Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(6373)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: chrome/browser/ssl/ssl_browser_tests.cc

Issue 2690333006: Captive portal certificate list should be checked when name mismatch is the only error (Closed)
Patch Set: estark comments and rebase Created 3 years, 10 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « no previous file | chrome/browser/ssl/ssl_error_handler.cc » ('j') | chrome/browser/ssl/ssl_error_handler_unittest.cc » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: chrome/browser/ssl/ssl_browser_tests.cc
diff --git a/chrome/browser/ssl/ssl_browser_tests.cc b/chrome/browser/ssl/ssl_browser_tests.cc
index 67ff7174b028b2a00628697adbfbb36cd4f2cd19..5804fa7abec4c32e54ce87db5b272e4a627f570f 100644
--- a/chrome/browser/ssl/ssl_browser_tests.cc
+++ b/chrome/browser/ssl/ssl_browser_tests.cc
@@ -4104,13 +4104,8 @@ class SSLUICaptivePortalListResourceBundleTest
public:
SSLUICaptivePortalListResourceBundleTest()
: CertVerifierBrowserTest(),
- https_server_(net::EmbeddedTestServer::TYPE_HTTPS),
- https_server_mismatched_(net::EmbeddedTestServer::TYPE_HTTPS) {
+ https_server_(net::EmbeddedTestServer::TYPE_HTTPS) {
https_server_.ServeFilesFromSourceDirectory(base::FilePath(kDocRoot));
-
- https_server_mismatched_.SetSSLConfig(
- net::EmbeddedTestServer::CERT_MISMATCHED_NAME);
- https_server_mismatched_.AddDefaultHandlers(base::FilePath(kDocRoot));
}
void SetUp() override {
@@ -4125,6 +4120,39 @@ class SSLUICaptivePortalListResourceBundleTest
}
protected:
+ // Checks that a captive portal interstitial isn't displayed, even though the
+ // server's certificate is marked as a captive portal certificate.
+ void TestNoCaptivePortalInterstitial(net::CertStatus cert_status,
+ int net_error) {
+ ASSERT_TRUE(https_server()->Start());
+ base::HistogramTester histograms;
+
+ // Mark the server's cert as a captive portal cert.
+ SetUpCertVerifier(cert_status, net_error, kCaptivePortalSPKI);
+
+ // Navigate to an unsafe page on the server. CaptivePortalCertificateList
+ // feature is enabled but either the error is not name-mismatch, or it's not
+ // the only error, so a generic SSL interstitial should be displayed.
+ WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
+ SSLInterstitialTimerObserver interstitial_timer_observer(tab);
+ ui_test_utils::NavigateToURL(browser(), https_server()->GetURL("/"));
+ content::WaitForInterstitialAttach(tab);
+
+ InterstitialPage* interstitial_page = tab->GetInterstitialPage();
+ ASSERT_EQ(SSLBlockingPage::kTypeForTesting,
+ interstitial_page->GetDelegateForTesting()->GetTypeForTesting());
+ EXPECT_TRUE(interstitial_timer_observer.timer_started());
+
+ // Check that the histogram for the captive portal cert was recorded.
+ histograms.ExpectTotalCount(SSLErrorHandler::GetHistogramNameForTesting(),
+ 2);
+ histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(),
+ SSLErrorHandler::HANDLE_ALL, 1);
+ histograms.ExpectBucketCount(
+ SSLErrorHandler::GetHistogramNameForTesting(),
+ SSLErrorHandler::SHOW_SSL_INTERSTITIAL_OVERRIDABLE, 1);
+ }
+
void SetUpCertVerifier(net::CertStatus cert_status,
int net_result,
const std::string& spki_hash) {
@@ -4145,13 +4173,9 @@ class SSLUICaptivePortalListResourceBundleTest
}
net::EmbeddedTestServer* https_server() { return &https_server_; }
- net::EmbeddedTestServer* https_server_mismatched() {
- return &https_server_mismatched_;
- }
private:
net::EmbeddedTestServer https_server_;
- net::EmbeddedTestServer https_server_mismatched_;
};
} // namespace
@@ -4322,34 +4346,30 @@ IN_PROC_BROWSER_TEST_F(SSLUICaptivePortalListResourceBundleTest,
scoped_feature_list.InitFromCommandLine(
"CaptivePortalCertificateList" /* enabled */,
std::string() /* disabled */);
- ASSERT_TRUE(https_server()->Start());
- base::HistogramTester histograms;
- // Mark the server's cert as a captive portal cert, but with an
- // authority-invalid error.
