Cert - protobufs to serialize and deserialize CertVerifierCache.

components/cronet/cert/cert_verifier_cache_persister_unittest.cc

+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "components/cronet/cert/cert_verifier_cache_persister.h"
+
+#include <memory>
+#include <string>
+
+#include "base/android/path_utils.h"
+#include "base/files/file_path.h"
+#include "base/memory/ptr_util.h"
+#include "base/memory/ref_counted.h"
+#include "net/base/net_errors.h"
+#include "net/base/test_completion_callback.h"
+#include "net/base/test_data_directory.h"
+#include "net/cert/caching_cert_verifier.h"
+#include "net/cert/cert_verifier.h"
+#include "net/cert/cert_verify_result.h"
+#include "net/cert/mock_cert_verifier.h"
+#include "net/cert/x509_certificate.h"
+#include "net/log/net_log.h"
+#include "net/test/cert_test_util.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+namespace cronet {
+
+namespace {
+
+int VerifyCert(scoped_refptr<net::X509Certificate> certificate,
+               const std::string& hostname,
+               net::CachingCertVerifier* verifier,
+               net::CertVerifyResult* verify_result) {
+  net::TestCompletionCallback callback;
+  std::unique_ptr<net::CertVerifier::Request> request;
+
+  return callback.GetResult(verifier->Verify(
+      net::CertVerifier::RequestParams(certificate, hostname, 0, std::string(),
+                                       net::CertificateList()),
+      nullptr, verify_result, callback.callback(), &request,
+      net::BoundNetLog()));
+}
+
+cronet_pb::CertVerificationCache VerifyAndSerializeCert(
+    const std::string& cert_name,
+    const std::string& hostname,
+    net::CachingCertVerifier* verifier,
+    net::CertVerifyResult* verify_result) {
+  // Set up server certs.
+  scoped_refptr<net::X509Certificate> cert(
+      net::ImportCertFromFile(net::GetTestCertsDirectory(), cert_name));
+  EXPECT_TRUE(cert.get());
+
+  int error = VerifyCert(cert, hostname, verifier, verify_result);
+  EXPECT_TRUE(net::IsCertificateError(error));
+
+  cronet_pb::CertVerificationCache cert_cache =
+      SerializeCertVerifierCache(*verifier);
+  DCHECK_EQ(1, cert_cache.cert_entry_size());
+  DCHECK_EQ(1, cert_cache.cache_entry_size());
+  return cert_cache;
+}
+
+}  // namespace
+
+class CertVerifierCachePersisterTest : public ::testing::Test {
+ public:
+  CertVerifierCachePersisterTest()
+      : verifier_(base::MakeUnique<net::MockCertVerifier>()) {}
+  ~CertVerifierCachePersisterTest() override {}
+
+ protected:
+  net::CachingCertVerifier verifier_;
+};
+
+TEST_F(CertVerifierCachePersisterTest, RestoreEmptyData) {
+  // Restoring empty data should fail.
+  cronet_pb::CertVerificationCache cert_cache;
+  EXPECT_FALSE(DeserializeCertVerifierCache(cert_cache, &verifier_));
+}
+
+TEST_F(CertVerifierCachePersisterTest, SerializeCache) {
+  net::CertVerifyResult verify_result;
+  cronet_pb::CertVerificationCache cert_cache = VerifyAndSerializeCert(
+      "ok_cert.pem", "www.example.com", &verifier_, &verify_result);
+}
+
+TEST_F(CertVerifierCachePersisterTest, RestoreExistingEntry) {
+  net::CertVerifyResult verify_result;
+  cronet_pb::CertVerificationCache cert_cache = VerifyAndSerializeCert(
+      "ok_cert.pem", "www.example.com", &verifier_, &verify_result);
+
+  // Restore the cache data for an existing entry shouldn't fail.
