Enable limited CRLSet support on Android

This enables the fetching of CRLSets on Chrome for Android. While Android
is not yet using the CertVerifierBuiltin, which enables CRLSets during
path building, it does support CRLSets for known MITM detection and
disclosure.

This ports the existing CRLSet tests (which hang off SSLUITest but are
really browser tests) into platform-agnostic browser_tests, running on
either android_browsertests or browsertests, respectively.

Bug: 1025424
Change-Id: I89b066dfd539b287f35a20bea54d5cb5cb739501
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1930051Reviewed-by: Yaron Friedman <yfriedman@chromium.org>
Reviewed-by: Mustafa Emre Acer <meacer@chromium.org>
Commit-Queue: Ryan Sleevi <rsleevi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#720643}

chrome/browser/BUILD.gn

@@ -5550,6 +5550,8 @@ static_library("test_support") {
     "history/history_test_utils.h",
     "installable/fake_installable_manager.cc",
     "installable/fake_installable_manager.h",
+    "interstitials/security_interstitial_page_test_utils.cc",
+    "interstitials/security_interstitial_page_test_utils.h",
     "media/webrtc/fake_desktop_media_list.cc",
     "media/webrtc/fake_desktop_media_list.h",
     "media/webrtc/fake_desktop_media_picker_factory.cc",
@@ -5586,6 +5588,8 @@ static_library("test_support") {
     "signin/e2e_tests/test_accounts_util.h",
     "signin/identity_test_environment_profile_adaptor.cc",
     "signin/identity_test_environment_profile_adaptor.h",
+    "ssl/ssl_browsertest_util.cc",
+    "ssl/ssl_browsertest_util.h",
     "ssl/ssl_client_auth_requestor_mock.cc",
     "ssl/ssl_client_auth_requestor_mock.h",
     "ssl/tls_deprecation_test_utils.cc",
@@ -5835,10 +5839,14 @@ if (!is_android) {
     visibility = [ "//chrome/test:test_support_ui" ]
 
     sources = [
+      "interstitials/security_interstitial_idn_test.cc",
+      "interstitials/security_interstitial_idn_test.h",
       "password_manager/password_manager_test_base.cc",
       "password_manager/password_manager_test_base.h",
       "signin/token_revoker_test_utils.cc",
       "signin/token_revoker_test_utils.h",
+      "ssl/cert_verifier_platform_browser_test.cc",
+      "ssl/cert_verifier_platform_browser_test.h",
       "ui/webui/signin/login_ui_test_utils.cc",
       "ui/webui/signin/login_ui_test_utils.h",
       "ui/webui/test_data_source.cc",

chrome/browser/chrome_browser_main.cc

@@ -515,13 +515,12 @@ void RegisterComponentsForUpdate(bool is_off_the_record_profile,
     component_updater::DeleteLegacySTHSet(path);
 #endif
 
-#if !defined(OS_CHROMEOS) && !defined(OS_ANDROID)
+#if !defined(OS_CHROMEOS)
     // CRLSetFetcher attempts to load a CRL set from either the local disk or
     // network.
     // For Chrome OS this registration is delayed until user login.
-    // On Android, we do not register at all.
     component_updater::RegisterCRLSetComponent(cus, path);
-#endif  // !defined(OS_CHROMEOS) && !defined(OS_ANDROID)
+#endif  // !defined(OS_CHROMEOS)
 
     RegisterOriginTrialsComponent(cus, path);
 

chrome/browser/component_updater/crl_set_component_installer_unittest.cc

@@ -107,16 +107,16 @@ TEST_F(CRLSetComponentInstallerTest, ConfiguresOnInstall) {
   ASSERT_EQ(net::OK, client_->completion_status().error_code);
 
   // Simulate a CRLSet being installed.
-  ASSERT_NO_FATAL_FAILURE(InstallCRLSet(
-      net::GetTestCertsDirectory().AppendASCII("crlset_by_leaf_spki.raw")));
+  ASSERT_NO_FATAL_FAILURE(
+      InstallCRLSet(net::GetTestCertsDirectory().AppendASCII(
+          "crlset_known_interception_by_root.raw")));
 
