Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(853)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: net/cert/cert_verify_proc_unittest.cc

Issue 14492003: Work around GTE CyberTrust/Baltimore CyberTrust cross-signing issues (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: With unittests Created 7 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« net/cert/cert_verify_proc_mac.cc ('K') | « net/cert/cert_verify_proc_mac.cc ('k') | net/cert/test_root_certs.h » ('j') | net/cert/test_root_certs_mac.cc » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/cert/cert_verify_proc_unittest.cc
diff --git a/net/cert/cert_verify_proc_unittest.cc b/net/cert/cert_verify_proc_unittest.cc
index c1722d5d69c1a4f04141fad2dec463f9059632ab..433decc735beb7a7f37f9606459636a778451886 100644
--- a/net/cert/cert_verify_proc_unittest.cc
+++ b/net/cert/cert_verify_proc_unittest.cc
@@ -731,6 +731,111 @@ TEST_F(CertVerifyProcTest, AdditionalTrustAnchors) {
EXPECT_FALSE(verify_result.is_issued_by_additional_trust_anchor);
}
+#if defined(OS_MACOSX) && !defined(OS_IOS)
+// Tests that, on OS X, issues with a cross-certified Baltimore CyberTrust
+// Root can be successfully worked around once Apple completes removing the
+// older GTE CyberTrust Root from its trusted root store.
+//
+// The issue is caused by servers supplying the cross-certified intermediate
+// (necessary for certain mobile platforms), which OS X does not recognize
+// as already existing within its trust store.
+TEST_F(CertVerifyProcTest, CybertrustGTERoot) {
+ CertificateList certs = CreateCertificateListFromFile(
+ GetTestCertsDirectory(),
+ "cybertrust_omniroot_chain.pem",
+ X509Certificate::FORMAT_PEM_CERT_SEQUENCE);
+ ASSERT_EQ(2U, certs.size());
+
+ X509Certificate::OSCertHandles intermediates;
+ intermediates.push_back(certs[1]->os_cert_handle());
+
+ scoped_refptr<X509Certificate> cybertrust_basic =
+ X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
+ intermediates);
+ ASSERT_TRUE(cybertrust_basic.get());
+
+ scoped_refptr<X509Certificate> baltimore_root =
+ ImportCertFromFile(GetTestCertsDirectory(),
+ "cybertrust_baltimore_root.pem");
+ ASSERT_TRUE(baltimore_root.get());
+
+ ScopedTestRoot scoped_root(baltimore_root);
+
+ // Ensure that ONLY the Baltimore CyberTrust Root is trusted. This
+ // simulates Keychain removing support for the GTE CyberTrust Root.
+ TestRootCerts::GetInstance()->SetAllowSystemTrust(false);
+ base::ScopedClosureRunner reset_system_trust(
+ base::Bind(&TestRootCerts::SetAllowSystemTrust,
+ base::Unretained(TestRootCerts::GetInstance()),
+ true));
+
+ // First, make sure a simple certificate chain from
+ // EE -> Public SureServer SV -> Baltimore CyberTrust
+ // works. Only the first two certificates are included in the chain.
+ int flags = 0;
+ CertVerifyResult verify_result;
+ int error = Verify(cybertrust_basic, "cacert.omniroot.com", flags, NULL,
+ empty_cert_list_, &verify_result);
+ EXPECT_EQ(OK, error);
+ EXPECT_EQ(0U, verify_result.cert_status);
+
+ // Attempt to verify with the first known cross-certified intermediate
+ // provided.
+ scoped_refptr<X509Certificate> baltimore_intermediate_1 =
+ ImportCertFromFile(GetTestCertsDirectory(),
+ "cybertrust_baltimore_cross_certified_1.pem");
+ ASSERT_TRUE(baltimore_intermediate_1.get());
+
+ X509Certificate::OSCertHandles intermediate_chain_1 =
+ cybertrust_basic->GetIntermediateCertificates();
+ intermediate_chain_1.push_back(baltimore_intermediate_1->os_cert_handle());
+
+ scoped_refptr<X509Certificate> baltimore_chain_1 =
+ X509Certificate::CreateFromHandle(cybertrust_basic->os_cert_handle(),
+ intermediate_chain_1);
+ error = Verify(baltimore_chain_1, "cacert.omniroot.com", flags, NULL,
+ empty_cert_list_, &verify_result);
+ EXPECT_EQ(OK, error);
+ EXPECT_EQ(0U, verify_result.cert_status);
+
+ // Attempt to verify with the second known cross-certified intermediate
+ // provided.
+ scoped_refptr<X509Certificate> baltimore_intermediate_2 =
+ ImportCertFromFile(GetTestCertsDirectory(),
+ "cybertrust_baltimore_cross_certified_2.pem");
+ ASSERT_TRUE(baltimore_intermediate_2.get());
+
+ X509Certificate::OSCertHandles intermediate_chain_2 =
+ cybertrust_basic->GetIntermediateCertificates();
+ intermediate_chain_2.push_back(baltimore_intermediate_2->os_cert_handle());
+
+ scoped_refptr<X509Certificate> baltimore_chain_2 =
+ X509Certificate::CreateFromHandle(cybertrust_basic->os_cert_handle(),
+ intermediate_chain_2);
+ error = Verify(baltimore_chain_2, "cacert.omniroot.com", flags, NULL,
+ empty_cert_list_, &verify_result);
+ EXPECT_EQ(OK, error);
+ EXPECT_EQ(0U, verify_result.cert_status);
+
+ // Attempt to verify when both a cross-certified intermediate AND
+ // the legacy GTE root are provided.
+ scoped_refptr<X509Certificate> cybertrust_root =
+ ImportCertFromFile(GetTestCertsDirectory(),
+ "cybertrust_gte_root.pem");
+ ASSERT_TRUE(cybertrust_root.get());
+
+ intermediate_chain_2.push_back(cybertrust_root->os_cert_handle());
+ scoped_refptr<X509Certificate> baltimore_chain_with_root =
+ X509Certificate::CreateFromHandle(cybertrust_basic->os_cert_handle(),
+ intermediate_chain_2);
+ error = Verify(baltimore_chain_with_root, "cacert.omniroot.com", flags,
+ NULL, empty_cert_list_, &verify_result);
+ EXPECT_EQ(OK, error);
+ EXPECT_EQ(0U, verify_result.cert_status);
+
+}
+#endif
+
#if defined(USE_NSS) || defined(OS_IOS) || defined(OS_WIN) || defined(OS_MACOSX)
static const uint8 kCRLSetThawteSPKIBlocked[] = {
0x8e, 0x00, 0x7b, 0x22, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0x3a,
« net/cert/cert_verify_proc_mac.cc ('K') | « net/cert/cert_verify_proc_mac.cc ('k') | net/cert/test_root_certs.h » ('j') | net/cert/test_root_certs_mac.cc » ('J')

Powered by Google App Engine
This is Rietveld 408576698