[Nearby] Use fake cert manager in service tests

Bug: 1113850 Change-Id: I9d82f7a8074b0a0d2fe918bff8125f046e120ad8 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2353876 Commit-Queue: Josh Nohle <nohle@chromium.org> Reviewed-by: Himanshu Jaju <himanshujaju@chromium.org> Cr-Commit-Position: refs/heads/master@{#798066}

[Nearby] Use fake cert manager in service tests
Bug: 1113850 Change-Id: I9d82f7a8074b0a0d2fe918bff8125f046e120ad8 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2353876 Commit-Queue: Josh Nohle <nohle@chromium.org> Reviewed-by: Himanshu Jaju <himanshujaju@chromium.org> Cr-Commit-Position: refs/heads/master@{#798066}
ecbdf319 · Josh Nohle · Commit Bot · 6e7df486 · ecbdf319 · ecbdf319
Commit ecbdf319 authored Aug 14, 2020 by Josh Nohle Committed by Commit Bot Aug 14, 2020
10 changed files
--- a/chrome/browser/nearby_sharing/certificates/fake_nearby_share_certificate_manager.h
+++ b/chrome/browser/nearby_sharing/certificates/fake_nearby_share_certificate_manager.h
@@ -21,7 +21,8 @@ class FakeNearbyShareCertificateManager : public NearbyShareCertificateManager {
  // Factory that creates FakeNearbyShareCertificateManager instances. Use in
  // NearbyShareCertificateManagerImpl::Factor::SetFactoryForTesting() in unit
  // tests.
-  class Factory : NearbyShareCertificateManagerImpl::Factory {
+  class Factory : public NearbyShareCertificateManagerImpl::Factory {
+   public:
    Factory();
    ~Factory() override;
@@ -75,6 +76,14 @@ class FakeNearbyShareCertificateManager : public NearbyShareCertificateManager {
  using NearbyShareCertificateManager::NotifyPrivateCertificatesChanged;
  using NearbyShareCertificateManager::NotifyPublicCertificatesDownloaded;
+  size_t num_get_valid_private_certificate_calls() {
+    return num_get_valid_private_certificate_calls_;
+  }
+  size_t num_download_public_certificates_calls() {
+    return num_download_public_certificates_calls_;
+  }
  std::vector<GetDecryptedPublicCertificateCall>&
  get_decrypted_public_certificate_calls() {
    return get_decrypted_public_certificate_calls_;

--- a/chrome/browser/nearby_sharing/certificates/test_util.cc
+++ b/chrome/browser/nearby_sharing/certificates/test_util.cc
@@ -278,3 +278,12 @@ GetNearbyShareTestPublicCertificate() {
      }());
  return *cert;
 }
+const NearbyShareDecryptedPublicCertificate&
+GetNearbyShareTestDecryptedPublicCertificate() {
+  static const base::NoDestructor<NearbyShareDecryptedPublicCertificate> cert(
+      *NearbyShareDecryptedPublicCertificate::DecryptPublicCertificate(
+          GetNearbyShareTestPublicCertificate(),
+          GetNearbyShareTestEncryptedMetadataKey()));
+  return *cert;
+}
--- a/chrome/browser/nearby_sharing/certificates/test_util.h
+++ b/chrome/browser/nearby_sharing/certificates/test_util.h
@@ -9,6 +9,7 @@
 #include <vector>
 #include "base/time/time.h"
+#include "chrome/browser/nearby_sharing/certificates/nearby_share_decrypted_public_certificate.h"
 #include "chrome/browser/nearby_sharing/certificates/nearby_share_encrypted_metadata_key.h"
 #include "chrome/browser/nearby_sharing/certificates/nearby_share_private_certificate.h"
 #include "chrome/browser/nearby_sharing/proto/encrypted_metadata.pb.h"
@@ -46,4 +47,7 @@ NearbySharePrivateCertificate GetNearbyShareTestPrivateCertificate(
 const nearbyshare::proto::PublicCertificate&
 GetNearbyShareTestPublicCertificate();
+const NearbyShareDecryptedPublicCertificate&
+GetNearbyShareTestDecryptedPublicCertificate();
 #endif  // CHROME_BROWSER_NEARBY_SHARING_CERTIFICATES_TEST_UTIL_H_
--- a/chrome/browser/nearby_sharing/contacts/fake_nearby_share_contact_manager.h
+++ b/chrome/browser/nearby_sharing/contacts/fake_nearby_share_contact_manager.h
@@ -24,7 +24,8 @@ class FakeNearbyShareContactManager : public NearbyShareContactManager {
  // Factory that creates FakeNearbyShareContactManager instances. Use in
  // NearbyShareContactManagerImpl::Factor::SetFactoryForTesting() in unit
  // tests.