-  // Ensure the test server is now blocked.
+  // Ensure the test server is now flagged as a known MITM certificate.
   LoadURL(test_server_.GetURL("/empty.html"));
-  EXPECT_EQ(net::ERR_INSECURE_RESPONSE,
-            client_->completion_status().error_code);
-  ASSERT_TRUE(client_->completion_status().ssl_info.has_value());
-  EXPECT_TRUE(client_->completion_status().ssl_info->cert_status &
-              net::CERT_STATUS_REVOKED);
+  ASSERT_EQ(net::OK, client_->completion_status().error_code);
+  ASSERT_TRUE(client_->ssl_info());
+  EXPECT_TRUE(client_->ssl_info()->cert_status &
+              net::CERT_STATUS_KNOWN_INTERCEPTION_DETECTED);
 }
 
 TEST_F(CRLSetComponentInstallerTest, ReconfiguresAfterRestartWithCRLSet) {
@@ -129,16 +129,16 @@ TEST_F(CRLSetComponentInstallerTest, ReconfiguresAfterRestartWithCRLSet) {
   ASSERT_EQ(net::OK, client_->completion_status().error_code);
 
   // Simulate a CRLSet being installed.
-  ASSERT_NO_FATAL_FAILURE(InstallCRLSet(
-      net::GetTestCertsDirectory().AppendASCII("crlset_by_leaf_spki.raw")));
+  ASSERT_NO_FATAL_FAILURE(
+      InstallCRLSet(net::GetTestCertsDirectory().AppendASCII(
+          "crlset_known_interception_by_root.raw")));
 
-  // Ensure the test server is now blocked.
+  // Ensure the test server is now flagged as a known MITM certificate.
   LoadURL(test_server_.GetURL("/empty.html"));
-  EXPECT_EQ(net::ERR_INSECURE_RESPONSE,
-            client_->completion_status().error_code);
-  ASSERT_TRUE(client_->completion_status().ssl_info.has_value());
-  EXPECT_TRUE(client_->completion_status().ssl_info->cert_status &
-              net::CERT_STATUS_REVOKED);
+  ASSERT_EQ(net::OK, client_->completion_status().error_code);
+  ASSERT_TRUE(client_->ssl_info());
+  EXPECT_TRUE(client_->ssl_info()->cert_status &
+              net::CERT_STATUS_KNOWN_INTERCEPTION_DETECTED);
 
   // Simulate a Network Service crash
   SimulateCrash();
@@ -150,14 +150,13 @@ TEST_F(CRLSetComponentInstallerTest, ReconfiguresAfterRestartWithCRLSet) {
       network_context_.BindNewPipeAndPassReceiver(),
       network::mojom::NetworkContextParams::New());
 
-  // Ensure the test server is still blocked even with a new context and
+  // Ensure the test server is still flagged even with a new context and
   // service.
   LoadURL(test_server_.GetURL("/empty.html"));
-  EXPECT_EQ(net::ERR_INSECURE_RESPONSE,
-            client_->completion_status().error_code);
-  ASSERT_TRUE(client_->completion_status().ssl_info.has_value());
-  EXPECT_TRUE(client_->completion_status().ssl_info->cert_status &
-              net::CERT_STATUS_REVOKED);
+  ASSERT_EQ(net::OK, client_->completion_status().error_code);
+  ASSERT_TRUE(client_->ssl_info());
+  EXPECT_TRUE(client_->ssl_info()->cert_status &
+              net::CERT_STATUS_KNOWN_INTERCEPTION_DETECTED);
 }
 
