Find reasons for the SSL common name invalid error.

chrome/browser/ssl/ssl_error_classification.h

Index: chrome/browser/ssl/ssl_error_classification.h
diff --git a/chrome/browser/ssl/ssl_error_classification.h b/chrome/browser/ssl/ssl_error_classification.h
index 87851ec60f72ee373063c7b963705c8ae21ee0a7..69eda9dd0f892b1ef10ee6f825470cbae1303640 100644
--- a/chrome/browser/ssl/ssl_error_classification.h
+++ b/chrome/browser/ssl/ssl_error_classification.h
@@ -5,41 +5,106 @@
 #ifndef CHROME_BROWSER_SSL_SSL_ERROR_CLASSIFICATION_H_
 #define CHROME_BROWSER_SSL_SSL_ERROR_CLASSIFICATION_H_
 
+#include <string>
+#include <vector>
+
 #include "base/time/time.h"
 #include "net/cert/x509_certificate.h"
+#include "url/gurl.h"
 
 // This class calculates the severity scores for the different type of SSL
 // errors.
 class SSLErrorClassification {
  public:
   SSLErrorClassification(base::Time current_time,
+                         const GURL& url,
                          const net::X509Certificate& cert);
   ~SSLErrorClassification();
 
-  // This method checks whether the user clock is in the past or not.
+  // Returns true if the system time is in the past.
   static bool IsUserClockInThePast(base::Time time_now);

[palmer, 2014/08/04 23:48:29]

Nit: Searching through the codebase shows a LOT of "const base::Time&" passed by
reference instead of passing by copied value. However, the only data member of a
|base::Time| is a single int64, so as a practical matter it doesn't make a
difference, performance-wise. But you might want to stick to standard practice.
Up to you.

[radhikabhar, 2014/08/05 02:17:37]

Done.

 
-  // This method checks whether the system time is too far in the future or
-  // the user is using a version of Chrome which is more than 1 year old.
+  // Returns true if the system time is too far in the future or the user is
+  // using a version of Chrome which is more than 1 year old.
   static bool IsUserClockInTheFuture(base::Time time_now);
 
   static bool IsWindowsVersionSP3OrLower();
 
-  // A method which calculates the severity score when the ssl error is
-  // CERT_DATE_INVALID.
-  float InvalidDateSeverityScore() const;
+  // A function which calculates the severity score when the ssl error is
+  // CERT_DATE_INVALID, returns a severity score between 0.0. and 1.0 (higher

[palmer, 2014/08/04 23:48:29]

Nit: Be more concise:

// Returns a score between 0.0 and 1.0, higher values being more
// severe, indicating how severe the certificate's invalid date error
// is.

[radhikabhar, 2014/08/05 02:17:36]

Done.

+  // values being more severe).
+  float InvalidDateSeverityScore(int cert_error) const;
+
+  // A function which calculates the severity score when the ssl error is
+  // when the SSL error is |CERT_COMMON_NAME_INVALID|, returns
+  // a severity score between 0.0 and 1.0 (higher values being
+  // more severe).

[palmer, 2014/08/04 23:48:29]

Nit: Prefer the more concise style, as above.

[radhikabhar, 2014/08/05 02:17:37]

Done.

+  float InvalidCommonNameSeverityScore(int cert_error) const;
 
-  static void RecordUMAStatistics(bool overridable);
+  void RecordUMAStatistics(bool overridable, int cert_error);
   base::TimeDelta TimePassedSinceExpiry() const;
 
  private:
-  FRIEND_TEST_ALL_PREFIXES(SSLErrorClassification, TestDateInvalidScore);
+  FRIEND_TEST_ALL_PREFIXES(SSLErrorClassificationTest, TestDateInvalidScore);
+  FRIEND_TEST_ALL_PREFIXES(SSLErrorClassificationTest, TestNameMismatch);
+  FRIEND_TEST_ALL_PREFIXES(SSLErrorClassificationTest,
+                           TestHostNameHasKnownTLD);
+
+  typedef std::vector<std::string> Tokens;
+
+  // Returns true if the hostname has a known Top Level Domain.
+  static bool IsHostNameKnownTLD(const std::string& host_name);
+
+  // Returns true if the site's hostname differs from one of the DNS
+  // names in the certificate (CN or SANs) only by the presence or
+  // absence of the single-label prefix "www". E.g.:
+  //
+  //     www.example.com ~ example.com -> true
+  //     example.com ~ www.example.com -> true
+  //     www.food.example.com ~ example.com -> false
+  //     mail.example.com ~ example.com -> false
+  bool IsWWWSubDomainMatch() const;
+
+  // Returns true if |child| is a subdomain of any of the |potential_parents|.
+  bool NameUnderAnyNames(const Tokens& child,
+                        const std::vector<Tokens>& potential_parents) const;
+
+  // Returns true if any of the |potential_children| is a subdomain of the
+  // |parent|.
+  bool AnyNamesUnderName(const std::vector<Tokens>& potential_children,
+                        const Tokens& parent) const;
+
+  // Returns true if |hostname| is too broad for the scope of a wildcard
+  // certificate. E.g.:
+  //
+  //     a.b.example.com ~ *.example.com --> true
+  //     b.example.com ~ *.example.com --> false
+  bool IsSubDomainOutsideWildcard(const Tokens& hostname) const;
 
   float CalculateScoreTimePassedSinceExpiry() const;
 
+  static std::vector<Tokens> GetTokenizedDNSNames(
+      const std::vector<std::string>& dns_names);
+
+  // If |potential_subdomain| is a subdomain of |parent|, returns the
+  // number of DNS labels by which |potential_subdomain| is under
+  // |parent|. Otherwise, returns 0.
+  //
+  // For example,
+  //
+  //   FindSubDomainDifference(Tokenize("a.b.example.com"),
+  //                           Tokenize("example.com"))
+  // --> 2.
+  size_t FindSubDomainDifference(const Tokens& potential_subdomain,
+                                 const Tokens& parent) const;
+
+  static Tokens Tokenize(const std::string& name);
+
   // This stores the current time.
   base::Time current_time_;
 
+  const GURL& request_url_;
+
   // This stores the certificate.
   const net::X509Certificate& cert_;
 };