Cert - protobufs to serialize and deserialize CertVerifierCache.

components/cronet/cert/cert_verifier_cache_persister_unittest.cc

+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "components/cronet/cert/cert_verifier_cache_persister.h"
+
+#include <memory>
+#include <string>
+
+#include "base/android/path_utils.h"
+#include "base/files/file_path.h"
+#include "base/memory/ptr_util.h"
+#include "base/memory/ref_counted.h"
+#include "net/base/net_errors.h"
+#include "net/base/test_completion_callback.h"
+#include "net/base/test_data_directory.h"
+#include "net/cert/caching_cert_verifier.h"
+#include "net/cert/cert_verifier.h"
+#include "net/cert/cert_verify_result.h"
+#include "net/cert/mock_cert_verifier.h"
+#include "net/cert/x509_certificate.h"
+#include "net/log/net_log.h"
+#include "net/test/cert_test_util.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+namespace cronet {
+
+namespace {
+
+void VerifyCert(const std::string& cert_name,
+                const std::string& hostname,
+                net::CachingCertVerifier* verifier,
+                net::CertVerifyResult* verify_result) {
+  // Set up server certs.
+  scoped_refptr<net::X509Certificate> cert(
+      net::ImportCertFromFile(net::GetTestCertsDirectory(), cert_name));
+  ASSERT_TRUE(cert);
+
+  net::TestCompletionCallback callback;
+  std::unique_ptr<net::CertVerifier::Request> request;
+
+  int error = callback.GetResult(verifier->Verify(
+      net::CertVerifier::RequestParams(cert.get(), hostname, 0, std::string(),
+                                       net::CertificateList()),
+      nullptr, verify_result, callback.callback(), &request,
+      net::BoundNetLog()));
+
+  ASSERT_TRUE(net::IsCertificateError(error));
+}
+
+}  // namespace
+
+TEST(CertVerifierCachePersisterTest, RestoreEmptyData) {
+  // Restoring empty data should fail.
+  cronet_pb::CertVerificationCache cert_cache;
+  net::CachingCertVerifier verifier(base::MakeUnique<net::MockCertVerifier>());
+  EXPECT_FALSE(DeserializeCertVerifierCache(cert_cache, &verifier));
+}
+
+TEST(CertVerifierCachePersisterTest, SerializeCache) {
+  net::CertVerifyResult verify_result;
+  net::CachingCertVerifier verifier(base::MakeUnique<net::MockCertVerifier>());
+  ASSERT_NO_FATAL_FAILURE(
+      VerifyCert("ok_cert.pem", "www.example.com", &verifier, &verify_result));
+  cronet_pb::CertVerificationCache cert_cache =
+      SerializeCertVerifierCache(verifier);
+  DCHECK_EQ(1, cert_cache.cert_entry_size());
+  DCHECK_EQ(1, cert_cache.cache_entry_size());
+}
+
+// Create a new Verifier and restoring the data into it should succeed.
+TEST(CertVerifierCachePersisterTest, RestoreMultipleEntriesIntoNewVerifier) {
+  scoped_refptr<net::X509Certificate> ok_cert(
+      net::ImportCertFromFile(net::GetTestCertsDirectory(), "ok_cert.pem"));
+  ASSERT_TRUE(ok_cert);
+
+  const scoped_refptr<net::X509Certificate> root_cert =
+      net::ImportCertFromFile(net::GetTestCertsDirectory(), "root_ca_cert.pem");
+  ASSERT_TRUE(root_cert);
+
+  // Create a certificate that contains both a leaf and an intermediate/root.
+  net::X509Certificate::OSCertHandles chain;
+  chain.push_back(root_cert->os_cert_handle());
+  const scoped_refptr<net::X509Certificate> combined_cert =
+      net::X509Certificate::CreateFromHandle(ok_cert->os_cert_handle(), chain);
+  ASSERT_TRUE(combined_cert);
+
+  int error;
+  net::TestCompletionCallback callback;
+  std::unique_ptr<net::CertVerifier::Request> request;
+
+  // Verify www.example.com host's certificate.
+  std::string example_hostname("www.example.com");
+  net::CertVerifyResult verifyier1_result1;

[Ryan Sleevi, 2016/06/21 01:22:10]

spelling: verifier1_result

[ramant (doing other things), 2016/06/21 16:52:02]

Done.

+  net::CachingCertVerifier verifier(base::MakeUnique<net::MockCertVerifier>());
+  error = callback.GetResult(verifier.Verify(
+      net::CertVerifier::RequestParams(ok_cert, example_hostname, 0,
+                                       std::string(), net::CertificateList()),
+      nullptr, &verifyier1_result1, callback.callback(), &request,
+      net::BoundNetLog()));
+  ASSERT_TRUE(net::IsCertificateError(error));
+
+  // Verify www.example2.com host's certificate.

