[Merge m97] Change some tests to avoid churn when regenerating test c…

…erts. CertDatabaseNSSTest.ImportServerCert: Don't depend on NSS database cert ordering X509CertificateModelTest.ProcessRawBitsSignatureWrap: Use a non-generated cert HTTPSOCSPTest, OCSPBrowserTest: calculate root cert hash at runtime Also fix a possible test crash on failed expectations: TransportSecurityStateTest.ExpectCTReporter (cherry picked from commit 3286abc) Bug: 1266634 Change-Id: I8f3269b7882a8467eb5ce9fd45aca85a939dfa72 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3309165 Reviewed-by: David Benjamin <davidben@chromium.org> Reviewed-by: Carlos IL <carlosil@chromium.org> Commit-Queue: Matt Mueller <mattm@chromium.org> Cr-Original-Commit-Position: refs/heads/main@{#947205} Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3525895 Auto-Submit: Chong Gu <chonggu@google.com> Reviewed-by: Matt Mueller <mattm@chromium.org> Commit-Queue: Srinivas Sista <srinivassista@chromium.org> Owners-Override: Srinivas Sista <srinivassista@chromium.org> Cr-Commit-Position: refs/branch-heads/4692@{#1544} Cr-Branched-From: 038cd96-refs/heads/main@{#938553}
chromium · Mar 17, 2022 · 3e5d8a1 · 3e5d8a1
1 parent 5bdc52a
commit 3e5d8a1
Show file tree

Hide file tree

Showing 5 changed files with 63 additions and 62 deletions.
diff --git a/chrome/browser/ssl/ocsp_browsertest.cc b/chrome/browser/ssl/ocsp_browsertest.cc
@@ -27,6 +27,7 @@
 #include "net/cert/ev_root_ca_metadata.h"
 #include "net/test/cert_test_util.h"
 #include "net/test/embedded_test_server/embedded_test_server.h"
+#include "net/test/test_data_directory.h"
 #include "services/network/public/cpp/features.h"
 #include "services/network/public/mojom/ssl_config.mojom.h"
 #include "third_party/blink/public/common/features.h"
@@ -35,14 +36,6 @@ namespace AuthState = ssl_test_util::AuthState;
 
 namespace {
 
-// SHA256 hash of the testserver root_ca_cert DER.
-// openssl x509 -in root_ca_cert.pem -outform der | \
-//   openssl dgst -sha256 -binary | xxd -i
-static const net::SHA256HashValue kTestRootCertHash = {
-    {0xb2, 0xab, 0xa3, 0xa5, 0xd4, 0x11, 0x56, 0xcb, 0xb9, 0x23, 0x35,
-     0x07, 0x6d, 0x0b, 0x51, 0xbe, 0xd3, 0xee, 0x2e, 0xab, 0xe7, 0xab,
-     0x6b, 0xad, 0xcc, 0x2a, 0xfa, 0x35, 0xfb, 0x8e, 0x31, 0x5e}};
-
 // The test EV policy OID used for generated certs.
 static const char kOCSPTestCertPolicy[] = "1.3.6.1.4.1.11129.2.4.1";
 
@@ -84,8 +77,12 @@ class OCSPBrowserTest : public PlatformBrowserTest,
     // TODO(https://crbug.com/1085233): when the CertVerifierService is moved
     // out of process, the ScopedTestEVPolicy needs to be instantiated in
     // that process.
+    scoped_refptr<net::X509Certificate> root_cert = net::ImportCertFromFile(
+        net::GetTestCertsDirectory(), "root_ca_cert.pem");
+    ASSERT_TRUE(root_cert);
     ev_test_policy_ = std::make_unique<net::ScopedTestEVPolicy>(
-        net::EVRootCAMetadata::GetInstance(), kTestRootCertHash,
+        net::EVRootCAMetadata::GetInstance(),
+        net::X509Certificate::CalculateFingerprint256(root_cert->cert_buffer()),
         kOCSPTestCertPolicy);
   }
 

diff --git a/chrome/common/net/x509_certificate_model_nss_unittest.cc b/chrome/common/net/x509_certificate_model_nss_unittest.cc
@@ -384,25 +384,17 @@ TEST_F(X509CertificateModelTest, ProcessSubjectPublicKeyInfo) {
 
