Update SSL error handling code to account for Subject CN deprecation

chrome/browser/ssl/ssl_error_handler_unittest.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/ssl/ssl_error_handler.h"
 
 #include "base/callback.h"
 #include "base/macros.h"
 #include "base/memory/ptr_util.h"
 #include "base/metrics/field_trial.h"
@@ skipping 178 matching lines @@
   DISALLOW_COPY_AND_ASSIGN(TestSSLErrorHandlerDelegate);
 };
 
 }  // namespace
 
 // A class to test name mismatch errors. Creates an error handler with a name
 // mismatch error.
 class SSLErrorHandlerNameMismatchTest : public ChromeRenderViewHostTestHarness {
  public:
   SSLErrorHandlerNameMismatchTest() : field_trial_list_(nullptr) {}
+  ~SSLErrorHandlerNameMismatchTest() override {}
 
   void SetUp() override {
     ChromeRenderViewHostTestHarness::SetUp();
     SSLErrorHandler::ResetConfigForTesting();
     SSLErrorHandler::SetInterstitialDelayForTesting(base::TimeDelta());
-    ssl_info_.cert =
-        net::ImportCertFromFile(net::GetTestCertsDirectory(), "ok_cert.pem");
+    ssl_info_.cert = GetCertificate();
     ssl_info_.cert_status = net::CERT_STATUS_COMMON_NAME_INVALID;
     ssl_info_.public_key_hashes.push_back(
         net::HashValue(kCertPublicKeyHashValue));
 
     delegate_ =
         new TestSSLErrorHandlerDelegate(profile(), web_contents(), ssl_info_);
     error_handler_.reset(new TestSSLErrorHandler(
         std::unique_ptr<SSLErrorHandler::Delegate>(delegate_), web_contents(),
         profile(), net::MapCertStatusToNetError(ssl_info_.cert_status),
         ssl_info_,
         GURL(),  // request_url
         base::Callback<void(content::CertificateRequestResultType)>()));
   }
 
   void TearDown() override {
     EXPECT_FALSE(error_handler()->IsTimerRunningForTesting());
     error_handler_.reset(nullptr);
     SSLErrorHandler::ResetConfigForTesting();
     ChromeRenderViewHostTestHarness::TearDown();
   }
 
   TestSSLErrorHandler* error_handler() { return error_handler_.get(); }
   TestSSLErrorHandlerDelegate* delegate() { return delegate_; }
 
   const net::SSLInfo& ssl_info() { return ssl_info_; }
 
  private:
+  // Returns a certificate for the test. Virtual to allow derived fixtures to
+  // use a certificate with different characteristics.
+  virtual scoped_refptr<net::X509Certificate> GetCertificate() {
+    return net::ImportCertFromFile(net::GetTestCertsDirectory(),
+                                   "subjectAltName_www_example_com.pem");
+  }
+
   net::SSLInfo ssl_info_;
   std::unique_ptr<TestSSLErrorHandler> error_handler_;
   TestSSLErrorHandlerDelegate* delegate_;
   base::FieldTrialList field_trial_list_;
 
   DISALLOW_COPY_AND_ASSIGN(SSLErrorHandlerNameMismatchTest);
 };
 
+// A class to test name mismatch errors, where the certificate lacks a
+// SubjectAltName. Creates an error handler with a name mismatch error.
+class SSLErrorHandlerNameMismatchNoSANTest
+    : public SSLErrorHandlerNameMismatchTest {
+ public:
+  SSLErrorHandlerNameMismatchNoSANTest() {}
+
+  // Return a certificate that contains no SubjectAltName field.
+  scoped_refptr<net::X509Certificate> GetCertificate() override {

[estark, 2017/04/05 03:37:41]

this should be private too

[elawrence, 2017/04/05 14:51:39]

Done.

