Index: net/cert/cert_verify_proc_unittest.cc |
diff --git a/net/cert/cert_verify_proc_unittest.cc b/net/cert/cert_verify_proc_unittest.cc |
index fb6d5bbcc17e7e72bfe716d3c7b520be497cfa1b..c59c246f5fecc8736f38b0e039991d46be5ef28f 100644 |
--- a/net/cert/cert_verify_proc_unittest.cc |
+++ b/net/cert/cert_verify_proc_unittest.cc |
@@ -273,6 +273,14 @@ class CertVerifyProcInternalTest |
verify_proc_type() == CERT_VERIFY_PROC_NSS; |
} |
+ bool SupportsEV() const { |
+ // TODO(crbug.com/649017): CertVerifyProcBuiltin does not support EV. |
+ // TODO(crbug.com/117478): Android and iOS do not support EV. |
+ return verify_proc_type() == CERT_VERIFY_PROC_NSS || |
+ verify_proc_type() == CERT_VERIFY_PROC_WIN || |
+ verify_proc_type() == CERT_VERIFY_PROC_MAC; |
+ } |
+ |
CertVerifyProc* verify_proc() const { return verify_proc_.get(); } |
private: |
@@ -287,10 +295,7 @@ INSTANTIATE_TEST_CASE_P(, |
// TODO(rsleevi): Reenable this test once comodo.chaim.pem is no longer |
// expired, http://crbug.com/502818 |
TEST_P(CertVerifyProcInternalTest, DISABLED_EVVerification) { |
- if (verify_proc_type() == CERT_VERIFY_PROC_ANDROID || |
- verify_proc_type() == CERT_VERIFY_PROC_OPENSSL) { |
- // TODO(jnd): http://crbug.com/117478 - EV verification is not yet |
- // supported. |
+ if (!SupportsEV()) { |
LOG(INFO) << "Skipping test as EV verification is not yet supported"; |
return; |
} |
@@ -310,6 +315,39 @@ TEST_P(CertVerifyProcInternalTest, DISABLED_EVVerification) { |
EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV); |
} |
+// Tests that a certificate is recognized as EV, when the valid EV policy OID |
+// for the trust anchor is the second candidate EV oid in the target |
+// certificate. This is a regression test for crbug.com/705285. |
+TEST_P(CertVerifyProcInternalTest, EVVerificationMultipleOID) { |
+ if (!SupportsEV()) { |
+ LOG(INFO) << "Skipping test as EV verification is not yet supported"; |
+ return; |
+ } |
+ |
+ // TODO(eroman): Update this test to use a synthetic certificate, so the test |
+ // does not break in the future. The certificate chain in question expires on |
+ // Dec 22 23:59:59 2018 GMT 2018, at which point this test will start failing. |
+ if (base::Time::Now() > |
+ base::Time::UnixEpoch() + base::TimeDelta::FromSeconds(1545523199)) { |
+ FAIL() << "This test uses a certificate chain which is now expired. Please " |
+ "disable and file a bug."; |
+ return; |
+ } |
+ |
+ scoped_refptr<X509Certificate> chain = CreateCertificateChainFromFile( |
+ GetTestCertsDirectory(), "trustcenter.websecurity.symantec.com.pem", |
+ X509Certificate::FORMAT_PEM_CERT_SEQUENCE); |
+ ASSERT_TRUE(chain); |
+ |
+ scoped_refptr<CRLSet> crl_set(CRLSet::ForTesting(false, NULL, "")); |
+ CertVerifyResult verify_result; |
+ int flags = CertVerifier::VERIFY_EV_CERT; |
+ int error = Verify(chain.get(), "trustcenter.websecurity.symantec.com", flags, |
+ crl_set.get(), CertificateList(), &verify_result); |
+ EXPECT_THAT(error, IsOk()); |
+ EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV); |
+} |
+ |
// TODO(crbug.com/605457): the test expectation was incorrect on some |
// configurations, so disable the test until it is fixed (better to have |
// a bug to track a failing test than a false sense of security due to |