OLD | NEW |
---|---|
1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "components/ssl_errors/error_classification.h" | 5 #include "components/ssl_errors/error_classification.h" |
6 | 6 |
7 #include "base/files/file_path.h" | 7 #include "base/files/file_path.h" |
8 #include "base/memory/ptr_util.h" | 8 #include "base/memory/ptr_util.h" |
9 #include "base/message_loop/message_loop.h" | 9 #include "base/message_loop/message_loop.h" |
10 #include "base/strings/string_split.h" | 10 #include "base/strings/string_split.h" |
(...skipping 35 matching lines...) | |
46 : field_trial_test_(new network_time::FieldTrialTest()) {} | 46 : field_trial_test_(new network_time::FieldTrialTest()) {} |
47 network_time::FieldTrialTest* field_trial_test() { | 47 network_time::FieldTrialTest* field_trial_test() { |
48 return field_trial_test_.get(); | 48 return field_trial_test_.get(); |
49 } | 49 } |
50 | 50 |
51 private: | 51 private: |
52 std::unique_ptr<network_time::FieldTrialTest> field_trial_test_; | 52 std::unique_ptr<network_time::FieldTrialTest> field_trial_test_; |
53 }; | 53 }; |
54 | 54 |
55 TEST_F(SSLErrorClassificationTest, TestNameMismatch) { | 55 TEST_F(SSLErrorClassificationTest, TestNameMismatch) { |
56 scoped_refptr<net::X509Certificate> google_cert( | 56 scoped_refptr<net::X509Certificate> example_cert = net::ImportCertFromFile( |
57 net::X509Certificate::CreateFromBytes( | 57 net::GetTestCertsDirectory(), "subjectAltName_www_example_com.pem"); |
58 reinterpret_cast<const char*>(google_der), sizeof(google_der))); | 58 ASSERT_TRUE(example_cert.get()); |
59 ASSERT_TRUE(google_cert.get()); | 59 std::vector<std::string> dns_names_example; |
60 std::vector<std::string> dns_names_google; | 60 example_cert->GetDNSNames(&dns_names_example); |
61 google_cert->GetDNSNames(&dns_names_google); | 61 ASSERT_EQ(1u, dns_names_example.size()); // ["www.example.com"] |
Ryan Sleevi
2017/03/31 14:51:34
JUDGEMENT CALL NIT:
ASSERT_THAT(dns_names_example,
elawrence
2017/03/31 16:09:41
Neat. I'd rather the code do the testing than leav
| |
62 ASSERT_EQ(1u, dns_names_google.size()); // ["www.google.com"] | 62 std::vector<std::string> hostname_tokens_example = |
63 std::vector<std::string> hostname_tokens_google = | 63 ssl_errors::Tokenize(dns_names_example[0]); |
64 ssl_errors::Tokenize(dns_names_google[0]); | 64 ASSERT_EQ(3u, hostname_tokens_example.size()); // ["www","example","com"] |
65 ASSERT_EQ(3u, hostname_tokens_google.size()); // ["www","google","com"] | 65 std::vector<std::vector<std::string>> dns_name_tokens_example; |
66 std::vector<std::vector<std::string>> dns_name_tokens_google; | 66 dns_name_tokens_example.push_back(hostname_tokens_example); |
67 dns_name_tokens_google.push_back(hostname_tokens_google); | 67 ASSERT_EQ(1u, dns_name_tokens_example.size()); // [["www","example","com"]] |
68 ASSERT_EQ(1u, dns_name_tokens_google.size()); // [["www","google","com"]] | |
69 | 68 |
70 { | 69 { |
71 GURL origin("https://google.com"); | 70 GURL origin("https://example.com"); |
72 std::string www_host; | 71 std::string www_host; |
73 std::vector<std::string> host_name_tokens = base::SplitString( | 72 std::vector<std::string> host_name_tokens = base::SplitString( |
74 origin.host(), ".", base::KEEP_WHITESPACE, base::SPLIT_WANT_ALL); | 73 origin.host(), ".", base::KEEP_WHITESPACE, base::SPLIT_WANT_ALL); |
75 EXPECT_TRUE( | 74 EXPECT_TRUE( |
76 ssl_errors::GetWWWSubDomainMatch(origin, dns_names_google, &www_host)); | 75 ssl_errors::GetWWWSubDomainMatch(origin, dns_names_example, &www_host)); |
77 EXPECT_EQ("www.google.com", www_host); | 76 EXPECT_EQ("www.example.com", www_host); |
78 EXPECT_FALSE(ssl_errors::NameUnderAnyNames(host_name_tokens, | 77 EXPECT_FALSE(ssl_errors::NameUnderAnyNames(host_name_tokens, |
79 dns_name_tokens_google)); | 78 dns_name_tokens_example)); |
80 EXPECT_FALSE(ssl_errors::AnyNamesUnderName(dns_name_tokens_google, | 79 EXPECT_FALSE(ssl_errors::AnyNamesUnderName(dns_name_tokens_example, |
81 host_name_tokens)); | 80 host_name_tokens)); |
82 EXPECT_FALSE(ssl_errors::IsSubDomainOutsideWildcard(origin, *google_cert)); | 81 EXPECT_FALSE(ssl_errors::IsSubDomainOutsideWildcard(origin, *example_cert)); |
83 EXPECT_FALSE( | 82 EXPECT_FALSE( |
84 ssl_errors::IsCertLikelyFromMultiTenantHosting(origin, *google_cert)); | 83 ssl_errors::IsCertLikelyFromMultiTenantHosting(origin, *example_cert)); |
85 EXPECT_TRUE(ssl_errors::IsCertLikelyFromSameDomain(origin, *google_cert)); | 84 EXPECT_TRUE(ssl_errors::IsCertLikelyFromSameDomain(origin, *example_cert)); |
86 } | 85 } |
87 | 86 |
88 { | 87 { |
89 GURL origin("https://foo.blah.google.com"); | 88 GURL origin("https://foo.blah.example.com"); |
90 std::string www_host; | 89 std::string www_host; |
91 std::vector<std::string> host_name_tokens = base::SplitString( | 90 std::vector<std::string> host_name_tokens = base::SplitString( |
92 origin.host(), ".", base::KEEP_WHITESPACE, base::SPLIT_WANT_ALL); | 91 origin.host(), ".", base::KEEP_WHITESPACE, base::SPLIT_WANT_ALL); |
93 EXPECT_FALSE( | 92 EXPECT_FALSE( |
94 ssl_errors::GetWWWSubDomainMatch(origin, dns_names_google, &www_host)); | 93 ssl_errors::GetWWWSubDomainMatch(origin, dns_names_example, &www_host)); |
95 EXPECT_FALSE(ssl_errors::NameUnderAnyNames(host_name_tokens, | 94 EXPECT_FALSE(ssl_errors::NameUnderAnyNames(host_name_tokens, |
96 dns_name_tokens_google)); | 95 dns_name_tokens_example)); |
97 EXPECT_FALSE(ssl_errors::AnyNamesUnderName(dns_name_tokens_google, | 96 EXPECT_FALSE(ssl_errors::AnyNamesUnderName(dns_name_tokens_example, |
98 host_name_tokens)); | 97 host_name_tokens)); |
99 EXPECT_TRUE(ssl_errors::IsCertLikelyFromSameDomain(origin, *google_cert)); | 98 EXPECT_TRUE(ssl_errors::IsCertLikelyFromSameDomain(origin, *example_cert)); |
100 } | 99 } |
101 | 100 |
102 { | 101 { |
103 GURL origin("https://foo.www.google.com"); | 102 GURL origin("https://foo.www.example.com"); |
104 std::string www_host; | 103 std::string www_host; |
105 std::vector<std::string> host_name_tokens = base::SplitString( | 104 std::vector<std::string> host_name_tokens = base::SplitString( |
106 origin.host(), ".", base::KEEP_WHITESPACE, base::SPLIT_WANT_ALL); | 105 origin.host(), ".", base::KEEP_WHITESPACE, base::SPLIT_WANT_ALL); |
107 EXPECT_FALSE( | 106 EXPECT_FALSE( |
108 ssl_errors::GetWWWSubDomainMatch(origin, dns_names_google, &www_host)); | 107 ssl_errors::GetWWWSubDomainMatch(origin, dns_names_example, &www_host)); |
109 EXPECT_TRUE(ssl_errors::NameUnderAnyNames(host_name_tokens, | 108 EXPECT_TRUE(ssl_errors::NameUnderAnyNames(host_name_tokens, |
110 dns_name_tokens_google)); | 109 dns_name_tokens_example)); |
111 EXPECT_FALSE(ssl_errors::AnyNamesUnderName(dns_name_tokens_google, | 110 EXPECT_FALSE(ssl_errors::AnyNamesUnderName(dns_name_tokens_example, |
112 host_name_tokens)); | 111 host_name_tokens)); |
113 EXPECT_TRUE(ssl_errors::IsCertLikelyFromSameDomain(origin, *google_cert)); | 112 EXPECT_TRUE(ssl_errors::IsCertLikelyFromSameDomain(origin, *example_cert)); |
114 } | 113 } |
115 | 114 |
116 { | 115 { |
117 GURL origin("https://www.google.com.foo"); | 116 GURL origin("https://www.example.com.foo"); |
118 std::string www_host; | 117 std::string www_host; |
119 std::vector<std::string> host_name_tokens = base::SplitString( | 118 std::vector<std::string> host_name_tokens = base::SplitString( |
120 origin.host(), ".", base::KEEP_WHITESPACE, base::SPLIT_WANT_ALL); | 119 origin.host(), ".", base::KEEP_WHITESPACE, base::SPLIT_WANT_ALL); |
121 EXPECT_FALSE( | 120 EXPECT_FALSE( |
122 ssl_errors::GetWWWSubDomainMatch(origin, dns_names_google, &www_host)); | 121 ssl_errors::GetWWWSubDomainMatch(origin, dns_names_example, &www_host)); |
123 EXPECT_FALSE(ssl_errors::NameUnderAnyNames(host_name_tokens, | 122 EXPECT_FALSE(ssl_errors::NameUnderAnyNames(host_name_tokens, |
124 dns_name_tokens_google)); | 123 dns_name_tokens_example)); |
125 EXPECT_FALSE(ssl_errors::AnyNamesUnderName(dns_name_tokens_google, | 124 EXPECT_FALSE(ssl_errors::AnyNamesUnderName(dns_name_tokens_example, |
126 host_name_tokens)); | 125 host_name_tokens)); |
126 EXPECT_FALSE(ssl_errors::IsCertLikelyFromSameDomain(origin, *example_cert)); | |
127 } | |
128 | |
129 { | |
130 GURL origin("https://www.fooexample.com."); | |
131 std::string www_host; | |
132 std::vector<std::string> host_name_tokens = base::SplitString( | |
133 origin.host(), ".", base::KEEP_WHITESPACE, base::SPLIT_WANT_ALL); | |
134 EXPECT_FALSE( | |
135 ssl_errors::GetWWWSubDomainMatch(origin, dns_names_example, &www_host)); | |
136 EXPECT_FALSE(ssl_errors::NameUnderAnyNames(host_name_tokens, | |
137 dns_name_tokens_example)); | |
138 EXPECT_FALSE(ssl_errors::AnyNamesUnderName(dns_name_tokens_example, | |
139 host_name_tokens)); | |
140 EXPECT_FALSE(ssl_errors::IsCertLikelyFromSameDomain(origin, *example_cert)); | |
141 } | |
142 | |
143 // Ensure that a certificate with no SubjectAltNames does not fall back to | |
144 // the Subject CN when evaluating hostnames. | |
145 { | |
146 scoped_refptr<net::X509Certificate> google_cert( | |
147 net::X509Certificate::CreateFromBytes( | |
148 reinterpret_cast<const char*>(google_der), sizeof(google_der))); | |
149 ASSERT_TRUE(google_cert.get()); | |
150 | |
151 GURL origin("https://google.com"); | |
152 EXPECT_FALSE(ssl_errors::IsWWWSubDomainMatch(origin, *google_cert)); | |
127 EXPECT_FALSE(ssl_errors::IsCertLikelyFromSameDomain(origin, *google_cert)); | 153 EXPECT_FALSE(ssl_errors::IsCertLikelyFromSameDomain(origin, *google_cert)); |
128 } | 154 } |
129 | 155 |
130 { | 156 { |
131 GURL origin("https://www.foogoogle.com."); | 157 scoped_refptr<net::X509Certificate> webkit_cert( |
132 std::string www_host; | 158 net::X509Certificate::CreateFromBytes( |
133 std::vector<std::string> host_name_tokens = base::SplitString( | 159 reinterpret_cast<const char*>(webkit_der), sizeof(webkit_der))); |
134 origin.host(), ".", base::KEEP_WHITESPACE, base::SPLIT_WANT_ALL); | 160 ASSERT_TRUE(webkit_cert.get()); |
135 EXPECT_FALSE( | 161 std::vector<std::string> dns_names_webkit; |
136 ssl_errors::GetWWWSubDomainMatch(origin, dns_names_google, &www_host)); | 162 webkit_cert->GetDNSNames(&dns_names_webkit); |
137 EXPECT_FALSE(ssl_errors::NameUnderAnyNames(host_name_tokens, | 163 ASSERT_EQ(2u, dns_names_webkit.size()); // ["*.webkit.org", "webkit.org"] |
138 dns_name_tokens_google)); | 164 std::vector<std::string> hostname_tokens_webkit_0 = |
139 EXPECT_FALSE(ssl_errors::AnyNamesUnderName(dns_name_tokens_google, | 165 ssl_errors::Tokenize(dns_names_webkit[0]); |
140 host_name_tokens)); | 166 ASSERT_EQ(3u, hostname_tokens_webkit_0.size()); // ["*", "webkit","org"] |
141 EXPECT_FALSE(ssl_errors::IsCertLikelyFromSameDomain(origin, *google_cert)); | 167 std::vector<std::string> hostname_tokens_webkit_1 = |
142 } | 168 ssl_errors::Tokenize(dns_names_webkit[1]); |
143 | 169 ASSERT_EQ(2u, hostname_tokens_webkit_1.size()); // ["webkit","org"] |
144 scoped_refptr<net::X509Certificate> webkit_cert( | 170 std::vector<std::vector<std::string>> dns_name_tokens_webkit; |
145 net::X509Certificate::CreateFromBytes( | 171 dns_name_tokens_webkit.push_back(hostname_tokens_webkit_0); |
146 reinterpret_cast<const char*>(webkit_der), sizeof(webkit_der))); | 172 dns_name_tokens_webkit.push_back(hostname_tokens_webkit_1); |
147 ASSERT_TRUE(webkit_cert.get()); | 173 ASSERT_EQ(2u, dns_name_tokens_webkit.size()); |
148 std::vector<std::string> dns_names_webkit; | |
149 webkit_cert->GetDNSNames(&dns_names_webkit); | |
150 ASSERT_EQ(2u, dns_names_webkit.size()); // ["*.webkit.org", "webkit.org"] | |
151 std::vector<std::string> hostname_tokens_webkit_0 = | |
152 ssl_errors::Tokenize(dns_names_webkit[0]); | |
153 ASSERT_EQ(3u, hostname_tokens_webkit_0.size()); // ["*", "webkit","org"] | |
154 std::vector<std::string> hostname_tokens_webkit_1 = | |
155 ssl_errors::Tokenize(dns_names_webkit[1]); | |
156 ASSERT_EQ(2u, hostname_tokens_webkit_1.size()); // ["webkit","org"] | |
157 std::vector<std::vector<std::string>> dns_name_tokens_webkit; | |
158 dns_name_tokens_webkit.push_back(hostname_tokens_webkit_0); | |
159 dns_name_tokens_webkit.push_back(hostname_tokens_webkit_1); | |
160 ASSERT_EQ(2u, dns_name_tokens_webkit.size()); | |
161 { | |
162 GURL origin("https://a.b.webkit.org"); | 174 GURL origin("https://a.b.webkit.org"); |
163 std::string www_host; | 175 std::string www_host; |
164 std::vector<std::string> host_name_tokens = base::SplitString( | 176 std::vector<std::string> host_name_tokens = base::SplitString( |
165 origin.host(), ".", base::KEEP_WHITESPACE, base::SPLIT_WANT_ALL); | 177 origin.host(), ".", base::KEEP_WHITESPACE, base::SPLIT_WANT_ALL); |
166 EXPECT_FALSE( | 178 EXPECT_FALSE( |
167 ssl_errors::GetWWWSubDomainMatch(origin, dns_names_webkit, &www_host)); | 179 ssl_errors::GetWWWSubDomainMatch(origin, dns_names_webkit, &www_host)); |
168 EXPECT_FALSE(ssl_errors::NameUnderAnyNames(host_name_tokens, | 180 EXPECT_FALSE(ssl_errors::NameUnderAnyNames(host_name_tokens, |
169 dns_name_tokens_webkit)); | 181 dns_name_tokens_webkit)); |
170 EXPECT_FALSE(ssl_errors::AnyNamesUnderName(dns_name_tokens_webkit, | 182 EXPECT_FALSE(ssl_errors::AnyNamesUnderName(dns_name_tokens_webkit, |
171 host_name_tokens)); | 183 host_name_tokens)); |
(...skipping 274 matching lines...) | |
446 clock->Advance(base::TimeDelta::FromDays(1)); | 458 clock->Advance(base::TimeDelta::FromDays(1)); |
447 // GetClockState() will fall back to the build time heuristic. | 459 // GetClockState() will fall back to the build time heuristic. |
448 ssl_errors::GetClockState(clock->Now(), &network_time_tracker); | 460 ssl_errors::GetClockState(clock->Now(), &network_time_tracker); |
449 histograms.ExpectTotalCount(kNetworkTimeHistogram, 8); | 461 histograms.ExpectTotalCount(kNetworkTimeHistogram, 8); |
450 histograms.ExpectBucketCount( | 462 histograms.ExpectBucketCount( |
451 kNetworkTimeHistogram, ssl_errors::NETWORK_CLOCK_STATE_UNKNOWN_SYNC_LOST, | 463 kNetworkTimeHistogram, ssl_errors::NETWORK_CLOCK_STATE_UNKNOWN_SYNC_LOST, |
452 1); | 464 1); |
453 | 465 |
454 io_thread.Stop(); | 466 io_thread.Stop(); |
455 } | 467 } |
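Review bot: The new no-SubjectAltName block (new lines 143–154) only checks that `google_cert` fails to match `https://google.com`, which any certificate whose names do not cover that host would also satisfy, so the test does not by itself show that the Subject CN was ignored. Pin the precondition in code ahead of the two `EXPECT_FALSE` checks: `std::vector<std::string> san_dns;`, `EXPECT_FALSE(google_cert->GetSubjectAltName(&san_dns, nullptr));` and `EXPECT_EQ("www.google.com", google_cert->subject().common_name);`. The CN value is inferred from the old-side comment `// ["www.google.com"]` and should be confirmed against `google_der`. With those assertions, replacing the fixture with a SAN-bearing certificate would fail the test instead of silently dropping the CN-fallback coverage. TestNameMismatch continues into the skipped lines, so later uses of these certificates are not visible here.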