| Index: net/cert/internal/verify_certificate_chain_pkits_unittest.cc
|
| diff --git a/net/cert/internal/verify_certificate_chain_pkits_unittest.cc b/net/cert/internal/verify_certificate_chain_pkits_unittest.cc
|
| index 8c16a3a6edb3d5b06fa6b5c96ba69be43d6af13f..8138dae90b86005a2a533fcaf48e553bfe14fd7e 100644
|
| --- a/net/cert/internal/verify_certificate_chain_pkits_unittest.cc
|
| +++ b/net/cert/internal/verify_certificate_chain_pkits_unittest.cc
|
| @@ -47,13 +47,10 @@ namespace {
|
|
|
| class VerifyCertificateChainPkitsTestDelegate {
|
| public:
|
| - static bool Verify(std::vector<std::string> cert_ders,
|
| - std::vector<std::string> crl_ders,
|
| - const PkitsTestSettings& settings) {
|
| - if (cert_ders.empty()) {
|
| - ADD_FAILURE() << "cert_ders is empty";
|
| - return false;
|
| - }
|
| + static void RunTest(std::vector<std::string> cert_ders,
|
| + std::vector<std::string> crl_ders,
|
| + const PkitsTestInfo& info) {
|
| + ASSERT_FALSE(cert_ders.empty());
|
|
|
| // PKITS lists chains from trust anchor to target, whereas
|
| // VerifyCertificateChain takes them starting with the target and ending
|
| @@ -61,29 +58,26 @@ class VerifyCertificateChainPkitsTestDelegate {
|
| std::vector<scoped_refptr<net::ParsedCertificate>> input_chain;
|
| CertErrors parsing_errors;
|
| for (auto i = cert_ders.rbegin(); i != cert_ders.rend(); ++i) {
|
| - if (!net::ParsedCertificate::CreateAndAddToVector(
|
| - bssl::UniquePtr<CRYPTO_BUFFER>(
|
| - CRYPTO_BUFFER_new(reinterpret_cast<const uint8_t*>(i->data()),
|
| - i->size(), nullptr)),
|
| - {}, &input_chain, &parsing_errors)) {
|
| - ADD_FAILURE() << "Cert failed to parse:\n"
|
| - << parsing_errors.ToDebugString();
|
| - return false;
|
| - }
|
| + ASSERT_TRUE(net::ParsedCertificate::CreateAndAddToVector(
|
| + bssl::UniquePtr<CRYPTO_BUFFER>(CRYPTO_BUFFER_new(
|
| + reinterpret_cast<const uint8_t*>(i->data()), i->size(), nullptr)),
|
| + {}, &input_chain, &parsing_errors))
|
| + << parsing_errors.ToDebugString();
|
| }
|
|
|
| SimpleSignaturePolicy signature_policy(1024);
|
|
|
| - // Run all tests at the time the PKITS was published.
|
| - der::GeneralizedTime time = {2011, 4, 15, 0, 0, 0};
|
| -
|
| CertPathErrors path_errors;
|
| VerifyCertificateChain(input_chain, CertificateTrust::ForTrustAnchor(),
|
| - &signature_policy, time, KeyPurpose::ANY_EKU,
|
| + &signature_policy, info.time, KeyPurpose::ANY_EKU,
|
| &path_errors);
|
| + bool did_succeed = !path_errors.ContainsHighSeverityErrors();
|
|
|
| // TODO(crbug.com/634443): Test errors on failure?
|
| - return !path_errors.ContainsHighSeverityErrors();
|
| + if (info.should_validate != did_succeed) {
|
| + ASSERT_EQ(info.should_validate, did_succeed)
|
| + << path_errors.ToDebugString(input_chain);
|
| + }
|
| }
|
| };
|
|
|
| @@ -99,7 +93,10 @@ TEST_F(PkitsTest01SignatureVerificationCustom,
|
| "ValidDSASignaturesTest4EE"};
|
| const char* const crls[] = {"TrustAnchorRootCRL", "DSACACRL"};
|
| // DSA signatures are intentionally unsupported.
