Fixing BoringSSL on iOS

net/cert/cert_verify_proc_unittest.cc

Index: net/cert/cert_verify_proc_unittest.cc
diff --git a/net/cert/cert_verify_proc_unittest.cc b/net/cert/cert_verify_proc_unittest.cc
index 07ef561581240a34723d1739447fa31716614e68..b4b6a63153fad57d3b157c3b10ec9fa7ac5ae3a1 100644
--- a/net/cert/cert_verify_proc_unittest.cc
+++ b/net/cert/cert_verify_proc_unittest.cc
@@ -103,6 +103,9 @@ bool SupportsDetectingKnownRoots() {
   // the verified certificate chain and detect known roots.
   if (base::android::BuildInfo::GetInstance()->sdk_int() < 17)
     return false;
+#elif defined(OS_IOS) && defined(USE_OPENSSL)
+  // iOS does not expose the APIs necessary to get the known system roots.
+  return false;
 #endif
   return true;
 }
@@ -223,6 +226,12 @@ TEST_F(CertVerifyProcTest, PaypalNullCertParsing) {
                      &verify_result);
 #if defined(USE_NSS_VERIFIER) || defined(OS_ANDROID)
   EXPECT_EQ(ERR_CERT_COMMON_NAME_INVALID, error);
+#elif defined(OS_IOS)

[davidben, 2016/04/11 21:46:26]

defined(OS_IOS) && TARGET_IPHONE_SIMULATOR?

That way we can test that it behaves right on a real device.

[svaldez, 2016/04/12 14:36:31]

Done.

+  // iOS returns a ERR_CERT_INVALID error on the real device, while returning
+  // a ERR_CERT_AUTHORITY_INVALID on the simulator.
+  EXPECT_NE(OK, error);
+  EXPECT_TRUE(verify_result.cert_status &
+              (CERT_STATUS_AUTHORITY_INVALID | CERT_STATUS_INVALID));
 #else
   // TOOD(bulach): investigate why macosx and win aren't returning
   // ERR_CERT_INVALID or ERR_CERT_COMMON_NAME_INVALID.
@@ -277,6 +286,29 @@ TEST_F(CertVerifyProcTest, MAYBE_IntermediateCARequireExplicitPolicy) {
   EXPECT_EQ(0u, verify_result.cert_status);
 }
 
+TEST_F(CertVerifyProcTest, RejectExpiredCert) {
+  base::FilePath certs_dir = GetTestCertsDirectory();
+
+  // Load root_ca_cert.pem into the test root store.
+  ScopedTestRoot test_root(
+      ImportCertFromFile(certs_dir, "root_ca_cert.pem").get());
+
+  CertificateList certs = CreateCertificateListFromFile(
+      certs_dir, "expired_cert.pem", X509Certificate::FORMAT_AUTO);
+  ASSERT_EQ(1U, certs.size());
+
+  X509Certificate::OSCertHandles intermediates;
+  scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromHandle(
+      certs[0]->os_cert_handle(), intermediates);
+
+  int flags = 0;
+  CertVerifyResult verify_result;
+  int error = Verify(cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_,
+                     &verify_result);
+  EXPECT_EQ(ERR_CERT_DATE_INVALID, error);
+  EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_DATE_INVALID);
+}
+
 // Test that verifying an ECDSA certificate doesn't crash on XP. (See
 // crbug.com/144466).
 TEST_F(CertVerifyProcTest, ECDSA_RSA) {
@@ -1103,8 +1135,8 @@ TEST_F(CertVerifyProcTest, IsIssuedByKnownRootIgnoresTestRoots) {
   EXPECT_FALSE(verify_result.is_issued_by_known_root);
 }
 
-#if defined(USE_NSS_CERTS) || defined(OS_IOS) || defined(OS_WIN) || \
-    defined(OS_MACOSX)
+#if defined(USE_NSS_VERIFIER) || defined(OS_WIN) || \
+    (defined(OS_MACOSX) && !defined(OS_IOS))
 // Test that CRLSets are effective in making a certificate appear to be
 // revoked.
 TEST_F(CertVerifyProcTest, CRLSet) {