Update CertVerifyProcIOS::GetCertFailureStatusFromTrust for iOS 11.4.

iOS 11.4 introduced "Policy requirements not met." error which is used in varios sutuations. This error is mapped to CERT_STATUS_INVALID and CERT_STATUS_AUTHORITY_INVALID. cert_verify_proc_ios_unittest was changed to be Objective-C source file to use @available keyword (the only clean way to test for OS version). PlatformTest is needed for every Objective-C test to drain autorelease pool. Bug: 830127, 830125 Change-Id: I99d4d3e6a580c16fdbb8e47359418a0a68b0fb48 Reviewed-on: https://chromium-review.googlesource.com/1008128Reviewed-by: Ryan Sleevi <rsleevi@chromium.org> Commit-Queue: Eugene But <eugenebut@chromium.org> Cr-Commit-Position: refs/heads/master@{#550436}

Update CertVerifyProcIOS::GetCertFailureStatusFromTrust for iOS 11.4.
iOS 11.4 introduced "Policy requirements not met." error which is used in varios sutuations. This error is mapped to CERT_STATUS_INVALID and CERT_STATUS_AUTHORITY_INVALID. cert_verify_proc_ios_unittest was changed to be Objective-C source file to use @available keyword (the only clean way to test for OS version). PlatformTest is needed for every Objective-C test to drain autorelease pool. Bug: 830127, 830125 Change-Id: I99d4d3e6a580c16fdbb8e47359418a0a68b0fb48 Reviewed-on: https://chromium-review.googlesource.com/1008128Reviewed-by: Ryan Sleevi <rsleevi@chromium.org> Commit-Queue: Eugene But <eugenebut@chromium.org> Cr-Commit-Position: refs/heads/master@{#550436}
e1309c61 · Eugene But · Commit Bot · bcb59cd6 · e1309c61 · e1309c61
Commit e1309c61 authored Apr 13, 2018 by Eugene But Committed by Commit Bot Apr 13, 2018
Showing with 20 additions and 5 deletions

net/BUILD.gn net/BUILD.gn +1 -1

net/cert/cert_verify_proc_ios.cc net/cert/cert_verify_proc_ios.cc +8 -0

net/cert/cert_verify_proc_ios_unittest.mm net/cert/cert_verify_proc_ios_unittest.mm +11 -4

No files found.
--- a/net/BUILD.gn
+++ b/net/BUILD.gn
@@ -4738,7 +4738,7 @@ test("net_unittests") {
    "cert/caching_cert_verifier_unittest.cc",
    "cert/cert_verifier_unittest.cc",
    "cert/cert_verify_proc_android_unittest.cc",
-    "cert/cert_verify_proc_ios_unittest.cc",
+    "cert/cert_verify_proc_ios_unittest.mm",
    "cert/cert_verify_proc_mac_unittest.cc",
    "cert/cert_verify_proc_unittest.cc",
    "cert/crl_set_unittest.cc",

--- a/net/cert/cert_verify_proc_ios.cc
+++ b/net/cert/cert_verify_proc_ios.cc
@@ -205,6 +205,12 @@ CertStatus CertVerifyProcIOS::GetCertFailureStatusFromTrust(SecTrustRef trust) {
      CFBundleCopyLocalizedString(bundle, hostname_mismatch_string,
                                  hostname_mismatch_string,
                                  CFSTR("SecCertificate")));
+  CFStringRef policy_requirements_not_met_string =
+      CFSTR("Policy requirements not met.");
+  ScopedCFTypeRef<CFStringRef> policy_requirements_not_met_error(
+      CFBundleCopyLocalizedString(bundle, policy_requirements_not_met_string,
+                                  policy_requirements_not_met_string,
+                                  CFSTR("SecCertificate")));

  for (CFIndex i = 0; i < properties_length; ++i) {
    CFDictionaryRef dict = reinterpret_cast<CFDictionaryRef>(
@@ -220,6 +226,8 @@ CertStatus CertVerifyProcIOS::GetCertFailureStatusFromTrust(SecTrustRef trust) {
      reason |= CERT_STATUS_WEAK_KEY;
    } else if (CFEqual(error, hostname_mismatch_error)) {
      reason |= CERT_STATUS_COMMON_NAME_INVALID;
+    } else if (CFEqual(error, policy_requirements_not_met_error)) {
+      reason |= CERT_STATUS_INVALID | CERT_STATUS_AUTHORITY_INVALID;
    } else {
      reason |= CERT_STATUS_INVALID;
    }

--- a/net/cert/cert_verify_proc_ios_unittest.cc
+++ b/net/cert/cert_verify_proc_ios_unittest.cc
@@ -14,6 +14,7 @@
 #include "net/test/cert_test_util.h"
 #include "net/test/test_data_directory.h"
 #include "testing/gtest/include/gtest/gtest.h"
+#include "testing/platform_test.h"

 namespace {

@@ -49,25 +50,31 @@ base::ScopedCFTypeRef<SecTrustRef> CreateSecTrust(

 namespace net {

+using CertVerifyProcIOSTest = PlatformTest;
+
 // Tests |GetCertFailureStatusFromTrust| with null trust object.
-TEST(CertVerifyProcIOSTest, StatusForNullTrust) {
+TEST_F(CertVerifyProcIOSTest, StatusForNullTrust) {
  EXPECT_EQ(CERT_STATUS_INVALID,
            CertVerifyProcIOS::GetCertFailureStatusFromTrust(nullptr));
 }

 // Tests |GetCertFailureStatusFromTrust| with trust object that has not been
 // evaluated backed by ok_cert.pem cert.
-TEST(CertVerifyProcIOSTest, StatusForNotEvaluatedTrust) {
+TEST_F(CertVerifyProcIOSTest, StatusForNotEvaluatedTrust) {
  CertStatus status = CertVerifyProcIOS::GetCertFailureStatusFromTrust(
      CreateSecTrust("ok_cert.pem"));
  EXPECT_TRUE(status & CERT_STATUS_COMMON_NAME_INVALID);
  EXPECT_TRUE(status & CERT_STATUS_AUTHORITY_INVALID);
-  EXPECT_FALSE(status & CERT_STATUS_DATE_INVALID);
+  if (@available(iOS 11.4, *)) {
+    // Prior to iOS 11.4 non-evaluated certs report CERT_STATUS_DATE_INVALID.
+  } else {
+    EXPECT_FALSE(status & CERT_STATUS_DATE_INVALID);
+  }
 }

 // Tests |GetCertFailureStatusFromTrust| with evaluated trust object backed by
 // expired_cert.pem cert.
-TEST(CertVerifyProcIOSTest, StatusForEvaluatedTrust) {
+TEST_F(CertVerifyProcIOSTest, StatusForEvaluatedTrust) {
  base::ScopedCFTypeRef<SecTrustRef> trust(CreateSecTrust("expired_cert.pem"));
  ASSERT_TRUE(trust);
  SecTrustEvaluate(trust, nullptr);