net: fix CRLSet tests.

This change switches the CRLSet cert verify tests (which have been disabled
because the cert that they used expired) to use a dummy chain instead.

BUG=302088

Review URL: https://codereview.chromium.org/56003004

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@237163 0039d316-1c4b-4281-b951-d872f2087c98

2 files changed, 90 insertions, 109 deletions

diff --git a/net/cert/cert_verify_proc_unittest.cc b/net/cert/cert_verify_proc_unittest.cc
index 49ada65..2985274 100644
--- a/net/cert/cert_verify_proc_unittest.cc
+++ b/net/cert/cert_verify_proc_unittest.cc
@@ -1001,7 +1001,7 @@ TEST_F(CertVerifyProcTest, CybertrustGTERoot) {
 #endif
 
 #if defined(USE_NSS) || defined(OS_IOS) || defined(OS_WIN) || defined(OS_MACOSX)
-static const uint8 kCRLSetThawteSPKIBlocked[] = {
+static const uint8 kCRLSetLeafSPKIBlocked[] = {
   0x8e, 0x00, 0x7b, 0x22, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0x3a,
   0x30, 0x2c, 0x22, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x54, 0x79, 0x70,
   0x65, 0x22, 0x3a, 0x22, 0x43, 0x52, 0x4c, 0x53, 0x65, 0x74, 0x22, 0x2c, 0x22,
@@ -1009,14 +1009,14 @@ static const uint8 kCRLSetThawteSPKIBlocked[] = {
   0x44, 0x65, 0x6c, 0x74, 0x61, 0x46, 0x72, 0x6f, 0x6d, 0x22, 0x3a, 0x30, 0x2c,
   0x22, 0x4e, 0x75, 0x6d, 0x50, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x73, 0x22, 0x3a,
   0x30, 0x2c, 0x22, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x65, 0x64, 0x53, 0x50, 0x4b,
-  0x49, 0x73, 0x22, 0x3a, 0x5b, 0x22, 0x36, 0x58, 0x36, 0x4d, 0x78, 0x52, 0x37,
-  0x58, 0x70, 0x4d, 0x51, 0x4b, 0x78, 0x49, 0x41, 0x39, 0x50, 0x6a, 0x36, 0x37,
-  0x36, 0x38, 0x76, 0x74, 0x55, 0x6b, 0x6b, 0x7a, 0x48, 0x79, 0x7a, 0x41, 0x6f,
-  0x6d, 0x6f, 0x4f, 0x68, 0x4b, 0x55, 0x6e, 0x7a, 0x73, 0x55, 0x3d, 0x22, 0x5d,
+  0x49, 0x73, 0x22, 0x3a, 0x5b, 0x22, 0x43, 0x38, 0x4d, 0x4a, 0x46, 0x55, 0x55,
+  0x5a, 0x38, 0x43, 0x79, 0x54, 0x2b, 0x4e, 0x57, 0x64, 0x68, 0x69, 0x7a, 0x51,
+  0x68, 0x54, 0x49, 0x65, 0x46, 0x49, 0x37, 0x76, 0x41, 0x77, 0x7a, 0x64, 0x54,
+  0x79, 0x52, 0x59, 0x45, 0x6e, 0x78, 0x6c, 0x33, 0x62, 0x67, 0x3d, 0x22, 0x5d,
   0x7d,
 };
 
