[Nearby] Add methods to certificate storage

We add the following methods to certificate storage:

1) UpdatePrivateCertificate(): Replaces the private certificate that has
same ID; no-op if a certificate with that ID doesn't exist. This is
necessary to update the private certificate's list of consumed salts
that changes every time its metadata key is encrypted. This will be used
in a follow-up CL.

2) RemoveExpiredPrivateCertificates(): Deletes all certificates with a
not-after time later than the current time. This action is currently
being performed by the certificate manager, but we want to move the
logic to the storage class in a follow-up CL.

3) ClearPrivateCertificatesOfVisibility(): Deletes all private
certificates of a given visibility. This is necessary for removing
only the relevant certificates when contacts change; currently, all
certificates are being cleared when the allowlist changes or the
contact list changes. This will be used in a follow-up CL.

We also implement most private-certificate methods in the base class
so that they can also be used by the fake implementation.

Bug: b/166473931, b/168022980, b/166112705, 1123134, 1121443
Change-Id: If3e873383e2289047200123939302e85587f441f
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2412479Reviewed-by: James Vecore <vecore@google.com>
Commit-Queue: Josh Nohle <nohle@chromium.org>
Cr-Commit-Position: refs/heads/master@{#807286}

chrome/browser/nearby_sharing/certificates/BUILD.gn

@@ -12,6 +12,7 @@ source_set("certificates") {
     "nearby_share_certificate_manager.h",
     "nearby_share_certificate_manager_impl.cc",
     "nearby_share_certificate_manager_impl.h",
+    "nearby_share_certificate_storage.cc",
     "nearby_share_certificate_storage.h",
     "nearby_share_certificate_storage_impl.cc",
     "nearby_share_certificate_storage_impl.h",

chrome/browser/nearby_sharing/certificates/fake_nearby_share_certificate_storage.cc

@@ -86,12 +86,6 @@ FakeNearbyShareCertificateStorage::GetPrivateCertificates() const {
   return private_certificates_;
 }
 
-base::Optional<base::Time>
-FakeNearbyShareCertificateStorage::NextPrivateCertificateExpirationTime()
-    const {
-  return next_private_certificate_expiration_time_;
-}
-
 base::Optional<base::Time>
 FakeNearbyShareCertificateStorage::NextPublicCertificateExpirationTime() const {
   return next_public_certificate_expiration_time_;
@@ -125,10 +119,6 @@ void FakeNearbyShareCertificateStorage::RemoveExpiredPublicCertificates(
                                                          std::move(callback));
 }
 
-void FakeNearbyShareCertificateStorage::ClearPrivateCertificates() {
-  ++num_clear_private_certificates_calls_;
-}
-
 void FakeNearbyShareCertificateStorage::ClearPublicCertificates(
     ResultCallback callback) {
   clear_public_certificates_callbacks_.push_back(std::move(callback));
@@ -139,17 +129,6 @@ void FakeNearbyShareCertificateStorage::SetPublicCertificateIds(
   public_certificate_ids_ = ids;
 }
 
-void FakeNearbyShareCertificateStorage::SetPrivateCertificates(
-    base::Optional<std::vector<NearbySharePrivateCertificate>>
-        private_certificates) {
-  private_certificates_ = std::move(private_certificates);
-}
-
-void FakeNearbyShareCertificateStorage::SetNextPrivateCertificateExpirationTime(
-    base::Optional<base::Time> time) {
-  next_private_certificate_expiration_time_ = time;
-}
-
 void FakeNearbyShareCertificateStorage::SetNextPublicCertificateExpirationTime(
     base::Optional<base::Time> time) {
   next_public_certificate_expiration_time_ = time;

chrome/browser/nearby_sharing/certificates/fake_nearby_share_certificate_storage.h

