Diffstat (limited to 'net')
-rw-r--r--net/base/cert_test_util.cc15
-rw-r--r--net/base/cert_test_util.h9
-rw-r--r--net/base/x509_certificate_unittest.cc14
-rw-r--r--net/data/ssl/certificates/README12
-rw-r--r--net/data/ssl/certificates/redundant-server-chain.pem271
-rw-r--r--net/data/ssl/certificates/redundant-validated-chain-root.pem16
-rw-r--r--net/data/ssl/certificates/redundant-validated-chain.pem196
-rwxr-xr-xnet/data/ssl/scripts/generate-redundant-test-chains.sh187
-rw-r--r--net/data/ssl/scripts/redundant-ca.cnf80
-rw-r--r--net/socket/ssl_client_socket_mac.cc2
-rw-r--r--net/socket/ssl_client_socket_nss.cc2
-rw-r--r--net/socket/ssl_client_socket_openssl.cc2
-rw-r--r--net/socket/ssl_client_socket_unittest.cc104
-rw-r--r--net/socket/ssl_client_socket_win.cc2
-rw-r--r--net/test/test_server.cc4
-rw-r--r--net/test/test_server.h5
16 files changed, 900 insertions, 21 deletions
diff --git a/net/base/cert_test_util.cc b/net/base/cert_test_util.cc
index fb0c0f8..cce160d 100644
--- a/net/base/cert_test_util.cc
+++ b/net/base/cert_test_util.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
@@ -21,6 +21,19 @@ FilePath GetTestCertsDirectory() {
return certs_dir;
}
+CertificateList CreateCertificateListFromFile(
+ const FilePath& certs_dir,
+ const std::string& cert_file,
+ int format) {
+ FilePath cert_path = certs_dir.AppendASCII(cert_file);
+ std::string cert_data;
+ if (!file_util::ReadFileToString(cert_path, &cert_data))
+ return CertificateList();
+ return X509Certificate::CreateCertificateListFromBytes(cert_data.data(),
+ cert_data.size(),
+ format);
+}
+
scoped_refptr<X509Certificate> ImportCertFromFile(
const FilePath& certs_dir,
const std::string& cert_file) {
diff --git a/net/base/cert_test_util.h b/net/base/cert_test_util.h
index a256e02..4078acc 100644
--- a/net/base/cert_test_util.h
+++ b/net/base/cert_test_util.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
@@ -9,17 +9,20 @@
#include <string>
#include "base/memory/ref_counted.h"
+#include "net/base/x509_certificate.h"
class FilePath;
namespace net {
-class X509Certificate;
-
// Returns a FilePath object representing the src/net/data/ssl/certificates
// directory in the source tree.
FilePath GetTestCertsDirectory();
+CertificateList CreateCertificateListFromFile(const FilePath& certs_dir,
+ const std::string& cert_file,
+ int format);
+
// Imports a certificate file in the src/net/data/ssl/certificates directory.
// certs_dir represents the test certificates directory. cert_file is the
// name of the certificate file. If cert_file contains multiple certificates,
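Review bot: The new `CreateCertificateListFromFile` declaration has no comment, while the neighbouring `GetTestCertsDirectory` and `ImportCertFromFile` declarations are documented. Its definition in cert_test_util.cc returns an empty `CertificateList` when the file cannot be read, which a caller presumably cannot tell apart from a file that yielded no certificates, so that belongs in the contract. I would add `// Loads every certificate in certs_dir/cert_file, parsed as |format| (the value handed to X509Certificate::CreateCertificateListFromBytes). Returns an empty list if the file cannot be read.` above the declaration.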
diff --git a/net/base/x509_certificate_unittest.cc b/net/base/x509_certificate_unittest.cc
index 2968c0a..25ddafa 100644
--- a/net/base/x509_certificate_unittest.cc
+++ b/net/base/x509_certificate_unittest.cc
@@ -179,19 +179,6 @@ const CertificateFormatTestData FormatTestData[] = {
NULL, } },
};
-CertificateList CreateCertificateListFromFile(
- const FilePath& certs_dir,
- const std::string& cert_file,
- int format) {
- FilePath cert_path = certs_dir.AppendASCII(cert_file);
- std::string cert_data;
- if (!file_util::ReadFileToString(cert_path, &cert_data))
- return CertificateList();
- return X509Certificate::CreateCertificateListFromBytes(cert_data.data(),
- cert_data.size(),
- format);
-}
-
void CheckGoogleCert(const scoped_refptr<X509Certificate>& google_cert,
unsigned char* expected_fingerprint,
double valid_from, double valid_to) {
@@ -695,6 +682,7 @@ TEST(X509CertificateTest, RejectWeakKeys) {
signer_type != key_types.end(); ++signer_type) {
std::string basename = *ee_type + "-ee-by-" + *signer_type +
"-intermediate.pem";
+ SCOPED_TRACE(basename);
scoped_refptr<X509Certificate> ee_cert =
ImportCertFromFile(certs_dir, basename);
ASSERT_NE(static_cast<X509Certificate*>(NULL), ee_cert);
diff --git a/net/data/ssl/certificates/README b/net/data/ssl/certificates/README
index 44c63c5..be9ded9 100644
--- a/net/data/ssl/certificates/README
+++ b/net/data/ssl/certificates/README
@@ -92,3 +92,15 @@ unit tests.
- globalsign_orgv1_ca.pem
- globalsign_root_ca_md5.pem : A certificate chain for the regression test
of http://crbug.com/108514
+
+- redundant-validated-chain.pem
+- redundant-server-chain.pem
+- redundant-validated-chain-root.pem
+
+ Two chains, A -> B -> C -> D and A -> B -> C2 (C and C2 share the same
+ public key) to test that SSLInfo gets the reconstructed, re-ordered
+ chain instead of the chain as served. See
+ SSLClientSocketTest.VerifyReturnChainProperlyOrdered in
+ net/socket/ssl_client_socket_unittest.cc. These chains are valid until
+ 26 Feb 2022 and are generated by
+ net/data/ssl/scripts/generate-redundant-test-chains.sh.
diff --git a/net/data/ssl/certificates/redundant-server-chain.pem b/net/data/ssl/certificates/redundant-server-chain.pem
new file mode 100644
index 0000000..1411d1c
--- /dev/null
+++ b/net/data/ssl/certificates/redundant-server-chain.pem
@@ -0,0 +1,271 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 236 (0xec)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: CN=B CA
+ Validity
+ Not Before: Feb 29 19:15:59 2012 GMT
+ Not After : Feb 26 19:15:59 2022 GMT
+ Subject: C=US, ST=California, L=Mountain View, O=Test CA, CN=127.0.0.1
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:e8:d1:3a:62:db:ed:2f:3e:c8:b2:b6:a7:78:3f:
+ 59:fd:c4:3e:35:44:6f:c7:76:c8:61:c7:66:09:4b:
+ d5:e1:d9:25:42:75:b8:be:90:6a:46:2a:2a:12:55:
+ 3d:13:25:18:d5:c8:13:a2:d3:9a:96:23:88:79:cb:
+ 51:28:60:7b:33:d0:39:bf:82:d6:0d:e6:47:a2:27:
+ c3:73:1f:ad:a4:a9:ac:d8:4b:98:9a:6f:40:3a:cd:
+ f9:5d:b8:b8:43:de:42:20:b4:ef:57:73:9d:1d:ec:
+ fa:97:ef:ac:cf:ef:02:b5:cd:fa:d6:e8:1d:d6:0a:
+ be:c0:a9:91:9f:dd:50:ab:b9:3d:d2:98:82:b2:96:
+ a7:a0:76:44:c7:ed:c1:64:93:24:0f:9c:95:19:7e:
+ 9c:d4:a5:1c:51:0d:98:90:d1:f4:b0:e2:99:e8:47:
+ 75:bf:f4:d0:15:34:08:21:73:c7:b3:65:8b:40:3f:
+ d7:95:01:1a:14:e9:e1:29:e0:45:d9:51:b0:30:bd:
+ 7b:d2:3d:f1:7c:5f:f6:89:ca:0b:cd:61:81:36:0d:
+ a9:44:af:5b:3b:38:92:1d:f1:2f:38:ec:3b:01:0e:
+ 18:6b:9c:ac:fd:70:bf:36:e4:47:73:57:86:ac:60:
+ 6f:e6:b1:47:ff:58:2e:d3:12:28:8a:57:8b:c9:c0:
+ 86:0d
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:FALSE
+ X509v3 Subject Key Identifier:
+ 78:3F:CB:F8:30:EA:63:A3:6E:FE:86:22:50:DE:24:BD:22:C8:BE:9D
+ X509v3 Authority Key Identifier:
+ keyid:4C:29:01:6A:B4:74:98:F4:B1:66:50:F0:8F:83:88:F0:C3:9D:5B:6D
+
+ X509v3 Extended Key Usage:
+ TLS Web Server Authentication, TLS Web Client Authentication
+ Signature Algorithm: sha1WithRSAEncryption
+ aa:a9:e5:68:e2:e9:94:d5:7d:fd:f8:76:e8:e3:23:2e:b9:a6:
+ 7c:0d:7a:d8:8b:9e:91:19:79:56:2d:1b:15:ad:90:1e:9a:d6:
+ 47:c0:3f:28:f3:ec:88:dd:25:4c:68:73:b5:b2:27:21:50:f6:
+ a6:b0:81:16:13:0f:b7:18:4e:a2:ed:2d:fe:ad:af:19:c5:f4:
+ b6:68:b9:50:05:37:29:f1:2d:97:d8:9f:fe:59:a1:f5:f7:ec:
+ 6c:18:18:7e:f4:e6:99:08:01:73:ab:60:98:51:4f:c3:ca:70:
+ e6:18:ab:90:04:7c:73:f2:84:0c:35:e5:1b:22:f1:50:ee:f4:
+ d8:24:7b:84:7b:39:21:a6:e4:53:04:7f:a5:38:58:da:29:86:
+ 1e:40:f0:dc:6d:ec:92:1c:4b:da:af:79:e6:27:ce:3f:53:f8:
+ dc:f1:48:3a:f0:e8:7b:9d:81:8b:44:28:c6:d7:4f:23:98:09:
+ 53:b8:68:db:76:0c:09:d8:59:4f:c8:34:bb:1b:b1:b4:09:59:
+ 09:5d:53:b4:b9:9e:6d:4d:a3:f0:08:5d:2a:a0:b9:dd:9d:64:
+ 37:13:d6:41:61:6c:a8:18:37:7b:a7:55:3c:e5:78:ba:c0:aa:
+ d1:a7:a0:d5:1e:65:e7:34:41:b0:da:b6:05:cc:d7:51:66:cc:
+ 3a:00:c0:b1
+-----BEGIN CERTIFICATE-----
+MIIDWjCCAkKgAwIBAgICAOwwDQYJKoZIhvcNAQEFBQAwDzENMAsGA1UEAwwEQiBD
+QTAeFw0xMjAyMjkxOTE1NTlaFw0yMjAyMjYxOTE1NTlaMGAxCzAJBgNVBAYTAlVT
+MRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3MRAw
+DgYDVQQKDAdUZXN0IENBMRIwEAYDVQQDDAkxMjcuMC4wLjEwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQDo0Tpi2+0vPsiytqd4P1n9xD41RG/Hdshhx2YJ
+S9Xh2SVCdbi+kGpGKioSVT0TJRjVyBOi05qWI4h5y1EoYHsz0Dm/gtYN5keiJ8Nz
+H62kqazYS5iab0A6zflduLhD3kIgtO9Xc50d7PqX76zP7wK1zfrW6B3WCr7AqZGf
+3VCruT3SmIKylqegdkTH7cFkkyQPnJUZfpzUpRxRDZiQ0fSw4pnoR3W/9NAVNAgh
+c8ezZYtAP9eVARoU6eEp4EXZUbAwvXvSPfF8X/aJygvNYYE2DalEr1s7OJId8S84
+7DsBDhhrnKz9cL825EdzV4asYG/msUf/WC7TEiiKV4vJwIYNAgMBAAGjbzBtMAwG
+A1UdEwEB/wQCMAAwHQYDVR0OBBYEFHg/y/gw6mOjbv6GIlDeJL0iyL6dMB8GA1Ud
+IwQYMBaAFEwpAWq0dJj0sWZQ8I+DiPDDnVttMB0GA1UdJQQWMBQGCCsGAQUFBwMB
+BggrBgEFBQcDAjANBgkqhkiG9w0BAQUFAAOCAQEAqqnlaOLplNV9/fh26OMjLrmm
+fA162IuekRl5Vi0bFa2QHprWR8A/KPPsiN0lTGhztbInIVD2prCBFhMPtxhOou0t
+/q2vGcX0tmi5UAU3KfEtl9if/lmh9ffsbBgYfvTmmQgBc6tgmFFPw8pw5hirkAR8
+c/KEDDXlGyLxUO702CR7hHs5IabkUwR/pThY2imGHkDw3G3skhxL2q955ifOP1P4
+3PFIOvDoe52Bi0QoxtdPI5gJU7ho23YMCdhZT8g0uxuxtAlZCV1TtLmebU2j8Ahd
+KqC53Z1kNxPWQWFsqBg3e6dVPOV4usCq0aeg1R5l5zRBsNq2BczXUWbMOgDAsQ==
+-----END CERTIFICATE-----
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 236 (0xec)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: CN=C CA
+ Validity
+ Not Before: Feb 29 19:15:59 2012 GMT
+ Not After : Feb 26 19:15:59 2022 GMT
+ Subject: CN=B CA
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:d5:6d:be:6c:68:cd:70:e2:d6:02:3a:16:40:21:
+ 2c:93:56:de:74:88:61:ca:b4:0e:ab:cc:e9:bc:79:
+ 51:47:bf:a8:88:6d:3a:ad:93:db:43:f3:58:db:29:
+ 8a:47:21:4c:54:0e:e7:24:26:cc:83:aa:ec:ae:cc:
+ d1:ce:14:c2:ce:56:c8:02:6a:4d:39:9f:6e:67:ff:
+ b1:e2:fe:d6:99:9f:af:90:bb:87:08:c4:77:6e:e7:
+ 07:79:d4:72:cf:1c:20:51:54:1f:ef:bc:76:02:d4:
+ 9e:c7:27:a6:53:fb:62:2b:b8:b1:63:ba:f6:13:84:
+ 05:b3:aa:bb:33:81:66:8f:37:6d:b9:fb:30:56:a6:
+ eb:69:fe:2f:a8:2a:ab:2f:f9:49:31:c1:d2:9c:9c:
+ 20:72:67:fd:35:37:bf:8e:f6:4c:58:52:f3:4c:ee:
+ a4:c4:68:21:ef:42:e4:f2:ba:e1:84:d5:4a:86:2b:
+ f2:25:11:07:52:6a:18:62:c9:ca:68:b8:d0:92:d9:
+ 09:d8:c0:16:8e:fd:56:c2:e3:63:8c:cd:49:23:ac:
+ 75:7d:24:19:c6:81:b3:a5:90:e3:56:78:7a:35:c8:
+ 35:97:3b:c5:e1:60:51:97:02:c3:1e:bb:33:68:8d:
+ eb:37:f7:c4:62:b4:11:b9:e5:29:95:4e:a4:e3:14:
+ 66:c5
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 4C:29:01:6A:B4:74:98:F4:B1:66:50:F0:8F:83:88:F0:C3:9D:5B:6D
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Signature Algorithm: sha1WithRSAEncryption
+ 42:71:38:e7:27:f1:c4:3b:59:57:c3:68:99:1f:95:81:9c:2d:
+ 8e:c8:91:85:40:31:24:d2:1c:92:8e:d5:22:95:80:55:7b:a9:
+ db:48:a5:fd:5e:a3:46:f6:a0:17:1b:13:79:79:f8:c3:c7:fe:
+ 62:c2:c9:fa:fe:c4:59:97:19:12:92:98:c1:47:a4:5f:7c:d6:
+ 25:b7:84:6e:08:6a:9f:77:e0:2b:62:fb:ee:23:f5:3d:d7:99:
+ d2:2e:92:47:cc:b3:c1:d5:4b:6d:92:3e:1a:6f:68:93:af:2d:
+ a7:f5:2f:a2:6a:27:d2:32:ab:39:53:1f:0a:1e:cc:4e:af:46:
+ 77:a4:ed:b9:99:b3:13:06:f0:01:9d:db:ad:fd:0e:8b:53:ed:
+ 90:3a:e6:c2:c5:fb:13:ce:e4:1a:51:f9:1b:f3:76:3d:e6:da:
+ dd:e2:77:6e:72:18:0b:b4:74:fa:bf:78:72:80:98:b3:3c:59:
+ 2a:70:74:08:c5:73:0f:66:a6:1c:f6:79:f9:59:21:a8:0b:12:
+ f2:a7:6d:3b:18:e9:80:12:71:4c:2c:59:ac:fa:57:f4:e1:ab:
+ 04:76:e3:ff:60:e1:7d:f5:bd:12:0c:01:54:46:e4:f3:ca:f2:
+ 06:dd:5e:2f:87:07:cb:9a:04:6e:c5:33:dd:8e:52:c6:73:7a:
+ 65:21:b9:a4
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 236 (0xec)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: CN=D Root CA
+ Validity
+ Not Before: Feb 29 19:15:59 2012 GMT
+ Not After : Feb 26 19:15:59 2022 GMT
+ Subject: CN=C CA
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:a5:fc:1e:cc:76:82:f7:6a:d2:ed:5c:6a:9d:5b:
+ de:83:64:de:69:14:f6:54:8d:ce:01:ee:51:40:c4:
+ cc:d6:73:4c:c5:73:ca:60:4d:64:dc:84:f9:08:90:
+ ce:45:7a:84:4d:4b:3d:07:32:6b:95:6d:18:48:21:
+ 56:49:01:d0:11:75:54:c0:8c:a7:43:d8:33:bd:bf:
+ d8:ef:89:a3:d9:43:2b:83:b6:7e:5a:e5:d9:53:58:
+ 3f:1c:40:56:dd:6b:6c:67:eb:83:27:69:7e:4f:ff:
+ a4:23:6d:54:33:85:ed:d4:e3:01:47:29:2c:a7:91:
+ b7:2b:89:cd:64:96:3b:6d:fb:b2:1b:80:a6:c2:ec:
+ 32:4c:79:ef:80:aa:84:3c:77:60:47:2e:3f:bd:71:
+ 67:c5:7a:f4:98:70:73:17:53:a3:43:ff:f9:a2:9c:
+ d3:3b:69:61:99:eb:82:0d:fa:10:f0:68:3f:6f:3f:
+ f5:d5:04:7e:ac:2f:4e:d1:74:5f:19:39:b8:57:5c:
+ 79:82:ac:95:e7:4c:d0:8b:fc:59:2e:0a:d4:bc:e8:
+ 1b:1f:70:b5:ae:07:b8:f4:e7:97:4f:0b:3c:90:03:
+ e3:c3:b2:ed:5b:aa:ce:8f:cc:b9:e3:94:29:69:87:
+ c5:fe:a7:29:a6:a9:59:c8:17:10:34:31:0c:a8:61:
+ 8c:ab
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ B7:9B:E7:1E:00:25:BE:D8:ED:12:69:0D:4B:73:6D:A1:3A:5E:F1:4C
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Signature Algorithm: sha1WithRSAEncryption
+ 44:22:94:02:ad:82:a3:c8:6d:70:b6:20:42:d3:8f:29:62:3c:
+ b6:dd:e4:e7:9d:b2:77:2d:0f:e9:9c:8c:b3:61:4b:ca:1e:24:
+ da:0d:93:88:1f:c9:2d:3a:b1:24:3f:79:62:51:88:0a:66:49:
+ 8c:95:a9:34:52:a5:b0:25:d6:41:f1:81:6b:26:93:dc:cc:29:
+ 17:1f:ae:b8:27:18:40:00:2d:9c:de:e6:17:1d:29:52:f8:b1:
+ 5e:3e:8a:f6:0a:06:e2:f6:3f:73:37:89:fe:af:ee:fb:81:7a:
+ c9:16:89:22:4d:81:ad:5a:73:17:d5:99:08:63:71:c0:c1:09:
+ 5d:f6:66:04:73:5c:c6:16:b5:77:e0:3f:80:6b:08:18:4c:12:
+ 98:07:97:ac:cb:92:b8:48:47:a6:ef:d1:c7:48:35:7c:cf:53:
+ c6:0d:28:c6:98:0c:d8:60:4e:99:f5:49:b3:3c:2c:34:60:0d:
+ bd:aa:98:c5:60:5a:b6:b1:28:ca:e2:53:55:e5:c2:31:43:f3:
+ bf:de:45:2c:d2:b4:a6:75:25:3f:2b:91:42:5b:57:a5:25:98:
+ 39:30:71:d8:66:b8:35:c5:77:d8:f6:53:b3:9f:ee:1f:73:8d:
+ cc:31:11:76:bc:f3:65:4b:1a:59:60:04:7c:ec:76:9e:4b:8a:
+ fb:17:88:55
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/net/data/ssl/certificates/redundant-validated-chain-root.pem b/net/data/ssl/certificates/redundant-validated-chain-root.pem
new file mode 100644
index 0000000..6acfc1e
--- /dev/null
+++ b/net/data/ssl/certificates/redundant-validated-chain-root.pem
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----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==
+-----END CERTIFICATE-----
diff --git a/net/data/ssl/certificates/redundant-validated-chain.pem b/net/data/ssl/certificates/redundant-validated-chain.pem
new file mode 100644
index 0000000..211b5f6
--- /dev/null
+++ b/net/data/ssl/certificates/redundant-validated-chain.pem
@@ -0,0 +1,196 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 236 (0xec)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: CN=B CA
+ Validity
+ Not Before: Feb 29 19:15:59 2012 GMT
+ Not After : Feb 26 19:15:59 2022 GMT
+ Subject: C=US, ST=California, L=Mountain View, O=Test CA, CN=127.0.0.1
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:e8:d1:3a:62:db:ed:2f:3e:c8:b2:b6:a7:78:3f:
+ 59:fd:c4:3e:35:44:6f:c7:76:c8:61:c7:66:09:4b:
+ d5:e1:d9:25:42:75:b8:be:90:6a:46:2a:2a:12:55:
+ 3d:13:25:18:d5:c8:13:a2:d3:9a:96:23:88:79:cb:
+ 51:28:60:7b:33:d0:39:bf:82:d6:0d:e6:47:a2:27:
+ c3:73:1f:ad:a4:a9:ac:d8:4b:98:9a:6f:40:3a:cd:
+ f9:5d:b8:b8:43:de:42:20:b4:ef:57:73:9d:1d:ec:
+ fa:97:ef:ac:cf:ef:02:b5:cd:fa:d6:e8:1d:d6:0a:
+ be:c0:a9:91:9f:dd:50:ab:b9:3d:d2:98:82:b2:96:
+ a7:a0:76:44:c7:ed:c1:64:93:24:0f:9c:95:19:7e:
+ 9c:d4:a5:1c:51:0d:98:90:d1:f4:b0:e2:99:e8:47:
+ 75:bf:f4:d0:15:34:08:21:73:c7:b3:65:8b:40:3f:
+ d7:95:01:1a:14:e9:e1:29:e0:45:d9:51:b0:30:bd:
+ 7b:d2:3d:f1:7c:5f:f6:89:ca:0b:cd:61:81:36:0d:
+ a9:44:af:5b:3b:38:92:1d:f1:2f:38:ec:3b:01:0e:
+ 18:6b:9c:ac:fd:70:bf:36:e4:47:73:57:86:ac:60:
+ 6f:e6:b1:47:ff:58:2e:d3:12:28:8a:57:8b:c9:c0:
+ 86:0d
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:FALSE
+ X509v3 Subject Key Identifier:
+ 78:3F:CB:F8:30:EA:63:A3:6E:FE:86:22:50:DE:24:BD:22:C8:BE:9D
+ X509v3 Authority Key Identifier:
+ keyid:4C:29:01:6A:B4:74:98:F4:B1:66:50:F0:8F:83:88:F0:C3:9D:5B:6D
+
+ X509v3 Extended Key Usage:
+ TLS Web Server Authentication, TLS Web Client Authentication
+ Signature Algorithm: sha1WithRSAEncryption
+ aa:a9:e5:68:e2:e9:94:d5:7d:fd:f8:76:e8:e3:23:2e:b9:a6:
+ 7c:0d:7a:d8:8b:9e:91:19:79:56:2d:1b:15:ad:90:1e:9a:d6:
+ 47:c0:3f:28:f3:ec:88:dd:25:4c:68:73:b5:b2:27:21:50:f6:
+ a6:b0:81:16:13:0f:b7:18:4e:a2:ed:2d:fe:ad:af:19:c5:f4:
+ b6:68:b9:50:05:37:29:f1:2d:97:d8:9f:fe:59:a1:f5:f7:ec:
+ 6c:18:18:7e:f4:e6:99:08:01:73:ab:60:98:51:4f:c3:ca:70:
+ e6:18:ab:90:04:7c:73:f2:84:0c:35:e5:1b:22:f1:50:ee:f4:
+ d8:24:7b:84:7b:39:21:a6:e4:53:04:7f:a5:38:58:da:29:86:
+ 1e:40:f0:dc:6d:ec:92:1c:4b:da:af:79:e6:27:ce:3f:53:f8:
+ dc:f1:48:3a:f0:e8:7b:9d:81:8b:44:28:c6:d7:4f:23:98:09:
+ 53:b8:68:db:76:0c:09:d8:59:4f:c8:34:bb:1b:b1:b4:09:59:
+ 09:5d:53:b4:b9:9e:6d:4d:a3:f0:08:5d:2a:a0:b9:dd:9d:64:
+ 37:13:d6:41:61:6c:a8:18:37:7b:a7:55:3c:e5:78:ba:c0:aa:
+ d1:a7:a0:d5:1e:65:e7:34:41:b0:da:b6:05:cc:d7:51:66:cc:
+ 3a:00:c0:b1
+-----BEGIN CERTIFICATE-----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==
+-----END CERTIFICATE-----
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 236 (0xec)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: CN=C CA
+ Validity
+ Not Before: Feb 29 19:15:59 2012 GMT
+ Not After : Feb 26 19:15:59 2022 GMT
+ Subject: CN=B CA
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:d5:6d:be:6c:68:cd:70:e2:d6:02:3a:16:40:21:
+ 2c:93:56:de:74:88:61:ca:b4:0e:ab:cc:e9:bc:79:
+ 51:47:bf:a8:88:6d:3a:ad:93:db:43:f3:58:db:29:
+ 8a:47:21:4c:54:0e:e7:24:26:cc:83:aa:ec:ae:cc:
+ d1:ce:14:c2:ce:56:c8:02:6a:4d:39:9f:6e:67:ff:
+ b1:e2:fe:d6:99:9f:af:90:bb:87:08:c4:77:6e:e7:
+ 07:79:d4:72:cf:1c:20:51:54:1f:ef:bc:76:02:d4:
+ 9e:c7:27:a6:53:fb:62:2b:b8:b1:63:ba:f6:13:84:
+ 05:b3:aa:bb:33:81:66:8f:37:6d:b9:fb:30:56:a6:
+ eb:69:fe:2f:a8:2a:ab:2f:f9:49:31:c1:d2:9c:9c:
+ 20:72:67:fd:35:37:bf:8e:f6:4c:58:52:f3:4c:ee:
+ a4:c4:68:21:ef:42:e4:f2:ba:e1:84:d5:4a:86:2b:
+ f2:25:11:07:52:6a:18:62:c9:ca:68:b8:d0:92:d9:
+ 09:d8:c0:16:8e:fd:56:c2:e3:63:8c:cd:49:23:ac:
+ 75:7d:24:19:c6:81:b3:a5:90:e3:56:78:7a:35:c8:
+ 35:97:3b:c5:e1:60:51:97:02:c3:1e:bb:33:68:8d:
+ eb:37:f7:c4:62:b4:11:b9:e5:29:95:4e:a4:e3:14:
+ 66:c5
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 4C:29:01:6A:B4:74:98:F4:B1:66:50:F0:8F:83:88:F0:C3:9D:5B:6D
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Signature Algorithm: sha1WithRSAEncryption
+ 42:71:38:e7:27:f1:c4:3b:59:57:c3:68:99:1f:95:81:9c:2d:
+ 8e:c8:91:85:40:31:24:d2:1c:92:8e:d5:22:95:80:55:7b:a9:
+ db:48:a5:fd:5e:a3:46:f6:a0:17:1b:13:79:79:f8:c3:c7:fe:
+ 62:c2:c9:fa:fe:c4:59:97:19:12:92:98:c1:47:a4:5f:7c:d6:
+ 25:b7:84:6e:08:6a:9f:77:e0:2b:62:fb:ee:23:f5:3d:d7:99:
+ d2:2e:92:47:cc:b3:c1:d5:4b:6d:92:3e:1a:6f:68:93:af:2d:
+ a7:f5:2f:a2:6a:27:d2:32:ab:39:53:1f:0a:1e:cc:4e:af:46:
+ 77:a4:ed:b9:99:b3:13:06:f0:01:9d:db:ad:fd:0e:8b:53:ed:
+ 90:3a:e6:c2:c5:fb:13:ce:e4:1a:51:f9:1b:f3:76:3d:e6:da:
+ dd:e2:77:6e:72:18:0b:b4:74:fa:bf:78:72:80:98:b3:3c:59:
+ 2a:70:74:08:c5:73:0f:66:a6:1c:f6:79:f9:59:21:a8:0b:12:
+ f2:a7:6d:3b:18:e9:80:12:71:4c:2c:59:ac:fa:57:f4:e1:ab:
+ 04:76:e3:ff:60:e1:7d:f5:bd:12:0c:01:54:46:e4:f3:ca:f2:
+ 06:dd:5e:2f:87:07:cb:9a:04:6e:c5:33:dd:8e:52:c6:73:7a:
+ 65:21:b9:a4
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----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==
+-----END CERTIFICATE-----
diff --git a/net/data/ssl/scripts/generate-redundant-test-chains.sh b/net/data/ssl/scripts/generate-redundant-test-chains.sh
new file mode 100755
index 0000000..58768e8
--- /dev/null
+++ b/net/data/ssl/scripts/generate-redundant-test-chains.sh
@@ -0,0 +1,187 @@
+#!/bin/sh
+
+# Copyright (c) 2012 The Chromium Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# This script generates two chains of test certificates:
+#
+# 1. A (end-entity) -> B -> C -> D (self-signed root)
+# 2. A (end-entity) -> B -> C2 (self-signed root)
+#
+# in which A, B, C, and D have distinct keypairs. C2 is a self-signed root
+# certificate that uses the same keypair as C.
+#
+# We use these cert chains in
+# SSLClientSocketTest.VerifyReturnChainProperlyOrdered to ensure that
+# SSLInfo objects see the certificate chain as validated rather than as
+# served by the server. The server serves chain 1. The client has C2, NOT D,
+# installed as a trusted root. Therefore, the chain will validate as chain
+# 2, even though the server served chain 1.
+
+try () {
+ echo "$@"
+ $@ || exit 1
+}
+
+generate_key_command () {
+ case "$1" in
+ rsa)
+ echo genrsa
+ ;;
+ *)
+ exit 1
+ esac
+}
+
+try rm -rf out
+try mkdir out
+
+echo Create the serial number files.
+serial=100
+for i in B C C2 D
+do
+ try echo $serial > out/$i-serial
+ serial=$(expr $serial + 1)
+done
+
+echo Generate the keys.
+try openssl genrsa -out out/A.key 2048
+try openssl genrsa -out out/B.key 2048
+try openssl genrsa -out out/C.key 2048
+try openssl genrsa -out out/D.key 2048
+
+echo Generate the D CSR.
+CA_COMMON_NAME="D Root CA" \
+ CA_DIR=out \
+ CA_NAME=req_env_dn \
+ KEY_SIZE=2048 \
+ ALGO=rsa \
+ CERT_TYPE=root \
+ TYPE=D CERTIFICATE=D \
+ try openssl req \
+ -new \
+ -key out/D.key \
+ -out out/D.csr \
+ -config redundant-ca.cnf
+
+echo D signs itself.
+CA_COMMON_NAME="D Root CA" \
+ CA_DIR=out \
+ CA_NAME=req_env_dn \
+ try openssl x509 \
+ -req -days 3650 \
+ -in out/D.csr \
+ -extensions ca_cert \
+ -signkey out/D.key \
+ -out out/D.pem
+
+echo Generate the C2 root CSR.
+CA_COMMON_NAME="C CA" \
+ CA_DIR=out \
+ CA_NAME=req_env_dn \
+ KEY_SIZE=2048 \
+ ALGO=rsa \
+ CERT_TYPE=root \
+ TYPE=C2 CERTIFICATE=C2 \
+ try openssl req \
+ -new \
+ -key out/C.key \
+ -out out/C2.csr \
+ -config redundant-ca.cnf
+
+echo C2 signs itself.
+CA_COMMON_NAME="C CA" \
+ CA_DIR=out \
+ CA_NAME=req_env_dn \
+ try openssl x509 \
+ -req -days 3650 \
+ -in out/C2.csr \
+ -extensions ca_cert \
+ -signkey out/C.key \
+ -out out/C2.pem
+
+echo Generate the B and C intermediaries\' CSRs.
+for i in B C
+do
+ name="$i Intermediate CA"
+ CA_COMMON_NAME="$i CA" \
+ CA_DIR=out \
+ CA_NAME=req_env_dn \
+ KEY_SIZE=2048 \
+ ALGO=rsa \
+ CERT_TYPE=root \
+ TYPE=$i CERTIFICATE=$i \
+ try openssl req \
+ -new \
+ -key out/$i.key \
+ -out out/$i.csr \
+ -config redundant-ca.cnf
+done
+
+echo D signs the C intermediate.
+# Make sure the signer's DB file exists.
+touch out/D-index.txt
+CA_COMMON_NAME="D Root CA" \
+ CA_DIR=out \
+ CA_NAME=req_env_dn \
+ KEY_SIZE=2048 \
+ ALGO=rsa \
+ CERT_TYPE=root \
+ TYPE=D CERTIFICATE=D \
+ try openssl ca \
+ -batch \
+ -extensions ca_cert \
+ -in out/C.csr \
+ -out out/C.pem \
+ -config redundant-ca.cnf
+
+echo C signs the B intermediate.
+touch out/C-index.txt
+CA_COMMON_NAME="C CA" \
+ CA_DIR=out \
+ CA_NAME=req_env_dn \
+ KEY_SIZE=2048 \
+ ALGO=rsa \
+ CERT_TYPE=root \
+ TYPE=C CERTIFICATE=C \
+ try openssl ca \
+ -batch \
+ -extensions ca_cert \
+ -in out/B.csr \
+ -out out/B.pem \
+ -config redundant-ca.cnf
+
+echo Generate the A end-entity CSR.
+try openssl req \
+ -new \
+ -key out/A.key \
+ -out out/A.csr \
+ -config ee.cnf
+
+echo B signs A.
+touch out/B-index.txt
+CA_COMMON_NAME="B CA" \
+ CA_DIR=out \
+ CA_NAME=req_env_dn \
+ KEY_SIZE=$signer_key_size \
+ ALGO=$signer_algo \
+ CERT_TYPE=intermediate \
+ TYPE=B CERTIFICATE=B \
+ try openssl ca \
+ -batch \
+ -extensions user_cert \
+ -in out/A.csr \
+ -out out/A.pem \
+ -config redundant-ca.cnf
+
+echo Create redundant-server-chain.pem
+cat out/A.key out/A.pem out/B.pem out/C.pem out/D.pem \
+ > redundant-server-chain.pem
+
+echo Create redundant-validated-chain.pem
+cat out/A.key out/A.pem out/B.pem out/C2.pem > redundant-validated-chain.pem
+
+echo Create redundant-validated-chain-root.pem
+cp out/C2.pem redundant-validated-chain-root.pem
+
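Review bot: In the "B signs A" step, `KEY_SIZE=$signer_key_size` and `ALGO=$signer_algo` expand variables that are never assigned anywhere in this script, so both reach `openssl ca` empty; every other step hard-codes `KEY_SIZE=2048` and `ALGO=rsa`, and this one should too. The `try` helper runs `$@` unquoted, which re-splits any argument containing spaces; `"$@" || exit 1` keeps the arguments intact. The script also opens with `rm -rf out` relative to whatever the current directory is, and the final `cat`/`cp` steps are not wrapped in `try`, so a `cd "$(dirname "$0")"` at the top and a failure check on those last three commands would make a wrong-directory or partial run fail loudly instead of deleting an unrelated `out` or writing truncated fixtures.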
diff --git a/net/data/ssl/scripts/redundant-ca.cnf b/net/data/ssl/scripts/redundant-ca.cnf
new file mode 100644
index 0000000..e1b24e0
--- /dev/null
+++ b/net/data/ssl/scripts/redundant-ca.cnf
@@ -0,0 +1,80 @@
+[ca]
+default_ca = CA_root
+preserve = yes
+
+# The default test root, used to generate certificates and CRLs.
+[CA_root]
+dir = $ENV::CA_DIR
+key_size = $ENV::KEY_SIZE
+algo = $ENV::ALGO
+cert_type = $ENV::CERT_TYPE
+type = $ENV::TYPE
+certificate = $ENV::CERTIFICATE
+database = $dir/$type-index.txt
+new_certs_dir = $dir
+serial = $dir/$type-serial
+certificate = $dir/$certificate.pem
+private_key = $dir/$type.key
+RANDFILE = $dir/rand
+default_days = 3650
+default_crl_days = 30
+default_md = sha1
+policy = policy_anything
+unique_subject = no
+
+[user_cert]
+# Extensions to add when signing a request for an EE cert
+basicConstraints = critical, CA:false
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+extendedKeyUsage = serverAuth,clientAuth
+
+[ca_cert]
+# Extensions to add when signing a request for an intermediate/CA cert
+basicConstraints = critical, CA:true
+subjectKeyIdentifier = hash
+#authorityKeyIdentifier = keyid:always
+keyUsage = critical, keyCertSign, cRLSign
+
+[crl_extensions]
+# Extensions to add when signing a CRL
+authorityKeyIdentifier = keyid:always
+
+[policy_anything]
+# Default signing policy
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = optional
+emailAddress = optional
+
+[req]
+# The request section used to generate the root CA certificate. This should
+# not be used to generate end-entity certificates. For certificates other
+# than the root CA, see README to find the appropriate configuration file
+# (ie: openssl_cert.cnf).
+default_bits = $ENV::KEY_SIZE
+default_md = sha1
+string_mask = utf8only
+prompt = no
+encrypt_key = no
+distinguished_name = $ENV::CA_NAME
+
+[req_ca_dn]
+C = US
+ST = California
+L = Mountain View
+O = Test CA
+CN = Test Root 2 CA
+
+[req_intermediate_dn]
+C = US
+ST = California
+L = Mountain View
+O = Test CA
+CN = Test Intermediate 2 CA
+
+[req_env_dn]
+CN = $ENV::CA_COMMON_NAME
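Review bot: `certificate` is assigned twice in `[CA_root]`, first from `$ENV::CERTIFICATE` and then as `$dir/$certificate.pem`, and nothing says the second line deliberately expands the first; a comment such as `# The bare names above are only inputs to the path expansions below.` would stop someone from deleting the apparent duplicate. The `[req]` comment still sends readers to README and openssl_cert.cnf for other configurations, and `[req_ca_dn]`/`[req_intermediate_dn]` are not selected by generate-redundant-test-chains.sh, which passes `CA_NAME=req_env_dn` wherever it sets `CA_NAME`, so both look like leftovers worth trimming or explaining. `default_md = sha1` combined with `default_days = 3650` means these fixtures will presumably need regenerating with a stronger digest if the verifier under test ever rejects SHA-1 signatures; a short note to that effect next to `default_md` would save a debugging session.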
diff --git a/net/socket/ssl_client_socket_mac.cc b/net/socket/ssl_client_socket_mac.cc
index a7e97d5..9a69ec4 100644
--- a/net/socket/ssl_client_socket_mac.cc
+++ b/net/socket/ssl_client_socket_mac.cc
@@ -719,7 +719,7 @@ void SSLClientSocketMac::GetSSLInfo(SSLInfo* ssl_info) {
if (!server_cert_)
return;
- ssl_info->cert = server_cert_;
+ ssl_info->cert = server_cert_verify_result_.verified_cert;
ssl_info->cert_status = server_cert_verify_result_.cert_status;
ssl_info->public_key_hashes = server_cert_verify_result_.public_key_hashes;
ssl_info->is_issued_by_known_root =
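Review bot: `ssl_info->cert` is now taken from `server_cert_verify_result_.verified_cert`, but the guard just above still tests `server_cert_`, so nothing visible here guarantees that the value assigned is non-null. If GetSSLInfo can be called before verification has filled in the result (not determinable from this hunk), callers that dereference `ssl_info->cert`, as the new unit test does, would crash. Consider `DCHECK(server_cert_verify_result_.verified_cert.get());` before the assignment, or falling back to `server_cert_` when it is null. The same one-line change appears in ssl_client_socket_nss.cc, ssl_client_socket_openssl.cc and ssl_client_socket_win.cc, and GetSSLInfo continues outside each of those hunks.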
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index 8188d66..aaa8a17 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -489,7 +489,7 @@ void SSLClientSocketNSS::GetSSLInfo(SSLInfo* ssl_info) {
return;
ssl_info->cert_status = server_cert_verify_result_->cert_status;
- ssl_info->cert = server_cert_;
+ ssl_info->cert = server_cert_verify_result_->verified_cert;
ssl_info->connection_status = ssl_connection_status_;
ssl_info->public_key_hashes = server_cert_verify_result_->public_key_hashes;
for (std::vector<SHA1Fingerprint>::const_iterator
diff --git a/net/socket/ssl_client_socket_openssl.cc b/net/socket/ssl_client_socket_openssl.cc
index fcdb644..1c03105 100644
--- a/net/socket/ssl_client_socket_openssl.cc
+++ b/net/socket/ssl_client_socket_openssl.cc
@@ -581,7 +581,7 @@ void SSLClientSocketOpenSSL::GetSSLInfo(SSLInfo* ssl_info) {
if (!server_cert_)
return;
- ssl_info->cert = server_cert_;
+ ssl_info->cert = server_cert_verify_result_.verified_cert;
ssl_info->cert_status = server_cert_verify_result_.cert_status;
ssl_info->is_issued_by_known_root =
server_cert_verify_result_.is_issued_by_known_root;
diff --git a/net/socket/ssl_client_socket_unittest.cc b/net/socket/ssl_client_socket_unittest.cc
index bf156d1..13bc7c9 100644
--- a/net/socket/ssl_client_socket_unittest.cc
+++ b/net/socket/ssl_client_socket_unittest.cc
@@ -5,6 +5,7 @@
#include "net/socket/ssl_client_socket.h"
#include "net/base/address_list.h"
+#include "net/base/cert_test_util.h"
#include "net/base/cert_verifier.h"
#include "net/base/host_resolver.h"
#include "net/base/io_buffer.h"
@@ -13,6 +14,7 @@
#include "net/base/net_errors.h"
#include "net/base/ssl_config_service.h"
#include "net/base/test_completion_callback.h"
+#include "net/base/test_root_certs.h"
#include "net/socket/client_socket_factory.h"
#include "net/socket/client_socket_handle.h"
#include "net/socket/socket_test_util.h"
@@ -776,3 +778,105 @@ TEST_F(SSLClientSocketTest, ClientSocketHandleNotFromPool) {
TEST(SSLClientSocket, ClearSessionCache) {
net::SSLClientSocket::ClearSessionCache();
}
+
+// This tests that SSLInfo contains a properly re-constructed certificate
+// chain. That, in turn, verifies that GetSSLInfo is giving us the chain as
+// verified, not the chain as served by the server. (They may be different.)
+//
+// CERT_CHAIN_WRONG_ROOT is redundant-server-chain.pem. It contains A
+// (end-entity) -> B -> C, and C is signed by D. We do not set D to be a
+// trusted root in this test. Instead, we install C2 as a root; C2 contains
+// the same public key as C. redundant-server-chain.pem should therefore
+// validate as A -> B -> C2. If it does, this test passes.
+//
+// Note that although it is a violation of the TLS specification to send a
+// mal-ordered chain, in practice most clients don't hard-fail on it and
+// some servers do send such chains.
+//
+// This test is the upper-layer analogue for
+// X509CertificateTest.VerifyReturnChainProperlyOrdered.
+#if defined(OS_MACOSX)
+// TODO(rsleevi): http://crbug.com/114343 / http://crbug.com/69278 - OS X
+// path building fails to properly handle cross-certified intermediates
+// without AIA information, so this test is disabled.
+#define MAYBE_VerifyReturnChainProperlyOrdered \
+ DISABLED_VerifyReturnChainProperlyOrdered
+#elif defined(OS_ANDROID)
+// TODO(joth)
+#define MAYBE_VerifyReturnChainProperlyOrdered \
+ DISABLED_VerifyReturnChainProperlyOrdered
+#else
+#define MAYBE_VerifyReturnChainProperlyOrdered \
+ VerifyReturnChainProperlyOrdered
+#endif
+TEST_F(SSLClientSocketTest, MAYBE_VerifyReturnChainProperlyOrdered) {
+ // We will expect SSLInfo to ultimately contain this chain.
+ net::CertificateList certs = CreateCertificateListFromFile(
+ net::GetTestCertsDirectory(), "redundant-validated-chain.pem",
+ net::X509Certificate::FORMAT_AUTO);
+ ASSERT_EQ(3U, certs.size());
+
+ // Load and install the root for the validated chain.
+ scoped_refptr<net::X509Certificate> root_cert =
+ net::ImportCertFromFile(net::GetTestCertsDirectory(),
+ "redundant-validated-chain-root.pem");
+ ASSERT_NE(static_cast<net::X509Certificate*>(NULL), root_cert);
+ net::TestRootCerts::GetInstance()->Add(root_cert.get());
+
+ // Set up a test server with CERT_CHAIN_WRONG_ROOT.
+ net::TestServer::HTTPSOptions https_options(
+ net::TestServer::HTTPSOptions::CERT_CHAIN_WRONG_ROOT);
+ net::TestServer test_server(https_options,
+ FilePath(FILE_PATH_LITERAL("net/data/ssl")));
+ ASSERT_TRUE(test_server.Start());
+
+ net::AddressList addr;
+ ASSERT_TRUE(test_server.GetAddressList(&addr));
+
+ net::TestCompletionCallback callback;
+ net::CapturingNetLog log(net::CapturingNetLog::kUnbounded);
+ net::StreamSocket* transport = new net::TCPClientSocket(
+ addr, &log, net::NetLog::Source());
+ int rv = transport->Connect(callback.callback());
+ if (rv == net::ERR_IO_PENDING)
+ rv = callback.WaitForResult();
+ EXPECT_EQ(net::OK, rv);
+
+ scoped_ptr<net::SSLClientSocket> sock(
+ CreateSSLClientSocket(transport, test_server.host_port_pair(),
+ kDefaultSSLConfig));
+ EXPECT_FALSE(sock->IsConnected());
+ rv = sock->Connect(callback.callback());
+
+ net::CapturingNetLog::EntryList entries;
+ log.GetEntries(&entries);
+ EXPECT_TRUE(net::LogContainsBeginEvent(
+ entries, 5, net::NetLog::TYPE_SSL_CONNECT));
+ if (rv == net::ERR_IO_PENDING)
+ rv = callback.WaitForResult();
+
+ EXPECT_EQ(net::OK, rv);
+ EXPECT_TRUE(sock->IsConnected());
+ log.GetEntries(&entries);
+ EXPECT_TRUE(LogContainsSSLConnectEndEvent(entries, -1));
+
+ net::SSLInfo ssl_info;
+ sock->GetSSLInfo(&ssl_info);
+
+ // Verify that SSLInfo contains the corrected re-constructed chain A -> B
+ // -> C2.
+ const net::X509Certificate::OSCertHandles& intermediates =
+ ssl_info.cert->GetIntermediateCertificates();
+ ASSERT_EQ(2U, intermediates.size());
+ EXPECT_TRUE(net::X509Certificate::IsSameOSCert(
+ ssl_info.cert->os_cert_handle(), certs[0]->os_cert_handle()));
+ EXPECT_TRUE(net::X509Certificate::IsSameOSCert(
+ intermediates[0], certs[1]->os_cert_handle()));
+ EXPECT_TRUE(net::X509Certificate::IsSameOSCert(
+ intermediates[1], certs[2]->os_cert_handle()));
+
+ net::TestRootCerts::GetInstance()->Clear();
+ sock->Disconnect();
+ EXPECT_FALSE(sock->IsConnected());
+}
+
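Review bot: The root installed with `net::TestRootCerts::GetInstance()->Add(root_cert.get())` is only removed by the `Clear()` call at the very end of the test, so any `ASSERT_*` that fails in between (`test_server.Start()`, `GetAddressList`, the intermediates count) returns early and leaves C2 trusted for whatever test runs next in the process. Moving the `Clear()` into the fixture's TearDown, or into a small scoped object declared right after `Add`, keeps the trust store clean on every exit path. Separately, `ssl_info.cert->GetIntermediateCertificates()` is reached even when the preceding `EXPECT_EQ(net::OK, rv)` has failed; `ASSERT_TRUE(ssl_info.cert.get() != NULL);` before it turns a null dereference into an ordinary test failure.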
diff --git a/net/socket/ssl_client_socket_win.cc b/net/socket/ssl_client_socket_win.cc
index 8387fa1..f36b3c8 100644
--- a/net/socket/ssl_client_socket_win.cc
+++ b/net/socket/ssl_client_socket_win.cc
@@ -422,7 +422,7 @@ void SSLClientSocketWin::GetSSLInfo(SSLInfo* ssl_info) {
if (!server_cert_)
return;
- ssl_info->cert = server_cert_;
+ ssl_info->cert = server_cert_verify_result_.verified_cert;
ssl_info->cert_status = server_cert_verify_result_.cert_status;
ssl_info->public_key_hashes = server_cert_verify_result_.public_key_hashes;
ssl_info->is_issued_by_known_root =
diff --git a/net/test/test_server.cc b/net/test/test_server.cc
index f38abfa..3d95fb4 100644
--- a/net/test/test_server.cc
+++ b/net/test/test_server.cc
@@ -59,6 +59,10 @@ FilePath TestServer::HTTPSOptions::GetCertificateFile() const {
return FilePath(FILE_PATH_LITERAL("ok_cert.pem"));
case CERT_EXPIRED:
return FilePath(FILE_PATH_LITERAL("expired_cert.pem"));
+ case CERT_CHAIN_WRONG_ROOT:
+ // This chain uses its own dedicated test root certificate to avoid
+ // side-effects that may affect testing.
+ return FilePath(FILE_PATH_LITERAL("redundant-server-chain.pem"));
default:
NOTREACHED();
}
diff --git a/net/test/test_server.h b/net/test/test_server.h
index 6e5eb60..f49a16b 100644
--- a/net/test/test_server.h
+++ b/net/test/test_server.h
@@ -56,6 +56,11 @@ class TestServer {
CERT_OK,
CERT_MISMATCHED_NAME,
CERT_EXPIRED,
+ // Cross-signed certificate to test PKIX path building. Contains an
+ // intermediate cross-signed by an unknown root, while the client (via
+ // TestRootStore) is expected to have a self-signed version of the
+ // intermediate.
+ CERT_CHAIN_WRONG_ROOT,
};
// Bitmask of bulk encryption algorithms that the test server supports
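Review bot: The comment on `CERT_CHAIN_WRONG_ROOT` refers to `TestRootStore`, but the test added in ssl_client_socket_unittest.cc installs the root through `net::TestRootCerts`; the comment should name that class so a reader can find it. It would also help to say which fixture is served, e.g. `// Serves redundant-server-chain.pem; see net/data/ssl/certificates/README.` The enum's opening line is outside the hunk.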