SignedExchange: Add a test that uses real CertVerifier

- Add a browser test case that uses real (not mocked) CertVerifier.
- Re-generate test certificates removing the critical flag of
  CanSignHttpExchangesDraft extension, since the extension is not known to
  the OS cert verifiers.

Bug: 851778
Change-Id: Ic43319229feddcbaa0349a4f81c995011e63bc7b
Reviewed-on: https://chromium-review.googlesource.com/1116406Reviewed-by: Ryan Sleevi <rsleevi@chromium.org>
Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Commit-Queue: Kunihiko Sakamoto <ksakamoto@chromium.org>
Cr-Commit-Position: refs/heads/master@{#571770}

content/browser/web_package/signed_exchange_request_handler_browsertest.cc

@@ -4,6 +4,7 @@
 
 #include "base/files/file_path.h"
 #include "base/path_service.h"
+#include "base/strings/string_util.h"
 #include "base/strings/utf_string_conversions.h"
 #include "base/test/scoped_feature_list.h"
 #include "base/threading/thread_restrictions.h"
@@ -28,6 +29,7 @@
 #include "net/cert/cert_verify_result.h"
 #include "net/cert/mock_cert_verifier.h"
 #include "net/test/cert_test_util.h"
+#include "net/test/embedded_test_server/embedded_test_server.h"
 #include "net/test/embedded_test_server/http_request.h"
 #include "net/test/test_data_directory.h"
 #include "net/test/url_request/url_request_mock_http_job.h"
@@ -73,7 +75,12 @@ class NavigationFailureObserver : public WebContentsObserver {
 class SignedExchangeRequestHandlerBrowserTest : public ContentBrowserTest {
  public:
   SignedExchangeRequestHandlerBrowserTest()
-      : mock_cert_verifier_(std::make_unique<net::MockCertVerifier>()){};
+      : mock_cert_verifier_(std::make_unique<net::MockCertVerifier>()) {
+    // This installs "root_ca_cert.pem" from which our test certificates are
+    // created. (Needed for the tests that use real certificate, i.e.
+    // RealCertVerifier)
+    net::EmbeddedTestServer::RegisterTestCerts();
+  }
 
   void SetUp() override {
     SignedExchangeHandler::SetCertVerifierForTesting(mock_cert_verifier_.get());
@@ -292,4 +299,51 @@ IN_PROC_BROWSER_TEST_F(
   EXPECT_EQ(PAGE_TYPE_ERROR, entry->GetPageType());
 }
 
+IN_PROC_BROWSER_TEST_F(SignedExchangeRequestHandlerBrowserTest,
+                       RealCertVerifier) {
+  InstallUrlInterceptor(
+      GURL("https://cert.example.org/cert.msg"),
+      "content/test/data/htxg/test.example.org.public.pem.cbor");
+
+  // Use "real" CertVerifier.
+  SignedExchangeHandler::SetCertVerifierForTesting(nullptr);
+
+  embedded_test_server()->RegisterRequestMonitor(
+      base::BindRepeating([](const net::test_server::HttpRequest& request) {
+        if (request.relative_url == "/htxg/test.example.org_test.htxg") {
+          const auto& accept_value = request.headers.find("accept")->second;
+          EXPECT_THAT(accept_value,
+                      ::testing::HasSubstr("application/signed-exchange;v=b1"));
+        }
+      }));
+  embedded_test_server()->ServeFilesFromSourceDirectory("content/test/data");
+  ASSERT_TRUE(embedded_test_server()->Start());
+  GURL url = embedded_test_server()->GetURL("/htxg/test.example.org_test.htxg");
+
+  // "test.example.org_test.htxg" should pass CertVerifier::Verify() and then
+  // fail at SignedExchangeHandler::CheckOCSPStatus() because of the dummy OCSP
+  // response.
+  // TODO(https://crbug.com/815024): Make this test pass the OCSP check. We'll
+  // need to either generate an OCSP response on the fly, or override the OCSP
+  // verification time.
+  content::ConsoleObserverDelegate console_observer(shell()->web_contents(),
+                                                    "*OCSP*");
+  shell()->web_contents()->SetDelegate(&console_observer);
+
+  NavigationFailureObserver failure_observer(shell()->web_contents());
+  NavigateToURL(shell(), url);
+  EXPECT_TRUE(failure_observer.did_fail());
+  NavigationEntry* entry =
+      shell()->web_contents()->GetController().GetVisibleEntry();
+  EXPECT_EQ(PAGE_TYPE_ERROR, entry->GetPageType());
+
+  // Verify that it failed at the OCSP check step.
+  // TODO(https://crbug.com/803774): Find a better way than matching against the
+  // error message. We can probably make DevToolsProxy derive some context from
+  // StoragePartition so that we can record and extract the detailed error
+  // status for testing via that.
+  EXPECT_TRUE(base::StartsWith(console_observer.message(), "OCSP check failed.",
+                               base::CompareCase::SENSITIVE));
+}
+
 }  // namespace content

