diff options
Diffstat (limited to 'chromium/net/cert/internal/trust_store_win_unittest.cc')
-rw-r--r-- | chromium/net/cert/internal/trust_store_win_unittest.cc | 57 |
1 files changed, 26 insertions, 31 deletions
diff --git a/chromium/net/cert/internal/trust_store_win_unittest.cc b/chromium/net/cert/internal/trust_store_win_unittest.cc index b1b73c4a92d..c37b88bb96d 100644 --- a/chromium/net/cert/internal/trust_store_win_unittest.cc +++ b/chromium/net/cert/internal/trust_store_win_unittest.cc @@ -1,4 +1,4 @@ -// Copyright 2021 The Chromium Authors. All rights reserved. +// Copyright 2021 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -150,12 +150,8 @@ TEST(TrustStoreWin, GetTrust) { // // - kMultiRootDByD: only has szOID_PKIX_KP_SERVER_AUTH EKU set // - kMultiRootEByE: only has szOID_PKIX_KP_CLIENT_AUTH set +// - kMultiRootCByE: only has szOID_ANY_ENHANCED_KEY_USAGE set // - kMultiRootCByD: no EKU usages set -// -// And the intermediate store as follows: -// -// - kMultiRootCByE: only has szOID_PKIX_KP_CLIENT_AUTH set -// - kMultiRootCByD: only has szOID_PKIX_KP_SERVER_AUTH EKU set TEST(TrustStoreWin, GetTrustRestrictedEKU) { crypto::ScopedHCERTSTORE root_store(CertOpenStore( CERT_STORE_PROV_MEMORY, X509_ASN_ENCODING, NULL, 0, nullptr)); @@ -168,12 +164,10 @@ TEST(TrustStoreWin, GetTrustRestrictedEKU) { szOID_PKIX_KP_SERVER_AUTH)); ASSERT_TRUE(AddToStoreWithEKURestriction(root_store.get(), kMultiRootEByE, szOID_PKIX_KP_CLIENT_AUTH)); + ASSERT_TRUE(AddToStoreWithEKURestriction(root_store.get(), kMultiRootCByE, + szOID_ANY_ENHANCED_KEY_USAGE)); ASSERT_TRUE( AddToStoreWithEKURestriction(root_store.get(), kMultiRootCByD, nullptr)); - ASSERT_TRUE(AddToStoreWithEKURestriction( - intermediate_store.get(), kMultiRootCByE, szOID_PKIX_KP_CLIENT_AUTH)); - ASSERT_TRUE(AddToStoreWithEKURestriction( - intermediate_store.get(), kMultiRootCByD, szOID_PKIX_KP_SERVER_AUTH)); std::unique_ptr<TrustStoreWin> trust_store_win = TrustStoreWin::CreateForTesting(std::move(root_store), std::move(intermediate_store), @@ -186,15 +180,14 @@ TEST(TrustStoreWin, GetTrustRestrictedEKU) { // Root cert with EKU szOID_PKIX_KP_SERVER_AUTH usage set should be // trusted. {kMultiRootDByD, CertificateTrustType::TRUSTED_ANCHOR_WITH_EXPIRATION}, + // Root cert with EKU szOID_ANY_ENHANCED_KEY_USAGE usage set should be + // trusted. + {kMultiRootCByE, CertificateTrustType::TRUSTED_ANCHOR_WITH_EXPIRATION}, // Root cert with EKU szOID_PKIX_KP_CLIENT_AUTH does not allow usage of - // cert for server auth. - {kMultiRootEByE, CertificateTrustType::DISTRUSTED}, - // Root cert with no EKU usages but is also an intermediate cert that is - // allowed for server auth, so we let it be used for path building. + // cert for server auth, return UNSPECIFIED. + {kMultiRootEByE, CertificateTrustType::UNSPECIFIED}, + // Root cert with no EKU usages, return UNSPECIFIED. {kMultiRootCByD, CertificateTrustType::UNSPECIFIED}, - // Intermediate cert with EKU szOID_PKIX_KP_CLIENT_AUTH does not allow - // usage of cert for server auth. - {kMultiRootCByE, CertificateTrustType::DISTRUSTED}, // Unknown