Cast device revocation checking.

components/cast_certificate/cast_cert_validator_unittest.cc

 // Copyright 2016 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "components/cast_certificate/cast_cert_validator.h"
 
 #include "components/cast_certificate/cast_cert_validator_test_helpers.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 namespace cast_certificate {
@@ skipping 21 matching lines @@
 //  * |expected_policy| - The policy that should have been identified for the
 //                        device certificate.
 //  * |time| - The timestamp to use when verifying the certificate.
 //  * |optional_signed_data_file_name| - optional path to a PEM file containing
 //        a valid signature generated by the device certificate.
 //
 void RunTest(TestResult expected_result,
              const std::string& expected_common_name,
              CastDeviceCertPolicy expected_policy,
              const std::string& certs_file_name,
-             const base::Time::Exploded& time,
+             const base::Time& time,
              const std::string& optional_signed_data_file_name) {
   auto certs =
       cast_certificate::testing::ReadCertificateChainFromFile(certs_file_name);
 
   std::unique_ptr<CertVerificationContext> context;
   CastDeviceCertPolicy policy;
-  bool result = VerifyDeviceCert(certs, time, &context, &policy);
+  bool result = VerifyDeviceCert(certs, time, &context, &policy, nullptr,
+                                 CRLPolicy::CRL_OPTIONAL);
 
   if (expected_result == RESULT_FAIL) {
     ASSERT_FALSE(result);
     return;
   }
 
   ASSERT_TRUE(result);
   EXPECT_EQ(expected_policy, policy);
   ASSERT_TRUE(context.get());
 
@@ skipping 22 matching lines @@
     // TODO(eroman): This fails because there isn't currently support
     // for specifying a signature algorithm other than RSASSA PKCS#1 v1.5 with
     // SHA1. Once support for different algorithms is added to the API this
     // should be changed to expect success.
     EXPECT_FALSE(context->VerifySignatureOverData(
         signature_data.signature_sha256, signature_data.message));
   }
 }
 
 // Creates a time in UTC at midnight.
-base::Time::Exploded CreateDate(int year, int month, int day) {
+//
+// The maximum date usable here is limited to year 2038 on 32 bit systems due to
+// base::Time::FromExploded clamping the range to what is supported by mktime
+// and timegm.
+base::Time CreateDate(int year, int month, int day) {
   base::Time::Exploded time = {0};
   time.year = year;
   time.month = month;
   time.day_of_month = day;
-  return time;
+  base::Time result;
+  EXPECT_TRUE(base::Time::FromUTCExploded(time, &result));
+  return result;
 }
 
 // Returns 2016-04-01 00:00:00 UTC.
 //
 // This is a time when most of the test certificate paths are
 // valid.
-base::Time::Exploded AprilFirst2016() {
+base::Time AprilFirst2016() {
   return CreateDate(2016, 4, 1);
 }
 
 // Returns 2015-01-01 00:00:00 UTC.
-base::Time::Exploded JanuaryFirst2015() {
+base::Time JanuaryFirst2015() {
   return CreateDate(2015, 1, 1);
 }
 
-// Returns 2040-03-01 00:00:00 UTC.
+// Returns 2037-03-01 00:00:00 UTC.
 //
 // This is so far in the future that the test chains in this unit-test
 // should all be invalid.
-base::Time::Exploded MarchFirst2040() {
-  return CreateDate(2040, 3, 1);
+base::Time MarchFirst2037() {
+  return CreateDate(2037, 3, 1);
 }
 
 // Tests verifying a valid certificate chain of length 2:
 //
 //   0: 2ZZBG9 FA8FCA3EF91A
 //   1: Eureka Gen1 ICA
 //
 // Chains to trust anchor:
 //   Eureka Root CA    (not included)
 TEST(VerifyCastDeviceCertTest, ChromecastGen1) {
@@ skipping 122 matching lines @@
   // this test is pointless.
   RunTest(RESULT_SUCCESS, "3ZZAK6 FA8FCA3F0D35", CastDeviceCertPolicy::NONE,
           kCertsFile, AprilFirst2016(), "");
 
   // Use a time before notBefore.
   RunTest(RESULT_FAIL, "", CastDeviceCertPolicy::NONE, kCertsFile,
           JanuaryFirst2015(), "");
 
   // Use a time after notAfter.
   RunTest(RESULT_FAIL, "", CastDeviceCertPolicy::NONE, kCertsFile,
-          MarchFirst2040(), "");
+          MarchFirst2037(), "");
 }
 
 // Tests verifying a valid certificate chain of length 3:
 //
 //  0: Audio Reference Dev Test
 //  1: Audio Reference Dev Model
 //  2: Cast Audio Dev Root CA
 //
 // Chains to trust anchor:
 //   Cast Root CA     (not included)
@@ skipping 156 matching lines @@
   auto context =
       CertVerificationContextImplForTest(CreateString(kEx2PublicKeySpki));
 
   EXPECT_TRUE(context->VerifySignatureOverData(CreateString(kEx2Signature),
                                                CreateString(kEx2Message)));
 }
 
 }  // namespace
 
 }  // namespace cast_certificate