CertVerifyProcMac: Add Keychain re-ordering hack, check CRLsets in path pruning loop.

net/url_request/url_request_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <memory>
 #include <utility>
 
 #include "base/memory/ptr_util.h"
 #include "build/build_config.h"
 
@@ skipping 9356 matching lines @@
     return;
   }
 
   SpawnedTestServer::SSLOptions ssl_options(
       SpawnedTestServer::SSLOptions::CERT_AUTO);
   ssl_options.ocsp_status = SpawnedTestServer::SSLOptions::OCSP_REVOKED;
 
   CertStatus cert_status;
   DoConnection(ssl_options, &cert_status);
 
-#if !(defined(OS_MACOSX) && !defined(OS_IOS))
-  // Doesn't pass on OS X yet for reasons that need to be investigated.

[Ryan Sleevi, 2016/08/12 19:50:17]

I think this may start causing flaky failures, because of OS X's OCSP cache
(which is global and we don't flush)

[mattm, 2016/08/16 01:41:34]

Isn't that a bigger problem then? Wouldn't this test running at all have a
chance of causing future flakes in any of the other tests that use the same ocsp
test root (such as HTTPSOCSPTest.Valid)?

[mattm, 2016/08/16 02:14:30]

If I'm reading the code correctly, it uses a random 16-byte serial number for
each cert it generates, so the risk of flake from caching should be minimal:
https://cs.chromium.org/chromium/src/net/tools/testserver/minica.py?rcl=0&l=402 

   EXPECT_EQ(CERT_STATUS_REVOKED, cert_status & CERT_STATUS_ALL_ERRORS);
-#endif
   EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV);
   EXPECT_TRUE(cert_status & CERT_STATUS_REV_CHECKING_ENABLED);
 }
 
 TEST_F(HTTPSOCSPTest, Invalid) {
   if (!SystemSupportsOCSP()) {
     LOG(WARNING) << "Skipping test because system doesn't support OCSP";
     return;
   }
 
   SpawnedTestServer::SSLOptions ssl_options(
       SpawnedTestServer::SSLOptions::CERT_AUTO);
   ssl_options.ocsp_status = SpawnedTestServer::SSLOptions::OCSP_INVALID;
 
   CertStatus cert_status;
   DoConnection(ssl_options, &cert_status);
 
+#if defined(OS_MACOSX) && !defined(OS_IOS)
+  // TODO(mattm): Figure out why CERT_STATUS_UNABLE_TO_CHECK_REVOCATION is
+  // returned for this test but not any of the other ones that use
+  // ExpectedCertStatusForFailedOnlineRevocationCheck.
+  EXPECT_EQ(CERT_STATUS_UNABLE_TO_CHECK_REVOCATION,
+            cert_status & CERT_STATUS_ALL_ERRORS);
+#else
   EXPECT_EQ(ExpectedCertStatusForFailedOnlineRevocationCheck(),

[Ryan Sleevi, 2016/08/12 19:50:17]

Looking at the definition of this, shouldn't you just update the function to
support OS X as well?

[mattm, 2016/08/16 01:41:34]

Done. I had to fix HTTPSEVCRLSetTest.MissingCRLSetAndInvalidOCSP, so you should
check that my fix there makes sense.

             cert_status & CERT_STATUS_ALL_ERRORS);
+#endif
 
   // Without a positive OCSP response, we shouldn't show the EV status.
   EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV);
   EXPECT_TRUE(cert_status & CERT_STATUS_REV_CHECKING_ENABLED);
 }
 
 TEST_F(HTTPSOCSPTest, ValidStapled) {
   if (!SystemSupportsOCSPStapling()) {
     LOG(WARNING)
         << "Skipping test because system doesn't support OCSP stapling";
@@ skipping 694 matching lines @@
   AddTestInterceptor()->set_main_intercept_job(std::move(job));
 
   req->Start();
   req->Cancel();
   base::RunLoop().RunUntilIdle();
   EXPECT_EQ(URLRequestStatus::CANCELED, req->status().status());
   EXPECT_EQ(0, d.received_redirect_count());
 }
 
 }  // namespace net