Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(3283)

Unified Diff: chrome/browser/ssl/ssl_browser_tests.cc

Issue 2753123002: Add --ignore-certificate-errors-spki-list switch and UMA histogram. (Closed)
Patch Set: Add --ignore-certificate-errors-spki-list switch and UMA histogram. Created 3 years, 7 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
Index: chrome/browser/ssl/ssl_browser_tests.cc
diff --git a/chrome/browser/ssl/ssl_browser_tests.cc b/chrome/browser/ssl/ssl_browser_tests.cc
index 26bd68b463538aff948b8f31cf699b1cab6792bd..2cda7743d40e21addd3a783d1d1523aa01497bbd 100644
--- a/chrome/browser/ssl/ssl_browser_tests.cc
+++ b/chrome/browser/ssl/ssl_browser_tests.cc
@@ -4,6 +4,7 @@
#include <utility>
+#include "base/base64.h"
#include "base/base_switches.h"
#include "base/bind.h"
#include "base/bind_helpers.h"
@@ -54,6 +55,7 @@
#include "chrome/common/chrome_switches.h"
#include "chrome/common/pref_names.h"
#include "chrome/test/base/in_process_browser_test.h"
+#include "chrome/test/base/test_launcher_utils.h"
#include "chrome/test/base/ui_test_utils.h"
#include "components/content_settings/core/browser/host_content_settings_map.h"
#include "components/network_time/network_time_test_utils.h"
@@ -318,7 +320,10 @@ class SSLUITest : public InProcessBrowserTest {
https_server_mismatched_(net::EmbeddedTestServer::TYPE_HTTPS),
wss_server_expired_(net::SpawnedTestServer::TYPE_WSS,
SSLOptions(SSLOptions::CERT_EXPIRED),
- net::GetWebSocketTestDataDirectory()) {
+ net::GetWebSocketTestDataDirectory()),
+ wss_server_mismatched_(net::SpawnedTestServer::TYPE_WSS,
+ SSLOptions(SSLOptions::CERT_MISMATCHED_NAME),
+ net::GetWebSocketTestDataDirectory()) {
https_server_.AddDefaultHandlers(base::FilePath(kDocRoot));
https_server_expired_.SetSSLConfig(net::EmbeddedTestServer::CERT_EXPIRED);
@@ -632,6 +637,7 @@ class SSLUITest : public InProcessBrowserTest {
net::EmbeddedTestServer https_server_expired_;
net::EmbeddedTestServer https_server_mismatched_;
net::SpawnedTestServer wss_server_expired_;
+ net::SpawnedTestServer wss_server_mismatched_;
protected:
// Navigates to an interstitial and clicks through the certificate
@@ -690,6 +696,42 @@ class SSLUITestIgnoreCertErrors : public SSLUITest {
}
};
+static std::string MakeCertSPKIFingerprint(net::X509Certificate* cert) {
+ net::HashValue hash = GetSPKIHash(cert);
+ std::string hash_base64;
+ base::Base64Encode(
+ base::StringPiece(reinterpret_cast<const char*>(hash.data()),
+ hash.size()),
+ &hash_base64);
+ return hash_base64;
+}
+
+class SSLUITestIgnoreCertErrorsBySPKIHTTPS : public SSLUITest {
+ protected:
+ void SetUpCommandLine(base::CommandLine* command_line) override {
+ std::string whitelist_flag = MakeCertSPKIFingerprint(
+ https_server_mismatched_.GetCertificate().get());
+ // Browser will ignore certificate errors for chains matching one of the
+ // public keys from the list.
+ command_line->AppendSwitchASCII(switches::kIgnoreCertificateErrorsSPKIList,
+ whitelist_flag);
+ }
+};
+
+class SSLUITestIgnoreCertErrorsBySPKIWSS : public SSLUITest {
+ public:
+ SSLUITestIgnoreCertErrorsBySPKIWSS() : SSLUITest() {}
+
+ void SetUpCommandLine(base::CommandLine* command_line) override {
+ std::string whitelist_flag =
+ MakeCertSPKIFingerprint(wss_server_expired_.GetCertificate().get());
+ // Browser will ignore certificate errors for chains matching one of the
+ // public keys from the list.