@@ -100,8 +100,6 @@ class FakeNearbyShareCertificateStorage : public NearbyShareCertificateStorage {
   void GetPublicCertificates(PublicCertificateCallback callback) override;
   base::Optional<std::vector<NearbySharePrivateCertificate>>
   GetPrivateCertificates() const override;
-  base::Optional<base::Time> NextPrivateCertificateExpirationTime()
-      const override;
   base::Optional<base::Time> NextPublicCertificateExpirationTime()
       const override;
   void ReplacePrivateCertificates(
@@ -117,14 +115,9 @@ class FakeNearbyShareCertificateStorage : public NearbyShareCertificateStorage {
       ResultCallback callback) override;
   void RemoveExpiredPublicCertificates(base::Time now,
                                        ResultCallback callback) override;
-  void ClearPrivateCertificates() override;
   void ClearPublicCertificates(ResultCallback callback) override;
 
   void SetPublicCertificateIds(const std::vector<std::string>& ids);
-  void SetPrivateCertificates(
-      base::Optional<std::vector<NearbySharePrivateCertificate>>
-          private_certificates);
-  void SetNextPrivateCertificateExpirationTime(base::Optional<base::Time> time);
   void SetNextPublicCertificateExpirationTime(base::Optional<base::Time> time);
 
   std::vector<PublicCertificateCallback>& get_public_certificates_callbacks() {
@@ -145,17 +138,11 @@ class FakeNearbyShareCertificateStorage : public NearbyShareCertificateStorage {
     return remove_expired_public_certificates_calls_;
   }
 
-  size_t num_clear_private_certificates_calls() {
-    return num_clear_private_certificates_calls_;
-  }
-
   std::vector<ResultCallback>& clear_public_certificates_callbacks() {
     return clear_public_certificates_callbacks_;
   }
 
  private:
-  size_t num_clear_private_certificates_calls_ = 0;
-  base::Optional<base::Time> next_private_certificate_expiration_time_;
   base::Optional<base::Time> next_public_certificate_expiration_time_;
   std::vector<std::string> public_certificate_ids_;
   base::Optional<std::vector<NearbySharePrivateCertificate>>

chrome/browser/nearby_sharing/certificates/nearby_share_certificate_manager_impl_unittest.cc

@@ -411,7 +411,7 @@ class NearbyShareCertificateManagerImplTest
 };
 
 TEST_F(NearbyShareCertificateManagerImplTest, GetValidPrivateCertificate) {
-  cert_store_->SetPrivateCertificates(private_certificates_);
+  cert_store_->ReplacePrivateCertificates(private_certificates_);
   FastForward(kNearbyShareCertificateValidityPeriod * 1.5);
   auto cert = cert_manager_->GetValidPrivateCertificate(
       nearby_share::mojom::Visibility::kAllContacts);
@@ -504,7 +504,7 @@ TEST_F(NearbyShareCertificateManagerImplTest,
 
 TEST_F(NearbyShareCertificateManagerImplTest,
        RefreshPrivateCertificates_ValidCertificates) {
-  cert_store_->SetPrivateCertificates(private_certificates_);
+  cert_store_->ReplacePrivateCertificates(private_certificates_);
 
   cert_manager_->Start();
   HandlePrivateCertificateRefresh(/*expect_private_cert_refresh=*/false,
@@ -514,7 +514,7 @@ TEST_F(NearbyShareCertificateManagerImplTest,
 
 TEST_F(NearbyShareCertificateManagerImplTest,
        RefreshPrivateCertificates_NoCertificates_UploadSuccess) {
-  cert_store_->SetPrivateCertificates(
+  cert_store_->ReplacePrivateCertificates(
       std::vector<NearbySharePrivateCertificate>());
 
   cert_manager_->Start();
@@ -526,7 +526,7 @@ TEST_F(NearbyShareCertificateManagerImplTest,
 
