New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 605960 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Last visit > 30 days ago
Closed: Apr 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Android
Pri: 2
Type: Bug

Blocking:
issue 605963



Sign in to add a comment

CertVerifyProcTest.RejectWeakKeys fails on Android N with CERT_AUTHORITY_INVALID

Project Member Reported by jbudorick@chromium.org, Apr 22 2016

Issue description

e.g. from https://uberchromegw.corp.google.com/i/internal.client.clank/builders/test-n-phone/builds/260/steps/net_unittests/logs/stdio:

C  289.108s Main  [FAIL] CertVerifyProcTest.RejectWeakKeys:
C  289.108s Main  [ RUN      ] CertVerifyProcTest.RejectWeakKeys
C  289.108s Main  ../../net/cert/cert_verify_proc_unittest.cc:413: Failure
C  289.108s Main  Value of: error
C  289.108s Main    Actual: -202
C  289.108s Main  Expected: OK
C  289.108s Main  Which is: 0
C  289.109s Main  Google Test trace:
C  289.109s Main  ../../net/cert/cert_verify_proc_unittest.cc:382: 1024-rsa-ee-by-1024-rsa-intermediate.pem
C  289.109s Main  ../../net/cert/cert_verify_proc_unittest.cc:413: Failure
C  289.109s Main  Value of: error
C  289.109s Main    Actual: -202
C  289.109s Main  Expected: OK
C  289.109s Main  Which is: 0
C  289.109s Main  Google Test trace:
C  289.109s Main  ../../net/cert/cert_verify_proc_unittest.cc:382: 1024-rsa-ee-by-2048-rsa-intermediate.pem
C  289.109s Main  ../../net/cert/cert_verify_proc_unittest.cc:413: Failure
C  289.109s Main  Value of: error
C  289.109s Main    Actual: -202
C  289.109s Main  Expected: OK
C  289.109s Main  Which is: 0
C  289.109s Main  Google Test trace:
C  289.109s Main  ../../net/cert/cert_verify_proc_unittest.cc:382: 1024-rsa-ee-by-prime256v1-ecdsa-intermediate.pem
C  289.109s Main  ../../net/cert/cert_verify_proc_unittest.cc:413: Failure
C  289.109s Main  Value of: error
C  289.109s Main    Actual: -202
C  289.109s Main  Expected: OK
C  289.109s Main  Which is: 0
C  289.109s Main  Google Test trace:
C  289.109s Main  ../../net/cert/cert_verify_proc_unittest.cc:382: 2048-rsa-ee-by-1024-rsa-intermediate.pem
C  289.109s Main  ../../net/cert/cert_verify_proc_unittest.cc:413: Failure
C  289.109s Main  Value of: error
C  289.109s Main    Actual: -202
C  289.109s Main  Expected: OK
C  289.109s Main  Which is: 0
C  289.109s Main  Google Test trace:
C  289.109s Main  ../../net/cert/cert_verify_proc_unittest.cc:382: 2048-rsa-ee-by-2048-rsa-intermediate.pem
C  289.109s Main  ../../net/cert/cert_verify_proc_unittest.cc:413: Failure
C  289.109s Main  Value of: error
C  289.109s Main    Actual: -202
C  289.109s Main  Expected: OK
C  289.110s Main  Which is: 0
C  289.110s Main  Google Test trace:
C  289.110s Main  ../../net/cert/cert_verify_proc_unittest.cc:382: 2048-rsa-ee-by-prime256v1-ecdsa-intermediate.pem
C  289.110s Main  ../../net/cert/cert_verify_proc_unittest.cc:413: Failure
C  289.110s Main  Value of: error
C  289.110s Main    Actual: -202
C  289.110s Main  Expected: OK
C  289.110s Main  Which is: 0
C  289.110s Main  Google Test trace:
C  289.110s Main  ../../net/cert/cert_verify_proc_unittest.cc:382: prime256v1-ecdsa-ee-by-1024-rsa-intermediate.pem
C  289.110s Main  ../../net/cert/cert_verify_proc_unittest.cc:413: Failure
C  289.110s Main  Value of: error
C  289.110s Main    Actual: -202
C  289.110s Main  Expected: OK
C  289.110s Main  Which is: 0
C  289.110s Main  Google Test trace:
C  289.110s Main  ../../net/cert/cert_verify_proc_unittest.cc:382: prime256v1-ecdsa-ee-by-2048-rsa-intermediate.pem
C  289.110s Main  ../../net/cert/cert_verify_proc_unittest.cc:413: Failure
C  289.110s Main  Value of: error
C  289.110s Main    Actual: -202
C  289.110s Main  Expected: OK
C  289.110s Main  Which is: 0
C  289.110s Main  Google Test trace:
C  289.110s Main  ../../net/cert/cert_verify_proc_unittest.cc:382: prime256v1-ecdsa-ee-by-prime256v1-ecdsa-intermediate.pem
C  289.110s Main  [  FAILED  ] CertVerifyProcTest.RejectWeakKeys (399 ms)
 
Blocking: 605963
Investigating it looks like we're getting a "Chain validation failed" from the Android Certificate Verification logic. It looks like at some point the N parser got stricter and is giving the error:

java.security.cert.CertificateParsingException: no more data allowed for version 1 certificate
Owner: svaldez@chromium.org
Status: Assigned (was: Available)
Should be fixed on trunk once https://codereview.chromium.org/1906323004/ lands.
excellent, thanks!
Why is this Restrict-View-Google? The Android preview is available, is it not?
internal bot + unreleased version. We try to keep test-n-phone on the weekly dogfood build.
(we could conceivably have an upstream bot with publicly released preview builds, but it hasn't been a high priority)
Can we open this bug at least? There's nothing confidential here other than the URL, and there's nothing magic in that.
Labels: -Restrict-View-Google
I guess so.

