CertVerifyProcTest.PaypalNullCertParsing does not test what it is supposed to test |
|||||
Issue descriptionFrom discussion in https://codereview.chromium.org/1903453003/: On 2016/04/20 22:45:03, Ryan Sleevi wrote: > I'm not comfortable with this fix; it papers over the root issue, and as a > result, causes the test not to cover what it's meant to test. > > In this case, I'd be more comfortable if you disabled the test, and filed a bug > - because then it's at least clear this test is missing coverage. On 2016/04/20 23:03:35, davidben wrote: > Is there actually anything to file a bug about? It seems newer iOS SDKs behave > correctly and while older ones didn't. (I'd buy skipping the test in the old SDK > case though.) On 2016/04/20 23:13:44, Ryan Sleevi wrote: > No, the newer SDKs behave incorrectly - they're treating it as a "CA trust > issue", rather than an "invalid certificate issue". This suggests that the > issuing CA is no longer trusted (perhaps a lack of intermediates to chain to a > newer root), rather than as being a fundamental encoding issue. That's the > concern - we're no longer sure we're actually testing the certificate as > rejected, but instead that the CA is not trusted - which means we're not > actually sure that an (otherwise trusted) embedded-null cert would be rejected. > > One approach to fix this would be to generate a local CA with a > forcibly-embedded NUL, rather than relying on the current test certificate > (which can cause issues like this when the underlying root store changes, as it > did) On 2016/04/20 at 23:19:07, davidben wrote: > I see. Then we should have filed a bug ages ago, no? The non-simulator case > (what we actually care about), Mac, and Windows already all use > ERR_CERT_AUTHORITY_INVALID (line 241 on the RHS). It's just NSS that was doing > anything different before this iOS codepath. > > The new SDK's simulator is correct in that it correctly matches the real result. On 2016/04/20 at 23:20:48, rsleevi wrote: > Correct, we should have. > > Right, it appears this test was inappropriately "fixed" (based on the real world) > to no longer cover what it was supposed to be testing.
,
Apr 21 2016
,
Apr 21 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/743c8e4de5881808684cf30e58f83f441010d2c4 commit 743c8e4de5881808684cf30e58f83f441010d2c4 Author: sdefresne <sdefresne@chromium.org> Date: Thu Apr 21 14:38:09 2016 Disable CertVerifyProcTest.PaypalNullCertParsing The test expectation is incorrect on some configurations, so disable the test until it is fixed (better to have a bug to track a failing test than a false sense of security due to false positive). BUG=605457 Review URL: https://codereview.chromium.org/1907443005 Cr-Commit-Position: refs/heads/master@{#388770} [modify] https://crrev.com/743c8e4de5881808684cf30e58f83f441010d2c4/net/cert/cert_verify_proc_unittest.cc
,
Jun 1 2016
Moving this nonessential bug to the next milestone. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jun 21 2016
,
Jul 12 2016
This issue has been moved once and is lower than Pri-1. Removing the milestone. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Dec 18 2017
Any traction? |
|||||
►
Sign in to add a comment |
|||||
Comment 1 by rsleevi@chromium.org
, Apr 21 2016Labels: OS-All
Owner: rsleevi@chromium.org
Status: Assigned (was: Available)