Replace certificate for multiple OID EV test

CertVerifyProcInternalTest.EVVerificationMultipleOID uses a certificate from trustcenter.websecurity.symantec.com, but the test fails with the upcoming Symantec Legacy PKI distrust. This replaces the test certificate with another that has the 2.23.140.1.1 OID before 2.16.840.1.113733.1.7.23.6 in X509v3 Certificate Policies extension. Bug: 705285, 796230 Change-Id: I0ed5d50d727a712d7c38babdb9ecfdfd30d50cc5 Reviewed-on: https://chromium-review.googlesource.com/1147665 Commit-Queue: Ryan Sleevi <rsleevi@chromium.org> Reviewed-by: Ryan Sleevi <rsleevi@chromium.org> Cr-Commit-Position: refs/heads/master@{#577471}

Replace certificate for multiple OID EV test
CertVerifyProcInternalTest.EVVerificationMultipleOID uses a certificate from trustcenter.websecurity.symantec.com, but the test fails with the upcoming Symantec Legacy PKI distrust. This replaces the test certificate with another that has the 2.23.140.1.1 OID before 2.16.840.1.113733.1.7.23.6 in X509v3 Certificate Policies extension. Bug: 705285, 796230 Change-Id: I0ed5d50d727a712d7c38babdb9ecfdfd30d50cc5 Reviewed-on: https://chromium-review.googlesource.com/1147665 Commit-Queue: Ryan Sleevi <rsleevi@chromium.org> Reviewed-by: Ryan Sleevi <rsleevi@chromium.org> Cr-Commit-Position: refs/heads/master@{#577471}
4ea22148 · Nick Harper · Commit Bot · c44f810c · 4ea22148 · 4ea22148
Commit 4ea22148 authored Jul 24, 2018 by Nick Harper Committed by Commit Bot Jul 24, 2018
5 changed files
--- a/net/BUILD.gn
+++ b/net/BUILD.gn
@@ -2424,6 +2424,7 @@ bundle_data("test_support_bundle_data") {
    "data/ssl/certificates/key_usage_rsa_no_extension.pem",
    "data/ssl/certificates/large_key.pem",
    "data/ssl/certificates/localhost_cert.pem",
+    "data/ssl/certificates/login.trustwave.com.pem",
    "data/ssl/certificates/mit.davidben.der",
    "data/ssl/certificates/multi-root-A-by-B.pem",
    "data/ssl/certificates/multi-root-B-by-C.pem",
@@ -2486,7 +2487,6 @@ bundle_data("test_support_bundle_data") {
    "data/ssl/certificates/subjectAltName_www_example_com.pem",
    "data/ssl/certificates/thawte.single.pem",
    "data/ssl/certificates/tls_feature_extension.pem",
-    "data/ssl/certificates/trustcenter.websecurity.symantec.com.pem",
    "data/ssl/certificates/unescaped.pem",
    "data/ssl/certificates/unittest.key.bin",
    "data/ssl/certificates/unittest.originbound.der",

--- a/net/cert/cert_verify_proc_unittest.cc
+++ b/net/cert/cert_verify_proc_unittest.cc
@@ -341,16 +341,16 @@ TEST_P(CertVerifyProcInternalTest, EVVerificationMultipleOID) {

  // TODO(eroman): Update this test to use a synthetic certificate, so the test
  // does not break in the future. The certificate chain in question expires on
-  // Dec 22 23:59:59 2018 GMT 2018, at which point this test will start failing.
+  // Jun 12 14:33:43 2020 GMT, at which point this test will start failing.
  if (base::Time::Now() >
-      base::Time::UnixEpoch() + base::TimeDelta::FromSeconds(1545523199)) {
+      base::Time::UnixEpoch() + base::TimeDelta::FromSeconds(1591972423)) {
    FAIL() << "This test uses a certificate chain which is now expired. Please "
              "disable and file a bug.";
    return;
  }

  scoped_refptr<X509Certificate> chain = CreateCertificateChainFromFile(
-      GetTestCertsDirectory(), "trustcenter.websecurity.symantec.com.pem",
+      GetTestCertsDirectory(), "login.trustwave.com.pem",
      X509Certificate::FORMAT_PEM_CERT_SEQUENCE);
  ASSERT_TRUE(chain);

@@ -358,7 +358,7 @@ TEST_P(CertVerifyProcInternalTest, EVVerificationMultipleOID) {
  //
  // This way CRLSet coverage will be sufficient for EV revocation checking,
  // so this test does not depend on online revocation checking.
-  ASSERT_EQ(1u, chain->intermediate_buffers().size());
+  ASSERT_GE(chain->intermediate_buffers().size(), 1u);
  base::StringPiece spki;
  ASSERT_TRUE(
      asn1::ExtractSPKIFromDERCert(x509_util::CryptoBufferAsStringPiece(
@@ -371,7 +371,7 @@ TEST_P(CertVerifyProcInternalTest, EVVerificationMultipleOID) {

  CertVerifyResult verify_result;
  int flags = 0;
-  int error = Verify(chain.get(), "trustcenter.websecurity.symantec.com", flags,
+  int error = Verify(chain.get(), "login.trustwave.com", flags,
                     crl_set.get(), CertificateList(), &verify_result);
  EXPECT_THAT(error, IsOk());
  EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV);

--- a/net/data/ssl/certificates/README
+++ b/net/data/ssl/certificates/README
@@ -10,7 +10,7 @@ unit tests.
 - google.single.der
 - google.single.pem
 - thawte.single.pem : Certificates for testing parsing of different formats.
- trustcenter.websecurity.symantec.com.pem :
+- login.trustwave.com.pem :
     Certificate for testing EV with multiple OIDs. Regression test for crbug.com/705285

 - googlenew.chain.pem : The refreshed Google certificate
@@ -352,4 +352,4 @@ unit tests.
 - key_usage_p256_digitalsignature.pem
 - key_usage_p256_both.pem
     Self-signed P-256 certificates with various combinations of keyUsage
-     flags. Their private key is key_usage_p256.key.
\ No newline at end of file
+     flags. Their private key is key_usage_p256.key.
--- a/net/data/ssl/certificates/login.trustwave.com.pem
+++ b/net/data/ssl/certificates/login.trustwave.com.pem
--- a/net/data/ssl/certificates/trustcenter.websecurity.symantec.com.pem
+++ b/net/data/ssl/certificates/trustcenter.websecurity.symantec.com.pem