[Nearby] Add private cert crypto methods to the cert manager interface

The private certificate needs to track the salts it uses to encrypt the metadata key. We need to ensure that storage is updated when EncryptMetadataKey() is called. We perform all private certificate operations via certificate manager methods, never returning a private certificate to the user. The certificate manager is responsible for internally updating its storage when necessary. Fixed: b/166473931, 1121443 Change-Id: I90fd432eed32bb9d0a1437a94c8615d1c816f0c7 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2417550Reviewed-by: James Vecore <vecore@google.com> Commit-Queue: Josh Nohle <nohle@chromium.org> Cr-Commit-Position: refs/heads/master@{#808648}

[Nearby] Add private cert crypto methods to the cert manager interface
The private certificate needs to track the salts it uses to encrypt the metadata key. We need to ensure that storage is updated when EncryptMetadataKey() is called. We perform all private certificate operations via certificate manager methods, never returning a private certificate to the user. The certificate manager is responsible for internally updating its storage when necessary. Fixed: b/166473931, 1121443 Change-Id: I90fd432eed32bb9d0a1437a94c8615d1c816f0c7 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2417550Reviewed-by: James Vecore <vecore@google.com> Commit-Queue: Josh Nohle <nohle@chromium.org> Cr-Commit-Position: refs/heads/master@{#808648}
2f4b11f4 · Josh Nohle · Commit Bot · 9448cc7f · 2f4b11f4 · 2f4b11f4
Commit 2f4b11f4 authored Sep 19, 2020 by Josh Nohle Committed by Commit Bot Sep 19, 2020
10 changed files
--- a/chrome/browser/nearby_sharing/certificates/fake_nearby_share_certificate_manager.cc
+++ b/chrome/browser/nearby_sharing/certificates/fake_nearby_share_certificate_manager.cc
@@ -50,13 +50,6 @@ FakeNearbyShareCertificateManager::FakeNearbyShareCertificateManager() =
 FakeNearbyShareCertificateManager::~FakeNearbyShareCertificateManager() =
    default;
-NearbySharePrivateCertificate
-FakeNearbyShareCertificateManager::GetValidPrivateCertificate(
-    nearby_share::mojom::Visibility visibility) {
-  ++num_get_valid_private_certificate_calls_;
-  return GetNearbyShareTestPrivateCertificate(visibility);
-}
 std::vector<nearbyshare::proto::PublicCertificate>
 FakeNearbyShareCertificateManager::GetPrivateCertificatesAsPublicCertificates(
    nearby_share::mojom::Visibility visibility) {
@@ -78,3 +71,12 @@ void FakeNearbyShareCertificateManager::DownloadPublicCertificates() {
 void FakeNearbyShareCertificateManager::OnStart() {}
 void FakeNearbyShareCertificateManager::OnStop() {}
+base::Optional<NearbySharePrivateCertificate>
+FakeNearbyShareCertificateManager::GetValidPrivateCertificate(
+    nearby_share::mojom::Visibility visibility) const {
+  return GetNearbyShareTestPrivateCertificate(visibility);
+}
+void FakeNearbyShareCertificateManager::UpdatePrivateCertificateInStorage(
+    const NearbySharePrivateCertificate& private_certificate) {}
--- a/chrome/browser/nearby_sharing/certificates/fake_nearby_share_certificate_manager.h
+++ b/chrome/browser/nearby_sharing/certificates/fake_nearby_share_certificate_manager.h
@@ -72,8 +72,6 @@ class FakeNearbyShareCertificateManager : public NearbyShareCertificateManager {
  ~FakeNearbyShareCertificateManager() override;
  // NearbyShareCertificateManager:
-  NearbySharePrivateCertificate GetValidPrivateCertificate(
-      nearby_share::mojom::Visibility visibility) override;
  std::vector<nearbyshare::proto::PublicCertificate>
  GetPrivateCertificatesAsPublicCertificates(
      nearby_share::mojom::Visibility visibility) override;
@@ -86,10 +84,6 @@ class FakeNearbyShareCertificateManager : public NearbyShareCertificateManager {
