Add script for generating certificates that require an explicit policy

net/cert/cert_verify_proc_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/cert_verify_proc.h"
 
 #include <vector>
 
 #include "base/files/file_path.h"
 #include "base/logging.h"
@@ skipping 188 matching lines @@
   // Either the system crypto library should correctly report a certificate
   // name mismatch, or our certificate blacklist should cause us to report an
   // invalid certificate.
 #if defined(USE_NSS) || defined(OS_WIN) || defined(OS_IOS)
   EXPECT_TRUE(verify_result.cert_status &
               (CERT_STATUS_COMMON_NAME_INVALID | CERT_STATUS_INVALID));
 #endif
 }
 
 // A regression test for http://crbug.com/31497.
-// This certificate will expire on 2012-04-08. The test will still
-// pass if error == ERR_CERT_DATE_INVALID.  TODO(wtc): generate test
-// certificates for this unit test. http://crbug.com/111742
-TEST_F(CertVerifyProcTest, IntermediateCARequireExplicitPolicy) {
+#if defined(OS_ANDROID)
+// Disabled on Android, as the Android verification libraries require an
+// explicit policy to be specified, even when anyPolicy is permitted.
+#define MAYBE_IntermediateCARequireExplicitPolicy \
+    DISABLED_IntermediateCARequireExplicitPolicy
+#else
+#define MAYBE_IntermediateCARequireExplicitPolicy \
+    IntermediateCARequireExplicitPolicy
+#endif
+TEST_F(CertVerifyProcTest, MAYBE_IntermediateCARequireExplicitPolicy) {
   base::FilePath certs_dir = GetTestCertsDirectory();
 
-  scoped_refptr<X509Certificate> server_cert =
-      ImportCertFromFile(certs_dir, "www_us_army_mil_cert.der");
-  ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert);
-
-  // The intermediate CA certificate's policyConstraints extension has a
-  // requireExplicitPolicy field with SkipCerts=0.
-  scoped_refptr<X509Certificate> intermediate_cert =
-      ImportCertFromFile(certs_dir, "dod_ca_17_cert.der");
-  ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert);
-
-  scoped_refptr<X509Certificate> root_cert =
-      ImportCertFromFile(certs_dir, "dod_root_ca_2_cert.der");
-  ScopedTestRoot scoped_root(root_cert.get());
+  CertificateList certs = CreateCertificateListFromFile(
+      certs_dir, "explicit-policy-chain.pem",
+      X509Certificate::FORMAT_AUTO);
+  ASSERT_EQ(3U, certs.size());
 
   X509Certificate::OSCertHandles intermediates;
-  intermediates.push_back(intermediate_cert->os_cert_handle());
-  scoped_refptr<X509Certificate> cert_chain =
-      X509Certificate::CreateFromHandle(server_cert->os_cert_handle(),
+  intermediates.push_back(certs[1]->os_cert_handle());
+
+  scoped_refptr<X509Certificate> cert =
+      X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
                                         intermediates);
+  ASSERT_TRUE(cert.get());
+
+  ScopedTestRoot scoped_root(certs[2].get());
 
   int flags = 0;
   CertVerifyResult verify_result;
-  int error = Verify(cert_chain.get(),
-                     "www.us.army.mil",
+  int error = Verify(cert.get(),
+                     "policy_test.example",
                      flags,
                      NULL,
                      empty_cert_list_,
                      &verify_result);
-  if (error == OK) {
-    EXPECT_EQ(0U, verify_result.cert_status);
-  } else {
-    EXPECT_EQ(ERR_CERT_DATE_INVALID, error);
-    EXPECT_EQ(CERT_STATUS_DATE_INVALID, verify_result.cert_status);
-  }
+  EXPECT_EQ(OK, error);
+  EXPECT_EQ(0u, verify_result.cert_status);
 }
 
 
 // Test for bug 58437.
 // This certificate will expire on 2011-12-21. The test will still
 // pass if error == ERR_CERT_DATE_INVALID.
 // This test is DISABLED because it appears that we cannot do
 // certificate revocation checking when running all of the net unit tests.
 // This test passes when run individually, but when run with all of the net
 // unit tests, the call to PKIXVerifyCert returns the NSS error -8180, which is
@@ skipping 517 matching lines @@
 // Test that Verify() filters out certificates which are not related to
 // or part of the certificate chain being verified.
 TEST_F(CertVerifyProcTest, VerifyReturnChainFiltersUnrelatedCerts) {
   base::FilePath certs_dir = GetTestCertsDirectory();
   CertificateList certs = CreateCertificateListFromFile(
       certs_dir, "x509_verify_results.chain.pem",
       X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(3U, certs.size());
   ScopedTestRoot scoped_root(certs[2].get());
 
-  scoped_refptr<X509Certificate> unrelated_dod_certificate =
-      ImportCertFromFile(certs_dir, "dod_ca_17_cert.der");
-  scoped_refptr<X509Certificate> unrelated_dod_certificate2 =
-      ImportCertFromFile(certs_dir, "dod_root_ca_2_cert.der");
-  ASSERT_NE(static_cast<X509Certificate*>(NULL), unrelated_dod_certificate);
-  ASSERT_NE(static_cast<X509Certificate*>(NULL), unrelated_dod_certificate2);
+  scoped_refptr<X509Certificate> unrelated_certificate =
+      ImportCertFromFile(certs_dir, "duplicate_cn_1.pem");
+  scoped_refptr<X509Certificate> unrelated_certificate2 =
+      ImportCertFromFile(certs_dir, "aia-cert.pem");
+  ASSERT_NE(static_cast<X509Certificate*>(NULL), unrelated_certificate);
+  ASSERT_NE(static_cast<X509Certificate*>(NULL), unrelated_certificate2);
 
   // Interject unrelated certificates into the list of intermediates.
   X509Certificate::OSCertHandles intermediates;
-  intermediates.push_back(unrelated_dod_certificate->os_cert_handle());
+  intermediates.push_back(unrelated_certificate->os_cert_handle());
   intermediates.push_back(certs[1]->os_cert_handle());
-  intermediates.push_back(unrelated_dod_certificate2->os_cert_handle());
+  intermediates.push_back(unrelated_certificate2->os_cert_handle());
   intermediates.push_back(certs[2]->os_cert_handle());
 
   scoped_refptr<X509Certificate> google_full_chain =
       X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
                                         intermediates);
   ASSERT_NE(static_cast<X509Certificate*>(NULL), google_full_chain);
   ASSERT_EQ(4U, google_full_chain->GetIntermediateCertificates().size());
 
   CertVerifyResult verify_result;
   EXPECT_EQ(static_cast<X509Certificate*>(NULL), verify_result.verified_cert);
@@ skipping 613 matching lines @@
 TEST_P(CertVerifyProcNonUniqueNameTest, IsHostnameNonUnique) {
   const NonUniqueNameTestData& test_data = GetParam();
 
   EXPECT_EQ(test_data.is_unique, IsUnique(test_data.hostname));
 }
 
 INSTANTIATE_TEST_CASE_P(, CertVerifyProcNonUniqueNameTest,
                         testing::ValuesIn(kNonUniqueNameTestData));
 
 }  // namespace net