authorestark <estark@chromium.org>2015-09-29 19:56:21 -0700
committerCommit bot <commit-bot@chromium.org>2015-09-30 02:57:29 +0000
commite1990c761e0bce266f95e9ac0a5aba20ac7bed80 (patch)
tree676d9a990ff1b733926da2f26f42daa21672da7f
parenta019a0579f1115878f377ccaf67aceb38293cc1d (diff)
Add unit tests for SHA1 warning deprecations
BUG=530359 Review URL: https://codereview.chromium.org/1367373003 Cr-Commit-Position: refs/heads/master@{#351476}
-rw-r--r--chrome/browser/ssl/security_state_model_browser_tests.cc6
-rw-r--r--chrome/browser/ssl/security_state_model_unittest.cc98
-rw-r--r--chrome/chrome_tests_unit.gypi1
-rw-r--r--net/data/ssl/certificates/README5
-rw-r--r--net/data/ssl/certificates/sha1_2016.pem82
-rwxr-xr-xnet/data/ssl/scripts/generate-test-certs.sh13
6 files changed, 198 insertions, 7 deletions
diff --git a/chrome/browser/ssl/security_state_model_browser_tests.cc b/chrome/browser/ssl/security_state_model_browser_tests.cc
index 8f3bb25..41e3bab 100644
--- a/chrome/browser/ssl/security_state_model_browser_tests.cc
+++ b/chrome/browser/ssl/security_state_model_browser_tests.cc
@@ -496,10 +496,4 @@ IN_PROC_BROWSER_TEST_F(SecurityStateModelTest, AddedTab) {
false /* expect cert status error */);
}
-// TODO(estark): https://crbug.com/530359
-// Test the following cases:
-// - warning SHA1 (2016 expiration)
-// - active mixed content + warning SHA1
-// - broken HTTPS + warning SHA1
-
} // namespace
diff --git a/chrome/browser/ssl/security_state_model_unittest.cc b/chrome/browser/ssl/security_state_model_unittest.cc
new file mode 100644
index 0000000..7701a0b
--- /dev/null
+++ b/chrome/browser/ssl/security_state_model_unittest.cc
@@ -0,0 +1,98 @@
+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/browser/ssl/security_state_model.h"
+
+#include "chrome/test/base/chrome_render_view_host_test_harness.h"
+#include "chrome/test/base/testing_profile.h"
+#include "content/public/browser/cert_store.h"
+#include "content/public/test/mock_render_process_host.h"
+#include "content/public/test/test_browser_thread_bundle.h"
+#include "net/base/test_data_directory.h"
+#include "net/cert/x509_certificate.h"
+#include "net/ssl/ssl_connection_status_flags.h"
+#include "net/test/cert_test_util.h"
+#include "net/test/test_certificate_data.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+namespace {
+
+const char kUrl[] = "https://foo.test";
+
+void GetTestSSLStatus(int process_id, content::SSLStatus* ssl_status) {
+ content::CertStore* cert_store = content::CertStore::GetInstance();
+ const scoped_refptr<net::X509Certificate>& cert =
+ net::ImportCertFromFile(net::GetTestCertsDirectory(), "sha1_2016.pem");
+ ASSERT_TRUE(cert);
+ ssl_status->cert_id = cert_store->StoreCert(cert.get(), process_id);
+ EXPECT_GT(ssl_status->cert_id, 0);
+ ssl_status->cert_status = net::CERT_STATUS_SHA1_SIGNATURE_PRESENT;
+ ssl_status->security_bits = 256;
+ ssl_status->connection_status = net::SSL_CONNECTION_VERSION_TLS1_2
+ << net::SSL_CONNECTION_VERSION_SHIFT;
+}
+
+class SecurityStateModelTest : public ChromeRenderViewHostTestHarness {};
+
+// Tests that SHA1-signed certificates expiring in 2016 downgrade the
+// security state of the page.
+TEST_F(SecurityStateModelTest, SHA1Warning) {
+ GURL url(kUrl);
+ Profile* test_profile = profile();
+ SecurityStateModel::SecurityInfo security_info;
+ content::SSLStatus ssl_status;
+ ASSERT_NO_FATAL_FAILURE(GetTestSSLStatus(process()->GetID(), &ssl_status));
+ SecurityStateModel::SecurityInfoForRequest(url, ssl_status, test_profile,
+ &security_info);
+ EXPECT_EQ(SecurityStateModel::DEPRECATED_SHA1_WARNING,
+ security_info.sha1_deprecation_status);
+ EXPECT_EQ(SecurityStateModel::NONE, security_info.security_level);
+}
+
+// Tests that SHA1 warnings don't interfere with the handling of mixed
+// content.
+TEST_F(SecurityStateModelTest, SHA1WarningMixedContent) {
+ GURL url(kUrl);
+ Profile* test_profile = profile();
+ SecurityStateModel::SecurityInfo security_info;
+ content::SSLStatus ssl_status;
+ ASSERT_NO_FATAL_FAILURE(GetTestSSLStatus(process()->GetID(), &ssl_status));
+ ssl_status.content_status = content::SSLStatus::DISPLAYED_INSECURE_CONTENT;
+ SecurityStateModel::SecurityInfoForRequest(url, ssl_status, test_profile,
+ &security_info);
+ EXPECT_EQ(SecurityStateModel::DEPRECATED_SHA1_WARNING,
+ security_info.sha1_deprecation_status);
+ EXPECT_EQ(SecurityStateModel::DISPLAYED_MIXED_CONTENT,
+ security_info.mixed_content_status);
+ EXPECT_EQ(SecurityStateModel::NONE, security_info.security_level);
+
+ ssl_status.security_style = content::SECURITY_STYLE_AUTHENTICATION_BROKEN;
+ ssl_status.content_status = content::SSLStatus::RAN_INSECURE_CONTENT;
+ SecurityStateModel::SecurityInfoForRequest(url, ssl_status, test_profile,
+ &security_info);
+ EXPECT_EQ(SecurityStateModel::DEPRECATED_SHA1_WARNING,
+ security_info.sha1_deprecation_status);
+ EXPECT_EQ(SecurityStateModel::RAN_MIXED_CONTENT,
+ security_info.mixed_content_status);
+ EXPECT_EQ(SecurityStateModel::SECURITY_ERROR, security_info.security_level);
+}
+
+// Tests that SHA1 warnings don't interfere with the handling of major
+// cert errors.
+TEST_F(SecurityStateModelTest, SHA1WarningBrokenHTTPS) {
+ GURL url(kUrl);
+ Profile* test_profile = profile();
+ SecurityStateModel::SecurityInfo security_info;
+ content::SSLStatus ssl_status;
+ ASSERT_NO_FATAL_FAILURE(GetTestSSLStatus(process()->GetID(), &ssl_status));
+ ssl_status.security_style = content::SECURITY_STYLE_AUTHENTICATION_BROKEN;
+ ssl_status.cert_status |= net::CERT_STATUS_DATE_INVALID;
+ SecurityStateModel::SecurityInfoForRequest(url, ssl_status, test_profile,
+ &security_info);
+ EXPECT_EQ(SecurityStateModel::DEPRECATED_SHA1_WARNING,
+ security_info.sha1_deprecation_status);
+ EXPECT_EQ(SecurityStateModel::SECURITY_ERROR, security_info.security_level);
+}
+
+} // namespace
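Review bot: The header comment on SHA1Warning (the two lines before `TEST_F(SecurityStateModelTest, SHA1Warning)`) says the certificate downgrades the security state of the page, but the test asserts `EXPECT_EQ(SecurityStateModel::NONE, security_info.security_level);` — only sha1_deprecation_status changes. Suggest rewording it to `// Tests that SHA1-signed certificates expiring in 2016 are reported as` / `// DEPRECATED_SHA1_WARNING without lowering the security level.` so the comment matches what is asserted. Separately, the setup lines (GURL, profile, SecurityInfo, SSLStatus and the ASSERT_NO_FATAL_FAILURE call) are repeated verbatim in all three tests and could move into a SetUp() on SecurityStateModelTest, which is currently an empty subclass. Note also that GetTestSSLStatus sets `net::CERT_STATUS_SHA1_SIGNATURE_PRESENT` by hand, so these tests exercise only SecurityStateModel's handling of that flag, not the detection of a SHA-1 signature on the fixture.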
diff --git a/chrome/chrome_tests_unit.gypi b/chrome/chrome_tests_unit.gypi
index 2b6a7cf..4dc43b9 100644
--- a/chrome/chrome_tests_unit.gypi
+++ b/chrome/chrome_tests_unit.gypi
@@ -216,6 +216,7 @@
'browser/signin/signin_manager_unittest.cc',
'browser/signin/signin_tracker_unittest.cc',
'browser/signin/test_signin_client_builder.cc',
+ 'browser/ssl/security_state_model_unittest.cc',
'browser/ssl/ssl_error_classification_unittest.cc',
'browser/ssl/ssl_error_handler_unittest.cc',
'browser/status_icons/status_icon_menu_model_unittest.cc',
diff --git a/net/data/ssl/certificates/README b/net/data/ssl/certificates/README
index 0e17308..6eed2be 100644
--- a/net/data/ssl/certificates/README
+++ b/net/data/ssl/certificates/README
@@ -21,7 +21,7 @@ unit tests.
- www_us_army_mil_cert.der
- dod_ca_17_cert.der
-- dod_root_ca_2_cert.der :
+- dod_root_ca_2_cert.der :
A certificate chain used for testing certificate imports
- unosoft_hu_cert : Certificate used by X509CertificateTest.UnoSoftCertParsing.
@@ -155,6 +155,9 @@ unit tests.
- punycodetest.pem : A test self-signed server certificate with punycode name.
The common name is "xn--wgv71a119e.com" (日本語.com)
+- sha1_2016.pem
+ Used to test the handling of SHA1 certificates expiring in 2016.
+
- 10_year_validity.pem
- 11_year_validity.pem
- 39_months_after_2015_04.pem
diff --git a/net/data/ssl/certificates/sha1_2016.pem b/net/data/ssl/certificates/sha1_2016.pem
new file mode 100644
index 0000000..074a0db
--- /dev/null
+++ b/net/data/ssl/certificates/sha1_2016.pem
@@ -0,0 +1,82 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 1 (0x1)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=Test Root CA
+ Validity
+ Not Before: Oct 30 00:00:00 2008 GMT
+ Not After : Dec 30 00:00:00 2016 GMT
+ Subject: C=US, ST=California, L=Mountain View, O=Test CA, CN=127.0.0.1
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:c0:96:28:b8:79:2e:15:f8:33:2e:29:06:75:f8:
+ 99:8d:df:03:c3:6e:cf:ed:ff:ef:73:5c:9e:40:af:
+ 5b:3b:14:21:74:11:59:75:c7:35:00:12:f1:af:97:
+ ca:2f:f6:5b:55:9e:38:5b:a3:e9:5a:23:39:aa:a5:
+ fa:12:76:db:89:26:64:8a:ff:ec:f9:f1:a3:2e:3c:
+ a2:f0:f4:95:a0:27:1a:18:04:4f:dd:32:39:c7:96:
+ 85:53:15:48:33:3a:c0:6b:6e:2a:91:12:01:fe:a1:
+ 79:4d:4d:6f:a1:ea:2d:ab:bb:06:ac:cb:8f:10:75:
+ 2f:75:cb:23:05:9b:73:b9:17:ba:4d:3d:b9:e4:54:
+ 12:a7:d2:b4:bd:df:00:c2:b6:3e:e0:60:3a:f3:9a:
+ 08:e4:72:8d:49:5a:b9:92:e9:ea:76:6c:8b:30:4f:
+ 7c:85:09:dd:4b:43:d8:3e:a0:6d:da:ad:2e:8b:af:
+ e6:cc:a9:8c:b2:a0:81:fc:bb:da:05:45:0e:bc:ea:
+ f1:b8:5d:a4:4f:ce:f7:78:7e:57:6e:54:f5:2b:40:
+ be:ee:d6:05:dd:ea:c1:02:cb:cc:1e:5b:24:06:73:
+ 9d:41:8e:18:79:37:4f:f7:e8:dc:f3:b3:c0:db:e4:
+ 48:1e:d3:f4:dc:da:30:2c:2e:86:10:b1:a8:90:ec:
+ af:c3
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:FALSE
+ X509v3 Subject Key Identifier:
+ A5:46:1F:A2:BE:47:ED:CD:33:DC:51:DF:70:2C:A5:E1:AB:4F:7D:41
+ X509v3 Authority Key Identifier:
+ keyid:BC:F7:30:D1:3C:C0:F2:79:FA:EF:9F:C9:6C:5C:93:F3:8A:68:AB:83
+
+ X509v3 Extended Key Usage:
+ TLS Web Server Authentication, TLS Web Client Authentication
+ X509v3 Subject Alternative Name:
+ IP Address:127.0.0.1
+ Signature Algorithm: sha256WithRSAEncryption
+ b5:a1:00:b0:53:8c:6e:61:f1:9e:1c:a4:5c:3b:f0:25:56:66:
+ e9:b1:b1:70:a0:d3:f2:c5:06:d1:99:08:82:bb:d9:b8:d5:c0:
+ 57:89:11:90:d1:ad:36:08:d7:68:39:cf:d4:28:59:4b:09:92:
+ f6:65:65:b2:f0:7f:8b:01:0a:46:e4:1f:2b:d8:20:7d:73:2e:
+ 2b:a9:8d:8c:d7:08:4e:1c:e2:fb:9e:68:34:b7:60:91:d1:a8:
+ 70:0b:7a:50:e9:8c:98:fa:47:1e:e1:f6:f5:65:30:e7:07:be:
+ cb:c2:85:97:91:4d:8a:47:b7:d2:64:49:70:e7:ce:85:ed:f3:
+ f8:6a:72:70:f4:20:9d:c0:91:e9:ba:6b:26:a1:e6:e4:41:0f:
+ 8b:f5:d9:7f:5c:2f:4e:46:37:a0:47:3d:de:21:d4:94:91:04:
+ 21:ee:3b:b2:1d:64:4c:c6:7b:49:1c:b9:51:7a:99:ca:63:89:
+ 7a:04:ca:31:7e:a7:c3:58:1f:96:d7:41:3f:88:e7:b5:cf:55:
+ e2:53:16:07:c2:ad:4a:76:64:b2:1c:07:9a:ae:c9:03:ac:3b:
+ 1f:a9:09:45:7f:c0:8a:3f:47:83:41:c6:8a:48:04:32:cd:c5:
+ 79:5e:59:4e:48:eb:ed:e4:0e:9d:f9:a2:40:2b:fc:02:59:c0:
+ 26:8a:9a:72
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/net/data/ssl/scripts/generate-test-certs.sh b/net/data/ssl/scripts/generate-test-certs.sh
index feb2453..d777718 100755
--- a/net/data/ssl/scripts/generate-test-certs.sh
+++ b/net/data/ssl/scripts/generate-test-certs.sh
@@ -170,6 +170,19 @@ try openssl req -x509 -days 3650 \
-sha256 \
-out ../certificates/large_key.pem
+## SHA1 certificate expiring in 2016.
+try openssl req -config ../scripts/ee.cnf -sha1 \
+ -newkey rsa:2048 -text -out out/sha1_2016.req
+CA_COMMON_NAME="Test Root CA" \
+ try openssl ca \
+ -batch \
+ -extensions user_cert \
+ -startdate 081030000000Z \
+ -enddate 161230000000Z \
+ -in out/sha1_2016.req \
+ -out ../certificates/sha1_2016.pem \
+ -config ca.cnf
+
## Validity too long unit test support.
try openssl req -config ../scripts/ee.cnf \
-newkey rsa:2048 -text -out ../certificates/10_year_validity.req
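Review bot: `-sha1` on the `openssl req` line only controls the digest of the CSR's self-signature; the digest of the issued certificate is chosen by `openssl ca` (its default_md from ca.cnf, not visible here), and the text dump checked in as sha1_2016.pem in this commit reports `Signature Algorithm: sha256WithRSAEncryption` for both the TBS and the outer signature. So the fixture named sha1_2016 is not actually SHA-1 signed; the new unit tests only see a SHA-1 warning because GetTestSSLStatus sets CERT_STATUS_SHA1_SIGNATURE_PRESENT itself. Adding `-md sha1 \` to the `openssl ca` invocation (next to `-extensions user_cert \`) and regenerating would make the fixture match its name; otherwise the `## SHA1 certificate expiring in 2016.` comment should state that only the validity period matters and the signature algorithm is set by the tests.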