Find reasons for the SSL common name invalid error.

chrome/browser/ssl/ssl_error_classification_unittest.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/ssl/ssl_error_classification.h"
 
 #include "base/files/file_path.h"
+#include "base/strings/string_split.h"
 #include "base/time/time.h"
 #include "net/base/test_data_directory.h"
+#include "net/cert/x509_cert_types.h"
 #include "net/cert/x509_certificate.h"
 #include "net/test/cert_test_util.h"
 #include "net/test/test_certificate_data.h"
 #include "testing/gtest/include/gtest/gtest.h"
+#include "url/gurl.h"
 
 using base::Time;
 
-TEST(SSLErrorClassification, TestDateInvalidScore) {
+class SSLErrorClassificationTest : public testing::Test {
+ public:
+  virtual void SetUp() OVERRIDE { }
+
+  std::vector<std::vector<std::string>> GetTokenizedDNSNames(

[felt, 2014/07/21 21:34:13]

I'm worried about having logic like this in a test function. Could you actually
extract the DNS names and create a std::vector of known strings in the test,
instead of doing this computation every time?

[radhikabhar, 2014/07/22 16:03:38]

Done.

+      std::vector<std::string>& dns_names) const{
+    std::vector<std::vector<std::string>> dns_name_tokens;
+    for (size_t i = 0; i < dns_names.size(); ++i) {
+      std::vector<std::string> dns_name_token_single;
+      if (dns_names[i].empty() ||
+          dns_names[i].find('\0') != std::string::npos) {
+        dns_name_token_single.push_back(std::string());
+      } else {
+        base::SplitStringDontTrim(dns_names[i],
+                                  '.',
+                                  &dns_name_token_single);
+      }
+      dns_name_tokens.push_back(dns_name_token_single);
+    }
+    return dns_name_tokens;
+  }
+
+};
+
+TEST_F(SSLErrorClassificationTest, TestDateInvalidScore) {
   base::FilePath certs_dir = net::GetTestCertsDirectory();
   scoped_refptr<net::X509Certificate> expired_cert =
       net::ImportCertFromFile(certs_dir, "expired_cert.pem");
   base::Time time;
+  GURL origin("https://example.com");
 
   {
     EXPECT_TRUE(base::Time::FromString("Wed, 03 Jan 2007 12:00:00 GMT", &time));
-    SSLErrorClassification ssl_error(time, *expired_cert);
+    SSLErrorClassification ssl_error(time, origin, *expired_cert);
     EXPECT_FLOAT_EQ(0.2f, ssl_error.CalculateScoreTimePassedSinceExpiry());
   }
 
   {
     EXPECT_TRUE(base::Time::FromString("Sat, 06 Jan 2007 12:00:00 GMT", &time));
-    SSLErrorClassification ssl_error(time, *expired_cert);
+    SSLErrorClassification ssl_error(time, origin, *expired_cert);
     EXPECT_FLOAT_EQ(0.3f, ssl_error.CalculateScoreTimePassedSinceExpiry());
   }
 
   {
     EXPECT_TRUE(base::Time::FromString("Mon, 08 Jan 2007 12:00:00 GMT", &time));
-    SSLErrorClassification ssl_error(time, *expired_cert);
+    SSLErrorClassification ssl_error(time, origin, *expired_cert);
     EXPECT_FLOAT_EQ(0.4f, ssl_error.CalculateScoreTimePassedSinceExpiry());
   }
+}
 
