Handle wildcard from --origin_to_force_quic_on in ProofVerifierChromium

ProofVerifierChromium will reject certificates that don't chain to a
known root unless the hostname matches one specified in
--origin_to_force_quic_on. That flag also allows a wildcard "*" to force
QUIC on for all origins, but that wasn't handled in
ProofVerifierChromium. Now it is.

Change-Id: I9576bcfbb14aac8956a81731d35190062e469b23
Bug: b/144497826
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2048034Reviewed-by: Zhongyi Shi <zhongyi@chromium.org>
Commit-Queue: Nick Harper <nharper@chromium.org>
Cr-Commit-Position: refs/heads/master@{#741599}

net/quic/crypto/proof_verifier_chromium.cc

@@ -120,6 +120,8 @@ class ProofVerifierChromium::Job {
                        const std::string& signature,
                        const std::string& cert);
 
+  bool ShouldAllowUnknownRootForHost(const std::string& hostname);
+
   // Proof verifier to notify when this jobs completes.
   ProofVerifierChromium* proof_verifier_;
 
@@ -390,6 +392,15 @@ int ProofVerifierChromium::Job::DoVerifyCert(int result) {
       &cert_verifier_request_, net_log_);
 }
 
+bool ProofVerifierChromium::Job::ShouldAllowUnknownRootForHost(
+    const std::string& hostname) {
+  if (base::Contains(proof_verifier_->hostnames_to_allow_unknown_roots_, "")) {
+    return true;
+  }
+  return base::Contains(proof_verifier_->hostnames_to_allow_unknown_roots_,
+                        hostname);
+}
+
 int ProofVerifierChromium::Job::DoVerifyCertComplete(int result) {
   base::UmaHistogramSparse("Net.QuicSession.CertVerificationResult", -result);
   cert_verifier_request_.reset();
@@ -504,8 +515,7 @@ int ProofVerifierChromium::Job::DoVerifyCertComplete(int result) {
 
   if (result == OK &&
       !verify_details_->cert_verify_result.is_issued_by_known_root &&
-      !base::Contains(proof_verifier_->hostnames_to_allow_unknown_roots_,
-                      hostname_)) {
+      !ShouldAllowUnknownRootForHost(hostname_)) {
     result = ERR_QUIC_CERT_ROOT_NOT_KNOWN;
   }
 

net/quic/crypto/proof_verifier_chromium_test.cc

@@ -959,6 +959,31 @@ TEST_F(ProofVerifierChromiumTest, UnknownRootAcceptedWithOverride) {
             verify_details->cert_verify_result.cert_status);
 }
 
+TEST_F(ProofVerifierChromiumTest, UnknownRootAcceptedWithWildcardOverride) {
+  dummy_result_.is_issued_by_known_root = false;
+
+  MockCertVerifier dummy_verifier;
+  dummy_verifier.AddResultForCert(test_cert_.get(), dummy_result_, OK);
+
+  ProofVerifierChromium proof_verifier(&dummy_verifier, &ct_policy_enforcer_,
+                                       &transport_security_state_,
+                                       ct_verifier_.get(), {""});
+
+  std::unique_ptr<DummyProofVerifierCallback> callback(
+      new DummyProofVerifierCallback);
+  quic::QuicAsyncStatus status = proof_verifier.VerifyProof(
+      kTestHostname, kTestPort, kTestConfig, quic::QUIC_VERSION_43,
+      kTestChloHash, certs_, kTestEmptySCT, GetTestSignature(),
+      verify_context_.get(), &error_details_, &details_, std::move(callback));
+  ASSERT_EQ(quic::QUIC_SUCCESS, status);
+
+  ASSERT_TRUE(details_.get());
+  ProofVerifyDetailsChromium* verify_details =
+      static_cast<ProofVerifyDetailsChromium*>(details_.get());
+  EXPECT_EQ(dummy_result_.cert_status,
+            verify_details->cert_verify_result.cert_status);
+}
+
 // Tests that the VerifyCertChain verifies certificates.
 TEST_F(ProofVerifierChromiumTest, VerifyCertChain) {
   MockCertVerifier dummy_verifier;