Update PKITs test data to include "user_constrained_policy_set".

net/cert/internal/verify_certificate_chain_pkits_unittest.cc

 // Copyright 2016 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/internal/verify_certificate_chain.h"
 
 #include "net/cert/internal/parsed_certificate.h"
 #include "net/cert/internal/signature_policy.h"
 #include "net/cert/internal/trust_store.h"
 #include "net/der/input.h"
@@ skipping 29 matching lines @@
   DISABLED_Section7InvalidkeyUsageNotCriticalcRLSignFalseTest5
 
 #include "net/cert/internal/nist_pkits_unittest.h"
 
 namespace net {
 
 namespace {
 
 class VerifyCertificateChainPkitsTestDelegate {
  public:
-  static bool Verify(std::vector<std::string> cert_ders,
-                     std::vector<std::string> crl_ders,
-                     const PkitsTestSettings& settings) {
-    if (cert_ders.empty()) {
-      ADD_FAILURE() << "cert_ders is empty";
-      return false;
-    }
+  static void RunTest(std::vector<std::string> cert_ders,
+                      std::vector<std::string> crl_ders,
+                      const PkitsTestInfo& info) {
+    ASSERT_FALSE(cert_ders.empty());
 
     // PKITS lists chains from trust anchor to target, whereas
     // VerifyCertificateChain takes them starting with the target and ending
     // with the trust anchor.
     std::vector<scoped_refptr<net::ParsedCertificate>> input_chain;
     CertErrors parsing_errors;
     for (auto i = cert_ders.rbegin(); i != cert_ders.rend(); ++i) {
-      if (!net::ParsedCertificate::CreateAndAddToVector(
-              bssl::UniquePtr<CRYPTO_BUFFER>(
-                  CRYPTO_BUFFER_new(reinterpret_cast<const uint8_t*>(i->data()),
-                                    i->size(), nullptr)),
-              {}, &input_chain, &parsing_errors)) {
-        ADD_FAILURE() << "Cert failed to parse:\n"
-                      << parsing_errors.ToDebugString();
-        return false;
-      }
+      ASSERT_TRUE(net::ParsedCertificate::CreateAndAddToVector(
+          bssl::UniquePtr<CRYPTO_BUFFER>(CRYPTO_BUFFER_new(
+              reinterpret_cast<const uint8_t*>(i->data()), i->size(), nullptr)),
+          {}, &input_chain, &parsing_errors))
+          << parsing_errors.ToDebugString();
     }
 
     SimpleSignaturePolicy signature_policy(1024);
 
-    // Run all tests at the time the PKITS was published.
-    der::GeneralizedTime time = {2011, 4, 15, 0, 0, 0};
-
     CertPathErrors path_errors;
     VerifyCertificateChain(input_chain, CertificateTrust::ForTrustAnchor(),
-                           &signature_policy, time, KeyPurpose::ANY_EKU,
+                           &signature_policy, info.time, KeyPurpose::ANY_EKU,
                            &path_errors);
+    bool did_succeed = !path_errors.ContainsHighSeverityErrors();
 
     //  TODO(crbug.com/634443): Test errors on failure?
-    return !path_errors.ContainsHighSeverityErrors();
+    if (info.should_validate != did_succeed) {
+      ASSERT_EQ(info.should_validate, did_succeed)
+          << path_errors.ToDebugString(input_chain);
+    }
   }
 };
 
 }  // namespace
 
 class PkitsTest01SignatureVerificationCustom
     : public PkitsTest<VerifyCertificateChainPkitsTestDelegate> {};
 
 // Modified version of 4.1.4 Valid DSA Signatures Test4
 TEST_F(PkitsTest01SignatureVerificationCustom,
        Section1ValidDSASignaturesTest4Custom) {
   const char* const certs[] = {"TrustAnchorRootCertificate", "DSACACert",
                                "ValidDSASignaturesTest4EE"};
   const char* const crls[] = {"TrustAnchorRootCRL", "DSACACRL"};
   // DSA signatures are intentionally unsupported.
-  ASSERT_FALSE(this->Verify(certs, crls, {}));
+  PkitsTestInfo info;
+  info.should_validate = false;
+
+  this->RunTest(certs, crls, info);
 }
 
 // Modified version of 4.1.5 Valid DSA Parameter Inheritance Test5
 TEST_F(PkitsTest01SignatureVerificationCustom,
        Section1ValidDSAParameterInheritanceTest5Custom) {
   const char* const certs[] = {"TrustAnchorRootCertificate", "DSACACert",
                                "DSAParametersInheritedCACert",
                                "ValidDSAParameterInheritanceTest5EE"};
   const char* const crls[] = {"TrustAnchorRootCRL", "DSACACRL",
                               "DSAParametersInheritedCACRL"};
   // DSA signatures are intentionally unsupported.
-  ASSERT_FALSE(this->Verify(certs, crls, {}));
+  PkitsTestInfo info;
+  info.should_validate = false;
+
+  this->RunTest(certs, crls, info);
 }
 
 class PkitsTest13SignatureVerificationCustom
     : public PkitsTest<VerifyCertificateChainPkitsTestDelegate> {};
 
