Index: net/cert/internal/verify_certificate_chain_pkits_unittest.cc |
diff --git a/net/cert/internal/verify_certificate_chain_pkits_unittest.cc b/net/cert/internal/verify_certificate_chain_pkits_unittest.cc |
index f86e1e9ec40aba0ab2032f7237d4872564c386c6..1c342daf61221edf36bae281cba777994692507f 100644 |
--- a/net/cert/internal/verify_certificate_chain_pkits_unittest.cc |
+++ b/net/cert/internal/verify_certificate_chain_pkits_unittest.cc |
@@ -10,29 +10,6 @@ |
#include "net/der/input.h" |
#include "third_party/boringssl/src/include/openssl/pool.h" |
-// Disable tests that require DSA signatures (DSA signatures are intentionally |
-// unsupported). Custom versions of the DSA tests are defined below which expect |
-// verification to fail. |
-#define Section1ValidDSASignaturesTest4 DISABLED_Section1ValidDSASignaturesTest4 |
-#define Section1ValidDSAParameterInheritanceTest5 \ |
- DISABLED_Section1ValidDSAParameterInheritanceTest5 |
- |
-// Disable tests that require name constraints with name types that are |
-// intentionally unsupported. Custom versions of the tests are defined below |
-// which expect verification to fail. |
-#define Section13ValidRFC822nameConstraintsTest21 \ |
- DISABLED_Section13ValidRFC822nameConstraintsTest21 |
-#define Section13ValidRFC822nameConstraintsTest23 \ |
- DISABLED_Section13ValidRFC822nameConstraintsTest23 |
-#define Section13ValidRFC822nameConstraintsTest25 \ |
- DISABLED_Section13ValidRFC822nameConstraintsTest25 |
-#define Section13ValidDNandRFC822nameConstraintsTest27 \ |
- DISABLED_Section13ValidDNandRFC822nameConstraintsTest27 |
-#define Section13ValidURInameConstraintsTest34 \ |
- DISABLED_Section13ValidURInameConstraintsTest34 |
-#define Section13ValidURInameConstraintsTest36 \ |
- DISABLED_Section13ValidURInameConstraintsTest36 |
- |
// TODO(mattm): these require CRL support: |
#define Section7InvalidkeyUsageCriticalcRLSignFalseTest4 \ |
DISABLED_Section7InvalidkeyUsageCriticalcRLSignFalseTest4 |
@@ -78,141 +55,32 @@ class VerifyCertificateChainPkitsTestDelegate { |
&path_errors); |
bool did_succeed = !path_errors.ContainsHighSeverityErrors(); |
+ EXPECT_EQ(info.should_validate, did_succeed); |
EXPECT_EQ(info.user_constrained_policy_set, user_constrained_policy_set); |
- // TODO(crbug.com/634443): Test errors on failure? |
- if (info.should_validate != did_succeed) { |
- ASSERT_EQ(info.should_validate, did_succeed) |
- << path_errors.ToDebugString(input_chain); |
+ // Check that the errors match expectations. The errors are saved in a |
+ // parallel file, as they don't apply generically to the third_party |
+ // PKITS data. |
+ if (!info.should_validate && !did_succeed) { |
+ std::string errors_file_path = |
+ std::string( |
+ "net/data/verify_certificate_chain_unittest/pkits_errors/") + |
+ info.test_number + std::string(".txt"); |
+ |
+ std::string expected_errors = ReadTestFileToString(errors_file_path); |
+ |
+ // Check that the errors match. |
+ VerifyCertPathErrors(expected_errors, path_errors, input_chain, |
+ errors_file_path); |
+ } else if (!did_succeed) { |
+ // If it failed and wasn't supposed to fail, print the errors. |
+ EXPECT_EQ("", path_errors.ToDebugString(input_chain)); |
} |
} |
}; |
} // namespace |
-class PkitsTest01SignatureVerificationCustom |
- : public PkitsTest<VerifyCertificateChainPkitsTestDelegate> {}; |
- |
-// Modified version of 4.1.4 Valid DSA Signatures Test4 |
-TEST_F(PkitsTest01SignatureVerificationCustom, |
- Section1ValidDSASignaturesTest4Custom) { |
- const char* const certs[] = {"TrustAnchorRootCertificate", "DSACACert", |
- "ValidDSASignaturesTest4EE"}; |
- const char* const crls[] = {"TrustAnchorRootCRL", "DSACACRL"}; |
- // DSA signatures are intentionally unsupported. |
- PkitsTestInfo info; |
- info.should_validate = false; |
- |
- this->RunTest(certs, crls, info); |
-} |
- |
-// Modified version of 4.1.5 Valid DSA Parameter Inheritance Test5 |
-TEST_F(PkitsTest01SignatureVerificationCustom, |
- Section1ValidDSAParameterInheritanceTest5Custom) { |
- const char* const certs[] = {"TrustAnchorRootCertificate", "DSACACert", |
- "DSAParametersInheritedCACert", |
- "ValidDSAParameterInheritanceTest5EE"}; |
- const char* const crls[] = {"TrustAnchorRootCRL", "DSACACRL", |
- "DSAParametersInheritedCACRL"}; |
- // DSA signatures are intentionally unsupported. |
- PkitsTestInfo info; |
- info.should_validate = false; |
- |
- this->RunTest(certs, crls, info); |
-} |
- |
-class PkitsTest13SignatureVerificationCustom |
- : public PkitsTest<VerifyCertificateChainPkitsTestDelegate> {}; |
- |
-// Modified version of 4.13.21 Valid RFC822 nameConstraints Test21 |
-TEST_F(PkitsTest13SignatureVerificationCustom, |
- Section13ValidRFC822nameConstraintsTest21Custom) { |
- const char* const certs[] = {"TrustAnchorRootCertificate", |
- "nameConstraintsRFC822CA1Cert", |
- "ValidRFC822nameConstraintsTest21EE"}; |
- const char* const crls[] = {"TrustAnchorRootCRL", |
- "nameConstraintsRFC822CA1CRL"}; |
- // Name constraints on rfc822Names are not supported. |
- PkitsTestInfo info; |
- info.should_validate = false; |
- |
- this->RunTest(certs, crls, info); |
-} |
- |
-// Modified version of 4.13.23 Valid RFC822 nameConstraints Test23 |
-TEST_F(PkitsTest13SignatureVerificationCustom, |
- Section13ValidRFC822nameConstraintsTest23Custom) { |
- const char* const certs[] = {"TrustAnchorRootCertificate", |
- "nameConstraintsRFC822CA2Cert", |
- "ValidRFC822nameConstraintsTest23EE"}; |
- const char* const crls[] = {"TrustAnchorRootCRL", |
- "nameConstraintsRFC822CA2CRL"}; |
- // Name constraints on rfc822Names are not supported. |
- PkitsTestInfo info; |
- info.should_validate = false; |
- |
- this->RunTest(certs, crls, info); |
-} |
- |
-// Modified version of 4.13.25 Valid RFC822 nameConstraints Test25 |
-TEST_F(PkitsTest13SignatureVerificationCustom, |
- Section13ValidRFC822nameConstraintsTest25Custom) { |
- const char* const certs[] = {"TrustAnchorRootCertificate", |
- "nameConstraintsRFC822CA3Cert", |
- "ValidRFC822nameConstraintsTest25EE"}; |
- const char* const crls[] = {"TrustAnchorRootCRL", |
- "nameConstraintsRFC822CA3CRL"}; |
- // Name constraints on rfc822Names are not supported. |
- PkitsTestInfo info; |
- info.should_validate = false; |
- |
- this->RunTest(certs, crls, info); |
-} |
- |
-// Modified version of 4.13.27 Valid DN and RFC822 nameConstraints Test27 |
-TEST_F(PkitsTest13SignatureVerificationCustom, |
- Section13ValidDNandRFC822nameConstraintsTest27Custom) { |
- const char* const certs[] = {"TrustAnchorRootCertificate", |
- "nameConstraintsDN1CACert", |
- "nameConstraintsDN1subCA3Cert", |
- "ValidDNandRFC822nameConstraintsTest27EE"}; |
- const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsDN1CACRL", |
- "nameConstraintsDN1subCA3CRL"}; |
- // Name constraints on rfc822Names are not supported. |
- PkitsTestInfo info; |
- info.should_validate = false; |
- |
- this->RunTest(certs, crls, info); |
-} |
- |
-// Modified version of 4.13.34 Valid URI nameConstraints Test34 |
-TEST_F(PkitsTest13SignatureVerificationCustom, |
- Section13ValidURInameConstraintsTest34Custom) { |
- const char* const certs[] = {"TrustAnchorRootCertificate", |
- "nameConstraintsURI1CACert", |
- "ValidURInameConstraintsTest34EE"}; |
- const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsURI1CACRL"}; |
- // Name constraints on uniformResourceIdentifiers are not supported. |
- PkitsTestInfo info; |
- info.should_validate = false; |
- |
- this->RunTest(certs, crls, info); |
-} |
- |
-// Modified version of 4.13.36 Valid URI nameConstraints Test36 |
-TEST_F(PkitsTest13SignatureVerificationCustom, |
- Section13ValidURInameConstraintsTest36Custom) { |
- const char* const certs[] = {"TrustAnchorRootCertificate", |
- "nameConstraintsURI2CACert", |
- "ValidURInameConstraintsTest36EE"}; |
- const char* const crls[] = {"TrustAnchorRootCRL", "nameConstraintsURI2CACRL"}; |
- // Name constraints on uniformResourceIdentifiers are not supported. |
- PkitsTestInfo info; |
- info.should_validate = false; |
- |
- this->RunTest(certs, crls, info); |
-} |
- |
INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain, |
PkitsTest01SignatureVerification, |
VerifyCertificateChainPkitsTestDelegate); |
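Review bot: The added `EXPECT_EQ(info.should_validate, did_succeed);` drops the diagnostic stream that the removed `ASSERT_EQ` carried. In the false-accept case (a chain expected to fail that finishes with no high-severity errors) neither branch below runs, so the report is only a boolean mismatch. For a path validator that is the failure most worth diagnosing; consider `EXPECT_EQ(info.should_validate, did_succeed) << info.test_number << "\n" << path_errors.ToDebugString(input_chain);`, which would also make the `else if (!did_succeed)` branch redundant. How `ReadTestFileToString` handles a missing per-test errors file is not visible here, so it is worth confirming that a missing file fails the test rather than supplying empty expectations. The enclosing function begins outside this hunk.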