
Unified Diff: net/cert/cert_verify_proc_unittest.cc

Issue 14492003: Work around GTE CyberTrust/Baltimore CyberTrust cross-signing issues (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Review feedback Created 7 years, 6 months ago
Index: net/cert/cert_verify_proc_unittest.cc
diff --git a/net/cert/cert_verify_proc_unittest.cc b/net/cert/cert_verify_proc_unittest.cc
index 0645d741878d473d4ff58f5e7a97dcc9d5c4b475..eb9399fa69cbb606b62d509cbc60311b2c1d7c87 100644
--- a/net/cert/cert_verify_proc_unittest.cc
+++ b/net/cert/cert_verify_proc_unittest.cc
@@ -859,6 +859,111 @@ TEST_F(CertVerifyProcTest, AdditionalTrustAnchors) {
EXPECT_FALSE(verify_result.is_issued_by_additional_trust_anchor);
}
+#if defined(OS_MACOSX) && !defined(OS_IOS)
+// Tests that, on OS X, issues with a cross-certified Baltimore CyberTrust
+// Root can be successfully worked around once Apple completes removing the
+// older GTE CyberTrust Root from its trusted root store.
+//
+// The issue is caused by servers supplying the cross-certified intermediate
+// (necessary for certain mobile platforms), which OS X does not recognize
+// as already existing within its trust store.
+TEST_F(CertVerifyProcTest, CybertrustGTERoot) {
+ CertificateList certs = CreateCertificateListFromFile(
+ GetTestCertsDirectory(),
+ "cybertrust_omniroot_chain.pem",
+ X509Certificate::FORMAT_PEM_CERT_SEQUENCE);
+ ASSERT_EQ(2U, certs.size());
+
+ X509Certificate::OSCertHandles intermediates;
+ intermediates.push_back(certs[1]->os_cert_handle());
+
+ scoped_refptr<X509Certificate> cybertrust_basic =
+ X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
+ intermediates);
+ ASSERT_TRUE(cybertrust_basic.get());
+
+ scoped_refptr<X509Certificate> baltimore_root =
+ ImportCertFromFile(GetTestCertsDirectory(),
+ "cybertrust_baltimore_root.pem");
+ ASSERT_TRUE(baltimore_root.get());
+
+ ScopedTestRoot scoped_root(baltimore_root);
+
+ // Ensure that ONLY the Baltimore CyberTrust Root is trusted. This
+ // simulates Keychain removing support for the GTE CyberTrust Root.
+ TestRootCerts::GetInstance()->SetAllowSystemTrust(false);
+ base::ScopedClosureRunner reset_system_trust(
+ base::Bind(&TestRootCerts::SetAllowSystemTrust,
+ base::Unretained(TestRootCerts::GetInstance()),
+ true));
+
+ // First, make sure a simple certificate chain from
+ // EE -> Public SureServer SV -> Baltimore CyberTrust
+ // works. Only the first two certificates are included in the chain.
+ int flags = 0;
+ CertVerifyResult verify_result;
+ int error = Verify(cybertrust_basic, "cacert.omniroot.com", flags, NULL,
+ empty_cert_list_, &verify_result);
+ EXPECT_EQ(OK, error);
+ EXPECT_EQ(0U, verify_result.cert_status);
+
+ // Attempt to verify with the first known cross-certified intermediate
+ // provided.
+ scoped_refptr<X509Certificate> baltimore_intermediate_1 =
+ ImportCertFromFile(GetTestCertsDirectory(),
+ "cybertrust_baltimore_cross_certified_1.pem");
+ ASSERT_TRUE(baltimore_intermediate_1.get());
+
+ X509Certificate::OSCertHandles intermediate_chain_1 =
+ cybertrust_basic->GetIntermediateCertificates();
+ intermediate_chain_1.push_back(baltimore_intermediate_1->os_cert_handle());
+
+ scoped_refptr<X509Certificate> baltimore_chain_1 =
+ X509Certificate::CreateFromHandle(cybertrust_basic->os_cert_handle(),
+ intermediate_chain_1);
+ error = Verify(baltimore_chain_1, "cacert.omniroot.com", flags, NULL,
+ empty_cert_list_, &verify_result);
+ EXPECT_EQ(OK, error);
+ EXPECT_EQ(0U, verify_result.cert_status);
+
+ // Attempt to verify with the second known cross-certified intermediate
+ // provided.
+ scoped_refptr<X509Certificate> baltimore_intermediate_2 =
+ ImportCertFromFile(GetTestCertsDirectory(),
+ "cybertrust_baltimore_cross_certified_2.pem");
+ ASSERT_TRUE(baltimore_intermediate_2.get());
+
+ X509Certificate::OSCertHandles intermediate_chain_2 =
+ cybertrust_basic->GetIntermediateCertificates();
+ intermediate_chain_2.push_back(baltimore_intermediate_2->os_cert_handle());
+
+ scoped_refptr<X509Certificate> baltimore_chain_2 =
+ X509Certificate::CreateFromHandle(cybertrust_basic->os_cert_handle(),
+ intermediate_chain_2);
+ error = Verify(baltimore_chain_2, "cacert.omniroot.com", flags, NULL,
+ empty_cert_list_, &verify_result);
+ EXPECT_EQ(OK, error);
+ EXPECT_EQ(0U, verify_result.cert_status);
+
+ // Attempt to verify when both a cross-certified intermediate AND
+ // the legacy GTE root are provided.
+ scoped_refptr<X509Certificate> cybertrust_root =
+ ImportCertFromFile(GetTestCertsDirectory(),
+ "cybertrust_gte_root.pem");
+ ASSERT_TRUE(cybertrust_root.get());
+
+ intermediate_chain_2.push_back(cybertrust_root->os_cert_handle());
+ scoped_refptr<X509Certificate> baltimore_chain_with_root =
+ X509Certificate::CreateFromHandle(cybertrust_basic->os_cert_handle(),
+ intermediate_chain_2);
+ error = Verify(baltimore_chain_with_root, "cacert.omniroot.com", flags,
+ NULL, empty_cert_list_, &verify_result);
+ EXPECT_EQ(OK, error);
+ EXPECT_EQ(0U, verify_result.cert_status);
+
+}
+#endif
+
#if defined(USE_NSS) || defined(OS_IOS) || defined(OS_WIN) || defined(OS_MACOSX)
static const uint8 kCRLSetThawteSPKIBlocked[] = {
0x8e, 0x00, 0x7b, 0x22, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0x3a,
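Review bot: `verify_result` is declared once near the top of CybertrustGTERoot and reused across all four Verify() calls without being reset, so each later `EXPECT_EQ(0U, verify_result.cert_status)` also relies on Verify() overwriting every field from the previous call rather than only the ones it touches; declaring a fresh `CertVerifyResult verify_result;` immediately before each Verify() call makes the four cases independent. The test also asserts only `OK` and `cert_status == 0`, while the point of the workaround is that the chain is built to the Baltimore root now that the GTE root is no longer trusted; an assertion on the returned chain (e.g. that the last entry of `verify_result.verified_cert->GetIntermediateCertificates()` matches `baltimore_root`) would pin that, and matters most for the final case where the GTE root itself is supplied as an intermediate and could otherwise be what the chain ends at. The stray blank line before the closing `}` of the test body can be dropped.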