Refactor some certificate verification tests in preparation to adding

net/cert/internal/path_builder_unittest.cc

 // Copyright 2016 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/internal/path_builder.h"
 
 #include "base/base_paths.h"
 #include "base/cancelable_callback.h"
 #include "base/files/file_util.h"
 #include "base/location.h"
@@ skipping 82 matching lines @@
     *out_req = std::move(req);
   }
   int num_async_gets() const { return num_async_gets_; }
 
  private:
   CertIssuerSourceStatic static_cert_issuer_source_;
 
   int num_async_gets_ = 0;
 };
 
-// Reads a data file from the unit-test data.
-std::string ReadTestFileToString(const std::string& file_name) {
-  // Compute the full path, relative to the src/ directory.
-  base::FilePath src_root;
-  PathService::Get(base::DIR_SOURCE_ROOT, &src_root);
-  base::FilePath filepath = src_root.AppendASCII(file_name);
-
-  // Read the full contents of the file.
-  std::string file_data;
-  if (!base::ReadFileToString(filepath, &file_data)) {
-    ADD_FAILURE() << "Couldn't read file: " << filepath.value();
-    return std::string();
-  }
-
-  return file_data;
-}
-
-// Reads a verify_certificate_chain_unittest-style test case from |file_name|.
-// Test cases are comprised of a certificate chain, trust store, a timestamp to
-// validate at, and the expected result of verification (though the expected
-// result is ignored here).
-void ReadVerifyCertChainTestFromFile(const std::string& file_name,
-                                     std::vector<std::string>* chain,
-                                     scoped_refptr<ParsedCertificate>* root,
-                                     der::GeneralizedTime* time) {
-  chain->clear();
-
-  std::string file_data = ReadTestFileToString(file_name);
-
-  std::vector<std::string> pem_headers;
-
-  const char kCertificateHeader[] = "CERTIFICATE";
-  const char kTrustedCertificateHeader[] = "TRUSTED_CERTIFICATE";
-  const char kTimeHeader[] = "TIME";
-
-  pem_headers.push_back(kCertificateHeader);
-  pem_headers.push_back(kTrustedCertificateHeader);
-  pem_headers.push_back(kTimeHeader);
-
-  bool has_time = false;
-
-  PEMTokenizer pem_tokenizer(file_data, pem_headers);
-  while (pem_tokenizer.GetNext()) {
-    const std::string& block_type = pem_tokenizer.block_type();
-    const std::string& block_data = pem_tokenizer.data();
-
-    if (block_type == kCertificateHeader) {
-      chain->push_back(block_data);
-    } else if (block_type == kTrustedCertificateHeader) {
-      *root = ParsedCertificate::CreateFromCertificateCopy(block_data, {});
-      ASSERT_TRUE(*root);
-    } else if (block_type == kTimeHeader) {
-      ASSERT_FALSE(has_time) << "Duplicate " << kTimeHeader;
-      has_time = true;
-      ASSERT_TRUE(der::ParseUTCTime(der::Input(&block_data), time));
-    }
-  }
-
-  ASSERT_TRUE(has_time);
-}
-
 ::testing::AssertionResult ReadTestPem(const std::string& file_name,
                                        const std::string& block_name,
                                        std::string* result) {
   const PemBlockMapping mappings[] = {
       {block_name.c_str(), result},
   };
 
   return ReadTestDataFromPemFile(file_name, mappings);
 }
 
@@ skipping 367 matching lines @@
     EXPECT_EQ(c_by_d_, path.certs[2]);
     EXPECT_EQ(d_by_d_, path.trust_anchor->cert());
   }
 }
 
 class PathBuilderKeyRolloverTest : public ::testing::Test {
  public:
   PathBuilderKeyRolloverTest() : signature_policy_(1024) {}
 
   void SetUp() override {
-    std::vector<std::string> path;
+    ParsedCertificateList path;
+    bool unused;
 
-    ReadVerifyCertChainTestFromFile(
-        "net/data/verify_certificate_chain_unittest/key-rollover-oldchain.pem",
-        &path, &oldroot_, &time_);
+    ReadVerifyCertChainTestFromFile("key-rollover-oldchain.pem", &path,
+                                    &oldroot_, &time_, &unused);
     ASSERT_EQ(2U, path.size());
-    target_ = ParsedCertificate::CreateFromCertificateCopy(path[0], {});
-    oldintermediate_ =
-        ParsedCertificate::CreateFromCertificateCopy(path[1], {});
+    target_ = path[0];
+    oldintermediate_ = path[1];
     ASSERT_TRUE(target_);
     ASSERT_TRUE(oldintermediate_);
 