+TEST_F(SSLErrorClassificationTest, TestNameMismatch) {
+  scoped_refptr<net::X509Certificate> google_cert(
+      net::X509Certificate::CreateFromBytes(
+          reinterpret_cast<const char*>(google_der), sizeof(google_der)));
+  ASSERT_NE(static_cast<net::X509Certificate*>(NULL), google_cert);
+  base::Time time = base::Time::NowFromSystemTime();
+  std::vector<std::string> dns_names_google;
+  google_cert->GetDNSNames(&dns_names_google);
+  std::vector<std::vector<std::string>> dns_name_tokens_google =
+      GetTokenizedDNSNames(dns_names_google);
+
+  {
+    GURL origin("https://google.com");
+    std::string host_name = origin.host();
+    std::vector<std::string> host_name_tokens;
+    base::SplitStringDontTrim(host_name, '.', &host_name_tokens);
+    SSLErrorClassification ssl_error(time, origin, *google_cert);
+    EXPECT_TRUE(ssl_error.IsWWWSubDomainMatch());
+    EXPECT_FALSE(ssl_error.IsSubDomainMatch(host_name_tokens,
+                                            dns_name_tokens_google));
+    EXPECT_FALSE(ssl_error.IsSubDomainInverseMatch(host_name_tokens,
+                                                   dns_name_tokens_google));
+    EXPECT_FALSE(ssl_error.IsSubDomainOutsideWildcard(host_name_tokens));
+    EXPECT_FALSE(ssl_error.IsSelfSigned());
+  }
+
+  {
+    GURL origin("https://foo.blah.google.com");
+    std::string host_name = origin.host();
+    std::vector<std::string> host_name_tokens;
+    base::SplitStringDontTrim(host_name, '.', &host_name_tokens);
+    SSLErrorClassification ssl_error(time, origin, *google_cert);
+    EXPECT_FALSE(ssl_error.IsWWWSubDomainMatch());
+    EXPECT_FALSE(ssl_error.IsSubDomainMatch(host_name_tokens,
+                                            dns_name_tokens_google));
+    EXPECT_FALSE(ssl_error.IsSubDomainInverseMatch(host_name_tokens,
+                                                   dns_name_tokens_google));
+  }
+
+  {
+    GURL origin("https://foo.www.google.com");
+    std::string host_name = origin.host();
+    std::vector<std::string> host_name_tokens;
+    base::SplitStringDontTrim(host_name, '.', &host_name_tokens);
+    SSLErrorClassification ssl_error(time, origin, *google_cert);
+    EXPECT_FALSE(ssl_error.IsWWWSubDomainMatch());
+    EXPECT_TRUE(ssl_error.IsSubDomainMatch(host_name_tokens,
+                                           dns_name_tokens_google));
+    EXPECT_FALSE(ssl_error.IsSubDomainInverseMatch(host_name_tokens,
+                                                   dns_name_tokens_google));
+  }
+
+  {
+     GURL origin("https://www.google.com.foo");
+     std::string host_name = origin.host();
+     std::vector<std::string> host_name_tokens;
+     base::SplitStringDontTrim(host_name, '.', &host_name_tokens);
+     SSLErrorClassification ssl_error(time, origin, *google_cert);
+     EXPECT_FALSE(ssl_error.IsWWWSubDomainMatch());
+     EXPECT_FALSE(ssl_error.IsSubDomainMatch(host_name_tokens,
+                                             dns_name_tokens_google));
+     EXPECT_FALSE(ssl_error.IsSubDomainInverseMatch(host_name_tokens,
+                                                    dns_name_tokens_google));
+  }
+
+  {
+    GURL origin("https://www.foogoogle.com.");
+    std::string host_name = origin.host();
+    std::vector<std::string> host_name_tokens;
+    base::SplitStringDontTrim(host_name, '.', &host_name_tokens);
+    SSLErrorClassification ssl_error(time, origin, *google_cert);
+    EXPECT_FALSE(ssl_error.IsWWWSubDomainMatch());
+    EXPECT_FALSE(ssl_error.IsSubDomainMatch(host_name_tokens,
+                                            dns_name_tokens_google));
+    EXPECT_FALSE(ssl_error.IsSubDomainInverseMatch(host_name_tokens,
+                                                   dns_name_tokens_google));
+  }
+
+  scoped_refptr<net::X509Certificate> webkit_cert(
+      net::X509Certificate::CreateFromBytes(
+          reinterpret_cast<const char*>(webkit_der), sizeof(webkit_der)));
+  ASSERT_NE(static_cast<net::X509Certificate*>(NULL), webkit_cert);
+  std::vector<std::string> dns_names_webkit;
+  webkit_cert->GetDNSNames(&dns_names_webkit);
+  std::vector<std::vector<std::string>> dns_name_tokens_webkit =
+      GetTokenizedDNSNames(dns_names_webkit);
+  {
+    GURL origin("https://a.b.webkit.org");
+    std::string host_name = origin.host();
+    std::vector<std::string> host_name_tokens;
+    base::SplitStringDontTrim(host_name, '.', &host_name_tokens);
+    SSLErrorClassification ssl_error(time, origin, *webkit_cert);
+    EXPECT_FALSE(ssl_error.IsWWWSubDomainMatch());
+    EXPECT_FALSE(ssl_error.IsSubDomainMatch(host_name_tokens,
+                                            dns_name_tokens_webkit));
+    EXPECT_FALSE(ssl_error.IsSubDomainInverseMatch(host_name_tokens,
+                                                   dns_name_tokens_webkit));
+    EXPECT_TRUE(ssl_error.IsSubDomainOutsideWildcard(host_name_tokens));
+  }
+
+  scoped_refptr<net::X509Certificate> self_signed_cert =
+      net::ImportCertFromFile(net::GetTestCertsDirectory(),
+                              "unittest.selfsigned.der");
+  ASSERT_NE(static_cast<net::X509Certificate*>(NULL), self_signed_cert);
+  {
+    GURL origin("https://example.com");
+    SSLErrorClassification ssl_error(time, origin, *self_signed_cert);
+    EXPECT_TRUE(ssl_error.IsSelfSigned());
+  }
 }
+
+TEST_F(SSLErrorClassificationTest, TestHostNameHasKnownTLD) {
+  std::string url1 = "www.google.com";
+  std::string url2 = "b.appspot.com";
+  std::string url3 = "a.private";
+  EXPECT_TRUE(SSLErrorClassification::IsHostNameKnownTLD(url1));
+  EXPECT_TRUE(SSLErrorClassification::IsHostNameKnownTLD(url2));
+  EXPECT_FALSE(SSLErrorClassification::IsHostNameKnownTLD(url3));
+}
+