Allow TrustStore queries to be asynchronous.

net/cert/internal/path_builder_unittest.cc

 // Copyright 2016 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/internal/path_builder.h"
 
 #include "base/base_paths.h"
 #include "base/cancelable_callback.h"
 #include "base/files/file_util.h"
 #include "base/location.h"
 #include "base/path_service.h"
 #include "base/threading/thread_task_runner_handle.h"
 #include "net/base/net_errors.h"
 #include "net/base/test_completion_callback.h"
 #include "net/cert/internal/cert_issuer_source_static.h"
 #include "net/cert/internal/parsed_certificate.h"
 #include "net/cert/internal/signature_policy.h"
 #include "net/cert/internal/test_helpers.h"
 #include "net/cert/internal/trust_store_in_memory.h"
+#include "net/cert/internal/trust_store_test_helpers.h"
 #include "net/cert/internal/verify_certificate_chain.h"
 #include "net/cert/pem_tokenizer.h"
 #include "net/der/input.h"
 #include "net/test/cert_test_util.h"
 #include "net/test/test_certificate_data.h"
 #include "testing/gmock/include/gmock/gmock.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 namespace net {
 
@@ skipping 590 matching lines @@
     DVLOG(1) << "USED OLD";
     EXPECT_EQ(oldintermediate_, path.certs[1]);
     EXPECT_EQ(oldroot_, path.trust_anchor);
   } else {
     DVLOG(1) << "USED NEW";
     EXPECT_EQ(newintermediate_, path.certs[1]);
     EXPECT_EQ(newroot_, path.trust_anchor->cert());
   }
 }
 
-class MockTrustStore : public TrustStore {
- public:
-  MOCK_CONST_METHOD2(FindTrustAnchorsByNormalizedName,
-                     void(const der::Input& normalized_name,
-                          TrustAnchors* matches));
-};
+// If trust anchors are provided both synchronously and asynchronously for the
+// same cert, the synchronously provided ones should be tried first, and
+// pathbuilder should finish synchronously.
+TEST_F(PathBuilderKeyRolloverTest, TestSyncAnchorsPreferred) {
+  TrustStoreInMemoryAsync trust_store;
+  // Both oldintermediate and newintermediate are trusted, but oldintermediate
+  // is returned synchronously and newintermediate asynchronously.
+  trust_store.AddSyncTrustAnchor(
+      TrustAnchor::CreateFromCertificateNoConstraints(oldintermediate_));
+  trust_store.AddAsyncTrustAnchor(
+      TrustAnchor::CreateFromCertificateNoConstraints(newintermediate_));
+
+  CertPathBuilder::Result result;
+  CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_,
+                               &result);
+
+  EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder));
+
+  EXPECT_EQ(OK, result.error());
+
+  ASSERT_EQ(1U, result.paths.size());
+  const auto& path = result.paths[0]->path;
+  EXPECT_EQ(OK, result.paths[0]->error);
+  ASSERT_EQ(1U, path.certs.size());
+  EXPECT_EQ(target_, path.certs[0]);
+  EXPECT_EQ(oldintermediate_, path.trust_anchor->cert());
+}
+
+// Async trust anchor checks should be done before synchronous issuer checks are
+// considered. (Avoiding creating unnecessarily long paths.)
+//
+// Two valid paths could be built:
+// newintermediate <- newrootrollover <- oldroot
+// newintermediate <- newroot
+// One invalid path could be built:
+// newintermediate <- oldroot
+//
+// First: newintermediate <- oldroot will be tried, since oldroot is
+// available synchronously, but this path will not verify.
+// Second: newintermediate <- newroot should be built, even though
+// newrootrollover issuer is available synchronously and newroot is async. This
+// path should verify and pathbuilder will stop.
+TEST_F(PathBuilderKeyRolloverTest, TestAsyncAnchorsBeforeSyncIssuers) {
+  TrustStoreInMemoryAsync trust_store;
+  trust_store.AddSyncTrustAnchor(oldroot_);
+  trust_store.AddAsyncTrustAnchor(
+      TrustAnchor::CreateFromCertificateNoConstraints(newroot_));
+
+  CertIssuerSourceStatic sync_certs;
+  sync_certs.AddCert(newrootrollover_);
+
+  CertPathBuilder::Result result;
+  CertPathBuilder path_builder(newintermediate_, &trust_store,
+                               &signature_policy_, time_, &result);
+  path_builder.AddCertIssuerSource(&sync_certs);
+
+  EXPECT_EQ(CompletionStatus::ASYNC, RunPathBuilder(&path_builder));
+
+  EXPECT_EQ(OK, result.error());
+
+  ASSERT_EQ(2U, result.paths.size());
+  {
+    const auto& path = result.paths[0]->path;
+    EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.paths[0]->error);
+    ASSERT_EQ(1U, path.certs.size());
+    EXPECT_EQ(newintermediate_, path.certs[0]);
+    EXPECT_EQ(oldroot_, path.trust_anchor);
+  }
+  {
+    const auto& path = result.paths[1]->path;
+    EXPECT_EQ(OK, result.paths[1]->error);
+    ASSERT_EQ(1U, path.certs.size());
+    EXPECT_EQ(newintermediate_, path.certs[0]);
+    EXPECT_EQ(newroot_, path.trust_anchor->cert());
+  }
+}
+
+// If async trust anchor query returned no results, and there are no issuer
+// sources, path building should fail at that point.
+TEST_F(PathBuilderKeyRolloverTest, TestAsyncAnchorsNoMatchAndNoIssuerSources) {
+  TrustStoreInMemoryAsync trust_store;
+  trust_store.AddAsyncTrustAnchor(
+      TrustAnchor::CreateFromCertificateNoConstraints(newroot_));
+
+  CertPathBuilder::Result result;
+  CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_,
+                               &result);
+
+  EXPECT_EQ(CompletionStatus::ASYNC, RunPathBuilder(&path_builder));
+
+  EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.error());
+
+  ASSERT_EQ(0U, result.paths.size());
+}
+
+// Both trust store and issuer source are async. Should successfully build a
+// path.
+TEST_F(PathBuilderKeyRolloverTest, TestAsyncAnchorsAndAsyncIssuers) {
+  TrustStoreInMemoryAsync trust_store;
+  trust_store.AddAsyncTrustAnchor(
+      TrustAnchor::CreateFromCertificateNoConstraints(newroot_));
+
+  AsyncCertIssuerSourceStatic async_certs;
+  async_certs.AddCert(newintermediate_);
+
+  CertPathBuilder::Result result;
+  CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_,
+                               &result);
+  path_builder.AddCertIssuerSource(&async_certs);
+
+  EXPECT_EQ(CompletionStatus::ASYNC, RunPathBuilder(&path_builder));
+
+  EXPECT_EQ(OK, result.error());
+
+  ASSERT_EQ(1U, result.paths.size());
+  const auto& path = result.paths[0]->path;
+  EXPECT_EQ(OK, result.paths[0]->error);
+  ASSERT_EQ(2U, path.certs.size());
+  EXPECT_EQ(target_, path.certs[0]);
+  EXPECT_EQ(newintermediate_, path.certs[1]);
+  EXPECT_EQ(newroot_, path.trust_anchor->cert());
+}
 