 TEST_F(NearbyShareCertificateManagerImplTest,
        RefreshPrivateCertificates_NoCertificates_UploadFailure) {
-  cert_store_->SetPrivateCertificates(
+  cert_store_->ReplacePrivateCertificates(
       std::vector<NearbySharePrivateCertificate>());
 
   cert_manager_->Start();
@@ -548,11 +548,11 @@ TEST_F(NearbyShareCertificateManagerImplTest,
       contact_manager_->NotifyAllowlistChanged(
           were_contacts_added_to_allowlist,
           were_contacts_removed_from_allowlist);
-      if (were_contacts_removed_from_allowlist)
+      if (were_contacts_removed_from_allowlist) {
         ++num_expected_calls;
+        EXPECT_TRUE(cert_store_->GetPrivateCertificates()->empty());
+      }
 
-      EXPECT_EQ(num_expected_calls,
-                cert_store_->num_clear_private_certificates_calls());
       EXPECT_EQ(num_expected_calls,
                 private_cert_exp_scheduler_->num_immediate_requests());
     }
@@ -569,11 +569,11 @@ TEST_F(NearbyShareCertificateManagerImplTest,
   for (bool did_contacts_change_since_last_upload : {true, false}) {
     contact_manager_->NotifyContactsUploaded(
         did_contacts_change_since_last_upload);
-    if (did_contacts_change_since_last_upload)
+    if (did_contacts_change_since_last_upload) {
       ++num_expected_calls;
+      EXPECT_TRUE(cert_store_->GetPrivateCertificates()->empty());
+    }
 
-    EXPECT_EQ(num_expected_calls,
-              cert_store_->num_clear_private_certificates_calls());
     EXPECT_EQ(num_expected_calls,
               private_cert_exp_scheduler_->num_immediate_requests());
   }
@@ -594,10 +594,9 @@ TEST_F(NearbyShareCertificateManagerImplTest,
         if (did_device_name_change || did_full_name_change ||
             did_icon_url_change) {
           ++num_expected_calls;
+          EXPECT_TRUE(cert_store_->GetPrivateCertificates()->empty());
         }
 
-        EXPECT_EQ(num_expected_calls,
-                  cert_store_->num_clear_private_certificates_calls());
         EXPECT_EQ(num_expected_calls,
                   private_cert_exp_scheduler_->num_immediate_requests());
       }
@@ -609,7 +608,7 @@ TEST_F(NearbyShareCertificateManagerImplTest,
        RefreshPrivateCertificates_ExpiredCertificate) {
   // First certificates are expired;
   FastForward(kNearbyShareCertificateValidityPeriod * 1.5);
-  cert_store_->SetPrivateCertificates(private_certificates_);
+  cert_store_->ReplacePrivateCertificates(private_certificates_);
 
   cert_manager_->Start();
   HandlePrivateCertificateRefresh(/*expect_private_cert_refresh=*/true,
@@ -620,7 +619,7 @@ TEST_F(NearbyShareCertificateManagerImplTest,
 
 TEST_F(NearbyShareCertificateManagerImplTest,
        RefreshPrivateCertificates_InvalidDeviceName) {
-  cert_store_->SetPrivateCertificates(
+  cert_store_->ReplacePrivateCertificates(
       std::vector<NearbySharePrivateCertificate>());
 
   // Device name is missing in local device data manager.
@@ -635,7 +634,7 @@ TEST_F(NearbyShareCertificateManagerImplTest,
 
 TEST_F(NearbyShareCertificateManagerImplTest,
        RefreshPrivateCertificates_InvalidBluetoothMacAddress) {
-  cert_store_->SetPrivateCertificates(
+  cert_store_->ReplacePrivateCertificates(
       std::vector<NearbySharePrivateCertificate>());
 
   // The bluetooth adapter returns an invalid Bluetooth MAC address.
@@ -655,7 +654,7 @@ TEST_F(NearbyShareCertificateManagerImplTest,
 
 TEST_F(NearbyShareCertificateManagerImplTest,
        RefreshPrivateCertificates_MissingFullNameAndIconUrl) {
-  cert_store_->SetPrivateCertificates(
+  cert_store_->ReplacePrivateCertificates(
       std::vector<NearbySharePrivateCertificate>());
 