-  class Factory : NearbyShareContactManagerImpl::Factory {
+  class Factory : public NearbyShareContactManagerImpl::Factory {
+   public:
    Factory();
    ~Factory() override;

--- a/chrome/browser/nearby_sharing/nearby_sharing_service_factory.cc
+++ b/chrome/browser/nearby_sharing/nearby_sharing_service_factory.cc
@@ -10,7 +10,6 @@
 #include "base/memory/singleton.h"
 #include "build/build_config.h"
 #include "chrome/browser/browser_features.h"
-#include "chrome/browser/nearby_sharing/certificates/nearby_share_certificate_manager_impl.h"
 #include "chrome/browser/nearby_sharing/common/nearby_share_prefs.h"
 #include "chrome/browser/nearby_sharing/logging/logging.h"
 #include "chrome/browser/nearby_sharing/nearby_connections_manager.h"
@@ -74,8 +73,7 @@ KeyedService* NearbySharingServiceFactory::BuildServiceInstanceFor(
  NS_LOG(VERBOSE) << __func__ << ": creating NearbySharingService.";
  return new NearbySharingServiceImpl(
      pref_service, notification_display_service, profile,
-      std::move(nearby_connections_manager), &process_manager,
+      std::move(nearby_connections_manager), &process_manager);
-      NearbyShareCertificateManagerImpl::Factory::Create());
 }
 content::BrowserContext* NearbySharingServiceFactory::GetBrowserContextToUse(

--- a/chrome/browser/nearby_sharing/nearby_sharing_service_impl.cc
+++ b/chrome/browser/nearby_sharing/nearby_sharing_service_impl.cc
@@ -161,8 +161,7 @@ NearbySharingServiceImpl::NearbySharingServiceImpl(
    NotificationDisplayService* notification_display_service,
    Profile* profile,
    std::unique_ptr<NearbyConnectionsManager> nearby_connections_manager,
-    NearbyProcessManager* process_manager,
+    NearbyProcessManager* process_manager)
-    std::unique_ptr<NearbyShareCertificateManager> certificate_manager)
    : profile_(profile),
      settings_(prefs),
      nearby_connections_manager_(std::move(nearby_connections_manager)),
@@ -176,10 +175,10 @@ NearbySharingServiceImpl::NearbySharingServiceImpl(
              prefs,
              http_client_factory_.get())),
      contact_manager_(NearbyShareContactManagerImpl::Factory::Create()),
-      certificate_manager_(std::move(certificate_manager)) {
+      certificate_manager_(
+          NearbyShareCertificateManagerImpl::Factory::Create()) {
  DCHECK(profile_);
  DCHECK(nearby_connections_manager_);
-  DCHECK(certificate_manager_);
  nearby_process_observer_.Add(process_manager_);

--- a/chrome/browser/nearby_sharing/nearby_sharing_service_impl.h
+++ b/chrome/browser/nearby_sharing/nearby_sharing_service_impl.h
@@ -63,8 +63,7 @@ class NearbySharingServiceImpl
      NotificationDisplayService* notification_display_service,
      Profile* profile,
      std::unique_ptr<NearbyConnectionsManager> nearby_connections_manager,
-      NearbyProcessManager* process_manager,
+      NearbyProcessManager* process_manager);
-      std::unique_ptr<NearbyShareCertificateManager> certificate_manager);
  ~NearbySharingServiceImpl() override;
  // NearbySharingService:
@@ -187,10 +186,9 @@ class NearbySharingServiceImpl
      base::Optional<NearbyShareDecryptedPublicCertificate> certificate);
  void ReceiveIntroduction(ShareTarget share_target,
                           base::Optional<std::string> token);
-  void OnReceivedIntroduction(
+  void OnReceivedIntroduction(ShareTarget share_target,
-      ShareTarget share_target,
+                              base::Optional<std::string> token,
-      base::Optional<std::string> token,
+                              base::Optional<sharing::mojom::V1FramePtr> frame);
-      base::Optional<sharing::mojom::V1FramePtr> frame);
  void OnFrameRead(ShareTarget share_target,
                   base::Optional<sharing::mojom::V1FramePtr> frame);
  void HandleCertificateInfoFrame(

--- a/chrome/browser/nearby_sharing/nearby_sharing_service_impl_unittest.cc
+++ b/chrome/browser/nearby_sharing/nearby_sharing_service_impl_unittest.cc
@@ -16,12 +16,17 @@
 #include "base/test/bind_test_util.h"
 #include "base/test/scoped_feature_list.h"
 #include "chrome/browser/browser_features.h"
