Emit a warning when NS Server Gated Crypto is used in place of server auth in a certificate chain.

Netscape Server Gated Crypto (2.16.840.1.113730.4.1) is a deprecated mechanism that is still in use by some unexpired (intermediate) certificates. It is not part of the RFC 5280 profile for internet PKI. This change adds a warning for the chain(s) in the certificate that are relying on nsSGC in place of server auth. Bug: 733403 Change-Id: I2994f7f5e2981eecf24bb9839e266d4292cad7f8 Reviewed-on: https://chromium-review.googlesource.com/593207Reviewed-by: Matt Mueller <mattm@chromium.org> Commit-Queue: Eric Roman <eroman@chromium.org> Cr-Commit-Position: refs/heads/master@{#491141}

Emit a warning when NS Server Gated Crypto is used in place of server auth in a certificate chain.
Netscape Server Gated Crypto (2.16.840.1.113730.4.1) is a deprecated mechanism that is still in use by some unexpired (intermediate) certificates. It is not part of the RFC 5280 profile for internet PKI. This change adds a warning for the chain(s) in the certificate that are relying on nsSGC in place of server auth. Bug: 733403 Change-Id: I2994f7f5e2981eecf24bb9839e266d4292cad7f8 Reviewed-on: https://chromium-review.googlesource.com/593207Reviewed-by: Matt Mueller <mattm@chromium.org> Commit-Queue: Eric Roman <eroman@chromium.org> Cr-Commit-Position: refs/heads/master@{#491141}
c8c2d6a7 · Eric Roman · Commit Bot · 058ca543 · c8c2d6a7 · c8c2d6a7
Commit c8c2d6a7 authored Aug 01, 2017 by Eric Roman Committed by Commit Bot Aug 01, 2017
22 changed files
--- a/net/BUILD.gn
+++ b/net/BUILD.gn
@@ -3662,6 +3662,14 @@ bundle_data("net_unittests_bundle_data") {
    "data/verify_certificate_chain_unittest/intermediate-eku-clientauth/chain.pem",
    "data/verify_certificate_chain_unittest/intermediate-eku-clientauth/clientauth.test",
    "data/verify_certificate_chain_unittest/intermediate-eku-clientauth/serverauth.test",
+    "data/verify_certificate_chain_unittest/intermediate-eku-server-gated-crypto/sha1-chain.pem",
+    "data/verify_certificate_chain_unittest/intermediate-eku-server-gated-crypto/sha1-eku-any.test",
+    "data/verify_certificate_chain_unittest/intermediate-eku-server-gated-crypto/sha1-eku-clientAuth.test",
+    "data/verify_certificate_chain_unittest/intermediate-eku-server-gated-crypto/sha1-eku-serverAuth.test",
+    "data/verify_certificate_chain_unittest/intermediate-eku-server-gated-crypto/sha256-chain.pem",
+    "data/verify_certificate_chain_unittest/intermediate-eku-server-gated-crypto/sha256-eku-any.test",
+    "data/verify_certificate_chain_unittest/intermediate-eku-server-gated-crypto/sha256-eku-clientAuth.test",
+    "data/verify_certificate_chain_unittest/intermediate-eku-server-gated-crypto/sha256-eku-serverAuth.test",
    "data/verify_certificate_chain_unittest/intermediate-lacks-basic-constraints/chain.pem",
    "data/verify_certificate_chain_unittest/intermediate-lacks-basic-constraints/main.test",
    "data/verify_certificate_chain_unittest/intermediate-lacks-signing-key-usage/chain.pem",

--- a/net/cert/internal/common_cert_errors.cc
+++ b/net/cert/internal/common_cert_errors.cc
@@ -40,6 +40,9 @@ DEFINE_CERT_ERROR_ID(kSignatureAlgorithmsDifferentEncoding,
                     "than TBSCertificate.signature");
 DEFINE_CERT_ERROR_ID(kEkuLacksServerAuth,
                     "The extended key usage does not include server auth");
+DEFINE_CERT_ERROR_ID(kEkuLacksServerAuthButHasGatedCrypto,
+                     "The extended key usage does not include server auth but "
+                     "instead includes Netscape Server Gated Crypto");
 DEFINE_CERT_ERROR_ID(kEkuLacksClientAuth,
                     "The extended key usage does not include client auth");
 DEFINE_CERT_ERROR_ID(kCertIsNotTrustAnchor,

--- a/net/cert/internal/common_cert_errors.h
+++ b/net/cert/internal/common_cert_errors.h
@@ -108,6 +108,10 @@ NET_EXPORT extern const CertErrorId kUnacceptableSignatureAlgorithm;
 // What constitutes as "acceptable" is determined by the verification delegate.
 NET_EXPORT extern const CertErrorId kUnacceptablePublicKey;

+// The certificate's EKU is missing serverAuth. However Netscape Server Gated
+// Crypto is present instead.
+NET_EXPORT extern const CertErrorId kEkuLacksServerAuthButHasGatedCrypto;
+
 }  // namespace cert_errors

