Fix EV PageInfo check

Before we required Organization, Country, and Locality to be set, but EV certificates require Organization, Country, and at least one of Locality OR State. This updates the check in PageInfoBubbleView to only check the fields that are actually used in the UI, and adds a regression test (and certificate) exercising this case. Fixed: 1069113 Change-Id: I5a5eff339eb875fa4d36c61f0e5ffc1d4ba95ce3 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2142714Reviewed-by: Mustafa Emre Acer <meacer@chromium.org> Reviewed-by: Ryan Sleevi <rsleevi@chromium.org> Commit-Queue: Christopher Thompson <cthomp@chromium.org> Cr-Commit-Position: refs/heads/master@{#758296}

Fix EV PageInfo check
Before we required Organization, Country, and Locality to be set, but EV certificates require Organization, Country, and at least one of Locality OR State. This updates the check in PageInfoBubbleView to only check the fields that are actually used in the UI, and adds a regression test (and certificate) exercising this case. Fixed: 1069113 Change-Id: I5a5eff339eb875fa4d36c61f0e5ffc1d4ba95ce3 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2142714Reviewed-by: Mustafa Emre Acer <meacer@chromium.org> Reviewed-by: Ryan Sleevi <rsleevi@chromium.org> Commit-Queue: Christopher Thompson <cthomp@chromium.org> Cr-Commit-Position: refs/heads/master@{#758296}
973da38f · Chris Thompson · Commit Bot · 1a12ec50 · 973da38f · 973da38f
Commit 973da38f authored Apr 10, 2020 by Chris Thompson Committed by Commit Bot Apr 10, 2020
8 changed files
--- a/chrome/browser/ui/views/page_info/page_info_bubble_view.cc
+++ b/chrome/browser/ui/views/page_info/page_info_bubble_view.cc
@@ -820,10 +820,8 @@ void PageInfoBubbleView::SetIdentityInfo(const IdentityInfo& identity_info) {
              PageInfo::SITE_IDENTITY_STATUS_EV_CERT &&
          identity_info.connection_status ==
              PageInfo::SITE_CONNECTION_STATUS_ENCRYPTED) {
-        // An EV cert is required to have an organization name, a city
-        // (localityName), and country, but state is "if any".
+        // An EV cert is required to have an organization name and a country.
        if (!certificate_->subject().organization_names.empty() &&
-            !certificate_->subject().locality_name.empty() &&
            !certificate_->subject().country_name.empty()) {
          subtitle_text = l10n_util::GetStringFUTF16(
              IDS_PAGE_INFO_SECURITY_TAB_SECURE_IDENTITY_EV_VERIFIED,

--- a/chrome/browser/ui/views/page_info/page_info_bubble_view_unittest.cc
+++ b/chrome/browser/ui/views/page_info/page_info_bubble_view_unittest.cc
@@ -742,9 +742,50 @@ TEST_F(PageInfoBubbleViewTest, CertificateButtonShowsEvCertDetails) {
                                     &connection_status);
  net::SSLInfo ssl_info;
  ssl_info.connection_status = connection_status;
-  ssl_info.cert = net::X509Certificate::CreateFromBytes(
-      reinterpret_cast<const char*>(thawte_der), sizeof(thawte_der));
+  ssl_info.cert =
+      net::ImportCertFromFile(net::GetTestCertsDirectory(), "ev_test.pem");
+  ASSERT_TRUE(ssl_info.cert);
+  ssl_info.cert_status = net::CERT_STATUS_IS_EV;
+
+  navigation->SetSSLInfo(ssl_info);
+
+  navigation->Commit();
+  EXPECT_EQ(l10n_util::GetStringUTF16(IDS_PAGE_INFO_SECURE_SUMMARY),
+            api_->GetWindowTitle());
+
+  // The certificate button subtitle should show the EV certificate organization
+  // name and country of incorporation.
+  EXPECT_EQ(l10n_util::GetStringFUTF16(
+                IDS_PAGE_INFO_SECURITY_TAB_SECURE_IDENTITY_EV_VERIFIED,
+                base::UTF8ToUTF16("Test Org"), base::UTF8ToUTF16("US")),
+            api_->GetCertificateButtonSubtitleText());
+}
+
+// Regression test for crbug.com/1069113. Test cert includes country and state
+// but not locality.
+TEST_F(PageInfoBubbleViewTest, EvDetailsShowForCertWithStateButNoLocality) {
+  SecurityStateTabHelper::CreateForWebContents(
+      web_contents_helper_.web_contents());
+  std::unique_ptr<content::NavigationSimulator> navigation =
+      content::NavigationSimulator::CreateRendererInitiated(
+          GURL(kSecureUrl),
+          web_contents_helper_.web_contents()->GetMainFrame());
+  navigation->Start();
+  api_->CreateView();
+
+  // Set up a test SSLInfo so that Page Info sees the connection as secure and
+  // using an EV certificate.
+  uint16_t cipher_suite = 0xc02f;  // TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+  int connection_status = 0;
+  net::SSLConnectionStatusSetCipherSuite(cipher_suite, &connection_status);
+  net::SSLConnectionStatusSetVersion(net::SSL_CONNECTION_VERSION_TLS1_2,
+                                     &connection_status);
+  net::SSLInfo ssl_info;
+  ssl_info.connection_status = connection_status;
+  ssl_info.cert = net::ImportCertFromFile(net::GetTestCertsDirectory(),
+                                          "ev_test_state_only.pem");
  ASSERT_TRUE(ssl_info.cert);
+
  ssl_info.cert_status = net::CERT_STATUS_IS_EV;