  using NearbyShareCertificateManager::NotifyPrivateCertificatesChanged;
  using NearbyShareCertificateManager::NotifyPublicCertificatesDownloaded;
-  size_t num_get_valid_private_certificate_calls() {
-    return num_get_valid_private_certificate_calls_;
-  }
  size_t num_get_private_certificates_as_public_certificates_calls() {
    return num_get_private_certificates_as_public_certificates_calls_;
  }
@@ -107,8 +101,11 @@ class FakeNearbyShareCertificateManager : public NearbyShareCertificateManager {
  // NearbyShareCertificateManager:
  void OnStart() override;
  void OnStop() override;
+  base::Optional<NearbySharePrivateCertificate> GetValidPrivateCertificate(
+      nearby_share::mojom::Visibility visibility) const override;
+  void UpdatePrivateCertificateInStorage(
+      const NearbySharePrivateCertificate& private_certificate) override;
-  size_t num_get_valid_private_certificate_calls_ = 0;
  size_t num_get_private_certificates_as_public_certificates_calls_ = 0;
  size_t num_download_public_certificates_calls_ = 0;
  std::vector<GetDecryptedPublicCertificateCall>

--- a/chrome/browser/nearby_sharing/certificates/nearby_share_certificate_manager.cc
+++ b/chrome/browser/nearby_sharing/certificates/nearby_share_certificate_manager.cc
@@ -32,6 +32,49 @@ void NearbyShareCertificateManager::Stop() {
  OnStop();
 }
+base::Optional<NearbyShareEncryptedMetadataKey>
+NearbyShareCertificateManager::EncryptPrivateCertificateMetadataKey(
+    nearby_share::mojom::Visibility visibility) {
+  base::Optional<NearbySharePrivateCertificate> cert =
+      GetValidPrivateCertificate(visibility);
+  if (!cert)
+    return base::nullopt;
+  base::Optional<NearbyShareEncryptedMetadataKey> encrypted_key =
+      cert->EncryptMetadataKey();
+  // Every salt consumed to encrypt the metadata encryption key is tracked by
+  // the NearbySharePrivateCertificate. Update the private certificate in
+  // storage to reflect the new list of consumed salts.
+  UpdatePrivateCertificateInStorage(*cert);
+  return encrypted_key;
+}
+base::Optional<std::vector<uint8_t>>
+NearbyShareCertificateManager::SignWithPrivateCertificate(
+    nearby_share::mojom::Visibility visibility,
+    base::span<const uint8_t> payload) const {
+  base::Optional<NearbySharePrivateCertificate> cert =
+      GetValidPrivateCertificate(visibility);
+  if (!cert)
+    return base::nullopt;
+  return cert->Sign(payload);
+}
+base::Optional<std::vector<uint8_t>>
+NearbyShareCertificateManager::HashAuthenticationTokenWithPrivateCertificate(
+    nearby_share::mojom::Visibility visibility,
+    base::span<const uint8_t> authentication_token) const {
+  base::Optional<NearbySharePrivateCertificate> cert =
+      GetValidPrivateCertificate(visibility);
+  if (!cert)
+    return base::nullopt;
+  return cert->HashAuthenticationToken(authentication_token);
+}
 void NearbyShareCertificateManager::NotifyPublicCertificatesDownloaded() {
  for (auto& observer : observers_)
    observer.OnPublicCertificatesDownloaded();

--- a/chrome/browser/nearby_sharing/certificates/nearby_share_certificate_manager.h
+++ b/chrome/browser/nearby_sharing/certificates/nearby_share_certificate_manager.h
@@ -8,6 +8,7 @@
 #include <vector>
 #include "base/callback.h"
+#include "base/containers/span.h"
 #include "base/observer_list.h"
 #include "base/observer_list_types.h"
 #include "base/optional.h"
@@ -20,12 +21,20 @@
 // The Nearby Share certificate manager maintains the local device's private
 // certificates and contacts' public certificates. The manager communicates with
 // the Nearby server to 1) download contacts' public certificates and 2) upload
-// local device public certificates to be distributed to contacts. All crypto
+// local device public certificates to be distributed to contacts.
