Include both certificate chains in invalid cert reporting

chrome/browser/net/chrome_fraudulent_certificate_reporter_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/net/chrome_fraudulent_certificate_reporter.h"
 
 #include <string>
 
 #include "base/bind.h"
 #include "base/files/file_path.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/message_loop/message_loop.h"
 #include "base/synchronization/waitable_event.h"
 #include "base/threading/thread.h"
+#include "chrome/browser/net/cert_logger.pb.h"
 #include "content/public/test/test_browser_thread.h"
 #include "net/base/request_priority.h"
 #include "net/base/test_data_directory.h"
 #include "net/cert/x509_certificate.h"
 #include "net/http/transport_security_state.h"
 #include "net/ssl/ssl_info.h"
 #include "net/test/cert_test_util.h"
 #include "net/url_request/fraudulent_certificate_reporter.h"
 #include "net/url_request/url_request.h"
 #include "net/url_request/url_request_context.h"
@@ skipping 30 matching lines @@
 static SSLInfo GetGoodSSLInfo() {
   SSLInfo info;
 
   info.cert = net::ImportCertFromFile(net::GetTestCertsDirectory(),
                                       "test_mail_google_com.pem");
   info.is_issued_by_known_root = true;
 
   return info;
 }
 
+static SSLInfo GetExtendedReportingSSLInfo() {
+  SSLInfo info;
+  // Use different cert chains for the verified chain and the chain as
+  // sent by the server, and make sure that they are both included in
+  // the report.
+  info.cert = net::ImportCertFromFile(net::GetTestCertsDirectory(),
+                                      "test_mail_google_com.pem");
+  info.is_issued_by_known_root = true;
+  info.unverified_server_cert =
+      net::ImportCertFromFile(net::GetTestCertsDirectory(), "expired_cert.pem");
+  return info;
+}
+
 // Checks that |info| is good as required by the SSL checks performed in
 // URLRequestHttpJob::OnStartCompleted, which are enough to trigger pin
 // checking but not sufficient to pass
 // DomainState::IsChainOfPublicKeysPermitted.
 static bool IsGoodSSLInfo(const SSLInfo& info) {
   return info.is_valid() && info.is_issued_by_known_root;
 }
 
 class TestReporter : public ChromeFraudulentCertificateReporter {
  public:
@@ skipping 57 matching lines @@
   }
 
   void SendReport(ReportType type,
                   const std::string& hostname,
                   const net::SSLInfo& ssl_info) override {
     DCHECK(!hostname.empty());
     DCHECK(ssl_info.is_valid());
     ChromeFraudulentCertificateReporter::SendReport(REPORT_TYPE_PIN_VIOLATION,
                                                     hostname, ssl_info);
   }
+
+  static std::string BuildReportPublic(ReportType type,
+                                       const std::string& hostname,
+                                       const net::SSLInfo& ssl_info) {
+    return BuildReport(type, hostname, ssl_info);
+  }
 };
 
 static void DoReportIsSent() {
   net::TestURLRequestContext context;
   SendingTestReporter reporter(&context);
   SSLInfo info = GetGoodSSLInfo();
   reporter.SendReport(FraudulentCertificateReporter::REPORT_TYPE_PIN_VIOLATION,
                       "mail.google.com", info);
 }
 
@@ skipping 35 matching lines @@
   loop.RunUntilIdle();
 }
 
 TEST(ChromeFraudulentCertificateReporterTest, ReportIsNotSent) {
   base::MessageLoopForIO loop;
   content::TestBrowserThread io_thread(BrowserThread::IO, &loop);
   loop.PostTask(FROM_HERE, base::Bind(&DoReportIsNotSent));
   loop.RunUntilIdle();
 }
 
+// Test that a report for a google.com pinning violation contains the
+// right data.
+TEST(ChromeFraudulentCertificateReporterTest, BuildReportForPinningViolation) {
+  SSLInfo info = GetGoodSSLInfo();
+  std::string report = MockReporter::BuildReportPublic(
+      ChromeFraudulentCertificateReporter::REPORT_TYPE_EXTENDED_REPORTING,
+      "mail.google.com", info);
+  CertLoggerRequest request;
+  request.ParseFromString(report);
+
+  std::vector<std::string> cert_chain;
+  info.cert->GetPEMEncodedChain(&cert_chain);
+
+  std::string expected_cert_chain;
+  for (size_t i = 0; i < cert_chain.size(); ++i) {
+    expected_cert_chain += cert_chain[i];
+  }
+
+  EXPECT_EQ(request.hostname(), "mail.google.com");
+  EXPECT_EQ(request.cert_chain(), expected_cert_chain);
+}
+
+// Test that an extended reporting report (used for invalid certificate
+// chains) contains the right data, including the chain as received by
+// the client and as verified by the client (which could be different
+// chains).
+TEST(ChromeFraudulentCertificateReporterTest, BuildReportForInvalidCertChain) {
+  SSLInfo info = GetExtendedReportingSSLInfo();
+  std::string report = MockReporter::BuildReportPublic(
+      ChromeFraudulentCertificateReporter::REPORT_TYPE_EXTENDED_REPORTING,
+      "mail.google.com", info);
+  CertLoggerRequest request;
+  request.ParseFromString(report);
+
+  std::vector<std::string> cert_chain;
+  info.cert->GetPEMEncodedChain(&cert_chain);
+  std::vector<std::string> unverified_server_cert_chain;
+  info.unverified_server_cert->GetPEMEncodedChain(
+      &unverified_server_cert_chain);
+
+  std::string expected_cert;
+  std::string expected_unverified_server_cert;
+  for (size_t i = 0; i < cert_chain.size(); ++i) {
+    expected_cert += cert_chain[i];
+  }
+  for (size_t i = 0; i < cert_chain.size(); ++i) {
+    expected_unverified_server_cert += unverified_server_cert_chain[i];
+  }
+
+  EXPECT_EQ(request.hostname(), "mail.google.com");
+  EXPECT_EQ(request.cert_chain(), expected_cert);
+  EXPECT_EQ(request.unverified_server_cert_chain(),
+            expected_unverified_server_cert);
+}
+
 }  // namespace chrome_browser_net