Cert - protobufs to serialize and deserialize CertVerifierCache.

components/cronet/cert/cert_verifier_cache_persister_unittest.cc

+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "components/cronet/cert/cert_verifier_cache_persister.h"
+
+#include <memory>
+#include <string>
+
+#include "base/android/path_utils.h"
+#include "base/files/file_path.h"
+#include "base/memory/ptr_util.h"
+#include "base/memory/ref_counted.h"
+#include "net/base/net_errors.h"
+#include "net/base/test_completion_callback.h"
+#include "net/base/test_data_directory.h"
+#include "net/cert/caching_cert_verifier.h"
+#include "net/cert/cert_verifier.h"
+#include "net/cert/cert_verify_result.h"
+#include "net/cert/mock_cert_verifier.h"
+#include "net/cert/x509_certificate.h"
+#include "net/log/net_log.h"
+#include "net/test/cert_test_util.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+namespace cronet {
+
+namespace {
+
+void VerifyCert(const std::string& cert_name,
+                const std::string& hostname,
+                net::CachingCertVerifier* verifier,
+                net::CertVerifyResult* verify_result) {
+  // Set up server certs.
+  scoped_refptr<net::X509Certificate> cert(
+      net::ImportCertFromFile(net::GetTestCertsDirectory(), cert_name));
+  ASSERT_TRUE(cert);
+
+  net::TestCompletionCallback callback;
+  std::unique_ptr<net::CertVerifier::Request> request;
+
+  int error = callback.GetResult(verifier->Verify(
+      net::CertVerifier::RequestParams(cert.get(), hostname, 0, std::string(),
+                                       net::CertificateList()),
+      nullptr, verify_result, callback.callback(), &request,
+      net::BoundNetLog()));
+
+  ASSERT_TRUE(net::IsCertificateError(error));

[Ryan Sleevi, 2016/06/21 20:31:03]

BUG/SURPRISE: What part of the contract of VerifyCert guarantees it'll be an
error? You're passed in a CachingCertVerifier - there's no way you can know
whether |cert_name| should be valid or invalid.

Documenting this method could be clearer, but it's not clear to me that this is
the right check you should be doing.

Put differently: Why does it matter what the value of |error| is for the
functioning of this test? If it matters, you should document it as a condition
to VerifyCert. If it doesn't matter, you should remove this assert.

[ramant (doing other things), 2016/06/22 03:51:36]

I am not an expert in this area. Was copying other cert verification tests.

Deleted the check for IsCertificateError. Added comment that cert verifcation
will succeed. wdyt?
Done.

+}
+
+}  // namespace
+
+TEST(CertVerifierCachePersisterTest, RestoreEmptyData) {
+  // Restoring empty data should fail.
+  cronet_pb::CertVerificationCache cert_cache;
+  net::CachingCertVerifier verifier(base::MakeUnique<net::MockCertVerifier>());
+  EXPECT_FALSE(DeserializeCertVerifierCache(cert_cache, &verifier));
+}
+
+TEST(CertVerifierCachePersisterTest, SerializeCache) {
+  net::CertVerifyResult verify_result;
+  net::CachingCertVerifier verifier(base::MakeUnique<net::MockCertVerifier>());
+  ASSERT_NO_FATAL_FAILURE(
+      VerifyCert("ok_cert.pem", "www.example.com", &verifier, &verify_result));
+  cronet_pb::CertVerificationCache cert_cache =
+      SerializeCertVerifierCache(verifier);
+  DCHECK_EQ(1, cert_cache.cert_entry_size());
+  DCHECK_EQ(1, cert_cache.cache_entry_size());
+}
+
+// Create a new Verifier and restoring the data into it should succeed.
+TEST(CertVerifierCachePersisterTest, RestoreMultipleEntriesIntoNewVerifier) {
+  scoped_refptr<net::X509Certificate> ok_cert(
+      net::ImportCertFromFile(net::GetTestCertsDirectory(), "ok_cert.pem"));
+  ASSERT_TRUE(ok_cert);
+
+  const scoped_refptr<net::X509Certificate> root_cert =
+      net::ImportCertFromFile(net::GetTestCertsDirectory(), "root_ca_cert.pem");
+  ASSERT_TRUE(root_cert);
+
+  // Create a certificate that contains both a leaf and an intermediate/root.
+  net::X509Certificate::OSCertHandles chain;
+  chain.push_back(root_cert->os_cert_handle());
+  const scoped_refptr<net::X509Certificate> combined_cert =
+      net::X509Certificate::CreateFromHandle(ok_cert->os_cert_handle(), chain);
+  ASSERT_TRUE(combined_cert);
+
+  int error;
+  net::TestCompletionCallback callback;
+  std::unique_ptr<net::CertVerifier::Request> request;
+
+  // Verify www.example.com host's certificate.
+  std::string example_hostname("www.example.com");
+  net::CertVerifyResult verifier1_result1;
+  net::CachingCertVerifier verifier(base::MakeUnique<net::MockCertVerifier>());
+  error = callback.GetResult(verifier.Verify(
+      net::CertVerifier::RequestParams(ok_cert, example_hostname, 0,
+                                       std::string(), net::CertificateList()),
+      nullptr, &verifier1_result1, callback.callback(), &request,
+      net::BoundNetLog()));
+  ASSERT_TRUE(net::IsCertificateError(error));

[Ryan Sleevi, 2016/06/21 20:31:02]

Same comments apply throughout for the checks here

[ramant (doing other things), 2016/06/22 03:51:37]

Done.