[Ryan Sleevi, 2016/06/21 01:22:10]

example.com is a special (reserved) name, but example2.com is not

If you want different hostnames, use www.example.com and www2.example.com (that
is, make the subdomain vary)

[ramant (doing other things), 2016/06/21 16:52:02]

Done.

+  std::string example2_hostname("www.example2.com");
+  net::CertVerifyResult verifier1_result2;
+  error = callback.GetResult(verifier.Verify(
+      net::CertVerifier::RequestParams(combined_cert, example2_hostname, 0,
+                                       std::string(), net::CertificateList()),
+      nullptr, &verifier1_result2, callback.callback(), &request,
+      net::BoundNetLog()));
+  ASSERT_TRUE(net::IsCertificateError(error));
+
+  cronet_pb::CertVerificationCache cert_cache =
+      SerializeCertVerifierCache(verifier);
+  DCHECK_EQ(2, cert_cache.cert_entry_size());
+  DCHECK_EQ(2, cert_cache.cache_entry_size());
+
+  net::CachingCertVerifier verifier2(base::MakeUnique<net::MockCertVerifier>());
+
+  // Populate |verifier2|'s cache.
+  EXPECT_TRUE(DeserializeCertVerifierCache(cert_cache, &verifier2));
+
+  // Verify the cert for www.example.com with |verifier2|.
+  net::CertVerifyResult verifier2_result1;
+  error = callback.GetResult(verifier2.Verify(
+      net::CertVerifier::RequestParams(ok_cert, example_hostname, 0,
+                                       std::string(), net::CertificateList()),
+      nullptr, &verifier2_result1, callback.callback(), &request,
+      net::BoundNetLog()));
+  // Synchronous completion and verify it is same as serialized data for
+  // www.example.com.
+  ASSERT_TRUE(net::IsCertificateError(error));
+  ASSERT_FALSE(request);
+  EXPECT_EQ(verifier2_result1.cert_status, verifyier1_result1.cert_status);
+
+  // Verify the cert for www.example2.com with |verifier2|.
+  net::CertVerifyResult verifier2_result2;
+  error = callback.GetResult(verifier2.Verify(
+      net::CertVerifier::RequestParams(combined_cert, example2_hostname, 0,
+                                       std::string(), net::CertificateList()),
+      nullptr, &verifier2_result2, callback.callback(), &request,
+      net::BoundNetLog()));
+  // Synchronous completion and verify it is same as serialized data for
+  // www.example2.com.
+  ASSERT_TRUE(net::IsCertificateError(error));
+  ASSERT_FALSE(request);
+  EXPECT_EQ(verifier2_result2.cert_status, verifier1_result2.cert_status);
+}
+
+// Corrupted |cert_entry| in the serialized data, should fail when deserialized.

[Ryan Sleevi, 2016/06/21 01:22:10]

Grammar: This is not a properly constructed sentence.

Alternatives could be:
// A corrupted cert_entry in the serialized data should fail to be deserialized.
// Should not deserialize a corrupted cert_entry.

(Note, no | | because cert_entry isn't a local variable)

[ramant (doing other things), 2016/06/21 16:52:02]

Done.