-// operations are performed by the private/public certificate classes. Access
+//
-// the relevant certificates here, then perform the necessary operations, such
+// The class contatins methods for performing crypto operations with the
-// as signing/verifying a payload or generating an encrypted metadata key for an
+// currently valid private certificate of a given visibility, such as signing a
-// advertisement using the certificate class. Observers are notified of any
+// payload or generating an encrypted metadata key for an advertisement. For
-// changes to private/public certificates.
+// crypto operations related to public certificates, such as verifying a
+// payload, find and decrypt the relevant certificate with
+// DecryptPublicCertificate(), then use the
+// NearbyShareDecryptedPublicCertificate class to perform the crypto operations.
+// NOTE: The NearbySharePrivateCertificate class is not directly returned
+// because storage needs to be update whenever salts are consumed for metadata
+// key encryption.
+//
+// Observers are notified of any changes to private/public certificates.
 class NearbyShareCertificateManager {
 public:
  class Observer : public base::CheckedObserver {
@@ -48,10 +57,28 @@ class NearbyShareCertificateManager {
  void Stop();
  bool is_running() { return is_running_; }
-  // Returns the currently valid private certificate with |visibility|.
+  // Encrypts the metadata encryption key of the currently valid private
-  // TODO(crbug.com/1106369): Use common visibility enum.
+  // certificate with |visibility|. Returns base::nullopt if there is no valid
-  virtual NearbySharePrivateCertificate GetValidPrivateCertificate(
+  // private certificate with |visibility|, if the encryption failed, or if
-      nearby_share::mojom::Visibility visibility) = 0;
+  // there are no remaining salts.
+  base::Optional<NearbyShareEncryptedMetadataKey>
+  EncryptPrivateCertificateMetadataKey(
+      nearby_share::mojom::Visibility visibility);
+  // Signs the input |payload| using the currently valid private certificate
+  // with |visibility|. Returns base::nullopt if there is no valid private
+  // certificate with |visibility| or if the signing was unsuccessful.
+  base::Optional<std::vector<uint8_t>> SignWithPrivateCertificate(
+      nearby_share::mojom::Visibility visibility,
+      base::span<const uint8_t> payload) const;
+  // Creates a hash of the |authentication_token| using the currently valid
+  // private certificate. Returns base::nullopt if there is no valid private
+  // certificate with |visibility|.
+  base::Optional<std::vector<uint8_t>>
+  HashAuthenticationTokenWithPrivateCertificate(
+      nearby_share::mojom::Visibility visibility,
+      base::span<const uint8_t> authentication_token) const;
  // Returns all local device private certificates of |visibility| converted to
  // public certificates. The public certificates' for_selected_contacts fields
@@ -80,6 +107,17 @@ class NearbyShareCertificateManager {
  virtual void OnStart() = 0;
  virtual void OnStop() = 0;
+  // Returns the currently valid private certificate with |visibility|, or
+  // returns base::nullopt if one does not exist.
+  virtual base::Optional<NearbySharePrivateCertificate>
+  GetValidPrivateCertificate(
+      nearby_share::mojom::Visibility visibility) const = 0;
+  // Updates the existing record for |private_certificate|. If no such record
+  // exists, this function does nothing.
