Enable Cast Fallback CRL Revocation
Enable Cast Fallback CRL Revocation
according to the design doc: go/cast-crl-fallback
Bug: 313509587
Change-Id: Iecf61798a43a67dbf849c1fe8dd45b1246eb9609
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5252407
Auto-Submit: Wei-Sheng Su <weishengsu@google.com>
Commit-Queue: Wei-Sheng Su <weishengsu@google.com>
Reviewed-by: Mark Foltz <mfoltz@chromium.org>
Reviewed-by: Ryan Chung <ryanchung@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1257119}
diff --git a/components/media_router/common/providers/cast/channel/cast_auth_util.cc b/components/media_router/common/providers/cast/channel/cast_auth_util.cc
index 1e46b3db..aa60c7d 100644
--- a/components/media_router/common/providers/cast/channel/cast_auth_util.cc
+++ b/components/media_router/common/providers/cast/channel/cast_auth_util.cc
@@ -46,7 +46,7 @@
// overrides kEnforceRevocationChecking.
BASE_FEATURE(kEnforceFallbackCRLRevocationChecking,
"CastFallbackCRLRevocation",
- base::FEATURE_DISABLED_BY_DEFAULT);
+ base::FEATURE_ENABLED_BY_DEFAULT);
// Enforce certificate revocation when enabled.
// If disabled, any revocation failures are ignored.
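Review bot: The context comment `// If disabled, any revocation failures are ignored.` on the next feature may no longer describe a default build, because the comment above the flipped feature says kEnforceFallbackCRLRevocationChecking overrides kEnforceRevocationChecking and that feature is now enabled by default. I would extend the comment on the fallback feature to state the new default and the precedence, e.g. `// Enabled by default; while enabled, kEnforceRevocationChecking has no effect.`, with the wording confirmed against the implementation. It would also help to say what happens when the fallback CRL itself cannot be loaded or parsed, since that now decides whether authentication fails open or closed. Both comments begin or continue outside the hunk, so their full text is not visible here.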
diff --git a/components/media_router/common/providers/cast/channel/cast_auth_util_unittest.cc b/components/media_router/common/providers/cast/channel/cast_auth_util_unittest.cc
index eeaaf38b..2d1d16cb 100644
--- a/components/media_router/common/providers/cast/channel/cast_auth_util_unittest.cc
+++ b/components/media_router/common/providers/cast/channel/cast_auth_util_unittest.cc
@@ -128,6 +128,9 @@
}
TEST_F(CastAuthUtilTest, VerifyBadSignature) {
+ base::test::ScopedFeatureList scoped_feature_list;
+ scoped_feature_list.InitAndDisableFeature(
+ kEnforceFallbackCRLRevocationChecking);
std::string signed_data;
AuthResponse auth_response = CreateAuthResponse(&signed_data, SHA256);
MangleString(auth_response.mutable_signature());
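Review bot: VerifyBadSignature now runs only with kEnforceFallbackCRLRevocationChecking disabled, which is no longer the shipped configuration, and nothing in the test says why the feature has to be off. The same three lines are added to VerifyEmptySignature and VerifyBadPeerCert. If these cases fail with a different error once the fallback CRL is enforced, that is worth recording, e.g. `// Fallback CRL enforcement is disabled so the failure under test is the signature error, not a revocation error.`, adjusted to the real reason. A sibling case that leaves the feature at its default and asserts the resulting error would keep the default path covered, unless tests outside these hunks already do so. The test bodies continue past the hunk.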
@@ -138,6 +141,9 @@
}
TEST_F(CastAuthUtilTest, VerifyEmptySignature) {
+ base::test::ScopedFeatureList scoped_feature_list;
+ scoped_feature_list.InitAndDisableFeature(
+ kEnforceFallbackCRLRevocationChecking);
std::string signed_data;
AuthResponse auth_response = CreateAuthResponse(&signed_data, SHA256);
auth_response.mutable_signature()->clear();
@@ -256,7 +262,8 @@
TEST_F(CastAuthUtilTest,
VerifyInvalidCRLWithFeatureFlagEnforceRevocationChecking) {
base::test::ScopedFeatureList scoped_feature_list;
- scoped_feature_list.InitAndEnableFeature(kEnforceRevocationChecking);
+ scoped_feature_list.InitWithFeatures({kEnforceRevocationChecking},
+ {kEnforceFallbackCRLRevocationChecking});
std::string signed_data;
AuthResponse auth_response = CreateAuthResponse(&signed_data, SHA256);
AuthResult result = VerifyCredentials(auth_response, signed_data);
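Review bot: This test enables kEnforceRevocationChecking only with the fallback feature disabled, so no visible hunk exercises both features enabled, which is what a default build uses when enforcement is on. The same applies to VerifyMissingCRLWithoutFeatureFlagEnforceRevocationChecking and VerifyParsingErrorWithFeatureFlagEnforceRevocationChecking. Since the comment in cast_auth_util.cc says the fallback feature overrides kEnforceRevocationChecking, a case using `scoped_feature_list.InitWithFeatures({kEnforceRevocationChecking, kEnforceFallbackCRLRevocationChecking}, {});` with an invalid or missing CRL would pin which behaviour wins. The test names still mention only EnforceRevocationChecking although the outcome now also depends on the fallback feature.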
@@ -269,7 +276,8 @@
VerifyMissingCRLWithoutFeatureFlagEnforceRevocationChecking) {
base::test::ScopedFeatureList scoped_feature_list;
std::string signed_data;
- scoped_feature_list.InitAndDisableFeature(kEnforceRevocationChecking);
+ scoped_feature_list.InitWithFeatures(
+ {}, {kEnforceRevocationChecking, kEnforceFallbackCRLRevocationChecking});
AuthResponse auth_response = CreateAuthResponse(&signed_data, SHA256);
AuthResult result = VerifyCredentials(auth_response, signed_data);
EXPECT_TRUE(result.success());
@@ -280,7 +288,8 @@
TEST_F(CastAuthUtilTest,
VerifyParsingErrorWithFeatureFlagEnforceRevocationChecking) {
base::test::ScopedFeatureList scoped_feature_list;
- scoped_feature_list.InitAndEnableFeature(kEnforceRevocationChecking);
+ scoped_feature_list.InitWithFeatures({kEnforceRevocationChecking},
+ {kEnforceFallbackCRLRevocationChecking});
std::string signed_data;
AuthResponse auth_response = CreateAuthResponse(&signed_data, SHA256);
@@ -320,6 +329,9 @@
}
TEST_F(CastAuthUtilTest, VerifyBadPeerCert) {
+ base::test::ScopedFeatureList scoped_feature_list;
+ scoped_feature_list.InitAndDisableFeature(
+ kEnforceFallbackCRLRevocationChecking);
std::string signed_data;
AuthResponse auth_response = CreateAuthResponse(&signed_data, SHA256);
MangleString(&signed_data);