 }  // namespace net

--- a/net/cert/internal/extended_key_usage.cc
+++ b/net/cert/internal/extended_key_usage.cc
@@ -42,6 +42,13 @@ const der::Input ServerAuth() {
  return der::Input(server_auth);
 }

+// In dotted notation: 2.16.840.1.113730.4.1
+const der::Input NetscapeServerGatedCrypto() {
+  static const uint8_t data[] = {0x60, 0x86, 0x48, 0x01, 0x86,
+                                 0xf8, 0x42, 0x04, 0x01};
+  return der::Input(data);
+}
+
 const der::Input ClientAuth() {
  // From RFC 5280 section 4.2.1.12:
  // id-kp-clientAuth             OBJECT IDENTIFIER ::= { id-kp 2 }

--- a/net/cert/internal/extended_key_usage.h
+++ b/net/cert/internal/extended_key_usage.h
@@ -23,6 +23,11 @@ NET_EXPORT const der::Input EmailProtection();
 NET_EXPORT const der::Input TimeStamping();
 NET_EXPORT const der::Input OCSPSigning();

+// Netscape Server Gated Crypto (2.16.840.1.113730.4.1) is a deprecated OID
+// which in some situations is considered equivalent to the serverAuth key
+// purpose.
+NET_EXPORT const der::Input NetscapeServerGatedCrypto();
+
 // Parses |extension_value|, which contains the extnValue field of an X.509v3
 // Extended Key Usage extension, and populates |eku_oids| with the list of
 // DER-encoded OID values (that is, without tag and length). Returns false if

--- a/net/cert/internal/verify_certificate_chain.cc
+++ b/net/cert/internal/verify_certificate_chain.cc
@@ -178,6 +178,18 @@ void VerifyExtendedKeyUsage(const ParsedCertificate& cert,
          return;
      }

+      // Add a warning if the certificate contains Netscape Server Gated Crypto.
+      // nsSGC is a deprecated mechanism, and not part of RFC 5280's
+      // profile. Some unexpired certificate chains still rely on it though
+      // (there are intermediates valid until 2020 that use it). See
+      // crbug.com/733403 for details.
+      for (const auto& key_purpose_oid : cert.extended_key_usage()) {
+        if (key_purpose_oid == NetscapeServerGatedCrypto()) {
+          errors->AddWarning(cert_errors::kEkuLacksServerAuthButHasGatedCrypto);
+          break;
+        }
+      }
+
      errors->AddError(cert_errors::kEkuLacksServerAuth);
      break;
    }

--- a/net/cert/internal/verify_certificate_chain_typed_unittest.h
+++ b/net/cert/internal/verify_certificate_chain_typed_unittest.h
@@ -140,6 +140,16 @@ TYPED_TEST_P(VerifyCertificateChainSingleRootTest, ExtendedKeyUsage) {
  this->RunTest("target-eku-none/clientauth.test");
  this->RunTest("root-eku-clientauth/serverauth.test");
  this->RunTest("root-eku-clientauth/serverauth-ta-with-constraints.test");
+  this->RunTest("intermediate-eku-server-gated-crypto/sha1-eku-any.test");
+  this->RunTest(
+      "intermediate-eku-server-gated-crypto/sha1-eku-clientAuth.test");
+  this->RunTest(
+      "intermediate-eku-server-gated-crypto/sha1-eku-serverAuth.test");
+  this->RunTest("intermediate-eku-server-gated-crypto/sha256-eku-any.test");
+  this->RunTest(
+      "intermediate-eku-server-gated-crypto/sha256-eku-clientAuth.test");
+  this->RunTest(
+      "intermediate-eku-server-gated-crypto/sha256-eku-serverAuth.test");
 }