-#include "chrome/browser/nearby_sharing/certificates/nearby_share_certificate_manager.h"
+#include "chrome/browser/nearby_sharing/certificates/fake_nearby_share_certificate_manager.h"
+#include "chrome/browser/nearby_sharing/certificates/nearby_share_certificate_manager_impl.h"
 #include "chrome/browser/nearby_sharing/certificates/test_util.h"
 #include "chrome/browser/nearby_sharing/common/nearby_share_prefs.h"
+#include "chrome/browser/nearby_sharing/contacts/fake_nearby_share_contact_manager.h"
+#include "chrome/browser/nearby_sharing/contacts/nearby_share_contact_manager_impl.h"
 #include "chrome/browser/nearby_sharing/fake_nearby_connection.h"
 #include "chrome/browser/nearby_sharing/fake_nearby_connections_manager.h"
 #include "chrome/browser/nearby_sharing/fast_initiation_manager.h"
+#include "chrome/browser/nearby_sharing/local_device_data/fake_nearby_share_local_device_data_manager.h"
+#include "chrome/browser/nearby_sharing/local_device_data/nearby_share_local_device_data_manager_impl.h"
 #include "chrome/browser/nearby_sharing/mock_nearby_process_manager.h"
 #include "chrome/browser/nearby_sharing/mock_nearby_sharing_decoder.h"
 #include "chrome/browser/nearby_sharing/nearby_connections_manager.h"
@@ -160,25 +165,6 @@ class MockShareTargetDiscoveredCallback : public ShareTargetDiscoveredCallback {
  MOCK_METHOD(void, OnShareTargetLost, (ShareTarget shareTarget), (override));
 };
-class MockNearbyShareCertificateManager : public NearbyShareCertificateManager {
- public:
-  MOCK_METHOD(NearbySharePrivateCertificate,
-              GetValidPrivateCertificate,
-              (NearbyShareVisibility visibility),
-              (override));
-  MOCK_METHOD(void,
-              GetDecryptedPublicCertificate,
-              (base::span<const uint8_t> encrypted_metadata_key,
-               base::span<const uint8_t> salt,
-               CertDecryptedCallback callback),
-              (override));
-  MOCK_METHOD(void, DownloadPublicCertificates, (), (override));
- protected:
-  MOCK_METHOD(void, OnStart, (), (override));
-  MOCK_METHOD(void, OnStop, (), (override));
-};
 namespace {
 const char kServiceId[] = "NearbySharing";
@@ -230,6 +216,13 @@ class NearbySharingServiceImplTest : public testing::Test {
  void SetUp() override {
    ASSERT_TRUE(profile_manager_.SetUp());
+    NearbyShareLocalDeviceDataManagerImpl::Factory::SetFactoryForTesting(
+        &local_device_data_manager_factory_);
+    NearbyShareContactManagerImpl::Factory::SetFactoryForTesting(
+        &contact_manager_factory_);
+    NearbyShareCertificateManagerImpl::Factory::SetFactoryForTesting(
+        &certificate_manager_factory_);
    mock_bluetooth_adapter_ =
        base::MakeRefCounted<NiceMock<device::MockBluetoothAdapter>>();
    ON_CALL(*mock_bluetooth_adapter_, IsPresent())
@@ -265,13 +258,10 @@ class NearbySharingServiceImplTest : public testing::Test {
        std::make_unique<NotificationDisplayServiceTester>(profile);
    NotificationDisplayService* notification_display_service =
        NotificationDisplayServiceFactory::GetForProfile(profile);
-    auto certificate_manager =
-        std::make_unique<NiceMock<MockNearbyShareCertificateManager>>();
-    certificate_manager_ = certificate_manager.get();
    auto service = std::make_unique<NearbySharingServiceImpl>(
        &prefs_, notification_display_service, profile,
        base::WrapUnique(fake_nearby_connections_manager_),
-        &mock_nearby_process_manager_, std::move(certificate_manager));
+        &mock_nearby_process_manager_);
    NearbyProcessManager& process_manager = NearbyProcessManager::GetInstance();
    process_manager.SetActiveProfile(profile);
@@ -307,11 +297,6 @@ class NearbySharingServiceImplTest : public testing::Test {
    return mock_nearby_process_manager_;
  }
-  NiceMock<MockNearbyShareCertificateManager>& certificate_manager() {
-    DCHECK(certificate_manager_);
-    return *certificate_manager_;
-  }
  void SetUpReceiveSurface(NiceMock<MockTransferUpdateCallback>& callback) {
    NearbySharingService::StatusCodes result = service_->RegisterReceiveSurface(