+  EXPECT_TRUE(DeserializeCertVerifierCache(cert_cache, &verifier_));
+}
+
+TEST_F(CertVerifierCachePersisterTest, RestoreDataIntoNewVerifier) {
+  scoped_refptr<net::X509Certificate> ok_cert(
+      net::ImportCertFromFile(net::GetTestCertsDirectory(), "ok_cert.pem"));
+  ASSERT_NE(static_cast<net::X509Certificate*>(NULL), ok_cert.get());
+
+  int error;
+  std::string example_hostname("www.example.com");
+  net::CertVerifyResult verify_result;
+  net::TestCompletionCallback callback;
+  std::unique_ptr<net::CertVerifier::Request> request;
+
+  error = callback.GetResult(verifier_.Verify(
+      net::CertVerifier::RequestParams(ok_cert, example_hostname, 0,
+                                       std::string(), net::CertificateList()),
+      nullptr, &verify_result, callback.callback(), &request,
+      net::BoundNetLog()));
+  ASSERT_TRUE(net::IsCertificateError(error));
+
+  cronet_pb::CertVerificationCache cert_cache =
+      SerializeCertVerifierCache(verifier_);
+  DCHECK_EQ(1, cert_cache.cert_entry_size());
+  DCHECK_EQ(1, cert_cache.cache_entry_size());
+
+  // Create a new Verifier and restoring the data into it should succeed.
+  net::CachingCertVerifier verifier2(base::MakeUnique<net::MockCertVerifier>());
+  EXPECT_TRUE(DeserializeCertVerifierCache(cert_cache, &verifier2));
+
+  net::CertVerifyResult verify_result2;
+  error = callback.GetResult(verifier2.Verify(
+      net::CertVerifier::RequestParams(ok_cert, example_hostname, 0,
+                                       std::string(), net::CertificateList()),
+      nullptr, &verify_result2, callback.callback(), &request,
+      net::BoundNetLog()));
+  // Synchronous completion and verify it is same as serialized data.
+  ASSERT_NE(net::ERR_IO_PENDING, error);
+  ASSERT_TRUE(net::IsCertificateError(error));
+  ASSERT_FALSE(request);
+  EXPECT_EQ(verify_result2.cert_status, verify_result.cert_status);
+}
+
+TEST_F(CertVerifierCachePersisterTest, RestoreMultipleEntriesIntoNewVerifier) {
+  scoped_refptr<net::X509Certificate> ok_cert(
+      net::ImportCertFromFile(net::GetTestCertsDirectory(), "ok_cert.pem"));
+  ASSERT_NE(static_cast<net::X509Certificate*>(NULL), ok_cert.get());
+
+  const scoped_refptr<net::X509Certificate> root_cert =
+      net::ImportCertFromFile(net::GetTestCertsDirectory(), "root_ca_cert.pem");
+  ASSERT_TRUE(root_cert.get());
+
+  // Create a certificate that contains both a leaf and an intermediate/root.
+  net::X509Certificate::OSCertHandles chain;
+  chain.push_back(root_cert->os_cert_handle());
+  const scoped_refptr<net::X509Certificate> combined_cert =
+      net::X509Certificate::CreateFromHandle(ok_cert->os_cert_handle(), chain);
+  ASSERT_TRUE(combined_cert.get());
+
+  int error;
+  net::TestCompletionCallback callback;
+  std::unique_ptr<net::CertVerifier::Request> request;
+
+  // Verify www.example.com host's certificate.
+  std::string example_hostname("www.example.com");
+  net::CertVerifyResult verifyier1_result1;
+  error = callback.GetResult(verifier_.Verify(
+      net::CertVerifier::RequestParams(ok_cert, example_hostname, 0,
+                                       std::string(), net::CertificateList()),
+      nullptr, &verifyier1_result1, callback.callback(), &request,
+      net::BoundNetLog()));
+  ASSERT_TRUE(net::IsCertificateError(error));
+
+  // Verify www.example2.com host's certificate.
