| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include <utility> | 5 #include <utility> |
| 6 | 6 |
| 7 #include "base/base_switches.h" | 7 #include "base/base_switches.h" |
| 8 #include "base/bind.h" | 8 #include "base/bind.h" |
| 9 #include "base/bind_helpers.h" | 9 #include "base/bind_helpers.h" |
| 10 #include "base/callback.h" | 10 #include "base/callback.h" |
| (...skipping 4086 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 4097 // Test class that mimics a URL request with a certificate whose SPKI hash is in | 4097 // Test class that mimics a URL request with a certificate whose SPKI hash is in |
| 4098 // ssl_error_assistant.asciipb resource. A better way of testing the SPKI hashes | 4098 // ssl_error_assistant.asciipb resource. A better way of testing the SPKI hashes |
| 4099 // inside the resource bundle would be to serve the actual certificate from the | 4099 // inside the resource bundle would be to serve the actual certificate from the |
| 4100 // embedded test server, but the test server can only serve a limited number of | 4100 // embedded test server, but the test server can only serve a limited number of |
| 4101 // predefined certificates. | 4101 // predefined certificates. |
| 4102 class SSLUICaptivePortalListResourceBundleTest | 4102 class SSLUICaptivePortalListResourceBundleTest |
| 4103 : public CertVerifierBrowserTest { | 4103 : public CertVerifierBrowserTest { |
| 4104 public: | 4104 public: |
| 4105 SSLUICaptivePortalListResourceBundleTest() | 4105 SSLUICaptivePortalListResourceBundleTest() |
| 4106 : CertVerifierBrowserTest(), | 4106 : CertVerifierBrowserTest(), |
| 4107 https_server_(net::EmbeddedTestServer::TYPE_HTTPS), | 4107 https_server_(net::EmbeddedTestServer::TYPE_HTTPS) { |
| 4108 https_server_mismatched_(net::EmbeddedTestServer::TYPE_HTTPS) { | |
| 4109 https_server_.ServeFilesFromSourceDirectory(base::FilePath(kDocRoot)); | 4108 https_server_.ServeFilesFromSourceDirectory(base::FilePath(kDocRoot)); |
| 4110 | |
| 4111 https_server_mismatched_.SetSSLConfig( | |
| 4112 net::EmbeddedTestServer::CERT_MISMATCHED_NAME); | |
| 4113 https_server_mismatched_.AddDefaultHandlers(base::FilePath(kDocRoot)); | |
| 4114 } | 4109 } |
| 4115 | 4110 |
| 4116 void SetUp() override { | 4111 void SetUp() override { |
| 4117 CertVerifierBrowserTest::SetUp(); | 4112 CertVerifierBrowserTest::SetUp(); |
| 4118 SSLErrorHandler::ResetConfigForTesting(); | 4113 SSLErrorHandler::ResetConfigForTesting(); |
| 4119 SetUpCertVerifier(0, net::OK, std::string()); | 4114 SetUpCertVerifier(0, net::OK, std::string()); |
| 4120 } | 4115 } |
| 4121 | 4116 |
| 4122 void TearDown() override { | 4117 void TearDown() override { |
| 4123 SSLErrorHandler::ResetConfigForTesting(); | 4118 SSLErrorHandler::ResetConfigForTesting(); |
| 4124 CertVerifierBrowserTest::TearDown(); | 4119 CertVerifierBrowserTest::TearDown(); |
| 4125 } | 4120 } |
| 4126 | 4121 |
| 4127 protected: | 4122 protected: |
| 4123 // Checks that a captive portal interstitial isn't displayed, even though the |
| 4124 // server's certificate is marked as a captive portal certificate. |
| 4125 void TestNoCaptivePortalInterstitial(net::CertStatus cert_status, |
| 4126 int net_error) { |
| 4127 ASSERT_TRUE(https_server()->Start()); |
| 4128 base::HistogramTester histograms; |
| 4129 |
| 4130 // Mark the server's cert as a captive portal cert. |
