still verify successfully through the D root.
   EXPECT_EQ(net::OK, Verify(verify_proc_1_.get(), server.get(), &verify_root));
-  EXPECT_EQ("CN=D Root CA", verify_root);
+  EXPECT_EQ("CN=D Root CA - Multi-root", verify_root);
   // User 2 should now verify successfully through the E root.
   EXPECT_EQ(net::OK, Verify(verify_proc_2_.get(), server.get(), &verify_root));
-  EXPECT_EQ("CN=E Root CA", verify_root);
+  EXPECT_EQ("CN=E Root CA - Multi-root", verify_root);
 
   // Delete D root.
   EXPECT_TRUE(db_1_->DeleteCertAndKey(root_1_[0].get()));
   EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID,
             Verify(verify_proc_default_.get(), server.get(), &verify_root));
   // User 1 should now fail to verify.
   EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID,
             Verify(verify_proc_1_.get(), server.get(), &verify_root));
   // User 2 should still verify successfully through the E root.
   EXPECT_EQ(net::OK, Verify(verify_proc_2_.get(), server.get(), &verify_root));
-  EXPECT_EQ("CN=E Root CA", verify_root);
+  EXPECT_EQ("CN=E Root CA - Multi-root", verify_root);
 
   // Delete E root.
   EXPECT_TRUE(db_2_->DeleteCertAndKey(root_2_[0].get()));
   EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID,
             Verify(verify_proc_default_.get(), server.get(), &verify_root));
   // User 1 should still fail to verify.
   EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID,
             Verify(verify_proc_1_.get(), server.get(), &verify_root));
   // User 2 should now fail to verify.
   EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID,
@@ skipping 24 matching lines @@
                                              server.get(),
                                              &verify_root));
 
   // Use D Root CA as additional trust anchor. Verifications should succeed now.
   additional_trust_anchors.push_back(root_1_[0]);
   EXPECT_EQ(net::OK,
             VerifyWithAdditionalTrustAnchors(verify_proc_default_.get(),
                                              additional_trust_anchors,
                                              server.get(),
                                              &verify_root));
-  EXPECT_EQ("CN=D Root CA", verify_root);
+  EXPECT_EQ("CN=D Root CA - Multi-root", verify_root);
   EXPECT_EQ(net::OK,
             VerifyWithAdditionalTrustAnchors(verify_proc_1_.get(),
                                              additional_trust_anchors,
                                              server.get(),
                                              &verify_root));
-  EXPECT_EQ("CN=D Root CA", verify_root);
+  EXPECT_EQ("CN=D Root CA - Multi-root", verify_root);
   // User 2 should still fail.
   EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID,
             VerifyWithAdditionalTrustAnchors(verify_proc_2_.get(),
                                              net::CertificateList(),
                                              server.get(),
                                              &verify_root));
 
   // Without additional trust anchors, verification should fail again.
   additional_trust_anchors.clear();
   EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID,
@@ skipping 16 matching lines @@
   EXPECT_EQ(0U, failed.size());
 
   // Use D Root CA as additional trust anchor. Verifications should still
   // succeed even if the cert is trusted by a different profile.
   additional_trust_anchors.push_back(root_1_[0]);
   EXPECT_EQ(net::OK,
             VerifyWithAdditionalTrustAnchors(verify_proc_default_.get(),
                                              additional_trust_anchors,
                                              server.get(),
                                              &verify_root));
-  EXPECT_EQ("CN=D Root CA", verify_root);
+  EXPECT_EQ("CN=D Root CA - Multi-root", verify_root);
   EXPECT_EQ(net::OK,
             VerifyWithAdditionalTrustAnchors(verify_proc_1_.get(),
                                              additional_trust_anchors,
                                              server.get(),
                                              &verify_root));
-  EXPECT_EQ("CN=D Root CA", verify_root);
+  EXPECT_EQ("CN=D Root CA - Multi-root", verify_root);
   EXPECT_EQ(net::OK,
             VerifyWithAdditionalTrustAnchors(verify_proc_2_.get(),
                                              additional_trust_anchors,
                                              server.get(),
                                              &verify_root));
-  EXPECT_EQ("CN=D Root CA", verify_root);
+  EXPECT_EQ("CN=D Root CA - Multi-root", verify_root);
 }
 
 class CertVerifyProcChromeOSOrderingTest
     : public CertVerifyProcChromeOSTest,
       public ::testing::WithParamInterface<
           std::tr1::tuple<bool, int, std::string> > {};
 
 // Test a variety of different combinations of (maybe) verifying / (maybe)
 // importing / verifying again, to try to find any cases where caching might
 // affect the results.
@@ skipping 60 matching lines @@
         case 'd':
           // Default verifier should always fail.
           EXPECT_EQ(
               net::ERR_CERT_AUTHORITY_INVALID,
               Verify(verify_proc_default_.get(), server.get(), &verify_root));
           break;
         case '1':
           EXPECT_EQ(expected_user1_result,
                     Verify(verify_proc_1_.get(), server.get(), &verify_root));
           if (expected_user1_result == net::OK)
-            EXPECT_EQ("CN=D Root CA", verify_root);
+            EXPECT_EQ("CN=D Root CA - Multi-root", verify_root);
           break;
         case '2':
           EXPECT_EQ(expected_user2_result,
                     Verify(verify_proc_2_.get(), server.get(), &verify_root));
           if (expected_user2_result == net::OK)
-            EXPECT_EQ("CN=E Root CA", verify_root);
+            EXPECT_EQ("CN=E Root CA - Multi-root", verify_root);
           break;
         default:
           FAIL();
       }
     }
   }
 }
 
 INSTANTIATE_TEST_CASE_P(
     Variations,
     CertVerifyProcChromeOSOrderingTest,
     ::testing::Combine(
         ::testing::Bool(),
         ::testing::Range(0, 1 << 2),
         ::testing::Values("d12", "d21", "1d2", "12d", "2d1", "21d")));
 
 }  // namespace chromeos