Chromium Code Reviews
|
|
Chromium Code Reviews
Issue
2558983002:
Update CertVerifyProcWeakDigestTest for Sierra (Mac OS 10.12) (Closed)
DescriptionUpdate CertVerifyProcWeakDigestTest for Sierra (Mac OS 10.12)
Starting with Mac OS 10.12, path building stops at the first weak digest (md2 or md5).
BUG=629712
Committed: https://crrev.com/cacd8f757ae49b69e074c0b538c9660ab78a0c83
Cr-Commit-Position: refs/heads/master@{#438007}
Patch Set 1 #Patch Set 2 : simpler, less precise approach #Messages
Total messages: 23 (14 generated)
The CQ bit was checked by mattm@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
The CQ bit was checked by mattm@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
mattm@chromium.org changed reviewers: + davidben@chromium.org
note there are two different versions of this CL in patchset 1 and 2. Because this is a parameterized test, updating the expectations to distinguish between sierra & pre-sierra was a bit ugly, but I tried that in patchset 1. Patchset 2 is a much simpler approach of just disabling the failing tests on all macos versions, but that would lose us coverage of those tests on older macos versions. WDYT?
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: This issue passed the CQ dry run.
When you say "stops building the chain" do you mean that it just straight-up fails to verify anything? Is that distinct from the notes that say NSS doesn't support MD2 and MD4 and friends? (Just trying to make sure I understand what's going on here.)
On 2016/12/08 20:09:27, davidben wrote: > When you say "stops building the chain" do you mean that it just straight-up > fails to verify anything? Is that distinct from the notes that say NSS doesn't > support MD2 and MD4 and friends? (Just trying to make sure I understand what's > going on here.) It's different from the way MD4 fails on Mac OS before Sierra, and also different from the way NSS fails. For example, on sierra if the chain is sha1 root, md4/md5/md2 intermediate, sha1 end-entity, you get back a chain of end-entity <- intermediate, with a TP_NOT_TRUSTED error on the intermediate. So you still get the has_sha1 and has_mdX codes set. (So the CL actually could also enable some of the md4 tests on sierra too, but that would make the conditionals even more ugly.) On 10.11 with a md4 intermediate you get just the end-entity (with TP_NOT_TRUSTED error) and has_sha1 set. On NSS, you get no chain and not even the has_sha1 flag is set.
rsleevi@chromium.org changed reviewers: + rsleevi@chromium.org
(David asked me to peep this) LGTM When going through some of the SHA-1 stuff with David, I realized these tests may be able to be cleaned up better. From thinking in terms of composition: - Test that we can extract the algorithm from all meaningful cert permutations (e.g. that we detect MD2, MD4, MD5, etc) - Test that we can extract algorithm from chains (but this can use 'good' algorithm cases, for consistent bot runs) - Tests that extracted algorithms are translated to errors by CVP (which already has some unittests doing this via a MockCVP overloading VerifyInternal) Right now, this couples those first two, which causes weird issues by coupling chain building when we don't need to.
The CQ bit was checked by mattm@chromium.org
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
The CQ bit was unchecked by commit-bot@chromium.org
Try jobs failed on following builders: linux_chromium_asan_rel_ng on master.tryserver.chromium.linux (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)
The CQ bit was checked by mattm@chromium.org
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
CQ is committing da patch.
Bot data: {"patchset_id": 20001, "attempt_start_ts": 1481593364562070,
"parent_rev": "194e7226ed8eff24e6f86b6ea4088463077218ab", "commit_rev":
"895cab4f807a03f38ccfc0ba4b5d450c1a7c0512"}
Message was sent while issue was closed.
Description was changed from ========== Update CertVerifyProcWeakDigestTest for Sierra (Mac OS 10.12) Starting with Mac OS 10.12, path building stops at the first weak digest (md2 or md5). BUG=629712 ========== to ========== Update CertVerifyProcWeakDigestTest for Sierra (Mac OS 10.12) Starting with Mac OS 10.12, path building stops at the first weak digest (md2 or md5). BUG=629712 Review-Url: https://codereview.chromium.org/2558983002 ==========
Message was sent while issue was closed.
Committed patchset #2 (id:20001)
Message was sent while issue was closed.
Description was changed from ========== Update CertVerifyProcWeakDigestTest for Sierra (Mac OS 10.12) Starting with Mac OS 10.12, path building stops at the first weak digest (md2 or md5). BUG=629712 Review-Url: https://codereview.chromium.org/2558983002 ========== to ========== Update CertVerifyProcWeakDigestTest for Sierra (Mac OS 10.12) Starting with Mac OS 10.12, path building stops at the first weak digest (md2 or md5). BUG=629712 Committed: https://crrev.com/cacd8f757ae49b69e074c0b538c9660ab78a0c83 Cr-Commit-Position: refs/heads/master@{#438007} ==========
Message was sent while issue was closed.
Patchset 2 (id:??) landed as https://crrev.com/cacd8f757ae49b69e074c0b538c9660ab78a0c83 Cr-Commit-Position: refs/heads/master@{#438007} |
