De-prioritize 2.23.140.1.1 when searching for EV policy.

net/cert/cert_verify_proc_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/cert_verify_proc.h"
 
 #include <vector>
 
 #include "base/callback_helpers.h"
 #include "base/files/file_path.h"
@@ skipping 235 matching lines @@
     return verify_proc_type() == CERT_VERIFY_PROC_NSS ||
            verify_proc_type() == CERT_VERIFY_PROC_WIN ||
            verify_proc_type() == CERT_VERIFY_PROC_MAC;
   }
 
   bool SupportsCRLSetsInPathBuilding() const {
     return verify_proc_type() == CERT_VERIFY_PROC_WIN ||
            verify_proc_type() == CERT_VERIFY_PROC_NSS;
   }
 
+  bool SupportsEV() const {
+    // TODO(crbug.com/649017): CertVerifyProcBuiltin does not support EV.
+    // TODO(crbug.com/117478): Android and iOS do not support EV.
+    return verify_proc_type() == CERT_VERIFY_PROC_NSS ||
+           verify_proc_type() == CERT_VERIFY_PROC_WIN ||
+           verify_proc_type() == CERT_VERIFY_PROC_MAC;
+  }
+
   CertVerifyProc* verify_proc() const { return verify_proc_.get(); }
 
  private:
   scoped_refptr<CertVerifyProc> verify_proc_;
 };
 
 INSTANTIATE_TEST_CASE_P(,
                         CertVerifyProcInternalTest,
                         testing::ValuesIn(kAllCertVerifiers),
                         VerifyProcTypeToName);
 
 // TODO(rsleevi): Reenable this test once comodo.chaim.pem is no longer
 // expired, http://crbug.com/502818
 TEST_P(CertVerifyProcInternalTest, DISABLED_EVVerification) {
-  if (verify_proc_type() == CERT_VERIFY_PROC_ANDROID ||
-      verify_proc_type() == CERT_VERIFY_PROC_OPENSSL) {
-    // TODO(jnd): http://crbug.com/117478 - EV verification is not yet
-    // supported.
+  if (!SupportsEV()) {
     LOG(INFO) << "Skipping test as EV verification is not yet supported";
     return;
   }
 
   CertificateList certs =
       CreateCertificateListFromFile(GetTestCertsDirectory(), "comodo.chain.pem",
                                     X509Certificate::FORMAT_PEM_CERT_SEQUENCE);
   ASSERT_EQ(3U, certs.size());
 
   X509Certificate::OSCertHandles intermediates;
   intermediates.push_back(certs[1]->os_cert_handle());
   intermediates.push_back(certs[2]->os_cert_handle());
 
   scoped_refptr<X509Certificate> comodo_chain =
       X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
                                         intermediates);
 
   scoped_refptr<CRLSet> crl_set(CRLSet::ForTesting(false, NULL, ""));
   CertVerifyResult verify_result;
   int flags = CertVerifier::VERIFY_EV_CERT;
   int error = Verify(comodo_chain.get(), "comodo.com", flags, crl_set.get(),
                      CertificateList(), &verify_result);
   EXPECT_THAT(error, IsOk());
   EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV);
 }
 
+// Tests that a certificate is recognized as EV, when the valid EV policy OID
+// for the trust anchor is the second candidate EV oid in the target
+// certificate. This is a regression test for crbug.com/705285.
+TEST_P(CertVerifyProcInternalTest, EVVerificationMultipleOID) {
+  if (!SupportsEV()) {
+    LOG(INFO) << "Skipping test as EV verification is not yet supported";
+    return;
+  }
+
+  // TODO(eroman): Update this test to use a synthetic certificate, so the test
+  // does not break in the future. The certificate chain in question expires on
+  // Dec 22 23:59:59 2018 GMT 2018, at which point this test will start failing.
+  if (base::Time::Now() >
+      base::Time::UnixEpoch() + base::TimeDelta::FromSeconds(1545523199)) {
+    FAIL() << "This test uses a certificate chain which is now expired. Please "
+              "disable and file a bug.";
+    return;
+  }
+
+  scoped_refptr<X509Certificate> chain = CreateCertificateChainFromFile(
+      GetTestCertsDirectory(), "trustcenter.websecurity.symantec.com.pem",
+      X509Certificate::FORMAT_PEM_CERT_SEQUENCE);
+  ASSERT_TRUE(chain);
+
+  scoped_refptr<CRLSet> crl_set(CRLSet::ForTesting(false, NULL, ""));
+  CertVerifyResult verify_result;
+  int flags = CertVerifier::VERIFY_EV_CERT;
+  int error = Verify(chain.get(), "trustcenter.websecurity.symantec.com", flags,
+                     crl_set.get(), CertificateList(), &verify_result);
+  EXPECT_THAT(error, IsOk());
+  EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV);
+}
+
 // TODO(crbug.com/605457): the test expectation was incorrect on some
 // configurations, so disable the test until it is fixed (better to have
 // a bug to track a failing test than a false sense of security due to
 // false positive).
 TEST_P(CertVerifyProcInternalTest, DISABLED_PaypalNullCertParsing) {
   // A certificate for www.paypal.com with a NULL byte in the common name.
   // From http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/70363
   SHA256HashValue paypal_null_fingerprint = {{0x00}};
 
   scoped_refptr<X509Certificate> paypal_null_cert(
@@ skipping 2013 matching lines @@
   int flags = 0;
   CertVerifyResult verify_result;
   int error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), flags,
                                   NULL, CertificateList(), &verify_result);
   EXPECT_EQ(OK, error);
   histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0);
   histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0);
 }
 
 }  // namespace net