 TYPED_TEST_P(VerifyCertificateChainSingleRootTest,

--- a/net/data/verify_certificate_chain_unittest/intermediate-eku-server-gated-crypto/generate-chains.py
+++ b/net/data/verify_certificate_chain_unittest/intermediate-eku-server-gated-crypto/generate-chains.py
+#!/usr/bin/python
+# Copyright (c) 2017 The Chromium Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+"""Generates certificate chains where the intermediate contains netscape server
+gated crypto rather than serverAuth."""
+
+import sys
+sys.path += ['..']
+
+import common
+
+def generate_chain(intermediate_digest_algorithm):
+  # Self-signed root certificate.
+  root = common.create_self_signed_root_certificate('Root')
+
+  # Intermediate certificate.
+  intermediate = common.create_intermediate_certificate('Intermediate', root)
+  intermediate.set_signature_hash(intermediate_digest_algorithm)
+  intermediate.get_extensions().set_property('extendedKeyUsage',
+                                             'nsSGC')
+
+  # Target certificate.
+  target = common.create_end_entity_certificate('Target', intermediate)
+  target.get_extensions().set_property('extendedKeyUsage',
+                                   'serverAuth,clientAuth')
+
+  chain = [target, intermediate, root]
+  common.write_chain(__doc__, chain,
+                     '%s-chain.pem' % intermediate_digest_algorithm)
+
+# Generate two chains, whose only difference is the digest algorithm used for
+# the intermediate's signature.
+for digest in ['sha1', 'sha256']:
+  generate_chain(digest)
--- a/net/data/verify_certificate_chain_unittest/intermediate-eku-server-gated-crypto/keys/Intermediate.key
+++ b/net/data/verify_certificate_chain_unittest/intermediate-eku-server-gated-crypto/keys/Intermediate.key
+openssl genrsa 2048
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEA0UFAb8slBdkp0KPH/i/wU61GNhmqsR8/eqLg+wMrd2Vqeevz
+oxYTNIM7Qt6iu+K/2NJ1PUg4hrsqfRSjiPd8APQKa2uqm0QkYv7bo0JVFWcqMv+y
+TYCT0ITvG9x8rFYtVAgC9hhutYCod1IfuCwJbcz4HASRYm4e3R2JsvEjC01MbNpJ
+PWGDcg9mNhI/8/9TUnNToco4vcNIv3ovExnXwijhbzIAXmSsSwV6d2JXValZg9Xt
+oy4oNHF5L7nDnt+zKrFZzQQAHYsRVq7GZ/ZPHVgHZeCwL+9Xbd7BoHxuOKhFJiGW
+4PbvDijPAXBX3CAVCK3o45h0jFQywSgX4N6hiwIDAQABAoIBAQCfjcSHOXtyWSLE
+Ho3Y6E60TvOxPqLjSTNK3DT10HXtJRwp+Nqd6LAeI04lb8LfxkaIGfkhEBdhzAba
+tsj3H9WimHH1dHPyzeN8xF1Ov75GgpIvrr4S0E5k+Wekc9twQIlxgGZZpUmNBZvu
+12SuNo299kLcgjMkvVi1OteK5MjWzOiqEw8BJPDBXJlmdPo0YIOxTR2+H+xHpuwo
+aMf7siXmryJ1uh7gOo8N6U1X0GpQ5UzmirU1vfauV81YYjc7EreenqvDye2D50wA
+tWTLpv36txOwWrpUJiEk2a2SlkTlAFOb3vDbYwrvf7XHkX4YKEt4d4jjbB9GlTOD
+al4OsJZJAoGBAPs9xCqsnhecW4JlQYxpMZ4bPRCn2dxI14aDUoterDSg25r12E38
+Ph9fM9FGBB2pprLGj+nJxfHocLcmLCzBAfblky14wafm7F2Xp9IyprcB5Jri/FXI
+FGckOD9iFzF+3UzzGnnUdpNJyqRhOpsrCk636Ut6T9DWhq8/szM9vP+/AoGBANU3