        &callback, NearbySharingService::ReceiveSurfaceState::kForeground);
@@ -319,35 +304,27 @@ class NearbySharingServiceImplTest : public testing::Test {
    EXPECT_TRUE(fake_nearby_connections_manager_->IsAdvertising());
  }
-  void SetUpCertificateManager(bool return_empty_certificate) {
+  void ProcessLatestPublicCertificateDecryption(size_t expected_num_calls,
-    EXPECT_CALL(certificate_manager(), GetDecryptedPublicCertificate(
+                                                bool success) {
-                                           testing::_, testing::_, testing::_))
+    std::vector<
-        .WillOnce(testing::Invoke([=](base::span<const uint8_t>
+        FakeNearbyShareCertificateManager::GetDecryptedPublicCertificateCall>&
-                                          input_encrypted_metadata_key,
+        calls = certificate_manager()->get_decrypted_public_certificate_calls();
-                                      base::span<const uint8_t> input_salt,
-                                      MockNearbyShareCertificateManager::
+    ASSERT_FALSE(calls.empty());
-                                          CertDecryptedCallback callback) {
+    EXPECT_EQ(expected_num_calls, calls.size());
-          std::vector<uint8_t> encrypted_metadata =
+    EXPECT_EQ(GetNearbyShareTestEncryptedMetadataKey().encrypted_key(),
-              GetNearbyShareTestEncryptedMetadata();
+              calls.back().encrypted_metadata_key);
-          std::vector<uint8_t> salt = GetNearbyShareTestSalt();
+    EXPECT_EQ(GetNearbyShareTestEncryptedMetadataKey().salt(),
+              calls.back().salt);
-          EXPECT_TRUE(std::equal(salt.begin(), salt.end(), input_salt.begin(),
-                                 input_salt.end()));
+    if (success) {
-          EXPECT_TRUE(std::equal(encrypted_metadata.begin(),
+      std::move(calls.back().callback)
-                                 encrypted_metadata.end(),
+          .Run(NearbyShareDecryptedPublicCertificate::DecryptPublicCertificate(
-                                 input_encrypted_metadata_key.begin(),
+              GetNearbyShareTestPublicCertificate(),
-                                 input_encrypted_metadata_key.end()));
+              GetNearbyShareTestEncryptedMetadataKey()));
+    } else {
-          if (return_empty_certificate) {
+      std::move(calls.back().callback).Run(base::nullopt);
-            std::move(callback).Run(base::nullopt);
+    }
-            return;
-          }
-          std::move(callback).Run(
-              NearbyShareDecryptedPublicCertificate::DecryptPublicCertificate(
-                  GetNearbyShareTestPublicCertificate(),
-                  GetNearbyShareTestEncryptedMetadataKey()));
-        }));
  }
  void SetUpAdvertisementDecoder(const std::vector<uint8_t>& endpoint_info,
@@ -365,8 +342,9 @@ class NearbySharingServiceImplTest : public testing::Test {
              sharing::mojom::AdvertisementPtr advertisement =
                  sharing::mojom::Advertisement::New(
-                      GetNearbyShareTestSalt(),
+                      GetNearbyShareTestEncryptedMetadataKey().salt(),
-                      GetNearbyShareTestEncryptedMetadata(), kDeviceName);
+                      GetNearbyShareTestEncryptedMetadataKey().encrypted_key(),
+                      kDeviceName);
              std::move(callback).Run(std::move(advertisement));
            }));
  }
@@ -404,24 +382,42 @@ class NearbySharingServiceImplTest : public testing::Test {
          share_target = incoming_share_target;
          run_loop.Quit();
        }));
-    SetUpCertificateManager(/*return_empty_certificate=*/false);
    SetUpReceiveSurface(callback);
    service_->OnIncomingConnection(kEndpointId, kValidV1EndpointInfo,
                                   &connection_);
+    ProcessLatestPublicCertificateDecryption(/*expected_num_calls=*/1,
+                                             /*success=*/true);
    run_loop.Run();
    return share_target;
  }
 protected:
+  FakeNearbyShareLocalDeviceDataManager* local_device_data_manager() {
+    EXPECT_EQ(1u, local_device_data_manager_factory_.instances().size());