+  std::string example2_hostname("www.example2.com");
+  net::CertVerifyResult verifier1_result2;
+  error = callback.GetResult(verifier_.Verify(
+      net::CertVerifier::RequestParams(combined_cert, example2_hostname, 0,
+                                       std::string(), net::CertificateList()),
+      nullptr, &verifier1_result2, callback.callback(), &request,
+      net::BoundNetLog()));
+  ASSERT_TRUE(net::IsCertificateError(error));
+
+  cronet_pb::CertVerificationCache cert_cache =
+      SerializeCertVerifierCache(verifier_);
+  DCHECK_EQ(2, cert_cache.cert_entry_size());
+  DCHECK_EQ(2, cert_cache.cache_entry_size());
+
+  // Create a new Verifier and restoring the data into it should succeed.
+  net::CachingCertVerifier verifier2(base::MakeUnique<net::MockCertVerifier>());
+
+  // Populate |verifier2|'s cache.
+  EXPECT_TRUE(DeserializeCertVerifierCache(cert_cache, &verifier2));
+
+  // Verify the cert for www.example.com with |verifier2|.
+  net::CertVerifyResult verifier2_result1;
+  error = callback.GetResult(verifier2.Verify(
+      net::CertVerifier::RequestParams(ok_cert, example_hostname, 0,
+                                       std::string(), net::CertificateList()),
+      nullptr, &verifier2_result1, callback.callback(), &request,
+      net::BoundNetLog()));
+  // Synchronous completion and verify it is same as serialized data for
+  // www.example.com.
+  ASSERT_NE(net::ERR_IO_PENDING, error);
+  ASSERT_TRUE(net::IsCertificateError(error));
+  ASSERT_FALSE(request);
+  EXPECT_EQ(verifier2_result1.cert_status, verifyier1_result1.cert_status);
+
+  // Verify the cert for www.example2.com with |verifier2|.
+  net::CertVerifyResult verifier2_result2;
+  error = callback.GetResult(verifier2.Verify(
+      net::CertVerifier::RequestParams(combined_cert, example2_hostname, 0,
+                                       std::string(), net::CertificateList()),
+      nullptr, &verifier2_result2, callback.callback(), &request,
+      net::BoundNetLog()));
+  // Synchronous completion and verify it is same as serialized data for
+  // www.example2.com.
+  ASSERT_NE(net::ERR_IO_PENDING, error);
+  ASSERT_TRUE(net::IsCertificateError(error));
+  ASSERT_FALSE(request);
+  EXPECT_EQ(verifier2_result2.cert_status, verifier1_result2.cert_status);
+}
+
+TEST_F(CertVerifierCachePersisterTest, DeserializeCorruptedCerts) {
+  net::CertVerifyResult verify_result;
+  cronet_pb::CertVerificationCache cert_cache = VerifyAndSerializeCert(
+      "ok_cert.pem", "www.example.com", &verifier_, &verify_result);
+
+  // Corrupt deserialized certs and verify deserialization failure.
+  cert_cache.clear_cert_entry();
+
+  net::CachingCertVerifier verifier2(base::MakeUnique<net::MockCertVerifier>());
+  EXPECT_FALSE(DeserializeCertVerifierCache(cert_cache, &verifier2));
+}
+
+TEST_F(CertVerifierCachePersisterTest, DeserializeCorruptedCacheEntry) {
+  net::CertVerifyResult verify_result;
+  cronet_pb::CertVerificationCache cert_cache = VerifyAndSerializeCert(
+      "ok_cert.pem", "www.example.com", &verifier_, &verify_result);
+
+  // Corrupt cronet_pb::CertVerificationCacheEntry and verify deserialization
+  // failure.
+  cert_cache.clear_cache_entry();
+
+  net::CachingCertVerifier verifier2(base::MakeUnique<net::MockCertVerifier>());
+  EXPECT_FALSE(DeserializeCertVerifierCache(cert_cache, &verifier2));
+}
+
+TEST_F(CertVerifierCachePersisterTest, DeserializeCorruptedRequestParams) {
+  net::CertVerifyResult verify_result;
+  cronet_pb::CertVerificationCache cert_cache = VerifyAndSerializeCert(
+      "ok_cert.pem", "www.example.com", &verifier_, &verify_result);
+
+  for (int i = 0; i < cert_cache.cache_entry_size(); ++i) {
+    cronet_pb::CertVerificationCacheEntry* cache_entry =
+        cert_cache.mutable_cache_entry(i);
+    // Corrupt request_params and verify deserialization failure.
