New issue
Advanced search Search tips

Issue 897233 link

Starred by 1 user
Status: Started
Owner:
pmarko@chromium.org
Cc:
jam@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 2
Type: Task



Sign in to add a comment

Add browsertest verifying that policy-provided untrusted authorities are used in path building for //net server cert verification

Project Member Reported by pmarko@chromium.org, Oct 19 
Prepare the certificates RootCA -> IntermediateCA -> Server (or take an existing chain like that).

Write a browsertest which requests a page from a server which has the Server certificate but does not send IntermediateCA.
The test should prepare ONC user policy which pushes RootCA as a trusted anchor (TrustBits: Web) and IntermediateCA as an untrusted CA (TrustBits: empty).

The expectation is that if IntermediateCA is pushed by policy, the cert verification will regard Server as valid (and if not, it will not be regarded as valid)

Comment 1 by pmarko@chromium.org, Nov 14

Status: Started (was: Assigned)
Status -- Preparing CL to add this:
https://chromium-review.googlesource.com/c/chromium/src/+/1336132

Will continue tomorrow.

Comment 2 by pmarko@chromium.org, Nov 14 

For my reference: This is a follow-up to  bug 862043 .
I'm not sure if the CQ has any bot that would run with out-of-process network service -- John, would you know?

Comment 3 by pmarko@chromium.org, Nov 14 

Local test with NetworkService feature enabled showed that it indeed fails for out-of-process network service, so I'll transform the CL tomorrow to actually pipe through the untrusted authorities to the network service.

Comment 4 by jam@chromium.org, Nov 14 

Thanks for the test and fix!

We don't run chromeos network service browser tests on CQ yet by default. You can use the optional trybot: linux_mojo_chromeos. We also have an FYI bot: https://ci.chromium.org/p/chromium/builders/luci.chromium.ci/Mojo%20ChromiumOS
Project Member

Comment 5 by bugdroid1@chromium.org, Nov 19 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f38cb2183ae5708aebaa8ea1121cab016d9c857b

commit f38cb2183ae5708aebaa8ea1121cab016d9c857b
Author: Pavol Marko <pmarko@chromium.org>
Date: Mon Nov 19 20:47:10 2018

Support policy-provided untrusted authorites in OOP network service

Send policy-provided untrusted authority certificates to the network
service along with trust anchors.
Add a browsertest which checks that untrusted authority certificates
provided through user policy are respected.
Also, document certificate-related files in chromeos/test/data/network
and provide a script to generate those.

Bug: 897233
Test: browser_tests --gtest_filter=*PolicyProvided*
Change-Id: I1e66700b14e5d75805f16365e5979e84f278e8ec
Reviewed-on: https://chromium-review.googlesource.com/c/1336132
Commit-Queue: John Abd-El-Malek <jam@chromium.org>
Reviewed-by: John Abd-El-Malek <jam@chromium.org>
Reviewed-by: Nasko Oskov <nasko@chromium.org>
Cr-Commit-Position: refs/heads/master@{#609424}
[modify] https://crrev.com/f38cb2183ae5708aebaa8ea1121cab016d9c857b/chrome/browser/chromeos/BUILD.gn
[modify] https://crrev.com/f38cb2183ae5708aebaa8ea1121cab016d9c857b/chrome/browser/chromeos/DEPS
[modify] https://crrev.com/f38cb2183ae5708aebaa8ea1121cab016d9c857b/chrome/browser/chromeos/policy/policy_cert_service.cc
[modify] https://crrev.com/f38cb2183ae5708aebaa8ea1121cab016d9c857b/chrome/browser/chromeos/policy/policy_cert_service.h
[delete] https://crrev.com/292b63e61e2e9aed03ca05cad8726061e2bd346f/chrome/browser/chromeos/policy/temp_certs_cache_nss.cc
[modify] https://crrev.com/f38cb2183ae5708aebaa8ea1121cab016d9c857b/chrome/browser/chromeos/policy/user_network_configuration_updater_factory_browsertest.cc
[modify] https://crrev.com/f38cb2183ae5708aebaa8ea1121cab016d9c857b/chrome/browser/net/profile_network_context_service.cc
[modify] https://crrev.com/f38cb2183ae5708aebaa8ea1121cab016d9c857b/chrome/browser/net/profile_network_context_service.h
[modify] https://crrev.com/f38cb2183ae5708aebaa8ea1121cab016d9c857b/chrome/browser/ui/webui/chromeos/DEPS
[modify] https://crrev.com/f38cb2183ae5708aebaa8ea1121cab016d9c857b/chrome/browser/ui/webui/chromeos/login/gaia_screen_handler.cc
[modify] https://crrev.com/f38cb2183ae5708aebaa8ea1121cab016d9c857b/chrome/browser/ui/webui/chromeos/login/gaia_screen_handler.h
[add] https://crrev.com/f38cb2183ae5708aebaa8ea1121cab016d9c857b/chromeos/test/data/network/README
[add] https://crrev.com/f38cb2183ae5708aebaa8ea1121cab016d9c857b/chromeos/test/data/network/intermediate_ca_cert.pem
[modify] https://crrev.com/f38cb2183ae5708aebaa8ea1121cab016d9c857b/chromeos/test/data/network/ok_cert.pem
[add] https://crrev.com/f38cb2183ae5708aebaa8ea1121cab016d9c857b/chromeos/test/data/network/ok_cert_by_intermediate.pem
[add] https://crrev.com/f38cb2183ae5708aebaa8ea1121cab016d9c857b/chromeos/test/data/network/root-and-intermediate-ca-certs.onc
[modify] https://crrev.com/f38cb2183ae5708aebaa8ea1121cab016d9c857b/chromeos/test/data/network/root-ca-cert.onc
[modify] https://crrev.com/f38cb2183ae5708aebaa8ea1121cab016d9c857b/chromeos/test/data/network/root_ca_cert.pem
[add] https://crrev.com/f38cb2183ae5708aebaa8ea1121cab016d9c857b/chromeos/test/data/network/setup-certificates.sh
[modify] https://crrev.com/f38cb2183ae5708aebaa8ea1121cab016d9c857b/services/network/BUILD.gn
[modify] https://crrev.com/f38cb2183ae5708aebaa8ea1121cab016d9c857b/services/network/network_context.cc
[modify] https://crrev.com/f38cb2183ae5708aebaa8ea1121cab016d9c857b/services/network/network_context.h
[add] https://crrev.com/f38cb2183ae5708aebaa8ea1121cab016d9c857b/services/network/nss_temp_certs_cache_chromeos.cc
[rename] https://crrev.com/f38cb2183ae5708aebaa8ea1121cab016d9c857b/services/network/nss_temp_certs_cache_chromeos.h
[rename] https://crrev.com/f38cb2183ae5708aebaa8ea1121cab016d9c857b/services/network/nss_temp_certs_cache_chromeos_unittest.cc
[modify] https://crrev.com/f38cb2183ae5708aebaa8ea1121cab016d9c857b/services/network/public/mojom/network_context.mojom
[modify] https://crrev.com/f38cb2183ae5708aebaa8ea1121cab016d9c857b/services/network/test/test_network_context.h

Sign in to add a comment