  navigation->SetSSLInfo(ssl_info);
@@ -757,6 +798,6 @@ TEST_F(PageInfoBubbleViewTest, CertificateButtonShowsEvCertDetails) {
  // name and country of incorporation.
  EXPECT_EQ(l10n_util::GetStringFUTF16(
                IDS_PAGE_INFO_SECURITY_TAB_SECURE_IDENTITY_EV_VERIFIED,
-                base::UTF8ToUTF16("Thawte Inc"), base::UTF8ToUTF16("US")),
+                base::UTF8ToUTF16("Test Org"), base::UTF8ToUTF16("US")),
            api_->GetCertificateButtonSubtitleText());
 }
--- a/net/BUILD.gn
+++ b/net/BUILD.gn
@@ -1961,6 +1961,8 @@ bundle_data("test_support_bundle_data") {
    "data/ssl/certificates/duplicate_cn_2.pem",
    "data/ssl/certificates/eku-test-root.pem",
    "data/ssl/certificates/empty_subject_cert.der",
+    "data/ssl/certificates/ev_test.pem",
+    "data/ssl/certificates/ev_test_state_only.pem",
    "data/ssl/certificates/expired_cert.pem",
    "data/ssl/certificates/explicit-policy-chain.pem",
    "data/ssl/certificates/foaf.me.chromium-test-cert.der",

--- a/net/data/ssl/certificates/README
+++ b/net/data/ssl/certificates/README
@@ -208,6 +208,11 @@ unit tests.
    verification, regardless of the order in which the intermediate/root CA
    certificates are provided.

+- ev_test.pem
+- ev_test_state_only.pem
+     Certificates for testing EV display (including regression test for
+     https://crbug.com/1069113).
+
 ===== From net/data/ssl/scripts/generate-weak-test-chains.sh
 - 2048-rsa-root.pem
 - {768-rsa,1024-rsa,2048-rsa,prime256v1-ecdsa}-intermediate.pem