+
+  // Verify www2.example.com host's certificate.
+  std::string example2_hostname("www2.example.com");
+  net::CertVerifyResult verifier1_result2;
+  error = callback.GetResult(verifier.Verify(
+      net::CertVerifier::RequestParams(combined_cert, example2_hostname, 0,
+                                       std::string(), net::CertificateList()),
+      nullptr, &verifier1_result2, callback.callback(), &request,
+      net::BoundNetLog()));
+  ASSERT_TRUE(net::IsCertificateError(error));
+
+  cronet_pb::CertVerificationCache cert_cache =
+      SerializeCertVerifierCache(verifier);
+  DCHECK_EQ(2, cert_cache.cert_entry_size());
+  DCHECK_EQ(2, cert_cache.cache_entry_size());
+
+  net::CachingCertVerifier verifier2(base::MakeUnique<net::MockCertVerifier>());
+
+  // Populate |verifier2|'s cache.
+  EXPECT_TRUE(DeserializeCertVerifierCache(cert_cache, &verifier2));
+
+  // Verify the cert for www.example.com with |verifier2|.
+  net::CertVerifyResult verifier2_result1;
+  error = callback.GetResult(verifier2.Verify(
+      net::CertVerifier::RequestParams(ok_cert, example_hostname, 0,
+                                       std::string(), net::CertificateList()),
+      nullptr, &verifier2_result1, callback.callback(), &request,
+      net::BoundNetLog()));
+  // Synchronous completion and verify it is same as serialized data for
+  // www.example.com.

[Ryan Sleevi, 2016/06/21 20:31:03]

I highlighted before, but these comments (130-131) do not match what you're
doing in the test.

[ramant (doing other things), 2016/06/22 03:51:36]

Done.

+  ASSERT_TRUE(net::IsCertificateError(error));
+  ASSERT_FALSE(request);
+  EXPECT_EQ(verifier2_result1.cert_status, verifier1_result1.cert_status);

[Ryan Sleevi, 2016/06/21 20:31:03]

Document why you're checking here.

For example, why don't you make sure that they have the same error result? Why
don't you test that the overall CertVerifyResults are equal? Why only test the
CertStatus?

(This is where having an operator== for CertVerifyResult may help)

[ramant (doing other things), 2016/06/22 03:51:37]

Added operator== to CertVerifyResult and used it here.

Done.

+
+  // Verify the cert for www2.example.com with |verifier2|.
+  net::CertVerifyResult verifier2_result2;
+  error = callback.GetResult(verifier2.Verify(
+      net::CertVerifier::RequestParams(combined_cert, example2_hostname, 0,
+                                       std::string(), net::CertificateList()),
+      nullptr, &verifier2_result2, callback.callback(), &request,

[Ryan Sleevi, 2016/06/21 20:31:03]

Why don't you use the VerifyCert helper here? What's different or the same?

[ramant (doing other things), 2016/06/22 03:51:37]

www2.example.com has certificate chain. VerifyCert verifies ok_cert certificate
(a different cert chain). Added a comment.

+      net::BoundNetLog()));
+  // Synchronous completion and verify it is same as serialized data for
+  // www2.example.com.
+  ASSERT_TRUE(net::IsCertificateError(error));
+  ASSERT_FALSE(request);
+  EXPECT_EQ(verifier2_result2.cert_status, verifier1_result2.cert_status);
+}
+
+// A corrupted cert_entry in the serialized data should fail to be deserialized.
+// Should not deserialize a corrupted cert_entry.

[Ryan Sleevi, 2016/06/21 20:31:04]

You updated this description, but failed to update all of the others like I
requested. I only highlighted the first instance.

see HERE1 below

[ramant (doing other things), 2016/06/22 03:51:36]

Done.

+TEST(CertVerifierCachePersisterTest, DeserializeCorruptedCerts) {
+  net::CertVerifyResult verify_result;
+  net::CachingCertVerifier verifier(base::MakeUnique<net::MockCertVerifier>());
+  ASSERT_NO_FATAL_FAILURE(
+      VerifyCert("ok_cert.pem", "www.example.com", &verifier, &verify_result));
+  cronet_pb::CertVerificationCache cert_cache =
+      SerializeCertVerifierCache(verifier);
+  DCHECK_EQ(1, cert_cache.cert_entry_size());
+  DCHECK_EQ(1, cert_cache.cache_entry_size());
+
+  cert_cache.clear_cert_entry();
+
+  net::CachingCertVerifier verifier2(base::MakeUnique<net::MockCertVerifier>());
+  EXPECT_FALSE(DeserializeCertVerifierCache(cert_cache, &verifier2));
+}
+
+// Corrupted |cache_entry| in the serialized data, should fail when
+// deserialized.

