Index: net/base/x509_certificate_unittest.cc |
diff --git a/net/base/x509_certificate_unittest.cc b/net/base/x509_certificate_unittest.cc |
index f48336226c0c9701989bb2df21e6a299f23acd56..b34e91d48adc6e8586b87ec235eebb0c1b621ab0 100644 |
--- a/net/base/x509_certificate_unittest.cc |
+++ b/net/base/x509_certificate_unittest.cc |
@@ -1563,12 +1563,40 @@ TEST_P(X509CertificateWeakDigestTest, Verify) { |
int flags = 0; |
CertVerifyResult verify_result; |
- ee_chain->Verify("127.0.0.1", flags, NULL, &verify_result); |
+ int rv = ee_chain->Verify("127.0.0.1", flags, NULL, &verify_result); |
EXPECT_EQ(data.expected_has_md5, verify_result.has_md5); |
EXPECT_EQ(data.expected_has_md4, verify_result.has_md4); |
EXPECT_EQ(data.expected_has_md2, verify_result.has_md2); |
EXPECT_EQ(data.expected_has_md5_ca, verify_result.has_md5_ca); |
EXPECT_EQ(data.expected_has_md2_ca, verify_result.has_md2_ca); |
+ |
+ // Ensure that MD4 and MD2 are tagged as invalid. |
+ if (data.expected_has_md4 || data.expected_has_md2) { |
+ EXPECT_EQ(CERT_STATUS_INVALID, |
+ verify_result.cert_status & CERT_STATUS_INVALID); |
+ } |
+ |
+ // Ensure that MD5 is flagged as weak. |
+ if (data.expected_has_md5) { |
+ EXPECT_EQ( |
+ CERT_STATUS_WEAK_SIGNATURE_ALGORITHM, |
+ verify_result.cert_status & CERT_STATUS_WEAK_SIGNATURE_ALGORITHM); |
+ } |
+ |
+ // If a root cert is present, then check that the chain was rejected if any |
+ // weak algorithms are present. This is only checked when a root cert is |
+ // present, as the error reported for incomplete chains with weak algorithms |
+ // varies between implementations, dependent on the algorithm, although all |
+ // variations are fatal. |
wtc
2011/12/02 23:04:59
The second sentence is hard to understand.
One po
Ryan Sleevi
2011/12/02 23:54:28
The latter. I blame serial commas - http://en.wiki
|
+ if (data.root_cert_filename) { |
+ if (data.expected_has_md4 || data.expected_has_md2) { |
+ EXPECT_EQ(ERR_CERT_INVALID, rv); |
+ } else if (data.expected_has_md5) { |
+ EXPECT_EQ(ERR_CERT_WEAK_SIGNATURE_ALGORITHM, rv); |
+ } else { |
+ EXPECT_EQ(OK, rv); |
+ } |
+ } |
} |
// Unlike TEST/TEST_F, which are macros that expand to further macros, |
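Review bot: In the final `if (data.root_cert_filename)` block, `rv` is only asserted when a root cert is supplied, so for the incomplete-chain parameters a weak-digest chain that verified as `OK` would not fail this test. The comment above that block says every variation is fatal, and that can be pinned without naming a specific error by adding `} else if (data.expected_has_md5 || data.expected_has_md4 || data.expected_has_md2) { EXPECT_NE(OK, rv); }`. The `cert_status` checks are also one-sided: they assert the weak/invalid bits are set when a weak digest is expected, but never that `CERT_STATUS_WEAK_SIGNATURE_ALGORITHM` is clear when no weak digest is expected. A negative assertion there would catch over-flagging, provided no other condition in these fixtures sets that bit, which is not visible from this hunk. The test body starts above the hunk, so the contents of `data` and the chain setup are not shown here.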