Add tests for VerifyCertificateChain() when the last certificate is not trusted.

Review-Url: https://codereview.chromium.org/2860853003 Cr-Commit-Position: refs/heads/master@{#469421}

Add tests for VerifyCertificateChain() when the last certificate is not trusted.
Review-Url: https://codereview.chromium.org/2860853003 Cr-Commit-Position: refs/heads/master@{#469421}
d1c9c9bd · eroman · Commit bot · 8b9dc9a3 · d1c9c9bd · d1c9c9bd
Commit d1c9c9bd authored May 04, 2017 by eroman Committed by Commit bot May 04, 2017
5 changed files
--- a/net/BUILD.gn
+++ b/net/BUILD.gn
@@ -3445,7 +3445,9 @@ bundle_data("net_unittests_bundle_data") {
    "data/verify_certificate_chain_unittest/root-lacks-basic-constraints/main.test",
    "data/verify_certificate_chain_unittest/root-lacks-basic-constraints/ta-with-constraints.test",
    "data/verify_certificate_chain_unittest/target-and-intermediate/chain.pem",
+    "data/verify_certificate_chain_unittest/target-and-intermediate/distrusted-root.test",
    "data/verify_certificate_chain_unittest/target-and-intermediate/main.test",
+    "data/verify_certificate_chain_unittest/target-and-intermediate/unspecified-trust-root.test",
    "data/verify_certificate_chain_unittest/target-has-keycertsign-but-not-ca/chain.pem",
    "data/verify_certificate_chain_unittest/target-has-keycertsign-but-not-ca/main.test",
    "data/verify_certificate_chain_unittest/target-has-pathlen-but-not-ca/chain.pem",

--- a/net/cert/internal/verify_certificate_chain.cc
+++ b/net/cert/internal/verify_certificate_chain.cc
@@ -519,9 +519,6 @@ void ProcessRootCertificate(
      break;
    case CertificateTrustType::DISTRUSTED:
      // Chains to an actively distrusted certificate.
-      //
-      // TODO(eroman): There are not currently any verification or path building
-      //               tests for the distrusted case.
      errors->AddError(kCertIsDistrusted);
      break;
    case CertificateTrustType::TRUSTED_ANCHOR:

--- a/net/cert/internal/verify_certificate_chain_typed_unittest.h
+++ b/net/cert/internal/verify_certificate_chain_typed_unittest.h
@@ -81,6 +81,11 @@ TYPED_TEST_P(VerifyCertificateChainSingleRootTest, WrongSignature) {
  this->RunTest("incorrect-trust-anchor/main.test");
 }

+TYPED_TEST_P(VerifyCertificateChainSingleRootTest, LastCertificateNotTrusted) {
+  this->RunTest("target-and-intermediate/distrusted-root.test");
+  this->RunTest("target-and-intermediate/unspecified-trust-root.test");
+}
+
 TYPED_TEST_P(VerifyCertificateChainSingleRootTest, TargetSignedBy512bitRsa) {
  this->RunTest("target-signed-by-512bit-rsa/main.test");
 }
@@ -156,6 +161,7 @@ REGISTER_TYPED_TEST_CASE_P(VerifyCertificateChainSingleRootTest,
                           UnknownExtension,
                           Md5,
                           WrongSignature,
+                           LastCertificateNotTrusted,
                           TargetSignedBy512bitRsa,
                           TargetSignedUsingEcdsa,
                           Expired,

--- a/net/data/verify_certificate_chain_unittest/target-and-intermediate/distrusted-root.test
+++ b/net/data/verify_certificate_chain_unittest/target-and-intermediate/distrusted-root.test
+chain: chain.pem
+last_cert_trust: DISTRUSTED
+utc_time: 150302120000Z
+key_purpose: SERVER_AUTH
+expected_errors:
+----- Certificate i=2 (CN=Root) -----
+ERROR: Certificate is distrusted
+
--- a/net/data/verify_certificate_chain_unittest/target-and-intermediate/unspecified-trust-root.test
+++ b/net/data/verify_certificate_chain_unittest/target-and-intermediate/unspecified-trust-root.test
+chain: chain.pem
+last_cert_trust: UNSPECIFIED
+utc_time: 150302120000Z
+key_purpose: SERVER_AUTH
+expected_errors:
+----- Certificate i=2 (CN=Root) -----
+ERROR: Certificate is not a trust anchor
+