 TEST_F(X509CertificateModelTest, ProcessRawBitsSignatureWrap) {
   net::ScopedCERTCertificate cert(net::ImportCERTCertificateFromFile(
-      net::GetTestCertsDirectory(), "root_ca_cert.pem"));
+      net::GetTestCertsDirectory(), "google.single.pem"));
   ASSERT_TRUE(cert.get());
 
   EXPECT_EQ(
-      "B1 B1 83 61 AF DB ED 98 CF 3D 43 5F A7 42 B8 6D\n"
-      "94 36 57 BB AB 04 EE DD 3B B7 6D EC 78 7D 46 59\n"
-      "B1 E6 2A C3 AA A5 70 A7 E1 0C FA 65 37 C6 CB 7D\n"
-      "A1 37 35 A1 FF F0 DD CE B6 A4 2C 12 D4 46 A9 9C\n"
-      "A2 91 3A B0 95 55 97 55 E6 0A DA 63 60 24 19 AC\n"
-      "20 C9 B1 94 40 E9 99 B1 F5 C3 ED 61 5D DE 4C E4\n"
-      "EB D9 0E AC 3A 0A FC 44 7D 0F 77 A6 B6 DA 28 D4\n"
-      "ED EA 3A BC 57 23 9C 72 2B 2D B0 5D 11 02 4D C5\n"
-      "BC B0 D6 7E 00 8E F7 E7 F5 19 3A 23 DF 33 02 AA\n"
-      "4B BF 81 F4 5A 99 EE 74 20 F3 77 A1 F0 85 1E A8\n"
-      "D6 CC A4 CB 31 FA 73 24 A2 0E DD 9F 6F 82 38 5F\n"
-      "85 AC 8D 76 BD D8 F2 69 73 E3 46 44 42 E3 5E F3\n"
-      "AA 5E 44 13 51 EA 0B 78 91 77 96 EE 73 FE 2A B5\n"
-      "88 C1 38 8D 8D A8 19 76 94 05 02 CF D4 6F EB E6\n"
-      "07 F5 9D 52 24 B8 50 A3 0E C4 45 A6 09 B4 06 2D\n"
-      "3E 14 A5 3F 1C 1A BC DA B8 40 3E C1 1C F6 3C 05",
+      "9F 43 CF 5B C4 50 29 B1 BF E2 B0 9A FF 6A 21 1D\n"
+      "2D 12 C3 2C 4E 5A F9 12 E2 CE B9 82 52 2D E7 1D\n"
+      "7E 1A 76 96 90 79 D1 24 52 38 79 BB 63 8D 80 97\n"
+      "7C 23 20 0F 91 4D 16 B9 EA EE F4 6D 89 CA C6 BD\n"
+      "CC 24 68 D6 43 5B CE 2A 58 BF 3C 18 E0 E0 3C 62\n"
+      "CF 96 02 2D 28 47 50 34 E1 27 BA CF 99 D1 50 FF\n"
+      "29 25 C0 36 36 15 33 52 70 BE 31 8F 9F E8 7F E7\n"
+      "11 0C 8D BF 84 A0 42 1A 80 89 B0 31 58 41 07 5F",
       x509_certificate_model::ProcessRawBitsSignatureWrap(cert.get()));
 }
diff --git a/net/cert/nss_cert_database_unittest.cc b/net/cert/nss_cert_database_unittest.cc
@@ -543,12 +543,20 @@ TEST_F(CertDatabaseNSSTest, ImportServerCert) {
   // All the certs in the imported list should now be found in the NSS DB.
   ScopedCERTCertificateList cert_list = ListCerts();
   ASSERT_EQ(3U, cert_list.size());
-  CERTCertificate* found_server_cert = cert_list[1].get();
-  CERTCertificate* found_intermediate_cert = cert_list[2].get();
-  CERTCertificate* found_root_cert = cert_list[0].get();
-  EXPECT_EQ("127.0.0.1", GetSubjectCN(found_server_cert));
-  EXPECT_EQ("Test Intermediate CA", GetSubjectCN(found_intermediate_cert));
-  EXPECT_EQ("Test Root CA", GetSubjectCN(found_root_cert));
+  CERTCertificate* found_server_cert = nullptr;
+  CERTCertificate* found_intermediate_cert = nullptr;
+  CERTCertificate* found_root_cert = nullptr;
+  for (const auto& cert : cert_list) {
+    if (GetSubjectCN(cert.get()) == "127.0.0.1")
+      found_server_cert = cert.get();
+    else if (GetSubjectCN(cert.get()) == "Test Intermediate CA")
+      found_intermediate_cert = cert.get();
+    else if (GetSubjectCN(cert.get()) == "Test Root CA")
+      found_root_cert = cert.get();
+  }
+  ASSERT_TRUE(found_server_cert);
+  ASSERT_TRUE(found_intermediate_cert);
+  ASSERT_TRUE(found_root_cert);
 
   EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
             cert_db_->GetCertTrust(found_server_cert, SERVER_CERT));

diff --git a/net/http/transport_security_state_unittest.cc b/net/http/transport_security_state_unittest.cc
@@ -1318,7 +1318,8 @@ TEST_F(TransportSecurityStateTest, ExpectCTReporter) {
   EXPECT_EQ(GURL(kExpectCTStaticReportURI), reporter.report_uri());
   EXPECT_EQ(cert1.get(), reporter.served_certificate_chain());
   EXPECT_EQ(cert2.get(), reporter.validated_certificate_chain());
-  EXPECT_EQ(ssl_info.signed_certificate_timestamps.size(),
+  ASSERT_EQ(1u, ssl_info.signed_certificate_timestamps.size());
+  ASSERT_EQ(ssl_info.signed_certificate_timestamps.size(),
             reporter.signed_certificate_timestamps().size());
   EXPECT_EQ(ssl_info.signed_certificate_timestamps[0].status,
             reporter.signed_certificate_timestamps()[0].status);

diff --git a/net/url_request/url_request_unittest.cc b/net/url_request/url_request_unittest.cc
@@ -665,6 +665,25 @@ class OCSPErrorTestDelegate : public TestDelegate {
   SSLInfo ssl_info_;
 };
 
+#if !defined(OS_IOS)
+// Compute the root cert's SPKI hash on the fly, to avoid hardcoding it within
+// tests.
+bool GetTestRootCertSPKIHash(SHA256HashValue* root_hash) {
+  scoped_refptr<X509Certificate> root_cert =
+      ImportCertFromFile(GetTestCertsDirectory(), "root_ca_cert.pem");
+  if (!root_cert)
+    return false;
+  base::StringPiece root_spki;
+  if (!asn1::ExtractSPKIFromDERCert(
+          x509_util::CryptoBufferAsStringPiece(root_cert->cert_buffer()),
+          &root_spki)) {
+    return false;
+  }
+  crypto::SHA256HashString(root_spki, root_hash, sizeof(SHA256HashValue));
+  return true;
+}
+#endif
+
 }  // namespace
 
 // Inherit PlatformTest since we require the autorelease pool on Mac OS X.
@@ -10707,22 +10726,6 @@ class HTTPSCertNetFetchingTest : public HTTPSRequestTest {
   TestURLRequestContext context_;
 };
 
-// SHA256 hash of the testserver root_ca_cert DER.
-// openssl x509 -in root_ca_cert.pem -outform der | \
-//   openssl dgst -sha256 -binary | xxd -i
-static const SHA256HashValue kTestRootCertHash = {
-    {0xb2, 0xab, 0xa3, 0xa5, 0xd4, 0x11, 0x56, 0xcb, 0xb9, 0x23, 0x35,
-     0x07, 0x6d, 0x0b, 0x51, 0xbe, 0xd3, 0xee, 0x2e, 0xab, 0xe7, 0xab,
-     0x6b, 0xad, 0xcc, 0x2a, 0xfa, 0x35, 0xfb, 0x8e, 0x31, 0x5e}};
-
-// SHA256 hash of the DER SPKI of the testserver root_ca_cert.
-// openssl x509 -in root_ca_cert.pem -pubkey -noout | \
-//   openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | xxd -i
-static const SHA256HashValue kTestRootCertSPKIHash = {
-    {0x57, 0x2a, 0x4f, 0xdd, 0x55, 0x8b, 0xec, 0xe6, 0xaa, 0x4c, 0x9e,
-     0xe6, 0x20, 0x17, 0xa1, 0x59, 0x89, 0x6f, 0xf2, 0x48, 0x4f, 0xb8,
-     0x51, 0xe9, 0x5a, 0x27, 0x9a, 0xad, 0x92, 0x36, 0x62, 0x32}};
-
 // The test EV policy OID used for generated certs.
 static const char kOCSPTestCertPolicy[] = "1.3.6.1.4.1.11129.2.4.1";
 