+5jq9pBBksCletuiuU+IdRSyjkTxabdOqsDnjK2ol7C8ajpvgW54tlKuumGAeQ8vL
+a4bWEOYtWtjVZfsA//AeK+qG/6b1nEJK+Cat9T4Bg1LRQDb7IMihgVL2ZJWJRFWv
+refYKP3qnyzE5A/I0+8PNlld5KUmS6aylJEvhE1AoGBAKKqmxgGK1WeJqGGbao7
+caSsfh0KkEPP5btxyz/xTA3HGGh8RFA5wP8O5L3aV0/dR9D4PrVfromxtUjfrjpL
+vLneaixGwxuyp9bxGfc+VDKpRxoBXN8tbAhbqw9esyWYvi/UNpAqv5sda9aCHS/Z
+7hKJgMMdrg/I1eshkyTaFESBAoGBAL9H2MmV3BvA2LEkgV8ZFbPiom47h03nqmOb
+22DzRb2Cq/JOFuYMTuUG6zth9N02CYhIw/xBCwQUaE3ilAyshu85ghhyZ+O2sCpg
+62J36W1pGhEwHDW28WBMU6LD3NSyQpXEvF4DI0W2KEKavNBJdDpSGxzFBJKBsTK4
+Nw27EfCJAoGActUtucQW5DM9EG3IaHBMM8jl/TBX3Le8UrKbnDpzglkbBeqw8WIa
+pwol7FbBpgkjF2F5fqF+Sd5OWCyHVglzrDSPPc72v8oDnJmX+708Z6YftHRLW4Z4
+m4YhijjwjfCLBFgtNLAh4dRM+t5qPjTA5hyyh8hb9UvuSv5Fd23aKTI=
+-----END RSA PRIVATE KEY-----
--- a/net/data/verify_certificate_chain_unittest/intermediate-eku-server-gated-crypto/keys/Intermediate_1.key
+++ b/net/data/verify_certificate_chain_unittest/intermediate-eku-server-gated-crypto/keys/Intermediate_1.key
+openssl genrsa 2048
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAmiEQk5F7dQ2osFGhuCyHuRyfY2N69QOjiUxetQPpUDLC4jBo
+nhbs7nAVdEcPzepdYSgdCz83OYOu8GQFgxXmLcvpaR2YvTrPJfYhos/oV6y7lzJm
+UbvDP0z56KwnMADl4/Vk8eTyeZNqVvaZKIHyIxOsl+I50ICRjvLFMM1GcTyIygO1
+dKLc2+GucCpCsZm41UhgLx7a0x8ni2wSQD1d6w3o8OPwSovNdGLoBkTK2F4qbQlN
+e45HHAQS2urlb2xBLCMdOYPQRKV8xhMObHMqBnFPZbqxXtvT7MquQF4kh2MtrkvV
+9kwl/D/ZbpZlyLKLGqPtM7Q688xKxfxmgT+JWQIDAQABAoIBAEYA2oyLuS0TBRkA
+GpmR8BsNev8jQcdi3bYQb7t7iU6Zn5YoMnwLIZWyZqwnUnBOEBd+pqJjFewTeTNJ
+2o8NNTx7rwnFHYhk24z8W46dK4QWuiUUCRD6XNW1WpRpDGtrHP8Kh8yuFctOPzA8
+VJfnXVi9KNjbMTMYEgSBEzr1IRdwmKVelzMkizWd7Sdd8KjpyzwwuuuYCK8rFaT9
+aGUUIj1chMJ3SPK3H1mo+V6KHralgyf2+1j0hnDVvTEoP/a2sT0y+X2+4pIdrve+
+ZDP3E7gle6jWhDI6JE/nUUMfC0CkZT3lwJk4e90VV9CpreNNYL8S6myMhYuzJwAu
+BSgUUTkCgYEAyKPvKtIDDznLAWqMS8GAexbNRk8GMBA+Z8L3XOzmEShQeGvOJFxm
+KNnGUkv9jybGz+ZTsKocItVedzAuQ81YEUmNzqrPJegAl917tV0p1tI/b+qn+Hjf
+uWmBvpTcTfc3c/5DpmUcWpIaFimv8/q7GnNr31O10gpqPc9K3D/X9GcCgYEAxKfZ
+knsq8BFeQlTM3vyrIys99bMBOEvrQHqhWYmoHX9FlUUC++Lc2TbuFzyl07VFL9r+
+CLPK8AZ8ewvkVqV6nlC8S5NUWvRI03RjTHLMp/WFl1IMMbpTfxGJ+s/z/zG5W6Xt
+MYUImg1N4nRGjt2S885AJJWtlRB1EZiuo4oz/D8CgYAbkyQ4n1paSlgTHsCfXL26
+rPyTUCMKkgDxo8L5W3mXHBJLKo3PQ3+q15tBDj6P4QVr5zzTR93MD8UG3nFNUjhr
+T8+Uerczf3otZPwuhdpNMuITEI37QSmGQvDY736DnJlbcLN9d+H4tKGvMBWFk40J
+apmFvOx9LH9DdWzVblTQuwKBgQCfcPM/Byt97qb8oqJkHHlojzOyFErl6O+4nHRb
+EvfByqGQ754GuR2T4yxQnLRaHHsW3LfgOF1OFAQzAyZDdfEfkJfJso7PG4Y8Iv4r
+SlxRxQdl83i9jLMLsB2tw5KxEhCVlMblwlWCCU1fUCSwykbN8yggQVa2J9yywpa9
+M10IowKBgQCPm3FySw0oH5VP0uj1J3kntDd1yNbzXfs+FC8bxIJ1P71AyOzdPAiK
+vHwhGiMjGeMMwliHTIjmptiw5JMAGsek5OpSia6qxnCdXwrvWZ2n1CleXVp9RvyK
+NUaWTRW0MUfoE2N1MrGwM20BswQSOZr7RCNPSnwDK2cE5BlPJFcZeQ==
+-----END RSA PRIVATE KEY-----
