Re-enable EVVerificationMultipleOID test using a synthetic certificate

Bug: 1094358
Change-Id: I497c5de67f50a9727750704b578a4fa7f1f0d30e
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2386281Reviewed-by: Matt Mueller <mattm@chromium.org>
Commit-Queue: Panos Astithas <pastithas@google.com>
Cr-Commit-Position: refs/heads/master@{#803910}

net/BUILD.gn

@@ -1973,6 +1973,7 @@ bundle_data("test_support_bundle_data") {
     "data/ssl/certificates/duplicate_cn_2.pem",
     "data/ssl/certificates/eku-test-root.pem",
     "data/ssl/certificates/empty_subject_cert.der",
+    "data/ssl/certificates/ev-multi-oid.pem",
     "data/ssl/certificates/ev_test.pem",
     "data/ssl/certificates/ev_test_state_only.pem",
     "data/ssl/certificates/expired_cert.pem",
@@ -2001,7 +2002,6 @@ bundle_data("test_support_bundle_data") {
     "data/ssl/certificates/key_usage_rsa_no_extension.pem",
     "data/ssl/certificates/large_key.pem",
     "data/ssl/certificates/localhost_cert.pem",
-    "data/ssl/certificates/login.trustwave.com.pem",
     "data/ssl/certificates/may_2018.pem",
     "data/ssl/certificates/mit.davidben.der",
     "data/ssl/certificates/multi-root-A-by-B.pem",

net/cert/cert_verify_proc_unittest.cc

@@ -461,46 +461,46 @@ INSTANTIATE_TEST_SUITE_P(All,
 // Tests that a certificate is recognized as EV, when the valid EV policy OID
 // for the trust anchor is the second candidate EV oid in the target
 // certificate. This is a regression test for crbug.com/705285.
-// Started failing: https://crbug.com/1094358
-TEST_P(CertVerifyProcInternalTest, DISABLED_EVVerificationMultipleOID) {
+TEST_P(CertVerifyProcInternalTest, EVVerificationMultipleOID) {
   if (!SupportsEV()) {
     LOG(INFO) << "Skipping test as EV verification is not yet supported";
     return;
   }
 
-  // TODO(eroman): Update this test to use a synthetic certificate, so the test
-  // does not break in the future. The certificate chain in question expires on
-  // Jun 12 14:33:43 2020 GMT, at which point this test will start failing.
-  if (base::Time::Now() >
-      base::Time::UnixEpoch() + base::TimeDelta::FromSeconds(1591972423)) {
-    FAIL() << "This test uses a certificate chain which is now expired. Please "
-              "disable and file a bug.";
-    return;
-  }
-
-  scoped_refptr<X509Certificate> chain = CreateCertificateChainFromFile(
-      GetTestCertsDirectory(), "login.trustwave.com.pem",
-      X509Certificate::FORMAT_PEM_CERT_SEQUENCE);
-  ASSERT_TRUE(chain);
+  scoped_refptr<X509Certificate> cert =
+      ImportCertFromFile(GetTestCertsDirectory(), "ev-multi-oid.pem");
+  scoped_refptr<X509Certificate> root =
+      ImportCertFromFile(GetTestCertsDirectory(), "root_ca_cert.pem");
+  ASSERT_TRUE(cert);
+  ASSERT_TRUE(root);
+  ScopedTestRoot test_root(root.get());
 
   // Build a CRLSet that covers the target certificate.
   //
   // This way CRLSet coverage will be sufficient for EV revocation checking,
   // so this test does not depend on online revocation checking.
-  ASSERT_GE(chain->intermediate_buffers().size(), 1u);
   base::StringPiece spki;
-  ASSERT_TRUE(
-      asn1::ExtractSPKIFromDERCert(x509_util::CryptoBufferAsStringPiece(
-                                       chain->intermediate_buffers()[0].get()),
-                                   &spki));
+  ASSERT_TRUE(asn1::ExtractSPKIFromDERCert(
+      x509_util::CryptoBufferAsStringPiece(root->cert_buffer()), &spki));
   SHA256HashValue spki_sha256;
   crypto::SHA256HashString(spki, spki_sha256.data, sizeof(spki_sha256.data));
   scoped_refptr<CRLSet> crl_set(
       CRLSet::ForTesting(false, &spki_sha256, "", "", {}));
 