| 4131 SetUpCertVerifier(cert_status, net_error, kCaptivePortalSPKI); |
| 4132 |
| 4133 // Navigate to an unsafe page on the server. CaptivePortalCertificateList |
| 4134 // feature is enabled but either the error is not name-mismatch, or it's not |
| 4135 // the only error, so a generic SSL interstitial should be displayed. |
| 4136 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents(); |
| 4137 SSLInterstitialTimerObserver interstitial_timer_observer(tab); |
| 4138 ui_test_utils::NavigateToURL(browser(), https_server()->GetURL("/")); |
| 4139 content::WaitForInterstitialAttach(tab); |
| 4140 |
| 4141 InterstitialPage* interstitial_page = tab->GetInterstitialPage(); |
| 4142 ASSERT_EQ(SSLBlockingPage::kTypeForTesting, |
| 4143 interstitial_page->GetDelegateForTesting()->GetTypeForTesting()); |
| 4144 EXPECT_TRUE(interstitial_timer_observer.timer_started()); |
| 4145 |
| 4146 // Check that the histogram for the captive portal cert was recorded. |
| 4147 histograms.ExpectTotalCount(SSLErrorHandler::GetHistogramNameForTesting(), |
| 4148 2); |
| 4149 histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(), |
| 4150 SSLErrorHandler::HANDLE_ALL, 1); |
| 4151 histograms.ExpectBucketCount( |
| 4152 SSLErrorHandler::GetHistogramNameForTesting(), |
| 4153 SSLErrorHandler::SHOW_SSL_INTERSTITIAL_OVERRIDABLE, 1); |
| 4154 } |
| 4155 |
| 4128 void SetUpCertVerifier(net::CertStatus cert_status, | 4156 void SetUpCertVerifier(net::CertStatus cert_status, |
| 4129 int net_result, | 4157 int net_result, |
| 4130 const std::string& spki_hash) { | 4158 const std::string& spki_hash) { |
| 4131 scoped_refptr<net::X509Certificate> cert(https_server_.GetCertificate()); | 4159 scoped_refptr<net::X509Certificate> cert(https_server_.GetCertificate()); |
| 4132 net::CertVerifyResult verify_result; | 4160 net::CertVerifyResult verify_result; |
| 4133 verify_result.is_issued_by_known_root = | 4161 verify_result.is_issued_by_known_root = |
| 4134 (net_result != net::ERR_CERT_AUTHORITY_INVALID); | 4162 (net_result != net::ERR_CERT_AUTHORITY_INVALID); |
| 4135 verify_result.verified_cert = cert; | 4163 verify_result.verified_cert = cert; |
| 4136 verify_result.cert_status = cert_status; | 4164 verify_result.cert_status = cert_status; |
| 4137 | 4165 |
| 4138 // Set the SPKI hash to captive-portal.badssl.com leaf certificate. | 4166 // Set the SPKI hash to captive-portal.badssl.com leaf certificate. |
| 4139 if (!spki_hash.empty()) { | 4167 if (!spki_hash.empty()) { |
| 4140 net::HashValue hash; | 4168 net::HashValue hash; |
| 4141 ASSERT_TRUE(hash.FromString(spki_hash)); | 4169 ASSERT_TRUE(hash.FromString(spki_hash)); |
| 4142 verify_result.public_key_hashes.push_back(hash); | 4170 verify_result.public_key_hashes.push_back(hash); |
| 4143 } | 4171 } |
| 4144 mock_cert_verifier()->AddResultForCert(cert, verify_result, net_result); | 4172 mock_cert_verifier()->AddResultForCert(cert, verify_result, net_result); |
| 4145 } | 4173 } |
| 4146 | 4174 |
| 4147 net::EmbeddedTestServer* https_server() { return &https_server_; } | 4175 net::EmbeddedTestServer* https_server() { return &https_server_; } |
| 4148 net::EmbeddedTestServer* https_server_mismatched() { | |
| 4149 return &https_server_mismatched_; | |
| 4150 } | |
| 4151 | 4176 |
| 4152 private: | 4177 private: |
| 4153 net::EmbeddedTestServer https_server_; | 4178 net::EmbeddedTestServer https_server_; |