 TEST_F(CRLSetComponentInstallerTest, ReconfiguresAfterRestartWithNoCRLSet) {

chrome/browser/interstitials/security_interstitial_idn_test.cc

+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/browser/interstitials/security_interstitial_idn_test.h"
+
+#include "base/strings/stringprintf.h"
+#include "chrome/browser/interstitials/security_interstitial_page_test_utils.h"
+#include "chrome/browser/profiles/profile.h"
+#include "chrome/browser/ui/browser.h"
+#include "chrome/browser/ui/tabs/tab_strip_model.h"
+#include "components/language/core/browser/pref_names.h"
+#include "components/prefs/pref_service.h"
+#include "components/security_interstitials/content/security_interstitial_page.h"
+#include "components/security_interstitials/core/controller_client.h"
+#include "content/public/browser/interstitial_page.h"
+#include "content/public/browser/web_contents.h"
+#include "url/gurl.h"
+
+namespace chrome_browser_interstitials {
+
+testing::AssertionResult SecurityInterstitialIDNTest::VerifyIDNDecoded() const {
+  const char kHostname[] = "xn--d1abbgf6aiiy.xn--p1ai";
+  const char kHostnameJSUnicode[] =
+      "\\u043f\\u0440\\u0435\\u0437\\u0438\\u0434\\u0435\\u043d\\u0442."
+      "\\u0440\\u0444";
+  std::string request_url_spec = base::StringPrintf("https://%s/", kHostname);
+  GURL request_url(request_url_spec);
+
+  content::WebContents* contents =
+      browser()->tab_strip_model()->GetActiveWebContents();
+  DCHECK(contents);
+  security_interstitials::SecurityInterstitialPage* blocking_page =
+      CreateInterstitial(contents, request_url);
+  blocking_page->Show();
+
+  WaitForInterstitialAttach(contents);
+  if (!WaitForRenderFrameReady(contents->GetInterstitialPage()->GetMainFrame()))
+    return testing::AssertionFailure() << "Render frame not ready";
+
+  if (IsInterstitialDisplayingText(
+          contents->GetInterstitialPage()->GetMainFrame(),
+          kHostnameJSUnicode)) {
+    return testing::AssertionSuccess();
+  }
+  return testing::AssertionFailure() << "Interstitial not displaying text";
+}
+
+}  // namespace chrome_browser_interstitials

chrome/browser/interstitials/security_interstitial_idn_test.h

+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CHROME_BROWSER_INTERSTITIALS_SECURITY_INTERSTITIAL_IDN_TEST_H_
+#define CHROME_BROWSER_INTERSTITIALS_SECURITY_INTERSTITIAL_IDN_TEST_H_
+
+#include "chrome/test/base/in_process_browser_test.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+namespace content {
+class WebContents;
+}  // namespace content
+
+class GURL;
+
+namespace security_interstitials {
+class SecurityInterstitialPage;
+}  // namespace security_interstitials
+
+namespace chrome_browser_interstitials {
+
+// This class is used for testing the display of IDN names in security
+// interstitials.
+class SecurityInterstitialIDNTest : public InProcessBrowserTest {
+ public:
+  // Run a test that creates an interstitial with an IDN request URL
+  // and checks that it is properly decoded.
+  testing::AssertionResult VerifyIDNDecoded() const;
+
+ protected:
+  virtual security_interstitials::SecurityInterstitialPage* CreateInterstitial(
+      content::WebContents* contents,
+      const GURL& request_url) const = 0;
+};
+
+}  // namespace chrome_browser_interstitials
+
+#endif  // CHROME_BROWSER_INTERSTITIALS_SECURITY_INTERSTITIAL_IDN_TEST_H_

chrome/browser/interstitials/security_interstitial_page_test_utils.cc

@@ -4,22 +4,13 @@
 
 #include "chrome/browser/interstitials/security_interstitial_page_test_utils.h"
 
-#include <string>
-
 #include "base/strings/stringprintf.h"
-#include "chrome/browser/profiles/profile.h"
-#include "chrome/browser/ui/browser.h"
-#include "chrome/browser/ui/tabs/tab_strip_model.h"
-#include "components/language/core/browser/pref_names.h"
-#include "components/prefs/pref_service.h"
 #include "components/security_interstitials/content/security_interstitial_page.h"
+#include "components/security_interstitials/content/security_interstitial_tab_helper.h"
 #include "components/security_interstitials/core/controller_client.h"
-#include "content/public/browser/interstitial_page.h"
 #include "content/public/browser/render_frame_host.h"
 #include "content/public/browser/web_contents.h"
 #include "content/public/test/browser_test_utils.h"
-#include "testing/gtest/include/gtest/gtest.h"
-#include "url/gurl.h"
 
 namespace chrome_browser_interstitials {
 
@@ -40,36 +31,53 @@ bool IsInterstitialDisplayingText(content::RenderFrameHost* interstitial_frame,
   return result == security_interstitials::CMD_TEXT_FOUND;
 }
 