@@ -10731,8 +10734,13 @@ class HTTPSOCSPTest : public HTTPSCertNetFetchingTest {
   void SetUp() override {
     HTTPSCertNetFetchingTest::SetUp();
 
+    scoped_refptr<X509Certificate> root_cert =
+        ImportCertFromFile(GetTestCertsDirectory(), "root_ca_cert.pem");
+    ASSERT_TRUE(root_cert);
+
     ev_test_policy_ = std::make_unique<ScopedTestEVPolicy>(
-        EVRootCAMetadata::GetInstance(), kTestRootCertHash,
+        EVRootCAMetadata::GetInstance(),
+        X509Certificate::CalculateFingerprint256(root_cert->cert_buffer()),
         kOCSPTestCertPolicy);
   }
 
@@ -11562,8 +11570,10 @@ TEST_F(HTTPSEVCRLSetTest, FreshCRLSetCovered) {
       EmbeddedTestServer::OCSPConfig::ResponseType::kInvalidResponse);
 
   CertVerifier::Config cert_verifier_config = GetCertVerifierConfig();
+  SHA256HashValue root_cert_spki_hash;
+  ASSERT_TRUE(GetTestRootCertSPKIHash(&root_cert_spki_hash));
   cert_verifier_config.crl_set =
-      CRLSet::ForTesting(false, &kTestRootCertSPKIHash, "", "", {});
+      CRLSet::ForTesting(false, &root_cert_spki_hash, "", "", {});
   context_.cert_verifier()->SetConfig(cert_verifier_config);
 
   CertStatus cert_status;
@@ -11670,8 +11680,10 @@ TEST_F(HTTPSCRLSetTest, CRLSetRevoked) {
   ASSERT_TRUE(test_server.Start());
 
   CertVerifier::Config cert_verifier_config = GetCertVerifierConfig();
+  SHA256HashValue root_cert_spki_hash;
+  ASSERT_TRUE(GetTestRootCertSPKIHash(&root_cert_spki_hash));
   cert_verifier_config.crl_set =
-      CRLSet::ForTesting(false, &kTestRootCertSPKIHash,
+      CRLSet::ForTesting(false, &root_cert_spki_hash,
                          test_server.GetCertificate()->serial_number(), "", {});
   context_.cert_verifier()->SetConfig(cert_verifier_config);
 
@@ -11895,17 +11907,8 @@ TEST_F(HTTPSLocalCRLSetTest, InterceptionBlockedAllowOverrideOnHSTS) {
 
   // Configure for kHSTSSubdomainWithKnownInterception
   CertVerifyResult sts_sub_result = fake_result;
-  // Compute the root cert's hash on the fly, to avoid hardcoding it within
-  // tests.
-  scoped_refptr<X509Certificate> root_cert =
-      ImportCertFromFile(GetTestCertsDirectory(), "root_ca_cert.pem");
-  ASSERT_TRUE(root_cert);
-  base::StringPiece root_spki;
-  ASSERT_TRUE(asn1::ExtractSPKIFromDERCert(
-      x509_util::CryptoBufferAsStringPiece(root_cert->cert_buffer()),
-      &root_spki));
   SHA256HashValue root_hash;
-  crypto::SHA256HashString(root_spki, &root_hash, sizeof(root_hash));
+  ASSERT_TRUE(GetTestRootCertSPKIHash(&root_hash));
   sts_sub_result.public_key_hashes.push_back(HashValue(root_hash));
   sts_sub_result.cert_status |=
       CERT_STATUS_REVOKED | CERT_STATUS_KNOWN_INTERCEPTION_BLOCKED;