| 4154 net::EmbeddedTestServer https_server_mismatched_; | |
| 4155 }; | 4179 }; |
| 4156 | 4180 |
| 4157 } // namespace | 4181 } // namespace |
| 4158 | 4182 |
| 4159 // Same as CaptivePortalCertificateList_Enabled_FromProto, but this time the | 4183 // Same as CaptivePortalCertificateList_Enabled_FromProto, but this time the |
| 4160 // cert's SPKI hash is listed in ssl_error_assistant.asciipb. | 4184 // cert's SPKI hash is listed in ssl_error_assistant.asciipb. |
| 4161 IN_PROC_BROWSER_TEST_F(SSLUICaptivePortalListResourceBundleTest, Enabled) { | 4185 IN_PROC_BROWSER_TEST_F(SSLUICaptivePortalListResourceBundleTest, Enabled) { |
| 4162 base::test::ScopedFeatureList scoped_feature_list; | 4186 base::test::ScopedFeatureList scoped_feature_list; |
| 4163 scoped_feature_list.InitFromCommandLine( | 4187 scoped_feature_list.InitFromCommandLine( |
| 4164 "CaptivePortalCertificateList" /* enabled */, | 4188 "CaptivePortalCertificateList" /* enabled */, |
| (...skipping 150 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 4315 } | 4339 } |
| 4316 | 4340 |
| 4317 // Same as SSLUICaptivePortalNameMismatchTest, but this time the error is | 4341 // Same as SSLUICaptivePortalNameMismatchTest, but this time the error is |
| 4318 // authority-invalid. Captive portal interstitial should not be shown. | 4342 // authority-invalid. Captive portal interstitial should not be shown. |
| 4319 IN_PROC_BROWSER_TEST_F(SSLUICaptivePortalListResourceBundleTest, | 4343 IN_PROC_BROWSER_TEST_F(SSLUICaptivePortalListResourceBundleTest, |
| 4320 Enabled_AuthorityInvalid) { | 4344 Enabled_AuthorityInvalid) { |
| 4321 base::test::ScopedFeatureList scoped_feature_list; | 4345 base::test::ScopedFeatureList scoped_feature_list; |
| 4322 scoped_feature_list.InitFromCommandLine( | 4346 scoped_feature_list.InitFromCommandLine( |
| 4323 "CaptivePortalCertificateList" /* enabled */, | 4347 "CaptivePortalCertificateList" /* enabled */, |
| 4324 std::string() /* disabled */); | 4348 std::string() /* disabled */); |
| 4325 ASSERT_TRUE(https_server()->Start()); | |
| 4326 base::HistogramTester histograms; | |
| 4327 | 4349 |
| 4328 // Mark the server's cert as a captive portal cert, but with an | 4350 TestNoCaptivePortalInterstitial(net::CERT_STATUS_AUTHORITY_INVALID, |
| 4329 // authority-invalid error. | 4351 net::ERR_CERT_AUTHORITY_INVALID); |
| 4330 SetUpCertVerifier(net::CERT_STATUS_AUTHORITY_INVALID, | 4352 } |
| 4331 net::ERR_CERT_AUTHORITY_INVALID, kCaptivePortalSPKI); | |
| 4332 | 4353 |
| 4333 // Navigate to an unsafe page on the server. CaptivePortalCertificateList | 4354 // Same as SSLUICaptivePortalListResourceBundleTest.Enabled_AuthorityInvalid, |
| 4334 // feature is enabled but the error is not a name mismatch, so a generic SSL | 4355 // but this time there are two errors (name mismatch + weak key). Captive portal |
| 4335 // interstitial should be displayed. | 4356 // interstitial should not be shown when name mismatch isn't the only error. |
| 4336 WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents(); | 4357 IN_PROC_BROWSER_TEST_F(SSLUICaptivePortalListResourceBundleTest, |
| 4337 SSLInterstitialTimerObserver interstitial_timer_observer(tab); | 4358 Enabled_NameMismatchAndWeakKey) { |
| 4338 ui_test_utils::NavigateToURL(browser(), https_server()->GetURL("/")); | 4359 base::test::ScopedFeatureList scoped_feature_list; |