-    ReadVerifyCertChainTestFromFile(
-        "net/data/verify_certificate_chain_unittest/"
-        "key-rollover-longrolloverchain.pem",
-        &path, &oldroot_, &time_);
+    ReadVerifyCertChainTestFromFile("key-rollover-longrolloverchain.pem", &path,
+                                    &oldroot_, &time_, &unused);
     ASSERT_EQ(4U, path.size());
-    newintermediate_ =
-        ParsedCertificate::CreateFromCertificateCopy(path[1], {});
-    newroot_ = ParsedCertificate::CreateFromCertificateCopy(path[2], {});
-    newrootrollover_ =
-        ParsedCertificate::CreateFromCertificateCopy(path[3], {});
+    newintermediate_ = path[1];
+    newroot_ = path[2];
+    newrootrollover_ = path[3];
     ASSERT_TRUE(newintermediate_);
     ASSERT_TRUE(newroot_);
     ASSERT_TRUE(newrootrollover_);
   }
 
  protected:
   //    oldroot-------->newrootrollover  newroot
   //       |                      |        |
   //       v                      v        v
   // oldintermediate           newintermediate
   //       |                          |
   //       +------------+-------------+
   //                    |
   //                    v
   //                  target
   scoped_refptr<ParsedCertificate> target_;
   scoped_refptr<ParsedCertificate> oldintermediate_;
   scoped_refptr<ParsedCertificate> newintermediate_;
-  scoped_refptr<ParsedCertificate> oldroot_;
+  scoped_refptr<TrustAnchor> oldroot_;
   scoped_refptr<ParsedCertificate> newroot_;
   scoped_refptr<ParsedCertificate> newrootrollover_;
 
   SimpleSignaturePolicy signature_policy_;
   der::GeneralizedTime time_;
 };
 
 // Tests that if only the old root cert is trusted, the path builder can build a
 // path through the new intermediate and rollover cert to the old root.
 TEST_F(PathBuilderKeyRolloverTest, TestRolloverOnlyOldRootTrusted) {
   // Only oldroot is trusted.
   TrustStore trust_store;
-  AddTrustedCertificate(oldroot_, &trust_store);
+  trust_store.AddTrustAnchor(oldroot_);
 
   // Old intermediate cert is not provided, so the pathbuilder will need to go
   // through the rollover cert.
   CertIssuerSourceStatic sync_certs;
   sync_certs.AddCert(newintermediate_);
   sync_certs.AddCert(newrootrollover_);
 
   CertPathBuilder::Result result;
   CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_,
                                &result);
   path_builder.AddCertIssuerSource(&sync_certs);
 
   EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder));
 
   EXPECT_EQ(OK, result.error());
 
   // Path builder will first attempt: target <- newintermediate <- oldroot
   // but it will fail since newintermediate is signed by newroot.
   ASSERT_EQ(2U, result.paths.size());
   const auto& path0 = result.paths[0]->path;
   EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.paths[0]->error);
   ASSERT_EQ(2U, path0.certs.size());
   EXPECT_EQ(target_, path0.certs[0]);
   EXPECT_EQ(newintermediate_, path0.certs[1]);
-  EXPECT_EQ(oldroot_, path0.trust_anchor->cert());
+  EXPECT_EQ(oldroot_, path0.trust_anchor);
 
   // Path builder will next attempt:
   // target <- newintermediate <- newrootrollover <- oldroot
   // which will succeed.
   const auto& path1 = result.paths[1]->path;
   EXPECT_EQ(1U, result.best_result_index);
   EXPECT_EQ(OK, result.paths[1]->error);
   ASSERT_EQ(3U, path1.certs.size());
   EXPECT_EQ(target_, path1.certs[0]);
   EXPECT_EQ(newintermediate_, path1.certs[1]);
   EXPECT_EQ(newrootrollover_, path1.certs[2]);
-  EXPECT_EQ(oldroot_, path1.trust_anchor->cert());
+  EXPECT_EQ(oldroot_, path1.trust_anchor);
 }
 