-static const uint8 kCRLSetThawteSerialBlocked[] = {
+static const uint8 kCRLSetLeafSerialBlocked[] = {
   0x60, 0x00, 0x7b, 0x22, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0x3a,
   0x30, 0x2c, 0x22, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x54, 0x79, 0x70,
   0x65, 0x22, 0x3a, 0x22, 0x43, 0x52, 0x4c, 0x53, 0x65, 0x74, 0x22, 0x2c, 0x22,
@@ -1024,17 +1024,14 @@ static const uint8 kCRLSetThawteSerialBlocked[] = {
   0x44, 0x65, 0x6c, 0x74, 0x61, 0x46, 0x72, 0x6f, 0x6d, 0x22, 0x3a, 0x30, 0x2c,
   0x22, 0x4e, 0x75, 0x6d, 0x50, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x73, 0x22, 0x3a,
   0x31, 0x2c, 0x22, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x65, 0x64, 0x53, 0x50, 0x4b,
-  0x49, 0x73, 0x22, 0x3a, 0x5b, 0x5d, 0x7d, 0xb1, 0x12, 0x41, 0x42, 0xa5, 0xa1,
-  0xa5, 0xa2, 0x88, 0x19, 0xc7, 0x35, 0x34, 0x0e, 0xff, 0x8c, 0x9e, 0x2f, 0x81,
-  0x68, 0xfe, 0xe3, 0xba, 0x18, 0x7f, 0x25, 0x3b, 0xc1, 0xa3, 0x92, 0xd7, 0xe2,
-  // Note that this is actually blocking two serial numbers because on XP and
-  // Vista, CryptoAPI finds a different Thawte certificate.
-  0x02, 0x00, 0x00, 0x00,
-  0x04, 0x30, 0x00, 0x00, 0x02,
-  0x04, 0x30, 0x00, 0x00, 0x06,
+  0x49, 0x73, 0x22, 0x3a, 0x5b, 0x5d, 0x7d, 0x0f, 0x87, 0xe4, 0xc7, 0x75, 0xea,
+  0x46, 0x7e, 0xf3, 0xfd, 0x82, 0xb7, 0x46, 0x7b, 0x10, 0xda, 0xc5, 0xbf, 0xd8,
+  0xd1, 0x29, 0xb2, 0xc6, 0xac, 0x7f, 0x51, 0x42, 0x15, 0x28, 0x51, 0x06, 0x7f,
+  0x01, 0x00, 0x00, 0x00,  // number of serials
+  0x01, 0xed,  // serial 0xed
 };
 
-static const uint8 kCRLSetGoogleSerialBlocked[] = {
+static const uint8 kCRLSetQUICSerialBlocked[] = {
   0x60, 0x00, 0x7b, 0x22, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0x3a,
   0x30, 0x2c, 0x22, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x54, 0x79, 0x70,
   0x65, 0x22, 0x3a, 0x22, 0x43, 0x52, 0x4c, 0x53, 0x65, 0x74, 0x22, 0x2c, 0x22,
@@ -1042,47 +1039,47 @@ static const uint8 kCRLSetGoogleSerialBlocked[] = {
   0x44, 0x65, 0x6c, 0x74, 0x61, 0x46, 0x72, 0x6f, 0x6d, 0x22, 0x3a, 0x30, 0x2c,
   0x22, 0x4e, 0x75, 0x6d, 0x50, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x73, 0x22, 0x3a,
   0x31, 0x2c, 0x22, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x65, 0x64, 0x53, 0x50, 0x4b,
-  0x49, 0x73, 0x22, 0x3a, 0x5b, 0x5d, 0x7d, 0xe9, 0x7e, 0x8c, 0xc5, 0x1e, 0xd7,
-  0xa4, 0xc4, 0x0a, 0xc4, 0x80, 0x3d, 0x3e, 0x3e, 0xbb, 0xeb, 0xcb, 0xed, 0x52,
-  0x49, 0x33, 0x1f, 0x2c, 0xc0, 0xa2, 0x6a, 0x0e, 0x84, 0xa5, 0x27, 0xce, 0xc5,
-  0x01, 0x00, 0x00, 0x00, 0x10, 0x4f, 0x9d, 0x96, 0xd9, 0x66, 0xb0, 0x99, 0x2b,
-  0x54, 0xc2, 0x95, 0x7c, 0xb4, 0x15, 0x7d, 0x4d,
+  0x49, 0x73, 0x22, 0x3a, 0x5b, 0x5d, 0x7d,
+  // Issuer SPKI:
+  0x22, 0xe7, 0x71, 0xed, 0xb1, 0x8f, 0xa8, 0x99, 0xcd, 0xc7, 0x44, 0xa8, 0xf6,
+  0xdf, 0x4c, 0x2e, 0x19, 0x03, 0xa4, 0x78, 0x21, 0x16, 0x08, 0xba, 0x1e, 0xf0,
+  0x33, 0xa2, 0x43, 0x88, 0xc6, 0xa3,
+  0x01, 0x00, 0x00, 0x00,  // number of serials
+  0x01, 0x03,  // serial 3
 };
 