| 4339 content::WaitForInterstitialAttach(tab); | 4360 scoped_feature_list.InitFromCommandLine( |
| 4361 "CaptivePortalCertificateList" /* enabled */, |
| 4362 std::string() /* disabled */); |
| 4340 | 4363 |
| 4341 InterstitialPage* interstitial_page = tab->GetInterstitialPage(); | 4364 const net::CertStatus cert_status = |
| 4342 ASSERT_EQ(SSLBlockingPage::kTypeForTesting, | 4365 net::CERT_STATUS_COMMON_NAME_INVALID | net::CERT_STATUS_WEAK_KEY; |
| 4343 interstitial_page->GetDelegateForTesting()->GetTypeForTesting()); | 4366 // Sanity check that COMMON_NAME_INVALID is seen as the net error, since the |
| 4344 EXPECT_TRUE(interstitial_timer_observer.timer_started()); | 4367 // test is designed to verify that SSLErrorHandler notices other errors in the |
| 4345 | 4368 // CertStatus even when COMMON_NAME_INVALID is the net error. |
| 4346 // Check that the histogram for the captive portal cert was recorded. | 4369 ASSERT_EQ(net::ERR_CERT_COMMON_NAME_INVALID, |
| 4347 histograms.ExpectTotalCount(SSLErrorHandler::GetHistogramNameForTesting(), 2); | 4370 net::MapCertStatusToNetError(cert_status)); |
| 4348 histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(), | 4371 TestNoCaptivePortalInterstitial(cert_status, |
| 4349 SSLErrorHandler::HANDLE_ALL, 1); | 4372 net::ERR_CERT_COMMON_NAME_INVALID); |
| 4350 histograms.ExpectBucketCount( | |
| 4351 SSLErrorHandler::GetHistogramNameForTesting(), | |
| 4352 SSLErrorHandler::SHOW_SSL_INTERSTITIAL_OVERRIDABLE, 1); | |
| 4353 } | 4373 } |
| 4354 | 4374 |
| 4355 #else | 4375 #else |
| 4356 | 4376 |
| 4357 // Tests that the captive portal certificate list is not used when captive | 4377 // Tests that the captive portal certificate list is not used when captive |
| 4358 // portal checks are disabled by build, even if the captive portal certificate | 4378 // portal checks are disabled by build, even if the captive portal certificate |
| 4359 // list feature is enabled via Finch. The list is passed to SSLErrorHandler via | 4379 // list feature is enabled via Finch. The list is passed to SSLErrorHandler via |
| 4360 // a proto. | 4380 // a proto. |
| 4361 IN_PROC_BROWSER_TEST_F(SSLUICaptivePortalListTest, PortalChecksDisabled) { | 4381 IN_PROC_BROWSER_TEST_F(SSLUICaptivePortalListTest, PortalChecksDisabled) { |
| 4362 base::test::ScopedFeatureList scoped_feature_list; | 4382 base::test::ScopedFeatureList scoped_feature_list; |
| (...skipping 41 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 4404 | 4424 |
| 4405 // Visit a page over https that contains a frame with a redirect. | 4425 // Visit a page over https that contains a frame with a redirect. |
| 4406 | 4426 |
| 4407 // XMLHttpRequest insecure content in synchronous mode. | 4427 // XMLHttpRequest insecure content in synchronous mode. |
| 4408 | 4428 |
| 4409 // XMLHttpRequest insecure content in asynchronous mode. | 4429 // XMLHttpRequest insecure content in asynchronous mode. |
| 4410 | 4430 |
| 4411 // XMLHttpRequest over bad ssl in synchronous mode. | 4431 // XMLHttpRequest over bad ssl in synchronous mode. |
| 4412 | 4432 |
| 4413 // XMLHttpRequest over OK ssl in synchronous mode. | 4433 // XMLHttpRequest over OK ssl in synchronous mode. |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2690333006:
Captive portal certificate list should be checked when name mismatch is the only error (Closed)