+  virtual void UpdatePrivateCertificateInStorage(
+      const NearbySharePrivateCertificate& private_certificate) = 0;
  void NotifyPublicCertificatesDownloaded();
  void NotifyPrivateCertificatesChanged();

--- a/chrome/browser/nearby_sharing/certificates/nearby_share_certificate_manager_impl.cc
+++ b/chrome/browser/nearby_sharing/certificates/nearby_share_certificate_manager_impl.cc
@@ -278,28 +278,6 @@ NearbyShareCertificateManagerImpl::~NearbyShareCertificateManagerImpl() {
  contact_manager_->RemoveObserver(this);
 }
-NearbySharePrivateCertificate
-NearbyShareCertificateManagerImpl::GetValidPrivateCertificate(
-    nearby_share::mojom::Visibility visibility) {
-  std::vector<NearbySharePrivateCertificate> certs =
-      *certificate_storage_->GetPrivateCertificates();
-  for (auto& cert : certs) {
-    if (IsNearbyShareCertificateWithinValidityPeriod(
-            clock_->Now(), cert.not_before(), cert.not_after(),
-            /*use_public_certificate_tolerance=*/false) &&
-        cert.visibility() == visibility) {
-      return std::move(cert);
-    }
-  }
-  NOTREACHED();
-  NS_LOG(ERROR) << __func__
-                << ": No valid private certificate found with visibility "
-                << static_cast<int>(visibility);
-  return NearbySharePrivateCertificate(nearby_share::mojom::Visibility::kNoOne,
-                                       /*not_before=*/base::Time(),
-                                       nearbyshare::proto::EncryptedMetadata());
-}
 std::vector<nearbyshare::proto::PublicCertificate>
 NearbyShareCertificateManagerImpl::GetPrivateCertificatesAsPublicCertificates(
    nearby_share::mojom::Visibility visibility) {
@@ -333,6 +311,31 @@ void NearbyShareCertificateManagerImpl::OnStop() {
  download_public_certificates_scheduler_->Stop();
 }
+base::Optional<NearbySharePrivateCertificate>
+NearbyShareCertificateManagerImpl::GetValidPrivateCertificate(
+    nearby_share::mojom::Visibility visibility) const {
+  base::Optional<std::vector<NearbySharePrivateCertificate>> certs =
+      *certificate_storage_->GetPrivateCertificates();
+  for (auto& cert : *certs) {
+    if (IsNearbyShareCertificateWithinValidityPeriod(
+            clock_->Now(), cert.not_before(), cert.not_after(),
+            /*use_public_certificate_tolerance=*/false) &&
+        cert.visibility() == visibility) {
+      return std::move(cert);
+    }
+  }
+  NS_LOG(WARNING) << __func__
+                  << ": No valid private certificate found with visibility "
+                  << visibility;
+  return base::nullopt;
+}
+void NearbyShareCertificateManagerImpl::UpdatePrivateCertificateInStorage(
+    const NearbySharePrivateCertificate& private_certificate) {
+  certificate_storage_->UpdatePrivateCertificate(private_certificate);
+}
 void NearbyShareCertificateManagerImpl::OnAllowlistChanged(
    bool were_contacts_added_to_allowlist,
    bool were_contacts_removed_from_allowlist) {

--- a/chrome/browser/nearby_sharing/certificates/nearby_share_certificate_manager_impl.h
+++ b/chrome/browser/nearby_sharing/certificates/nearby_share_certificate_manager_impl.h
@@ -56,13 +56,6 @@ class ListPublicCertificatesResponse;
 //   a) the user's contact list has changed, or
 //   b) contacts are removed from the allowlist--relevant to selected-contacts
 //      visibility mode.
-// TODO(b/168022980): Only destroy the private certificates of the relevant
-// visiblity: all-contacts and selected-contacts visibility, respectively.
-//
-// TODO(https://crbug.com/1121443): Add the following if we remove
-// GetValidPrivateCertificate() and perform all private certificate crypto
-// operations internally: "This implementation also provides the high-level
-// interface for performing cryptographic operations related to certificates."