-void SecurityInterstitialIDNTest::SetUpOnMainThread() {
-  // Clear AcceptLanguages to force punycode decoding.
-  browser()->profile()->GetPrefs()->SetString(language::prefs::kAcceptLanguages,
-                                              std::string());
+bool InterstitialHasProceedLink(content::RenderFrameHost* interstitial_frame) {
+  int result = security_interstitials::CMD_ERROR;
+  const std::string javascript = base::StringPrintf(
+      "domAutomationController.send("
+      "(document.querySelector(\"#proceed-link\") === null) "
+      "? (%d) : (%d))",
+      security_interstitials::CMD_TEXT_NOT_FOUND,
+      security_interstitials::CMD_TEXT_FOUND);
+  EXPECT_TRUE(content::ExecuteScriptAndExtractInt(interstitial_frame,
+                                                  javascript, &result));
+  return result == security_interstitials::CMD_TEXT_FOUND;
+}
+
+bool IsShowingInterstitial(content::WebContents* tab) {
+  security_interstitials::SecurityInterstitialTabHelper* helper =
+      security_interstitials::SecurityInterstitialTabHelper::FromWebContents(
+          tab);
+  return helper &&
+         helper->GetBlockingPageForCurrentlyCommittedNavigationForTesting();
+}
+
+bool IsShowingCaptivePortalInterstitial(content::WebContents* tab) {
+  return IsShowingInterstitial(tab) &&
+         IsInterstitialDisplayingText(tab->GetMainFrame(), "Connect to");
 }
 
-testing::AssertionResult SecurityInterstitialIDNTest::VerifyIDNDecoded() const {
-  const char kHostname[] = "xn--d1abbgf6aiiy.xn--p1ai";
-  const char kHostnameJSUnicode[] =
-      "\\u043f\\u0440\\u0435\\u0437\\u0438\\u0434\\u0435\\u043d\\u0442."
-      "\\u0440\\u0444";
-  std::string request_url_spec = base::StringPrintf("https://%s/", kHostname);
-  GURL request_url(request_url_spec);
+bool IsShowingSSLInterstitial(content::WebContents* tab) {
+  return IsShowingInterstitial(tab) &&
+         IsInterstitialDisplayingText(tab->GetMainFrame(),
+                                      "Your connection is not private");
+}
 
-  content::WebContents* contents =
-      browser()->tab_strip_model()->GetActiveWebContents();
-  DCHECK(contents);
-  security_interstitials::SecurityInterstitialPage* blocking_page =
-      CreateInterstitial(contents, request_url);
-  blocking_page->Show();
+bool IsShowingMITMInterstitial(content::WebContents* tab) {
+  return IsShowingInterstitial(tab) &&
+         IsInterstitialDisplayingText(tab->GetMainFrame(),
+                                      "An application is stopping");
+}
 
-  WaitForInterstitialAttach(contents);
-  if (!WaitForRenderFrameReady(contents->GetInterstitialPage()->GetMainFrame()))
-    return testing::AssertionFailure() << "Render frame not ready";
+bool IsShowingBadClockInterstitial(content::WebContents* tab) {
+  return IsShowingInterstitial(tab) &&
+         IsInterstitialDisplayingText(tab->GetMainFrame(), "Your clock is");
+}
 
-  if (IsInterstitialDisplayingText(
-          contents->GetInterstitialPage()->GetMainFrame(),
-          kHostnameJSUnicode)) {
-    return testing::AssertionSuccess();
-  }
-  return testing::AssertionFailure() << "Interstitial not displaying text";
+bool IsShowingBlockedInterceptionInterstitial(content::WebContents* tab) {
+  return IsShowingInterstitial(tab) &&
+         IsInterstitialDisplayingText(tab->GetMainFrame(),
+                                      "Anything you type, any pages you view");
 }
+
 }  // namespace chrome_browser_interstitials

chrome/browser/interstitials/security_interstitial_page_test_utils.h

@@ -7,18 +7,10 @@
 
 #include <string>
 
-#include "chrome/test/base/in_process_browser_test.h"
-#include "testing/gtest/include/gtest/gtest.h"
-
 namespace content {
+class RenderFrameHost;
 class WebContents;
-}
-
-class GURL;
-
-namespace security_interstitials {
-class SecurityInterstitialPage;
-}
+}  // namespace content
 
 namespace chrome_browser_interstitials {
 
@@ -30,22 +22,35 @@ namespace chrome_browser_interstitials {
 bool IsInterstitialDisplayingText(content::RenderFrameHost* interstitial_frame,
                                   const std::string& text);
 
