
Issue 711588

Issue metadata

Status: Verified
Owner:
Closed: Jul 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 3
Type: Bug

OCSP and CRL tests fail on Mac

Project Member Reported by lgar...@chromium.org, Apr 14 2017

Issue description

Tip of tree (5dfa2e4c9eee485cc60a851cf28445de16f91010)
OSX 10.12.4

What steps will reproduce the problem?
(1) Pull tip of tree and `gclient sync`
(2) Build and run net_unittests

What is the expected result?
Tests pass.

What happens instead?
The following tests fail:

- HTTPSEVCRLSetTest.ExpiredCRLSet
- HTTPSEVCRLSetTest.FreshCRLSetNotCovered
- HTTPSEVCRLSetTest.MissingCRLSetAndInvalidOCSP
- HTTPSOCSPTest.Invalid

Haven't tested in other places, but presumably these aren't caught by trybots because we don't run Sierra. (That's what happened in Issue 701222.)

net-unittests-fail-ocsp-crl.log (1.4 MB)

Comment 1 by ricea@chromium.org, Apr 14 2017

Components: -Blink>Network Internals>Network

Comment 2 by mmenke@chromium.org, Apr 14 2017

Components: -Internals>Network Internals>Network>Certificate
When you say these fail on Mac, do you mean they fail on Mac Sierra, or more generally?

Comment 3 by eroman@chromium.org, Apr 14 2017

Cc: mattm@chromium.org
> When you say these fail on Mac, do you mean they fail on Mac Sierra, or more generally?

I have no idea. All I know is they fail on my Sierra machine.

Comment 5 by mattm@chromium.org, Apr 20 2017

Cc: -mattm@chromium.org
Owner: mattm@chromium.org
Status: Assigned (was: Untriaged)
These tests all use SpawnedTestServer::SSLOptions::OCSP_INVALID_RESPONSE, which makes the test OCSP server return a garbage response.


On Sierra we only get:
SecTrustGetCssmResultCode = CSSMERR_APPLETP_INCOMPLETE_REVOCATION_CHECK ("revocation check not successful for each cert")
and a chain_info[0].StatusCodes[0] = CSSMERR_APPLETP_INCOMPLETE_REVOCATION_CHECK

These get mapped to CERT_STATUS_NO_REVOCATION_MECHANISM which is then masked off before returning.


On 10.9 we get:
SecTrustGetCssmResultCode = "revocation check not successful for each cert"
chain_info[0].StatusCodes[0] = "unparseable OCSP response"
chain_info[0].StatusCodes[1] = "OCSP service unavailable"

The "unparseable OCSP response" gets mapped to CERT_STATUS_UNABLE_TO_CHECK_REVOCATION, which is what the test is expecting.

Comment 6 by mattm@chromium.org, Apr 20 2017

(And because the CERT_STATUS_NO_REVOCATION_MECHANISM gets masked off, the cert verifies as EV even though the revocation wasn't checked.)

Comment 7 by mattm@chromium.org, Jul 27 2017

Cc: mattm@chromium.org
Issue 748516 has been merged into this issue.

Comment 8 by bugdroid1@chromium.org, Jul 28 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/66538437a3ea88aebca9413fee12746e6558d063

commit 66538437a3ea88aebca9413fee12746e6558d063
Author: Matt Mueller <mattm@chromium.org>
Date: Fri Jul 28 02:48:28 2017

remap CSSMERR_APPLETP_INCOMPLETE_REVOCATION_CHECK to CERT_STATUS_UNABLE_TO_CHECK_REVOCATION

Starting with later 10.12 versions, CSSMERR_APPLETP_INCOMPLETE_REVOCATION_CHECK is a
catch-all code for failures to check revocation status.

Bug:  711588 
Change-Id: Idf466d89ede45ef0a04250714b5f8ca8680188ab
Reviewed-on: https://chromium-review.googlesource.com/590104
Commit-Queue: Matt Mueller <mattm@chromium.org>
Reviewed-by: Ryan Sleevi <rsleevi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#490224}
[modify] https://crrev.com/66538437a3ea88aebca9413fee12746e6558d063/net/cert/cert_verify_proc_mac.cc
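
An added sketch, not Chromium's code and not part of the original thread, modelling the status mapping described in comments 5, 6 and 8 and why the old mapping let the certificate come back as EV. The bit values, the `TpCode` and `Mapping` enums, the function names, and the rule that an EV candidate loses EV whenever CERT_STATUS_UNABLE_TO_CHECK_REVOCATION survives are assumptions made for illustration.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Constructed bit values for this sketch; only the names come from the thread.
constexpr uint32_t CERT_STATUS_NO_REVOCATION_MECHANISM = 1u << 0;
constexpr uint32_t CERT_STATUS_UNABLE_TO_CHECK_REVOCATION = 1u << 1;
constexpr uint32_t CERT_STATUS_IS_EV = 1u << 2;

// Per-certificate status codes quoted in comment 5 (hypothetical enum).
enum class TpCode {
  kIncompleteRevocationCheck,  // CSSMERR_APPLETP_INCOMPLETE_REVOCATION_CHECK
  kUnparseableOcspResponse,    // "unparseable OCSP response"
  kOcspUnavailable,            // "OCSP service unavailable"
};

enum class Mapping { kBeforeFix, kAfterFix };

// Translate the OS status codes into CERT_STATUS bits under either mapping.
uint32_t MapStatusCodes(const std::vector<TpCode>& codes, Mapping mapping) {
  uint32_t status = 0;
  for (TpCode code : codes) {
    switch (code) {
      case TpCode::kIncompleteRevocationCheck:
        status |= mapping == Mapping::kBeforeFix
                      ? CERT_STATUS_NO_REVOCATION_MECHANISM
                      : CERT_STATUS_UNABLE_TO_CHECK_REVOCATION;
        break;
      case TpCode::kUnparseableOcspResponse:
        status |= CERT_STATUS_UNABLE_TO_CHECK_REVOCATION;
        break;
      case TpCode::kOcspUnavailable:
        break;  // Mapping not stated in the thread; ignored in this sketch.
    }
  }
  return status;
}

// Assumption: an EV candidate keeps EV only if no revocation failure survives.
uint32_t VerifyEvCandidate(const std::vector<TpCode>& codes, Mapping mapping) {
  uint32_t status = MapStatusCodes(codes, mapping);
  status &= ~CERT_STATUS_NO_REVOCATION_MECHANISM;  // Masked off before returning.
  if (!(status & CERT_STATUS_UNABLE_TO_CHECK_REVOCATION))
    status |= CERT_STATUS_IS_EV;
  return status;
}

int main() {
  const std::vector<TpCode> sierra = {TpCode::kIncompleteRevocationCheck};
  std::printf("Sierra before fix: %u, after fix: %u\n",
              (unsigned)VerifyEvCandidate(sierra, Mapping::kBeforeFix),
              (unsigned)VerifyEvCandidate(sierra, Mapping::kAfterFix));
}
```
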

Comment 9 by mattm@chromium.org, Jul 28 2017

Status: Fixed (was: Assigned)
