
Unified Diff: net/cert/internal/verify_certificate_chain_pkits_unittest.cc

Issue 2918913002: Add path validation error expectations for PKITS tests. (Closed)
Patch Set: Address Matt's comments Created 3 years, 7 months ago
Index: net/cert/internal/verify_certificate_chain_pkits_unittest.cc
diff --git a/net/cert/internal/verify_certificate_chain_pkits_unittest.cc b/net/cert/internal/verify_certificate_chain_pkits_unittest.cc
index f86e1e9ec40aba0ab2032f7237d4872564c386c6..1c342daf61221edf36bae281cba777994692507f 100644
--- a/net/cert/internal/verify_certificate_chain_pkits_unittest.cc
+++ b/net/cert/internal/verify_certificate_chain_pkits_unittest.cc
@@ -10,29 +10,6 @@
#include "net/der/input.h"
#include "third_party/boringssl/src/include/openssl/pool.h"
-// Disable tests that require DSA signatures (DSA signatures are intentionally
-// unsupported). Custom versions of the DSA tests are defined below which expect
-// verification to fail.
-#define Section1ValidDSASignaturesTest4 DISABLED_Section1ValidDSASignaturesTest4
-#define Section1ValidDSAParameterInheritanceTest5 \
- DISABLED_Section1ValidDSAParameterInheritanceTest5
-
-// Disable tests that require name constraints with name types that are
-// intentionally unsupported. Custom versions of the tests are defined below
-// which expect verification to fail.
-#define Section13ValidRFC822nameConstraintsTest21 \
- DISABLED_Section13ValidRFC822nameConstraintsTest21
-#define Section13ValidRFC822nameConstraintsTest23 \
- DISABLED_Section13ValidRFC822nameConstraintsTest23
-#define Section13ValidRFC822nameConstraintsTest25 \
- DISABLED_Section13ValidRFC822nameConstraintsTest25
-#define Section13ValidDNandRFC822nameConstraintsTest27 \
- DISABLED_Section13ValidDNandRFC822nameConstraintsTest27
-#define Section13ValidURInameConstraintsTest34 \
- DISABLED_Section13ValidURInameConstraintsTest34
-#define Section13ValidURInameConstraintsTest36 \
- DISABLED_Section13ValidURInameConstraintsTest36
-
// TODO(mattm): these require CRL support:
#define Section7InvalidkeyUsageCriticalcRLSignFalseTest4 \
DISABLED_Section7InvalidkeyUsageCriticalcRLSignFalseTest4
@@ -78,141 +55,32 @@ class VerifyCertificateChainPkitsTestDelegate {
&path_errors);
bool did_succeed = !path_errors.ContainsHighSeverityErrors();
+ EXPECT_EQ(info.should_validate, did_succeed);
EXPECT_EQ(info.user_constrained_policy_set, user_constrained_policy_set);
- // TODO(crbug.com/634443): Test errors on failure?
- if (info.should_validate != did_succeed) {
- ASSERT_EQ(info.should_validate, did_succeed)
- << path_errors.ToDebugString(input_chain);
+ // Check that the errors match expectations. The errors are saved in a
+ // parallel file, as they don't apply generically to the third_party
+ // PKITS data.
+ if (!info.should_validate && !did_succeed) {
+ std::string errors_file_path =
+ std::string(
+ "net/data/verify_certificate_chain_unittest/pkits_errors/") +
+ info.test_number + std::string(".txt");
+
+ std::string expected_errors = ReadTestFileToString(errors_file_path);
+
+ // Check that the errors match.
+ VerifyCertPathErrors(expected_errors, path_errors, input_chain,
+ errors_file_path);
+ } else if (!did_succeed) {
+ // If it failed and wasn't supposed to fail, print the errors.
+ EXPECT_EQ("", path_errors.ToDebugString(input_chain));
}
}
};
} // namespace
-class PkitsTest01SignatureVerificationCustom
- : public PkitsTest<VerifyCertificateChainPkitsTestDelegate> {};
-
-// Modified version of 4.1.4 Valid DSA Signatures Test4
-TEST_F(PkitsTest01SignatureVerificationCustom,
- Section1ValidDSASignaturesTest4Custom) {
- const char* const certs[] = {"TrustAnchorRootCertificate", "DSACACert",
- "ValidDSASignaturesTest4EE"};
- const char* const crls[] = {"TrustAnchorRootCRL", "DSACACRL"};
- // DSA signatures are intentionally unsupported.
- PkitsTestInfo info;
- info.should_validate = false;
-
- this->RunTest(certs, crls, info);
-}
-
-// Modified version of 4.1.5 Valid DSA Parameter Inheritance Test5
-TEST_F(PkitsTest01SignatureVerificationCustom,
- Section1ValidDSAParameterInheritanceTest5Custom) {
- const char* const certs[] = {"TrustAnchorRootCertificate", "DSACACert",
- "DSAParametersInheritedCACert",
- "ValidDSAParameterInheritanceTest5EE"};
- const char* const crls[] = {"TrustAnchorRootCRL", "DSACACRL",
- "DSAParametersInheritedCACRL"};
- // DSA signatures are intentionally unsupported.
- PkitsTestInfo info;
- info.should_validate = false;
-
- this->RunTest(certs, crls, info);
-}
-
-class PkitsTest13SignatureVerificationCustom
- : public PkitsTest<VerifyCertificateChainPkitsTestDelegate> {};
-
-// Modified version of 4.13.21 Valid RFC822 nameConstraints Test21
-TEST_F(PkitsTest13SignatureVerificationCustom,
- Section13ValidRFC822nameConstraintsTest21Custom) {
- const char* const certs[] = {"TrustAnchorRootCertificate",
- "nameConstraintsRFC822CA1Cert",
- "ValidRFC822nameConstraintsTest21EE"};
- const char* const crls[] = {"TrustAnchorRootCRL",
- "nameConstraintsRFC822CA1CRL"};
- // Name constraints on rfc822Names are not supported.
- PkitsTestInfo info;
- info.should_validate = false;
-
- this->RunTest(certs, crls, info);
-}
-
-// Modified version of 4.13.23 Valid RFC822 nameConstraints Test23
-TEST_F(PkitsTest13SignatureVerificationCustom,
- Section13ValidRFC822nameConstraintsTest23Custom) {
- const char* const certs[] = {"TrustAnchorRootCertificate",
- "nameConstraintsRFC822CA2Cert",
- "ValidRFC822nameConstraintsTest23EE"};
- const char* const crls[] = {"TrustAnchorRootCRL",
- "nameConstraintsRFC822CA2CRL"};
- // Name constraints on rfc822Names are not supported.
- PkitsTestInfo info;
- info.should_validate = false;
-
- this->RunTest(certs, crls, info);
-}
-
-// Modified version of 4.13.25 Valid RFC822 nameConstraints Test25
-TEST_F(PkitsTest13SignatureVerificationCustom,
- Section13ValidRFC822nameConstraintsTest25Custom) {
- const char* const certs[] = {"TrustAnchorRootCertificate",
- "nameConstraintsRFC822CA3Cert",
- "ValidRFC822nameConstraintsTest25EE"};
- const char* const crls[] = {"TrustAnchorRootCRL",
- "nameConstraintsRFC822CA3CRL"};
- // Name constraints on rfc822Names are not supported.
- PkitsTestInfo info;
- info.should_validate = false;
-
- this->RunTest(certs, crls, info);
-}
-
-// Modified version of 4.13.27 Valid DN and RFC822 nameConstraints Test27
-TEST_F(PkitsTest13SignatureVerificationCustom,
- Section13ValidDNandRFC822nameConstraintsTest27Custom) {
- const char* const certs[] = {"TrustAnchorRootCertificate",
- "nameConstraintsDN1CACert",
- "nameConstraintsDN1subCA3Cert",
- "ValidDNandRFC822nameConstraintsTest27EE"};
- const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsDN1CACRL",
- "nameConstraintsDN1subCA3CRL"};
- // Name constraints on rfc822Names are not supported.
- PkitsTestInfo info;
- info.should_validate = false;
-
- this->RunTest(certs, crls, info);
-}
-
-// Modified version of 4.13.34 Valid URI nameConstraints Test34
-TEST_F(PkitsTest13SignatureVerificationCustom,
- Section13ValidURInameConstraintsTest34Custom) {
- const char* const certs[] = {"TrustAnchorRootCertificate",
- "nameConstraintsURI1CACert",
- "ValidURInameConstraintsTest34EE"};
- const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsURI1CACRL"};
- // Name constraints on uniformResourceIdentifiers are not supported.
- PkitsTestInfo info;
- info.should_validate = false;
-
- this->RunTest(certs, crls, info);
-}
-
-// Modified version of 4.13.36 Valid URI nameConstraints Test36
-TEST_F(PkitsTest13SignatureVerificationCustom,
- Section13ValidURInameConstraintsTest36Custom) {
- const char* const certs[] = {"TrustAnchorRootCertificate",
- "nameConstraintsURI2CACert",
- "ValidURInameConstraintsTest36EE"};
- const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsURI2CACRL"};
- // Name constraints on uniformResourceIdentifiers are not supported.
- PkitsTestInfo info;
- info.should_validate = false;
-
- this->RunTest(certs, crls, info);
-}
-
INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain,
PkitsTest01SignatureVerification,
VerifyCertificateChainPkitsTestDelegate);
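Review bot: The outcome that matters most for a path validator, a chain PKITS marks invalid being accepted (`!info.should_validate && did_succeed`), falls through both branches of the new `if`/`else if`. It is reported only by the bare `EXPECT_EQ(info.should_validate, did_succeed);`, with no path-error context and no vector number. Consider `EXPECT_EQ(info.should_validate, did_succeed) << "PKITS test " << info.test_number;` so an unexpected acceptance can be traced straight to its vector and its expectations file. The removed `...Custom` tests also carried the rationale that DSA signatures and rfc822Name/URI name constraints are rejected on purpose; where that expectation is now recorded is not visible in this hunk, so a short comment next to the error-file check naming that location would keep the intent discoverable. The enclosing test method begins above the hunk, so this is based only on the lines shown.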