 // Test that CRLSets are effective in making a certificate appear to be
 // revoked.
-TEST_F(CertVerifyProcTest, DISABLED_CRLSet) {
-  CertificateList certs = CreateCertificateListFromFile(
-      GetTestCertsDirectory(),
-      "googlenew.chain.pem",
-      X509Certificate::FORMAT_PEM_CERT_SEQUENCE);
-
-  X509Certificate::OSCertHandles intermediates;
-  intermediates.push_back(certs[1]->os_cert_handle());
+TEST_F(CertVerifyProcTest, CRLSet) {
+  CertificateList ca_cert_list =
+      CreateCertificateListFromFile(GetTestCertsDirectory(),
+                                    "root_ca_cert.pem",
+                                    X509Certificate::FORMAT_AUTO);
+  ASSERT_EQ(1U, ca_cert_list.size());
+  ScopedTestRoot test_root(ca_cert_list[0]);
 
-  scoped_refptr<X509Certificate> google_full_chain =
-      X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
-                                        intermediates);
+  CertificateList cert_list = CreateCertificateListFromFile(
+      GetTestCertsDirectory(), "ok_cert.pem", X509Certificate::FORMAT_AUTO);
+  ASSERT_EQ(1U, cert_list.size());
+  scoped_refptr<X509Certificate> cert(cert_list[0]);
 
+  int flags = 0;
   CertVerifyResult verify_result;
-  int error = Verify(google_full_chain.get(),
-                     "www.google.com",
-                     0,
-                     NULL,
-                     empty_cert_list_,
-                     &verify_result);
+  int error = Verify(
+      cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result);
   EXPECT_EQ(OK, error);
+  EXPECT_EQ(0U, verify_result.cert_status);
 
   // First test blocking by SPKI.
   base::StringPiece crl_set_bytes(
-      reinterpret_cast<const char*>(kCRLSetThawteSPKIBlocked),
-      sizeof(kCRLSetThawteSPKIBlocked));
+      reinterpret_cast<const char*>(kCRLSetLeafSPKIBlocked),
+      sizeof(kCRLSetLeafSPKIBlocked));
   scoped_refptr<CRLSet> crl_set;
   ASSERT_TRUE(CRLSet::Parse(crl_set_bytes, &crl_set));
 
-  error = Verify(google_full_chain.get(),
-                 "www.google.com",
-                 0,
+  error = Verify(cert.get(),
+                 "127.0.0.1",
+                 flags,
                  crl_set.get(),
                  empty_cert_list_,
                  &verify_result);
@@ -1090,29 +1087,66 @@ TEST_F(CertVerifyProcTest, DISABLED_CRLSet) {
 
   // Second, test revocation by serial number of a cert directly under the
   // root.
-  crl_set_bytes = base::StringPiece(
-      reinterpret_cast<const char*>(kCRLSetThawteSerialBlocked),
-      sizeof(kCRLSetThawteSerialBlocked));
+  crl_set_bytes =
+      base::StringPiece(reinterpret_cast<const char*>(kCRLSetLeafSerialBlocked),
+                        sizeof(kCRLSetLeafSerialBlocked));
   ASSERT_TRUE(CRLSet::Parse(crl_set_bytes, &crl_set));
 
