Fix enforcing RSA certificate keyUsage for known roots when cert verification...

Fix enforcing RSA certificate keyUsage for known roots when cert verification completes asynchronously. Bug: 795089 Change-Id: Ic830507465887d6bfe13b6fd9e05dc08d9f52dcc Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1763636Reviewed-by: David Benjamin <davidben@chromium.org> Commit-Queue: Matt Mueller <mattm@chromium.org> Cr-Commit-Position: refs/heads/master@{#689159}

Fix enforcing RSA certificate keyUsage for known roots when cert verification...
Fix enforcing RSA certificate keyUsage for known roots when cert verification completes asynchronously. Bug: 795089 Change-Id: Ic830507465887d6bfe13b6fd9e05dc08d9f52dcc Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1763636Reviewed-by: David Benjamin <davidben@chromium.org> Commit-Queue: Matt Mueller <mattm@chromium.org> Cr-Commit-Position: refs/heads/master@{#689159}
d6b13668 · Matt Mueller · Commit Bot · 6a530426 · d6b13668 · d6b13668
Commit d6b13668 authored Aug 21, 2019 by Matt Mueller Committed by Commit Bot Aug 21, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 12 additions and 11 deletions

net/socket/ssl_client_socket_impl.cc net/socket/ssl_client_socket_impl.cc +7 -7

net/socket/ssl_client_socket_unittest.cc net/socket/ssl_client_socket_unittest.cc +5 -4

No files found.
--- a/net/socket/ssl_client_socket_impl.cc
+++ b/net/socket/ssl_client_socket_impl.cc
@@ -1194,13 +1194,6 @@ ssl_verify_result_t SSLClientSocketImpl::VerifyCert() {
                     base::Unretained(this)),
      &cert_verifier_request_, net_log_);

-  // Enforce keyUsage extension for RSA leaf certificates chaining up to known
-  // roots.
-  // TODO(795089): Enforce this unconditionally.
-  if (server_cert_verify_result_.is_issued_by_known_root) {
-    SSL_set_enforce_rsa_key_usage(ssl_.get(), 1);
-  }
-
  return HandleVerifyResult();
 }

@@ -1238,6 +1231,13 @@ ssl_verify_result_t SSLClientSocketImpl::HandleVerifyResult() {
    }
  }

+  // Enforce keyUsage extension for RSA leaf certificates chaining up to known
+  // roots.
+  // TODO(crbug.com/795089): Enforce this unconditionally.
+  if (server_cert_verify_result_.is_issued_by_known_root) {
+    SSL_set_enforce_rsa_key_usage(ssl_.get(), 1);
+  }
+
  // If the connection was good, check HPKP and CT status simultaneously,
  // but prefer to treat the HPKP error as more serious, if there was one.
  if ((result == OK ||

--- a/net/socket/ssl_client_socket_unittest.cc
+++ b/net/socket/ssl_client_socket_unittest.cc
@@ -809,6 +809,7 @@ class SSLClientSocketTest : public PlatformTest, public WithTaskEnvironment {
            ct_policy_enforcer_.get(),
            ssl_client_session_cache_.get())) {
    cert_verifier_->set_default_result(OK);
+    cert_verifier_->set_async(true);

    EXPECT_CALL(*ct_policy_enforcer_, CheckCompliance(_, _, _))
        .WillRepeatedly(
@@ -1520,10 +1521,10 @@ TEST_F(SSLClientSocketTest, Connect) {
  EXPECT_FALSE(sock->IsConnected());
 }

-TEST_F(SSLClientSocketTest, ConnectAsyncVerify) {
+TEST_F(SSLClientSocketTest, ConnectSyncVerify) {
  ASSERT_TRUE(StartTestServer(SpawnedTestServer::SSLOptions()));

-  cert_verifier_->set_async(true);
+  cert_verifier_->set_async(false);
  int rv;
  ASSERT_TRUE(CreateAndConnectSSLClientSocket(SSLConfig(), &rv));
  EXPECT_THAT(rv, IsError(OK));
@@ -1548,13 +1549,13 @@ TEST_F(SSLClientSocketTest, ConnectExpired) {
  EXPECT_TRUE(LogContainsEndEvent(entries, -1, NetLogEventType::SSL_CONNECT));
 }

-TEST_F(SSLClientSocketTest, ConnectExpiredAsyncVerify) {
+TEST_F(SSLClientSocketTest, ConnectExpiredSyncVerify) {
  SpawnedTestServer::SSLOptions ssl_options(
      SpawnedTestServer::SSLOptions::CERT_EXPIRED);
  ASSERT_TRUE(StartTestServer(ssl_options));

  cert_verifier_->set_default_result(ERR_CERT_DATE_INVALID);
-  cert_verifier_->set_async(true);
+  cert_verifier_->set_async(false);

  int rv;
  ASSERT_TRUE(CreateAndConnectSSLClientSocket(SSLConfig(), &rv));