   // Full name and icon URL are missing in local device data manager.

chrome/browser/nearby_sharing/certificates/nearby_share_certificate_storage.cc

+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <algorithm>
+
+#include "chrome/browser/nearby_sharing/certificates/common.h"
+#include "chrome/browser/nearby_sharing/certificates/nearby_share_certificate_storage.h"
+
+base::Optional<base::Time>
+NearbyShareCertificateStorage::NextPrivateCertificateExpirationTime() {
+  base::Optional<std::vector<NearbySharePrivateCertificate>> certs =
+      GetPrivateCertificates();
+  if (!certs || certs->empty())
+    return base::nullopt;
+
+  base::Time min_time = base::Time::Max();
+  for (const NearbySharePrivateCertificate& cert : *certs)
+    min_time = std::min(min_time, cert.not_after());
+
+  return min_time;
+}
+
+void NearbyShareCertificateStorage::UpdatePrivateCertificate(
+    const NearbySharePrivateCertificate& private_certificate) {
+  base::Optional<std::vector<NearbySharePrivateCertificate>> certs =
+      GetPrivateCertificates();
+  if (!certs)
+    return;
+
+  auto it = std::find_if(
+      certs->begin(), certs->end(),
+      [&private_certificate](const NearbySharePrivateCertificate& cert) {
+        return cert.id() == private_certificate.id();
+      });
+  if (it == certs->end())
+    return;
+
+  *it = private_certificate;
+  ReplacePrivateCertificates(*certs);
+}
+
+void NearbyShareCertificateStorage::RemoveExpiredPrivateCertificates(
+    base::Time now) {
+  base::Optional<std::vector<NearbySharePrivateCertificate>> certs =
+      GetPrivateCertificates();
+  if (!certs)
+    return;
+
+  std::vector<NearbySharePrivateCertificate> unexpired_certs;
+  for (const NearbySharePrivateCertificate& cert : *certs) {
+    if (!IsNearbyShareCertificateExpired(
+            now, cert.not_after(),
+            /*use_public_certificate_tolerance=*/false)) {
+      unexpired_certs.push_back(cert);
+    }
+  }
+
+  ReplacePrivateCertificates(unexpired_certs);
+}
+
+void NearbyShareCertificateStorage::ClearPrivateCertificates() {
+  ReplacePrivateCertificates(std::vector<NearbySharePrivateCertificate>());
+}
+
+void NearbyShareCertificateStorage::ClearPrivateCertificatesOfVisibility(
+    nearby_share::mojom::Visibility visibility) {
+  base::Optional<std::vector<NearbySharePrivateCertificate>> certs =
+      GetPrivateCertificates();
+  if (!certs)
+    return;
+
+  bool were_certs_removed = false;
+  std::vector<NearbySharePrivateCertificate> new_certs;
+  for (const NearbySharePrivateCertificate& cert : *certs) {
+    if (cert.visibility() == visibility) {
+      were_certs_removed = true;
+    } else {
+      new_certs.push_back(cert);
+    }
+  }
+
+  if (were_certs_removed)
+    ReplacePrivateCertificates(new_certs);
+}

chrome/browser/nearby_sharing/certificates/nearby_share_certificate_storage.h

@@ -10,6 +10,7 @@
 #include "base/time/time.h"
 #include "chrome/browser/nearby_sharing/certificates/nearby_share_private_certificate.h"
 #include "chrome/browser/nearby_sharing/proto/rpc_resources.pb.h"
+#include "chrome/browser/ui/webui/nearby_share/public/mojom/nearby_share_settings.mojom.h"
 
 // Stores local-device private certificates and remote-device public
 // certificates. Provides methods to help manage certificate expiration. Due to
@@ -39,8 +40,7 @@ class NearbyShareCertificateStorage {
 