 class NearbyShareCertificateManagerImpl
    : public NearbyShareCertificateManager,
      public NearbyShareContactManager::Observer,
@@ -108,8 +101,6 @@ class NearbyShareCertificateManagerImpl
      const base::Clock* clock);
  // NearbyShareCertificateManager:
-  NearbySharePrivateCertificate GetValidPrivateCertificate(
-      nearby_share::mojom::Visibility visibility) override;
  std::vector<nearbyshare::proto::PublicCertificate>
  GetPrivateCertificatesAsPublicCertificates(
      nearby_share::mojom::Visibility visibility) override;
@@ -119,6 +110,10 @@ class NearbyShareCertificateManagerImpl
  void DownloadPublicCertificates() override;
  void OnStart() override;
  void OnStop() override;
+  base::Optional<NearbySharePrivateCertificate> GetValidPrivateCertificate(
+      nearby_share::mojom::Visibility visibility) const override;
+  void UpdatePrivateCertificateInStorage(
+      const NearbySharePrivateCertificate& private_certificate) override;
  // NearbyShareContactManager::Observer:
  void OnAllowlistChanged(bool were_contacts_added_to_allowlist,

--- a/chrome/browser/nearby_sharing/certificates/nearby_share_certificate_manager_impl_unittest.cc
+++ b/chrome/browser/nearby_sharing/certificates/nearby_share_certificate_manager_impl_unittest.cc
@@ -410,15 +410,92 @@ class NearbyShareCertificateManagerImplTest
  std::unique_ptr<NearbyShareCertificateManager> cert_manager_;
 };
-TEST_F(NearbyShareCertificateManagerImplTest, GetValidPrivateCertificate) {
+TEST_F(NearbyShareCertificateManagerImplTest,
-  cert_store_->ReplacePrivateCertificates(private_certificates_);
+       EncryptPrivateCertificateMetadataKey) {
-  FastForward(kNearbyShareCertificateValidityPeriod * 1.5);
+  // No valid certificates exist.
-  auto cert = cert_manager_->GetValidPrivateCertificate(
+  cert_store_->ReplacePrivateCertificates(
-      nearby_share::mojom::Visibility::kAllContacts);
+      std::vector<NearbySharePrivateCertificate>());
+  EXPECT_FALSE(cert_manager_->EncryptPrivateCertificateMetadataKey(
+      nearby_share::mojom::Visibility::kAllContacts));
+  EXPECT_FALSE(cert_manager_->EncryptPrivateCertificateMetadataKey(
+      nearby_share::mojom::Visibility::kSelectedContacts));
+  // Set up valid all-contacts visibility certificate.
+  NearbySharePrivateCertificate private_certificate =
+      GetNearbyShareTestPrivateCertificate(
+          nearby_share::mojom::Visibility::kAllContacts);
+  cert_store_->ReplacePrivateCertificates({private_certificate});
+  FastForward(GetNearbyShareTestNotBefore() +
+              kNearbyShareCertificateValidityPeriod * 0.5 - Now());
+  // Sanity check that the cert storage is as expected.
+  base::Optional<std::vector<NearbySharePrivateCertificate>> stored_certs =
+      cert_store_->GetPrivateCertificates();
+  EXPECT_EQ(stored_certs->at(0).ToDictionary(),
+            private_certificate.ToDictionary());
+  base::Optional<NearbyShareEncryptedMetadataKey> encrypted_metadata_key =
+      cert_manager_->EncryptPrivateCertificateMetadataKey(
+          nearby_share::mojom::Visibility::kAllContacts);
+  EXPECT_EQ(GetNearbyShareTestEncryptedMetadataKey().encrypted_key(),
+            encrypted_metadata_key->encrypted_key());
+  EXPECT_EQ(GetNearbyShareTestEncryptedMetadataKey().salt(),
+            encrypted_metadata_key->salt());
+  EXPECT_FALSE(cert_manager_->EncryptPrivateCertificateMetadataKey(
+      nearby_share::mojom::Visibility::kSelectedContacts));
+  // Verify that storage is updated when salts are consumed during encryption.
+  EXPECT_NE(cert_store_->GetPrivateCertificates()->at(0).ToDictionary(),
+            private_certificate.ToDictionary());
+  // No valid certificates exist.