--- a/net/data/verify_certificate_chain_unittest/intermediate-eku-server-gated-crypto/keys/Root.key
+++ b/net/data/verify_certificate_chain_unittest/intermediate-eku-server-gated-crypto/keys/Root.key
+openssl genrsa 2048
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAw5Zmx+f9IRTs30oFGowi2o8+t47Kot7X4wgFzSgc2tSZuq3e
+kgdEGFXntUFrOGQYBqtsuK09uE7I+oz8WCwsqEIIKLSFKqpX4qh2Sm7+OC/RFMZS
+bwWkiVTCD/CTgwm3VVaUe1dlhwndYeoaAjwkpcwt03wK3C5non+RrbR2dgKsf4Vf
+YYYMYBWggn+FFvQQjUkn5DNYdVVrWqvH0b09qDtoG7TeaInEh/6HBNRS84/6LkR5
+wWJGt4hMu3Vh/ebFavuoO++n5hoeRC1hp05jXma494VgdIvqIIKEhHH1HcYMwu4R
+eAGuRFrje5cuAdAYkXcBI3/SIXP085qUrZMuoQIDAQABAoIBAQClr91176LRyYY4
+Sd409Q35lGuO2Bn1C05bd0pi115KStvH9s6baihXbT6Sn86SwMhRrhq1/5xPa/55
+scF7eECEcRu0T+iXkiJNUmSS/Z/CPU+jh7YBcwhFhlW3ZxevZCW411WFfy30zXiL
+H+PUjNqG0YbopyYUDAOi9uqT+lJ3+KGzDV2ZMEC5FvPAYqybS2HWUWMkDsQWypf/
+AmngsckZKf0LtL6d2x27YXlA0DBkPtE5BHbIO1IwY6qBaVIvoxK9HNe9M01yjv/a
+mmnvYuK/oksi+cwkYuCxqSx9gLuKyYRQl6dDXMzZIEpmyevOh1qZ4Sc/b/E5QYaf
+R1qeK6mhAoGBAP4jb1mz32vBwTmIWaVE/VF1/Zg/UsFDolUoOlq8gRv1AP+/qydF
+31yxhAQgTuoH9incoIfKhKUuwKSYdeozE5AK4zdpF0UK61BO7QJR7PcDB8KxSyp3
+DeVDOAh8dJAXp6cOBehm6XO3BNmNIMRlPX4GVFudiY7IspQxci21wLK9AoGBAMUF
+K7gW0A3ZgqEitu96y5vdCrjZ/3A0XvB9OWpWvfHcKR/M5o8IzGtLOfr7t7Yp60tt
+YeDFV4TyW1GuuYv8DCnM9OdNLGN0zgPo8EP9kmblHAOmYiD4zXtlMxr94sZBkdFU
+YxpJvx0BIA3T2H9bBl/Y9oD2sGbPVNeQlEZxhHu1AoGAPSQbSvJ6YvtXWFcUci15
+4FpJq5I4f6Sc7m3iNCg7y5UTK3RaYfVuemd+wltfgPBvabzZpjGz3eW0lSTU4YZu
+Q25LIe6XmZW57TU/0hoRr4+8EzwCQHIqFqkoVupSRMRcIlW+WB5CNgOnGAvbAUT2
+GVa+ftgU2xQv2nVW6eZbOOUCgYEAlxZ6CnhkINrW1F9czpXqoqKGYG+89f0TeXVu
+nF/c1icx2lM11Ca5LObJlfGHVskaygMd9lMf5LI+2YsWe4VUhpHIlcCW88ZVXqY5
+6soAhavZKetkgUiLu79Fy8M7LzKFcnQ2c6huSP3d6Py2oCPb5ZDqqMeFS7Jfq9gR
+/Vt8b6kCgYBSLtyqxhc7YsQZMmLOSHG2VX+Arcn2D/mvHaY1bWYklM230/7zBNhu
+Vqy9Iia4W884pSz/g/WpVRX3xWuCjg4Hx/VCEM+4EL8GNq3VDoJ+8c1F5vzBgELR
+zaMgUu0rh3a1YBcDf3vTURmyphKjFj41gb2+WidlvrsnyJowGCm7wg==
+-----END RSA PRIVATE KEY-----
--- a/net/data/verify_certificate_chain_unittest/intermediate-eku-server-gated-crypto/keys/Root_1.key
+++ b/net/data/verify_certificate_chain_unittest/intermediate-eku-server-gated-crypto/keys/Root_1.key
+openssl genrsa 2048
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA4rBTBYCEpGLXApaVVa1jyc3XRkEay7cNbHB1BebqqPZk3Z64
+96PaBVAUrQv9H41/0APO7H3e817ri/DbmHDMwsCp9yznJwSleRBHbaeAIroOCyjl
+KvFpFKLdpKisZ3ag24t4wAt+LJxl9uVAt8DKs/AedGl3RTjhjN7JH/xnKO4irk09
+jGtjYp+/72d95u6k10HCYsXyPEmv+UR0tKcm+L3tV+ztFixCdz2FaehIftdwBSG5
+FZYLWl2s7mRGG0zrWLD9SP7BAufQwAtSqudRnJORRgXtIy7DCw5QDm44rDFpfXDS
+QN19QT4IMXjG41cdxVPnkW3evN4/LnLe4qBjCwIDAQABAoIBAFQZypNN/Ofn65EA
+QOMKcu0ZuvZLjR9rCEXk6uWHqCOLVhyKmGD3nxk9fo481mnwWyzXXNuMTzzHSGgg
+sbe6kZznUadsN03YgXOKwJVEAVvg3vjw8SSfb7bCPayrD1tLPZ51/hRxrxvp4kJZ