   // Returns the next time a certificate expires or base::nullopt if no
   // certificates are present.
-  virtual base::Optional<base::Time> NextPrivateCertificateExpirationTime()
-      const = 0;
+  base::Optional<base::Time> NextPrivateCertificateExpirationTime();
   virtual base::Optional<base::Time> NextPublicCertificateExpirationTime()
       const = 0;
 
@@ -57,6 +57,13 @@ class NearbyShareCertificateStorage {
           public_certificates,
       ResultCallback callback) = 0;
 
+  // Overwrites an existing record with |private_certificate| if that records
+  // has the same ID . If no such record exists in storage, no action is taken.
+  // This method is necessary for updating the private certificate's list of
+  // consumed salts.
+  void UpdatePrivateCertificate(
+      const NearbySharePrivateCertificate& private_certificate);
+
   // Adds public certificates, or replaces existing certificates
   // by secret_id
   virtual void AddPublicCertificates(
@@ -64,13 +71,22 @@ class NearbyShareCertificateStorage {
           public_certificates,
       ResultCallback callback) = 0;
 
+  // Removes all private certificates from storage with expiration date after
+  // |now|.
+  void RemoveExpiredPrivateCertificates(base::Time now);
+
   // Removes all public certificates from storage with expiration date after
   // |now|.
   virtual void RemoveExpiredPublicCertificates(base::Time now,
                                                ResultCallback callback) = 0;
 
   // Delete all private certificates from memory and persistent storage.
-  virtual void ClearPrivateCertificates() = 0;
+  void ClearPrivateCertificates();
+
+  // Delete private certificates with |visibility| from memory and persistent
+  // storage.
+  void ClearPrivateCertificatesOfVisibility(
+      nearby_share::mojom::Visibility visibility);
 
   // Delete all public certificates from memory and persistent storage.
   virtual void ClearPublicCertificates(ResultCallback callback) = 0;

chrome/browser/nearby_sharing/certificates/nearby_share_certificate_storage_impl.cc

@@ -442,30 +442,11 @@ NearbyShareCertificateStorageImpl::GetPrivateCertificates() const {
     if (!cert)
       return base::nullopt;
 
-    certs.emplace_back(*std::move(cert));
+    certs.push_back(*std::move(cert));
   }
   return certs;
 }
 
-base::Optional<base::Time>
-NearbyShareCertificateStorageImpl::NextPrivateCertificateExpirationTime()
-    const {
-  const base::Value* list =
-      pref_service_->Get(prefs::kNearbySharingPrivateCertificateListPrefName);
-  if (!list || list->GetList().empty())
-    return base::nullopt;
-
-  base::Time min_time = base::Time::Max();
-  for (const base::Value& cert_dict : list->GetList()) {
-    auto cert(NearbySharePrivateCertificate::FromDictionary(cert_dict));
-    if (!cert)
-      return base::nullopt;
-
-    min_time = std::min(min_time, cert->not_after());
-  }
-  return min_time;
-}
-
 base::Optional<base::Time>
 NearbyShareCertificateStorageImpl::NextPublicCertificateExpirationTime() const {
   if (public_certificate_expirations_.empty())
@@ -481,8 +462,8 @@ void NearbyShareCertificateStorageImpl::ReplacePrivateCertificates(
   for (const NearbySharePrivateCertificate& cert : private_certificates) {
     list.Append(cert.ToDictionary());
   }
-  NS_LOG(VERBOSE) << __func__ << ": Overwriting private certificates pref. "
-                  << private_certificates.size() << " new certificates.";
+  NS_LOG(VERBOSE) << __func__ << ": Overwriting private certificates pref with "
+                  << private_certificates.size() << " certificates.";
   pref_service_->Set(prefs::kNearbySharingPrivateCertificateListPrefName, list);
 }
 
@@ -612,10 +593,6 @@ void NearbyShareCertificateStorageImpl::RemoveExpiredPublicCertificates(
                      std::move(callback)));
 }
 