+ command_line->AppendSwitchASCII(switches::kIgnoreCertificateErrorsSPKIList,
+ whitelist_flag);
+ }
+};
+
class SSLUITestIgnoreLocalhostCertErrors : public SSLUITest {
public:
SSLUITestIgnoreLocalhostCertErrors() : SSLUITest() {}
@@ -2665,6 +2707,83 @@ IN_PROC_BROWSER_TEST_F(SSLUITestIgnoreCertErrors, TestWSS) {
EXPECT_TRUE(base::LowerCaseEqualsASCII(result, "pass"));
}
+// Visit a page and establish a WebSocket connection over bad https with
+// --ignore-certificate-errors-spki-list. The connection should be established
+// without interstitial page showing.
+#if !defined(OS_CHROMEOS) // Chrome OS does not support the flag.
+IN_PROC_BROWSER_TEST_F(SSLUITestIgnoreCertErrorsBySPKIWSS, TestWSSExpired) {
+ ASSERT_TRUE(wss_server_expired_.Start());
+
+ // Setup page title observer.
+ WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
+ content::TitleWatcher watcher(tab, ASCIIToUTF16("PASS"));
+ watcher.AlsoWaitForTitle(ASCIIToUTF16("FAIL"));
+
+ // Visit bad HTTPS page.
+ GURL::Replacements replacements;
+ replacements.SetSchemeStr("https");
+ ui_test_utils::NavigateToURL(browser(),
+ wss_server_expired_.GetURL("connect_check.html")
+ .ReplaceComponents(replacements));
+
+ // We shouldn't have an interstitial page showing here.
+
+ // Test page run a WebSocket wss connection test. The result will be shown
+ // as page title.
+ const base::string16 result = watcher.WaitAndGetTitle();
+ EXPECT_TRUE(base::LowerCaseEqualsASCII(result, "pass"));
+}
+#endif // !defined(OS_CHROMEOS)
+
+// Test that HTTPS pages with a bad certificate don't show an interstitial if
+// the public key matches a value from --ignore-certificate-errors-spki-list.
+#if !defined(OS_CHROMEOS) // Chrome OS does not support the flag.
+IN_PROC_BROWSER_TEST_F(SSLUITestIgnoreCertErrorsBySPKIHTTPS, TestHTTPS) {
+ ASSERT_TRUE(https_server_mismatched_.Start());
+
+ WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
+
+ ui_test_utils::NavigateToURL(
+ browser(),
+ https_server_mismatched_.GetURL("/ssl/page_with_subresource.html"));
+
+ // We should see no interstitial. The script tag in the page should have
+ // loaded and ran (and wasn't blocked by the certificate error).
+ CheckAuthenticatedState(tab, AuthState::NONE);
+ base::string16 title;
+ ui_test_utils::GetCurrentTabTitle(browser(), &title);
+ EXPECT_EQ(title, base::ASCIIToUTF16("This script has loaded"));
+}
+#endif // !defined(OS_CHROMEOS)
+
+// Test subresources from an origin with a bad certificate are loaded if the
+// public key matches a value from --ignore-certificate-errors-spki-list.
+#if !defined(OS_CHROMEOS) // Chrome OS does not support the flag.
+IN_PROC_BROWSER_TEST_F(SSLUITestIgnoreCertErrorsBySPKIHTTPS,
+ TestInsecureSubresource) {
+ ASSERT_TRUE(https_server_.Start());
+ ASSERT_TRUE(https_server_mismatched_.Start());
+
+ WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
+
+ std::string replacement_path;
+ GetFilePathWithHostAndPortReplacement(
+ "/ssl/page_with_unsafe_image.html",
+ https_server_mismatched_.host_port_pair(), &replacement_path);
+ ui_test_utils::NavigateToURL(browser(),
+ https_server_.GetURL(replacement_path));
+
+ // We should see no interstitial.
+ CheckAuthenticatedState(tab, AuthState::NONE);
+ // In order to check that the image was loaded, check its width.
+ // The actual image (Google logo) is 276 pixels wide.
+ int img_width = 0;
+ EXPECT_TRUE(content::ExecuteScriptAndExtractInt(
+ tab, "window.domAutomationController.send(ImageWidth());", &img_width));
+ EXPECT_GT(img_width, 200);
+}
+#endif // !defined(OS_CHROMEOS)
+
// Verifies that the interstitial can proceed, even if JavaScript is disabled.
// http://crbug.com/322948
#if defined(OS_LINUX)
« no previous file with comments | « chrome/browser/ssl/ignore_errors_cert_verifier_unittest.cc ('k') | chrome/browser/ui/startup/bad_flags_prompt.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698