[Ryan Sleevi, 2016/06/21 20:31:03]

HERE1

[ramant (doing other things), 2016/06/22 03:51:36]

Done.

+TEST(CertVerifierCachePersisterTest, DeserializeCorruptedCacheEntry) {
+  net::CertVerifyResult verify_result;
+  net::CachingCertVerifier verifier(base::MakeUnique<net::MockCertVerifier>());
+  ASSERT_NO_FATAL_FAILURE(
+      VerifyCert("ok_cert.pem", "www.example.com", &verifier, &verify_result));
+  cronet_pb::CertVerificationCache cert_cache =
+      SerializeCertVerifierCache(verifier);
+  DCHECK_EQ(1, cert_cache.cert_entry_size());
+  DCHECK_EQ(1, cert_cache.cache_entry_size());
+
+  // Corrupt |cache_entry|.
+  cert_cache.clear_cache_entry();
+
+  net::CachingCertVerifier verifier2(base::MakeUnique<net::MockCertVerifier>());
+  EXPECT_FALSE(DeserializeCertVerifierCache(cert_cache, &verifier2));
+}
+
+// Corrupted |request_params| in the serialized data, should fail when
+// deserialized.

[Ryan Sleevi, 2016/06/21 20:31:02]

HERE1

[ramant (doing other things), 2016/06/22 03:51:37]

Done.

+TEST(CertVerifierCachePersisterTest, DeserializeCorruptedRequestParams) {
+  net::CertVerifyResult verify_result;
+  net::CachingCertVerifier verifier(base::MakeUnique<net::MockCertVerifier>());
+  ASSERT_NO_FATAL_FAILURE(
+      VerifyCert("ok_cert.pem", "www.example.com", &verifier, &verify_result));
+  cronet_pb::CertVerificationCache cert_cache =
+      SerializeCertVerifierCache(verifier);
+  DCHECK_EQ(1, cert_cache.cert_entry_size());
+  DCHECK_EQ(1, cert_cache.cache_entry_size());
+
+  for (int i = 0; i < cert_cache.cache_entry_size(); ++i) {
+    cronet_pb::CertVerificationCacheEntry* cache_entry =
+        cert_cache.mutable_cache_entry(i);
+    // Corrupt |request_params|.
+    cache_entry->clear_request_params();
+  }
+
+  net::CachingCertVerifier verifier2(base::MakeUnique<net::MockCertVerifier>());
+  EXPECT_FALSE(DeserializeCertVerifierCache(cert_cache, &verifier2));
+}
+
+// Corrupted |certificate| in |request_params| in the serialized data, should
+// fail when deserialized.

[Ryan Sleevi, 2016/06/21 20:31:03]

HERE1

[ramant (doing other things), 2016/06/22 03:51:36]

Done.

+TEST(CertVerifierCachePersisterTest, DeserializeRequestParamsNoCertificate) {
+  net::CertVerifyResult verify_result;
+  net::CachingCertVerifier verifier(base::MakeUnique<net::MockCertVerifier>());
+  ASSERT_NO_FATAL_FAILURE(
+      VerifyCert("ok_cert.pem", "www.example.com", &verifier, &verify_result));
+  cronet_pb::CertVerificationCache cert_cache =
+      SerializeCertVerifierCache(verifier);
+  DCHECK_EQ(1, cert_cache.cert_entry_size());
+  DCHECK_EQ(1, cert_cache.cache_entry_size());
+
+  for (int i = 0; i < cert_cache.cache_entry_size(); ++i) {
+    cronet_pb::CertVerificationCacheEntry* cache_entry =
+        cert_cache.mutable_cache_entry(i);
+    cronet_pb::CertVerificationRequestParams* request_params =
+        cache_entry->mutable_request_params();
+    // Corrupt certificate.
+    request_params->clear_certificate();
+  }
+
+  net::CachingCertVerifier verifier2(base::MakeUnique<net::MockCertVerifier>());
+  EXPECT_FALSE(DeserializeCertVerifierCache(cert_cache, &verifier2));
+}
+
+// Corrupted |hostname| in |request_params| in the serialized data, should fail
+// when deserialized.

[Ryan Sleevi, 2016/06/21 20:31:03]

HERE1

[ramant (doing other things), 2016/06/22 03:51:37]

Done.

+TEST(CertVerifierCachePersisterTest, DeserializeRequestParamsNoHostname) {
+  net::CertVerifyResult verify_result;
+  net::CachingCertVerifier verifier(base::MakeUnique<net::MockCertVerifier>());
+  ASSERT_NO_FATAL_FAILURE(
+      VerifyCert("ok_cert.pem", "www.example.com", &verifier, &verify_result));
+  cronet_pb::CertVerificationCache cert_cache =
+      SerializeCertVerifierCache(verifier);
+  DCHECK_EQ(1, cert_cache.cert_entry_size());
+  DCHECK_EQ(1, cert_cache.cache_entry_size());
+
+  for (int i = 0; i < cert_cache.cache_entry_size(); ++i) {
+    cronet_pb::CertVerificationCacheEntry* cache_entry =
+        cert_cache.mutable_cache_entry(i);
+    cronet_pb::CertVerificationRequestParams* request_params =
+        cache_entry->mutable_request_params();
+    // Corrupt hostname.
+    request_params->clear_hostname();
+  }
+
+  net::CachingCertVerifier verifier2(base::MakeUnique<net::MockCertVerifier>());
+  EXPECT_FALSE(DeserializeCertVerifierCache(cert_cache, &verifier2));
+}
+
+// Invalid |hostname| in |request_params| in the serialized data, should fail
+// when deserialized.

