Index: net/cert/cert_verify_proc_unittest.cc |
diff --git a/net/cert/cert_verify_proc_unittest.cc b/net/cert/cert_verify_proc_unittest.cc |
index 18596457988892f3a1d8276f2760e09fc49a1b7f..de1a7c16d246cf81a25ce9999387c8d694f4ec14 100644 |
--- a/net/cert/cert_verify_proc_unittest.cc |
+++ b/net/cert/cert_verify_proc_unittest.cc |
@@ -1801,6 +1801,73 @@ TEST_F(CertVerifyProcNameTest, DoesntMatchDnsSanTrailingDot) { |
VerifyCertName(".test.example", false); |
} |
+// Tests that commonName-fallback is handled correctly: |
+// - If it's a publicly trusted certificate, the commonName should never |
+// match. |
+// - If it chains to a private root, the commonName should not match if |
+// the subjectAltName is absent, and the flags don't allow fallback. |
+// - If it chains to a private root, the commonName SHOULD match iff the |
+// subjectAltName is absent and the flags allow a fallback. |
+TEST_F(CertVerifyProcNameTest, HandlesCommonNameFallbackLocalAnchors) { |
+ scoped_refptr<X509Certificate> cert( |
+ ImportCertFromFile(GetTestCertsDirectory(), "salesforce_com_test.pem")); |
+ ASSERT_TRUE(cert); |
+ |
+ CertVerifyResult result; |
+ scoped_refptr<CertVerifyProc> verify_proc; |
+ CertVerifyResult verify_result; |
+ int error; |
+ |
+ // Publicly trusted: Always ignores commonName, regardless of flags. |
+ result = CertVerifyResult(); |
+ verify_result = CertVerifyResult(); |
+ error = 0; |
+ result.is_issued_by_known_root = true; |
+ verify_proc = new MockCertVerifyProc(result); |
+ error = verify_proc->Verify(cert.get(), "prerelna1.pre.salesforce.com", |
+ std::string(), 0, nullptr, CertificateList(), |
+ &verify_result); |
+ EXPECT_THAT(error, IsError(ERR_CERT_COMMON_NAME_INVALID)); |
+ EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID); |
+ |
+ result = CertVerifyResult(); |
+ verify_result = CertVerifyResult(); |
+ error = 0; |
+ result.is_issued_by_known_root = true; |
+ verify_proc = new MockCertVerifyProc(result); |
+ error = verify_proc->Verify( |
+ cert.get(), "prerelna1.pre.salesforce.com", std::string(), |
+ CertVerifier::VERIFY_ENABLE_COMMON_NAME_FALLBACK_LOCAL_ANCHORS, nullptr, |
+ CertificateList(), &verify_result); |
+ EXPECT_THAT(error, IsError(ERR_CERT_COMMON_NAME_INVALID)); |
+ EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID); |
+ |
+ // Privately trusted: Ignores commonName by default. |
+ result = CertVerifyResult(); |
+ verify_result = CertVerifyResult(); |
+ error = 0; |
+ result.is_issued_by_known_root = false; |
+ verify_proc = new MockCertVerifyProc(result); |
+ error = verify_proc->Verify(cert.get(), "prerelna1.pre.salesforce.com", |
+ std::string(), 0, nullptr, CertificateList(), |
+ &verify_result); |
+ EXPECT_THAT(error, IsError(ERR_CERT_COMMON_NAME_INVALID)); |
+ EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID); |
+ |
+ // Privately trusted: Falls back to common name if flags allow. |
+ result = CertVerifyResult(); |
+ verify_result = CertVerifyResult(); |
+ error = 0; |
+ result.is_issued_by_known_root = false; |
+ verify_proc = new MockCertVerifyProc(result); |
+ error = verify_proc->Verify( |
+ cert.get(), "prerelna1.pre.salesforce.com", std::string(), |
+ CertVerifier::VERIFY_ENABLE_COMMON_NAME_FALLBACK_LOCAL_ANCHORS, nullptr, |
+ CertificateList(), &verify_result); |
+ EXPECT_THAT(error, IsOk()); |
+ EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID); |
+} |
+ |
// Tests that CertVerifyProc records a histogram correctly when a |
// certificate chaining to a private root contains the TLS feature |
// extension and does not have a stapled OCSP response. |
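Review bot: The "iff" in the header comment (subjectAltName absent AND flag set) is only half-tested: none of the four cases exercises a certificate that carries a subjectAltName which does not cover the hostname while `VERIFY_ENABLE_COMMON_NAME_FALLBACK_LOCAL_ANCHORS` is set and `is_issued_by_known_root` is false, which is the case where an incorrect fallback would let a CN override a non-matching SAN. Adding a fifth case with one of the file's SAN-bearing test certificates, a hostname matching its CN but not its SAN, the flag set, and `EXPECT_THAT(error, IsError(ERR_CERT_COMMON_NAME_INVALID));` would pin that down. The test's premise that "salesforce_com_test.pem" has no subjectAltName (and a CN covering "prerelna1.pre.salesforce.com") is also implicit; if the X509Certificate API in this tree permits it, `ASSERT_FALSE(cert->GetSubjectAltName(nullptr, nullptr));` after the existing `ASSERT_TRUE(cert);` would make the fixture's role explicit so a future cert regeneration cannot silently turn this into a SAN test. As a smaller point, the four near-identical setup blocks (reset `result`, `verify_result`, `error`, set the root flag, build the mock) would read more clearly as a loop over a small table of (is_issued_by_known_root, flags, expected_error) tuples with a `SCOPED_TRACE` per row.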