Include cert status in invalid certificate reports

This CL sends |SSLInfo::cert_status| along with the rest of the data in invalid certificate reports. BUG=462713, 461588 Review URL: https://codereview.chromium.org/1117173005 Cr-Commit-Position: refs/heads/master@{#329197}

Include cert status in invalid certificate reports
This CL sends |SSLInfo::cert_status| along with the rest of the data in invalid certificate reports. BUG=462713, 461588 Review URL: https://codereview.chromium.org/1117173005 Cr-Commit-Position: refs/heads/master@{#329197}
1d306d54 · estark · Commit bot · 432edd07 · 1d306d54 · 1d306d54
Commit 1d306d54 authored May 11, 2015 by estark Committed by Commit bot May 11, 2015
3 changed files
--- a/chrome/browser/net/cert_logger.proto
+++ b/chrome/browser/net/cert_logger.proto
@@ -39,6 +39,26 @@ message CertLoggerRequest {
  // pin contains the string forms of the pins that were matched against for
  // this host.
  repeated string pin = 5;
+
+  enum CertError {
+    ERR_CERT_REVOKED = 1;
+    ERR_CERT_INVALID = 2;
+    ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN = 3;
+    ERR_CERT_AUTHORITY_INVALID = 4;
+    ERR_CERT_COMMON_NAME_INVALID = 5;
+    ERR_CERT_NAME_CONSTRAINT_VIOLATION = 6;
+    ERR_CERT_WEAK_SIGNATURE_ALGORITHM = 7;
+    ERR_CERT_WEAK_KEY = 8;
+    ERR_CERT_DATE_INVALID = 9;
+    ERR_CERT_VALIDITY_TOO_LONG = 10;
+    ERR_CERT_UNABLE_TO_CHECK_REVOCATION = 11;
+    ERR_CERT_NO_REVOCATION_MECHANISM = 12;
+    ERR_CERT_NON_UNIQUE_NAME = 13;
+  };
+
+  // Certificate errors encountered (if any) when validating this
+  // certificate chain.
+  repeated CertError cert_error = 6;
 };

 // A wrapper proto containing an encrypted CertLoggerRequest

--- a/chrome/browser/net/certificate_error_reporter.cc
+++ b/chrome/browser/net/certificate_error_reporter.cc
@@ -28,6 +28,8 @@

 namespace {

+using chrome_browser_net::CertLoggerRequest;
+
 // Constants used for crypto
 static const uint8 kServerPublicKey[] = {
    0x51, 0xcc, 0x52, 0x67, 0x42, 0x47, 0x3b, 0x10, 0xe8, 0x63, 0x18,
@@ -83,6 +85,41 @@ bool EncryptSerializedReport(
 }
 #endif

+void AddCertStatusToReportErrors(
+    net::CertStatus cert_status,
+    CertLoggerRequest* report) {
+  if (cert_status & net::CERT_STATUS_REVOKED)
+    report->add_cert_error(CertLoggerRequest::ERR_CERT_REVOKED);
+  if (cert_status & net::CERT_STATUS_INVALID)
+    report->add_cert_error(CertLoggerRequest::ERR_CERT_INVALID);
+  if (cert_status & net::CERT_STATUS_PINNED_KEY_MISSING)
+    report->add_cert_error(
+        CertLoggerRequest::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN);
+  if (cert_status & net::CERT_STATUS_AUTHORITY_INVALID)
+    report->add_cert_error(CertLoggerRequest::ERR_CERT_AUTHORITY_INVALID);
+  if (cert_status & net::CERT_STATUS_COMMON_NAME_INVALID)
+    report->add_cert_error(CertLoggerRequest::ERR_CERT_COMMON_NAME_INVALID);
+  if (cert_status & net::CERT_STATUS_NON_UNIQUE_NAME)
+    report->add_cert_error(CertLoggerRequest::ERR_CERT_NON_UNIQUE_NAME);
+  if (cert_status & net::CERT_STATUS_NAME_CONSTRAINT_VIOLATION)
+    report->add_cert_error(
+        CertLoggerRequest::ERR_CERT_NAME_CONSTRAINT_VIOLATION);
+  if (cert_status & net::CERT_STATUS_WEAK_SIGNATURE_ALGORITHM)
+    report->add_cert_error(
+        CertLoggerRequest::ERR_CERT_WEAK_SIGNATURE_ALGORITHM);
+  if (cert_status & net::CERT_STATUS_WEAK_KEY)
+    report->add_cert_error(CertLoggerRequest::ERR_CERT_WEAK_KEY);
+  if (cert_status & net::CERT_STATUS_DATE_INVALID)
+    report->add_cert_error(CertLoggerRequest::ERR_CERT_DATE_INVALID);
+  if (cert_status & net::CERT_STATUS_VALIDITY_TOO_LONG)
+    report->add_cert_error(CertLoggerRequest::ERR_CERT_VALIDITY_TOO_LONG);
+  if (cert_status & net::CERT_STATUS_UNABLE_TO_CHECK_REVOCATION)
+    report->add_cert_error(
+        CertLoggerRequest::ERR_CERT_UNABLE_TO_CHECK_REVOCATION);
+  if (cert_status & net::CERT_STATUS_NO_REVOCATION_MECHANISM)
+    report->add_cert_error(CertLoggerRequest::ERR_CERT_NO_REVOCATION_MECHANISM);
+}
+
 }  // namespace