--- a/net/data/ssl/certificates/ev_test.pem
+++ b/net/data/ssl/certificates/ev_test.pem
+Certificate:
+    Data:
+        Version: 1 (0x0)
+        Serial Number:
+            76:70:77:fb:69:b5:13:08:c1:79:b8:d7:95:33:03:52:f0:1a:61:13
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = California, L = Mountain View, O = Test Org
+        Validity
+            Not Before: Apr 10 18:36:42 2020 GMT
+            Not After : Apr 10 18:36:42 2022 GMT
+        Subject: C = US, ST = California, L = Mountain View, O = Test Org
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:bd:83:f9:36:21:cf:0c:f0:fe:30:71:90:e5:bb:
+                    9b:77:67:00:5f:43:96:c1:a6:99:06:bf:d2:41:27:
+                    f9:d5:7f:be:5f:3a:55:a6:ff:4c:7c:07:fe:36:4f:
+                    9f:46:54:2d:3e:d9:13:ab:e3:e0:66:45:b6:ac:5a:
+                    62:21:13:f9:52:d9:20:c9:a7:92:b1:47:b1:46:98:
+                    8e:6a:e6:3e:48:2c:a2:ac:3a:65:b0:ce:7a:14:14:
+                    7f:88:d1:93:4a:9c:4d:dc:e8:89:ba:8b:68:c7:f0:
+                    3f:b7:80:de:97:4d:9c:16:2c:66:a7:e0:37:bd:9f:
+                    01:ed:dd:4a:bb:3b:d3:67:58:27:c5:e9:a6:8e:97:
+                    4a:35:02:00:04:ea:78:65:a3:d0:01:e8:8c:ef:88:
+                    e2:fe:d8:77:a0:60:8e:08:a1:b1:90:e5:8d:4e:2b:
+                    7d:a8:b2:17:24:81:e2:6b:85:68:ee:11:41:65:d1:
+                    5b:08:d3:a8:2d:2a:98:7e:1d:c4:a9:8f:7f:ec:69:
+                    2a:97:a8:5c:bc:d2:85:de:a6:53:5f:73:8e:ca:97:
+                    66:d4:04:41:d8:ef:20:12:0c:3b:21:75:dc:6d:69:
+                    2b:00:a3:e4:09:9a:53:8e:be:f6:92:40:2e:a6:4f:
+                    55:d4:59:34:18:8b:79:0b:19:98:0d:c5:48:45:db:
+                    b1:5b
+                Exponent: 65537 (0x10001)
+    Signature Algorithm: sha256WithRSAEncryption
+         70:b2:c2:f6:4f:8e:82:a2:fc:6c:0e:a4:1a:e9:ee:90:ff:0c:
+         70:f3:a3:77:bd:21:76:3d:83:58:12:27:33:9c:1e:74:0d:7f:
+         19:bd:80:4a:ec:29:48:2b:09:5e:d7:f3:1a:db:39:f8:ca:f6:
+         b1:51:f8:84:86:2e:f7:d1:7b:84:93:dd:63:c0:d3:2a:da:3b:
+         be:75:bf:9e:3f:02:ea:82:1f:13:3a:ab:1c:40:a1:16:a2:31:
+         91:71:50:7a:9f:a3:97:37:a6:77:77:84:85:65:3c:4c:47:d8:
+         ef:42:f5:b4:dc:87:1f:2a:3a:b0:72:4f:6f:75:b2:b0:60:f3:
+         ff:a2:e9:f0:ec:a8:b5:a1:dc:1a:74:1d:f3:4a:13:9e:1f:06:
+         c8:c6:c9:6e:b0:9a:67:e8:90:b5:38:51:ce:8f:96:f4:89:f8:
+         b2:b4:44:f5:35:98:20:32:a1:e6:7a:ee:8d:88:9c:cb:fc:36:
+         a3:3d:4b:8a:6f:4a:e0:0b:21:b7:5d:9d:68:ab:88:60:7f:db:
+         61:a0:cd:0a:76:bb:b4:19:36:79:84:c3:ea:69:67:50:60:e3:
+         20:9a:74:74:8f:44:52:fa:b4:31:6b:0d:12:37:38:bc:39:f7:
+         b6:d9:07:10:89:31:50:2a:20:a7:2f:16:df:a6:4c:0c:ae:70:
+         93:24:30:ef
+-----BEGIN CERTIFICATE-----
+MIIDITCCAgkCFHZwd/tptRMIwXm415UzA1LwGmETMA0GCSqGSIb3DQEBCwUAME0x
+CzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3Vu
+dGFpbiBWaWV3MREwDwYDVQQKDAhUZXN0IE9yZzAeFw0yMDA0MTAxODM2NDJaFw0y
+MjA0MTAxODM2NDJaME0xCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlh
+MRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3MREwDwYDVQQKDAhUZXN0IE9yZzCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL2D+TYhzwzw/jBxkOW7m3dnAF9D
+lsGmmQa/0kEn+dV/vl86Vab/THwH/jZPn0ZULT7ZE6vj4GZFtqxaYiET+VLZIMmn
+krFHsUaYjmrmPkgsoqw6ZbDOehQUf4jRk0qcTdzoibqLaMfwP7eA3pdNnBYsZqfg
+N72fAe3dSrs702dYJ8Xppo6XSjUCAATqeGWj0AHojO+I4v7Yd6BgjgihsZDljU4r
+faiyFySB4muFaO4RQWXRWwjTqC0qmH4dxKmPf+xpKpeoXLzShd6mU19zjsqXZtQE
+QdjvIBIMOyF13G1pKwCj5AmaU46+9pJALqZPVdRZNBiLeQsZmA3FSEXbsVsCAwEA
+ATANBgkqhkiG9w0BAQsFAAOCAQEAcLLC9k+OgqL8bA6kGunukP8McPOjd70hdj2D
+WBInM5wedA1/Gb2ASuwpSCsJXtfzGts5+Mr2sVH4hIYu99F7hJPdY8DTKto7vnW/
+nj8C6oIfEzqrHEChFqIxkXFQep+jlzemd3eEhWU8TEfY70L1tNyHHyo6sHJPb3Wy
+sGDz/6Lp8OyotaHcGnQd80oTnh8GyMbJbrCaZ+iQtThRzo+W9In4srRE9TWYIDKh
+5nrujYicy/w2oz1Lim9K4Asht12daKuIYH/bYaDNCna7tBk2eYTD6mlnUGDjIJp0
+dI9EUvq0MWsNEjc4vDn3ttkHEIkxUCogpy8W36ZMDK5wkyQw7w==
+-----END CERTIFICATE-----
--- a/net/data/ssl/certificates/ev_test_state_only.pem