-  error = Verify(google_full_chain.get(),
-                 "www.google.com",
-                 0,
+  error = Verify(cert.get(),
+                 "127.0.0.1",
+                 flags,
                  crl_set.get(),
                  empty_cert_list_,
                  &verify_result);
   EXPECT_EQ(ERR_CERT_REVOKED, error);
+}
 
-  // Lastly, test revocation by serial number of a certificate not under the
-  // root.
-  crl_set_bytes = base::StringPiece(
-      reinterpret_cast<const char*>(kCRLSetGoogleSerialBlocked),
-      sizeof(kCRLSetGoogleSerialBlocked));
+TEST_F(CertVerifyProcTest, CRLSetLeafSerial) {
+  CertificateList ca_cert_list =
+      CreateCertificateListFromFile(GetTestCertsDirectory(),
+                                    "quic_root.crt",
+                                    X509Certificate::FORMAT_AUTO);
+  ASSERT_EQ(1U, ca_cert_list.size());
+  ScopedTestRoot test_root(ca_cert_list[0]);
+
+  CertificateList intermediate_cert_list =
+      CreateCertificateListFromFile(GetTestCertsDirectory(),
+                                    "quic_intermediate.crt",
+                                    X509Certificate::FORMAT_AUTO);
+  ASSERT_EQ(1U, intermediate_cert_list.size());
+  X509Certificate::OSCertHandles intermediates;
+  intermediates.push_back(intermediate_cert_list[0]->os_cert_handle());
+
+  CertificateList cert_list = CreateCertificateListFromFile(
+      GetTestCertsDirectory(), "quic_test.example.com.crt",
+      X509Certificate::FORMAT_AUTO);
+  ASSERT_EQ(1U, cert_list.size());
+
+  scoped_refptr<X509Certificate> leaf =
+      X509Certificate::CreateFromHandle(cert_list[0]->os_cert_handle(),
+                                        intermediates);
+
+  int flags = 0;
+  CertVerifyResult verify_result;
+  int error = Verify(leaf.get(),
+                     "test.example.com",
+                     flags,
+                     NULL,
+                     empty_cert_list_,
+                     &verify_result);
+  EXPECT_EQ(OK, error);
+  EXPECT_EQ(0U, verify_result.cert_status);
+
+  // Test revocation by serial number of a certificate not under the root.
+  scoped_refptr<CRLSet> crl_set;
+  base::StringPiece crl_set_bytes =
+      base::StringPiece(reinterpret_cast<const char*>(kCRLSetQUICSerialBlocked),
+                        sizeof(kCRLSetQUICSerialBlocked));
   ASSERT_TRUE(CRLSet::Parse(crl_set_bytes, &crl_set));
 