[Ryan Sleevi, 2016/06/21 20:31:03]

HERE1

[ramant (doing other things), 2016/06/22 03:51:37]

Done.

+TEST(CertVerifierCachePersisterTest, DeserializeRequestParamsEmptyHostname) {
+  net::CertVerifyResult verify_result;
+  net::CachingCertVerifier verifier(base::MakeUnique<net::MockCertVerifier>());
+  ASSERT_NO_FATAL_FAILURE(
+      VerifyCert("ok_cert.pem", "www.example.com", &verifier, &verify_result));
+  cronet_pb::CertVerificationCache cert_cache =
+      SerializeCertVerifierCache(verifier);
+  DCHECK_EQ(1, cert_cache.cert_entry_size());
+  DCHECK_EQ(1, cert_cache.cache_entry_size());
+
+  for (int i = 0; i < cert_cache.cache_entry_size(); ++i) {
+    cronet_pb::CertVerificationCacheEntry* cache_entry =
+        cert_cache.mutable_cache_entry(i);
+    cronet_pb::CertVerificationRequestParams* request_params =
+        cache_entry->mutable_request_params();
+    // Set bogus hostname.
+    request_params->set_hostname("");
+  }
+
+  net::CachingCertVerifier verifier2(base::MakeUnique<net::MockCertVerifier>());
+  EXPECT_FALSE(DeserializeCertVerifierCache(cert_cache, &verifier2));
+}
+
+// Corrupted |flags| in |request_params| in the serialized data, should fail
+// when deserialized.

[Ryan Sleevi, 2016/06/21 20:31:03]

HERE1

[ramant (doing other things), 2016/06/22 03:51:37]

Done.

+TEST(CertVerifierCachePersisterTest, DeserializeRequestParamsNoFlags) {
+  net::CertVerifyResult verify_result;
+  net::CachingCertVerifier verifier(base::MakeUnique<net::MockCertVerifier>());
+  ASSERT_NO_FATAL_FAILURE(
+      VerifyCert("ok_cert.pem", "www.example.com", &verifier, &verify_result));
+  cronet_pb::CertVerificationCache cert_cache =
+      SerializeCertVerifierCache(verifier);
+  DCHECK_EQ(1, cert_cache.cert_entry_size());
+  DCHECK_EQ(1, cert_cache.cache_entry_size());
+
+  for (int i = 0; i < cert_cache.cache_entry_size(); ++i) {
+    cronet_pb::CertVerificationCacheEntry* cache_entry =
+        cert_cache.mutable_cache_entry(i);
+    cronet_pb::CertVerificationRequestParams* request_params =
+        cache_entry->mutable_request_params();
+    // Corrupt flags.
+    request_params->clear_flags();
+  }
+
+  net::CachingCertVerifier verifier2(base::MakeUnique<net::MockCertVerifier>());
+  EXPECT_FALSE(DeserializeCertVerifierCache(cert_cache, &verifier2));
+}
+
+// Corrupted |ocsp_response| in |request_params| in the serialized data, should
+// fail when deserialized.

[Ryan Sleevi, 2016/06/21 20:31:03]

HERE1

[ramant (doing other things), 2016/06/22 03:51:36]

Done.

+TEST(CertVerifierCachePersisterTest, DeserializeRequestParamsNoOcspResponse) {
+  net::CertVerifyResult verify_result;
+  net::CachingCertVerifier verifier(base::MakeUnique<net::MockCertVerifier>());
+  ASSERT_NO_FATAL_FAILURE(
+      VerifyCert("ok_cert.pem", "www.example.com", &verifier, &verify_result));
+  cronet_pb::CertVerificationCache cert_cache =
+      SerializeCertVerifierCache(verifier);
+  DCHECK_EQ(1, cert_cache.cert_entry_size());
+  DCHECK_EQ(1, cert_cache.cache_entry_size());
+
+  for (int i = 0; i < cert_cache.cache_entry_size(); ++i) {
+    cronet_pb::CertVerificationCacheEntry* cache_entry =
+        cert_cache.mutable_cache_entry(i);
+    cronet_pb::CertVerificationRequestParams* request_params =
+        cache_entry->mutable_request_params();
+    // Corrupt |ocsp_response|.
+    request_params->clear_ocsp_response();
+  }
+
+  net::CachingCertVerifier verifier2(base::MakeUnique<net::MockCertVerifier>());
+  EXPECT_FALSE(DeserializeCertVerifierCache(cert_cache, &verifier2));
+}
+
+// Empty certificate number in |request_params| in the serialized data, should
+// fail when deserialized.