-void NearbyShareCertificateStorageImpl::ClearPrivateCertificates() {
-  pref_service_->ClearPref(prefs::kNearbySharingPrivateCertificateListPrefName);
-}
-
 void NearbyShareCertificateStorageImpl::ClearPublicCertificates(
     ResultCallback callback) {
   if (init_status_ == InitStatus::kFailed) {

chrome/browser/nearby_sharing/certificates/nearby_share_certificate_storage_impl.h

@@ -66,8 +66,6 @@ class NearbyShareCertificateStorageImpl : public NearbyShareCertificateStorage {
   void GetPublicCertificates(PublicCertificateCallback callback) override;
   base::Optional<std::vector<NearbySharePrivateCertificate>>
   GetPrivateCertificates() const override;
-  base::Optional<base::Time> NextPrivateCertificateExpirationTime()
-      const override;
   base::Optional<base::Time> NextPublicCertificateExpirationTime()
       const override;
   void ReplacePrivateCertificates(
@@ -83,7 +81,6 @@ class NearbyShareCertificateStorageImpl : public NearbyShareCertificateStorage {
       ResultCallback callback) override;
   void RemoveExpiredPublicCertificates(base::Time now,
                                        ResultCallback callback) override;
-  void ClearPrivateCertificates() override;
   void ClearPublicCertificates(ResultCallback callback) override;
 
  private:
@@ -131,7 +128,6 @@ class NearbyShareCertificateStorageImpl : public NearbyShareCertificateStorage {
       leveldb_proto::ProtoDatabase<nearbyshare::proto::PublicCertificate>>
       db_;
 
-  std::vector<NearbySharePrivateCertificate> private_certificates_;
   ExpirationList public_certificate_expirations_;
   base::queue<base::OnceClosure> deferred_callbacks_;
 };

chrome/browser/nearby_sharing/certificates/nearby_share_certificate_storage_impl_unittest.cc

@@ -104,12 +104,14 @@ nearbyshare::proto::PublicCertificate CreatePublicCertificate(
   return cert;
 }
 
-std::vector<NearbySharePrivateCertificate> CreatePrivateCertificates(size_t n) {
+std::vector<NearbySharePrivateCertificate> CreatePrivateCertificates(
+    size_t n,
+    nearby_share::mojom::Visibility visibility) {
   std::vector<NearbySharePrivateCertificate> certs;
   certs.reserve(n);
   for (size_t i = 0; i < n; ++i) {
-    certs.emplace_back(nearby_share::mojom::Visibility::kAllContacts,
-                       base::Time::Now(), GetNearbyShareTestMetadata());
+    certs.emplace_back(visibility, base::Time::Now(),
+                       GetNearbyShareTestMetadata());
   }
   return certs;
 }
@@ -119,6 +121,7 @@ base::Time TimestampToTime(nearbyshare::proto::Timestamp timestamp) {
          base::TimeDelta::FromSeconds(timestamp.seconds()) +
          base::TimeDelta::FromNanoseconds(timestamp.nanos());
 }
+
 }  // namespace
 
 class NearbyShareCertificateStorageImplTest : public ::testing::Test {
@@ -431,6 +434,33 @@ TEST_F(NearbyShareCertificateStorageImplTest, ClearPublicCertificates) {
   ASSERT_EQ(0u, db_entries_.size());
 }
 
+TEST_F(NearbyShareCertificateStorageImplTest,
+       RemoveExpiredPrivateCertificates) {
+  db_->InitStatusCallback(leveldb_proto::Enums::InitStatus::kOK);
+
+  std::vector<NearbySharePrivateCertificate> certs = CreatePrivateCertificates(
+      3, nearby_share::mojom::Visibility::kAllContacts);
+  cert_store_->ReplacePrivateCertificates(certs);
+
+  std::vector<base::Time> expiration_times;
+  for (const NearbySharePrivateCertificate& cert : certs) {
+    expiration_times.push_back(cert.not_after());
+  }
+  std::sort(expiration_times.begin(), expiration_times.end());
+
+  // Set current time to exceed the expiration times of the first two
+  // certificates.
+  base::Time now = expiration_times[1];
+
+  cert_store_->RemoveExpiredPrivateCertificates(now);
+
+  certs = *cert_store_->GetPrivateCertificates();
+  ASSERT_EQ(1u, certs.size());
+  for (const NearbySharePrivateCertificate& cert : certs) {
+    EXPECT_LE(now, cert.not_after());
+  }
+}
+
 TEST_F(NearbyShareCertificateStorageImplTest, RemoveExpiredPublicCertificates) {
   db_->InitStatusCallback(leveldb_proto::Enums::InitStatus::kOK);
 
