Update SSL error handling code to account for Subject CN deprecation

components/ssl_errors/error_classification.cc

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "components/ssl_errors/error_classification.h"
 
 #include <limits.h>
 #include <stddef.h>
 
 #include <vector>
@@ skipping 86 matching lines @@
     return -1;
 
   int diff_size = static_cast<int>(potential_subdomain.size() - parent.size());
   for (size_t i = 0; i < parent.size(); i++) {
     if (parent[i] != potential_subdomain[i + diff_size])
       return -1;
   }
   return diff_size;
 }
 
-// We accept the inverse case for www for historical reasons.
-bool IsWWWSubDomainMatch(const GURL& request_url,
-                         const net::X509Certificate& cert) {
-  std::string www_host;
-  std::vector<std::string> dns_names;
-  cert.GetDNSNames(&dns_names);
-  return GetWWWSubDomainMatch(request_url, dns_names, &www_host);
-}
-
 // The time to use when doing build time operations in browser tests.
 base::LazyInstance<base::Time>::DestructorAtExit g_testing_build_time =
     LAZY_INSTANCE_INITIALIZER;
 
 }  // namespace
 
 static ssl_errors::ErrorInfo::ErrorType RecordErrorType(int cert_error) {
   ssl_errors::ErrorInfo::ErrorType error_type =
       ssl_errors::ErrorInfo::NetErrorToErrorType(cert_error);
   UMA_HISTOGRAM_ENUMERATION("interstitial.ssl_error_type", error_type,
@@ skipping 23 matching lines @@
     }
     case ssl_errors::ErrorInfo::CERT_COMMON_NAME_INVALID: {
       std::string host_name = request_url.host();
       if (HostNameHasKnownTLD(host_name)) {
         HostnameTokens host_name_tokens = Tokenize(host_name);
         if (IsWWWSubDomainMatch(request_url, cert))
           RecordSSLInterstitialCause(overridable, WWW_SUBDOMAIN_MATCH);
         if (IsSubDomainOutsideWildcard(request_url, cert))
           RecordSSLInterstitialCause(overridable, SUBDOMAIN_OUTSIDE_WILDCARD);
         std::vector<std::string> dns_names;
-        cert.GetDNSNames(&dns_names);
+        cert.GetSubjectAltName(&dns_names, nullptr);
         std::vector<HostnameTokens> dns_name_tokens =
             GetTokenizedDNSNames(dns_names);
         if (NameUnderAnyNames(host_name_tokens, dns_name_tokens))
           RecordSSLInterstitialCause(overridable, SUBDOMAIN_MATCH);

[estark, 2017/04/03 02:01:42]

same nit here about using a new UMA value

[elawrence, 2017/04/04 15:52:28]

Done.

         if (AnyNamesUnderName(dns_name_tokens, host_name_tokens))
           RecordSSLInterstitialCause(overridable, SUBDOMAIN_INVERSE_MATCH);
         if (IsCertLikelyFromMultiTenantHosting(request_url, cert))
           RecordSSLInterstitialCause(overridable, LIKELY_MULTI_TENANT_HOSTING);
         if (IsCertLikelyFromSameDomain(request_url, cert))
           RecordSSLInterstitialCause(overridable, LIKELY_SAME_DOMAIN);
       } else {
         RecordSSLInterstitialCause(overridable, HOST_NAME_NOT_KNOWN_TLD);
       }
       break;
@@ skipping 109 matching lines @@
   return net::registry_controlled_domains::HostHasRegistryControlledDomain(
       host_name, net::registry_controlled_domains::EXCLUDE_UNKNOWN_REGISTRIES,
       net::registry_controlled_domains::INCLUDE_PRIVATE_REGISTRIES);
 }
 
 HostnameTokens Tokenize(const std::string& name) {
   return base::SplitString(name, ".", base::KEEP_WHITESPACE,
                            base::SPLIT_WANT_ALL);
 }
 