+TEST(CertVerifierCachePersisterTest, DeserializeCorruptedCerts) {
+  net::CertVerifyResult verify_result;
+  net::CachingCertVerifier verifier(base::MakeUnique<net::MockCertVerifier>());
+  ASSERT_NO_FATAL_FAILURE(
+      VerifyCert("ok_cert.pem", "www.example.com", &verifier, &verify_result));
+  cronet_pb::CertVerificationCache cert_cache =
+      SerializeCertVerifierCache(verifier);
+  DCHECK_EQ(1, cert_cache.cert_entry_size());
+  DCHECK_EQ(1, cert_cache.cache_entry_size());
+
+  cert_cache.clear_cert_entry();
+
+  net::CachingCertVerifier verifier2(base::MakeUnique<net::MockCertVerifier>());
+  EXPECT_FALSE(DeserializeCertVerifierCache(cert_cache, &verifier2));
+}
+
+// Corrupted |cache_entry| in the serialized data, should fail when
+// deserialized.
+TEST(CertVerifierCachePersisterTest, DeserializeCorruptedCacheEntry) {
+  net::CertVerifyResult verify_result;
+  net::CachingCertVerifier verifier(base::MakeUnique<net::MockCertVerifier>());
+  ASSERT_NO_FATAL_FAILURE(
+      VerifyCert("ok_cert.pem", "www.example.com", &verifier, &verify_result));
+  cronet_pb::CertVerificationCache cert_cache =
+      SerializeCertVerifierCache(verifier);
+  DCHECK_EQ(1, cert_cache.cert_entry_size());
+  DCHECK_EQ(1, cert_cache.cache_entry_size());
+
+  // Corrupt |cache_entry|.
+  cert_cache.clear_cache_entry();
+
+  net::CachingCertVerifier verifier2(base::MakeUnique<net::MockCertVerifier>());
+  EXPECT_FALSE(DeserializeCertVerifierCache(cert_cache, &verifier2));
+}
+
+// Corrupted |request_params| in the serialized data, should fail when
+// deserialized.
+TEST(CertVerifierCachePersisterTest, DeserializeCorruptedRequestParams) {
+  net::CertVerifyResult verify_result;
+  net::CachingCertVerifier verifier(base::MakeUnique<net::MockCertVerifier>());
+  ASSERT_NO_FATAL_FAILURE(
+      VerifyCert("ok_cert.pem", "www.example.com", &verifier, &verify_result));
+  cronet_pb::CertVerificationCache cert_cache =
+      SerializeCertVerifierCache(verifier);
+  DCHECK_EQ(1, cert_cache.cert_entry_size());
+  DCHECK_EQ(1, cert_cache.cache_entry_size());
+
+  for (int i = 0; i < cert_cache.cache_entry_size(); ++i) {
+    cronet_pb::CertVerificationCacheEntry* cache_entry =
+        cert_cache.mutable_cache_entry(i);
+    // Corrupt |request_params|.
+    cache_entry->clear_request_params();
+  }
+
+  net::CachingCertVerifier verifier2(base::MakeUnique<net::MockCertVerifier>());
+  EXPECT_FALSE(DeserializeCertVerifierCache(cert_cache, &verifier2));
+}
+
+// Corrupted |certificate| in |request_params| in the serialized data, should
+// fail when deserialized.
+TEST(CertVerifierCachePersisterTest, DeserializeRequestParamsNoCertificate) {
+  net::CertVerifyResult verify_result;
+  net::CachingCertVerifier verifier(base::MakeUnique<net::MockCertVerifier>());
+  ASSERT_NO_FATAL_FAILURE(
+      VerifyCert("ok_cert.pem", "www.example.com", &verifier, &verify_result));
+  cronet_pb::CertVerificationCache cert_cache =
+      SerializeCertVerifierCache(verifier);
+  DCHECK_EQ(1, cert_cache.cert_entry_size());
+  DCHECK_EQ(1, cert_cache.cache_entry_size());
+
+  for (int i = 0; i < cert_cache.cache_entry_size(); ++i) {
+    cronet_pb::CertVerificationCacheEntry* cache_entry =
+        cert_cache.mutable_cache_entry(i);
+    cronet_pb::CertVerificationRequestParams* request_params =
+        cache_entry->mutable_request_params();
+    // Corrupt certificate.
+    request_params->clear_certificate();
+  }
+
+  net::CachingCertVerifier verifier2(base::MakeUnique<net::MockCertVerifier>());
+  EXPECT_FALSE(DeserializeCertVerifierCache(cert_cache, &verifier2));
+}
+
+// Corrupted |hostname| in |request_params| in the serialized data, should fail
+// when deserialized.
+TEST(CertVerifierCachePersisterTest, DeserializeRequestParamsNoHostname) {
+  net::CertVerifyResult verify_result;
+  net::CachingCertVerifier verifier(base::MakeUnique<net::MockCertVerifier>());
+  ASSERT_NO_FATAL_FAILURE(
+      VerifyCert("ok_cert.pem", "www.example.com", &verifier, &verify_result));
+  cronet_pb::CertVerificationCache cert_cache =
+      SerializeCertVerifierCache(verifier);
+  DCHECK_EQ(1, cert_cache.cert_entry_size());
+  DCHECK_EQ(1, cert_cache.cache_entry_size());
+
+  for (int i = 0; i < cert_cache.cache_entry_size(); ++i) {
+    cronet_pb::CertVerificationCacheEntry* cache_entry =
+        cert_cache.mutable_cache_entry(i);
+    cronet_pb::CertVerificationRequestParams* request_params =
+        cache_entry->mutable_request_params();
+    // Corrupt hostname.
+    request_params->clear_hostname();
+  }
+
+  net::CachingCertVerifier verifier2(base::MakeUnique<net::MockCertVerifier>());
+  EXPECT_FALSE(DeserializeCertVerifierCache(cert_cache, &verifier2));
+}
+
+// Invalid |hostname| in |request_params| in the serialized data, should fail
+// when deserialized.
+TEST(CertVerifierCachePersisterTest, DeserializeRequestParamsEmptyHostname) {
+  net::CertVerifyResult verify_result;
+  net::CachingCertVerifier verifier(base::MakeUnique<net::MockCertVerifier>());
+  ASSERT_NO_FATAL_FAILURE(
+      VerifyCert("ok_cert.pem", "www.example.com", &verifier, &verify_result));
+  cronet_pb::CertVerificationCache cert_cache =
+      SerializeCertVerifierCache(verifier);
+  DCHECK_EQ(1, cert_cache.cert_entry_size());
+  DCHECK_EQ(1, cert_cache.cache_entry_size());
+
+  for (int i = 0; i < cert_cache.cache_entry_size(); ++i) {
+    cronet_pb::CertVerificationCacheEntry* cache_entry =
+        cert_cache.mutable_cache_entry(i);
+    cronet_pb::CertVerificationRequestParams* request_params =
+        cache_entry->mutable_request_params();
+    // Set bogus hostname.
+    request_params->set_hostname("");

