| Index: net/cert/cert_verify_proc_unittest.cc
 | 
| diff --git a/net/cert/cert_verify_proc_unittest.cc b/net/cert/cert_verify_proc_unittest.cc
 | 
| index 18596457988892f3a1d8276f2760e09fc49a1b7f..de1a7c16d246cf81a25ce9999387c8d694f4ec14 100644
 | 
| --- a/net/cert/cert_verify_proc_unittest.cc
 | 
| +++ b/net/cert/cert_verify_proc_unittest.cc
 | 
| @@ -1801,6 +1801,73 @@ TEST_F(CertVerifyProcNameTest, DoesntMatchDnsSanTrailingDot) {
 | 
|    VerifyCertName(".test.example", false);
 | 
|  }
 | 
|  
 | 
| +// Tests that commonName-fallback is handled correctly:
 | 
| +// - If it's a publicly trusted certificate, the commonName should never
 | 
| +//   match.
 | 
| +// - If it chains to a private root, the commonName should not match if
 | 
| +//   the subjectAltName is absent, and the flags don't allow fallback.
 | 
| +// - If it chains to a private root, the commonName SHOULD match iff the
 | 
| +//   subjectAltName is absent and the flags allow a fallback.
 | 
| +TEST_F(CertVerifyProcNameTest, HandlesCommonNameFallbackLocalAnchors) {
 | 
| +  scoped_refptr<X509Certificate> cert(
 | 
| +      ImportCertFromFile(GetTestCertsDirectory(), "salesforce_com_test.pem"));
 | 
| +  ASSERT_TRUE(cert);
 | 
| +
 | 
| +  CertVerifyResult result;
 | 
| +  scoped_refptr<CertVerifyProc> verify_proc;
 | 
| +  CertVerifyResult verify_result;
 | 
| +  int error;
 | 
| +
 | 
| +  // Publicly trusted: Always ignores commonName, regardless of flags.
 | 
| +  result = CertVerifyResult();
 | 
| +  verify_result = CertVerifyResult();
 | 
| +  error = 0;
 | 
| +  result.is_issued_by_known_root = true;
 | 
| +  verify_proc = new MockCertVerifyProc(result);
 | 
| +  error = verify_proc->Verify(cert.get(), "prerelna1.pre.salesforce.com",
 | 
| +                              std::string(), 0, nullptr, CertificateList(),
 | 
| +                              &verify_result);
 | 
| +  EXPECT_THAT(error, IsError(ERR_CERT_COMMON_NAME_INVALID));
 | 
| +  EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID);
 | 
| +
 | 
| +  result = CertVerifyResult();
 | 
| +  verify_result = CertVerifyResult();
 | 
| +  error = 0;
 | 
| +  result.is_issued_by_known_root = true;
 | 
| +  verify_proc = new MockCertVerifyProc(result);
 | 
| +  error = verify_proc->Verify(
 | 
| +      cert.get(), "prerelna1.pre.salesforce.com", std::string(),
 | 
| +      CertVerifier::VERIFY_ENABLE_COMMON_NAME_FALLBACK_LOCAL_ANCHORS, nullptr,
 | 
| +      CertificateList(), &verify_result);
 | 
| +  EXPECT_THAT(error, IsError(ERR_CERT_COMMON_NAME_INVALID));
 | 
| +  EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID);
 | 
| +
 | 
| +  // Privately trusted: Ignores commonName by default.
 | 
| +  result = CertVerifyResult();
 | 
| +  verify_result = CertVerifyResult();
 | 
| +  error = 0;
 | 
| +  result.is_issued_by_known_root = false;
 | 
| +  verify_proc = new MockCertVerifyProc(result);
 | 
| +  error = verify_proc->Verify(cert.get(), "prerelna1.pre.salesforce.com",
 | 
| +                              std::string(), 0, nullptr, CertificateList(),
 | 
| +                              &verify_result);
 | 
| +  EXPECT_THAT(error, IsError(ERR_CERT_COMMON_NAME_INVALID));
 | 
| +  EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID);
 | 
| +
 | 
| +  // Privately trusted: Falls back to common name if flags allow.
 | 
| +  result = CertVerifyResult();
 | 
| +  verify_result = CertVerifyResult();
 | 
| +  error = 0;
 | 
| +  result.is_issued_by_known_root = false;
 | 
| +  verify_proc = new MockCertVerifyProc(result);
 | 
| +  error = verify_proc->Verify(
 | 
| +      cert.get(), "prerelna1.pre.salesforce.com", std::string(),
 | 
| +      CertVerifier::VERIFY_ENABLE_COMMON_NAME_FALLBACK_LOCAL_ANCHORS, nullptr,
 | 
| +      CertificateList(), &verify_result);
 | 
| +  EXPECT_THAT(error, IsOk());
 | 
| +  EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID);
 | 
| +}
 | 
| +
 | 
|  // Tests that CertVerifyProc records a histogram correctly when a
 | 
|  // certificate chaining to a private root contains the TLS feature
 | 
|  // extension and does not have a stapled OCSP response.
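Review bot: The header comment says the commonName should match "iff the subjectAltName is absent", but all four cases in HandlesCommonNameFallbackLocalAnchors load the same salesforce_com_test.pem, which presumably carries no subjectAltName, so the SAN-present half of that condition is never exercised. A regression that consults the commonName for a private-root certificate whose subjectAltName exists but does not list the host would still pass this test, and that is the case where the fallback would weaken name checking. A fifth case along the lines below would pin it, using a fixture whose commonName matches the host and whose subjectAltName does not; the file and host names in the sketch are placeholders, not existing test data. Separately, each `error = 0;` reset is overwritten by the `Verify` call that follows and could be dropped.

```cpp
  // … unchanged: the four existing cases …

  // Privately trusted, subjectAltName present but not matching: the
  // commonName must be ignored even when the flags allow fallback.
  // PLACEHOLDER fixture: commonName matches the host, subjectAltName does not.
  scoped_refptr<X509Certificate> san_cert(ImportCertFromFile(
      GetTestCertsDirectory(), "PLACEHOLDER_cn_matches_san_does_not.pem"));
  ASSERT_TRUE(san_cert);
  result = CertVerifyResult();
  verify_result = CertVerifyResult();
  result.is_issued_by_known_root = false;
  verify_proc = new MockCertVerifyProc(result);
  error = verify_proc->Verify(
      san_cert.get(), "PLACEHOLDER.host.example", std::string(),
      CertVerifier::VERIFY_ENABLE_COMMON_NAME_FALLBACK_LOCAL_ANCHORS, nullptr,
      CertificateList(), &verify_result);
  EXPECT_THAT(error, IsError(ERR_CERT_COMMON_NAME_INVALID));
  EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID);
```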
 | 
| 
 |