Add tests for certificates that pass X509CertificateBytes parsing, but fail in...

Add tests for certificates that pass X509CertificateBytes parsing, but fail in CertVerifyProc. Fix iOS. BUG=711077,671420 Review-Url: https://codereview.chromium.org/2889813002 Cr-Commit-Position: refs/heads/master@{#472277}

Add tests for certificates that pass X509CertificateBytes parsing, but fail in...
Add tests for certificates that pass X509CertificateBytes parsing, but fail in CertVerifyProc. Fix iOS. BUG=711077,671420 Review-Url: https://codereview.chromium.org/2889813002 Cr-Commit-Position: refs/heads/master@{#472277}
aef2f1c8 · mattm · Commit bot · 23a57a15 · aef2f1c8 · aef2f1c8
Commit aef2f1c8 authored May 16, 2017 by mattm Committed by Commit bot May 17, 2017
3 changed files
--- a/net/cert/cert_verify_proc_ios.cc
+++ b/net/cert/cert_verify_proc_ios.cc
@@ -257,6 +257,10 @@ int CertVerifyProcIOS::VerifyInternal(
  ScopedCFTypeRef<CFMutableArrayRef> cert_array(
      x509_util::CreateSecCertificateArrayForX509Certificate(cert));
+  if (!cert_array) {
+    verify_result->cert_status |= CERT_STATUS_INVALID;
+    return ERR_CERT_INVALID;
+  }
  ScopedCFTypeRef<SecTrustRef> trust_ref;
  SecTrustResultType trust_result = kSecTrustResultDeny;
  ScopedCFTypeRef<CFArrayRef> final_chain;

--- a/net/cert/cert_verify_proc_mac.cc
+++ b/net/cert/cert_verify_proc_mac.cc
@@ -742,8 +742,10 @@ int VerifyWithGivenFlags(X509Certificate* cert,
    ScopedCFTypeRef<CFMutableArrayRef> cert_array(
        x509_util::CreateSecCertificateArrayForX509Certificate(cert));
-    if (!cert_array)
+    if (!cert_array) {
+      verify_result->cert_status |= CERT_STATUS_INVALID;
      return ERR_CERT_INVALID;
+    }
    // Beginning with the certificate chain as supplied by the server, attempt
    // to verify the chain. If a failure is encountered, trim a certificate

--- a/net/cert/cert_verify_proc_unittest.cc
+++ b/net/cert/cert_verify_proc_unittest.cc
@@ -396,6 +396,65 @@ TEST_P(CertVerifyProcInternalTest, DISABLED_PaypalNullCertParsing) {
  // TODO(crbug.com/649017): What expectations to use for the other verifiers?
 }
+#if BUILDFLAG(USE_BYTE_CERTS)
+// Tests the case where the target certificate is accepted by
+// X509CertificateBytes, but has errors that should cause verification to fail.
+TEST_P(CertVerifyProcInternalTest, InvalidTarget) {
+  base::FilePath certs_dir =
+      GetTestNetDataDirectory().AppendASCII("parse_certificate_unittest");
+  scoped_refptr<X509Certificate> bad_cert =
+      ImportCertFromFile(certs_dir, "extensions_data_after_sequence.pem");
+  ASSERT_TRUE(bad_cert);
+  scoped_refptr<X509Certificate> ok_cert(
+      ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem"));
+  ASSERT_TRUE(ok_cert);
+  scoped_refptr<X509Certificate> cert_with_bad_target(
+      X509Certificate::CreateFromHandle(bad_cert->os_cert_handle(),
+                                        {ok_cert->os_cert_handle()}));
+  ASSERT_TRUE(cert_with_bad_target);
+  EXPECT_EQ(1U, cert_with_bad_target->GetIntermediateCertificates().size());
+  int flags = 0;
+  CertVerifyResult verify_result;
+  int error = Verify(cert_with_bad_target.get(), "127.0.0.1", flags, NULL,
+                     CertificateList(), &verify_result);
+  EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_INVALID);
+  EXPECT_THAT(error, IsError(ERR_CERT_INVALID));
+}
+// Tests the case where an intermediate certificate is accepted by
+// X509CertificateBytes, but has errors that should cause verification to fail.
+TEST_P(CertVerifyProcInternalTest, InvalidIntermediate) {
+  base::FilePath certs_dir =
+      GetTestNetDataDirectory().AppendASCII("parse_certificate_unittest");
+  scoped_refptr<X509Certificate> bad_cert =
+      ImportCertFromFile(certs_dir, "extensions_data_after_sequence.pem");
+  ASSERT_TRUE(bad_cert);
+  scoped_refptr<X509Certificate> ok_cert(
+      ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem"));
+  ASSERT_TRUE(ok_cert);
+  scoped_refptr<X509Certificate> cert_with_bad_intermediate(
+      X509Certificate::CreateFromHandle(ok_cert->os_cert_handle(),
+                                        {bad_cert->os_cert_handle()}));
+  ASSERT_TRUE(cert_with_bad_intermediate);
+  EXPECT_EQ(1U,
+            cert_with_bad_intermediate->GetIntermediateCertificates().size());
+  int flags = 0;
+  CertVerifyResult verify_result;
+  int error = Verify(cert_with_bad_intermediate.get(), "127.0.0.1", flags, NULL,
+                     CertificateList(), &verify_result);
+  EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_INVALID);
+  EXPECT_THAT(error, IsError(ERR_CERT_INVALID));
+}
+#endif  // BUILDFLAG(USE_BYTE_CERTS)
 // A regression test for http://crbug.com/31497.
 TEST_P(CertVerifyProcInternalTest, IntermediateCARequireExplicitPolicy) {
  if (verify_proc_type() == CERT_VERIFY_PROC_ANDROID) {