Add tests for keyUsage to the built-in cert verifier.

net/cert/cert_verify_proc_unittest.cc

Index: net/cert/cert_verify_proc_unittest.cc
diff --git a/net/cert/cert_verify_proc_unittest.cc b/net/cert/cert_verify_proc_unittest.cc
index fdb254d1bc5fc94e8f1c4166efb732dc5340a8e0..baa67dce82ffe6bfd297a8c24507cf5f4748b9cc 100644
--- a/net/cert/cert_verify_proc_unittest.cc
+++ b/net/cert/cert_verify_proc_unittest.cc
@@ -1202,11 +1202,6 @@ TEST_P(CertVerifyProcInternalTest, PublicKeyHashes) {
 // The Key Usage extension in this RSA SSL server certificate does not have
 // the keyEncipherment bit.
 TEST_P(CertVerifyProcInternalTest, InvalidKeyUsage) {
-  if (verify_proc_type() == CERT_VERIFY_PROC_BUILTIN) {
-    LOG(INFO) << "TODO(crbug.com/649017): Skipping test as not yet implemented "
-                 "in builting verifier";
-    return;
-  }
   base::FilePath certs_dir = GetTestCertsDirectory();
 
   scoped_refptr<X509Certificate> server_cert =
@@ -1220,10 +1215,10 @@ TEST_P(CertVerifyProcInternalTest, InvalidKeyUsage) {
 
   // TODO(eroman): Change the test data so results are consistent across
   //               verifiers.
-  if (verify_proc_type() == CERT_VERIFY_PROC_OPENSSL) {
+  if (verify_proc_type() == CERT_VERIFY_PROC_OPENSSL ||
+      verify_proc_type() == CERT_VERIFY_PROC_BUILTIN) {

[mattm, 2017/04/12 01:58:05]

From your other email, NSS was the only one that checks the key usage right? Why
is it that the other platforms don't need to be special cased here too?

[eroman, 2017/04/14 21:07:47]

This test is not well described. There are two core problems with the
certificate being verified:
  (1) It has an EKU for clientAuth (and not serverAuth)
  (2) It is not signed by a provided trust anchor

So really the core problem is that the EKU is wrong (clientAuth and not
serverAuth). NSS can balk about the key usage (whose expectations it sets based
on the required key purpose).

The test would have been more interesting if it set the KeyUsage as
digitalSignature AND it set EKU to serverAuth, since now it would solely be
testing the key usage bit. However if that were the test, then everything but
NSS would be failing consistently with AUTHORITY_INVALID, as they don't actually
care about the key usage.

The specific errors that the implementations return are variations of these two
underlying causes.
   INVALID -- for the incorrect EKU (or in NSS's case, also key usage)
   AUTHORITY_INVALID -- for not chaining to a trust anchor

I will go ahead and update the test description, and try to make the
expectations less confusing.

[eroman, 2017/04/14 21:42:48]

Done.

     // This certificate has two errors: "invalid key usage" and "untrusted CA".
-    // However, OpenSSL returns only one (the latter), and we can't detect
-    // the other errors.
+    // However, the wrong key usage is not checked.
     EXPECT_THAT(error, IsError(ERR_CERT_AUTHORITY_INVALID));
   } else {
     EXPECT_THAT(error, IsError(ERR_CERT_INVALID));