+    cache_entry->clear_request_params();
+  }
+
+  net::CachingCertVerifier verifier2(base::MakeUnique<net::MockCertVerifier>());
+  EXPECT_FALSE(DeserializeCertVerifierCache(cert_cache, &verifier2));
+}
+
+TEST_F(CertVerifierCachePersisterTest, DeserializeRequestParamsNoCertificate) {
+  net::CertVerifyResult verify_result;
+  cronet_pb::CertVerificationCache cert_cache = VerifyAndSerializeCert(
+      "ok_cert.pem", "www.example.com", &verifier_, &verify_result);
+
+  for (int i = 0; i < cert_cache.cache_entry_size(); ++i) {
+    cronet_pb::CertVerificationCacheEntry* cache_entry =
+        cert_cache.mutable_cache_entry(i);
+    cronet_pb::CertVerificationRequestParams* request_params =
+        cache_entry->mutable_request_params();
+    // Corrupt request_params's certificate and verify deserialization failure.
+    request_params->clear_certificate();
+  }
+
+  net::CachingCertVerifier verifier2(base::MakeUnique<net::MockCertVerifier>());
+  EXPECT_FALSE(DeserializeCertVerifierCache(cert_cache, &verifier2));
+}
+
+TEST_F(CertVerifierCachePersisterTest, DeserializeRequestParamsNoHostname) {
+  net::CertVerifyResult verify_result;
+  cronet_pb::CertVerificationCache cert_cache = VerifyAndSerializeCert(
+      "ok_cert.pem", "www.example.com", &verifier_, &verify_result);
+
+  for (int i = 0; i < cert_cache.cache_entry_size(); ++i) {
+    cronet_pb::CertVerificationCacheEntry* cache_entry =
+        cert_cache.mutable_cache_entry(i);
+    cronet_pb::CertVerificationRequestParams* request_params =
+        cache_entry->mutable_request_params();
+    // Corrupt request_params's hostname and verify deserialization failure.
+    request_params->clear_hostname();
+  }
+
+  net::CachingCertVerifier verifier2(base::MakeUnique<net::MockCertVerifier>());
+  EXPECT_FALSE(DeserializeCertVerifierCache(cert_cache, &verifier2));
+}
+
+TEST_F(CertVerifierCachePersisterTest, DeserializeRequestParamsEmptyHostname) {
+  net::CertVerifyResult verify_result;
+  cronet_pb::CertVerificationCache cert_cache = VerifyAndSerializeCert(
+      "ok_cert.pem", "www.example.com", &verifier_, &verify_result);
+
+  for (int i = 0; i < cert_cache.cache_entry_size(); ++i) {
+    cronet_pb::CertVerificationCacheEntry* cache_entry =
+        cert_cache.mutable_cache_entry(i);
+    cronet_pb::CertVerificationRequestParams* request_params =
+        cache_entry->mutable_request_params();
+    // Set bogus hostname and verify deserialization failure.
+    request_params->set_hostname("");
+  }
+
+  net::CachingCertVerifier verifier2(base::MakeUnique<net::MockCertVerifier>());
+  EXPECT_FALSE(DeserializeCertVerifierCache(cert_cache, &verifier2));
+}
+
+TEST_F(CertVerifierCachePersisterTest, DeserializeRequestParamsNoFlags) {
+  net::CertVerifyResult verify_result;
+  cronet_pb::CertVerificationCache cert_cache = VerifyAndSerializeCert(
+      "ok_cert.pem", "www.example.com", &verifier_, &verify_result);
+
+  for (int i = 0; i < cert_cache.cache_entry_size(); ++i) {
+    cronet_pb::CertVerificationCacheEntry* cache_entry =
+        cert_cache.mutable_cache_entry(i);
+    cronet_pb::CertVerificationRequestParams* request_params =
+        cache_entry->mutable_request_params();
+    // Corrupt request_params's flags and verify deserialization failure.