+// We accept the inverse case for www for historical reasons.
+bool IsWWWSubDomainMatch(const GURL& request_url,
+                         const net::X509Certificate& cert) {
+  std::string www_host;
+  std::vector<std::string> dns_names;
+  cert.GetSubjectAltName(&dns_names, nullptr);
+  return GetWWWSubDomainMatch(request_url, dns_names, &www_host);
+}
+
 bool GetWWWSubDomainMatch(const GURL& request_url,
                           const std::vector<std::string>& dns_names,
                           std::string* www_match_host_name) {
   const std::string& host_name = request_url.host();
 
   if (HostNameHasKnownTLD(host_name)) {
     // Need to account for all possible domains given in the SSL certificate.
     for (const auto& dns_name : dns_names) {
       if (dns_name.empty() || dns_name.find('\0') != std::string::npos ||
           dns_name.length() == host_name.length() ||
@@ skipping 73 matching lines @@
     }
   }
   return row[str2.size()];
 }
 
 bool IsSubDomainOutsideWildcard(const GURL& request_url,
                                 const net::X509Certificate& cert) {
   std::string host_name = request_url.host();
   HostnameTokens host_name_tokens = Tokenize(host_name);
   std::vector<std::string> dns_names;
-  cert.GetDNSNames(&dns_names);
+  cert.GetSubjectAltName(&dns_names, nullptr);

[estark, 2017/04/03 02:01:42]

Blegh, I suppose all these will affect existing histograms too...

[elawrence, 2017/04/04 15:52:28]

yes.

   bool result = false;
 
   // This method requires that the host name be longer than the dns name on
   // the certificate.
   for (const auto& dns_name : dns_names) {
     if (dns_name.length() < 2 || dns_name.length() >= host_name.length() ||
         dns_name.find('\0') != std::string::npos ||
         !HostNameHasKnownTLD(dns_name) || dns_name[0] != '*' ||
         dns_name[1] != '.') {
       continue;
     }
 
     // Move past the "*.".
     std::string extracted_dns_name = dns_name.substr(2);
     if (FindSubdomainDifference(host_name_tokens,
                                 Tokenize(extracted_dns_name)) == 2) {
       return true;
     }
   }
   return result;
 }
 
 bool IsCertLikelyFromMultiTenantHosting(const GURL& request_url,
                                         const net::X509Certificate& cert) {
   std::string host_name = request_url.host();
   std::vector<std::string> dns_names;
   std::vector<std::string> dns_names_domain;
-  cert.GetDNSNames(&dns_names);
+  cert.GetSubjectAltName(&dns_names, nullptr);
   size_t dns_names_size = dns_names.size();
 
   // If there is only 1 DNS name then it is definitely not a shared certificate.
   if (dns_names_size == 0 || dns_names_size == 1)
     return false;
 
   // Check to see if all the domains in the SAN field in the SSL certificate are
   // the same or not.
   for (size_t i = 0; i < dns_names_size; ++i) {
     dns_names_domain.push_back(
@@ skipping 26 matching lines @@
         return false;
     }
   }
   return true;
 }
 
 bool IsCertLikelyFromSameDomain(const GURL& request_url,
                                 const net::X509Certificate& cert) {
   std::string host_name = request_url.host();
   std::vector<std::string> dns_names;
-  cert.GetDNSNames(&dns_names);
+  cert.GetSubjectAltName(&dns_names, nullptr);
+  if (dns_names.empty())
+    return false;
 
   dns_names.push_back(host_name);
   std::vector<std::string> dns_names_domain;
 
   for (const std::string& dns_name : dns_names) {
     dns_names_domain.push_back(
         net::registry_controlled_domains::GetDomainAndRegistry(
             dns_name,
             net::registry_controlled_domains::INCLUDE_PRIVATE_REGISTRIES));
   }
 
   DCHECK(!dns_names_domain.empty());
   const std::string& host_name_domain = dns_names_domain.back();
 
   // Last element is the original domain. So, excluding it.
   return std::find(dns_names_domain.begin(), dns_names_domain.end() - 1,
                    host_name_domain) != dns_names_domain.end() - 1;
 }
 
 bool IsHostnameNonUniqueOrDotless(const std::string& hostname) {
   return net::IsHostnameNonUnique(hostname) ||
          hostname.find('.') == std::string::npos;
 }
 
 }  // namespace ssl_errors