[Ryan Sleevi, 2016/06/21 20:31:03]

HERE1

[ramant (doing other things), 2016/06/22 03:51:36]

Done.

+TEST(CertVerifierCachePersisterTest,
+     DeserializeRequestParamsCertificateNoCertNumbers) {
+  net::CertVerifyResult verify_result;
+  net::CachingCertVerifier verifier(base::MakeUnique<net::MockCertVerifier>());
+  ASSERT_NO_FATAL_FAILURE(
+      VerifyCert("ok_cert.pem", "www.example.com", &verifier, &verify_result));
+  cronet_pb::CertVerificationCache cert_cache =
+      SerializeCertVerifierCache(verifier);
+  DCHECK_EQ(1, cert_cache.cert_entry_size());
+  DCHECK_EQ(1, cert_cache.cache_entry_size());
+
+  for (int i = 0; i < cert_cache.cache_entry_size(); ++i) {
+    cronet_pb::CertVerificationCacheEntry* cache_entry =
+        cert_cache.mutable_cache_entry(i);
+    cronet_pb::CertVerificationRequestParams* request_params =
+        cache_entry->mutable_request_params();
+    cronet_pb::CertVerificationCertificate* certificate =
+        request_params->mutable_certificate();
+    // Corrupt certificate number.
+    certificate->clear_cert_numbers();
+  }
+
+  net::CachingCertVerifier verifier2(base::MakeUnique<net::MockCertVerifier>());
+  EXPECT_FALSE(DeserializeCertVerifierCache(cert_cache, &verifier2));
+}
+
+// Invalid certificate number in |request_params| in the serialized data, should
+// fail when deserialized.

[Ryan Sleevi, 2016/06/21 20:31:03]

HERE1

[ramant (doing other things), 2016/06/22 03:51:37]

Done.

+TEST(CertVerifierCachePersisterTest,
+     DeserializeCorruptedRequestParamsCertNumbers) {
+  net::CertVerifyResult verify_result;
+  net::CachingCertVerifier verifier(base::MakeUnique<net::MockCertVerifier>());
+  ASSERT_NO_FATAL_FAILURE(
+      VerifyCert("ok_cert.pem", "www.example.com", &verifier, &verify_result));
+  cronet_pb::CertVerificationCache cert_cache =
+      SerializeCertVerifierCache(verifier);
+  DCHECK_EQ(1, cert_cache.cert_entry_size());
+  DCHECK_EQ(1, cert_cache.cache_entry_size());
+
+  for (int i = 0; i < cert_cache.cache_entry_size(); ++i) {
+    cronet_pb::CertVerificationCacheEntry* cache_entry =
+        cert_cache.mutable_cache_entry(i);
+    cronet_pb::CertVerificationRequestParams* request_params =
+        cache_entry->mutable_request_params();
+    cronet_pb::CertVerificationCertificate* certificate =
+        request_params->mutable_certificate();
+    // Set bogus certificate number.
+    certificate->set_cert_numbers(0, 100);
+  }
+
+  net::CachingCertVerifier verifier2(base::MakeUnique<net::MockCertVerifier>());
+  EXPECT_FALSE(DeserializeCertVerifierCache(cert_cache, &verifier2));
+}
+
+// Corrupted certificate number in |additional_trust_anchors| of
+// |request_params| in the serialized data, should fail when deserialized.

[Ryan Sleevi, 2016/06/21 20:31:03]

HERE1

[ramant (doing other things), 2016/06/22 03:51:37]

Done.

+TEST(CertVerifierCachePersisterTest,
+     DeserializeRequestParamsCertificateNoTrustAnchors) {
+  net::CertificateList ca_cert_list = net::CreateCertificateListFromFile(
+      net::GetTestCertsDirectory(), "root_ca_cert.pem",
+      net::X509Certificate::FORMAT_AUTO);
+  ASSERT_EQ(1U, ca_cert_list.size());
+  scoped_refptr<net::X509Certificate> ca_cert(ca_cert_list[0]);
+
+  net::CertificateList cert_list = net::CreateCertificateListFromFile(
+      net::GetTestCertsDirectory(), "ok_cert.pem",
+      net::X509Certificate::FORMAT_AUTO);
+  ASSERT_EQ(1U, cert_list.size());
+  scoped_refptr<net::X509Certificate> cert(cert_list[0]);
+
+  // Now add the |ca_cert| to the |trust_anchors|, and verification should pass.
+  net::CertificateList trust_anchors;
+  trust_anchors.push_back(ca_cert);
+
+  int error;
+  net::CertVerifyResult verify_result;
+  net::TestCompletionCallback callback;
+  std::unique_ptr<net::CertVerifier::Request> request;
+
+  net::CachingCertVerifier verifier(base::MakeUnique<net::MockCertVerifier>());
+  error = callback.GetResult(verifier.Verify(
+      net::CertVerifier::RequestParams(cert, "www.example.com", 0,
+                                       std::string(), trust_anchors),
+      nullptr, &verify_result, callback.callback(), &request,
+      net::BoundNetLog()));
+  EXPECT_TRUE(net::IsCertificateError(error));

[Ryan Sleevi, 2016/06/21 20:31:03]

Why don't you use the VerifyCert() helper like you do in other tests?