+  FastForward(kNearbyShareCertificateValidityPeriod);
+  EXPECT_FALSE(cert_manager_->EncryptPrivateCertificateMetadataKey(
+      nearby_share::mojom::Visibility::kAllContacts));
+  EXPECT_FALSE(cert_manager_->EncryptPrivateCertificateMetadataKey(
+      nearby_share::mojom::Visibility::kSelectedContacts));
+}
+TEST_F(NearbyShareCertificateManagerImplTest, SignWithPrivateCertificate) {
+  NearbySharePrivateCertificate private_certificate =
+      GetNearbyShareTestPrivateCertificate(
+          nearby_share::mojom::Visibility::kAllContacts);
+  cert_store_->ReplacePrivateCertificates({private_certificate});
+  FastForward(GetNearbyShareTestNotBefore() +
+              kNearbyShareCertificateValidityPeriod * 0.5 - Now());
+  // Perform sign/verify roundtrip.
+  EXPECT_TRUE(GetNearbyShareTestDecryptedPublicCertificate().VerifySignature(
+      GetNearbyShareTestPayloadToSign(),
+      *cert_manager_->SignWithPrivateCertificate(
+          nearby_share::mojom::Visibility::kAllContacts,
+          GetNearbyShareTestPayloadToSign())));
+  // No selected-contact visibility certificate in storage.
+  EXPECT_FALSE(cert_manager_->SignWithPrivateCertificate(
+      nearby_share::mojom::Visibility::kSelectedContacts,
+      GetNearbyShareTestPayloadToSign()));
+}
-  EXPECT_EQ(nearby_share::mojom::Visibility::kAllContacts, cert.visibility());
+TEST_F(NearbyShareCertificateManagerImplTest,
-  EXPECT_LE(cert.not_before(), Now());
+       HashAuthenticationTokenWithPrivateCertificate) {
-  EXPECT_LT(Now(), cert.not_after());
+  NearbySharePrivateCertificate private_certificate =
+      GetNearbyShareTestPrivateCertificate(
+          nearby_share::mojom::Visibility::kAllContacts);
+  cert_store_->ReplacePrivateCertificates({private_certificate});
+  FastForward(GetNearbyShareTestNotBefore() +
+              kNearbyShareCertificateValidityPeriod * 0.5 - Now());
+  EXPECT_EQ(private_certificate.HashAuthenticationToken(
+                GetNearbyShareTestPayloadToSign()),
+            cert_manager_->HashAuthenticationTokenWithPrivateCertificate(
+                nearby_share::mojom::Visibility::kAllContacts,
+                GetNearbyShareTestPayloadToSign()));
+  // No selected-contact visibility certificate in storage.
+  EXPECT_FALSE(cert_manager_->HashAuthenticationTokenWithPrivateCertificate(
+      nearby_share::mojom::Visibility::kSelectedContacts,
+      GetNearbyShareTestPayloadToSign()));
 }
 TEST_F(NearbyShareCertificateManagerImplTest,

--- a/chrome/browser/nearby_sharing/nearby_sharing_service_impl.cc
+++ b/chrome/browser/nearby_sharing/nearby_sharing_service_impl.cc
@@ -976,8 +976,7 @@ NearbySharingServiceImpl::CreateEndpointInfo(
  if (visibility == Visibility::kAllContacts ||
      visibility == Visibility::kSelectedContacts) {
    base::Optional<NearbyShareEncryptedMetadataKey> encrypted_metadata_key =
-        certificate_manager_->GetValidPrivateCertificate(visibility)
+        certificate_manager_->EncryptPrivateCertificateMetadataKey(visibility);
-            .EncryptMetadataKey();
    if (encrypted_metadata_key) {
      salt = encrypted_metadata_key->salt();
      encrypted_key = encrypted_metadata_key->encrypted_key();

--- a/chrome/browser/nearby_sharing/paired_key_verification_runner.cc
+++ b/chrome/browser/nearby_sharing/paired_key_verification_runner.cc
@@ -232,9 +232,6 @@ void PairedKeyVerificationRunner::SendCertificateInfo() {
 }
 void PairedKeyVerificationRunner::SendPairedKeyEncryptionFrame() {
-  NearbySharePrivateCertificate private_certificate =
-      certificate_manager_->GetValidPrivateCertificate(visibility_);
  sharing::nearby::Frame frame;