- SetUpCertVerifier(net::CERT_STATUS_AUTHORITY_INVALID,
- net::ERR_CERT_AUTHORITY_INVALID, kCaptivePortalSPKI);
-
- // Navigate to an unsafe page on the server. CaptivePortalCertificateList
- // feature is enabled but the error is not a name mismatch, so a generic SSL
- // interstitial should be displayed.
- WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
- SSLInterstitialTimerObserver interstitial_timer_observer(tab);
- ui_test_utils::NavigateToURL(browser(), https_server()->GetURL("/"));
- content::WaitForInterstitialAttach(tab);
+ TestNoCaptivePortalInterstitial(net::CERT_STATUS_AUTHORITY_INVALID,
+ net::ERR_CERT_AUTHORITY_INVALID);
+}
- InterstitialPage* interstitial_page = tab->GetInterstitialPage();
- ASSERT_EQ(SSLBlockingPage::kTypeForTesting,
- interstitial_page->GetDelegateForTesting()->GetTypeForTesting());
- EXPECT_TRUE(interstitial_timer_observer.timer_started());
+// Same as SSLUICaptivePortalListResourceBundleTest.Enabled_AuthorityInvalid,
+// but this time there are two errors (name mismatch + weak key). Captive portal
+// interstitial should not be shown when name mismatch isn't the only error.
+IN_PROC_BROWSER_TEST_F(SSLUICaptivePortalListResourceBundleTest,
+ Enabled_NameMismatchAndWeakKey) {
+ base::test::ScopedFeatureList scoped_feature_list;
+ scoped_feature_list.InitFromCommandLine(
+ "CaptivePortalCertificateList" /* enabled */,
+ std::string() /* disabled */);
- // Check that the histogram for the captive portal cert was recorded.
- histograms.ExpectTotalCount(SSLErrorHandler::GetHistogramNameForTesting(), 2);
- histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(),
- SSLErrorHandler::HANDLE_ALL, 1);
- histograms.ExpectBucketCount(
- SSLErrorHandler::GetHistogramNameForTesting(),
- SSLErrorHandler::SHOW_SSL_INTERSTITIAL_OVERRIDABLE, 1);
+ // Sanity check that COMMON_NAME_INVALID is seen as the net error, since the
estark 2017/02/28 21:12:06 optional nit: I'd maybe put this comment the line
meacer 2017/02/28 23:57:00 Done.
+ // test is designed to verify that SSLErrorHandler notices other errors in the
+ // CertStatus even when COMMON_NAME_INVALID is the net error.
+ const net::CertStatus cert_status =
+ net::CERT_STATUS_COMMON_NAME_INVALID | net::CERT_STATUS_WEAK_KEY;
+ ASSERT_EQ(net::ERR_CERT_COMMON_NAME_INVALID,
+ net::MapCertStatusToNetError(cert_status));
+ TestNoCaptivePortalInterstitial(cert_status,
+ net::ERR_CERT_COMMON_NAME_INVALID);
}
#else
« no previous file with comments | « no previous file | chrome/browser/ssl/ssl_error_handler.cc » ('j') | chrome/browser/ssl/ssl_error_handler_unittest.cc » ('J')

Powered by Google App Engine
This is Rietveld 408576698