-  error = Verify(google_full_chain.get(),
-                 "www.google.com",
-                 0,
+  error = Verify(leaf.get(),
+                 "test.example.com",
+                 flags,
                  crl_set.get(),
                  empty_cert_list_,
                  &verify_result);
diff --git a/net/data/ssl/certificates/quic_root.crt b/net/data/ssl/certificates/quic_root.crt
index 55502e6..a0bbe15 100644
--- a/net/data/ssl/certificates/quic_root.crt
+++ b/net/data/ssl/certificates/quic_root.crt
@@ -51,56 +51,3 @@ igmYDlFTeqM3w+yNYSxJZtA0C4toUFh1H/t2h4kWfVbRvi+775UmklU3b8qC4tST
 M4AfnLktHu47kH0TLiibF4wVXxLr7fKGL6X1WeTzB6mZLTJw1CrQQ/Ickm11+GD6
 tY9PB2v2wICzT8if7RG9TdnXSiw=
 -----END CERTIFICATE-----
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 1 (0x1)
-    Signature Algorithm: sha1WithRSAEncryption
-        Issuer: O=Acme Co, CN=Root CA
-        Validity
-            Not Before: Jan  1 10:00:00 2013 GMT
-            Not After : Dec 31 10:00:00 2023 GMT
-        Subject: O=Acme Co, CN=Root CA
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (1024 bit)
-                Modulus:
-                    00:f3:8f:b5:01:f7:8f:bf:0e:c3:bc:2e:43:f9:63:
-                    32:ae:e2:70:2d:77:70:bf:32:57:77:dd:00:f4:16:
-                    08:e2:f4:b8:b4:c9:bc:41:be:54:ba:44:3f:6f:77:
-                    f9:d1:1b:52:25:16:7d:df:f9:29:79:3c:7c:8f:16:
-                    e3:85:d5:7c:96:5e:2e:60:b3:80:e1:fc:09:b9:04:
-                    4d:ff:bc:05:25:55:96:b8:e7:7e:03:ed:f4:a1:93:
-                    54:66:b6:d5:e4:1f:92:94:52:7d:c3:60:89:5f:79:
-                    f9:63:d1:f4:bb:4d:fa:da:4d:2e:d2:1d:ac:dc:7a:
-                    4f:52:67:3f:ad:eb:ed:ba:cd
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Key Usage: critical
-                Certificate Sign
-            X509v3 Extended Key Usage: 
-                TLS Web Server Authentication
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-    Signature Algorithm: sha1WithRSAEncryption
-         7c:0f:20:54:85:ea:e9:68:c5:15:fc:10:8a:09:98:0e:51:53:
-         7a:a3:37:c3:ec:8d:61:2c:49:66:d0:34:0b:8b:68:50:58:75:
-         1f:fb:76:87:89:16:7d:56:d1:be:2f:bb:ef:95:26:92:55:37:
-         6f:ca:82:e2:d4:93:33:80:1f:9c:b9:2d:1e:ee:3b:90:7d:13:
-         2e:28:9b:17:8c:15:5f:12:eb:ed:f2:86:2f:a5:f5:59:e4:f3:
-         07:a9:99:2d:32:70:d4:2a:d0:43:f2:1c:92:6d:75:f8:60:fa:
-         b5:8f:4f:07:6b:f6:c0:80:b3:4f:c8:9f:ed:11:bd:4d:d9:d7:
-         4a:2c
------BEGIN CERTIFICATE-----
-MIIB8DCCAVugAwIBAgIBATALBgkqhkiG9w0BAQUwJDEQMA4GA1UEChMHQWNtZSBD
-bzEQMA4GA1UEAxMHUm9vdCBDQTAeFw0xMzAxMDExMDAwMDBaFw0yMzEyMzExMDAw
-MDBaMCQxEDAOBgNVBAoTB0FjbWUgQ28xEDAOBgNVBAMTB1Jvb3QgQ0EwgZ0wCwYJ
-KoZIhvcNAQEBA4GNADCBiQKBgQDzj7UB94+/DsO8LkP5YzKu4nAtd3C/Mld33QD0
-Fgji9Li0ybxBvlS6RD9vd/nRG1IlFn3f+Sl5PHyPFuOF1XyWXi5gs4Dh/Am5BE3/
-vAUlVZa4534D7fShk1RmttXkH5KUUn3DYIlfeflj0fS7TfraTS7SHazcek9SZz+t
-6+26zQIDAQABozgwNjAOBgNVHQ8BAf8EBAMCAAQwEwYDVR0lBAwwCgYIKwYBBQUH
-AwEwDwYDVR0TAQH/BAUwAwEB/zALBgkqhkiG9w0BAQUDgYEAfA8gVIXq6WjFFfwQ
-igmYDlFTeqM3w+yNYSxJZtA0C4toUFh1H/t2h4kWfVbRvi+775UmklU3b8qC4tST
-M4AfnLktHu47kH0TLiibF4wVXxLr7fKGL6X1WeTzB6mZLTJw1CrQQ/Ickm11+GD6
-tY9PB2v2wICzT8if7RG9TdnXSiw=
------END CERTIFICATE-----