Distrust new WoSign/StartCom certificates

net/cert/cert_verify_proc_whitelist_unittest.cc

Index: net/cert/cert_verify_proc_whitelist_unittest.cc
diff --git a/net/cert/cert_verify_proc_whitelist_unittest.cc b/net/cert/cert_verify_proc_whitelist_unittest.cc
index dea54129ba870e2fcce6cd9f88eef6fa26e63e86..791957315a633a17052c3c2e619d36ca7883e8f6 100644
--- a/net/cert/cert_verify_proc_whitelist_unittest.cc
+++ b/net/cert/cert_verify_proc_whitelist_unittest.cc
@@ -184,6 +184,25 @@ TEST(CertVerifyProcWhitelistTest, AcceptsUnconstrainedLeaf) {
   SetCertificateWhitelistForTesting(nullptr, 0);
 }
 
+TEST(CertVerifyProcWhitelistTest, HandlesWosignCerts) {
+  scoped_refptr<X509Certificate> cert =
+      ImportCertFromFile(GetTestCertsDirectory(), "wosign_before_oct_21.pem");
+  ASSERT_TRUE(cert);
+
+  HashValueVector public_key_hashes;
+  public_key_hashes.emplace_back(SHA256HashValue{
+      {0x15, 0x28, 0x39, 0x7d, 0xa2, 0x12, 0x89, 0x0a, 0x83, 0x0b, 0x0b,
+       0x95, 0xa5, 0x99, 0x68, 0xce, 0xf2, 0x34, 0x77, 0x37, 0x79, 0xdf,
+       0x51, 0x81, 0xcf, 0x10, 0xfa, 0x64, 0x75, 0x34, 0xbb, 0x65}});
+
+  EXPECT_FALSE(IsNonWhitelistedCertificate(*cert, public_key_hashes));
+
+  cert = ImportCertFromFile(GetTestCertsDirectory(), "wosign_after_oct_21.pem");
+  ASSERT_TRUE(cert);
+
+  EXPECT_TRUE(IsNonWhitelistedCertificate(*cert, public_key_hashes));
+}
+
 }  // namespace
 
 }  // namespace net