+    return local_device_data_manager_factory_.instances().back();
+  }
+  FakeNearbyShareContactManager* contact_manager() {
+    EXPECT_EQ(1u, contact_manager_factory_.instances().size());
+    return contact_manager_factory_.instances().back();
+  }
+  FakeNearbyShareCertificateManager* certificate_manager() {
+    EXPECT_EQ(1u, certificate_manager_factory_.instances().size());
+    return certificate_manager_factory_.instances().back();
+  }
  base::test::ScopedFeatureList scoped_feature_list_;
  content::BrowserTaskEnvironment task_environment_;
  ui::ScopedSetIdleState idle_state_{ui::IDLE_STATE_IDLE};
  TestingProfileManager profile_manager_{TestingBrowserProcess::GetGlobal()};
  sync_preferences::TestingPrefServiceSyncable prefs_;
  FakeNearbyConnectionsManager* fake_nearby_connections_manager_ = nullptr;
+  FakeNearbyShareLocalDeviceDataManager::Factory
+      local_device_data_manager_factory_;
+  FakeNearbyShareContactManager::Factory contact_manager_factory_;
+  FakeNearbyShareCertificateManager::Factory certificate_manager_factory_;
  std::unique_ptr<NotificationDisplayServiceTester> notification_tester_;
  std::unique_ptr<NearbySharingServiceImpl> service_;
  std::unique_ptr<FakeFastInitiationManagerFactory>
@@ -433,7 +429,6 @@ class NearbySharingServiceImplTest : public testing::Test {
  NiceMock<MockNearbyProcessManager> mock_nearby_process_manager_;
  std::unique_ptr<net::test::MockNetworkChangeNotifier> network_notifier_ =
      net::test::MockNetworkChangeNotifier::Create();
-  NiceMock<MockNearbyShareCertificateManager>* certificate_manager_ = nullptr;
  NiceMock<MockNearbySharingDecoder> mock_decoder_;
  FakeNearbyConnection connection_;
 };
@@ -718,7 +713,6 @@ TEST_F(NearbySharingServiceImplTest,
  // Ensure decoder parses a valid endpoint advertisement.
  SetUpAdvertisementDecoder(kValidV1EndpointInfo,
                            /*return_empty_advertisement=*/false);
-  SetUpCertificateManager(/*return_empty_certificate=*/false);
  // Start discovering, to ensure a discovery listener is registered.
  base::RunLoop run_loop;
@@ -749,6 +743,8 @@ TEST_F(NearbySharingServiceImplTest,
      kEndpointId,
      location::nearby::connections::mojom::DiscoveredEndpointInfo::New(
          kValidV1EndpointInfo, kServiceId));
+  ProcessLatestPublicCertificateDecryption(/*expected_num_calls=*/1,
+                                           /*success=*/true);
  run_loop.Run();
  // Register another send surface, which will automatically catch up discovered
@@ -776,7 +772,6 @@ TEST_F(NearbySharingServiceImplTest, RegisterSendSurfaceEmptyCertificate) {
  // Ensure decoder parses a valid endpoint advertisement.
  SetUpAdvertisementDecoder(kValidV1EndpointInfo,
                            /*return_empty_advertisement=*/false);
-  SetUpCertificateManager(/*return_empty_certificate=*/true);
  // Start discovering, to ensure a discovery listener is registered.
  base::RunLoop run_loop;
@@ -807,6 +802,8 @@ TEST_F(NearbySharingServiceImplTest, RegisterSendSurfaceEmptyCertificate) {
      kEndpointId,
      location::nearby::connections::mojom::DiscoveredEndpointInfo::New(
          kValidV1EndpointInfo, kServiceId));
+  ProcessLatestPublicCertificateDecryption(/*expected_num_calls=*/1,
+                                           /*success=*/false);
  run_loop.Run();
  // Register another send surface, which will automatically catch up discovered
@@ -1339,12 +1336,11 @@ TEST_F(NearbySharingServiceImplTest,
  SetConnectionType(net::NetworkChangeNotifier::CONNECTION_WIFI);
  NiceMock<MockTransferUpdateCallback> callback;
  EXPECT_CALL(callback, OnTransferUpdate(testing::_, testing::_)).Times(0);
-  SetUpCertificateManager(/*return_empty_certificate=*/true);
  SetUpReceiveSurface(callback);
  service_->OnIncomingConnection(kEndpointId, kValidV1EndpointInfo,
                                 &connection_);
+  ProcessLatestPublicCertificateDecryption(/*expected_num_calls=*/1,
+                                           /*success=*/true);
  connection_.Close();
  // Introduction is ignored without any side effect.
