More tests for the new certificateProvider API

Provide test coverage for the following scenarios in the
chrome.certificateProvider extensions API:
* empty certificate chain;
* empty algorithm list;
* an extension subscribing to both legacy and non-legacy
  events simultaneously.

Bug: 1067683
Change-Id: I074967716aba5c91b6b6e946345f84a4767bd722
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2252187
Commit-Queue: Maksim Ivanov <emaxx@chromium.org>
Reviewed-by: Fabian Sommer <fabiansommer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#790996}

chrome/browser/extensions/api/certificate_provider/certificate_provider_apitest.cc

@@ -12,6 +12,7 @@
 
 #include "base/bind.h"
 #include "base/callback.h"
+#include "base/containers/span.h"
 #include "base/files/file_path.h"
 #include "base/files/file_util.h"
 #include "base/hash/sha1.h"
@@ -249,8 +250,8 @@ class CertificateProviderApiMockedExtensionTest
   std::string GetKeyPk8() const {
     std::string key_pk8;
     base::ScopedAllowBlockingForTesting allow_io;
-    base::ReadFileToString(extension_path_.AppendASCII("l1_leaf.pk8"),
-                           &key_pk8);
+    EXPECT_TRUE(base::ReadFileToString(
+        extension_path_.AppendASCII("l1_leaf.pk8"), &key_pk8));
     return key_pk8;
   }
 
@@ -302,11 +303,9 @@ class CertificateProviderApiMockedExtensionTest
 
     // Load the private key.
     std::string key_pk8 = GetKeyPk8();
-    const uint8_t* const key_pk8_begin =
-        reinterpret_cast<const uint8_t*>(key_pk8.data());
     std::unique_ptr<crypto::RSAPrivateKey> key(
-        crypto::RSAPrivateKey::CreateFromPrivateKeyInfo(std::vector<uint8_t>(
-            key_pk8_begin, key_pk8_begin + key_pk8.size())));
+        crypto::RSAPrivateKey::CreateFromPrivateKeyInfo(
+            base::as_bytes(base::make_span(key_pk8))));
     ASSERT_TRUE(key);
 
     // Sign using the private key.
@@ -529,6 +528,30 @@ IN_PROC_BROWSER_TEST_F(CertificateProviderApiMockedExtensionTest,
   CheckCertificateAbsent(*certificate);
 }
 
+// Tests an extension that provides certificates both proactively with
+// setCertificates() and in response to both events:
+// onCertificatesUpdateRequested and legacy onCertificatesRequested. Verify that
+// the non-legacy signature event is used.
+IN_PROC_BROWSER_TEST_F(CertificateProviderApiMockedExtensionTest,
+                       ProactiveAndRedundantLegacyResponsiveExtension) {
+  ExecuteJavascript("registerAsCertificateProvider();");
+  ExecuteJavascript("registerAsLegacyCertificateProvider();");
+  ExecuteJavascript("registerForSignatureRequests();");
+  ExecuteJavascript("registerForLegacySignatureRequests();");
+  ExecuteJavascriptAndWaitForCallback("setCertificates();");
+
+  scoped_refptr<net::X509Certificate> certificate = GetCertificate();
+  CheckCertificateProvidedByExtension(*certificate, *extension());
+
+  // Note that this verifies that the non-legacy signature event is used, since
+  // we're processing the raw data signature operation here.
+  TestNavigationToCertificateRequestingWebPage(/*is_raw_data=*/true);
+
+  // Remove the certificate.
+  ExecuteJavascriptAndWaitForCallback("unsetCertificates();");
+  CheckCertificateAbsent(*certificate);
+}
+
 // Tests an extension that only provides certificates proactively via
 // setCertificates().
 IN_PROC_BROWSER_TEST_F(CertificateProviderApiMockedExtensionTest,

chrome/test/data/extensions/api_test/certificate_provider/basic.js

@@ -20,18 +20,29 @@ const INVALID_CERT = new Uint8Array([1, 2, 3, 4, 5]);
 function registerAsCertificateProvider() {
   function reportCertificates(request) {
     assertTrue(Number.isInteger(request.certificatesRequestId));
-    const validCertInfo = {
+    const validCert = {
       certificateChain: [l1LeafCert.buffer],
       supportedAlgorithms: ['RSASSA_PKCS1_v1_5_SHA1']
     };
-    const invalidCertInfo = {
+    const invalidCertBadDer = {
       certificateChain: [INVALID_CERT.buffer],
       supportedAlgorithms: ['RSASSA_PKCS1_v1_5_SHA256']
     };
+    const invalidCertEmpty = {
+      certificateChain: [],
+      supportedAlgorithms: ['RSASSA_PKCS1_v1_5_SHA256']
+    };
+    const invalidCertNoAlgorithms = {
+      certificateChain: [l1LeafCert.buffer],
+      supportedAlgorithms: []
+    };
     chrome.certificateProvider.setCertificates(
         {
           certificatesRequestId: request.certificatesRequestId,
-          clientCertificates: [validCertInfo, invalidCertInfo]
+          clientCertificates: [
+            validCert, invalidCertBadDer, invalidCertEmpty,
+            invalidCertNoAlgorithms
+          ]
         },
         () => {
           chrome.test.succeed();
@@ -68,16 +79,30 @@ function registerAsLegacyCertificateProvider() {
 // This can be combined with registerAsCertificateProvider(), but can also be
 // used on its own.
 function setCertificates() {
-  const validCertInfo = {
+  const validCert = {
     certificateChain: [l1LeafCert.buffer],
     supportedAlgorithms: ['RSASSA_PKCS1_v1_5_SHA1']
   };
-  const invalidCertInfo = {
+  const invalidCertBadDer = {
     certificateChain: [INVALID_CERT.buffer],
     supportedAlgorithms: ['RSASSA_PKCS1_v1_5_SHA256']
   };
+  const invalidCertEmpty = {
+    certificateChain: [],
+    supportedAlgorithms: ['RSASSA_PKCS1_v1_5_SHA256']
+  };
+  const invalidCertNoAlgorithms = {
+    certificateChain: [l1LeafCert.buffer],
+    supportedAlgorithms: []
+  };
   chrome.certificateProvider.setCertificates(
-      {clientCertificates: [validCertInfo, invalidCertInfo]}, () => {
+      {
+        clientCertificates: [
+          validCert, invalidCertBadDer, invalidCertEmpty,
+          invalidCertNoAlgorithms
+        ]
+      },
+      () => {
         const success = !chrome.runtime.lastError;
         domAutomationController.send(success);
       });