+    return net::ImportCertFromFile(net::GetTestCertsDirectory(), "ok_cert.pem");
+  }
+
+  DISALLOW_COPY_AND_ASSIGN(SSLErrorHandlerNameMismatchNoSANTest);
+};
+
 // A class to test the captive portal certificate list feature. Creates an error
 // handler with a name mismatch error by default. The error handler can be
 // recreated by calling ResetErrorHandler() with an appropriate cert status.
 class SSLErrorHandlerCaptivePortalCertListTest
     : public ChromeRenderViewHostTestHarness {
  public:
   SSLErrorHandlerCaptivePortalCertListTest() : field_trial_list_(nullptr) {}
 
   void SetUp() override {
     ChromeRenderViewHostTestHarness::SetUp();
@@ skipping 317 matching lines @@
 
   EXPECT_FALSE(error_handler()->IsTimerRunningForTesting());
   EXPECT_TRUE(delegate()->ssl_interstitial_shown());
 
   // Note that the suggested URL check is never completed, so there is no entry
   // for WWW_MISMATCH_URL_AVAILABLE or WWW_MISMATCH_URL_NOT_AVAILABLE.
   histograms.ExpectTotalCount(SSLErrorHandler::GetHistogramNameForTesting(), 3);
   histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(),
                                SSLErrorHandler::HANDLE_ALL, 1);
   histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(),
-                               SSLErrorHandler::WWW_MISMATCH_FOUND, 1);
+                               SSLErrorHandler::WWW_MISMATCH_FOUND_IN_SAN, 1);
   histograms.ExpectBucketCount(
       SSLErrorHandler::GetHistogramNameForTesting(),
       SSLErrorHandler::SHOW_SSL_INTERSTITIAL_OVERRIDABLE, 1);
 }
 
 TEST_F(SSLErrorHandlerNameMismatchTest,
        ShouldNotHandleNameMismatchOnNonOverridableError) {
   base::HistogramTester histograms;
   delegate()->set_non_overridable_error();
   delegate()->set_suggested_url_exists();
@@ skipping 53 matching lines @@
   EXPECT_FALSE(error_handler()->IsTimerRunningForTesting());
   EXPECT_TRUE(delegate()->ssl_interstitial_shown());
   EXPECT_FALSE(delegate()->redirected_to_suggested_url());
 
   // Note that the suggested URL check is never completed, so there is no entry
   // for WWW_MISMATCH_URL_AVAILABLE or WWW_MISMATCH_URL_NOT_AVAILABLE.
   histograms.ExpectTotalCount(SSLErrorHandler::GetHistogramNameForTesting(), 3);
   histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(),
                                SSLErrorHandler::HANDLE_ALL, 1);
   histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(),
-                               SSLErrorHandler::WWW_MISMATCH_FOUND, 1);
+                               SSLErrorHandler::WWW_MISMATCH_FOUND_IN_SAN, 1);
   histograms.ExpectBucketCount(
       SSLErrorHandler::GetHistogramNameForTesting(),
       SSLErrorHandler::SHOW_SSL_INTERSTITIAL_OVERRIDABLE, 1);
 }
 
 TEST_F(SSLErrorHandlerNameMismatchTest,
        ShouldRedirectOnSuggestedUrlCheckResult) {
   base::HistogramTester histograms;
   delegate()->set_suggested_url_exists();
   error_handler()->StartHandlingError();
@@ skipping 11 matching lines @@
       GURL("https://random.example.com"));
 
   EXPECT_FALSE(error_handler()->IsTimerRunningForTesting());
   EXPECT_FALSE(delegate()->ssl_interstitial_shown());
   EXPECT_TRUE(delegate()->redirected_to_suggested_url());
 
   histograms.ExpectTotalCount(SSLErrorHandler::GetHistogramNameForTesting(), 3);
   histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(),
                                SSLErrorHandler::HANDLE_ALL, 1);
   histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(),
-                               SSLErrorHandler::WWW_MISMATCH_FOUND, 1);
+                               SSLErrorHandler::WWW_MISMATCH_FOUND_IN_SAN, 1);
   histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(),
                                SSLErrorHandler::WWW_MISMATCH_URL_AVAILABLE, 1);
 }
 
