authorestark <estark@chromium.org>2015-05-11 11:38:57 -0700
committerCommit bot <commit-bot@chromium.org>2015-05-11 18:40:16 +0000
commit1d306d54916abfd8596049dc00a268d01ca9f200 (patch)
tree9d76ea6f09b2a7d55dd52c454f96c5a82a82b810
parent432edd07b8440a371ec734d0f56d49fbae9ebc46 (diff)
Include cert status in invalid certificate reports
This CL sends |SSLInfo::cert_status| along with the rest of the data in invalid certificate reports. BUG=462713, 461588 Review URL: https://codereview.chromium.org/1117173005 Cr-Commit-Position: refs/heads/master@{#329197}
-rw-r--r--chrome/browser/net/cert_logger.proto20
-rw-r--r--chrome/browser/net/certificate_error_reporter.cc39
-rw-r--r--chrome/browser/net/certificate_error_reporter_unittest.cc23
3 files changed, 82 insertions, 0 deletions
diff --git a/chrome/browser/net/cert_logger.proto b/chrome/browser/net/cert_logger.proto
index 7ef828a..3824c9f 100644
--- a/chrome/browser/net/cert_logger.proto
+++ b/chrome/browser/net/cert_logger.proto
@@ -39,6 +39,26 @@ message CertLoggerRequest {
// pin contains the string forms of the pins that were matched against for
// this host.
repeated string pin = 5;
+
+ enum CertError {
+ ERR_CERT_REVOKED = 1;
+ ERR_CERT_INVALID = 2;
+ ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN = 3;
+ ERR_CERT_AUTHORITY_INVALID = 4;
+ ERR_CERT_COMMON_NAME_INVALID = 5;
+ ERR_CERT_NAME_CONSTRAINT_VIOLATION = 6;
+ ERR_CERT_WEAK_SIGNATURE_ALGORITHM = 7;
+ ERR_CERT_WEAK_KEY = 8;
+ ERR_CERT_DATE_INVALID = 9;
+ ERR_CERT_VALIDITY_TOO_LONG = 10;
+ ERR_CERT_UNABLE_TO_CHECK_REVOCATION = 11;
+ ERR_CERT_NO_REVOCATION_MECHANISM = 12;
+ ERR_CERT_NON_UNIQUE_NAME = 13;
+ };
+
+ // Certificate errors encountered (if any) when validating this
+ // certificate chain.
+ repeated CertError cert_error = 6;
};
// A wrapper proto containing an encrypted CertLoggerRequest
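Review bot: The new CertError enum (L29–L43) carries no note that its numeric values are persisted in uploaded reports and must never be renumbered or reused, nor that it is a hand-maintained mirror of a subset of the net::CertStatus flags rather than an exhaustive list. A reader of the proto alone cannot tell which status bits are covered or where the mapping lives. A short comment above the enum would carry both facts, e.g. `// Mirrors the net::CERT_STATUS_* error flags that the reporter maps in AddCertStatusToReportErrors() (certificate_error_reporter.cc); keep the two in sync. Values are part of the report wire format: never renumber or reuse them.` The field comment at L45–46 could likewise say "errors reported for this chain" rather than "errors encountered", since bits without a mapping are not sent.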
diff --git a/chrome/browser/net/certificate_error_reporter.cc b/chrome/browser/net/certificate_error_reporter.cc
index acd5201..bb37884 100644
--- a/chrome/browser/net/certificate_error_reporter.cc
+++ b/chrome/browser/net/certificate_error_reporter.cc
@@ -28,6 +28,8 @@
namespace {
+using chrome_browser_net::CertLoggerRequest;
+
// Constants used for crypto
static const uint8 kServerPublicKey[] = {
0x51, 0xcc, 0x52, 0x67, 0x42, 0x47, 0x3b, 0x10, 0xe8, 0x63, 0x18,
@@ -83,6 +85,41 @@ bool EncryptSerializedReport(
}
#endif
+void AddCertStatusToReportErrors(
+ net::CertStatus cert_status,
+ CertLoggerRequest* report) {
+ if (cert_status & net::CERT_STATUS_REVOKED)
+ report->add_cert_error(CertLoggerRequest::ERR_CERT_REVOKED);
+ if (cert_status & net::CERT_STATUS_INVALID)
+ report->add_cert_error(CertLoggerRequest::ERR_CERT_INVALID);
+ if (cert_status & net::CERT_STATUS_PINNED_KEY_MISSING)
+ report->add_cert_error(
+ CertLoggerRequest::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN);
+ if (cert_status & net::CERT_STATUS_AUTHORITY_INVALID)
+ report->add_cert_error(CertLoggerRequest::ERR_CERT_AUTHORITY_INVALID);
+ if (cert_status & net::CERT_STATUS_COMMON_NAME_INVALID)
+ report->add_cert_error(CertLoggerRequest::ERR_CERT_COMMON_NAME_INVALID);
+ if (cert_status & net::CERT_STATUS_NON_UNIQUE_NAME)
+ report->add_cert_error(CertLoggerRequest::ERR_CERT_NON_UNIQUE_NAME);
+ if (cert_status & net::CERT_STATUS_NAME_CONSTRAINT_VIOLATION)
+ report->add_cert_error(
+ CertLoggerRequest::ERR_CERT_NAME_CONSTRAINT_VIOLATION);
+ if (cert_status & net::CERT_STATUS_WEAK_SIGNATURE_ALGORITHM)
+ report->add_cert_error(
+ CertLoggerRequest::ERR_CERT_WEAK_SIGNATURE_ALGORITHM);
+ if (cert_status & net::CERT_STATUS_WEAK_KEY)
+ report->add_cert_error(CertLoggerRequest::ERR_CERT_WEAK_KEY);
+ if (cert_status & net::CERT_STATUS_DATE_INVALID)
+ report->add_cert_error(CertLoggerRequest::ERR_CERT_DATE_INVALID);
+ if (cert_status & net::CERT_STATUS_VALIDITY_TOO_LONG)
+ report->add_cert_error(CertLoggerRequest::ERR_CERT_VALIDITY_TOO_LONG);
+ if (cert_status & net::CERT_STATUS_UNABLE_TO_CHECK_REVOCATION)
+ report->add_cert_error(
+ CertLoggerRequest::ERR_CERT_UNABLE_TO_CHECK_REVOCATION);
+ if (cert_status & net::CERT_STATUS_NO_REVOCATION_MECHANISM)
+ report->add_cert_error(CertLoggerRequest::ERR_CERT_NO_REVOCATION_MECHANISM);
+}
+
} // namespace
namespace chrome_browser_net {
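Review bot: AddCertStatusToReportErrors (L64–L97) repeats the same test-and-add pair thirteen times, which makes it easy for this mapping to drift from the CertError enum in cert_logger.proto when a flag is added to one side but not the other; a single table of {net::CertStatus, CertLoggerRequest::CertError} pairs walked in a loop keeps every mapping on one line and in one place. The function also leaves undocumented that only the bits listed here reach the report, so any other CertStatus bit (and any error flag net adds later) is dropped without trace; a header comment such as `// Only the CERT_STATUS_* error bits in the table below are reported; any other bits set in |cert_status| are not sent.` makes that visible to the next maintainer. The order of entries below follows the enum in the proto, which the original does not.
```cpp
void AddCertStatusToReportErrors(net::CertStatus cert_status,
                                 CertLoggerRequest* report) {
  // Only the CERT_STATUS_* error bits in this table are reported; any other
  // bits set in |cert_status| are not sent.
  static const struct {
    net::CertStatus status;
    CertLoggerRequest::CertError error;
  } kStatusToError[] = {
      {net::CERT_STATUS_REVOKED, CertLoggerRequest::ERR_CERT_REVOKED},
      {net::CERT_STATUS_INVALID, CertLoggerRequest::ERR_CERT_INVALID},
      {net::CERT_STATUS_PINNED_KEY_MISSING,
       CertLoggerRequest::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN},
      // … one entry per remaining CERT_STATUS_* / ERR_CERT_* pair from the hunk,
      //   in the order of the CertError enum …
      {net::CERT_STATUS_NON_UNIQUE_NAME,
       CertLoggerRequest::ERR_CERT_NON_UNIQUE_NAME},
  };
  for (const auto& entry : kStatusToError) {
    if (cert_status & entry.status)
      report->add_cert_error(entry.error);
  }
}
```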
@@ -265,6 +302,8 @@ void CertificateErrorReporter::BuildReport(const std::string& hostname,
*cert_chain += pem_encoded_chain[i];
out_request->add_pin(ssl_info.pinning_failure_log);
+
+ AddCertStatusToReportErrors(ssl_info.cert_status, out_request);
}
void CertificateErrorReporter::RequestComplete(net::URLRequest* request) {
diff --git a/chrome/browser/net/certificate_error_reporter_unittest.cc b/chrome/browser/net/certificate_error_reporter_unittest.cc
index 3df6583..fbf4c81 100644
--- a/chrome/browser/net/certificate_error_reporter_unittest.cc
+++ b/chrome/browser/net/certificate_error_reporter_unittest.cc
@@ -26,6 +26,7 @@
#include "net/base/upload_bytes_element_reader.h"
#include "net/base/upload_data_stream.h"
#include "net/base/upload_element_reader.h"
+#include "net/cert/cert_status_flags.h"
#include "net/test/cert_test_util.h"
#include "net/test/url_request/url_request_failed_job.h"
#include "net/test/url_request/url_request_mock_data_job.h"
@@ -35,6 +36,7 @@
using chrome_browser_net::CertificateErrorReporter;
using content::BrowserThread;
+using net::CertStatus;
using net::CompletionCallback;
using net::SSLInfo;
using net::NetworkDelegateImpl;
@@ -48,12 +50,21 @@ const char kSecondRequestHostname[] = "test2.mail.google.com";
const char kDummyFailureLog[] = "dummy failure log";
const char kTestCertFilename[] = "test_mail_google_com.pem";
const uint32 kServerPublicKeyVersion = 1;
+const CertStatus kCertStatus =
+ net::CERT_STATUS_COMMON_NAME_INVALID | net::CERT_STATUS_REVOKED;
+const size_t kNumCertErrors = 2;
+const chrome_browser_net::CertLoggerRequest::CertError kFirstReportedCertError =
+ chrome_browser_net::CertLoggerRequest::ERR_CERT_COMMON_NAME_INVALID;
+const chrome_browser_net::CertLoggerRequest::CertError
+ kSecondReportedCertError =
+ chrome_browser_net::CertLoggerRequest::ERR_CERT_REVOKED;
SSLInfo GetTestSSLInfo() {
SSLInfo info;
info.cert =
net::ImportCertFromFile(net::GetTestCertsDirectory(), kTestCertFilename);
info.is_issued_by_known_root = true;
+ info.cert_status = kCertStatus;
info.pinning_failure_log = kDummyFailureLog;
return info;
}
@@ -120,6 +131,18 @@ void CheckUploadData(URLRequest* request,
EXPECT_EQ(GetPEMEncodedChain(), uploaded_request.cert_chain());
EXPECT_EQ(1, uploaded_request.pin().size());
EXPECT_EQ(kDummyFailureLog, uploaded_request.pin().Get(0));
+ EXPECT_EQ(2, uploaded_request.cert_error().size());
+
+ std::set<chrome_browser_net::CertLoggerRequest::CertError> reported_errors;
+ reported_errors.insert(
+ static_cast<chrome_browser_net::CertLoggerRequest::CertError>(
+ uploaded_request.cert_error().Get(0)));
+ reported_errors.insert(
+ static_cast<chrome_browser_net::CertLoggerRequest::CertError>(
+ uploaded_request.cert_error().Get(1)));
+ EXPECT_EQ(kNumCertErrors, reported_errors.size());
+ EXPECT_EQ(1u, reported_errors.count(kFirstReportedCertError));
+ EXPECT_EQ(1u, reported_errors.count(kSecondReportedCertError));
}
// A network delegate that lets tests check that a certificate error
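Review bot: The `Get(0)`/`Get(1)` reads at L157 and L160 execute even when the size check at L152 fails, because `EXPECT_EQ` only records the failure and continues; with fewer than two reported errors the second read indexes past the end of the repeated field. CheckUploadData returns void, so `ASSERT_EQ` can be used to stop there, and iterating over `cert_error()` instead of indexing fixed positions removes both the hard-coded `2` (the hunk at L127 already defines `kNumCertErrors` for exactly this) and the out-of-range read. `std::set` also requires `<set>`; none of the includes visible in this diff provide it, so add it if the file does not already have it.
```cpp
  ASSERT_EQ(static_cast<int>(kNumCertErrors),
            uploaded_request.cert_error().size());

  std::set<chrome_browser_net::CertLoggerRequest::CertError> reported_errors;
  for (int i = 0; i < uploaded_request.cert_error().size(); ++i) {
    reported_errors.insert(
        static_cast<chrome_browser_net::CertLoggerRequest::CertError>(
            uploaded_request.cert_error().Get(i)));
  }
  // … unchanged: kNumCertErrors / kFirstReportedCertError / kSecondReportedCertError checks …
```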