+++ b/net/data/ssl/certificates/ev_test_state_only.pem
+Certificate:
+    Data:
+        Version: 1 (0x0)
+        Serial Number:
+            53:09:3e:01:61:14:4d:c5:a3:57:d3:66:76:b9:9b:ab:c9:07:7a:c6
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = California, O = Test Org
+        Validity
+            Not Before: Apr 10 18:36:42 2020 GMT
+            Not After : Apr 10 18:36:42 2022 GMT
+        Subject: C = US, ST = California, O = Test Org
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:f3:e0:35:ed:52:11:24:c5:f3:a2:0f:b9:41:2d:
+                    eb:4d:ec:f9:57:7c:4d:80:8d:9b:3b:f4:73:50:78:
+                    d8:a3:bd:7a:51:7f:20:e6:0a:b4:f7:2a:b4:fa:0e:
+                    1a:6c:aa:a6:19:f7:06:f4:39:8e:33:43:1b:70:f5:
+                    d6:b0:22:0e:c0:36:a6:7d:8a:3c:41:48:b6:a2:8b:
+                    ec:78:e3:f0:8f:7b:1a:14:c9:d8:6f:ca:af:28:4a:
+                    cc:6c:d1:2f:90:16:e1:0d:e8:5e:98:ec:9b:2f:6a:
+                    46:5c:e2:89:05:41:a5:93:bc:87:47:d4:23:05:c4:
+                    7f:a9:76:6d:06:29:c1:46:93:f6:50:9f:06:1b:79:
+                    55:68:74:40:be:cc:e9:41:1b:2e:c8:1a:dc:00:70:
+                    6d:2e:fd:cc:5f:93:2d:cb:9f:35:51:0c:fe:63:fb:
+                    1f:11:74:ed:5d:82:a4:00:67:9a:22:67:dd:91:94:
+                    db:6e:6f:5e:47:f2:bd:04:8d:f1:e7:73:76:bf:db:
+                    69:3a:a7:8a:8f:97:0d:17:11:34:4f:de:5a:c4:3b:
+                    1a:f0:b6:8f:c7:1f:41:7e:5f:68:98:38:d1:18:85:
+                    5e:75:71:29:d0:d9:aa:74:ed:6b:fd:11:07:85:c1:
+                    65:10:04:6b:9e:a4:b9:4d:d5:da:80:8d:02:33:18:
+                    27:7b
+                Exponent: 65537 (0x10001)
+    Signature Algorithm: sha256WithRSAEncryption
+         09:46:1a:3e:97:c5:ac:c2:f8:c4:c9:51:e2:ff:9b:e1:68:c2:
+         6a:aa:a2:11:32:34:93:95:a8:37:31:fa:2d:dc:fd:04:c5:e3:
+         0f:15:92:96:53:a6:7b:60:42:65:79:1d:b6:3c:f7:16:93:f8:
+         c9:a6:72:42:c6:e2:1c:26:e5:ca:07:5c:44:96:a7:ad:8e:74:
+         ac:ea:1a:e1:6c:fe:f6:b1:de:b7:03:69:6b:30:ea:8e:8f:af:
+         be:36:2c:10:20:7f:e1:7e:0d:b6:a1:cf:8e:05:4f:59:c8:3c:
+         e8:7c:5c:16:ff:f2:d3:eb:6a:31:57:66:06:da:f6:5c:99:a7:
+         9c:3f:09:f9:6a:b9:fe:4c:5a:b8:81:b8:04:bc:ce:ff:5c:62:
+         f8:0c:e6:0c:e6:68:32:e5:69:61:18:dd:6b:7e:a9:6c:1a:7e:
+         a9:c0:63:a2:bf:c6:48:80:48:17:d7:f8:8b:e6:7d:ae:72:f8:
+         26:75:b3:75:d1:6c:b1:55:53:7a:5b:7d:f3:d9:ca:b0:b8:8b:
+         84:d3:a8:a3:f0:6e:21:79:95:3e:aa:48:bd:cc:c6:5a:8f:6e:
+         fb:eb:9c:12:56:86:1e:d9:48:ec:ce:ce:06:8d:09:43:07:1a:
+         0f:4b:c4:ab:83:a2:13:8d:a5:40:96:1f:f2:da:42:c6:94:a2:
+         35:d1:82:bb
+-----BEGIN CERTIFICATE-----
+MIIC8TCCAdkCFFMJPgFhFE3Fo1fTZna5m6vJB3rGMA0GCSqGSIb3DQEBCwUAMDUx
+CzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMREwDwYDVQQKDAhUZXN0
+IE9yZzAeFw0yMDA0MTAxODM2NDJaFw0yMjA0MTAxODM2NDJaMDUxCzAJBgNVBAYT
+AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMREwDwYDVQQKDAhUZXN0IE9yZzCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPPgNe1SESTF86IPuUEt603s+Vd8
+TYCNmzv0c1B42KO9elF/IOYKtPcqtPoOGmyqphn3BvQ5jjNDG3D11rAiDsA2pn2K
+PEFItqKL7Hjj8I97GhTJ2G/KryhKzGzRL5AW4Q3oXpjsmy9qRlziiQVBpZO8h0fU
+IwXEf6l2bQYpwUaT9lCfBht5VWh0QL7M6UEbLsga3ABwbS79zF+TLcufNVEM/mP7
+HxF07V2CpABnmiJn3ZGU225vXkfyvQSN8edzdr/baTqnio+XDRcRNE/eWsQ7GvC2
+j8cfQX5faJg40RiFXnVxKdDZqnTta/0RB4XBZRAEa56kuU3V2oCNAjMYJ3sCAwEA
+ATANBgkqhkiG9w0BAQsFAAOCAQEACUYaPpfFrML4xMlR4v+b4WjCaqqiETI0k5Wo
+NzH6Ldz9BMXjDxWSllOme2BCZXkdtjz3FpP4yaZyQsbiHCblygdcRJanrY50rOoa
+4Wz+9rHetwNpazDqjo+vvjYsECB/4X4NtqHPjgVPWcg86HxcFv/y0+tqMVdmBtr2
+XJmnnD8J+Wq5/kxauIG4BLzO/1xi+AzmDOZoMuVpYRjda36pbBp+qcBjor/GSIBI
+F9f4i+Z9rnL4JnWzddFssVVTelt989nKsLiLhNOoo/BuIXmVPqpIvczGWo9u++uc
+ElaGHtlI7M7OBo0JQwcaD0vEq4OiE42lQJYf8tpCxpSiNdGCuw==
+-----END CERTIFICATE-----
--- a/net/data/ssl/scripts/ee.cnf
+++ b/net/data/ssl/scripts/ee.cnf
@@ -55,6 +55,17 @@ CN = SS B
 [req_punycode_dn]
 CN = xn--wgv71a119e.com