 // Tests that if both old and new roots are trusted it can build a path through
 // either.
 // TODO(mattm): Once prioritization is implemented, it should test that it
 // always builds the path through the new intermediate and new root.
 TEST_F(PathBuilderKeyRolloverTest, TestRolloverBothRootsTrusted) {
   // Both oldroot and newroot are trusted.
   TrustStore trust_store;
-  AddTrustedCertificate(oldroot_, &trust_store);
+  trust_store.AddTrustAnchor(oldroot_);
   AddTrustedCertificate(newroot_, &trust_store);
 
   // Both old and new intermediates + rollover cert are provided.
   CertIssuerSourceStatic sync_certs;
   sync_certs.AddCert(oldintermediate_);
   sync_certs.AddCert(newintermediate_);
   sync_certs.AddCert(newrootrollover_);
 
   CertPathBuilder::Result result;
   CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_,
                                &result);
   path_builder.AddCertIssuerSource(&sync_certs);
 
   EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder));
 
   EXPECT_EQ(OK, result.error());
 
   // Path builder willattempt one of:
   // target <- oldintermediate <- oldroot
   // target <- newintermediate <- newroot
   // either will succeed.
   ASSERT_EQ(1U, result.paths.size());
   const auto& path = result.paths[0]->path;
   EXPECT_EQ(OK, result.paths[0]->error);
   ASSERT_EQ(2U, path.certs.size());
   EXPECT_EQ(target_, path.certs[0]);
   if (path.certs[1] != newintermediate_) {
     DVLOG(1) << "USED OLD";
     EXPECT_EQ(oldintermediate_, path.certs[1]);
-    EXPECT_EQ(oldroot_, path.trust_anchor->cert());
+    EXPECT_EQ(oldroot_, path.trust_anchor);
   } else {
     DVLOG(1) << "USED NEW";
     EXPECT_EQ(newintermediate_, path.certs[1]);
     EXPECT_EQ(newroot_, path.trust_anchor->cert());
   }
 }
 
 // Tests that multiple trust root matches on a single path will be considered.
 // Both roots have the same subject but different keys. Only one of them will
 // verify.
 TEST_F(PathBuilderKeyRolloverTest, TestMultipleRootMatchesOnlyOneWorks) {
   // Both newroot and oldroot are trusted.
   TrustStore trust_store;
   AddTrustedCertificate(newroot_, &trust_store);
-  AddTrustedCertificate(oldroot_, &trust_store);
+  trust_store.AddTrustAnchor(oldroot_);
 
   // Only oldintermediate is supplied, so the path with newroot should fail,
   // oldroot should succeed.
   CertIssuerSourceStatic sync_certs;
   sync_certs.AddCert(oldintermediate_);
 
   CertPathBuilder::Result result;
   CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_,
                                &result);
   path_builder.AddCertIssuerSource(&sync_certs);
@@ skipping 20 matching lines @@
   }
 
   // Path builder will next attempt:
   // target <- old intermediate <- oldroot
   // which should succeed.
   EXPECT_EQ(OK, result.paths[result.best_result_index]->error);
   const auto& path = result.paths[result.best_result_index]->path;
   ASSERT_EQ(2U, path.certs.size());
   EXPECT_EQ(target_, path.certs[0]);
   EXPECT_EQ(oldintermediate_, path.certs[1]);
-  EXPECT_EQ(oldroot_, path.trust_anchor->cert());
+  EXPECT_EQ(oldroot_, path.trust_anchor);
 }
 
 // Tests that the path builder doesn't build longer than necessary paths.
 TEST_F(PathBuilderKeyRolloverTest, TestRolloverLongChain) {
   // Only oldroot is trusted.
   TrustStore trust_store;
-  AddTrustedCertificate(oldroot_, &trust_store);
+  trust_store.AddTrustAnchor(oldroot_);
 
   // New intermediate and new root are provided synchronously.
   CertIssuerSourceStatic sync_certs;
   sync_certs.AddCert(newintermediate_);
   sync_certs.AddCert(newroot_);
 
   // Rollover cert is only provided asynchronously. This will force the
   // pathbuilder to first try building a longer than necessary path.
   AsyncCertIssuerSourceStatic async_certs;
   async_certs.AddCert(newrootrollover_);
 
   CertPathBuilder::Result result;
   CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_,
                                &result);
   path_builder.AddCertIssuerSource(&sync_certs);
   path_builder.AddCertIssuerSource(&async_certs);
 