+  // The policies that "ev-multi-oid.pem" target certificate asserts.
+  static const char kOtherTestCertPolicy[] = "2.23.140.1.1";
+  static const char kEVTestCertPolicy[] = "1.2.3.4";
+  // Consider the root of the test chain a valid EV root for the test policy.
+  ScopedTestEVPolicy scoped_test_ev_policy(
+      EVRootCAMetadata::GetInstance(),
+      X509Certificate::CalculateFingerprint256(root->cert_buffer()),
+      kEVTestCertPolicy);
+  ScopedTestEVPolicy scoped_test_other_policy(
+      EVRootCAMetadata::GetInstance(), SHA256HashValue(), kOtherTestCertPolicy);
+
   CertVerifyResult verify_result;
   int flags = 0;
-  int error = Verify(chain.get(), "login.trustwave.com", flags, crl_set.get(),
+  int error = Verify(cert.get(), "127.0.0.1", flags, crl_set.get(),
                      CertificateList(), &verify_result);
   EXPECT_THAT(error, IsOk());
   EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV);

net/data/ssl/certificates/README

@@ -10,8 +10,6 @@ unit tests.
 - google.single.der
 - google.single.pem
 - thawte.single.pem : Certificates for testing parsing of different formats.
-- login.trustwave.com.pem :
-     Certificate for testing EV with multiple OIDs. Regression test for crbug.com/705285
 
 - googlenew.chain.pem : The refreshed Google certificate
      (valid until Sept 30 2013).
@@ -213,6 +211,9 @@ unit tests.
      Certificates for testing EV display (including regression test for
      https://crbug.com/1069113).
 
+- ev-multi-oid.pem :
+     Certificate for testing EV with multiple OIDs. Regression test for crbug.com/705285
+
 ===== From net/data/ssl/scripts/generate-weak-test-chains.sh
 - 2048-rsa-root.pem
 - {768-rsa,1024-rsa,2048-rsa,prime256v1-ecdsa}-intermediate.pem