[Ryan Sleevi, 2016/06/21 01:22:10]

How is this different than NoHostname?

[ramant (doing other things), 2016/06/21 16:52:02]

One checks request_params.has_hostname() and the other checks 
request_params.hostname().empty().

bool CertVerificationRequestParams::has_hostname() const {
  return (_has_bits_[0] & 0x00000002u) != 0;
}

Is this overkill? Can delete the test.

+  }
+
+  net::CachingCertVerifier verifier2(base::MakeUnique<net::MockCertVerifier>());
+  EXPECT_FALSE(DeserializeCertVerifierCache(cert_cache, &verifier2));
+}
+
+// Corrupted |flags| in |request_params| in the serialized data, should fail
+// when deserialized.
+TEST(CertVerifierCachePersisterTest, DeserializeRequestParamsNoFlags) {
+  net::CertVerifyResult verify_result;
+  net::CachingCertVerifier verifier(base::MakeUnique<net::MockCertVerifier>());
+  ASSERT_NO_FATAL_FAILURE(
+      VerifyCert("ok_cert.pem", "www.example.com", &verifier, &verify_result));
+  cronet_pb::CertVerificationCache cert_cache =
+      SerializeCertVerifierCache(verifier);
+  DCHECK_EQ(1, cert_cache.cert_entry_size());
+  DCHECK_EQ(1, cert_cache.cache_entry_size());
+
+  for (int i = 0; i < cert_cache.cache_entry_size(); ++i) {
+    cronet_pb::CertVerificationCacheEntry* cache_entry =
+        cert_cache.mutable_cache_entry(i);
+    cronet_pb::CertVerificationRequestParams* request_params =
+        cache_entry->mutable_request_params();
+    // Corrupt flags.
+    request_params->clear_flags();
+  }
+
+  net::CachingCertVerifier verifier2(base::MakeUnique<net::MockCertVerifier>());
+  EXPECT_FALSE(DeserializeCertVerifierCache(cert_cache, &verifier2));
+}
+
+// Corrupted |ocsp_response| in |request_params| in the serialized data, should
+// fail when deserialized.
+TEST(CertVerifierCachePersisterTest, DeserializeRequestParamsNoOcspResponse) {
+  net::CertVerifyResult verify_result;
+  net::CachingCertVerifier verifier(base::MakeUnique<net::MockCertVerifier>());
+  ASSERT_NO_FATAL_FAILURE(
+      VerifyCert("ok_cert.pem", "www.example.com", &verifier, &verify_result));
+  cronet_pb::CertVerificationCache cert_cache =
+      SerializeCertVerifierCache(verifier);
+  DCHECK_EQ(1, cert_cache.cert_entry_size());
+  DCHECK_EQ(1, cert_cache.cache_entry_size());
+
+  for (int i = 0; i < cert_cache.cache_entry_size(); ++i) {
+    cronet_pb::CertVerificationCacheEntry* cache_entry =
+        cert_cache.mutable_cache_entry(i);
+    cronet_pb::CertVerificationRequestParams* request_params =
+        cache_entry->mutable_request_params();
+    // Corrupt |ocsp_response|.
+    request_params->clear_ocsp_response();
+  }
+
+  net::CachingCertVerifier verifier2(base::MakeUnique<net::MockCertVerifier>());
+  EXPECT_FALSE(DeserializeCertVerifierCache(cert_cache, &verifier2));
+}
+
+// Empty certificate number in |request_params| in the serialized data, should
+// fail when deserialized.
+TEST(CertVerifierCachePersisterTest,
+     DeserializeRequestParamsCertificateNoCertNumbers) {
+  net::CertVerifyResult verify_result;
+  net::CachingCertVerifier verifier(base::MakeUnique<net::MockCertVerifier>());
+  ASSERT_NO_FATAL_FAILURE(
+      VerifyCert("ok_cert.pem", "www.example.com", &verifier, &verify_result));
+  cronet_pb::CertVerificationCache cert_cache =
+      SerializeCertVerifierCache(verifier);
+  DCHECK_EQ(1, cert_cache.cert_entry_size());
+  DCHECK_EQ(1, cert_cache.cache_entry_size());
+
+  for (int i = 0; i < cert_cache.cache_entry_size(); ++i) {
+    cronet_pb::CertVerificationCacheEntry* cache_entry =
+        cert_cache.mutable_cache_entry(i);
+    cronet_pb::CertVerificationRequestParams* request_params =