   EXPECT_EQ(CompletionStatus::ASYNC, RunPathBuilder(&path_builder));
 
   EXPECT_EQ(OK, result.error());
   ASSERT_EQ(3U, result.paths.size());
 
   // Path builder will first attempt: target <- newintermediate <- oldroot
   // but it will fail since newintermediate is signed by newroot.
   EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.paths[0]->error);
   const auto& path0 = result.paths[0]->path;
   ASSERT_EQ(2U, path0.certs.size());
   EXPECT_EQ(target_, path0.certs[0]);
   EXPECT_EQ(newintermediate_, path0.certs[1]);
-  EXPECT_EQ(oldroot_, path0.trust_anchor->cert());
+  EXPECT_EQ(oldroot_, path0.trust_anchor);
 
   // Path builder will next attempt:
   // target <- newintermediate <- newroot <- oldroot
   // but it will fail since newroot is self-signed.
   EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.paths[1]->error);
   const auto& path1 = result.paths[1]->path;
   ASSERT_EQ(3U, path1.certs.size());
   EXPECT_EQ(target_, path1.certs[0]);
   EXPECT_EQ(newintermediate_, path1.certs[1]);
   EXPECT_EQ(newroot_, path1.certs[2]);
-  EXPECT_EQ(oldroot_, path1.trust_anchor->cert());
+  EXPECT_EQ(oldroot_, path1.trust_anchor);
 
   // Path builder will skip:
   // target <- newintermediate <- newroot <- newrootrollover <- ...
   // Since newroot and newrootrollover have the same Name+SAN+SPKI.
 
   // Finally path builder will use:
   // target <- newintermediate <- newrootrollover <- oldroot
   EXPECT_EQ(2U, result.best_result_index);
   EXPECT_EQ(OK, result.paths[2]->error);
   const auto& path2 = result.paths[2]->path;
   ASSERT_EQ(3U, path2.certs.size());
   EXPECT_EQ(target_, path2.certs[0]);
   EXPECT_EQ(newintermediate_, path2.certs[1]);
   EXPECT_EQ(newrootrollover_, path2.certs[2]);
-  EXPECT_EQ(oldroot_, path2.trust_anchor->cert());
+  EXPECT_EQ(oldroot_, path2.trust_anchor);
 }
 
 // If the target cert is a trust anchor, however is not itself *signed* by a
 // trust anchor, then it is not considered valid (the SPKI and name of the
 // trust anchor matches the SPKI and subject of the targe certificate, but the
 // rest of the certificate cannot be verified).
 TEST_F(PathBuilderKeyRolloverTest, TestEndEntityIsTrustRoot) {
   // Trust newintermediate.
   TrustStore trust_store;
   AddTrustedCertificate(newintermediate_, &trust_store);
 
   CertPathBuilder::Result result;
   // Newintermediate is also the target cert.
   CertPathBuilder path_builder(newintermediate_, &trust_store,
                                &signature_policy_, time_, &result);
 
   EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder));
 
   EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.error());
 }
 
 // If target has same Name+SAN+SPKI as a necessary intermediate, test if a path
 // can still be built.
 // Since LoopChecker will prevent the intermediate from being included, this
 // currently does NOT verify. This case shouldn't occur in the web PKI.
 TEST_F(PathBuilderKeyRolloverTest,
        TestEndEntityHasSameNameAndSpkiAsIntermediate) {
   // Trust oldroot.
   TrustStore trust_store;
-  AddTrustedCertificate(oldroot_, &trust_store);
+  trust_store.AddTrustAnchor(oldroot_);
 
   // New root rollover is provided synchronously.
   CertIssuerSourceStatic sync_certs;
   sync_certs.AddCert(newrootrollover_);
 
   CertPathBuilder::Result result;
   // Newroot is the target cert.
   CertPathBuilder path_builder(newroot_, &trust_store, &signature_policy_,
                                time_, &result);
   path_builder.AddCertIssuerSource(&sync_certs);
@@ skipping 382 matching lines @@
   const auto& path1 = result.paths[1]->path;
   ASSERT_EQ(2U, path1.certs.size());
   EXPECT_EQ(target_, path1.certs[0]);
   EXPECT_EQ(newintermediate_, path1.certs[1]);
   EXPECT_EQ(newroot_, path1.trust_anchor->cert());
 }
 
 }  // namespace
 
 }  // namespace net