[ramant (doing other things), 2016/06/22 03:51:37]

In this test, we are verifying with trust_anchors. Added a comment. wdyt?

+
+  cronet_pb::CertVerificationCache cert_cache =
+      SerializeCertVerifierCache(verifier);
+  DCHECK_EQ(2, cert_cache.cert_entry_size());
+  DCHECK_EQ(1, cert_cache.cache_entry_size());
+
+  for (int i = 0; i < cert_cache.cache_entry_size(); ++i) {
+    cronet_pb::CertVerificationCacheEntry* cache_entry =
+        cert_cache.mutable_cache_entry(i);
+    cronet_pb::CertVerificationRequestParams* request_params =
+        cache_entry->mutable_request_params();
+    for (int j = 0; j < request_params->additional_trust_anchors_size(); ++j) {
+      cronet_pb::CertVerificationCertificate* certificate =
+          request_params->mutable_additional_trust_anchors(j);
+      // Corrupt the certificate number in |additional_trust_anchors|.
+      certificate->clear_cert_numbers();
+    }
+  }
+
+  net::CachingCertVerifier verifier2(base::MakeUnique<net::MockCertVerifier>());
+  EXPECT_FALSE(DeserializeCertVerifierCache(cert_cache, &verifier2));
+}
+
+// Corrupted |cached_result| in the serialized data, should fail when
+// deserialized.

[Ryan Sleevi, 2016/06/21 20:31:03]

HERE1

[ramant (doing other things), 2016/06/22 03:51:36]

Done.

+TEST(CertVerifierCachePersisterTest, DeserializeCorruptedCachedResult) {
+  net::CertVerifyResult verify_result;
+  net::CachingCertVerifier verifier(base::MakeUnique<net::MockCertVerifier>());
+  ASSERT_NO_FATAL_FAILURE(
+      VerifyCert("ok_cert.pem", "www.example.com", &verifier, &verify_result));
+  cronet_pb::CertVerificationCache cert_cache =
+      SerializeCertVerifierCache(verifier);
+  DCHECK_EQ(1, cert_cache.cert_entry_size());
+  DCHECK_EQ(1, cert_cache.cache_entry_size());
+
+  for (int i = 0; i < cert_cache.cache_entry_size(); ++i) {
+    cronet_pb::CertVerificationCacheEntry* cache_entry =
+        cert_cache.mutable_cache_entry(i);
+    // Corrupt the |cached_result|.
+    cache_entry->clear_cached_result();
+  }
+
+  net::CachingCertVerifier verifier2(base::MakeUnique<net::MockCertVerifier>());
+  EXPECT_FALSE(DeserializeCertVerifierCache(cert_cache, &verifier2));
+}
+
+// Corrupted |error| in the serialized data, should fail when deserialized.
+TEST(CertVerifierCachePersisterTest, DeserializeCachedResultNoError) {
+  net::CertVerifyResult verify_result;
+  net::CachingCertVerifier verifier(base::MakeUnique<net::MockCertVerifier>());
+  ASSERT_NO_FATAL_FAILURE(
+      VerifyCert("ok_cert.pem", "www.example.com", &verifier, &verify_result));
+  cronet_pb::CertVerificationCache cert_cache =
+      SerializeCertVerifierCache(verifier);
+  DCHECK_EQ(1, cert_cache.cert_entry_size());
+  DCHECK_EQ(1, cert_cache.cache_entry_size());
+
+  for (int i = 0; i < cert_cache.cache_entry_size(); ++i) {
+    cronet_pb::CertVerificationCacheEntry* cache_entry =
+        cert_cache.mutable_cache_entry(i);
+    cronet_pb::CertVerificationCachedResult* cached_result =
+        cache_entry->mutable_cached_result();
+    // Corrupt |error|.
+    cached_result->clear_error();
+  }
+
+  net::CachingCertVerifier verifier2(base::MakeUnique<net::MockCertVerifier>());
+  EXPECT_FALSE(DeserializeCertVerifierCache(cert_cache, &verifier2));
+}
+
+// Corrupted |result| (CertVerifyResult) in the serialized data, should fail
+// when deserialized.

[Ryan Sleevi, 2016/06/21 20:31:03]

HERE1

[ramant (doing other things), 2016/06/22 03:51:37]

Done.

+TEST(CertVerifierCachePersisterTest, DeserializeCachedResultNoResult) {
+  net::CertVerifyResult verify_result;
+  net::CachingCertVerifier verifier(base::MakeUnique<net::MockCertVerifier>());
+  ASSERT_NO_FATAL_FAILURE(
+      VerifyCert("ok_cert.pem", "www.example.com", &verifier, &verify_result));
+  cronet_pb::CertVerificationCache cert_cache =
+      SerializeCertVerifierCache(verifier);
+  DCHECK_EQ(1, cert_cache.cert_entry_size());
+  DCHECK_EQ(1, cert_cache.cache_entry_size());
+
+  for (int i = 0; i < cert_cache.cache_entry_size(); ++i) {
+    cronet_pb::CertVerificationCacheEntry* cache_entry =
+        cert_cache.mutable_cache_entry(i);
+    cronet_pb::CertVerificationCachedResult* cached_result =
+        cache_entry->mutable_cached_result();
+    // Corrupt the |result|.
+    cached_result->clear_result();
+  }
+
+  net::CachingCertVerifier verifier2(base::MakeUnique<net::MockCertVerifier>());
+  EXPECT_FALSE(DeserializeCertVerifierCache(cert_cache, &verifier2));
+}
+
+// Corrupted |cert_status| in the serialized data, should fail when
+// deserialized.