content/test/data/htxg/prime256v1-sha256.public.pem

 -----BEGIN CERTIFICATE-----
-MIIC2DCCAcCgAwIBAgIBATANBgkqhkiG9w0BAQsFADBjMQswCQYDVQQGEwJVUzET
+MIIC1TCCAb2gAwIBAgIBATANBgkqhkiG9w0BAQsFADBjMQswCQYDVQQGEwJVUzET
 MBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzEQMA4G
-A1UECgwHVGVzdCBDQTEVMBMGA1UEAwwMVGVzdCBSb290IENBMB4XDTE4MDYyNzAz
-MzkzNloXDTE5MDYyMjAzMzkzNlowNzEZMBcGA1UEAwwQdGVzdC5leGFtcGxlLm9y
+A1UECgwHVGVzdCBDQTEVMBMGA1UEAwwMVGVzdCBSb290IENBMB4XDTE4MDYyODA1
+MTUzMFoXDTE5MDYyMzA1MTUzMFowNzEZMBcGA1UEAwwQdGVzdC5leGFtcGxlLm9y
 ZzENMAsGA1UECgwEVGVzdDELMAkGA1UEBhMCVVMwWTATBgcqhkjOPQIBBggqhkjO
 PQMBBwNCAAQJBifccM8+G0y/aHPKMjsTcVTz0SOfNO28t304/nkYsCxoT8UJNZvH
-qso7EXs7iM/Q3c+wjOv6dPWUiLH4enG6o4GNMIGKMAkGA1UdEwQCMAAwEwYKKwYB
-BAHWeQIBFgEB/wQCBQAwCwYDVR0PBAQDAgXgMB0GA1UdDgQWBBS6dTuFdAI6uyls
-w3cyH3FXfh9g+jAfBgNVHSMEGDAWgBSbJguKmKm7HbkfHOMaQDPtjheIqzAbBgNV
-HREEFDASghB0ZXN0LmV4YW1wbGUub3JnMA0GCSqGSIb3DQEBCwUAA4IBAQACOzDf
-yCMxIJdPuBrZfL9UkWjhrxOysVl3Q0VsvNYCEeNO9PZdI9QCmNVo4KezyzBe9WY8
-XWcJTDTqRbzPxACfeG/kOnhXcZ6wrqPTAdojkNZxvv3K1ifl4/Z9gDbaSgyIsm0I
-czIPdWOqO02gHljAOE+6XmwZGkYg2B8jDwAUHhHMPLT4Pnmoe69pG7yJqYe2vuh4
-03m+guyB01AsGBNVxKAy5c1+85s6zwhgSXEwKHn2AYbLvlUihMQ9GgD7DHlaA3ri
-JSyGL6qtz/nfnw8hpETNVCHZ36Q59hLDDtMqhxJrvfGNnfX/nmrYQDX8Kres1YDY
-dfEOdDHYpHygtkdb
+qso7EXs7iM/Q3c+wjOv6dPWUiLH4enG6o4GKMIGHMAkGA1UdEwQCMAAwEAYKKwYB
+BAHWeQIBFgQCBQAwCwYDVR0PBAQDAgXgMB0GA1UdDgQWBBS6dTuFdAI6uylsw3cy
+H3FXfh9g+jAfBgNVHSMEGDAWgBSbJguKmKm7HbkfHOMaQDPtjheIqzAbBgNVHREE
+FDASghB0ZXN0LmV4YW1wbGUub3JnMA0GCSqGSIb3DQEBCwUAA4IBAQCi/l1E+JDK
+/g3cLa5GD8vthZJuFwYEF6lGaAj1RtZ+UwbtRs1vnkJbEpLD1xX5rKXAdWT5QI99
+yK6gXbbicaJmw0KjeE0qizTT1oEfavQu7FtJZ4gfBjIHLsk8PVqHI3t8hf/pJwOd
+n+E79k3qQ2w1IeeVFZXJfnjhOsxHp2NTbeY+ZnbWsTSyUiL81n5GkuyKNDeZkoXi
+x5M6kp+6ZZJHJvLQFp4CqhU+wvM2lvP5mYYDcSlRnlti+N8xwDUb/yGR0UdNx76K
+7uFRoc8R1W8e4kFvU2NHkrtVbaLL6m+/vHE2LehVPh0QQT34Fv0QugYm+iYNToCT
+k5bUo19UY4w3
 -----END CERTIFICATE-----

content/test/data/htxg/x509.ext

 basicConstraints = CA:FALSE
 # OID required for sxg since d54c469
-1.3.6.1.4.1.11129.2.1.22 = critical,ASN1:NULL
+1.3.6.1.4.1.11129.2.1.22 = ASN1:NULL
 keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid,issuer

