Diffstat (limited to 'chromium/net/cert')
-rw-r--r-- | chromium/net/cert/cert_verify_proc_unittest.cc | 44 | ||||
-rw-r--r-- | chromium/net/cert/internal/revocation_util_unittest.cc | 17 | ||||
-rw-r--r-- | chromium/net/cert/x509_certificate_unittest.cc | 7 |
3 files changed, 34 insertions, 34 deletions
diff --git a/chromium/net/cert/cert_verify_proc_unittest.cc b/chromium/net/cert/cert_verify_proc_unittest.cc
index d1967a765c5..82182acc616 100644
--- a/chromium/net/cert/cert_verify_proc_unittest.cc
+++ b/chromium/net/cert/cert_verify_proc_unittest.cc
@@ -461,46 +461,46 @@ INSTANTIATE_TEST_SUITE_P(All, // Tests that a certificate is recognized as EV, when the valid EV policy OID // for the trust anchor is the second candidate EV oid in the target // certificate. This is a regression test for crbug.com/705285. -// Started failing: https://crbug.com/1094358 -TEST_P(CertVerifyProcInternalTest, DISABLED_EVVerificationMultipleOID) { +TEST_P(CertVerifyProcInternalTest, EVVerificationMultipleOID) { if (!SupportsEV()) { LOG(INFO) << "Skipping test as EV verification is not yet supported"; return; } - // TODO(eroman): Update this test to use a synthetic certificate, so the test - // does not break in the future. The certificate chain in question expires on - // Jun 12 14:33:43 2020 GMT, at which point this test will start failing. - if (base::Time::Now() > - base::Time::UnixEpoch() + base::TimeDelta::FromSeconds(1591972423)) { - FAIL() << "This test uses a certificate chain which is now expired. Please " - "disable and file a bug."; - return; - } - - scoped_refptr<X509Certificate> chain = CreateCertificateChainFromFile( - GetTestCertsDirectory(), "login.trustwave.com.pem", - X509Certificate::FORMAT_PEM_CERT_SEQUENCE); - ASSERT_TRUE(chain); + scoped_refptr<X509Certificate> cert = + ImportCertFromFile(GetTestCertsDirectory(), "ev-multi-oid.pem"); + scoped_refptr<X509Certificate> root = + ImportCertFromFile(GetTestCertsDirectory(), "root_ca_cert.pem"); + ASSERT_TRUE(cert); + ASSERT_TRUE(root); + ScopedTestRoot test_root(root.get()); // Build a CRLSet that covers the target certificate. // // This way CRLSet coverage will be sufficient for EV revocation checking, // so this test does not depend on online revocation checking. 
- ASSERT_GE(chain->intermediate_buffers().size(), 1u); base::StringPiece spki; - ASSERT_TRUE( - asn1::ExtractSPKIFromDERCert(x509_util::CryptoBufferAsStringPiece( - chain->intermediate_buffers()[0].get()), - &spki)); + ASSERT_TRUE(asn1::ExtractSPKIFromDERCert( + x509_util::CryptoBufferAsStringPiece(root->cert_buffer()), &spki)); SHA256HashValue spki_sha256; crypto::SHA256HashString(spki, spki_sha256.data, sizeof(spki_sha256.data)); scoped_refptr<CRLSet> crl_set( CRLSet::ForTesting(false, &spki_sha256, "", "", {})); + // The policies that "ev-multi-oid.pem" target certificate asserts. + static const char kOtherTestCertPolicy[] = "2.23.140.1.1"; + static const char kEVTestCertPolicy[] = "1.2.3.4"; + // Consider the root of the test chain a valid EV root for the test policy. + ScopedTestEVPolicy scoped_test_ev_policy( + EVRootCAMetadata::GetInstance(), + X509Certificate::CalculateFingerprint256(root->cert_buffer()), + kEVTestCertPolicy); + ScopedTestEVPolicy scoped_test_other_policy( + EVRootCAMetadata::GetInstance(), SHA256HashValue(), kOtherTestCertPolicy); + CertVerifyResult verify_result; int flags = 0; - int error = Verify(chain.get(), "login.trustwave.com", flags, crl_set.get(), + int error = Verify(cert.get(), "127.0.0.1", flags, crl_set.get(), CertificateList(), &verify_result); EXPECT_THAT(error, IsOk()); EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV); diff --git a/chromium/net/cert/internal/revocation_util_unittest.cc b/chromium/net/cert/internal/revocation_util_unittest.cc index 9b8fcbb484c..40a1f028307 100644 --- a/chromium/net/cert/internal/revocation_util_unittest.cc +++ b/chromium/net/cert/internal/revocation_util_unittest.cc @@ -5,7 +5,6 @@ #include "net/cert/internal/revocation_util.h" #include "base/time/time.h" -#include "build/build_config.h" #include "net/der/encode_values.h" #include "net/der/parse_values.h" #include "testing/gtest/include/gtest/gtest.h" 
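Review bot: The second `ScopedTestEVPolicy`, `scoped_test_other_policy`, is registered with a default-constructed `SHA256HashValue()` and nothing explains why. Presumably the placeholder fingerprint makes `kOtherTestCertPolicy` a recognised EV OID that does not belong to `root`, so the verifier has to pass over the first candidate before accepting `kEVTestCertPolicy`; if that is the intent, say so, e.g. `// Registered under a placeholder fingerprint: a known EV OID that must not match |root|.` The test also depends on the order in which "ev-multi-oid.pem" lists the two policies, which is not visible here, so the comment above the two constants could state which OID comes first. The test body continues past the end of the hunk.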
@@ -138,13 +137,15 @@ TEST(CheckRevocationDateTest, VerifyTimeMinusAgeFromBeforeWindowsEpoch) { der::GeneralizedTime encoded_this_update; ASSERT_TRUE( der::EncodeTimeAsGeneralizedTime(this_update, &encoded_this_update)); -#if defined(OS_WIN) - EXPECT_FALSE(CheckRevocationDateValid(encoded_this_update, nullptr, - verify_time, kOneWeek)); -#else - EXPECT_TRUE(CheckRevocationDateValid(encoded_this_update, nullptr, - verify_time, kOneWeek)); -#endif + // Note: Not all platforms can explode Time before the Windows Epoch. So, + // CheckRevocationDateValid() should succeed iff UTCExplode() will also + // succeed for a Time 6 days before the Windows Epoch. + base::Time::Exploded exploded; + (verify_time - kOneWeek).UTCExplode(&exploded); + const bool can_encode_before_windows_epoch = exploded.HasValidValues(); + EXPECT_EQ(can_encode_before_windows_epoch, + CheckRevocationDateValid(encoded_this_update, nullptr, verify_time, + kOneWeek)); } } // namespace net diff --git a/chromium/net/cert/x509_certificate_unittest.cc b/chromium/net/cert/x509_certificate_unittest.cc index 44e00992d86..b6434dbe3a1 100644 --- a/chromium/net/cert/x509_certificate_unittest.cc +++ b/chromium/net/cert/x509_certificate_unittest.cc @@ -815,7 +815,7 @@ TEST(X509CertificateTest, Equals) { intermediates2.push_back(bssl::UpRef(certs[2]->cert_buffer())); scoped_refptr<X509Certificate> cert0_with_intermediate2 = X509Certificate::CreateFromBuffer(bssl::UpRef(certs[0]->cert_buffer()), - std::move(intermediates1)); + std::move(intermediates2)); ASSERT_TRUE(cert0_with_intermediate2); // Comparing X509Certificate with one intermediate to X509Certificate with 
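Review bot: The expected value in the final `EXPECT_EQ` is computed from `UTCExplode()` at run time, so the test now only checks that `CheckRevocationDateValid()` agrees with the platform's time conversion and no longer records which outcome a given platform produces. The local `can_encode_before_windows_epoch` holds the result of `exploded.HasValidValues()`, so a name such as `can_explode_before_windows_epoch` would match what is actually measured. It would also help to state the intended failure direction in the comment, e.g. `// Where the time cannot be represented, the date check must fail rather than accept the data.` The definitions of `verify_time` and `this_update` are outside the hunk.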
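Review bot: Nothing in the visible lines checks that `cert0_with_intermediate2` actually carries an intermediate, which is probably why passing `intermediates1` here went unnoticed: `ASSERT_TRUE(cert0_with_intermediate2)` holds either way. Adding `ASSERT_EQ(1u, cert0_with_intermediate2->intermediate_buffers().size());` after it would make the test fail if the wrong or an already-moved vector is supplied again. Whether `intermediates1` had been moved from earlier in the test is outside the hunk, as is the rest of `TEST(X509CertificateTest, Equals)`.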
@@ -1175,10 +1175,9 @@ struct CertificateNameVerifyTestData { void PrintTo(const CertificateNameVerifyTestData& data, std::ostream* os) { ASSERT_TRUE(data.hostname); ASSERT_TRUE(data.dns_names || data.ip_addrs); - // Using StringPiece to allow for optional fields being NULL. *os << " expected: " << data.expected << "; hostname: " << data.hostname - << "; dns_names: " << base::StringPiece(data.dns_names) - << "; ip_addrs: " << base::StringPiece(data.ip_addrs); + << "; dns_names: " << (data.dns_names ? data.dns_names : "") + << "; ip_addrs: " << (data.ip_addrs ? data.ip_addrs : ""); } const CertificateNameVerifyTestData kNameVerifyTestData[] = { |