Move error classification into the ssl_errors component

components/ssl_errors/error_classification.h

Index: components/ssl_errors/error_classification.h
diff --git a/components/ssl_errors/error_classification.h b/components/ssl_errors/error_classification.h
new file mode 100644
index 0000000000000000000000000000000000000000..04fee8ecb50067a240af6b86eb403606c7d62b2e
--- /dev/null
+++ b/components/ssl_errors/error_classification.h
@@ -0,0 +1,104 @@
+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef COMPONENTS_SSL_ERRORS_ERROR_CLASSIFICATION_H_
+#define COMPONENTS_SSL_ERRORS_ERROR_CLASSIFICATION_H_
+
+#include <string>
+#include <vector>
+
+#include "base/gtest_prod_util.h"

[estark, 2015/10/06 02:35:41]

not needed?

[felt, 2015/10/06 03:15:10]

Done.

+#include "base/time/time.h"

[estark, 2015/10/06 02:35:41]

nit: I think you could forward declare base::Time and move this to the .cc. Same
for the following two #includes.

[felt, 2015/10/06 03:15:10]

Done.

+#include "net/cert/x509_certificate.h"
+#include "url/gurl.h"
+
+namespace ssl_errors {
+
+typedef std::vector<std::string> HostnameTokens;
+
+// Methods for identifying specific error causes. ------------------------------

[estark, 2015/10/06 02:35:41]

whoa what are these mysterious dashes

[felt, 2015/10/06 03:15:10]

     o   o
      )-(
     (O O)
      \=/
     .-"-.
    //\ /\\
  _// / \ \\_
 =./ {,-.} \.=
     || ||
     || ||    
   __|| ||__  
  `---" "---'

Actually they are pretty common in chromium for splitting up header files; but
I'm hoping we won't need them once the helper methods for testing have been
safely tucked away.

+
+// Returns true if the system time is in the past.
+bool IsUserClockInThePast(const base::Time& time_now);
+
+// Returns true if the system time is too far in the future or the user is
+// using a version of Chrome which is more than 1 year old.
+bool IsUserClockInTheFuture(const base::Time& time_now);
+
+// Returns true if |hostname| is too broad for the scope of a wildcard
+// certificate. E.g.:
+//     a.b.example.com ~ *.example.com --> true
+//     b.example.com ~ *.example.com --> false
+bool IsSubDomainOutsideWildcard(const GURL& request_url,
+                                const net::X509Certificate& cert);
+
+// Returns true if the certificate is a shared certificate. Note - This
+// function should be used with caution (only for UMA histogram) as an
+// attacker could easily get a certificate with more than 5 names in the SAN
+// fields.
+bool IsCertLikelyFromMultiTenantHosting(const GURL& request_url,
+                                        const net::X509Certificate& cert);
+
+// Returns true if the hostname in |request_url_| has the same domain
+// (effective TLD + 1 label) as at least one of the subject
+// alternative names in |cert_|.
+bool IsCertLikelyFromSameDomain(const GURL& request_url,
+                                const net::X509Certificate& cert);
+
+// Returns true if the site's hostname differs from one of the DNS
+// names in the certificate (CN or SANs) only by the presence or
+// absence of the single-label prefix "www". E.g.: (The first domain
+// is hostname and the second domain is a DNS name in the certificate)
+//     www.example.com ~ example.com -> true
+//     example.com ~ www.example.com -> true
+//     www.food.example.com ~ example.com -> false
+//     mail.example.com ~ example.com -> false
+bool IsWWWSubDomainMatch(const GURL& request_url,
+                         const net::X509Certificate& cert);
+
+// Provides the output of IsWWWSubDomainMatch() as well as the matching name.
+bool GetWWWSubDomainMatch(const GURL& request_url,
+                          const std::vector<std::string>& dns_names,
+                          std::string* www_match_host_name);
+
+// Method for recording results. -----------------------------------------------
+
+void RecordUMAStatistics(bool overridable,
+                         const base::Time& current_time,
+                         const GURL& request_url,
+                         int cert_error,
+                         const net::X509Certificate& cert);
+
+// Helper methods for classification. ------------------------------------------
+
+// Tokenize DNS names and hostnames.
+HostnameTokens Tokenize(const std::string& name);
+
+// Sets a clock for browser tests that check the build time. Used by
+// IsUserClockInThePast and IsUserClockInTheFuture.
+void SetBuildTimeForTesting(const base::Time& testing_time);
+
+// Returns true if the hostname has a known Top Level Domain.
+bool IsHostNameKnownTLD(const std::string& host_name);
+
+// Returns true if any one of the following conditions hold:
+// 1.|hostname| is an IP Address in an IANA-reserved range.
+// 2.|hostname| is a not-yet-assigned by ICANN gTLD.
+// 3.|hostname| is a dotless domain.
+bool IsHostnameNonUniqueOrDotless(const std::string& hostname);
+
+// Returns true if |child| is a subdomain of any of the |potential_parents|.
+bool NameUnderAnyNames(const HostnameTokens& child,
+                       const std::vector<HostnameTokens>& potential_parents);
+
+// Returns true if any of the |potential_children| is a subdomain of the
+// |parent|. The inverse case should be treated carefully as this is most
+// likely a MITM attack. We don't want foo.appspot.com to be able to MITM for
+// appspot.com.
+bool AnyNamesUnderName(const std::vector<HostnameTokens>& potential_children,
+                       const HostnameTokens& parent);
+
+}  // namespace ssl_errors
+
+#endif  // COMPONENTS_SSL_ERRORS_ERROR_CLASSIFICATION_H_