Remember if a user declines to provide a server with a client certificate

net/base/ssl_client_auth_cache_unittest.cc

 // Copyright (c) 2009 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/ssl_client_auth_cache.h"
 
 #include "base/time.h"
+#include "net/base/x509_certificate.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 namespace net {
 
 TEST(SSLClientAuthCacheTest, LookupAddRemove) {
   SSLClientAuthCache cache;
 
   base::Time start_date = base::Time::Now();
   base::Time expiration_date = start_date + base::TimeDelta::FromDays(1);
 
   std::string server1("foo1:443");
   scoped_refptr<X509Certificate> cert1(
       new X509Certificate("foo1", "CA", start_date, expiration_date));
 
   std::string server2("foo2:443");
   scoped_refptr<X509Certificate> cert2(
       new X509Certificate("foo2", "CA", start_date, expiration_date));
 
   std::string server3("foo3:443");
   scoped_refptr<X509Certificate> cert3(
     new X509Certificate("foo3", "CA", start_date, expiration_date));
 
+  X509Certificate* cached_cert = NULL;
   // Lookup non-existent client certificate.
-  EXPECT_TRUE(cache.Lookup(server1) == NULL);
+  EXPECT_FALSE(cache.Lookup(server1, &cached_cert));
+  EXPECT_EQ(NULL, cached_cert);
 
   // Add client certificate for server1.
   cache.Add(server1, cert1.get());
-  EXPECT_EQ(cert1.get(), cache.Lookup(server1));
+  EXPECT_TRUE(cache.Lookup(server1, &cached_cert));
+  EXPECT_EQ(cert1.get(), cached_cert);
 
   // Add client certificate for server2.
   cache.Add(server2, cert2.get());
-  EXPECT_EQ(cert1.get(), cache.Lookup(server1));
-  EXPECT_EQ(cert2.get(), cache.Lookup(server2));
+  EXPECT_TRUE(cache.Lookup(server1, &cached_cert));
+  EXPECT_EQ(cert1.get(), cached_cert);
+  EXPECT_TRUE(cache.Lookup(server2, &cached_cert));
+  EXPECT_EQ(cert2.get(), cached_cert);
 
   // Overwrite the client certificate for server1.
   cache.Add(server1, cert3.get());
-  EXPECT_EQ(cert3.get(), cache.Lookup(server1));
-  EXPECT_EQ(cert2.get(), cache.Lookup(server2));
+  EXPECT_TRUE(cache.Lookup(server1, &cached_cert));
+  EXPECT_EQ(cert3.get(), cached_cert);
+  EXPECT_TRUE(cache.Lookup(server2, &cached_cert));
+  EXPECT_EQ(cert2.get(), cached_cert);
 
   // Remove client certificate of server1.
   cache.Remove(server1);
-  EXPECT_TRUE(cache.Lookup(server1) == NULL);
-  EXPECT_EQ(cert2.get(), cache.Lookup(server2));
+  EXPECT_FALSE(cache.Lookup(server1, &cached_cert));
+  EXPECT_EQ(NULL, cached_cert);
+  EXPECT_TRUE(cache.Lookup(server2, &cached_cert));
+  EXPECT_EQ(cert2.get(), cached_cert);
 
   // Remove non-existent client certificate.
   cache.Remove(server1);
-  EXPECT_TRUE(cache.Lookup(server1) == NULL);
-  EXPECT_EQ(cert2.get(), cache.Lookup(server2));
+  EXPECT_FALSE(cache.Lookup(server1, &cached_cert));
+  EXPECT_EQ(NULL, cached_cert);
+  EXPECT_TRUE(cache.Lookup(server2, &cached_cert));
+  EXPECT_EQ(cert2.get(), cached_cert);
 }
 
 // Check that if the server differs only by port number, it is considered
 // a separate server.
 TEST(SSLClientAuthCacheTest, LookupWithPort) {
   SSLClientAuthCache cache;
 
   base::Time start_date = base::Time::Now();
   base::Time expiration_date = start_date + base::TimeDelta::FromDays(1);
 
   std::string server1("foo:443");
   scoped_refptr<X509Certificate> cert1(
       new X509Certificate("foo", "CA", start_date, expiration_date));
 
   std::string server2("foo:8443");
   scoped_refptr<X509Certificate> cert2(
       new X509Certificate("foo", "CA", start_date, expiration_date));
 
   cache.Add(server1, cert1.get());
   cache.Add(server2, cert2.get());
 
-  EXPECT_EQ(cert1.get(), cache.Lookup(server1));
-  EXPECT_EQ(cert2.get(), cache.Lookup(server2));
+  X509Certificate* cached_cert = NULL;
+  EXPECT_TRUE(cache.Lookup(server1, &cached_cert));
+  EXPECT_EQ(cert1.get(), cached_cert);
+  EXPECT_TRUE(cache.Lookup(server2, &cached_cert));
+  EXPECT_EQ(cert2.get(), cached_cert);
+}
+
+// Check that the a NULL certificate, indicating the user has declined to send
+// a certificate, is properly cached.
+TEST(SSLClientAuthCacheTest, LookupNullPreference) {
+  SSLClientAuthCache cache;
+  base::Time start_date = base::Time::Now();
+  base::Time expiration_date = start_date + base::TimeDelta::FromDays(1);
+
+  std::string server1("foo:443");
+  scoped_refptr<X509Certificate> cert1(
+      new X509Certificate("foo", "CA", start_date, expiration_date));
+
+  cache.Add(server1, NULL);
+
+  X509Certificate* cached_cert = cert1.get();
+  // Make sure that |cached_cert| is updated to NULL, indicating the user
+  // declined to send a certificate to |server1|.
+  EXPECT_TRUE(cache.Lookup(server1, &cached_cert));
+  EXPECT_EQ(NULL, cached_cert);
+
+  // Remove the existing cached certificate. Make sure that |cached_cert|
+  // is still updated to NULL, but that Lookup() returns false.
+  cache.Remove(server1);
+  cached_cert = cert1.get();
+  EXPECT_FALSE(cache.Lookup(server1, &cached_cert));
+  EXPECT_EQ(NULL, cached_cert);
+
+  // Add a new preference for a specific certificate.
+  cache.Add(server1, cert1.get());
+  EXPECT_TRUE(cache.Lookup(server1, &cached_cert));
+  EXPECT_EQ(cert1.get(), cached_cert);
+
+  // Replace the specific preference with a NULL certificate.
+  cache.Add(server1, NULL);
+  EXPECT_TRUE(cache.Lookup(server1, &cached_cert));
+  EXPECT_EQ(NULL, cached_cert);
 }
 
 }  // namespace net