+        cache_entry->mutable_request_params();
+    cronet_pb::CertVerificationCertificate* certificate =
+        request_params->mutable_certificate();
+    // Corrupt certificate number.
+    certificate->clear_cert_numbers();
+  }
+
+  net::CachingCertVerifier verifier2(base::MakeUnique<net::MockCertVerifier>());
+  EXPECT_FALSE(DeserializeCertVerifierCache(cert_cache, &verifier2));
+}
+
+// Invalid certificate number in |request_params| in the serialized data, should
+// fail when deserialized.
+TEST(CertVerifierCachePersisterTest,
+     DeserializeCorruptedRequestParamsCertNumbers) {
+  net::CertVerifyResult verify_result;
+  net::CachingCertVerifier verifier(base::MakeUnique<net::MockCertVerifier>());
+  ASSERT_NO_FATAL_FAILURE(
+      VerifyCert("ok_cert.pem", "www.example.com", &verifier, &verify_result));
+  cronet_pb::CertVerificationCache cert_cache =
+      SerializeCertVerifierCache(verifier);
+  DCHECK_EQ(1, cert_cache.cert_entry_size());
+  DCHECK_EQ(1, cert_cache.cache_entry_size());
+
+  for (int i = 0; i < cert_cache.cache_entry_size(); ++i) {
+    cronet_pb::CertVerificationCacheEntry* cache_entry =
+        cert_cache.mutable_cache_entry(i);
+    cronet_pb::CertVerificationRequestParams* request_params =
+        cache_entry->mutable_request_params();
+    cronet_pb::CertVerificationCertificate* certificate =
+        request_params->mutable_certificate();
+    // Set bogus certificate number.
+    certificate->set_cert_numbers(0, 100);
+  }
+
+  net::CachingCertVerifier verifier2(base::MakeUnique<net::MockCertVerifier>());
+  EXPECT_FALSE(DeserializeCertVerifierCache(cert_cache, &verifier2));
+}
+
+// Corrupted certificate number in |additional_trust_anchors| of
+// |request_params| in the serialized data, should fail when deserialized.
+TEST(CertVerifierCachePersisterTest,
+     DeserializeRequestParamsCertificateNoTrustAnchors) {
+  net::CertificateList ca_cert_list = net::CreateCertificateListFromFile(
+      net::GetTestCertsDirectory(), "root_ca_cert.pem",
+      net::X509Certificate::FORMAT_AUTO);
+  ASSERT_EQ(1U, ca_cert_list.size());
+  scoped_refptr<net::X509Certificate> ca_cert(ca_cert_list[0]);
+
+  net::CertificateList cert_list = net::CreateCertificateListFromFile(
+      net::GetTestCertsDirectory(), "ok_cert.pem",
+      net::X509Certificate::FORMAT_AUTO);
+  ASSERT_EQ(1U, cert_list.size());
+  scoped_refptr<net::X509Certificate> cert(cert_list[0]);
+
+  // Now add the |ca_cert| to the |trust_anchors|, and verification should pass.
+  net::CertificateList trust_anchors;
+  trust_anchors.push_back(ca_cert);
+
+  int error;
+  net::CertVerifyResult verify_result;
+  net::TestCompletionCallback callback;
+  std::unique_ptr<net::CertVerifier::Request> request;
+
+  net::CachingCertVerifier verifier(base::MakeUnique<net::MockCertVerifier>());
+  error = callback.GetResult(verifier.Verify(
+      net::CertVerifier::RequestParams(cert, "www.example.com", 0,
+                                       std::string(), trust_anchors),
+      nullptr, &verify_result, callback.callback(), &request,
+      net::BoundNetLog()));
+  EXPECT_TRUE(net::IsCertificateError(error));
+
+  cronet_pb::CertVerificationCache cert_cache =
+      SerializeCertVerifierCache(verifier);
+  DCHECK_EQ(2, cert_cache.cert_entry_size());
+  DCHECK_EQ(1, cert_cache.cache_entry_size());
+
+  for (int i = 0; i < cert_cache.cache_entry_size(); ++i) {
+    cronet_pb::CertVerificationCacheEntry* cache_entry =
+        cert_cache.mutable_cache_entry(i);
+    cronet_pb::CertVerificationRequestParams* request_params =
+        cache_entry->mutable_request_params();