@@ -464,7 +494,8 @@ TEST_F(NearbyShareCertificateStorageImplTest, RemoveExpiredPublicCertificates) {
 TEST_F(NearbyShareCertificateStorageImplTest, ReplaceGetPrivateCertificates) {
   db_->InitStatusCallback(leveldb_proto::Enums::InitStatus::kOK);
 
-  auto certs_before = CreatePrivateCertificates(3);
+  auto certs_before = CreatePrivateCertificates(
+      3, nearby_share::mojom::Visibility::kAllContacts);
   cert_store_->ReplacePrivateCertificates(certs_before);
   auto certs_after = cert_store_->GetPrivateCertificates();
 
@@ -474,7 +505,8 @@ TEST_F(NearbyShareCertificateStorageImplTest, ReplaceGetPrivateCertificates) {
     EXPECT_EQ(certs_before[i].ToDictionary(), (*certs_after)[i].ToDictionary());
   }
 
-  certs_before = CreatePrivateCertificates(1);
+  certs_before = CreatePrivateCertificates(
+      1, nearby_share::mojom::Visibility::kAllContacts);
   cert_store_->ReplacePrivateCertificates(certs_before);
   certs_after = cert_store_->GetPrivateCertificates();
 
@@ -485,11 +517,37 @@ TEST_F(NearbyShareCertificateStorageImplTest, ReplaceGetPrivateCertificates) {
   }
 }
 
+TEST_F(NearbyShareCertificateStorageImplTest, UpdatePrivateCertificates) {
+  db_->InitStatusCallback(leveldb_proto::Enums::InitStatus::kOK);
+
+  std::vector<NearbySharePrivateCertificate> initial_certs =
+      CreatePrivateCertificates(3,
+                                nearby_share::mojom::Visibility::kAllContacts);
+  cert_store_->ReplacePrivateCertificates(initial_certs);
+
+  NearbySharePrivateCertificate cert_to_update = initial_certs[1];
+  EXPECT_EQ(initial_certs[1].ToDictionary(), cert_to_update.ToDictionary());
+  cert_to_update.EncryptMetadataKey();
+  EXPECT_NE(initial_certs[1].ToDictionary(), cert_to_update.ToDictionary());
+
+  cert_store_->UpdatePrivateCertificate(cert_to_update);
+
+  std::vector<NearbySharePrivateCertificate> new_certs =
+      *cert_store_->GetPrivateCertificates();
+  EXPECT_EQ(initial_certs.size(), new_certs.size());
+  for (size_t i = 0; i < new_certs.size(); ++i) {
+    NearbySharePrivateCertificate expected_cert =
+        i == 1 ? cert_to_update : initial_certs[i];
+    EXPECT_EQ(expected_cert.ToDictionary(), new_certs[i].ToDictionary());
+  }
+}
+
 TEST_F(NearbyShareCertificateStorageImplTest,
        NextPrivateCertificateExpirationTime) {
   db_->InitStatusCallback(leveldb_proto::Enums::InitStatus::kOK);
 