-// This class is used for testing the display of IDN names in security
-// interstitials.
-class SecurityInterstitialIDNTest : public InProcessBrowserTest {
- public:
-  // InProcessBrowserTest implementation
-  void SetUpOnMainThread() override;
-
-  // Run a test that creates an interstitial with an IDN request URL
-  // and checks that it is properly decoded.
-  testing::AssertionResult VerifyIDNDecoded() const;
-
- protected:
-  virtual security_interstitials::SecurityInterstitialPage* CreateInterstitial(
-      content::WebContents* contents,
-      const GURL& request_url) const = 0;
-};
+// Returns true if |interstitial_frame| allows the user to override the
+// displayed interstitial.
+bool InterstitialHasProceedLink(content::RenderFrameHost* interstitial_frame);
+
+// Returns true if |tab| is currently displaying an interstitial.
+bool IsShowingInterstitial(content::WebContents* tab);
+
+// The functions below might start causing tests to fail if you change the
+// strings that appear on interstitials. If that happens, it's fine to update
+// the keywords that are checked for in each interstitial. But the keywords
+// should remain fairly unique for each interstitial to ensure that the tests
+// check that the proper interstitial comes up. For example, it wouldn't be good
+// to simply look for the word "security" because that likely shows up on lots
+// of different types of interstitials, not just the type being tested for.
+
+// Returns true if |tab| is displaying a captive-portal related interstitial.
+bool IsShowingCaptivePortalInterstitial(content::WebContents* tab);
+
+// Returns true if |tab| is currently displaying an SSL-related interstitial.
+bool IsShowingSSLInterstitial(content::WebContents* tab);
+
+// Returns true if |tab| is displaying a MITM-related interstitial.
+bool IsShowingMITMInterstitial(content::WebContents* tab);
+
+// Returns true if |tab| is displaying a clock-related interstitial.
+bool IsShowingBadClockInterstitial(content::WebContents* tab);
+
+// Returns true if |tab| is displaying a known-interception interstitial.
+bool IsShowingBlockedInterceptionInterstitial(content::WebContents* tab);
 
 }  // namespace chrome_browser_interstitials
 

chrome/browser/safe_browsing/safe_browsing_blocking_page_test.cc

@@ -25,7 +25,7 @@
 #include "base/values.h"
 #include "build/build_config.h"
 #include "chrome/browser/browser_process.h"
-#include "chrome/browser/interstitials/security_interstitial_page_test_utils.h"
+#include "chrome/browser/interstitials/security_interstitial_idn_test.h"
 #include "chrome/browser/profiles/profile.h"
 #include "chrome/browser/safe_browsing/safe_browsing_blocking_page.h"
 #include "chrome/browser/safe_browsing/test_safe_browsing_service.h"

chrome/browser/ssl/captive_portal_blocking_page_browsertest.cc

@@ -17,6 +17,7 @@
 #include "base/run_loop.h"
 #include "base/task/post_task.h"
 #include "base/test/scoped_feature_list.h"
+#include "chrome/browser/interstitials/security_interstitial_idn_test.h"
 #include "chrome/browser/interstitials/security_interstitial_page_test_utils.h"
 #include "chrome/browser/profiles/profile.h"
 #include "chrome/browser/safe_browsing/certificate_reporting_service_test_utils.h"

chrome/browser/ssl/cert_verifier_platform_browser_test.cc

+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/browser/ssl/cert_verifier_platform_browser_test.h"
+
+CertVerifierPlatformBrowserTest::CertVerifierPlatformBrowserTest() = default;
+
+CertVerifierPlatformBrowserTest::~CertVerifierPlatformBrowserTest() = default;
+
+void CertVerifierPlatformBrowserTest::SetUpCommandLine(
+    base::CommandLine* command_line) {
+  mock_cert_verifier_.SetUpCommandLine(command_line);
+}
+
+void CertVerifierPlatformBrowserTest::SetUpInProcessBrowserTestFixture() {
+  mock_cert_verifier_.SetUpInProcessBrowserTestFixture();
+}
+
+void CertVerifierPlatformBrowserTest::TearDownInProcessBrowserTestFixture() {
+  mock_cert_verifier_.TearDownInProcessBrowserTestFixture();
+}