+B0uk8Q8U1Jen0SITWkqjFMcTI0qha6GSuZOvE96cVEnog82LO1p3R4Ue3JTeaX5O
+ZqDPJwg0QFUbPsfnaLRgiDcLlPloZGZQ/R49oIw/vu/u3bKrdFD23kAFr+cBgNy4
+VbrrDve2RLnNBCIRogP426dUXDladWt0tVquCxUh+okavwTimoD3LmJwKivGJykF
+cTDZqTECgYEA/rvAe9tBU85PuV0Z8c8c5o4QLg8h/QDCXMVYXY1lvcj0B3hoKxza
+WWIjBsu0P2D9+BivTJcZxlgqtBvxplIa1SdUWvpc2xfsig7ulA2TUTcOHekAV5Pv
+YaDXSMZ8xqGhgNPT1l2Qg7LovqohsHQZMPqP8sii/lZWzgwjGuHucO8CgYEA49Df
+5uA4vixOT34ECZN1wNZLpi32yBD7OTW7/AoHkRO0f17RTdlUxJdq2FQqhGu6XjnB
+tmTkbzBQClMSLuZZPm4PIOBabbvMFkGpYpQjfEru7LgJVUz7JvvMsLs8DtymHeBn
+gnQvU/HiJYIlfsJG4YfY1NKUHqtM7vaW1WS196UCgYAmHFbu8N20OSCqXeh8yfzL
+7aM0EOWH4a4yjP/sdzQqkb8YwwXqtVVhnBIbeSyNcuhsTt0jO1QK3bP94FRmCtCi
+5VB0kBKGYOztttAw7FsHApKlHPAFKkfdNmAfLjsKyLHOAWMnJjZxzbmOlQuXR7dh
+IYuZyjTAkpBIIX67DeRLlwKBgQCi6bHUFrA9Ps3ZhtI4Tt08Q4LhmakKtSoSZVzD
+BiEXHDJNi2697xbxZx6fCMFG5QrnawId/tRktvXmDDXKmCtlu6rR5d6E7nEp0Vbi
+CfG+Zo+pdIooF97ap+Je1+ZA8oVQhDNBVPirXSRNkl5h4Whyy4TB3LzTmchwcqK2
+g0iliQKBgQDkokLu+1M/pxz4blyTPELmbRELTMWIBOMV3JyxktooS3ZyG+gjeW8Z
+rQcLWCrzPX1H9UInvldY96NniDPm9MZyjBfmybEIb8gtStNl61YrQEvxCKpcNhSD
+My91SJQ9nnh0yXAD5DxwnVkVp0hv6tbM2F0vZhRr0cidombSBuzngw==
+-----END RSA PRIVATE KEY-----
--- a/net/data/verify_certificate_chain_unittest/intermediate-eku-server-gated-crypto/keys/Target.key
+++ b/net/data/verify_certificate_chain_unittest/intermediate-eku-server-gated-crypto/keys/Target.key
+openssl genrsa 2048
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAri6LGI33diyUDD+gtupwH17ISMWqrVVrvVVoDY7O5ZknxSyy
+mimpj47DxpeJbTHXpI/YNjdPM8fWQgMRCMR/NYzuDxt6MXQEqgHTHotbAZ1gS5zR
+jx6r5dyPF3dJ4/bVgqUvCujcn5YeKqFB0WcsnvN/lAxuz19VUjcF0Dk3Gm4R7dv6
+qpKnT1ApB2mvHaeZ+uFW8AM4sK5r5xkL3cMHMY6EBKW067i8I/NAsBe0q54/BZaJ
+/IQjzNEGwuSLxmX1JOtyMbxBfTrJVQgM7qauH3gX+Kede7GC9c6Ca6iyxoq5vqXY
+OfRJ4kxTMoUmU01EztU7oGvn2QKhWu/hpYGn+wIDAQABAoIBAAxviEDFigBm6F8D
+f+7vR/gFZVlEu43KhnmrClXFd2IPEDbUnR/Cj7ePIs0f7pDcOSAnoPEl+8Kfpt1p
+qKKunMJvAGQVuyCivt6AaNlKa8HuwXxEgvWr4+vyVkj/nEfpTI8aSgSGYZIHProe
+bzuLGTVz/wzL4nFtxgKrqP+XxiZdzUKadOHgkRbqEIyLq5ONhyhuzr6ruXgoT4Kh
+mmnrKPjTrQPA/igUysw4X0gojeO34byUxLCCkkSX1J/MWVqFvwAS6E3aQ6fkwNP
+vIH0BvqRPsCN/H0Vtmtux7fTfgZlb/tVpk+HQaFT81LyKVoyOBSRUS1Xlaus6tAj
+LykCnDkCgYEA2E2iWRf2498AlB12t9BcltgPCDW9GGAim42+d1EQyidwfEC3i/uk
+bB/jk3DYc3YmUBv1gTwcspTZS9GoQJnsOXd8HFN6Qj+lhxJXjCw2DtOeIubjYYvt
+7mWS4vmKhIN4H5MaQbceJlEyy/yTPPbAEbKgzPqVRJkWW7FnL38DpccCgYEAziX1
+RMMPJ21LEeYNcLJlZkb9Bz8zIiBpQPNXyZYMHXCKxDrkCVVkCjqpYb5IbXX4OsEK
+WtDdyHqgVS8kVd05pJV0m6dE/cLwC/3t9H5ZJ39837AQckMiiKDMxFf0K2xM9bd3
+JRUNVdDO3VV8z3aCPfR2Ne32bMvmciP7FWNmXC0CgYEAtgO+FZKg4ueIqRqSB+OB
+xj1RiOsPkC91b8g6+lRw+GtvsF8VFOpQVdwPuMZAnghR/R9J29Ilo/C1WaO3HYVo
+zoLJIVztiEnelGbO3NlnM9rHOz9nH3KMaQt4Kx8pfJDUyF0Uvy/EYyH4yMZlb+uD
+fGEABvzmFq9rrQT/e2w6OYkCgYAMx7+n7qve1uDDkE6fAQBWUepX66wg3n+H/k4f