net/data/ssl/certificates/can_sign_http_exchanges_draft_extension.pem

 -----BEGIN CERTIFICATE-----
-MIIDazCCAlOgAwIBAgIJAIymUztkzWQvMA0GCSqGSIb3DQEBCwUAMGAxCzAJBgNV
+MIIDaDCCAlCgAwIBAgIJAL+mLJGnpUF1MA0GCSqGSIb3DQEBCwUAMGAxCzAJBgNV
 BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBW
 aWV3MRAwDgYDVQQKDAdUZXN0IENBMRIwEAYDVQQDDAkxMjcuMC4wLjEwHhcNMTgw
-NjE4MDM1NjMxWhcNMTkwNjE4MDM1NjMxWjBgMQswCQYDVQQGEwJVUzETMBEGA1UE
+NjI4MDU0MzM2WhcNMTkwNjI4MDU0MzM2WjBgMQswCQYDVQQGEwJVUzETMBEGA1UE
 CAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzEQMA4GA1UECgwH
 VGVzdCBDQTESMBAGA1UEAwwJMTI3LjAuMC4xMIIBIjANBgkqhkiG9w0BAQEFAAOC
-AQ8AMIIBCgKCAQEAq3WemlGl/h0AYRAiQeLWG51rXk2ayySal/Dp9ovOsKqLarcZ
-JJiNFWhq71Aw3Mqu5pzdN10BMBIxSoBQXWU28XcjiZtIhqhQYyKUmEHJtkas3p4a
-V16MeG2SciwF9XpqBR8BGOTxsGclH1+qK0UgnCeLfwYjqxyATSl2UJF+ZeHvLaYl
-Z1MfuMUzt2mTILxg/7dblHuFcFiPvjcfNiQ6RdxC7y2SBnPL2us0AgJKm3n1/w5S
-zlf5PYccat7qdYe9BgQGWDa9pMQKGO6+9rm7SI8bt2cdUgnqS3ODHV5y5SnS3IjF
-KGBNujSyhIsJqNExjTKRw3nfI4E7b8NPO1mJCwIDAQABoygwJjAPBgNVHREECDAG
-hwR/AAABMBMGCisGAQQB1nkCARYBAf8EAgUAMA0GCSqGSIb3DQEBCwUAA4IBAQAM
-QDGGqhPiwz1OpJjzYBX5ruUu42mlxkkqdVKnEceLi9c4L1lFSpSSoowxWcpeBelG
-mqXxwVTYkrpN5+4sUexMBcIt8Lsd+po0XPN/JY9Tr2xC10jzQ+7fYaXH9l+38OaP
-Ne4lWjpgF2eUizJweFTugivnU1+7oRYoP9FibN7Oa/CX50eZL5onLkHka8LeOToF
-BlRIrk75U3JNyS+X5jN194tEJ+W0ZYGr955CTOpAmRH90pWcbUO991Zbuj2Sjidb
-WE7SHqatZ1wf7YNDN+hXYHOMl2YuiZ8Y7jQXJnXv5SW3EKKaPIv1kuOEOSXQcZ1Y
-jHLdGk8wx0wnZclbn5LK
+AQ8AMIIBCgKCAQEApHXhhcN/ztDSl5gCN4kKnu0BvMIJuePoHQPK+tSKoZ/KJJlf
+dJXh28dPtkCH/Niyuk/n6noyxFnVZe0oPiSS8YxPJl1mq4EBpojxNiag2CxmTtd+
+KpIkVnxxR9sm9gOtkYoWjKS4ZZrMP/NscDOJczWxa4t/J56S+y5Ai0eO+FnA2muh
+S0wM0hzTMliB8wziEwrwdG/ALRrq41VP+7ENhrEm0XfQR0HAu6E2EcniG582k6Gk
+4K3BhKCA5pPT/wD2F3vtthGkhr6/zNGdHlD3ak/6W8lBpu5m0ZMw0DXDa3AGx8+J
+bHC2wensrIiBfPqIWeLZaV5DGw33h0di1FOqtwIDAQABoyUwIzAPBgNVHREECDAG
+hwR/AAABMBAGCisGAQQB1nkCARYEAgUAMA0GCSqGSIb3DQEBCwUAA4IBAQAO69by
++kSrwuURVR2oWiWPzL6uFmQ3B6hK9Y1xL1EQDfwQdp734J7lvM+HqtQocwkt9Bu3
+FYnkELXve2QM5eyDtp56NJ6hGuavMFucvBuW26xYmOaeQVVR2TEJDJ8aVZ9j+eRc
+UninLwe/tS8bVDgyhVMyAZNRSRNLYcJ4tj69zI5jFfNMOYXFdIkLH43OmS3YDJxZ
+LG04e+kGlVYRRhnxbIQwhpnJen7Xrch9s7knLbnWrBnY6p+zHKFXLZU4xEa0i+Oh
+nq1J52iUIjJJyCQrNCRergz1BW+8Nupz1f86VHS7eAAdq28//fAiguO+AHCrDIaL
+DXQBKUctVk5MY6i7
 -----END CERTIFICATE-----

net/data/ssl/scripts/ee.cnf

@@ -67,7 +67,7 @@ subjectAltName = IP:127.0.0.1
 
 [req_extensions_with_can_sign_http_exchanges_draft]
 subjectAltName = IP:127.0.0.1
-1.3.6.1.4.1.11129.2.1.22 = critical,ASN1:NULL
+1.3.6.1.4.1.11129.2.1.22 = ASN1:NULL
 
 [req_localhost_san]
 subjectAltName = DNS:localhost