Add tests for keyUsage to the built-in cert verifier.

net/cert/cert_verify_proc_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/cert_verify_proc.h"
 
 #include <vector>
 
 #include "base/callback_helpers.h"
 #include "base/files/file_path.h"
@@ skipping 1184 matching lines @@
 
   // |public_key_hashes| does not have an ordering guarantee.
   EXPECT_THAT(expected_public_key_hashes,
               testing::UnorderedElementsAreArray(public_key_hash_strings));
 }
 
 // A regression test for http://crbug.com/70293.
 // The Key Usage extension in this RSA SSL server certificate does not have
 // the keyEncipherment bit.
 TEST_P(CertVerifyProcInternalTest, InvalidKeyUsage) {
-  if (verify_proc_type() == CERT_VERIFY_PROC_BUILTIN) {
-    LOG(INFO) << "TODO(crbug.com/649017): Skipping test as not yet implemented "
-                 "in builting verifier";
-    return;
-  }
   base::FilePath certs_dir = GetTestCertsDirectory();
 
   scoped_refptr<X509Certificate> server_cert =
       ImportCertFromFile(certs_dir, "invalid_key_usage_cert.der");
   ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert.get());
 
   int flags = 0;
   CertVerifyResult verify_result;
   int error = Verify(server_cert.get(), "jira.aquameta.com", flags, NULL,
                      CertificateList(), &verify_result);
 
   // TODO(eroman): Change the test data so results are consistent across
   //               verifiers.
-  if (verify_proc_type() == CERT_VERIFY_PROC_OPENSSL) {
+  if (verify_proc_type() == CERT_VERIFY_PROC_OPENSSL ||
+      verify_proc_type() == CERT_VERIFY_PROC_BUILTIN) {

[mattm, 2017/04/12 01:58:05]

From your other email, NSS was the only one that checks the key usage right? Why
is it that the other platforms don't need to be special cased here too?

[eroman, 2017/04/14 21:07:47]

This test is not well described. There are two core problems with the
certificate being verified:
  (1) It has an EKU for clientAuth (and not serverAuth)
  (2) It is not signed by a provided trust anchor

So really the core problem is that the EKU is wrong (clientAuth and not
serverAuth). NSS can balk about the key usage (whose expectations it sets based
on the required key purpose).

The test would have been more interesting if it set the KeyUsage as
digitalSignature AND it set EKU to serverAuth, since now it would solely be
testing the key usage bit. However if that were the test, then everything but
NSS would be failing consistently with AUTHORITY_INVALID, as they don't actually
care about the key usage.

The specific errors that the implementations return are variations of these two
underlying causes.
   INVALID -- for the incorrect EKU (or in NSS's case, also key usage)
   AUTHORITY_INVALID -- for not chaining to a trust anchor

I will go ahead and update the test description, and try to make the
expectations less confusing.

[eroman, 2017/04/14 21:42:48]

Done.

     // This certificate has two errors: "invalid key usage" and "untrusted CA".
-    // However, OpenSSL returns only one (the latter), and we can't detect
-    // the other errors.
+    // However, the wrong key usage is not checked.
     EXPECT_THAT(error, IsError(ERR_CERT_AUTHORITY_INVALID));
   } else {
     EXPECT_THAT(error, IsError(ERR_CERT_INVALID));
     EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_INVALID);
   }
   // TODO(wtc): fix http://crbug.com/75520 to get all the certificate errors
   // from NSS.
   if (verify_proc_type() != CERT_VERIFY_PROC_NSS &&
       verify_proc_type() != CERT_VERIFY_PROC_IOS &&
       verify_proc_type() != CERT_VERIFY_PROC_ANDROID) {
@@ skipping 1151 matching lines @@
   int flags = 0;
   CertVerifyResult verify_result;
   int error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), flags,
                                   NULL, CertificateList(), &verify_result);
   EXPECT_EQ(OK, error);
   histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0);
   histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0);
 }
 
 }  // namespace net