+kRwAs0nkzsV9QxJsg9UNvbIinrEMbmRncdSKYANJ+oJxLhRIs7i44DcdpxpMenx
+sW+XikjUmVa7rrvSWp23QnipxIIU7bXeP6re+h4JDMa7Ge7DJoe5mjIf1phH1UE4
+tzveVQKBgQC6g1mIw/zEzE9C4M51bM+t9qyjDLHdJA+xBkdNoFhRUMf0+ZWqW/Qx
+LxB9H0gaZQLTkb2Q1ctl3mnXfigXTw15H0Yho6wd7Pkrs1uH5EInM9vFPeRAWzky
+YbjjCmkZnrhftpWrHISNdrcBR/Womab0AiIdZimr7thVvkvzLc0oNg==
+-----END RSA PRIVATE KEY-----
--- a/net/data/verify_certificate_chain_unittest/intermediate-eku-server-gated-crypto/keys/Target_1.key
+++ b/net/data/verify_certificate_chain_unittest/intermediate-eku-server-gated-crypto/keys/Target_1.key
+openssl genrsa 2048
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAyK+l2RVW3eyxQd00NkirWj8uahQWOB/CrSdk8nJUoYFznP06
+Nyxk+eIKvQ90mnDqnG7JZOmSpL+aMCyaj0zrEh5YCPVqS3LgqKkigcrNfHjNJJuQ
+in2sec9AqdD2pHjv/cOzndPqUe7H7fUrNlxQEb5EqSnN1nm8vVulRtGnhqWGKnP1
+uvn0XpyUnpWB7EL5g/FOpuvJoTzpl4DL7k0GRXWnONvyqRcSRvGZH0BIiaC9B0al
+qxED+6Usosm89wfln84kJj6hqKz+rQlkANnaPMgJw7zHZLmTwrk5TjygfJwU/OW9
+Hx78Tejlqp3/M+33EA5y2oF56R7zZQOwE3cwpQIDAQABAoIBAF9f6qfSlmf91vgA
+UpIB0z2ejUZoqW6e2XxFHpqCb2oaBYH0brhN5udC3+ud7sJ/K2CQ3jGRN9oIHRUL
+/aBg487GkPwg9hVJUS+WwgmBAktHdecR742B0HhLYOXTo4Pi3dtyKGi3j8LEgku6
+moDJOlxUWnkyntpxHJu5dEDF3qIELMsNDVZbh4OMi+ayA/aR8jX9RF4yOxf9oQfP
+QqYlW+gicJNTOQ7qFncYumVO4Kzfc+OVMou2g8V/vvjf8XfB8rDRkiI8rBlAhq8+
+p2lSsmb3g5Tc7SuNkMaPYWMRlQgmg2h+sBkXderF46CuKVeVuEwOAwLYSMWXPA5t
+ADP4UgECgYEA6PVBKWO5gFbrTafn5+1gtAzXmg6uyMxuvlE4ez11ywa9cCqEj5/T
+b06ifOYYpFDhV5ZL+tUBsKutOli6gP/fKaH8NPXM6UWpWNRkcPGU74x9iEq4nZSE
+OBMMD2tbn0UPAqRdQV1hMSHDhYUzkHRQpoZvSWa/d61dq+TnYYKPU0ECgYEA3Ik8
+AC1LBj5VkfaUhvA4pnyta7W5czn2lVuu6/38z1Q8KakQavVhYRtUgZ3uGyyZL7pB
+BiEYBpfCpfWSzo1IPmCEEqH2m6cMhnd20SnIsRLf6aRHXU/VH41quAL5yyLGudCq
+mvWThXyhqlRRLrz99W+lYiifT0ySXbp1lJINWGUCgYAmGD0QpKMoDo6qA0QUFChV
+KSh0o+QHKA8QBj4jQRirG64M0pcc2Xj84bIGlKYA8Mz4wrYoDX8aQeiw+uN8xtra
+dwfELVHV77NSuGC4a3j8d0/r4rQv6KJ6fPri5p5z/BoJR5GMZ9XF8AyGIBMfkzXB
+FYjLSwcSbgI8YtFHi88eQQKBgE2m9L2LNTOJl0/B5yJsS0Yz+ExIvHfaHP0SP1FR
+KUdHfbedk+5VYGh02xiYp1JiLb4kcujZlkAcB6mwAnVAQgPUsCxvYwoDk+F1Bx02
+/Td8UeNOuOIeTgjCHqWURqhEIn0jAC938O27qKD093DhkvpsyWr6qr2dVJw0H1qk
+4pYRAoGAKydTTMJl8lSxSH1+I3Onwx3O8qQ3D8xd6scv05G6P2CnxfQV5WqhEB5h
+HoyJYqy5QOyYQGESESQ67O1Z8ikGJuHCb3I9mQ5O/7WBBspjBMMABI7tPjIQol7p
+S2hx4D7ajXlCIxCQ/vKTv5aMNi4hAc+8ib6Ub0FRTPvLpIDhLoM=
+-----END RSA PRIVATE KEY-----
--- a/net/data/verify_certificate_chain_unittest/intermediate-eku-server-gated-crypto/sha1-chain.pem
+++ b/net/data/verify_certificate_chain_unittest/intermediate-eku-server-gated-crypto/sha1-chain.pem
--- a/net/data/verify_certificate_chain_unittest/intermediate-eku-server-gated-crypto/sha1-eku-any.test
+++ b/net/data/verify_certificate_chain_unittest/intermediate-eku-server-gated-crypto/sha1-eku-any.test
