Find reasons for the SSL common name invalid error.

chrome/browser/ssl/ssl_error_classification_unittest.cc

Index: chrome/browser/ssl/ssl_error_classification_unittest.cc
diff --git a/chrome/browser/ssl/ssl_error_classification_unittest.cc b/chrome/browser/ssl/ssl_error_classification_unittest.cc
index fc4e23fc615da4cdc43ef2f237f4c90126c9d22e..81f89eafbdb52b04e2756db8fb6d94ca966de199 100644
--- a/chrome/browser/ssl/ssl_error_classification_unittest.cc
+++ b/chrome/browser/ssl/ssl_error_classification_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright (c) 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -11,6 +11,7 @@
 #include "net/test/cert_test_util.h"
 #include "net/test/test_certificate_data.h"
 #include "testing/gtest/include/gtest/gtest.h"
+#include "url/gurl.h"
 
 using base::Time;
 
@@ -19,23 +20,92 @@ TEST(SSLErrorClassification, TestDateInvalidScore) {
   scoped_refptr<net::X509Certificate> expired_cert =
       net::ImportCertFromFile(certs_dir, "expired_cert.pem");
   base::Time time;
+  GURL origin("https://example.com");
 
   {
     EXPECT_TRUE(base::Time::FromString("Wed, 03 Jan 2007 12:00:00 GMT", &time));
-    SSLErrorClassification ssl_error(time, *expired_cert);
+    SSLErrorClassification ssl_error(time, origin, *expired_cert);
     EXPECT_FLOAT_EQ(0.2f, ssl_error.CalculateScoreTimePassedSinceExpiry());
   }
 
   {
     EXPECT_TRUE(base::Time::FromString("Sat, 06 Jan 2007 12:00:00 GMT", &time));
-    SSLErrorClassification ssl_error(time, *expired_cert);
+    SSLErrorClassification ssl_error(time, origin, *expired_cert);
     EXPECT_FLOAT_EQ(0.3f, ssl_error.CalculateScoreTimePassedSinceExpiry());
   }
 
   {
     EXPECT_TRUE(base::Time::FromString("Mon, 08 Jan 2007 12:00:00 GMT", &time));
-    SSLErrorClassification ssl_error(time, *expired_cert);
+    SSLErrorClassification ssl_error(time, origin, *expired_cert);
     EXPECT_FLOAT_EQ(0.4f, ssl_error.CalculateScoreTimePassedSinceExpiry());
   }
+}
+
+TEST(SSLErrorClassification, TestNameMismatch) {
+  scoped_refptr<net::X509Certificate> google_cert(
+      net::X509Certificate::CreateFromBytes(
+          reinterpret_cast<const char*>(google_der), sizeof(google_der)));
+  ASSERT_NE(static_cast<net::X509Certificate*>(NULL), google_cert);
+  base::Time time = base::Time::NowFromSystemTime();
+
+  {
+    GURL origin("https://google.com");
+    SSLErrorClassification ssl_error(time, origin, *google_cert);
+    EXPECT_TRUE(ssl_error.IsWWWDifference());
+    EXPECT_FALSE(ssl_error.IsRegisteredDomainMatch());
+    EXPECT_FALSE(ssl_error.IsRegisteredDomainInverseMatch());
+    EXPECT_FALSE(ssl_error.IsHostNameTooBroad());
+    EXPECT_FALSE(ssl_error.IsSelfSigned());
+  }
 
+  {
+    GURL origin("https://foo.blah.google.com");
+    SSLErrorClassification ssl_error(time, origin, *google_cert);
+    EXPECT_FALSE(ssl_error.IsWWWDifference());
+    EXPECT_FALSE(ssl_error.IsRegisteredDomainMatch());
+    EXPECT_FALSE(ssl_error.IsRegisteredDomainInverseMatch());
+    EXPECT_FALSE(ssl_error.IsHostNameTooBroad());
+  }
+
+  {
+    GURL origin("https://foo.www.google.com");

[felt, 2014/07/15 00:52:44]

can you also test https://www.google.com.foo to make sure it is right aligning?

[radhikabhar, 2014/07/15 17:34:09]

The expected behaviour is false right now. Wouldn't www.google.com.foo be an
attack for www.google.com and shouldn't it be rejected? Or should we consider it
as a false positive?

[felt, 2014/07/15 20:44:33]

yes that is what I mean, can you check that IsWWWDifference will return false
for www.google.com.foo when compared to google.com?

+    SSLErrorClassification ssl_error(time, origin, *google_cert);
+    EXPECT_FALSE(ssl_error.IsWWWDifference());
+    EXPECT_TRUE(ssl_error.IsRegisteredDomainMatch());
+    EXPECT_FALSE(ssl_error.IsRegisteredDomainInverseMatch());
+    EXPECT_FALSE(ssl_error.IsHostNameTooBroad());
+  }
+
+  scoped_refptr<net::X509Certificate> webkit_cert(
+      net::X509Certificate::CreateFromBytes(
+          reinterpret_cast<const char*>(webkit_der), sizeof(webkit_der)));
+  ASSERT_NE(static_cast<net::X509Certificate*>(NULL), webkit_cert);
+  {
+    GURL origin("https://a.b.webkit.org");
+    SSLErrorClassification ssl_error(time, origin, *webkit_cert);
+    EXPECT_FALSE(ssl_error.IsWWWDifference());
+    EXPECT_FALSE(ssl_error.IsRegisteredDomainMatch());
+    EXPECT_FALSE(ssl_error.IsRegisteredDomainInverseMatch());
+    EXPECT_TRUE(ssl_error.IsHostNameTooBroad());
+    EXPECT_FALSE(ssl_error.IsSelfSigned());
+  }
+
+  {
+    GURL origin("https://org");
+    SSLErrorClassification ssl_error(time, origin, *webkit_cert);
+    EXPECT_FALSE(ssl_error.IsWWWDifference());
+    EXPECT_FALSE(ssl_error.IsRegisteredDomainMatch());
+    EXPECT_TRUE(ssl_error.IsRegisteredDomainInverseMatch());
+    EXPECT_FALSE(ssl_error.IsHostNameTooBroad());
+  }
+
+  scoped_refptr<net::X509Certificate> self_signed_cert =
+      net::ImportCertFromFile(net::GetTestCertsDirectory(),
+                              "unittest.selfsigned.der");
+  ASSERT_NE(static_cast<net::X509Certificate*>(NULL), self_signed_cert);
+  {
+    GURL origin("https://example.com");
+    SSLErrorClassification ssl_error(time, origin, *self_signed_cert);
+    EXPECT_TRUE(ssl_error.IsSelfSigned());
+  }
 }