+    for (int j = 0; j < request_params->additional_trust_anchors_size(); ++j) {
+      cronet_pb::CertVerificationCertificate* certificate =
+          request_params->mutable_additional_trust_anchors(j);
+      // Corrupt the certificate number in |additional_trust_anchors|.
+      certificate->clear_cert_numbers();
+    }
+  }
+
+  net::CachingCertVerifier verifier2(base::MakeUnique<net::MockCertVerifier>());
+  EXPECT_FALSE(DeserializeCertVerifierCache(cert_cache, &verifier2));
+}
+
+// Corrupted |cached_result| in the serialized data, should fail when
+// deserialized.
+TEST(CertVerifierCachePersisterTest, DeserializeCorruptedCachedResult) {
+  net::CertVerifyResult verify_result;
+  net::CachingCertVerifier verifier(base::MakeUnique<net::MockCertVerifier>());
+  ASSERT_NO_FATAL_FAILURE(
+      VerifyCert("ok_cert.pem", "www.example.com", &verifier, &verify_result));
+  cronet_pb::CertVerificationCache cert_cache =
+      SerializeCertVerifierCache(verifier);
+  DCHECK_EQ(1, cert_cache.cert_entry_size());
+  DCHECK_EQ(1, cert_cache.cache_entry_size());
+
+  for (int i = 0; i < cert_cache.cache_entry_size(); ++i) {
+    cronet_pb::CertVerificationCacheEntry* cache_entry =
+        cert_cache.mutable_cache_entry(i);
+    // Corrupt the |cached_result|.
+    cache_entry->clear_cached_result();
+  }
+
+  net::CachingCertVerifier verifier2(base::MakeUnique<net::MockCertVerifier>());
+  EXPECT_FALSE(DeserializeCertVerifierCache(cert_cache, &verifier2));
+}
+
+// Corrupted |error| in the serialized data, should fail when deserialized.
+TEST(CertVerifierCachePersisterTest, DeserializeCachedResultNoError) {
+  net::CertVerifyResult verify_result;
+  net::CachingCertVerifier verifier(base::MakeUnique<net::MockCertVerifier>());
+  ASSERT_NO_FATAL_FAILURE(
+      VerifyCert("ok_cert.pem", "www.example.com", &verifier, &verify_result));
+  cronet_pb::CertVerificationCache cert_cache =
+      SerializeCertVerifierCache(verifier);
+  DCHECK_EQ(1, cert_cache.cert_entry_size());
+  DCHECK_EQ(1, cert_cache.cache_entry_size());
+
+  for (int i = 0; i < cert_cache.cache_entry_size(); ++i) {
+    cronet_pb::CertVerificationCacheEntry* cache_entry =
+        cert_cache.mutable_cache_entry(i);
+    cronet_pb::CertVerificationCachedResult* cached_result =
+        cache_entry->mutable_cached_result();
+    // Corrupt |error|.
+    cached_result->clear_error();
+  }
+
+  net::CachingCertVerifier verifier2(base::MakeUnique<net::MockCertVerifier>());
+  EXPECT_FALSE(DeserializeCertVerifierCache(cert_cache, &verifier2));
+}
+
+// Corrupted |result| (CertVerifyResult) in the serialized data, should fail
+// when deserialized.
+TEST(CertVerifierCachePersisterTest, DeserializeCachedResultNoResult) {
+  net::CertVerifyResult verify_result;
+  net::CachingCertVerifier verifier(base::MakeUnique<net::MockCertVerifier>());
+  ASSERT_NO_FATAL_FAILURE(
+      VerifyCert("ok_cert.pem", "www.example.com", &verifier, &verify_result));
+  cronet_pb::CertVerificationCache cert_cache =
+      SerializeCertVerifierCache(verifier);
+  DCHECK_EQ(1, cert_cache.cert_entry_size());
+  DCHECK_EQ(1, cert_cache.cache_entry_size());
+
+  for (int i = 0; i < cert_cache.cache_entry_size(); ++i) {
+    cronet_pb::CertVerificationCacheEntry* cache_entry =
+        cert_cache.mutable_cache_entry(i);
+    cronet_pb::CertVerificationCachedResult* cached_result =
+        cache_entry->mutable_cached_result();
+    // Corrupt the |result|.
+    cached_result->clear_result();
+  }
+
+  net::CachingCertVerifier verifier2(base::MakeUnique<net::MockCertVerifier>());
+  EXPECT_FALSE(DeserializeCertVerifierCache(cert_cache, &verifier2));
+}
+
