Record when certificates signed with md[2,4,5] are encountered on OS X.

net/base/x509_certificate_unittest.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "base/file_path.h"
 #include "base/file_util.h"
 #include "base/path_service.h"
 #include "base/pickle.h"
 #include "base/sha1.h"
 #include "base/string_number_conversions.h"
@@ skipping 1482 matching lines @@
     }
   }
 
   EXPECT_EQ(test_data.expected, X509Certificate::VerifyHostname(
       test_data.hostname, common_name, dns_names, ip_addressses));
 }
 
 INSTANTIATE_TEST_CASE_P(, X509CertificateNameVerifyTest,
                         testing::ValuesIn(kNameVerifyTestData));
 
-// Not implemented on Mac or OpenSSL - http://crbug.com/101123
-#if defined(USE_NSS) || defined(OS_WIN)
+// Not implemented on OpenSSL - http://crbug.com/101123
+#if defined(USE_NSS) || defined(OS_WIN) || defined(OS_MACOSX)
 
 struct WeakDigestTestData {
   const char* root_cert_filename;
   const char* intermediate_cert_filename;
   const char* ee_cert_filename;
   bool expected_has_md5;
   bool expected_has_md4;
   bool expected_has_md2;
   bool expected_has_md5_ca;
   bool expected_has_md2_ca;
@@ skipping 63 matching lines @@
 // around this, indirect the macro for INSTANTIATE_TEST_CASE_P, so that the
 // pre-processor will expand macros such as MAYBE_test_name before
 // instantiating the test.
 #define WRAPPED_INSTANTIATE_TEST_CASE_P(prefix, test_case_name, generator) \
     INSTANTIATE_TEST_CASE_P(prefix, test_case_name, generator)
 
 // The signature algorithm of the root CA should not matter.
 const WeakDigestTestData kVerifyRootCATestData[] = {
   { "weak_digest_md5_root.pem", "weak_digest_sha1_intermediate.pem",
     "weak_digest_sha1_ee.pem", false, false, false, false, false },
+#if !defined(OS_MACOSX)  // OS X does not support MD4.
   { "weak_digest_md4_root.pem", "weak_digest_sha1_intermediate.pem",
     "weak_digest_sha1_ee.pem", false, false, false, false, false },
+#endif  // !defined(OS_MACOSX)
   { "weak_digest_md2_root.pem", "weak_digest_sha1_intermediate.pem",
     "weak_digest_sha1_ee.pem", false, false, false, false, false },
 };
 INSTANTIATE_TEST_CASE_P(VerifyRoot, X509CertificateWeakDigestTest,
                         testing::ValuesIn(kVerifyRootCATestData));
 
 // The signature algorithm of intermediates should be properly detected.
 const WeakDigestTestData kVerifyIntermediateCATestData[] = {
   { "weak_digest_sha1_root.pem", "weak_digest_md5_intermediate.pem",
     "weak_digest_sha1_ee.pem", true, false, false, true, false },
-// NSS does not support MD4 and does not enable MD2 by policy.
-#if !defined(USE_NSS)
+#if !defined(USE_NSS) && !defined(OS_MACOSX)  // NSS & OS X don't support MD4.

[wtc, 2011/11/02 00:28:43]

Nit: I suggest that you just say "MD4 is not supported." in
these comments.

MD4 is rarely used and was probably never mentioned in
PKCS #1.  So it's not surprising that Mac doesn't support it.

   { "weak_digest_sha1_root.pem", "weak_digest_md4_intermediate.pem",
     "weak_digest_sha1_ee.pem", false, true, false, false, false },
+#endif
+#if !defined(USE_NSS)  // NSS disables MD2 by policy.

[wtc, 2011/11/02 00:28:43]

Nit: "by default" may be better than "by policy".  I don't
understand what you meant by "disable by policy".

   { "weak_digest_sha1_root.pem", "weak_digest_md2_intermediate.pem",
     "weak_digest_sha1_ee.pem", false, false, true, false, true },
 #endif
 };
 INSTANTIATE_TEST_CASE_P(VerifyIntermediate, X509CertificateWeakDigestTest,
                         testing::ValuesIn(kVerifyIntermediateCATestData));
 