net/data/ssl/certificates/ev-multi-oid.pem

+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            a3:52:01:bf:1d:77:e1:98:22:29:4b:c0:f7:a0:c9:08
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=California, L=Mountain View, O=Test CA, CN=Test Root CA
+        Validity
+            Not Before: Sep  2 01:22:07 2020 GMT
+            Not After : Sep  2 01:22:07 2022 GMT
+        Subject: C=US, ST=California, L=Mountain View, O=Test CA, CN=127.0.0.1
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:c0:d3:f7:5e:b3:61:c1:61:cc:e7:53:d9:f9:93:
+                    05:32:55:00:00:26:9d:09:2f:65:0b:2d:6f:04:1d:
+                    90:9b:dc:19:e0:fd:d0:af:4f:7c:28:a6:89:60:a5:
+                    65:f9:3a:c5:67:b0:37:0b:d0:7b:da:ab:c7:27:be:
+                    2e:54:a5:89:a7:88:4a:67:02:62:72:c2:1a:a1:ab:
+                    f2:b0:5a:19:40:f9:67:65:3f:12:1b:42:11:bc:3a:
+                    82:fb:87:88:97:23:c9:ec:31:14:17:ae:4e:55:ed:
+                    f0:e3:94:a1:0e:e3:e7:e0:c0:04:6a:40:bd:c0:46:
+                    06:c2:6c:d3:7f:eb:60:33:0e:68:2c:06:60:5a:43:
+                    b0:ff:e0:5e:5a:f3:6f:85:71:a5:56:c0:a6:88:f9:
+                    1b:59:fd:c0:39:80:6a:63:30:29:ed:91:32:a2:cb:
+                    c2:39:a5:dd:a1:3f:0c:31:b4:d4:86:40:47:12:19:
+                    b8:d2:3c:10:55:e4:04:54:9c:42:27:ca:06:bb:6a:
+                    9f:e8:3e:8f:49:51:35:b6:d4:b6:f8:01:85:8e:d4:
+                    92:b1:aa:c0:93:bd:5a:98:39:c6:74:5f:e1:60:a4:
+                    a3:d2:00:91:97:60:48:5e:94:42:2d:24:22:c1:ed:
+                    1e:7b:b2:39:dd:f1:b8:70:7b:62:1d:d5:49:05:ec:
+                    09:b9
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication, TLS Web Client Authentication
+            X509v3 Certificate Policies: 
+                Policy: 2.23.140.1.1
+                Policy: 1.2.3.4
+
+            X509v3 Subject Alternative Name: 
+                IP Address:127.0.0.1
+    Signature Algorithm: sha256WithRSAEncryption
+         ba:ea:30:19:12:cf:a3:cb:c6:4b:9c:8a:5e:0b:2d:4e:2d:ea:
+         7a:08:28:9c:da:a4:39:67:01:d1:16:7a:1f:70:40:cf:b8:18:
+         de:ec:7d:8a:dc:a4:7a:e7:55:e3:47:fc:d4:f4:e9:aa:b0:15:
+         77:04:12:13:fc:69:29:76:f0:ad:9e:ee:07:24:fa:bb:8a:01:
+         66:a5:6c:be:00:78:75:29:bd:dc:4a:66:be:37:5a:d9:7f:29:
+         90:05:48:52:38:a9:ba:76:52:41:0e:59:09:6d:54:43:16:ac:
+         1d:3a:5c:a7:89:62:53:18:96:11:d8:7a:d2:a7:d9:c4:14:39:
+         65:72:58:40:45:10:93:70:94:8c:74:fe:53:29:3c:1e:0e:f4:
+         2b:90:4d:00:21:9c:f4:f1:2d:1a:d8:28:67:5d:ce:0d:74:7c:
+         08:3a:ce:6e:c8:fd:54:04:7c:86:e5:8e:57:77:67:72:f1:d2:
+         c7:8e:53:68:d0:58:7d:23:0a:f1:c1:28:90:dd:a9:9a:79:a5:
+         35:6a:54:a5:5c:d9:35:d2:93:25:58:d9:e2:70:7d:e8:9c:13:
+         27:f5:b3:e6:26:cf:6d:09:bc:f8:4d:de:01:4e:5c:7a:f3:47:
+         47:74:17:7e:72:bd:42:ba:ba:19:28:a2:99:d5:b8:b3:bf:51:
+         38:84:e6:cc
+-----BEGIN CERTIFICATE-----
+MIIDqTCCApGgAwIBAgIRAKNSAb8dd+GYIilLwPegyQgwDQYJKoZIhvcNAQELBQAw
+YzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1v
+dW50YWluIFZpZXcxEDAOBgNVBAoMB1Rlc3QgQ0ExFTATBgNVBAMMDFRlc3QgUm9v
+dCBDQTAeFw0yMDA5MDIwMTIyMDdaFw0yMjA5MDIwMTIyMDdaMGAxCzAJBgNVBAYT
+AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3
+MRAwDgYDVQQKDAdUZXN0IENBMRIwEAYDVQQDDAkxMjcuMC4wLjEwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA0/des2HBYcznU9n5kwUyVQAAJp0JL2UL
+LW8EHZCb3Bng/dCvT3wopolgpWX5OsVnsDcL0Hvaq8cnvi5UpYmniEpnAmJywhqh
+q/KwWhlA+WdlPxIbQhG8OoL7h4iXI8nsMRQXrk5V7fDjlKEO4+fgwARqQL3ARgbC
+bNN/62AzDmgsBmBaQ7D/4F5a82+FcaVWwKaI+RtZ/cA5gGpjMCntkTKiy8I5pd2h
+PwwxtNSGQEcSGbjSPBBV5ARUnEInyga7ap/oPo9JUTW21Lb4AYWO1JKxqsCTvVqY
+OcZ0X+FgpKPSAJGXYEhelEItJCLB7R57sjnd8bhwe2Id1UkF7Am5AgMBAAGjWzBZ
+MAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMBkG
+A1UdIAQSMBAwBwYFZ4EMAQEwBQYDKgMEMA8GA1UdEQQIMAaHBH8AAAEwDQYJKoZI
+hvcNAQELBQADggEBALrqMBkSz6PLxkucil4LLU4t6noIKJzapDlnAdEWeh9wQM+4
+GN7sfYrcpHrnVeNH/NT06aqwFXcEEhP8aSl28K2e7gck+ruKAWalbL4AeHUpvdxK
+Zr43Wtl/KZAFSFI4qbp2UkEOWQltVEMWrB06XKeJYlMYlhHYetKn2cQUOWVyWEBF
+EJNwlIx0/lMpPB4O9CuQTQAhnPTxLRrYKGddzg10fAg6zm7I/VQEfIbljld3Z3Lx
+0seOU2jQWH0jCvHBKJDdqZp5pTVqVKVc2TXSkyVY2eJwfeicEyf1s+Ymz20JvPhN
+3gFOXHrzR0d0F35yvUK6uhkoopnVuLO/UTiE5sw=
+-----END CERTIFICATE-----