 // Modified version of 4.13.21 Valid RFC822 nameConstraints Test21
 TEST_F(PkitsTest13SignatureVerificationCustom,
        Section13ValidRFC822nameConstraintsTest21Custom) {
   const char* const certs[] = {"TrustAnchorRootCertificate",
                                "nameConstraintsRFC822CA1Cert",
                                "ValidRFC822nameConstraintsTest21EE"};
   const char* const crls[] = {"TrustAnchorRootCRL",
                               "nameConstraintsRFC822CA1CRL"};
   // Name constraints on rfc822Names are not supported.
-  ASSERT_FALSE(this->Verify(certs, crls, {}));
+  PkitsTestInfo info;
+  info.should_validate = false;
+
+  this->RunTest(certs, crls, info);
 }
 
 // Modified version of 4.13.23 Valid RFC822 nameConstraints Test23
 TEST_F(PkitsTest13SignatureVerificationCustom,
        Section13ValidRFC822nameConstraintsTest23Custom) {
   const char* const certs[] = {"TrustAnchorRootCertificate",
                                "nameConstraintsRFC822CA2Cert",
                                "ValidRFC822nameConstraintsTest23EE"};
   const char* const crls[] = {"TrustAnchorRootCRL",
                               "nameConstraintsRFC822CA2CRL"};
   // Name constraints on rfc822Names are not supported.
-  ASSERT_FALSE(this->Verify(certs, crls, {}));
+  PkitsTestInfo info;
+  info.should_validate = false;
+
+  this->RunTest(certs, crls, info);
 }
 
 // Modified version of 4.13.25 Valid RFC822 nameConstraints Test25
 TEST_F(PkitsTest13SignatureVerificationCustom,
        Section13ValidRFC822nameConstraintsTest25Custom) {
   const char* const certs[] = {"TrustAnchorRootCertificate",
                                "nameConstraintsRFC822CA3Cert",
                                "ValidRFC822nameConstraintsTest25EE"};
   const char* const crls[] = {"TrustAnchorRootCRL",
                               "nameConstraintsRFC822CA3CRL"};
   // Name constraints on rfc822Names are not supported.
-  ASSERT_FALSE(this->Verify(certs, crls, {}));
+  PkitsTestInfo info;
+  info.should_validate = false;
+
+  this->RunTest(certs, crls, info);
 }
 
 // Modified version of 4.13.27 Valid DN and RFC822 nameConstraints Test27
 TEST_F(PkitsTest13SignatureVerificationCustom,
        Section13ValidDNandRFC822nameConstraintsTest27Custom) {
   const char* const certs[] = {"TrustAnchorRootCertificate",
                                "nameConstraintsDN1CACert",
                                "nameConstraintsDN1subCA3Cert",
                                "ValidDNandRFC822nameConstraintsTest27EE"};
   const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsDN1CACRL",
                               "nameConstraintsDN1subCA3CRL"};
   // Name constraints on rfc822Names are not supported.
-  ASSERT_FALSE(this->Verify(certs, crls, {}));
+  PkitsTestInfo info;
+  info.should_validate = false;
+
+  this->RunTest(certs, crls, info);
 }
 
 // Modified version of 4.13.34 Valid URI nameConstraints Test34
 TEST_F(PkitsTest13SignatureVerificationCustom,
        Section13ValidURInameConstraintsTest34Custom) {
   const char* const certs[] = {"TrustAnchorRootCertificate",
                                "nameConstraintsURI1CACert",
                                "ValidURInameConstraintsTest34EE"};
   const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsURI1CACRL"};
   // Name constraints on uniformResourceIdentifiers are not supported.
-  ASSERT_FALSE(this->Verify(certs, crls, {}));
+  PkitsTestInfo info;
+  info.should_validate = false;
+
+  this->RunTest(certs, crls, info);
 }
 
 // Modified version of 4.13.36 Valid URI nameConstraints Test36
 TEST_F(PkitsTest13SignatureVerificationCustom,
        Section13ValidURInameConstraintsTest36Custom) {
   const char* const certs[] = {"TrustAnchorRootCertificate",
                                "nameConstraintsURI2CACert",
                                "ValidURInameConstraintsTest36EE"};
   const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsURI2CACRL"};
   // Name constraints on uniformResourceIdentifiers are not supported.
-  ASSERT_FALSE(this->Verify(certs, crls, {}));
+  PkitsTestInfo info;
+  info.should_validate = false;
+
+  this->RunTest(certs, crls, info);
 }
 
 INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain,
                               PkitsTest01SignatureVerification,
                               VerifyCertificateChainPkitsTestDelegate);
 INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain,
                               PkitsTest02ValidityPeriods,
                               VerifyCertificateChainPkitsTestDelegate);
 INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain,
                               PkitsTest03VerifyingNameChaining,
@@ skipping 13 matching lines @@
 
 // TODO(mattm): CRL support: PkitsTest04BasicCertificateRevocationTests,
 // PkitsTest05VerifyingPathswithSelfIssuedCertificates,
 // PkitsTest14DistributionPoints, PkitsTest15DeltaCRLs
 
 // TODO(mattm): Certificate Policies support: PkitsTest08CertificatePolicies,
 // PkitsTest09RequireExplicitPolicy PkitsTest10PolicyMappings,
 // PkitsTest11InhibitPolicyMapping, PkitsTest12InhibitAnyPolicy
 
 }  // namespace net