-  auto certs = CreatePrivateCertificates(3);
+  auto certs = CreatePrivateCertificates(
+      3, nearby_share::mojom::Visibility::kAllContacts);
   cert_store_->ReplacePrivateCertificates(certs);
   base::Optional<base::Time> next_expiration =
       cert_store_->NextPrivateCertificateExpirationTime();
@@ -526,7 +584,8 @@ TEST_F(NearbyShareCertificateStorageImplTest, ClearPrivateCertificates) {
   db_->InitStatusCallback(leveldb_proto::Enums::InitStatus::kOK);
 
   std::vector<NearbySharePrivateCertificate> certs_before =
-      CreatePrivateCertificates(3);
+      CreatePrivateCertificates(3,
+                                nearby_share::mojom::Visibility::kAllContacts);
   cert_store_->ReplacePrivateCertificates(certs_before);
   cert_store_->ClearPrivateCertificates();
   auto certs_after = cert_store_->GetPrivateCertificates();
@@ -534,3 +593,61 @@ TEST_F(NearbyShareCertificateStorageImplTest, ClearPrivateCertificates) {
   ASSERT_TRUE(certs_after.has_value());
   EXPECT_EQ(0u, certs_after->size());
 }
+
+TEST_F(NearbyShareCertificateStorageImplTest,
+       ClearPrivateCertificatesOfVisibility) {
+  db_->InitStatusCallback(leveldb_proto::Enums::InitStatus::kOK);
+
+  std::vector<NearbySharePrivateCertificate> certs_all_contacts =
+      CreatePrivateCertificates(3,
+                                nearby_share::mojom::Visibility::kAllContacts);
+  std::vector<NearbySharePrivateCertificate> certs_selected_contacts =
+      CreatePrivateCertificates(
+          3, nearby_share::mojom::Visibility::kSelectedContacts);
+  std::vector<NearbySharePrivateCertificate> all_certs;
+  all_certs.reserve(certs_all_contacts.size() + certs_selected_contacts.size());
+  all_certs.insert(all_certs.end(), certs_all_contacts.begin(),
+                   certs_all_contacts.end());
+  all_certs.insert(all_certs.end(), certs_selected_contacts.begin(),
+                   certs_selected_contacts.end());
+
+  // Remove all-contacts certs then selected-contacts certs.
+  {
+    cert_store_->ReplacePrivateCertificates(all_certs);
+    cert_store_->ClearPrivateCertificatesOfVisibility(
+        nearby_share::mojom::Visibility::kAllContacts);
+    auto certs_after = cert_store_->GetPrivateCertificates();
+    ASSERT_TRUE(certs_after.has_value());
+    ASSERT_EQ(certs_selected_contacts.size(), certs_after->size());
+    for (size_t i = 0; i < certs_selected_contacts.size(); ++i) {
+      EXPECT_EQ(certs_selected_contacts[i].ToDictionary(),
+                (*certs_after)[i].ToDictionary());
+    }
+
+    cert_store_->ClearPrivateCertificatesOfVisibility(
+        nearby_share::mojom::Visibility::kSelectedContacts);
+    certs_after = cert_store_->GetPrivateCertificates();
+    ASSERT_TRUE(certs_after.has_value());
+    EXPECT_EQ(0u, certs_after->size());
+  }
+
+  // Remove selected-contacts certs then all-contacts certs.
+  {
+    cert_store_->ReplacePrivateCertificates(all_certs);
+    cert_store_->ClearPrivateCertificatesOfVisibility(
+        nearby_share::mojom::Visibility::kSelectedContacts);
+    auto certs_after = cert_store_->GetPrivateCertificates();
+    ASSERT_TRUE(certs_after.has_value());
+    ASSERT_EQ(certs_all_contacts.size(), certs_after->size());
+    for (size_t i = 0; i < certs_all_contacts.size(); ++i) {
+      EXPECT_EQ(certs_all_contacts[i].ToDictionary(),
+                (*certs_after)[i].ToDictionary());
+    }
+
+    cert_store_->ClearPrivateCertificatesOfVisibility(
+        nearby_share::mojom::Visibility::kAllContacts);
+    certs_after = cert_store_->GetPrivateCertificates();
+    ASSERT_TRUE(certs_after.has_value());
+    EXPECT_EQ(0u, certs_after->size());
+  }
+}