[Ryan Sleevi, 2016/06/21 20:31:03]

HERE1

[ramant (doing other things), 2016/06/22 03:51:37]

Done.

+TEST(CertVerifierCachePersisterTest, DeserializeCachedResultNoCertStatus) {
+  net::CertVerifyResult verify_result;
+  net::CachingCertVerifier verifier(base::MakeUnique<net::MockCertVerifier>());
+  ASSERT_NO_FATAL_FAILURE(
+      VerifyCert("ok_cert.pem", "www.example.com", &verifier, &verify_result));
+  cronet_pb::CertVerificationCache cert_cache =
+      SerializeCertVerifierCache(verifier);
+  DCHECK_EQ(1, cert_cache.cert_entry_size());
+  DCHECK_EQ(1, cert_cache.cache_entry_size());
+
+  for (int i = 0; i < cert_cache.cache_entry_size(); ++i) {
+    cronet_pb::CertVerificationCacheEntry* cache_entry =
+        cert_cache.mutable_cache_entry(i);
+    cronet_pb::CertVerificationCachedResult* cached_result =
+        cache_entry->mutable_cached_result();
+    cronet_pb::CertVerificationResult* result = cached_result->mutable_result();
+    // Corrupt the |cert_status|.
+    result->clear_cert_status();
+  }
+
+  net::CachingCertVerifier verifier2(base::MakeUnique<net::MockCertVerifier>());
+  EXPECT_FALSE(DeserializeCertVerifierCache(cert_cache, &verifier2));
+}
+
+// Corrupted |verification_time| in the serialized data, should fail when
+// deserialized.

[Ryan Sleevi, 2016/06/21 20:31:02]

HERE1

[ramant (doing other things), 2016/06/22 03:51:37]

Done.

+TEST(CertVerifierCachePersisterTest, DeserializeCachedResultNoVerifiedCert) {
+  net::CertVerifyResult verify_result;
+  net::CachingCertVerifier verifier(base::MakeUnique<net::MockCertVerifier>());
+  ASSERT_NO_FATAL_FAILURE(
+      VerifyCert("ok_cert.pem", "www.example.com", &verifier, &verify_result));
+  cronet_pb::CertVerificationCache cert_cache =
+      SerializeCertVerifierCache(verifier);
+  DCHECK_EQ(1, cert_cache.cert_entry_size());
+  DCHECK_EQ(1, cert_cache.cache_entry_size());
+
+  for (int i = 0; i < cert_cache.cache_entry_size(); ++i) {
+    cronet_pb::CertVerificationCacheEntry* cache_entry =
+        cert_cache.mutable_cache_entry(i);
+    cronet_pb::CertVerificationCachedResult* cached_result =
+        cache_entry->mutable_cached_result();
+    cronet_pb::CertVerificationResult* result = cached_result->mutable_result();
+    // Corrupt the |verified_cert|.
+    result->clear_verified_cert();
+  }
+
+  net::CachingCertVerifier verifier2(base::MakeUnique<net::MockCertVerifier>());
+  EXPECT_FALSE(DeserializeCertVerifierCache(cert_cache, &verifier2));
+}
+
+// Corrupted |verified_cert| in the serialized data, should fail when
+// deserialized.

[Ryan Sleevi, 2016/06/21 20:31:03]

HERE1

[ramant (doing other things), 2016/06/22 03:51:37]

Done.

+TEST(CertVerifierCachePersisterTest,
+     DeserializeCachedResultNoVerifiedCertNumber) {
+  net::CertVerifyResult verify_result;
+  net::CachingCertVerifier verifier(base::MakeUnique<net::MockCertVerifier>());
+  ASSERT_NO_FATAL_FAILURE(
+      VerifyCert("ok_cert.pem", "www.example.com", &verifier, &verify_result));
+  cronet_pb::CertVerificationCache cert_cache =
+      SerializeCertVerifierCache(verifier);
+  DCHECK_EQ(1, cert_cache.cert_entry_size());
+  DCHECK_EQ(1, cert_cache.cache_entry_size());
+
+  for (int i = 0; i < cert_cache.cache_entry_size(); ++i) {
+    cronet_pb::CertVerificationCacheEntry* cache_entry =
+        cert_cache.mutable_cache_entry(i);
+    cronet_pb::CertVerificationCachedResult* cached_result =
+        cache_entry->mutable_cached_result();
+    cronet_pb::CertVerificationResult* result = cached_result->mutable_result();
+    result->clear_verified_cert();
+    // Corrupt the verified cert's certificate number.
+    cronet_pb::CertVerificationCertificate* certificate =
+        result->mutable_verified_cert();
+    certificate->clear_cert_numbers();
+  }
+
+  net::CachingCertVerifier verifier2(base::MakeUnique<net::MockCertVerifier>());
+  EXPECT_FALSE(DeserializeCertVerifierCache(cert_cache, &verifier2));
+}
+
+// Invalid certificate number of |verified_cert| in the serialized data,
+// should fail when deserialized.