@@ -1382,12 +1378,11 @@ TEST_F(NearbySharingServiceImplTest,
        EXPECT_TRUE(metadata.is_final_status());
        run_loop.Quit();
      }));
-  SetUpCertificateManager(/*return_empty_certificate=*/false);
  SetUpReceiveSurface(callback);
  service_->OnIncomingConnection(kEndpointId, kValidV1EndpointInfo,
                                 &connection_);
+  ProcessLatestPublicCertificateDecryption(/*expected_num_calls=*/1,
+                                           /*success=*/true);
  run_loop.Run();
  // Check data written to connection_.
@@ -1435,12 +1430,11 @@ TEST_F(NearbySharingServiceImplTest,
        EXPECT_FALSE(metadata.is_final_status());
        run_loop.Quit();
      }));
-  SetUpCertificateManager(/*return_empty_certificate=*/true);
  SetUpReceiveSurface(callback);
  service_->OnIncomingConnection(kEndpointId, kValidV1EndpointInfo,
                                 &connection_);
+  ProcessLatestPublicCertificateDecryption(/*expected_num_calls=*/1,
+                                           /*success=*/false);
  run_loop.Run();
  // To avoid UAF in OnIncomingTransferUpdate().
@@ -1499,12 +1493,11 @@ TEST_F(NearbySharingServiceImplTest,
        EXPECT_FALSE(metadata.is_final_status());
        run_loop.Quit();
      }));
-  SetUpCertificateManager(/*return_empty_certificate=*/false);
  SetUpReceiveSurface(callback);
  service_->OnIncomingConnection(kEndpointId, kValidV1EndpointInfo,
                                 &connection_);
+  ProcessLatestPublicCertificateDecryption(/*expected_num_calls=*/1,
+                                           /*success=*/true);
  run_loop.Run();
  // To avoid UAF in OnIncomingTransferUpdate().

--- a/chrome/browser/nearby_sharing/paired_key_verification_runner_unittest.cc
+++ b/chrome/browser/nearby_sharing/paired_key_verification_runner_unittest.cc
@@ -13,7 +13,7 @@
 #include "base/run_loop.h"
 #include "base/test/bind_test_util.h"
 #include "base/time/time.h"
-#include "chrome/browser/nearby_sharing/certificates/nearby_share_certificate_manager.h"
+#include "chrome/browser/nearby_sharing/certificates/fake_nearby_share_certificate_manager.h"
 #include "chrome/browser/nearby_sharing/certificates/nearby_share_decrypted_public_certificate.h"
 #include "chrome/browser/nearby_sharing/certificates/test_util.h"
 #include "chrome/browser/nearby_sharing/fake_nearby_connection.h"
@@ -66,25 +66,6 @@ class MockIncomingFramesReader : public IncomingFramesReader {
      (override));
 };
-class MockNearbyShareCertificateManager : public NearbyShareCertificateManager {
- public:
-  MOCK_METHOD(NearbySharePrivateCertificate,
-              GetValidPrivateCertificate,
-              (NearbyShareVisibility visibility),
-              (override));
-  MOCK_METHOD(void,
-              GetDecryptedPublicCertificate,
-              (base::span<const uint8_t> encrypted_metadata_key,
-               base::span<const uint8_t> salt,
-               CertDecryptedCallback callback),
-              (override));
-  MOCK_METHOD(void, DownloadPublicCertificates, (), (override));
- protected:
-  MOCK_METHOD(void, OnStart, (), (override));
-  MOCK_METHOD(void, OnStop, (), (override));
-};
 PairedKeyVerificationRunner::PairedKeyVerificationResult Merge(
    PairedKeyVerificationRunner::PairedKeyVerificationResult local_result,
    sharing::mojom::PairedKeyResultFrame::Status remote_result) {
@@ -120,12 +101,36 @@ class PairedKeyVerificationRunnerTest : public testing::Test {
      : frames_reader_(&mock_nearby_process_manager_, &profile_, &connection_) {
  }
-  void SetUp() override {
+  void SetUp() override { share_target_.is_incoming = true; }
-    share_target.is_incoming = true;
+  void RunVerification(bool use_valid_public_certificate,
-    EXPECT_CALL(certificate_manager_, GetValidPrivateCertificate(testing::_))
+                       bool restricted_to_contacts,
-        .WillRepeatedly(testing::Return(GetNearbyShareTestPrivateCertificate(
+                       PairedKeyVerificationRunner::PairedKeyVerificationResult
-            NearbyShareVisibility::kAllContacts)));
+                           expected_result) {
+    base::Optional<NearbyShareDecryptedPublicCertificate> public_certificate =
+        use_valid_public_certificate
+            ? base::make_optional<NearbyShareDecryptedPublicCertificate>(
+                  GetNearbyShareTestDecryptedPublicCertificate())
+            : base::nullopt;
+    PairedKeyVerificationRunner runner(
+        share_target_, kEndpointId, kAuthToken, &connection_,
+        std::move(public_certificate), &certificate_manager_,
+        nearby_share::mojom::Visibility::kAllContacts, restricted_to_contacts,
+        &frames_reader_, kTimeout);
+    base::RunLoop run_loop;
+    runner.Run(base::BindLambdaForTesting(
+        [&](PairedKeyVerificationRunner::PairedKeyVerificationResult result) {
+          EXPECT_EQ(expected_result, result);
+          run_loop.Quit();
+        }));
+    run_loop.Run();
+    // The private certificate is at least always immediately retrieved in order
+    // to create the signature for the sent PairedKeyEncryptionFrame.
