
Issue 897233


Issue metadata

Status: Started
OS: Chrome
Pri: 2
Type: Task




Add browsertest verifying that policy-provided untrusted authorities are used in path building for //net server cert verification

Project Member Reported by pmarko@chromium.org, Oct 19

Issue description

Prepare the certificates RootCA -> IntermediateCA -> Server (or take an existing chain like that).

Write a browsertest which requests a page from a server which has the Server certificate but does not send IntermediateCA.
The test should prepare an ONC user policy which pushes RootCA as a trusted anchor (TrustBits: Web) and IntermediateCA as an untrusted CA (TrustBits: empty).

The expectation is that if IntermediateCA is pushed by policy, the cert verification will regard Server as valid (and if not, it will not be regarded as valid).
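
The expectation described in the issue, reproduced outside Chromium with the openssl command line (an added example, not the CL's browsertest or its setup-certificates.sh): `-CAfile` stands in for the policy trust anchor and `-untrusted` for the policy-provided untrusted authority. All file names and subjects are constructed, and the third check (hint supplied without the anchor) goes beyond the two cases the issue lists.

```shell
#!/usr/bin/env bash
# Constructed throwaway PKI: RootCA -> IntermediateCA -> Server.
# All names are placeholders; nothing here comes from the Chromium tree.
new_csr() {  # new_csr <basename> <CN>: fresh key plus signing request
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

make_chain() {  # make_chain <dir>
  local d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\n' > "$d/leaf.ext"
  new_csr "$d/root" 'Example RootCA' &&
  new_csr "$d/intermediate" 'Example IntermediateCA' &&
  new_csr "$d/server" 'server.example' &&
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null &&
  openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -set_serial 2 -days 2 -extfile "$d/ca.ext" -out "$d/intermediate.pem" 2>/dev/null &&
  openssl x509 -req -in "$d/server.csr" -CA "$d/intermediate.pem" \
    -CAkey "$d/intermediate.key" -set_serial 3 -days 2 \
    -extfile "$d/leaf.ext" -out "$d/server.pem" 2>/dev/null
}

# Server sent only its leaf; RootCA is the sole trust anchor.
verify_leaf_only() {
  openssl verify -CAfile "$1/root.pem" "$1/server.pem" >/dev/null 2>&1
}
# Same anchor, IntermediateCA supplied as an untrusted path-building hint.
verify_with_hint() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/intermediate.pem" \
    "$1/server.pem" >/dev/null 2>&1
}
# Hint present but RootCA not configured: the hint alone confers no trust.
verify_hint_without_anchor() {
  openssl verify -untrusted "$1/intermediate.pem" "$1/server.pem" >/dev/null 2>&1
}

demo() {  # prints one "<check>=valid|invalid" word per check
  local d r='' check; d=$(mktemp -d) || return 1
  make_chain "$d" || { rm -rf "$d"; return 1; }
  for check in verify_leaf_only verify_with_hint verify_hint_without_anchor; do
    if "$check" "$d"; then r="${r:+$r }$check=valid"; else r="${r:+$r }$check=invalid"; fi
  done
  rm -rf "$d"; echo "$r"
}
demo
```
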
 
Status: Started (was: Assigned)
Status -- Preparing CL to add this:
https://chromium-review.googlesource.com/c/chromium/src/+/1336132

Will continue tomorrow.
For my reference: This is a follow-up to bug 862043.
I'm not sure if the CQ has any bot that would run with out-of-process network service -- John, would you know?
Local test with NetworkService feature enabled showed that it indeed fails for out-of-process network service, so I'll transform the CL tomorrow to actually pipe through the untrusted authorities to the network service.
Thanks for the test and fix!

We don't run chromeos network service browser tests on CQ yet by default. You can use the optional trybot: linux_mojo_chromeos. We also have an FYI bot: https://ci.chromium.org/p/chromium/builders/luci.chromium.ci/Mojo%20ChromiumOS
Project Member

Comment 5 by bugdroid1@chromium.org, Nov 19

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f38cb2183ae5708aebaa8ea1121cab016d9c857b

commit f38cb2183ae5708aebaa8ea1121cab016d9c857b
Author: Pavol Marko <pmarko@chromium.org>
Date: Mon Nov 19 20:47:10 2018

Support policy-provided untrusted authorities in OOP network service

Send policy-provided untrusted authority certificates to the network
service along with trust anchors.
Add a browsertest which checks that untrusted authority certificates
provided through user policy are respected.
Also, document certificate-related files in chromeos/test/data/network
and provide a script to generate those.

Bug: 897233
Test: browser_tests --gtest_filter=*PolicyProvided*
Change-Id: I1e66700b14e5d75805f16365e5979e84f278e8ec
Reviewed-on: https://chromium-review.googlesource.com/c/1336132
Commit-Queue: John Abd-El-Malek <jam@chromium.org>
Reviewed-by: John Abd-El-Malek <jam@chromium.org>
Reviewed-by: Nasko Oskov <nasko@chromium.org>
Cr-Commit-Position: refs/heads/master@{#609424}
[modify] https://crrev.com/f38cb2183ae5708aebaa8ea1121cab016d9c857b/chrome/browser/chromeos/BUILD.gn
[modify] https://crrev.com/f38cb2183ae5708aebaa8ea1121cab016d9c857b/chrome/browser/chromeos/DEPS
[modify] https://crrev.com/f38cb2183ae5708aebaa8ea1121cab016d9c857b/chrome/browser/chromeos/policy/policy_cert_service.cc
[modify] https://crrev.com/f38cb2183ae5708aebaa8ea1121cab016d9c857b/chrome/browser/chromeos/policy/policy_cert_service.h
[delete] https://crrev.com/292b63e61e2e9aed03ca05cad8726061e2bd346f/chrome/browser/chromeos/policy/temp_certs_cache_nss.cc
[modify] https://crrev.com/f38cb2183ae5708aebaa8ea1121cab016d9c857b/chrome/browser/chromeos/policy/user_network_configuration_updater_factory_browsertest.cc
[modify] https://crrev.com/f38cb2183ae5708aebaa8ea1121cab016d9c857b/chrome/browser/net/profile_network_context_service.cc
[modify] https://crrev.com/f38cb2183ae5708aebaa8ea1121cab016d9c857b/chrome/browser/net/profile_network_context_service.h
[modify] https://crrev.com/f38cb2183ae5708aebaa8ea1121cab016d9c857b/chrome/browser/ui/webui/chromeos/DEPS
[modify] https://crrev.com/f38cb2183ae5708aebaa8ea1121cab016d9c857b/chrome/browser/ui/webui/chromeos/login/gaia_screen_handler.cc
[modify] https://crrev.com/f38cb2183ae5708aebaa8ea1121cab016d9c857b/chrome/browser/ui/webui/chromeos/login/gaia_screen_handler.h
[add] https://crrev.com/f38cb2183ae5708aebaa8ea1121cab016d9c857b/chromeos/test/data/network/README
[add] https://crrev.com/f38cb2183ae5708aebaa8ea1121cab016d9c857b/chromeos/test/data/network/intermediate_ca_cert.pem
[modify] https://crrev.com/f38cb2183ae5708aebaa8ea1121cab016d9c857b/chromeos/test/data/network/ok_cert.pem
[add] https://crrev.com/f38cb2183ae5708aebaa8ea1121cab016d9c857b/chromeos/test/data/network/ok_cert_by_intermediate.pem
[add] https://crrev.com/f38cb2183ae5708aebaa8ea1121cab016d9c857b/chromeos/test/data/network/root-and-intermediate-ca-certs.onc
[modify] https://crrev.com/f38cb2183ae5708aebaa8ea1121cab016d9c857b/chromeos/test/data/network/root-ca-cert.onc
[modify] https://crrev.com/f38cb2183ae5708aebaa8ea1121cab016d9c857b/chromeos/test/data/network/root_ca_cert.pem
[add] https://crrev.com/f38cb2183ae5708aebaa8ea1121cab016d9c857b/chromeos/test/data/network/setup-certificates.sh
[modify] https://crrev.com/f38cb2183ae5708aebaa8ea1121cab016d9c857b/services/network/BUILD.gn
[modify] https://crrev.com/f38cb2183ae5708aebaa8ea1121cab016d9c857b/services/network/network_context.cc
[modify] https://crrev.com/f38cb2183ae5708aebaa8ea1121cab016d9c857b/services/network/network_context.h
[add] https://crrev.com/f38cb2183ae5708aebaa8ea1121cab016d9c857b/services/network/nss_temp_certs_cache_chromeos.cc
[rename] https://crrev.com/f38cb2183ae5708aebaa8ea1121cab016d9c857b/services/network/nss_temp_certs_cache_chromeos.h
[rename] https://crrev.com/f38cb2183ae5708aebaa8ea1121cab016d9c857b/services/network/nss_temp_certs_cache_chromeos_unittest.cc
[modify] https://crrev.com/f38cb2183ae5708aebaa8ea1121cab016d9c857b/services/network/public/mojom/network_context.mojom
[modify] https://crrev.com/f38cb2183ae5708aebaa8ea1121cab016d9c857b/services/network/test/test_network_context.h