+chain: sha1-chain.pem
+last_cert_trust: TRUSTED_ANCHOR
+utc_time: 150302120000Z
+key_purpose: ANY_EKU
+expected_errors:
--- a/net/data/verify_certificate_chain_unittest/intermediate-eku-server-gated-crypto/sha1-eku-clientAuth.test
+++ b/net/data/verify_certificate_chain_unittest/intermediate-eku-server-gated-crypto/sha1-eku-clientAuth.test
+chain: sha1-chain.pem
+last_cert_trust: TRUSTED_ANCHOR
+utc_time: 150302120000Z
+key_purpose: CLIENT_AUTH
+expected_errors:
+----- Certificate i=1 (CN=Intermediate) -----
+ERROR: The extended key usage does not include client auth
+
--- a/net/data/verify_certificate_chain_unittest/intermediate-eku-server-gated-crypto/sha1-eku-serverAuth.test
+++ b/net/data/verify_certificate_chain_unittest/intermediate-eku-server-gated-crypto/sha1-eku-serverAuth.test
+chain: sha1-chain.pem
+last_cert_trust: TRUSTED_ANCHOR
+utc_time: 150302120000Z
+key_purpose: SERVER_AUTH
+expected_errors:
+----- Certificate i=1 (CN=Intermediate) -----
+WARNING: The extended key usage does not include server auth but instead includes Netscape Server Gated Crypto
+ERROR: The extended key usage does not include server auth
+
--- a/net/data/verify_certificate_chain_unittest/intermediate-eku-server-gated-crypto/sha256-chain.pem
+++ b/net/data/verify_certificate_chain_unittest/intermediate-eku-server-gated-crypto/sha256-chain.pem
--- a/net/data/verify_certificate_chain_unittest/intermediate-eku-server-gated-crypto/sha256-eku-any.test
+++ b/net/data/verify_certificate_chain_unittest/intermediate-eku-server-gated-crypto/sha256-eku-any.test
+chain: sha256-chain.pem
+last_cert_trust: TRUSTED_ANCHOR
+utc_time: 150302120000Z
+key_purpose: ANY_EKU
+expected_errors:
--- a/net/data/verify_certificate_chain_unittest/intermediate-eku-server-gated-crypto/sha256-eku-clientAuth.test
+++ b/net/data/verify_certificate_chain_unittest/intermediate-eku-server-gated-crypto/sha256-eku-clientAuth.test
+chain: sha256-chain.pem
+last_cert_trust: TRUSTED_ANCHOR
+utc_time: 150302120000Z
+key_purpose: CLIENT_AUTH
+expected_errors:
+----- Certificate i=1 (CN=Intermediate) -----
+ERROR: The extended key usage does not include client auth
+
--- a/net/data/verify_certificate_chain_unittest/intermediate-eku-server-gated-crypto/sha256-eku-serverAuth.test
+++ b/net/data/verify_certificate_chain_unittest/intermediate-eku-server-gated-crypto/sha256-eku-serverAuth.test
+chain: sha256-chain.pem
+last_cert_trust: TRUSTED_ANCHOR
+utc_time: 150302120000Z
+key_purpose: SERVER_AUTH
+expected_errors:
+----- Certificate i=1 (CN=Intermediate) -----
+WARNING: The extended key usage does not include server auth but instead includes Netscape Server Gated Crypto
+ERROR: The extended key usage does not include server auth
+