Chromium Code Reviews Chromium Code Reviews
Issue 376333003:
Find reasons for the SSL common name invalid error. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #ifndef CHROME_BROWSER_SSL_SSL_ERROR_CLASSIFICATION_H_ | 5 #ifndef CHROME_BROWSER_SSL_SSL_ERROR_CLASSIFICATION_H_ |
| 6 #define CHROME_BROWSER_SSL_SSL_ERROR_CLASSIFICATION_H_ | 6 #define CHROME_BROWSER_SSL_SSL_ERROR_CLASSIFICATION_H_ |
| 7 | 7 |
| 8 #include <string> | |
| 9 #include <vector> | |
| 10 | |
| 8 #include "base/time/time.h" | 11 #include "base/time/time.h" |
| 9 #include "net/cert/x509_certificate.h" | 12 #include "net/cert/x509_certificate.h" |
| 13 #include "url/gurl.h" | |
| 10 | 14 |
| 11 // This class calculates the severity scores for the different type of SSL | 15 // This class calculates the severity scores for the different type of SSL |
| 12 // errors. | 16 // errors. |
| 13 class SSLErrorClassification { | 17 class SSLErrorClassification { |
| 14 public: | 18 public: |
| 15 SSLErrorClassification(base::Time current_time, | 19 SSLErrorClassification(base::Time current_time, |
| 20 const GURL& url, | |
| 16 const net::X509Certificate& cert); | 21 const net::X509Certificate& cert); |
| 17 ~SSLErrorClassification(); | 22 ~SSLErrorClassification(); |
| 18 | 23 |
| 19 // This method checks whether the user clock is in the past or not. | 24 // This method checks whether the system time is in the past. |
| 20 static bool IsUserClockInThePast(base::Time time_now); | 25 static bool IsUserClockInThePast(base::Time time_now); |
| 21 | 26 |
| 22 // This method checks whether the system time is too far in the future or | 27 // This method checks whether the system time is too far in the future or |
| 23 // the user is using a version of Chrome which is more than 1 year old. | 28 // the user is using a version of Chrome which is more than 1 year old. |
| 24 static bool IsUserClockInTheFuture(base::Time time_now); | 29 static bool IsUserClockInTheFuture(base::Time time_now); |
| 25 | 30 |
| 26 // A method which calculates the severity score when the ssl error is | 31 // A method which calculates the severity score when the ssl error is |
| 27 // CERT_DATE_INVALID. | 32 // CERT_DATE_INVALID. |
| 28 float InvalidDateSeverityScore() const; | 33 float InvalidDateSeverityScore() const; |
| 29 | 34 |
| 30 static void RecordUMAStatistics(bool overridable); | 35 // A method which calculates the severity score when the ssl error is |
| 36 // CERT_COMMON_NAME_INVALID. | |
| 37 float InvalidCommonNameSeverityScore() const; | |
| 38 | |
| 39 void RecordUMAStatistics(bool overridable, int cert_error); | |
| 31 base::TimeDelta TimePassedSinceExpiry() const; | 40 base::TimeDelta TimePassedSinceExpiry() const; |
| 32 | 41 |
| 33 private: | 42 private: |
| 34 FRIEND_TEST_ALL_PREFIXES(SSLErrorClassification, TestDateInvalidScore); | 43 FRIEND_TEST_ALL_PREFIXES(SSLErrorClassificationTest, TestDateInvalidScore); |
| 44 FRIEND_TEST_ALL_PREFIXES(SSLErrorClassificationTest, TestNameMismatch); | |
| 45 FRIEND_TEST_ALL_PREFIXES(SSLErrorClassificationTest, | |
| 46 TestHostNameHasKnownTLD); | |
| 47 | |
| 48 // This method checks whether the hostname has a known Top Level Domain or | |
| 49 // not. | |
| 50 static bool IsHostNameKnownTLD(const std::string& host_name); | |
| 51 | |
| 52 // This method checks whether or not the difference between the hostname in | |
| 53 // the given URL and any DNS name given in the CN or SAN fields of the SSL | |
| 54 // certificate is "www.". | |
|
felt
2014/07/21 21:34:13
My brain still can't parse this comment. Can you t
radhikabhar
2014/07/22 16:03:38
Done.
| |
| 55 bool IsWWWSubDomainMatch() const; | |
| 56 | |
| 57 // This method checks whether or not the hostname in the given URL is a | |
| 58 // subdomain of any DNS name given in the CN or SAN fields of the SSL | |
| 59 // certificate. | |
| 60 bool IsSubDomainMatch( | |
| 61 const std::vector<std::string>& host_name_tokens, | |
| 62 const std::vector<std::vector<std::string>>& dns_name_tokens) const; | |
| 63 | |
| 64 // This method checks whether any DNS name given in the CN or SAN fields of | |
| 65 // the SSL certificate is a subdomain of the given URL or not. | |
| 66 bool IsSubDomainInverseMatch( | |
| 67 const std::vector<std::string>& host_name_tokens, | |
| 68 const std::vector<std::vector<std::string>>& dns_name_tokens) const; | |
| 69 | |
| 70 // This method checks whether the hostname is too broad for the scope of a | |
| 71 // wildcard certificate or not. For e.g. it returns true if the host name of | |
| 72 // the URL is "a.b.example.com" and the DNS name in the CN or SAN field of the | |
| 73 // SSL certificate is "*.example.com". But, it retuns false for the hostname | |
| 74 // "b.example.com". | |
| 75 bool IsSubDomainOutsideWildcard( | |
| 76 const std::vector<std::string>& host_name_tokens) const; | |
| 77 bool IsSelfSigned() const; | |
| 35 | 78 |
| 36 float CalculateScoreTimePassedSinceExpiry() const; | 79 float CalculateScoreTimePassedSinceExpiry() const; |
| 37 | 80 |
| 81 std::vector<std::vector<std::string>> GetTokenizedDNSNames( | |
| 82 std::vector<std::string>& dns_names) const; | |
| 83 | |
| 38 // This stores the current time. | 84 // This stores the current time. |
| 39 base::Time current_time_; | 85 base::Time current_time_; |
| 40 | 86 |
| 87 const GURL& request_url_; | |
| 88 | |
| 41 // This stores the certificate. | 89 // This stores the certificate. |
| 42 const net::X509Certificate& cert_; | 90 const net::X509Certificate& cert_; |
| 43 }; | 91 }; |
| 44 | 92 |
| 45 #endif // CHROME_BROWSER_SSL_SSL_ERROR_CLASSIFICATION_H_ | 93 #endif // CHROME_BROWSER_SSL_SSL_ERROR_CLASSIFICATION_H_ |
| OLD | NEW |
