CertVerifyProcConstraintsTest: expand leaf isCA=true tests with keyUs…

…age variation builtin verifier behaves differently if keyCertSign is present or not. Bug: 1370748 Change-Id: I0a6a0e2e9b164401b7bc34de88fb39b6b8ec5c54 Cq-Include-Trybots: luci.chromium.try:mac_chromium_10.13_rel_ng,mac_chromium_10.14_rel_ng,mac_chromium_10.15_rel_ng,mac_chromium_11.0_rel_ng,mac-osxbeta-rel,ios15-beta-simulator,ios16-beta-simulator,win11-x64-fyi-rel Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4093318 Reviewed-by: David Benjamin <davidben@chromium.org> Auto-Submit: Matt Mueller <mattm@chromium.org> Commit-Queue: David Benjamin <davidben@chromium.org> Cr-Commit-Position: refs/heads/main@{#1081887}
qweri0p · Dec 12, 2022 · 963419b · 963419b
1 parent aba5602
commit 963419b
Showing 1 changed file with 51 additions and 15 deletions.
diff --git a/net/cert/cert_verify_proc_unittest.cc b/net/cert/cert_verify_proc_unittest.cc
@@ -4291,12 +4291,25 @@ TEST_P(CertVerifyProcConstraintsTest, BasicConstraintsNotCaIntermediate) {
 }
 
 TEST_P(CertVerifyProcConstraintsTest, BasicConstraintsIsCaLeaf) {
-  chain_[0]->SetBasicConstraints(/*is_ca=*/true, /*path_len=*/-1);
+  for (bool has_key_usage_cert_sign : {false, true}) {
+    chain_[0]->SetBasicConstraints(/*is_ca=*/true, /*path_len=*/-1);
 
-  if (VerifyProcTypeIsBuiltin()) {
-    EXPECT_THAT(Verify(), IsError(ERR_CERT_INVALID));
-  } else {
-    EXPECT_THAT(Verify(), IsOk());
+    if (has_key_usage_cert_sign) {
+      chain_[0]->SetKeyUsages(
+          {KEY_USAGE_BIT_KEY_CERT_SIGN, KEY_USAGE_BIT_DIGITAL_SIGNATURE});
+    } else {
+      chain_[0]->SetKeyUsages({KEY_USAGE_BIT_DIGITAL_SIGNATURE});
+    }
+
+    if (VerifyProcTypeIsBuiltin()) {
+      if (has_key_usage_cert_sign) {
+        EXPECT_THAT(Verify(), IsOk());
+      } else {
+        EXPECT_THAT(Verify(), IsError(ERR_CERT_INVALID));
+      }
+    } else {
+      EXPECT_THAT(Verify(), IsOk());
+    }
   }
 }
 
@@ -4840,12 +4853,22 @@ TEST_P(CertVerifyProcConstraintsTrustedLeafTest, BaseCase) {
 }
 
 TEST_P(CertVerifyProcConstraintsTrustedLeafTest, BasicConstraintsIsCa) {
-  chain_[0]->SetBasicConstraints(/*is_ca=*/true, /*path_len=*/-1);
+  for (bool has_key_usage_cert_sign : {false, true}) {
+    chain_[0]->SetBasicConstraints(/*is_ca=*/true, /*path_len=*/-1);
 
-  if (VerifyProcTypeIsBuiltin() || verify_proc_type() == CERT_VERIFY_PROC_WIN) {
-    EXPECT_THAT(Verify(), IsError(ERR_CERT_AUTHORITY_INVALID));
-  } else {
-    EXPECT_THAT(Verify(), IsOk());
+    if (has_key_usage_cert_sign) {
+      chain_[0]->SetKeyUsages(
+          {KEY_USAGE_BIT_KEY_CERT_SIGN, KEY_USAGE_BIT_DIGITAL_SIGNATURE});
+    } else {
+      chain_[0]->SetKeyUsages({KEY_USAGE_BIT_DIGITAL_SIGNATURE});
+    }
+
+    if (VerifyProcTypeIsBuiltin() ||
+        verify_proc_type() == CERT_VERIFY_PROC_WIN) {
+      EXPECT_THAT(Verify(), IsError(ERR_CERT_AUTHORITY_INVALID));
+    } else {
+      EXPECT_THAT(Verify(), IsOk());
+    }
   }
 }
 
@@ -5021,12 +5044,25 @@ TEST_P(CertVerifyProcConstraintsTrustedSelfSignedTest, BaseCase) {
 }
 
 TEST_P(CertVerifyProcConstraintsTrustedSelfSignedTest, BasicConstraintsIsCa) {
-  cert_->SetBasicConstraints(/*is_ca=*/true, /*path_len=*/-1);
+  for (bool has_key_usage_cert_sign : {false, true}) {
+    cert_->SetBasicConstraints(/*is_ca=*/true, /*path_len=*/-1);
 
-  if (VerifyProcTypeIsBuiltin()) {
-    EXPECT_THAT(Verify(), IsError(ERR_CERT_INVALID));
-  } else {
-    EXPECT_THAT(Verify(), IsOk());
+    if (has_key_usage_cert_sign) {
+      cert_->SetKeyUsages(
+          {KEY_USAGE_BIT_KEY_CERT_SIGN, KEY_USAGE_BIT_DIGITAL_SIGNATURE});
+    } else {
+      cert_->SetKeyUsages({KEY_USAGE_BIT_DIGITAL_SIGNATURE});
+    }
+
+    if (VerifyProcTypeIsBuiltin()) {
+      if (has_key_usage_cert_sign) {
+        EXPECT_THAT(Verify(), IsOk());
+      } else {
+        EXPECT_THAT(Verify(), IsError(ERR_CERT_INVALID));
+      }
+    } else {
+      EXPECT_THAT(Verify(), IsOk());
+    }
   }
 }