|
| - ASSERT_FALSE(this->Verify(certs, crls, {}));
|
| + PkitsTestInfo info;
|
| + info.should_validate = false;
|
| +
|
| + this->RunTest(certs, crls, info);
|
| }
|
|
|
| // Modified version of 4.1.5 Valid DSA Parameter Inheritance Test5
|
| @@ -111,7 +108,10 @@ TEST_F(PkitsTest01SignatureVerificationCustom,
|
| const char* const crls[] = {"TrustAnchorRootCRL", "DSACACRL",
|
| "DSAParametersInheritedCACRL"};
|
| // DSA signatures are intentionally unsupported.
|
| - ASSERT_FALSE(this->Verify(certs, crls, {}));
|
| + PkitsTestInfo info;
|
| + info.should_validate = false;
|
| +
|
| + this->RunTest(certs, crls, info);
|
| }
|
|
|
| class PkitsTest13SignatureVerificationCustom
|
| @@ -126,7 +126,10 @@ TEST_F(PkitsTest13SignatureVerificationCustom,
|
| const char* const crls[] = {"TrustAnchorRootCRL",
|
| "nameConstraintsRFC822CA1CRL"};
|
| // Name constraints on rfc822Names are not supported.
|
| - ASSERT_FALSE(this->Verify(certs, crls, {}));
|
| + PkitsTestInfo info;
|
| + info.should_validate = false;
|
| +
|
| + this->RunTest(certs, crls, info);
|
| }
|
|
|
| // Modified version of 4.13.23 Valid RFC822 nameConstraints Test23
|
| @@ -138,7 +141,10 @@ TEST_F(PkitsTest13SignatureVerificationCustom,
|
| const char* const crls[] = {"TrustAnchorRootCRL",
|
| "nameConstraintsRFC822CA2CRL"};
|
| // Name constraints on rfc822Names are not supported.
|
| - ASSERT_FALSE(this->Verify(certs, crls, {}));
|
| + PkitsTestInfo info;
|
| + info.should_validate = false;
|
| +
|
| + this->RunTest(certs, crls, info);
|
| }
|
|
|
| // Modified version of 4.13.25 Valid RFC822 nameConstraints Test25
|
| @@ -150,7 +156,10 @@ TEST_F(PkitsTest13SignatureVerificationCustom,
|
| const char* const crls[] = {"TrustAnchorRootCRL",
|
| "nameConstraintsRFC822CA3CRL"};
|
| // Name constraints on rfc822Names are not supported.
|
| - ASSERT_FALSE(this->Verify(certs, crls, {}));
|
| + PkitsTestInfo info;
|
| + info.should_validate = false;
|
| +
|
| + this->RunTest(certs, crls, info);
|
| }
|
|
|
| // Modified version of 4.13.27 Valid DN and RFC822 nameConstraints Test27
|
| @@ -163,7 +172,10 @@ TEST_F(PkitsTest13SignatureVerificationCustom,
|
| const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsDN1CACRL",
|
| "nameConstraintsDN1subCA3CRL"};
|
| // Name constraints on rfc822Names are not supported.
|
| - ASSERT_FALSE(this->Verify(certs, crls, {}));
|
| + PkitsTestInfo info;
|
| + info.should_validate = false;
|
| +
|
| + this->RunTest(certs, crls, info);
|
| }
|
|
|
| // Modified version of 4.13.34 Valid URI nameConstraints Test34
|
| @@ -174,7 +186,10 @@ TEST_F(PkitsTest13SignatureVerificationCustom,
|
| "ValidURInameConstraintsTest34EE"};
|
| const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsURI1CACRL"};
|
| // Name constraints on uniformResourceIdentifiers are not supported.
|
| - ASSERT_FALSE(this->Verify(certs, crls, {}));
|
| + PkitsTestInfo info;
|
| + info.should_validate = false;
|
| +
|
| + this->RunTest(certs, crls, info);
|
| }
|
|
|
| // Modified version of 4.13.36 Valid URI nameConstraints Test36
|
| @@ -185,7 +200,10 @@ TEST_F(PkitsTest13SignatureVerificationCustom,
|
| "ValidURInameConstraintsTest36EE"};
|
| const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsURI2CACRL"};
|
| // Name constraints on uniformResourceIdentifiers are not supported.
|
| - ASSERT_FALSE(this->Verify(certs, crls, {}));
|
| + PkitsTestInfo info;
|
| + info.should_validate = false;
|
| +
|
| + this->RunTest(certs, crls, info);
|
| }
|
|
|
| INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain,
|
|
|
Chromium Code Reviews
Issue 2907353002:
Update PKITs test data to include "user_constrained_policy_set". (Closed)
