net: mark cert as revoked if EV revocation check receives revoked response (Win).

net/url_request/url_request_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "build/build_config.h"
 
 #if defined(OS_WIN)
 #include <windows.h>
 #include <shlobj.h>
 #endif
@@ skipping 5709 matching lines @@
   DoConnection(ssl_options, &cert_status);
 
   EXPECT_EQ(ExpectedCertStatusForFailedOnlineRevocationCheck(),
             cert_status & CERT_STATUS_ALL_ERRORS);
 
   EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV);
   EXPECT_EQ(SystemUsesChromiumEVMetadata(),
             static_cast<bool>(cert_status & CERT_STATUS_REV_CHECKING_ENABLED));
 }
 
+TEST_F(HTTPSEVCRLSetTest, MissingCRLSetAndRevokedOCSP) {
+  if (!SystemSupportsOCSP()) {
+    LOG(WARNING) << "Skipping test because system doesn't support OCSP";
+    return;
+  }
+
+  SpawnedTestServer::SSLOptions ssl_options(
+      SpawnedTestServer::SSLOptions::CERT_AUTO);
+  ssl_options.ocsp_status = SpawnedTestServer::SSLOptions::OCSP_REVOKED;
+  SSLConfigService::SetCRLSet(scoped_refptr<CRLSet>());
+
+  CertStatus cert_status;
+  DoConnection(ssl_options, &cert_status);
+
+  // Currently only works for Windows. For NSS we request a hard-fail check for
+  // EV OCSP but then cannot tell whether the check failed because of a revoked
+  // response, or an OCSP failure.

[Ryan Sleevi, 2013/08/28 19:23:11]

comment nit: ever trying to reduce the pronoun usage, suggested rewording:

// Currently only works for Windows. When using NSS or OS X, it's not
// possible to determine whether the check failed because of actual
// revocation or because there was an OCSP failure.

[wtc, 2013/08/28 23:58:42]

Perhaps for NSS we can first request a soft-fail check for OCSP for an
EV candidate cert?

[agl, 2013/08/29 16:46:59]

Updated comment.

[agl, 2013/08/29 16:46:59]

That means that we would be making two OCSP requests for any EV certificate
that's not covered by a CRLSet? I'm not convinced that making a single one is
really needed, but I'm pretty sure that two is too much for this.

Counterpoints welcome but I'll save that for a future CL.

+#if defined(OS_WIN)
+  EXPECT_EQ(CERT_STATUS_REVOKED, cert_status & CERT_STATUS_ALL_ERRORS);
+#else
+  EXPECT_EQ(0u, cert_status & CERT_STATUS_ALL_ERRORS);
+#endif
+
+  EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV);
+  EXPECT_EQ(SystemUsesChromiumEVMetadata(),
+            static_cast<bool>(cert_status & CERT_STATUS_REV_CHECKING_ENABLED));
+}
+
 TEST_F(HTTPSEVCRLSetTest, MissingCRLSetAndGoodOCSP) {
   if (!SystemSupportsOCSP()) {
     LOG(WARNING) << "Skipping test because system doesn't support OCSP";
     return;
   }
 
   SpawnedTestServer::SSLOptions ssl_options(
       SpawnedTestServer::SSLOptions::CERT_AUTO);
   ssl_options.ocsp_status = SpawnedTestServer::SSLOptions::OCSP_OK;
   SSLConfigService::SetCRLSet(scoped_refptr<CRLSet>());
@@ skipping 518 matching lines @@
 
     EXPECT_FALSE(r.is_pending());
     EXPECT_EQ(1, d->response_started_count());
     EXPECT_FALSE(d->received_data_before_response());
     EXPECT_EQ(d->bytes_received(), static_cast<int>(file_size));
   }
 }
 #endif  // !defined(DISABLE_FTP_SUPPORT)
 
 }  // namespace net