
Unified Diff: net/cert/cert_verify_proc_unittest.cc

Issue 724543002: Reject certificates that are valid for too long. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Oops, forgot to remove 2 DVLOGs. Created 6 years, 1 month ago
Index: net/cert/cert_verify_proc_unittest.cc
diff --git a/net/cert/cert_verify_proc_unittest.cc b/net/cert/cert_verify_proc_unittest.cc
index 10a880b42ccc3f7b111f256c65c85e2ea5016f7f..a34db0201ffc1ac7a4c29282d037e05e822852a4 100644
--- a/net/cert/cert_verify_proc_unittest.cc
+++ b/net/cert/cert_verify_proc_unittest.cc
@@ -615,16 +615,60 @@ TEST_F(CertVerifyProcTest, NameConstraintsFailure) {
verify_result.cert_status & CERT_STATUS_NAME_CONSTRAINT_VIOLATION);
}
+TEST_F(CertVerifyProcTest, TestHasTooLongValidity) {
+ base::FilePath certs_dir = GetTestCertsDirectory();
+
+ DLOG(INFO) << "twitter-chain.pem";
+ scoped_refptr<X509Certificate> twitter =
+ ImportCertFromFile(certs_dir, "twitter-chain.pem");
+ EXPECT_FALSE(CertVerifyProc::HasTooLongValidity(*twitter));
+
+ DLOG(INFO) << "start_after_expiry.pem";
Ryan Sleevi 2014/11/26 12:25:36 spam dvlogs are bad, mkay :) You can use a TEST_P
palmer 2014/12/15 22:55:58 Oh, I didn't mean to leave them in. Removed.
+ scoped_refptr<X509Certificate> start_after_expiry =
+ ImportCertFromFile(certs_dir, "start_after_expiry.pem");
+ EXPECT_TRUE(CertVerifyProc::HasTooLongValidity(*start_after_expiry));
+
+ DLOG(INFO) << "pre_br_validity_ok.pem";
+ scoped_refptr<X509Certificate> pre_br_validity_ok =
+ ImportCertFromFile(certs_dir, "pre_br_validity_ok.pem");
+ EXPECT_FALSE(CertVerifyProc::HasTooLongValidity(*pre_br_validity_ok));
+
+ DLOG(INFO) << "pre_br_validity_bad_121.pem";
+ scoped_refptr<X509Certificate> pre_br_validity_bad_121 =
+ ImportCertFromFile(certs_dir, "pre_br_validity_bad_121.pem");
+ EXPECT_TRUE(CertVerifyProc::HasTooLongValidity(*pre_br_validity_bad_121));
+
+ DLOG(INFO) << "pre_br_validity_bad_2020.pem";
+ scoped_refptr<X509Certificate> pre_br_validity_bad_2020 =
+ ImportCertFromFile(certs_dir, "pre_br_validity_bad_2020.pem");
+ EXPECT_TRUE(CertVerifyProc::HasTooLongValidity(*pre_br_validity_bad_2020));
+
+ DLOG(INFO) << "11_year_validity.pem";
Ryan Sleevi 2014/11/26 12:25:36 add test for 10 year validity == good
palmer 2014/12/15 22:55:58 Done.
+ scoped_refptr<X509Certificate> eleven_years =
+ ImportCertFromFile(certs_dir, "11_year_validity.pem");
+ EXPECT_TRUE(CertVerifyProc::HasTooLongValidity(*eleven_years));
+
+ DLOG(INFO) << "40_months_after_2015_04.pem";
+ scoped_refptr<X509Certificate> forty_months =
+ ImportCertFromFile(certs_dir, "40_months_after_2015_04.pem");
+ EXPECT_TRUE(CertVerifyProc::HasTooLongValidity(*forty_months));
Ryan Sleevi 2014/11/26 12:25:36 add test for 39 months after 2015_04 == good
palmer 2014/12/15 22:55:58 Done.
+
+ DLOG(INFO) << "61_months_after_2012_07.pem";
+ scoped_refptr<X509Certificate> sixty_one_months =
+ ImportCertFromFile(certs_dir, "61_months_after_2012_07.pem");
+ EXPECT_TRUE(CertVerifyProc::HasTooLongValidity(*sixty_one_months));
Ryan Sleevi 2014/11/26 12:25:36 add test for 60 months after 2012_07 == good
palmer 2014/12/15 22:55:58 Done.
+}
+
TEST_F(CertVerifyProcTest, TestKnownRoot) {
if (!SupportsDetectingKnownRoots()) {
- LOG(INFO) << "Skipping this test in this platform.";
+ LOG(INFO) << "Skipping this test on this platform.";
return;
}
base::FilePath certs_dir = GetTestCertsDirectory();
CertificateList certs = CreateCertificateListFromFile(
- certs_dir, "satveda.pem", X509Certificate::FORMAT_AUTO);
- ASSERT_EQ(2U, certs.size());
+ certs_dir, "twitter-chain.pem", X509Certificate::FORMAT_AUTO);
+ ASSERT_EQ(3U, certs.size());
X509Certificate::OSCertHandles intermediates;
intermediates.push_back(certs[1]->os_cert_handle());
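Review bot: In TestHasTooLongValidity every `ImportCertFromFile` result is dereferenced immediately (`*twitter`, `*start_after_expiry`, and so on) with no check that the import succeeded. If a fixture is missing or fails to parse, the test would presumably crash on a null `scoped_refptr` instead of reporting a failure, which hides which certificate file was at fault. Adding `ASSERT_TRUE(twitter.get());` after each import, before the `HasTooLongValidity` call, keeps the failure attributable to one fixture. TestKnownRoot's body continues outside this hunk.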
@@ -635,20 +679,18 @@ TEST_F(CertVerifyProcTest, TestKnownRoot) {
int flags = 0;
CertVerifyResult verify_result;
- // This will blow up, May 24th, 2019. Sorry! Please disable and file a bug
+ // This will blow up, May 9th, 2016. Sorry! Please disable and file a bug
// against agl. See also PublicKeyHashes.
int error = Verify(cert_chain.get(),
- "satveda.com",
+ "twitter.com",
flags,
NULL,
empty_cert_list_,
&verify_result);
EXPECT_EQ(OK, error);
- EXPECT_EQ(CERT_STATUS_SHA1_SIGNATURE_PRESENT, verify_result.cert_status);
EXPECT_TRUE(verify_result.is_issued_by_known_root);
}
-// The certse.pem certificate has been revoked. crbug.com/259723.
TEST_F(CertVerifyProcTest, PublicKeyHashes) {
if (!SupportsReturningVerifiedChain()) {
LOG(INFO) << "Skipping this test in this platform.";
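Review bot: With the `CERT_STATUS_SHA1_SIGNATURE_PRESENT` expectation deleted, nothing visible in TestKnownRoot inspects `verify_result.cert_status` any more, and the same line is dropped from PublicKeyHashes in the hunk at -669. For a change that adds a new rejection reason to the verifier, these two real-chain tests are a natural place to pin that no error bit is reported; `EXPECT_FALSE(IsCertStatusError(verify_result.cert_status));` would do that without depending on the chain's signature algorithm. The updated comment also moves the expiry time bomb from 2019 to May 9th, 2016, so both tests will need a new fixture sooner than before. Both test bodies extend outside this hunk.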
@@ -657,8 +699,8 @@ TEST_F(CertVerifyProcTest, PublicKeyHashes) {
base::FilePath certs_dir = GetTestCertsDirectory();
CertificateList certs = CreateCertificateListFromFile(
- certs_dir, "satveda.pem", X509Certificate::FORMAT_AUTO);
- ASSERT_EQ(2U, certs.size());
+ certs_dir, "twitter-chain.pem", X509Certificate::FORMAT_AUTO);
+ ASSERT_EQ(3U, certs.size());
X509Certificate::OSCertHandles intermediates;
intermediates.push_back(certs[1]->os_cert_handle());
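Review bot: The fixture now holds three certificates, but the visible lines still pass only `certs[1]` as an intermediate, here and in TestKnownRoot. If `certs[2]` is the root, that is intentional. If it is a second intermediate, verification would rely on the platform locating it by other means, which would make the result environment-dependent. Once the file layout is confirmed, a comment above the `push_back` such as `// twitter-chain.pem is leaf, intermediate, root; the root is left to the platform trust store.` would settle the question for the next reader. The code that builds `cert_chain` is outside the hunk.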
@@ -669,17 +711,16 @@ TEST_F(CertVerifyProcTest, PublicKeyHashes) {
int flags = 0;
CertVerifyResult verify_result;
- // This will blow up, May 24th, 2019. Sorry! Please disable and file a bug
+ // This will blow up, May 9th, 2016. Sorry! Please disable and file a bug
// against agl. See also TestKnownRoot.
int error = Verify(cert_chain.get(),
- "satveda.com",
+ "twitter.com",
flags,
NULL,
empty_cert_list_,
&verify_result);
EXPECT_EQ(OK, error);
- EXPECT_EQ(CERT_STATUS_SHA1_SIGNATURE_PRESENT, verify_result.cert_status);
- ASSERT_LE(2U, verify_result.public_key_hashes.size());
+ ASSERT_LE(3U, verify_result.public_key_hashes.size());
HashValueVector sha1_hashes;
for (size_t i = 0; i < verify_result.public_key_hashes.size(); ++i) {
@@ -687,10 +728,10 @@ TEST_F(CertVerifyProcTest, PublicKeyHashes) {
continue;
sha1_hashes.push_back(verify_result.public_key_hashes[i]);
}
- ASSERT_LE(2u, sha1_hashes.size());
+ ASSERT_LE(3u, sha1_hashes.size());
- for (size_t i = 0; i < 2; ++i) {
- EXPECT_EQ(HexEncode(kSatvedaSPKIs[i], base::kSHA1Length),
+ for (size_t i = 0; i < 3; ++i) {
+ EXPECT_EQ(HexEncode(kTwitterSPKIs[i], base::kSHA1Length),
HexEncode(sha1_hashes[i].data(), base::kSHA1Length));
}
@@ -700,10 +741,10 @@ TEST_F(CertVerifyProcTest, PublicKeyHashes) {
continue;
sha256_hashes.push_back(verify_result.public_key_hashes[i]);
}
- ASSERT_LE(2u, sha256_hashes.size());
+ ASSERT_LE(3u, sha256_hashes.size());
- for (size_t i = 0; i < 2; ++i) {
- EXPECT_EQ(HexEncode(kSatvedaSPKIsSHA256[i], crypto::kSHA256Length),
+ for (size_t i = 0; i < 3; ++i) {
+ EXPECT_EQ(HexEncode(kTwitterSPKIsSHA256[i], crypto::kSHA256Length),
HexEncode(sha256_hashes[i].data(), crypto::kSHA256Length));
}
}
@@ -810,7 +851,7 @@ TEST_F(CertVerifyProcTest, IntranetHostsRejected) {
}
CertificateList cert_list = CreateCertificateListFromFile(
- GetTestCertsDirectory(), "ok_cert.pem",
+ GetTestCertsDirectory(), "reject_intranet_hosts.pem",
X509Certificate::FORMAT_AUTO);
ASSERT_EQ(1U, cert_list.size());
scoped_refptr<X509Certificate> cert(cert_list[0]);