Comment 10 Deleted

Project Member

Comment 11 by bugdroid1@chromium.org, Apr 22 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/655e2234eb572003c5641f817b6c045faae9b24f

commit 655e2234eb572003c5641f817b6c045faae9b24f
Author: svaldez <svaldez@chromium.org>
Date: Fri Apr 22 23:52:26 2016

Fixing generate-weak-test-chains.sh to generate correct certificates

We add extensions to the leaf certificates generated by
generate-weak-test-chains.sh in order to make them valid certificates
for testing on Android.

BUG= 605960 

Review URL: https://codereview.chromium.org/1906323004

Cr-Commit-Position: refs/heads/master@{#389309}

[modify] https://crrev.com/655e2234eb572003c5641f817b6c045faae9b24f/chrome/common/net/x509_certificate_model_unittest.cc
[modify] https://crrev.com/655e2234eb572003c5641f817b6c045faae9b24f/net/data/ssl/certificates/1024-rsa-ee-by-1024-rsa-intermediate.pem
[modify] https://crrev.com/655e2234eb572003c5641f817b6c045faae9b24f/net/data/ssl/certificates/1024-rsa-ee-by-2048-rsa-intermediate.pem
[modify] https://crrev.com/655e2234eb572003c5641f817b6c045faae9b24f/net/data/ssl/certificates/1024-rsa-ee-by-768-rsa-intermediate.pem
[modify] https://crrev.com/655e2234eb572003c5641f817b6c045faae9b24f/net/data/ssl/certificates/1024-rsa-ee-by-prime256v1-ecdsa-intermediate.pem
[modify] https://crrev.com/655e2234eb572003c5641f817b6c045faae9b24f/net/data/ssl/certificates/1024-rsa-intermediate.pem
[modify] https://crrev.com/655e2234eb572003c5641f817b6c045faae9b24f/net/data/ssl/certificates/2048-rsa-ee-by-1024-rsa-intermediate.pem
[modify] https://crrev.com/655e2234eb572003c5641f817b6c045faae9b24f/net/data/ssl/certificates/2048-rsa-ee-by-2048-rsa-intermediate.pem
[modify] https://crrev.com/655e2234eb572003c5641f817b6c045faae9b24f/net/data/ssl/certificates/2048-rsa-ee-by-768-rsa-intermediate.pem
[modify] https://crrev.com/655e2234eb572003c5641f817b6c045faae9b24f/net/data/ssl/certificates/2048-rsa-ee-by-prime256v1-ecdsa-intermediate.pem
[modify] https://crrev.com/655e2234eb572003c5641f817b6c045faae9b24f/net/data/ssl/certificates/2048-rsa-intermediate.pem
[modify] https://crrev.com/655e2234eb572003c5641f817b6c045faae9b24f/net/data/ssl/certificates/2048-rsa-root.pem
[modify] https://crrev.com/655e2234eb572003c5641f817b6c045faae9b24f/net/data/ssl/certificates/768-rsa-ee-by-1024-rsa-intermediate.pem
[modify] https://crrev.com/655e2234eb572003c5641f817b6c045faae9b24f/net/data/ssl/certificates/768-rsa-ee-by-2048-rsa-intermediate.pem
[modify] https://crrev.com/655e2234eb572003c5641f817b6c045faae9b24f/net/data/ssl/certificates/768-rsa-ee-by-768-rsa-intermediate.pem
[modify] https://crrev.com/655e2234eb572003c5641f817b6c045faae9b24f/net/data/ssl/certificates/768-rsa-ee-by-prime256v1-ecdsa-intermediate.pem
[modify] https://crrev.com/655e2234eb572003c5641f817b6c045faae9b24f/net/data/ssl/certificates/768-rsa-intermediate.pem
[modify] https://crrev.com/655e2234eb572003c5641f817b6c045faae9b24f/net/data/ssl/certificates/prime256v1-ecdsa-ee-by-1024-rsa-intermediate.pem
[modify] https://crrev.com/655e2234eb572003c5641f817b6c045faae9b24f/net/data/ssl/certificates/prime256v1-ecdsa-ee-by-2048-rsa-intermediate.pem
[modify] https://crrev.com/655e2234eb572003c5641f817b6c045faae9b24f/net/data/ssl/certificates/prime256v1-ecdsa-ee-by-768-rsa-intermediate.pem
[modify] https://crrev.com/655e2234eb572003c5641f817b6c045faae9b24f/net/data/ssl/certificates/prime256v1-ecdsa-ee-by-prime256v1-ecdsa-intermediate.pem
[modify] https://crrev.com/655e2234eb572003c5641f817b6c045faae9b24f/net/data/ssl/certificates/prime256v1-ecdsa-intermediate.pem
[modify] https://crrev.com/655e2234eb572003c5641f817b6c045faae9b24f/net/data/ssl/scripts/generate-weak-test-chains.sh

Status: Fixed (was: Assigned)
Labels: M-52

Sign in to add a comment