Update CertVerifyProcTest.RejectWeakKeys for Sierra (Mac OS 10.12)

net/cert/cert_verify_proc_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/cert_verify_proc.h"
 
 #include <vector>
 
 #include "base/callback_helpers.h"
 #include "base/files/file_path.h"
@@ skipping 20 matching lines @@
 #include "net/test/test_certificate_data.h"
 #include "net/test/test_data_directory.h"
 #include "testing/gmock/include/gmock/gmock.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 #if defined(OS_ANDROID)
 #include "base/android/build_info.h"
 #endif
 
 #if defined(OS_MACOSX) && !defined(OS_IOS)
+#include "base/mac/mac_util.h"
 #include "net/cert/test_keychain_search_list_mac.h"
 #endif
 
 #if defined(OS_WIN)
 #include "base/win/windows_version.h"
 #endif
 
 using net::test::IsError;
 using net::test::IsOk;
 
@@ skipping 64 matching lines @@
   // the verified certificate chain and detect known roots.
   if (base::android::BuildInfo::GetInstance()->sdk_int() < 17)
     return false;
 #elif defined(OS_IOS)
   // iOS does not expose the APIs necessary to get the known system roots.
   return false;
 #endif
   return true;
 }
 
+bool WeakKeysAreInvalid() {
+#if defined(OS_MACOSX) && !defined(OS_IOS)
+  // Starting with Mac OS 10.12, certs with weak keys are treated as
+  // (recoverable) invalid certificate errors.
+  return base::mac::IsAtLeastOS10_12();
+#else
+  return false;
+#endif
+}
+
 // Template helper to load a series of certificate files into a CertificateList.
 // Like CertTestUtil's CreateCertificateListFromFile, except it can load a
 // series of individual certificates (to make the tests clearer).
 template <size_t N>
 void LoadCertificateFiles(const char* const (&cert_files)[N],
                           CertificateList* certs) {
   certs->clear();
   for (size_t i = 0; i < N; ++i) {
     SCOPED_TRACE(cert_files[i]);
     scoped_refptr<X509Certificate> cert = CreateCertificateChainFromFile(
@@ skipping 265 matching lines @@
                          "127.0.0.1",
                          0,
                          NULL,
                          empty_cert_list_,
                          &verify_result);
 
       if (IsWeakKeyType(*ee_type) || IsWeakKeyType(*signer_type)) {
         EXPECT_NE(OK, error);
         EXPECT_EQ(CERT_STATUS_WEAK_KEY,
                   verify_result.cert_status & CERT_STATUS_WEAK_KEY);
-        EXPECT_NE(CERT_STATUS_INVALID,
+        EXPECT_EQ(WeakKeysAreInvalid() ? CERT_STATUS_INVALID : 0,
                   verify_result.cert_status & CERT_STATUS_INVALID);
       } else {
         EXPECT_THAT(error, IsOk());
         EXPECT_EQ(0U, verify_result.cert_status & CERT_STATUS_WEAK_KEY);
       }
     }
   }
 }
 
 // Regression test for http://crbug.com/108514.
@@ skipping 1644 matching lines @@
   int flags = 0;
   CertVerifyResult verify_result;
   int error = Verify(cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_,
                      &verify_result);
   EXPECT_EQ(OK, error);
   histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0);
   histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0);
 }
 
 }  // namespace net