 // Tests that multiple trust root matches on a single path will be considered.
 // Both roots have the same subject but different keys. Only one of them will
 // verify.
 TEST_F(PathBuilderKeyRolloverTest, TestMultipleRootMatchesOnlyOneWorks) {
-  NiceMock<MockTrustStore> trust_store;
-  // Default handler for any other TrustStore requests.
-  EXPECT_CALL(trust_store, FindTrustAnchorsByNormalizedName(_, _))
-      .WillRepeatedly(Return());
-  // Both newroot and oldroot are trusted, and newroot is returned first in the
-  // matches vector.
-  EXPECT_CALL(trust_store, FindTrustAnchorsByNormalizedName(
-                               newroot_->normalized_subject(), _))
-      .WillRepeatedly(Invoke(
-          [this](const der::Input& normalized_name, TrustAnchors* matches) {
-            matches->push_back(
-                TrustAnchor::CreateFromCertificateNoConstraints(newroot_));
-            matches->push_back(oldroot_);
-          }));
+  TrustStoreInMemoryAsync trust_store;
+  // Since FindTrustAnchorsByNormalizedName returns newroot synchronously, it
+  // should be tried first.
+  trust_store.AddSyncTrustAnchor(
+      TrustAnchor::CreateFromCertificateNoConstraints(newroot_));
+  // oldroot is returned asynchronously, so it should only be tried after the
+  // path built with newroot fails.
+  trust_store.AddAsyncTrustAnchor(oldroot_);
 
   // Only oldintermediate is supplied, so the path with newroot should fail,
   // oldroot should succeed.
   CertIssuerSourceStatic sync_certs;
   sync_certs.AddCert(oldintermediate_);
 
   CertPathBuilder::Result result;
   CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_,
                                &result);
   path_builder.AddCertIssuerSource(&sync_certs);
 
-  EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder));
+  EXPECT_EQ(CompletionStatus::ASYNC, RunPathBuilder(&path_builder));
 
   EXPECT_EQ(OK, result.error());
-  // Since FindTrustAnchorsByNormalizedName returns newroot first, it should be
-  // tried first. (Note: this may change if PathBuilder starts prioritizing the
-  // path building order.)
   ASSERT_EQ(2U, result.paths.size());
 
   {
     // Path builder may first attempt: target <- oldintermediate <- newroot
     // but it will fail since oldintermediate is signed by oldroot.
     EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.paths[0]->error);
     const auto& path = result.paths[0]->path;
     ASSERT_EQ(2U, path.certs.size());
     EXPECT_EQ(target_, path.certs[0]);
     EXPECT_EQ(oldintermediate_, path.certs[1]);
@@ skipping 499 matching lines @@
   const auto& path1 = result.paths[1]->path;
   ASSERT_EQ(2U, path1.certs.size());
   EXPECT_EQ(target_, path1.certs[0]);
   EXPECT_EQ(newintermediate_, path1.certs[1]);
   EXPECT_EQ(newroot_, path1.trust_anchor->cert());
 }
 
 }  // namespace
 
 }  // namespace net