  frame.set_version(sharing::nearby::Frame::V1);
  sharing::nearby::V1Frame* v1_frame = frame.mutable_v1();
@@ -243,7 +240,8 @@ void PairedKeyVerificationRunner::SendPairedKeyEncryptionFrame() {
      v1_frame->mutable_paired_key_encryption();
  base::Optional<std::vector<uint8_t>> signature =
-      private_certificate.Sign(PadPrefix(local_prefix_, raw_token_));
+      certificate_manager_->SignWithPrivateCertificate(
+          visibility_, PadPrefix(local_prefix_, raw_token_));
  if (signature) {
    std::vector<uint8_t> certificate_id_hash;
    if (certificate_)
@@ -268,11 +266,10 @@ void PairedKeyVerificationRunner::SendPairedKeyEncryptionFrame() {
 PairedKeyVerificationRunner::PairedKeyVerificationResult
 PairedKeyVerificationRunner::VerifyRemotePublicCertificate(
    const sharing::mojom::V1FramePtr& frame) {
-  NearbySharePrivateCertificate private_certificate =
+  base::Optional<std::vector<uint8_t>> hash =
-      certificate_manager_->GetValidPrivateCertificate(visibility_);
+      certificate_manager_->HashAuthenticationTokenWithPrivateCertificate(
+          visibility_, raw_token_);
-  if (private_certificate.HashAuthenticationToken(raw_token_) ==
+  if (hash && *hash == frame->get_paired_key_encryption()->secret_id_hash) {
-      frame->get_paired_key_encryption()->secret_id_hash) {
    NS_LOG(VERBOSE) << __func__
                    << ": Successfully verified remote public certificate.";
    return PairedKeyVerificationResult::kSuccess;

--- a/chrome/browser/nearby_sharing/paired_key_verification_runner_unittest.cc
+++ b/chrome/browser/nearby_sharing/paired_key_verification_runner_unittest.cc
@@ -126,11 +126,6 @@ class PairedKeyVerificationRunnerTest : public testing::Test {
          run_loop.Quit();
        }));
    run_loop.Run();
-    // The private certificate is at least always immediately retrieved in order
-    // to create the signature for the sent PairedKeyEncryptionFrame.
-    EXPECT_GE(certificate_manager_.num_get_valid_private_certificate_calls(),
-              1u);
  }
  void SetUpPairedKeyEncryptionFrame(ReturnFrameType frame_type) {
@@ -140,20 +135,11 @@ class PairedKeyVerificationRunnerTest : public testing::Test {
            testing::Eq(sharing::mojom::V1Frame::Tag::PAIRED_KEY_ENCRYPTION),
            testing::_, testing::Eq(kTimeout)))
        .WillOnce(testing::WithArg<1>(testing::Invoke(
-            [frame_type,
+            [frame_type](
-             this](base::OnceCallback<void(
+                base::OnceCallback<void(
-                       base::Optional<sharing::mojom::V1FramePtr>)> callback) {
+                    base::Optional<sharing::mojom::V1FramePtr>)> callback) {
-              // A private certificate retrieval will only be necessary if we
-              // receive a frame that needs verification.
-              size_t initial_num_private_cert_gets =
-                  certificate_manager_
-                      .num_get_valid_private_certificate_calls();
              if (frame_type == ReturnFrameType::kNull) {
                std::move(callback).Run(base::nullopt);
-                EXPECT_EQ(initial_num_private_cert_gets,
-                          certificate_manager_
-                              .num_get_valid_private_certificate_calls());
                return;
              }
@@ -171,9 +157,6 @@ class PairedKeyVerificationRunnerTest : public testing::Test {
              }
              std::move(callback).Run(std::move(mojo_v1frame));
-              EXPECT_EQ(initial_num_private_cert_gets + 1,
-                        certificate_manager_
-                            .num_get_valid_private_certificate_calls());
            })));
  }