+    request_params->clear_flags();
+  }
+
+  net::CachingCertVerifier verifier2(base::MakeUnique<net::MockCertVerifier>());
+  EXPECT_FALSE(DeserializeCertVerifierCache(cert_cache, &verifier2));
+}
+
+TEST_F(CertVerifierCachePersisterTest, DeserializeRequestParamsNoOcspResponse) {
+  net::CertVerifyResult verify_result;
+  cronet_pb::CertVerificationCache cert_cache = VerifyAndSerializeCert(
+      "ok_cert.pem", "www.example.com", &verifier_, &verify_result);
+
+  for (int i = 0; i < cert_cache.cache_entry_size(); ++i) {
+    cronet_pb::CertVerificationCacheEntry* cache_entry =
+        cert_cache.mutable_cache_entry(i);
+    cronet_pb::CertVerificationRequestParams* request_params =
+        cache_entry->mutable_request_params();
+    // Corrupt request_params's flags and verify deserialization failure.
+    request_params->clear_ocsp_response();
+  }
+
+  net::CachingCertVerifier verifier2(base::MakeUnique<net::MockCertVerifier>());
+  EXPECT_FALSE(DeserializeCertVerifierCache(cert_cache, &verifier2));
+}
+
+TEST_F(CertVerifierCachePersisterTest,
+       DeserializeRequestParamsCertificateNoCertNumbers) {
+  net::CertVerifyResult verify_result;
+  cronet_pb::CertVerificationCache cert_cache = VerifyAndSerializeCert(
+      "ok_cert.pem", "www.example.com", &verifier_, &verify_result);
+
+  for (int i = 0; i < cert_cache.cache_entry_size(); ++i) {
+    cronet_pb::CertVerificationCacheEntry* cache_entry =
+        cert_cache.mutable_cache_entry(i);
+    cronet_pb::CertVerificationRequestParams* request_params =
+        cache_entry->mutable_request_params();
+    cronet_pb::CertVerificationCertificate* certificate =
+        request_params->mutable_certificate();
+    // Corrupt request_params's certificate and verify deserialization failure.
+    certificate->clear_cert_numbers();
+  }
+
+  net::CachingCertVerifier verifier2(base::MakeUnique<net::MockCertVerifier>());
+  EXPECT_FALSE(DeserializeCertVerifierCache(cert_cache, &verifier2));
+}
+
+TEST_F(CertVerifierCachePersisterTest,
+       DeserializeCorruptedRequestParamsCertNumbers) {
+  net::CertVerifyResult verify_result;
+  cronet_pb::CertVerificationCache cert_cache = VerifyAndSerializeCert(
+      "ok_cert.pem", "www.example.com", &verifier_, &verify_result);
+
+  for (int i = 0; i < cert_cache.cache_entry_size(); ++i) {
+    cronet_pb::CertVerificationCacheEntry* cache_entry =
+        cert_cache.mutable_cache_entry(i);
+    cronet_pb::CertVerificationRequestParams* request_params =
+        cache_entry->mutable_request_params();
+    cronet_pb::CertVerificationCertificate* certificate =
+        request_params->mutable_certificate();
+    // Set bogus certificate and verify deserialization failure.