cert has unspecified trust. {kMultiRootFByE, CertificateTrustType::UNSPECIFIED}, }; @@ -209,7 +202,17 @@ TEST(TrustStoreWin, GetTrustRestrictedEKU) { } // Test if duplicate certs are added to the root and intermediate stores, -// possibly with different EKU usages. +// possibly with different EKU usages. Root store set up as follows: +// +// - kMultiRootDByD: only has szOID_PKIX_KP_CLIENT_AUTH EKU set +// - kMultiRootDByD (dupe): only has szOID_PKIX_KP_SERVER_AUTH set +// - kMultiRootDByD (dupe 2): no EKU usages set +// +// And the intermediate store as follows: +// +// - kMultiRootCByD: only has szOID_PKIX_KP_CLIENT_AUTH set +// - kMultiRootCByD (dupe): only has szOID_PKIX_KP_SERVER_AUTH EKU set + TEST(TrustStoreWin, GetTrustRestrictedEKUDuplicateCerts) { crypto::ScopedHCERTSTORE root_store(CertOpenStore( CERT_STORE_PROV_MEMORY, X509_ASN_ENCODING, NULL, 0, nullptr)); @@ -224,10 +227,6 @@ TEST(TrustStoreWin, GetTrustRestrictedEKUDuplicateCerts) { szOID_PKIX_KP_SERVER_AUTH)); ASSERT_TRUE( AddToStoreWithEKURestriction(root_store.get(), kMultiRootDByD, nullptr)); - ASSERT_TRUE(AddToStoreWithEKURestriction( - intermediate_store.get(), kMultiRootCByD, szOID_PKIX_KP_SERVER_AUTH)); - ASSERT_TRUE(AddToStoreWithEKURestriction( - intermediate_store.get(), kMultiRootCByD, szOID_PKIX_KP_SERVER_AUTH)); std::unique_ptr<TrustStoreWin> trust_store_win = TrustStoreWin::CreateForTesting(std::move(root_store), std::move(intermediate_store), @@ -237,10 +236,8 @@ TEST(TrustStoreWin, GetTrustRestrictedEKUDuplicateCerts) { base::StringPiece file_name; CertificateTrustType expected_result; } kTestData[] = { - {kMultiRootDByD, CertificateTrustType::DISTRUSTED}, - // Root cert with no EKU usages but is also an intermediate cert that is - // allowed for server auth, so we let it be used for path building. - {kMultiRootCByD, CertificateTrustType::UNSPECIFIED}, + // One copy of the Root cert is trusted for TLS Server Auth. + {kMultiRootDByD, CertificateTrustType::TRUSTED_ANCHOR_WITH_EXPIRATION}, }; for (const auto& test_data : kTestData) { SCOPED_TRACE(test_data.file_name); @@ -252,8 +249,7 @@ TEST(TrustStoreWin, GetTrustRestrictedEKUDuplicateCerts) { } } -// Test that disallowed certs with the right EKU settings will be -// distrusted. +// Test that disallowed certs will be distrusted regardless of EKU settings. TEST(TrustStoreWin, GetTrustDisallowedCerts) { crypto::ScopedHCERTSTORE root_store(CertOpenStore( CERT_STORE_PROV_MEMORY, X509_ASN_ENCODING, NULL, 0, nullptr)); @@ -277,9 +273,8 @@ TEST(TrustStoreWin, GetTrustDisallowedCerts) { base::StringPiece file_name; CertificateTrustType expected_result; } kTestData[] = { - // dByD in root, also in distrusted but without szOID_PKIX_KP_SERVER_AUTH - // set. - {kMultiRootDByD, CertificateTrustType::TRUSTED_ANCHOR_WITH_EXPIRATION}, + // dByD in root, distrusted but without szOID_PKIX_KP_SERVER_AUTH set. + {kMultiRootDByD, CertificateTrustType::DISTRUSTED}, // dByD in root, also in distrusted with szOID_PKIX_KP_SERVER_AUTH set. {kMultiRootEByE, CertificateTrustType::DISTRUSTED}, }; |