[WebLayer] Add ssl_error_assistant proto to resources allowlist

WebLayer was inadvertently stripping out the ssl_error_assistant proto
from its resources, meaning that it ended up not using any of the data
in the proto (as it also doesn't use the component updater to fetech the
proto). This proto has Chrome's list of known captive portal, MITM, and
dynamic interstitial certificates. The most concrete consequence of this
fact at this time is that WebLayer will not correctly detect known
captive portals.

This CL fixes the bug and adds a test that fails without the fix. To
verify manually, go to captive-portal.badssl.com and check that the
captive portal interstitial appears rather than the generic SSL
interstitial.

Bug: 1128964
Change-Id: Ife74e1c7898b7f57c238871a1fb646eb0ebf677d
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2414297Reviewed-by: Clark DuVall <cduvall@chromium.org>
Commit-Queue: Colin Blundell <blundell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#807787}

weblayer/browser/ssl_browsertest.cc

@@ -12,8 +12,10 @@
 #include "build/build_config.h"
 #include "components/network_time/network_time_tracker.h"
 #include "components/security_interstitials/content/insecure_form_blocking_page.h"
+#include "components/security_interstitials/content/ssl_error_assistant.h"
 #include "components/security_interstitials/content/ssl_error_handler.h"
 #include "components/security_interstitials/core/features.h"
+#include "net/ssl/ssl_info.h"
 #include "net/test/embedded_test_server/embedded_test_server.h"
 #include "weblayer/browser/browser_process.h"
 #include "weblayer/browser/weblayer_security_blocking_page_factory.h"
@@ -379,6 +381,26 @@ IN_PROC_BROWSER_TEST_F(SSLBrowserTest, BadClockInterstitial) {
   NavigateToPageWithExpiredCertExpectBadClockInterstitial();
 }
 
+// This test verifies that a certificate in the list of known captive portal
+// certificates in ssl_error_assistant.asciipb is detected as such. This serves
+// to verify that the ssl_error_assistant proto was correctly loaded.
+IN_PROC_BROWSER_TEST_F(SSLBrowserTest,
+                       CertificateInKnownCaptivePortalsListDetected) {
+  net::SSLInfo ssl_info_with_known_captive_portal_cert;
+  net::HashValue captive_portal_public_key;
+
+  // Set up the SSSLInfo with the certificate of captive-portal.badssl.com
+  // (taken from ssl_error_assistant.asciipb).
+  ASSERT_TRUE(captive_portal_public_key.FromString(
+      "sha256/fjZPHewEHTrMDX3I1ecEIeoy3WFxHyGplOLv28kIbtI="));
+  net::HashValueVector public_keys;
+  public_keys.push_back(captive_portal_public_key);
+  ssl_info_with_known_captive_portal_cert.public_key_hashes = public_keys;
+
+  EXPECT_TRUE(SSLErrorAssistant().IsKnownCaptivePortalCertificate(
+      ssl_info_with_known_captive_portal_cert));
+}
+
 // Verifies an error page is not requested for an ssl error.
 IN_PROC_BROWSER_TEST_F(SSLBrowserTest, ErrorPageNotCalledForMismatch) {
   TestErrorPageDelegate error_page_delegate;

weblayer/grit_resources_allowlist.txt

 IDR_SAD_PLUGIN
 IDR_SAD_WEBVIEW
+IDR_SSL_ERROR_ASSISTANT_PB
 IDR_TRANSLATE_JS