+    certificate->set_cert_numbers(0, 100);
+  }
+
+  net::CachingCertVerifier verifier2(base::MakeUnique<net::MockCertVerifier>());
+  EXPECT_FALSE(DeserializeCertVerifierCache(cert_cache, &verifier2));
+}
+
+TEST_F(CertVerifierCachePersisterTest,
+       DeserializeRequestParamsCertificateNoTrustAnchors) {
+  net::CertificateList ca_cert_list = net::CreateCertificateListFromFile(
+      net::GetTestCertsDirectory(), "root_ca_cert.pem",
+      net::X509Certificate::FORMAT_AUTO);
+  ASSERT_EQ(1U, ca_cert_list.size());
+  scoped_refptr<net::X509Certificate> ca_cert(ca_cert_list[0]);
+
+  net::CertificateList cert_list = net::CreateCertificateListFromFile(
+      net::GetTestCertsDirectory(), "ok_cert.pem",
+      net::X509Certificate::FORMAT_AUTO);
+  ASSERT_EQ(1U, cert_list.size());
+  scoped_refptr<net::X509Certificate> cert(cert_list[0]);
+
+  // Now add the |ca_cert| to the |trust_anchors|, and verification should pass.
+  net::CertificateList trust_anchors;
+  trust_anchors.push_back(ca_cert);
+
+  int error;
+  net::CertVerifyResult verify_result;
+  net::TestCompletionCallback callback;
+  std::unique_ptr<net::CertVerifier::Request> request;
+
+  error = callback.GetResult(verifier_.Verify(
+      net::CertVerifier::RequestParams(cert, "www.example.com", 0,
+                                       std::string(), trust_anchors),
+      nullptr, &verify_result, callback.callback(), &request,
+      net::BoundNetLog()));
+  EXPECT_TRUE(net::IsCertificateError(error));
+
+  cronet_pb::CertVerificationCache cert_cache =
+      SerializeCertVerifierCache(verifier_);
+  DCHECK_EQ(2, cert_cache.cert_entry_size());
+  DCHECK_EQ(1, cert_cache.cache_entry_size());
+
+  for (int i = 0; i < cert_cache.cache_entry_size(); ++i) {
+    cronet_pb::CertVerificationCacheEntry* cache_entry =
+        cert_cache.mutable_cache_entry(i);
+    cronet_pb::CertVerificationRequestParams* request_params =
+        cache_entry->mutable_request_params();
+    for (int j = 0; j < request_params->additional_trust_anchors_size(); ++j) {
+      cronet_pb::CertVerificationCertificate* certificate =
+          request_params->mutable_additional_trust_anchors(j);
+      // Corrupt the certificate number in |additional_trust_anchors| and verify
+      // deserialization failure.w
+      certificate->clear_cert_numbers();
+    }
+  }
+
+  net::CachingCertVerifier verifier2(base::MakeUnique<net::MockCertVerifier>());
+  EXPECT_FALSE(DeserializeCertVerifierCache(cert_cache, &verifier2));
+}
+
+TEST_F(CertVerifierCachePersisterTest, DeserializeCorruptedCachedResult) {
+  net::CertVerifyResult verify_result;
+  cronet_pb::CertVerificationCache cert_cache = VerifyAndSerializeCert(
+      "ok_cert.pem", "www.example.com", &verifier_, &verify_result);
+
+  for (int i = 0; i < cert_cache.cache_entry_size(); ++i) {
+    cronet_pb::CertVerificationCacheEntry* cache_entry =
+        cert_cache.mutable_cache_entry(i);
+    // Corrupt the |cached_result| and verify deserialization failure.
+    cache_entry->clear_cached_result();
+  }
+
+  net::CachingCertVerifier verifier2(base::MakeUnique<net::MockCertVerifier>());
+  EXPECT_FALSE(DeserializeCertVerifierCache(cert_cache, &verifier2));
+}
+
+TEST_F(CertVerifierCachePersisterTest, DeserializeCachedResultNoError) {
+  net::CertVerifyResult verify_result;
+  cronet_pb::CertVerificationCache cert_cache = VerifyAndSerializeCert(
+      "ok_cert.pem", "www.example.com", &verifier_, &verify_result);
+
+  for (int i = 0; i < cert_cache.cache_entry_size(); ++i) {
+    cronet_pb::CertVerificationCacheEntry* cache_entry =
+        cert_cache.mutable_cache_entry(i);
+    cronet_pb::CertVerificationCachedResult* cached_result =
+        cache_entry->mutable_cached_result();
+    // Corrupt the |error| and verify deserialization failure.