+// No suggestions should be requested if certificate lacks a SubjectAltName.
+TEST_F(SSLErrorHandlerNameMismatchNoSANTest,
+       SSLCommonNameMismatchHandlingRequiresSubjectAltName) {
+  base::HistogramTester histograms;
+  EXPECT_FALSE(error_handler()->IsTimerRunningForTesting());
+  delegate()->set_suggested_url_exists();
+  error_handler()->StartHandlingError();
+
+  EXPECT_FALSE(delegate()->suggested_url_checked());
+  base::RunLoop().RunUntilIdle();
+
+  EXPECT_TRUE(delegate()->ssl_interstitial_shown());
+  EXPECT_FALSE(delegate()->redirected_to_suggested_url());
+
+  histograms.ExpectTotalCount(SSLErrorHandler::GetHistogramNameForTesting(), 2);
+  histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(),
+                               SSLErrorHandler::HANDLE_ALL, 1);
+  histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(),
+                               SSLErrorHandler::WWW_MISMATCH_FOUND_IN_SAN, 0);
+  histograms.ExpectBucketCount(
+      SSLErrorHandler::GetHistogramNameForTesting(),
+      SSLErrorHandler::SHOW_SSL_INTERSTITIAL_OVERRIDABLE, 1);
+}
+
 TEST_F(SSLErrorHandlerNameMismatchTest,
        ShouldShowSSLInterstitialOnInvalidUrlCheckResult) {
   base::HistogramTester histograms;
   delegate()->set_suggested_url_exists();
   error_handler()->StartHandlingError();
 
   EXPECT_TRUE(error_handler()->IsTimerRunningForTesting());
   EXPECT_TRUE(delegate()->suggested_url_checked());
   EXPECT_FALSE(delegate()->ssl_interstitial_shown());
   EXPECT_FALSE(delegate()->redirected_to_suggested_url());
   // Fake an Invalid Suggested URL Check result.
   delegate()->SendSuggestedUrlCheckResult(
       CommonNameMismatchHandler::SuggestedUrlCheckResult::
           SUGGESTED_URL_NOT_AVAILABLE,
       GURL());
 
   EXPECT_FALSE(error_handler()->IsTimerRunningForTesting());
   EXPECT_TRUE(delegate()->ssl_interstitial_shown());
   EXPECT_FALSE(delegate()->redirected_to_suggested_url());
 
   histograms.ExpectTotalCount(SSLErrorHandler::GetHistogramNameForTesting(), 4);
   histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(),
                                SSLErrorHandler::HANDLE_ALL, 1);
   histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(),
-                               SSLErrorHandler::WWW_MISMATCH_FOUND, 1);
+                               SSLErrorHandler::WWW_MISMATCH_FOUND_IN_SAN, 1);
   histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(),
                                SSLErrorHandler::WWW_MISMATCH_URL_NOT_AVAILABLE,
                                1);
   histograms.ExpectBucketCount(
       SSLErrorHandler::GetHistogramNameForTesting(),
       SSLErrorHandler::SHOW_SSL_INTERSTITIAL_OVERRIDABLE, 1);
 }
 
 TEST_F(SSLErrorHandlerDateInvalidTest, TimeQueryStarted) {
   base::HistogramTester histograms;
@@ skipping 230 matching lines @@
 
   histograms.ExpectTotalCount(SSLErrorHandler::GetHistogramNameForTesting(), 2);
   histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(),
                                SSLErrorHandler::HANDLE_ALL, 1);
   histograms.ExpectBucketCount(
       SSLErrorHandler::GetHistogramNameForTesting(),
       SSLErrorHandler::SHOW_SSL_INTERSTITIAL_OVERRIDABLE, 1);
 }
 
 #endif  // BUILDFLAG(ENABLE_CAPTIVE_PORTAL_DETECTION)