[Ryan Sleevi, 2016/06/21 20:31:04]

HERE1

[ramant (doing other things), 2016/06/22 03:51:36]

Done.

+TEST(CertVerifierCachePersisterTest,
+     DeserializeCorruptedCachedResultVerifiedCertNumber) {
+  net::CertVerifyResult verify_result;
+  net::CachingCertVerifier verifier(base::MakeUnique<net::MockCertVerifier>());
+  ASSERT_NO_FATAL_FAILURE(
+      VerifyCert("ok_cert.pem", "www.example.com", &verifier, &verify_result));
+  cronet_pb::CertVerificationCache cert_cache =
+      SerializeCertVerifierCache(verifier);
+  DCHECK_EQ(1, cert_cache.cert_entry_size());
+  DCHECK_EQ(1, cert_cache.cache_entry_size());
+
+  for (int i = 0; i < cert_cache.cache_entry_size(); ++i) {
+    cronet_pb::CertVerificationCacheEntry* cache_entry =
+        cert_cache.mutable_cache_entry(i);
+    cronet_pb::CertVerificationCachedResult* cached_result =
+        cache_entry->mutable_cached_result();
+    cronet_pb::CertVerificationResult* result = cached_result->mutable_result();
+    cronet_pb::CertVerificationCertificate* certificate =
+        result->mutable_verified_cert();
+    // Set bogus certificate number for |verified_cert|.
+    certificate->set_cert_numbers(0, 100);
+  }
+
+  net::CachingCertVerifier verifier2(base::MakeUnique<net::MockCertVerifier>());
+  EXPECT_FALSE(DeserializeCertVerifierCache(cert_cache, &verifier2));
+}
+
+// Corrupted |public_key_hashes| in the serialized data, should fail when
+// deserialized.

[Ryan Sleevi, 2016/06/21 20:31:03]

HERE1

[ramant (doing other things), 2016/06/22 03:51:37]

Done.

+TEST(CertVerifierCachePersisterTest,
+     DeserializeCorruptedCachedResultPublicKeyHashes) {
+  net::CertVerifyResult verify_result;
+  net::CachingCertVerifier verifier(base::MakeUnique<net::MockCertVerifier>());
+  ASSERT_NO_FATAL_FAILURE(
+      VerifyCert("ok_cert.pem", "www.example.com", &verifier, &verify_result));
+  cronet_pb::CertVerificationCache cert_cache =
+      SerializeCertVerifierCache(verifier);
+  DCHECK_EQ(1, cert_cache.cert_entry_size());
+  DCHECK_EQ(1, cert_cache.cache_entry_size());
+
+  for (int i = 0; i < cert_cache.cache_entry_size(); ++i) {
+    cronet_pb::CertVerificationCacheEntry* cache_entry =
+        cert_cache.mutable_cache_entry(i);
+    cronet_pb::CertVerificationCachedResult* cached_result =
+        cache_entry->mutable_cached_result();
+    cronet_pb::CertVerificationResult* result = cached_result->mutable_result();
+    // Set bogus |public_key_hashes|.
+    result->add_public_key_hashes("");
+  }
+
+  net::CachingCertVerifier verifier2(base::MakeUnique<net::MockCertVerifier>());
+  EXPECT_FALSE(DeserializeCertVerifierCache(cert_cache, &verifier2));
+}
+
+// Corrupted |verification_time| in the serialized data, should fail when
+// deserialized.

[Ryan Sleevi, 2016/06/21 20:31:02]

HERE1

[ramant (doing other things), 2016/06/22 03:51:36]

Done.

+TEST(CertVerifierCachePersisterTest, DeserializeCorruptedVerificationTime) {
+  net::CertVerifyResult verify_result;
+  net::CachingCertVerifier verifier(base::MakeUnique<net::MockCertVerifier>());
+  ASSERT_NO_FATAL_FAILURE(
+      VerifyCert("ok_cert.pem", "www.example.com", &verifier, &verify_result));
+  cronet_pb::CertVerificationCache cert_cache =
+      SerializeCertVerifierCache(verifier);
+  DCHECK_EQ(1, cert_cache.cert_entry_size());
+  DCHECK_EQ(1, cert_cache.cache_entry_size());
+
+  for (int i = 0; i < cert_cache.cache_entry_size(); ++i) {
+    cronet_pb::CertVerificationCacheEntry* cache_entry =
+        cert_cache.mutable_cache_entry(i);
+    // Corrupt |verification_time|.
+    cache_entry->clear_verification_time();
+  }
+
+  net::CachingCertVerifier verifier2(base::MakeUnique<net::MockCertVerifier>());
+  EXPECT_FALSE(DeserializeCertVerifierCache(cert_cache, &verifier2));
+}
+
+}  // namespace cronet