Index: chrome/browser/ssl/ssl_browser_tests.cc |
diff --git a/chrome/browser/ssl/ssl_browser_tests.cc b/chrome/browser/ssl/ssl_browser_tests.cc |
index 169a55beaabd1ba6c20bffcc897328375fa8a76f..8797d940fe276fff0a4147d0ee9ef2bc894efe22 100644 |
--- a/chrome/browser/ssl/ssl_browser_tests.cc |
+++ b/chrome/browser/ssl/ssl_browser_tests.cc |
@@ -4,6 +4,7 @@ |
#include <utility> |
+#include "base/base64.h" |
#include "base/base_switches.h" |
#include "base/bind.h" |
#include "base/bind_helpers.h" |
@@ -53,6 +54,7 @@ |
#include "chrome/common/chrome_switches.h" |
#include "chrome/common/pref_names.h" |
#include "chrome/test/base/in_process_browser_test.h" |
+#include "chrome/test/base/test_launcher_utils.h" |
#include "chrome/test/base/ui_test_utils.h" |
#include "components/content_settings/core/browser/host_content_settings_map.h" |
#include "components/network_time/network_time_test_utils.h" |
@@ -317,7 +319,10 @@ class SSLUITest : public InProcessBrowserTest { |
https_server_mismatched_(net::EmbeddedTestServer::TYPE_HTTPS), |
wss_server_expired_(net::SpawnedTestServer::TYPE_WSS, |
SSLOptions(SSLOptions::CERT_EXPIRED), |
- net::GetWebSocketTestDataDirectory()) { |
+ net::GetWebSocketTestDataDirectory()), |
+ wss_server_mismatched_(net::SpawnedTestServer::TYPE_WSS, |
+ SSLOptions(SSLOptions::CERT_MISMATCHED_NAME), |
+ net::GetWebSocketTestDataDirectory()) { |
https_server_.AddDefaultHandlers(base::FilePath(kDocRoot)); |
https_server_expired_.SetSSLConfig(net::EmbeddedTestServer::CERT_EXPIRED); |
@@ -631,6 +636,7 @@ class SSLUITest : public InProcessBrowserTest { |
net::EmbeddedTestServer https_server_expired_; |
net::EmbeddedTestServer https_server_mismatched_; |
net::SpawnedTestServer wss_server_expired_; |
+ net::SpawnedTestServer wss_server_mismatched_; |
protected: |
// Navigates to an interstitial and clicks through the certificate |
@@ -689,6 +695,40 @@ class SSLUITestIgnoreCertErrors : public SSLUITest { |
} |
}; |
+static std::string MakeCertSPKIFingerprint(net::X509Certificate* cert) { |
+ net::HashValue hash = GetSPKIHash(cert); |
+ std::string hash_base64; |
+ base::Base64Encode( |
+ base::StringPiece(reinterpret_cast<const char*>(hash.data()), |
+ hash.size()), |
+ &hash_base64); |
+ return hash_base64; |
+} |
+ |
+class SSLUITestIgnoreCertErrorsBySPKIHTTPS : public SSLUITest { |
+ protected: |
+ void SetUpCommandLine(base::CommandLine* command_line) override { |
+ std::string whitelist_flag = MakeCertSPKIFingerprint( |
+ https_server_mismatched_.GetCertificate().get()); |
+ command_line->AppendSwitchASCII(switches::kIgnoreCertificateErrorsSPKIList, |
+ whitelist_flag); |
+ } |
+}; |
+ |
+class SSLUITestIgnoreCertErrorsBySPKIWSS : public SSLUITest { |
+ public: |
+ SSLUITestIgnoreCertErrorsBySPKIWSS() : SSLUITest() {} |
+ |
+ void SetUpCommandLine(base::CommandLine* command_line) override { |
+ std::string whitelist_flag = |
+ MakeCertSPKIFingerprint(wss_server_expired_.GetCertificate().get()); |
+ // Browser will ignore certificate errors for chains matching one of the |
+ // public keys from the list. |
estark
2017/05/17 18:04:18
optional nit: just for consistency, include this c
martinkr
2017/05/23 18:30:43
Done.
|
+ command_line->AppendSwitchASCII(switches::kIgnoreCertificateErrorsSPKIList, |
+ whitelist_flag); |
+ } |
+}; |
+ |
class SSLUITestIgnoreLocalhostCertErrors : public SSLUITest { |
public: |
SSLUITestIgnoreLocalhostCertErrors() : SSLUITest() {} |
@@ -2664,6 +2704,52 @@ IN_PROC_BROWSER_TEST_F(SSLUITestIgnoreCertErrors, TestWSS) { |
EXPECT_TRUE(base::LowerCaseEqualsASCII(result, "pass")); |
} |
+// Visit a page and establish a WebSocket connection over bad https with |
estark
2017/05/17 18:04:18
Question: are you testing WebSockets because they
martinkr
2017/05/23 18:30:43
I was actually just aping SSLUITestIgnoreCertError
|
+// --disable-certificate-errors-spki-list. The connection should be established |
estark
2017/05/17 18:04:18
nit: s/disable/ignore? (same on line 2735)
martinkr
2017/05/23 18:30:43
Done.
|
+// without interstitial page showing. |
+IN_PROC_BROWSER_TEST_F(SSLUITestIgnoreCertErrorsBySPKIWSS, TestWSSExpired) { |
+ ASSERT_TRUE(embedded_test_server()->Start()); |
estark
2017/05/17 18:04:19
Do you need this? Doesn't look like you use it unl
martinkr
2017/05/23 18:30:43
Done.
|
+ ASSERT_TRUE(wss_server_expired_.Start()); |
+ |
+ // Setup page title observer. |
+ WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents(); |
+ content::TitleWatcher watcher(tab, ASCIIToUTF16("PASS")); |
+ watcher.AlsoWaitForTitle(ASCIIToUTF16("FAIL")); |
+ |
+ // Visit bad HTTPS page. |
+ GURL::Replacements replacements; |
+ replacements.SetSchemeStr("https"); |
+ ui_test_utils::NavigateToURL(browser(), |
+ wss_server_expired_.GetURL("connect_check.html") |
+ .ReplaceComponents(replacements)); |
+ |
+ // We shouldn't have an interstitial page showing here. |
+ |
+ // Test page run a WebSocket wss connection test. The result will be shown |
+ // as page title. |
+ const base::string16 result = watcher.WaitAndGetTitle(); |
+ EXPECT_TRUE(base::LowerCaseEqualsASCII(result, "pass")); |
+} |
+ |
+// Test that HTTPS pages with a bad certificate don't show an interstitial if |
+// the public key matches a value from --disable-certificate-errors-spki-list. |
+IN_PROC_BROWSER_TEST_F(SSLUITestIgnoreCertErrorsBySPKIHTTPS, TestHTTPS) { |
+ ASSERT_TRUE(https_server_mismatched_.Start()); |
+ |
+ WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents(); |
+ |
+ ui_test_utils::NavigateToURL( |
+ browser(), |
+ https_server_mismatched_.GetURL("/ssl/page_with_subresource.html")); |
+ |
+ // We should see no interstitial. The script tag in the page should have |
+ // loaded and ran (and wasn't blocked by the certificate error). |
+ CheckAuthenticatedState(tab, AuthState::NONE); |
+ base::string16 title; |
+ ui_test_utils::GetCurrentTabTitle(browser(), &title); |
+ EXPECT_EQ(title, base::ASCIIToUTF16("This script has loaded")); |
+} |
+ |
// Verifies that the interstitial can proceed, even if JavaScript is disabled. |
// http://crbug.com/322948 |
#if defined(OS_LINUX) |