+[req_ev_dn]
+C = US
+ST = California
+L = Mountain View
+O = Test Org
+
+[req_ev_state_only_dn]
+C = US
+ST = California
+O = Test Org
+
 [req_extensions]
 subjectAltName = IP:127.0.0.1


--- a/net/data/ssl/scripts/generate-test-certs.sh
+++ b/net/data/ssl/scripts/generate-test-certs.sh
@@ -589,6 +589,17 @@ CA_NAME="req_ca_dn" \
    -out ../certificates/900_days_after_2019_07_01.pem \
    -config ca.cnf

+## Certificates for testing EV display (DN set with different variations)
+SUBJECT_NAME="req_ev_dn" \
+  openssl req -x509 -days ${CERT_LIFETIME} \
+    --config ../scripts/ee.cnf -newkey rsa:2048 -text \
+    -out ../certificates/ev_test.pem
+
+SUBJECT_NAME="req_ev_state_only_dn" \
+  openssl req -x509 -days ${CERT_LIFETIME} \
+    --config ../scripts/ee.cnf -newkey rsa:2048 -text \
+    -out ../certificates/ev_test_state_only.pem
+
 # Regenerate CRLSets
 ## Block a leaf cert directly by SPKI
 python crlsetutil.py -o ../certificates/crlset_by_leaf_spki.raw \