net/data/ssl/scripts/ca.cnf

@@ -118,3 +118,8 @@ CN = $ENV::CA_COMMON_NAME
 basicConstraints       = critical, CA:true
 keyUsage               = critical, keyCertSign, cRLSign
 subjectKeyIdentifier   = hash
+
+[ev_multi_oid]
+basicConstraints = critical, CA:false
+extendedKeyUsage = serverAuth, clientAuth
+certificatePolicies = 2.23.140.1.1, 1.2.3.4

net/data/ssl/scripts/generate-test-certs.sh

@@ -113,6 +113,14 @@ openssl req \
   -reqexts req_test_names \
   -config ee.cnf
 
+SUBJECT_NAME="req_dn" \
+openssl req \
+  -new \
+  -keyout out/ev-multi-oid.key \
+  -out out/ev-multi-oid.req \
+  -reqexts req_extensions \
+  -config ee.cnf \
+
 # Generate the leaf certificates
 CA_NAME="req_ca_dn" \
   openssl ca \
@@ -201,6 +209,16 @@ CA_NAME="req_ca_dn" \
     -out out/test_names.pem \
     -config ca.cnf
 
+## Certificate for testing EV with multiple OIDs
+CA_NAME="req_ca_dn" \
+  openssl ca \
+    -batch \
+    -extensions ev_multi_oid \
+    -days ${CERT_LIFETIME} \
+    -in out/ev-multi-oid.req \
+    -out out/ev-multi-oid.pem \
+    -config ca.cnf
+
 /bin/sh -c "cat out/ok_cert.key out/ok_cert.pem \
     > ../certificates/ok_cert.pem"
 /bin/sh -c "cat out/wildcard.key out/wildcard.pem \
@@ -227,6 +245,8 @@ CA_NAME="req_ca_dn" \
     > ../certificates/x509_verify_results.chain.pem"
 /bin/sh -c "cat out/test_names.key out/test_names.pem \
     > ../certificates/test_names.pem"
+/bin/sh -c "cat out/ev-multi-oid.pem \
+    > ../certificates/ev-multi-oid.pem"
 
 # Now generate the one-off certs
 ## Self-signed cert for SPDY/QUIC/HTTP2 pooling testing