+// Corrupted |cert_status| in the serialized data, should fail when
+// deserialized.
+TEST(CertVerifierCachePersisterTest, DeserializeCachedResultNoCertStatus) {
+  net::CertVerifyResult verify_result;
+  net::CachingCertVerifier verifier(base::MakeUnique<net::MockCertVerifier>());
+  ASSERT_NO_FATAL_FAILURE(
+      VerifyCert("ok_cert.pem", "www.example.com", &verifier, &verify_result));
+  cronet_pb::CertVerificationCache cert_cache =
+      SerializeCertVerifierCache(verifier);
+  DCHECK_EQ(1, cert_cache.cert_entry_size());
+  DCHECK_EQ(1, cert_cache.cache_entry_size());
+
+  for (int i = 0; i < cert_cache.cache_entry_size(); ++i) {
+    cronet_pb::CertVerificationCacheEntry* cache_entry =
+        cert_cache.mutable_cache_entry(i);
+    cronet_pb::CertVerificationCachedResult* cached_result =
+        cache_entry->mutable_cached_result();
+    cronet_pb::CertVerificationResult* result = cached_result->mutable_result();
+    // Corrupt the |cert_status|.
+    result->clear_cert_status();
+  }
+
+  net::CachingCertVerifier verifier2(base::MakeUnique<net::MockCertVerifier>());
+  EXPECT_FALSE(DeserializeCertVerifierCache(cert_cache, &verifier2));
+}
+
+// Corrupted |verification_time| in the serialized data, should fail when
+// deserialized.
+TEST(CertVerifierCachePersisterTest, DeserializeCachedResultNoVerifiedCert) {
+  net::CertVerifyResult verify_result;
+  net::CachingCertVerifier verifier(base::MakeUnique<net::MockCertVerifier>());
+  ASSERT_NO_FATAL_FAILURE(
+      VerifyCert("ok_cert.pem", "www.example.com", &verifier, &verify_result));
+  cronet_pb::CertVerificationCache cert_cache =
+      SerializeCertVerifierCache(verifier);
+  DCHECK_EQ(1, cert_cache.cert_entry_size());
+  DCHECK_EQ(1, cert_cache.cache_entry_size());
+
+  for (int i = 0; i < cert_cache.cache_entry_size(); ++i) {
+    cronet_pb::CertVerificationCacheEntry* cache_entry =
+        cert_cache.mutable_cache_entry(i);
+    cronet_pb::CertVerificationCachedResult* cached_result =
+        cache_entry->mutable_cached_result();
+    cronet_pb::CertVerificationResult* result = cached_result->mutable_result();
+    // Corrupt the |verified_cert|.
+    result->clear_verified_cert();
+  }
+
+  net::CachingCertVerifier verifier2(base::MakeUnique<net::MockCertVerifier>());
+  EXPECT_FALSE(DeserializeCertVerifierCache(cert_cache, &verifier2));
+}
+
+// Corrupted |verified_cert| in the serialized data, should fail when
+// deserialized.
+TEST(CertVerifierCachePersisterTest,
+     DeserializeCachedResultNoVerifiedCertNumber) {
+  net::CertVerifyResult verify_result;
+  net::CachingCertVerifier verifier(base::MakeUnique<net::MockCertVerifier>());
+  ASSERT_NO_FATAL_FAILURE(
+      VerifyCert("ok_cert.pem", "www.example.com", &verifier, &verify_result));
+  cronet_pb::CertVerificationCache cert_cache =
+      SerializeCertVerifierCache(verifier);
+  DCHECK_EQ(1, cert_cache.cert_entry_size());
+  DCHECK_EQ(1, cert_cache.cache_entry_size());
+
+  for (int i = 0; i < cert_cache.cache_entry_size(); ++i) {
+    cronet_pb::CertVerificationCacheEntry* cache_entry =
+        cert_cache.mutable_cache_entry(i);
+    cronet_pb::CertVerificationCachedResult* cached_result =
+        cache_entry->mutable_cached_result();
+    cronet_pb::CertVerificationResult* result = cached_result->mutable_result();
+    result->clear_verified_cert();
+    // Corrupt the verified cert's certificate number.
+    cronet_pb::CertVerificationCertificate* certificate =
+        result->mutable_verified_cert();
+    certificate->clear_cert_numbers();
+  }
+
+  net::CachingCertVerifier verifier2(base::MakeUnique<net::MockCertVerifier>());
