Fixing BoringSSL on iOS

net/cert/cert_verify_proc_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/cert_verify_proc.h"
 
 #include <vector>
 
 #include "base/callback_helpers.h"
 #include "base/files/file_path.h"
@@ skipping 85 matching lines @@
 #endif
   return true;
 }
 
 bool SupportsDetectingKnownRoots() {
 #if defined(OS_ANDROID)
   // Before API level 17, Android does not expose the APIs necessary to get at
   // the verified certificate chain and detect known roots.
   if (base::android::BuildInfo::GetInstance()->sdk_int() < 17)
     return false;
+#elif defined(OS_IOS) && defined(USE_OPENSSL)
+  // iOS does not expose the APIs necessary to get the known system roots.
+  return false;
 #endif
   return true;
 }
 
 // Template helper to load a series of certificate files into a CertificateList.
 // Like CertTestUtil's CreateCertificateListFromFile, except it can load a
 // series of individual certificates (to make the tests clearer).
 template <size_t N>
 void LoadCertificateFiles(const char* const (&cert_files)[N],
                           CertificateList* certs) {
@@ skipping 100 matching lines @@
   int flags = 0;
   CertVerifyResult verify_result;
   int error = Verify(paypal_null_cert.get(),
                      "www.paypal.com",
                      flags,
                      NULL,
                      empty_cert_list_,
                      &verify_result);
 #if defined(USE_NSS_VERIFIER) || defined(OS_ANDROID)
   EXPECT_EQ(ERR_CERT_COMMON_NAME_INVALID, error);
+#elif defined(OS_IOS)

[davidben, 2016/04/11 21:46:26]

defined(OS_IOS) && TARGET_IPHONE_SIMULATOR?

That way we can test that it behaves right on a real device.

[svaldez, 2016/04/12 14:36:31]

Done.

+  // iOS returns a ERR_CERT_INVALID error on the real device, while returning
+  // a ERR_CERT_AUTHORITY_INVALID on the simulator.
+  EXPECT_NE(OK, error);
+  EXPECT_TRUE(verify_result.cert_status &
+              (CERT_STATUS_AUTHORITY_INVALID | CERT_STATUS_INVALID));
 #else
   // TOOD(bulach): investigate why macosx and win aren't returning
   // ERR_CERT_INVALID or ERR_CERT_COMMON_NAME_INVALID.
   EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);
 #endif
   // Either the system crypto library should correctly report a certificate
   // name mismatch, or our certificate blacklist should cause us to report an
   // invalid certificate.
 #if defined(USE_NSS_VERIFIER) || defined(OS_WIN)
   EXPECT_TRUE(verify_result.cert_status &
@@ skipping 34 matching lines @@
   int error = Verify(cert.get(),
                      "policy_test.example",
                      flags,
                      NULL,
                      empty_cert_list_,
                      &verify_result);
   EXPECT_EQ(OK, error);
   EXPECT_EQ(0u, verify_result.cert_status);
 }
 
+TEST_F(CertVerifyProcTest, RejectExpiredCert) {
+  base::FilePath certs_dir = GetTestCertsDirectory();
+
+  // Load root_ca_cert.pem into the test root store.
+  ScopedTestRoot test_root(
+      ImportCertFromFile(certs_dir, "root_ca_cert.pem").get());
+
+  CertificateList certs = CreateCertificateListFromFile(
+      certs_dir, "expired_cert.pem", X509Certificate::FORMAT_AUTO);
+  ASSERT_EQ(1U, certs.size());
+
+  X509Certificate::OSCertHandles intermediates;
+  scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromHandle(
+      certs[0]->os_cert_handle(), intermediates);
+
+  int flags = 0;
+  CertVerifyResult verify_result;
+  int error = Verify(cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_,
+                     &verify_result);
+  EXPECT_EQ(ERR_CERT_DATE_INVALID, error);
+  EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_DATE_INVALID);
+}
+
 // Test that verifying an ECDSA certificate doesn't crash on XP. (See
 // crbug.com/144466).
 TEST_F(CertVerifyProcTest, ECDSA_RSA) {
   base::FilePath certs_dir = GetTestCertsDirectory();
 
   scoped_refptr<X509Certificate> cert =
       ImportCertFromFile(certs_dir,
                          "prime256v1-ecdsa-ee-by-1024-rsa-intermediate.pem");
 
   CertVerifyResult verify_result;
@@ skipping 806 matching lines @@
   int flags = 0;
   CertVerifyResult verify_result;
   int error = Verify(
       cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result);
   EXPECT_EQ(OK, error);
   EXPECT_EQ(0U, verify_result.cert_status);
   // But should not be marked as a known root.
   EXPECT_FALSE(verify_result.is_issued_by_known_root);
 }
 
-#if defined(USE_NSS_CERTS) || defined(OS_IOS) || defined(OS_WIN) || \
-    defined(OS_MACOSX)
+#if defined(USE_NSS_VERIFIER) || defined(OS_WIN) || \
+    (defined(OS_MACOSX) && !defined(OS_IOS))
 // Test that CRLSets are effective in making a certificate appear to be
 // revoked.
 TEST_F(CertVerifyProcTest, CRLSet) {
   CertificateList ca_cert_list =
       CreateCertificateListFromFile(GetTestCertsDirectory(),
                                     "root_ca_cert.pem",
                                     X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(1U, ca_cert_list.size());
   ScopedTestRoot test_root(ca_cert_list[0].get());
 
@@ skipping 554 matching lines @@
   int flags = 0;
   CertVerifyResult verify_result;
   int error = Verify(cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_,
                      &verify_result);
   EXPECT_EQ(ERR_CERT_INVALID, error);
   EXPECT_EQ(CERT_STATUS_INVALID, verify_result.cert_status);
 }
 #endif  // defined(OS_MACOSX) && !defined(OS_IOS)
 
 }  // namespace net