 namespace chrome_browser_net {
@@ -265,6 +302,8 @@ void CertificateErrorReporter::BuildReport(const std::string& hostname,
    *cert_chain += pem_encoded_chain[i];

  out_request->add_pin(ssl_info.pinning_failure_log);
+
+  AddCertStatusToReportErrors(ssl_info.cert_status, out_request);
 }

 void CertificateErrorReporter::RequestComplete(net::URLRequest* request) {

--- a/chrome/browser/net/certificate_error_reporter_unittest.cc
+++ b/chrome/browser/net/certificate_error_reporter_unittest.cc
@@ -26,6 +26,7 @@
 #include "net/base/upload_bytes_element_reader.h"
 #include "net/base/upload_data_stream.h"
 #include "net/base/upload_element_reader.h"
+#include "net/cert/cert_status_flags.h"
 #include "net/test/cert_test_util.h"
 #include "net/test/url_request/url_request_failed_job.h"
 #include "net/test/url_request/url_request_mock_data_job.h"
@@ -35,6 +36,7 @@

 using chrome_browser_net::CertificateErrorReporter;
 using content::BrowserThread;
+using net::CertStatus;
 using net::CompletionCallback;
 using net::SSLInfo;
 using net::NetworkDelegateImpl;
@@ -48,12 +50,21 @@ const char kSecondRequestHostname[] = "test2.mail.google.com";
 const char kDummyFailureLog[] = "dummy failure log";
 const char kTestCertFilename[] = "test_mail_google_com.pem";
 const uint32 kServerPublicKeyVersion = 1;
+const CertStatus kCertStatus =
+    net::CERT_STATUS_COMMON_NAME_INVALID | net::CERT_STATUS_REVOKED;
+const size_t kNumCertErrors = 2;
+const chrome_browser_net::CertLoggerRequest::CertError kFirstReportedCertError =
+    chrome_browser_net::CertLoggerRequest::ERR_CERT_COMMON_NAME_INVALID;
+const chrome_browser_net::CertLoggerRequest::CertError
+    kSecondReportedCertError =
+        chrome_browser_net::CertLoggerRequest::ERR_CERT_REVOKED;

 SSLInfo GetTestSSLInfo() {
  SSLInfo info;
  info.cert =
      net::ImportCertFromFile(net::GetTestCertsDirectory(), kTestCertFilename);
  info.is_issued_by_known_root = true;
+  info.cert_status = kCertStatus;
  info.pinning_failure_log = kDummyFailureLog;
  return info;
 }
@@ -120,6 +131,18 @@ void CheckUploadData(URLRequest* request,
  EXPECT_EQ(GetPEMEncodedChain(), uploaded_request.cert_chain());
  EXPECT_EQ(1, uploaded_request.pin().size());
  EXPECT_EQ(kDummyFailureLog, uploaded_request.pin().Get(0));
+  EXPECT_EQ(2, uploaded_request.cert_error().size());
+
+  std::set<chrome_browser_net::CertLoggerRequest::CertError> reported_errors;
+  reported_errors.insert(
+      static_cast<chrome_browser_net::CertLoggerRequest::CertError>(
+          uploaded_request.cert_error().Get(0)));
+  reported_errors.insert(
+      static_cast<chrome_browser_net::CertLoggerRequest::CertError>(
+          uploaded_request.cert_error().Get(1)));
+  EXPECT_EQ(kNumCertErrors, reported_errors.size());
+  EXPECT_EQ(1u, reported_errors.count(kFirstReportedCertError));
+  EXPECT_EQ(1u, reported_errors.count(kSecondReportedCertError));
 }

 // A network delegate that lets tests check that a certificate error