+    EXPECT_GE(certificate_manager_.num_get_valid_private_certificate_calls(),
+              1u);
  }
  void SetUpPairedKeyEncryptionFrame(ReturnFrameType frame_type) {
@@ -135,11 +140,20 @@ class PairedKeyVerificationRunnerTest : public testing::Test {
            testing::Eq(sharing::mojom::V1Frame::Tag::PAIRED_KEY_ENCRYPTION),
            testing::_, testing::Eq(kTimeout)))
        .WillOnce(testing::WithArg<1>(testing::Invoke(
-            [frame_type](
+            [frame_type,
-                base::OnceCallback<void(
+             this](base::OnceCallback<void(
-                    base::Optional<sharing::mojom::V1FramePtr>)> callback) {
+                       base::Optional<sharing::mojom::V1FramePtr>)> callback) {
+              // A private certificate retrieval will only be necessary if we
+              // receive a frame that needs verification.
+              size_t initial_num_private_cert_gets =
+                  certificate_manager_
+                      .num_get_valid_private_certificate_calls();
              if (frame_type == ReturnFrameType::kNull) {
                std::move(callback).Run(base::nullopt);
+                EXPECT_EQ(initial_num_private_cert_gets,
+                          certificate_manager_
+                              .num_get_valid_private_certificate_calls());
                return;
              }
@@ -157,6 +171,9 @@ class PairedKeyVerificationRunnerTest : public testing::Test {
              }
              std::move(callback).Run(std::move(mojo_v1frame));
+              EXPECT_EQ(initial_num_private_cert_gets + 1,
+                        certificate_manager_
+                            .num_get_valid_private_certificate_calls());
            })));
  }
@@ -218,59 +235,37 @@ class PairedKeyVerificationRunnerTest : public testing::Test {
  testing::NiceMock<MockNearbyProcessManager> mock_nearby_process_manager_;
  TestingProfile profile_;
  FakeNearbyConnection connection_;
-  testing::NiceMock<MockNearbyShareCertificateManager> certificate_manager_;
+  FakeNearbyShareCertificateManager certificate_manager_;
  testing::NiceMock<MockIncomingFramesReader> frames_reader_;
-  ShareTarget share_target;
+  ShareTarget share_target_;
 };
 TEST_F(PairedKeyVerificationRunnerTest,
       NullCertificate_InvalidPairedKeyEncryptionFrame_RestrictToContacts) {
-  PairedKeyVerificationRunner runner(
-      share_target, kEndpointId, kAuthToken, &connection_,
-      /*certificate=*/base::nullopt, &certificate_manager_,
-      nearby_share::mojom::Visibility::kAllContacts,
-      /*restrict_to_contacts=*/true, &frames_reader_, kTimeout);
  // Empty key encryption frame fails the certificate verification.