+    cached_result->clear_error();
+  }
+
+  net::CachingCertVerifier verifier2(base::MakeUnique<net::MockCertVerifier>());
+  EXPECT_FALSE(DeserializeCertVerifierCache(cert_cache, &verifier2));
+}
+
+TEST_F(CertVerifierCachePersisterTest, DeserializeCachedResultNoResult) {
+  net::CertVerifyResult verify_result;
+  cronet_pb::CertVerificationCache cert_cache = VerifyAndSerializeCert(
+      "ok_cert.pem", "www.example.com", &verifier_, &verify_result);
+
+  for (int i = 0; i < cert_cache.cache_entry_size(); ++i) {
+    cronet_pb::CertVerificationCacheEntry* cache_entry =
+        cert_cache.mutable_cache_entry(i);
+    cronet_pb::CertVerificationCachedResult* cached_result =
+        cache_entry->mutable_cached_result();
+    // Corrupt the |cached_result| and verify deserialization failure.
+    cached_result->clear_result();
+  }
+
+  net::CachingCertVerifier verifier2(base::MakeUnique<net::MockCertVerifier>());
+  EXPECT_FALSE(DeserializeCertVerifierCache(cert_cache, &verifier2));
+}
+
+TEST_F(CertVerifierCachePersisterTest, DeserializeCachedResultNoCertStatus) {
+  net::CertVerifyResult verify_result;
+  cronet_pb::CertVerificationCache cert_cache = VerifyAndSerializeCert(
+      "ok_cert.pem", "www.example.com", &verifier_, &verify_result);
+
+  for (int i = 0; i < cert_cache.cache_entry_size(); ++i) {
+    cronet_pb::CertVerificationCacheEntry* cache_entry =
+        cert_cache.mutable_cache_entry(i);
+    cronet_pb::CertVerificationCachedResult* cached_result =
+        cache_entry->mutable_cached_result();
+    cronet_pb::CertVerificationResult* result = cached_result->mutable_result();
+    // Corrupt the |cert_status| and verify deserialization failure.
+    result->clear_cert_status();
+  }
+
+  net::CachingCertVerifier verifier2(base::MakeUnique<net::MockCertVerifier>());
+  EXPECT_FALSE(DeserializeCertVerifierCache(cert_cache, &verifier2));
+}
+
+TEST_F(CertVerifierCachePersisterTest, DeserializeCachedResultNoVerifiedCert) {
+  net::CertVerifyResult verify_result;
+  cronet_pb::CertVerificationCache cert_cache = VerifyAndSerializeCert(
+      "ok_cert.pem", "www.example.com", &verifier_, &verify_result);
+
+  for (int i = 0; i < cert_cache.cache_entry_size(); ++i) {
+    cronet_pb::CertVerificationCacheEntry* cache_entry =
+        cert_cache.mutable_cache_entry(i);
+    cronet_pb::CertVerificationCachedResult* cached_result =
+        cache_entry->mutable_cached_result();
+    cronet_pb::CertVerificationResult* result = cached_result->mutable_result();
+    // Corrupt the |verified_cert| and verify deserialization failure.
+    result->clear_verified_cert();
+  }
+
+  net::CachingCertVerifier verifier2(base::MakeUnique<net::MockCertVerifier>());
+  EXPECT_FALSE(DeserializeCertVerifierCache(cert_cache, &verifier2));
+}
+
+TEST_F(CertVerifierCachePersisterTest,
+       DeserializeCachedResultNoVerifiedCertNumber) {
+  net::CertVerifyResult verify_result;
+  cronet_pb::CertVerificationCache cert_cache = VerifyAndSerializeCert(
+      "ok_cert.pem", "www.example.com", &verifier_, &verify_result);
+
+  for (int i = 0; i < cert_cache.cache_entry_size(); ++i) {
+    cronet_pb::CertVerificationCacheEntry* cache_entry =
+        cert_cache.mutable_cache_entry(i);
+    cronet_pb::CertVerificationCachedResult* cached_result =
+        cache_entry->mutable_cached_result();
+    cronet_pb::CertVerificationResult* result = cached_result->mutable_result();
+    result->clear_verified_cert();
+    // Corrupt the verified certificate and verify deserialization failure.