 // The signature algorithm of end-entity should be properly detected.
 const WeakDigestTestData kVerifyEndEntityTestData[] = {
   { "weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem",
     "weak_digest_md5_ee.pem", true, false, false, false, false },
-// NSS does not support MD4 and does not enable MD2 by policy.
-#if !defined(USE_NSS)
+#if !defined(USE_NSS) && !defined(OS_MACOSX)  // NSS & OS X don't support MD4.
   { "weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem",
     "weak_digest_md4_ee.pem", false, true, false, false, false },
+#endif
+#if !defined(USE_NSS)  // NSS disables MD2 by policy.
   { "weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem",
     "weak_digest_md2_ee.pem", false, false, true, false, false },
 #endif
 };
 // Disabled on NSS - NSS caches chains/signatures in such a way that cannot
 // be cleared until NSS is cleanly shutdown, which is not presently supported
 // in Chromium.
 #if defined(USE_NSS)
 #define MAYBE_VerifyEndEntity DISABLED_VerifyEndEntity
 #else
 #define MAYBE_VerifyEndEntity VerifyEndEntity
 #endif
 WRAPPED_INSTANTIATE_TEST_CASE_P(MAYBE_VerifyEndEntity,
                                 X509CertificateWeakDigestTest,
                                 testing::ValuesIn(kVerifyEndEntityTestData));
 
 // Incomplete chains should still report the status of the intermediate.
 const WeakDigestTestData kVerifyIncompleteIntermediateTestData[] = {
   { NULL, "weak_digest_md5_intermediate.pem", "weak_digest_sha1_ee.pem",
     true, false, false, true, false },
+#if !defined(OS_MACOSX)  // OS X does not support MD4.
   { NULL, "weak_digest_md4_intermediate.pem", "weak_digest_sha1_ee.pem",
     false, true, false, false, false },
+#endif
   { NULL, "weak_digest_md2_intermediate.pem", "weak_digest_sha1_ee.pem",
     false, false, true, false, true },
 };
 // Disabled on Windows - http://crbug.com/101123. The Windows implementation
 // does not report the status of the last intermediate for incomplete chains.
 // Disabled on NSS - libpkix does not return constructed chains on error,
 // preventing us from detecting/inspecting the verified chain.
 #if defined(OS_WIN) || defined(USE_NSS)
 #define MAYBE_VerifyIncompleteIntermediate \
     DISABLED_VerifyIncompleteIntermediate
 #else
 #define MAYBE_VerifyIncompleteIntermediate VerifyIncompleteIntermediate
 #endif
 WRAPPED_INSTANTIATE_TEST_CASE_P(
     MAYBE_VerifyIncompleteIntermediate,
     X509CertificateWeakDigestTest,
     testing::ValuesIn(kVerifyIncompleteIntermediateTestData));
 
 // Incomplete chains should still report the status of the end-entity.
 const WeakDigestTestData kVerifyIncompleteEETestData[] = {
   { NULL, "weak_digest_sha1_intermediate.pem", "weak_digest_md5_ee.pem",
     true, false, false, false, false },
+#if !defined(OS_MACOSX)  // OS X does not support MD4.
   { NULL, "weak_digest_sha1_intermediate.pem", "weak_digest_md4_ee.pem",
     false, true, false, false, false },
+#endif
   { NULL, "weak_digest_sha1_intermediate.pem", "weak_digest_md2_ee.pem",
     false, false, true, false, false },
 };
 // Disabled on NSS - libpkix does not return constructed chains on error,
 // preventing us from detecting/inspecting the verified chain.
 #if defined(USE_NSS)
 #define MAYBE_VerifyIncompleteEndEntity DISABLED_VerifyIncompleteEndEntity
 #else
 #define MAYBE_VerifyIncompleteEndEntity VerifyIncompleteEndEntity
 #endif
 WRAPPED_INSTANTIATE_TEST_CASE_P(
     MAYBE_VerifyIncompleteEndEntity,
     X509CertificateWeakDigestTest,
     testing::ValuesIn(kVerifyIncompleteEETestData));
 
 // Differing algorithms between the intermediate and the EE should still be
 // reported.
 const WeakDigestTestData kVerifyMixedTestData[] = {
   { "weak_digest_sha1_root.pem", "weak_digest_md5_intermediate.pem",
     "weak_digest_md2_ee.pem", true, false, true, true, false },
   { "weak_digest_sha1_root.pem", "weak_digest_md2_intermediate.pem",
     "weak_digest_md5_ee.pem", true, false, true, false, true },
+#if !defined(OS_MACOSX)  // OS X does not support MD4.
   { "weak_digest_sha1_root.pem", "weak_digest_md4_intermediate.pem",
     "weak_digest_md2_ee.pem", false, true, true, false, false },
+#endif
 };
 // NSS does not support MD4 and does not enable MD2 by policy, making all
 // permutations invalid.
 #if defined(USE_NSS)
 #define MAYBE_VerifyMixed DISABLED_VerifyMixed
 #else
 #define MAYBE_VerifyMixed VerifyMixed
 #endif
 WRAPPED_INSTANTIATE_TEST_CASE_P(
     MAYBE_VerifyMixed,
     X509CertificateWeakDigestTest,
     testing::ValuesIn(kVerifyMixedTestData));
 
-#endif  // defined(USE_NSS) || defined(OS_WIN)
+#endif  // defined(USE_NSS) || defined(OS_WIN) || defined(OS_MACOSX)
 
 }  // namespace net