  SetUpPairedKeyEncryptionFrame(ReturnFrameType::kEmpty);
-  base::RunLoop run_loop;
+  RunVerification(
-  runner.Run(base::BindLambdaForTesting(
+      /*use_valid_public_certificate=*/false,
-      [&](PairedKeyVerificationRunner::PairedKeyVerificationResult result) {
+      /*restricted_to_contacts=*/true,
-        EXPECT_EQ(
+      /*expected_result=*/
-            PairedKeyVerificationRunner::PairedKeyVerificationResult::kFail,
+      PairedKeyVerificationRunner::PairedKeyVerificationResult::kFail);
-            result);
-        run_loop.Quit();
-      }));
-  run_loop.Run();
  ExpectPairedKeyEncryptionFrameSent();
 }
 TEST_F(PairedKeyVerificationRunnerTest,
       ValidPairedKeyEncryptionFrame_ResultFrameTimedOut) {
-  PairedKeyVerificationRunner runner(
-      share_target, kEndpointId, kAuthToken, &connection_,
-      NearbyShareDecryptedPublicCertificate::DecryptPublicCertificate(
-          GetNearbyShareTestPublicCertificate(),
-          GetNearbyShareTestEncryptedMetadataKey()),
-      &certificate_manager_, nearby_share::mojom::Visibility::kAllContacts,
-      /*restrict_to_contacts=*/false, &frames_reader_, kTimeout);
  SetUpPairedKeyEncryptionFrame(ReturnFrameType::kValid);
  // Null result frame fails the certificate verification process.
  SetUpPairedKeyResultFrame(ReturnFrameType::kNull);
-  base::RunLoop run_loop;
+  RunVerification(
-  runner.Run(base::BindLambdaForTesting(
+      /*use_valid_public_certificate=*/true,
-      [&](PairedKeyVerificationRunner::PairedKeyVerificationResult result) {
+      /*restricted_to_contacts=*/false,
-        EXPECT_EQ(
+      /*expected_result=*/
-            PairedKeyVerificationRunner::PairedKeyVerificationResult::kFail,
+      PairedKeyVerificationRunner::PairedKeyVerificationResult::kFail);
-            result);
-        run_loop.Quit();
-      }));
-  run_loop.Run();
  ExpectPairedKeyEncryptionFrameSent();
  ExpectPairedKeyResultFrameSent(sharing::nearby::PairedKeyResultFrame::UNABLE);
@@ -308,32 +303,15 @@ TEST_P(ParameterisedPairedKeyVerificationRunnerTest,
  PairedKeyVerificationRunner::PairedKeyVerificationResult expected_result =
      Merge(params.result, status);
-  share_target.is_known = params.is_target_known;
+  share_target_.is_known = params.is_target_known;
-  base::Optional<NearbyShareDecryptedPublicCertificate> certificate;
-  if (params.is_valid_certificate) {
-    certificate =
-        NearbyShareDecryptedPublicCertificate::DecryptPublicCertificate(
-            GetNearbyShareTestPublicCertificate(),
-            GetNearbyShareTestEncryptedMetadataKey());
-  }
-  PairedKeyVerificationRunner runner(
-      share_target, kEndpointId, kAuthToken, &connection_,
-      std::move(certificate), &certificate_manager_,
-      nearby_share::mojom::Visibility::kAllContacts,
-      /*restricted_to_contacts=*/false, &frames_reader_, kTimeout);
  SetUpPairedKeyEncryptionFrame(params.encryption_frame_type);
  SetUpPairedKeyResultFrame(
      PairedKeyVerificationRunnerTest::ReturnFrameType::kValid, status);
-  base::RunLoop run_loop;
+  RunVerification(
-  runner.Run(base::BindLambdaForTesting(
+      /*use_valid_public_certificate=*/params.is_valid_certificate,
-      [&](PairedKeyVerificationRunner::PairedKeyVerificationResult result) {
+      /*restricted_to_contacts=*/false, expected_result);
-        EXPECT_EQ(expected_result, result);
-        run_loop.Quit();
-      }));
-  run_loop.Run();
  ExpectPairedKeyEncryptionFrameSent();
  if (params.encryption_frame_type ==

--- a/chrome/test/BUILD.gn
+++ b/chrome/test/BUILD.gn
@@ -4423,8 +4423,11 @@ test("unit_tests") {
    }
    deps += [
+      "//chrome/browser/nearby_sharing/certificates:test_support",
      "//chrome/browser/nearby_sharing/certificates:unit_tests",
      "//chrome/browser/nearby_sharing/client:unit_tests",
+      "//chrome/browser/nearby_sharing/contacts:test_support",
+      "//chrome/browser/nearby_sharing/local_device_data:test_support",
      "//chrome/browser/nearby_sharing/local_device_data:unit_tests",
      "//chrome/browser/nearby_sharing/logging:unit_tests",
      "//chrome/browser/nearby_sharing/proto",