+    cronet_pb::CertVerificationCertificate* certificate =
+        result->mutable_verified_cert();
+    certificate->clear_cert_numbers();
+  }
+
+  net::CachingCertVerifier verifier2(base::MakeUnique<net::MockCertVerifier>());
+  EXPECT_FALSE(DeserializeCertVerifierCache(cert_cache, &verifier2));
+}
+
+TEST_F(CertVerifierCachePersisterTest,
+       DeserializeCorruptedCachedResultVerifiedCertNumber) {
+  net::CertVerifyResult verify_result;
+  cronet_pb::CertVerificationCache cert_cache = VerifyAndSerializeCert(
+      "ok_cert.pem", "www.example.com", &verifier_, &verify_result);
+
+  for (int i = 0; i < cert_cache.cache_entry_size(); ++i) {
+    cronet_pb::CertVerificationCacheEntry* cache_entry =
+        cert_cache.mutable_cache_entry(i);
+    cronet_pb::CertVerificationCachedResult* cached_result =
+        cache_entry->mutable_cached_result();
+    cronet_pb::CertVerificationResult* result = cached_result->mutable_result();
+    cronet_pb::CertVerificationCertificate* certificate =
+        result->mutable_verified_cert();
+    // Set bogus certificate number and verify deserialization failure.
+    certificate->set_cert_numbers(0, 100);
+  }
+
+  net::CachingCertVerifier verifier2(base::MakeUnique<net::MockCertVerifier>());
+  EXPECT_FALSE(DeserializeCertVerifierCache(cert_cache, &verifier2));
+}
+
+TEST_F(CertVerifierCachePersisterTest,
+       DeserializeCorruptedCachedResultPublicKeyHashes) {
+  net::CertVerifyResult verify_result;
+  cronet_pb::CertVerificationCache cert_cache = VerifyAndSerializeCert(
+      "ok_cert.pem", "www.example.com", &verifier_, &verify_result);
+
+  for (int i = 0; i < cert_cache.cache_entry_size(); ++i) {
+    cronet_pb::CertVerificationCacheEntry* cache_entry =
+        cert_cache.mutable_cache_entry(i);
+    cronet_pb::CertVerificationCachedResult* cached_result =
+        cache_entry->mutable_cached_result();
+    cronet_pb::CertVerificationResult* result = cached_result->mutable_result();
+    // Set bogus |public_key_hashes| and verify deserialization failure.
+    result->add_public_key_hashes("");
+  }
+
+  net::CachingCertVerifier verifier2(base::MakeUnique<net::MockCertVerifier>());
+  EXPECT_FALSE(DeserializeCertVerifierCache(cert_cache, &verifier2));
+}
+
+TEST_F(CertVerifierCachePersisterTest, DeserializeCorruptedVerificationTime) {
+  net::CertVerifyResult verify_result;
+  cronet_pb::CertVerificationCache cert_cache = VerifyAndSerializeCert(
+      "ok_cert.pem", "www.example.com", &verifier_, &verify_result);
+
+  for (int i = 0; i < cert_cache.cache_entry_size(); ++i) {
+    cronet_pb::CertVerificationCacheEntry* cache_entry =
+        cert_cache.mutable_cache_entry(i);
+    // Corrupt |verification_time| and verify deserialization failure.
+    cache_entry->clear_verification_time();
+  }
+
+  net::CachingCertVerifier verifier2(base::MakeUnique<net::MockCertVerifier>());
+  EXPECT_FALSE(DeserializeCertVerifierCache(cert_cache, &verifier2));
+}
+
+}  // namespace cronet