+  EXPECT_FALSE(DeserializeCertVerifierCache(cert_cache, &verifier2));
+}
+
+// Invalid certificate number of |verified_cert| in the serialized data,
+// should fail when deserialized.
+TEST(CertVerifierCachePersisterTest,
+     DeserializeCorruptedCachedResultVerifiedCertNumber) {
+  net::CertVerifyResult verify_result;
+  net::CachingCertVerifier verifier(base::MakeUnique<net::MockCertVerifier>());
+  ASSERT_NO_FATAL_FAILURE(
+      VerifyCert("ok_cert.pem", "www.example.com", &verifier, &verify_result));
+  cronet_pb::CertVerificationCache cert_cache =
+      SerializeCertVerifierCache(verifier);
+  DCHECK_EQ(1, cert_cache.cert_entry_size());
+  DCHECK_EQ(1, cert_cache.cache_entry_size());
+
+  for (int i = 0; i < cert_cache.cache_entry_size(); ++i) {
+    cronet_pb::CertVerificationCacheEntry* cache_entry =
+        cert_cache.mutable_cache_entry(i);
+    cronet_pb::CertVerificationCachedResult* cached_result =
+        cache_entry->mutable_cached_result();
+    cronet_pb::CertVerificationResult* result = cached_result->mutable_result();
+    cronet_pb::CertVerificationCertificate* certificate =
+        result->mutable_verified_cert();
+    // Set bogus certificate number for |verified_cert|.
+    certificate->set_cert_numbers(0, 100);
+  }
+
+  net::CachingCertVerifier verifier2(base::MakeUnique<net::MockCertVerifier>());
+  EXPECT_FALSE(DeserializeCertVerifierCache(cert_cache, &verifier2));
+}
+
+// Corrupted |public_key_hashes| in the serialized data, should fail when
+// deserialized.
+TEST(CertVerifierCachePersisterTest,
+     DeserializeCorruptedCachedResultPublicKeyHashes) {
+  net::CertVerifyResult verify_result;
+  net::CachingCertVerifier verifier(base::MakeUnique<net::MockCertVerifier>());
+  ASSERT_NO_FATAL_FAILURE(
+      VerifyCert("ok_cert.pem", "www.example.com", &verifier, &verify_result));
+  cronet_pb::CertVerificationCache cert_cache =
+      SerializeCertVerifierCache(verifier);
+  DCHECK_EQ(1, cert_cache.cert_entry_size());
+  DCHECK_EQ(1, cert_cache.cache_entry_size());
+
+  for (int i = 0; i < cert_cache.cache_entry_size(); ++i) {
+    cronet_pb::CertVerificationCacheEntry* cache_entry =
+        cert_cache.mutable_cache_entry(i);
+    cronet_pb::CertVerificationCachedResult* cached_result =
+        cache_entry->mutable_cached_result();
+    cronet_pb::CertVerificationResult* result = cached_result->mutable_result();
+    // Set bogus |public_key_hashes|.
+    result->add_public_key_hashes("");
+  }
+
+  net::CachingCertVerifier verifier2(base::MakeUnique<net::MockCertVerifier>());
+  EXPECT_FALSE(DeserializeCertVerifierCache(cert_cache, &verifier2));
+}
+
+// Corrupted |verification_time| in the serialized data, should fail when
+// deserialized.
+TEST(CertVerifierCachePersisterTest, DeserializeCorruptedVerificationTime) {
+  net::CertVerifyResult verify_result;
+  net::CachingCertVerifier verifier(base::MakeUnique<net::MockCertVerifier>());
+  ASSERT_NO_FATAL_FAILURE(
+      VerifyCert("ok_cert.pem", "www.example.com", &verifier, &verify_result));
+  cronet_pb::CertVerificationCache cert_cache =
+      SerializeCertVerifierCache(verifier);
+  DCHECK_EQ(1, cert_cache.cert_entry_size());
+  DCHECK_EQ(1, cert_cache.cache_entry_size());
+
+  for (int i = 0; i < cert_cache.cache_entry_size(); ++i) {
+    cronet_pb::CertVerificationCacheEntry* cache_entry =
+        cert_cache.mutable_cache_entry(i);
+    // Corrupt |verification_time|.
+    cache_entry->clear_verification_time();
+  }
+
+  net::CachingCertVerifier verifier2(base::MakeUnique<net::MockCertVerifier>());
+  EXPECT_FALSE(DeserializeCertVerifierCache(cert_cache, &verifier2));
+}
+
+}  // namespace cronet