chrome/browser/ssl/cert_verifier_platform_browser_test.h

+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CHROME_BROWSER_SSL_CERT_VERIFIER_PLATFORM_BROWSER_TEST_H_
+#define CHROME_BROWSER_SSL_CERT_VERIFIER_PLATFORM_BROWSER_TEST_H_
+
+#include "build/build_config.h"
+#include "content/public/test/content_mock_cert_verifier.h"
+
+#if defined(OS_ANDROID)
+#include "chrome/test/base/android/android_browser_test.h"
+#else
+#include "chrome/test/base/in_process_browser_test.h"
+#endif
+
+// CertVerifierPlatformBrowserTest allows tests to force certificate
+// verification results for requests made with any profile's main
+// request context (such as navigations). To do so, tests can use the
+// MockCertVerifier exposed via
+// CertVerifierPlatformBrowserTest::mock_cert_verifier().
+//
+// In contrast to CertVerifierBrowserTest, which only works with browser_tests,
+// CertVerifierPlatformBrowserTest is platform-agnostic, and can run in both
+// browser_tests and android_browsertests. However, care must be taken to
+// avoid technical debt, as documented in
+// https://groups.google.com/a/chromium.org/d/msg/chromium-dev/E_wqfkuO3JQ/opIZSZaEFAAJ
+class CertVerifierPlatformBrowserTest : public PlatformBrowserTest {
+ public:
+  CertVerifierPlatformBrowserTest();
+  ~CertVerifierPlatformBrowserTest() override;
+
+  CertVerifierPlatformBrowserTest(const CertVerifierPlatformBrowserTest&) =
+      delete;
+  CertVerifierPlatformBrowserTest& operator=(
+      const CertVerifierPlatformBrowserTest&) = delete;
+
+  // PlatformBrowserTest:
+  void SetUpCommandLine(base::CommandLine* command_line) override;
+  void SetUpInProcessBrowserTestFixture() override;
+  void TearDownInProcessBrowserTestFixture() override;
+
+  content::ContentMockCertVerifier::CertVerifier* mock_cert_verifier() {
+    return mock_cert_verifier_.mock_cert_verifier();
+  }
+
+ private:
+  content::ContentMockCertVerifier mock_cert_verifier_;
+};
+
+#endif  // CHROME_BROWSER_SSL_CERT_VERIFIER_PLATFORM_BROWSER_TEST_H_

chrome/browser/ssl/ssl_browsertest_util.cc

@@ -5,13 +5,22 @@
 #include "chrome/browser/ssl/ssl_browsertest_util.h"
 
 #include "base/feature_list.h"
+#include "base/run_loop.h"
+#include "base/time/time.h"
+#include "build/build_config.h"
 #include "chrome/browser/ssl/security_state_tab_helper.h"
 #include "chrome/common/chrome_features.h"
 #include "components/security_state/core/security_state.h"
+#include "content/public/browser/browser_context.h"
 #include "content/public/browser/navigation_entry.h"
 #include "content/public/browser/ssl_status.h"
+#include "content/public/browser/storage_partition.h"
 #include "content/public/common/page_type.h"
+#include "mojo/public/cpp/bindings/sync_call_restrictions.h"
+#include "net/base/features.h"
 #include "net/cert/cert_status_flags.h"
+#include "net/net_buildflags.h"
+#include "services/network/public/mojom/network_context.mojom.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 namespace ssl_test_util {
@@ -92,6 +101,25 @@ void CheckSecurityState(content::WebContents* tab,
   AuthState::Check(entry, expected_authentication_state);
 }
 
+void CheckAuthenticatedState(content::WebContents* tab,
+                             int expected_authentication_state) {
+  CheckSecurityState(tab, CertError::NONE, security_state::SECURE,
+                     expected_authentication_state);
+}
+
+void CheckUnauthenticatedState(content::WebContents* tab,
+                               int expected_authentication_state) {
+  CheckSecurityState(tab, CertError::NONE, security_state::NONE,
+                     expected_authentication_state);
+}
+
+void CheckAuthenticationBrokenState(content::WebContents* tab,
+                                    net::CertStatus expected_error,
+                                    int expected_authentication_state) {
+  CheckSecurityState(tab, expected_error, security_state::DANGEROUS,
+                     expected_authentication_state);
+}
+
 SecurityStateWebContentsObserver::SecurityStateWebContentsObserver(
     content::WebContents* web_contents)
     : content::WebContentsObserver(web_contents) {}
@@ -106,4 +134,37 @@ void SecurityStateWebContentsObserver::DidChangeVisibleSecurityState() {
   run_loop_.Quit();
 }
 
+static bool UsingBuiltinCertVerifier() {
+#if defined(OS_FUCHSIA)
+  return true;
+#elif BUILDFLAG(BUILTIN_CERT_VERIFIER_FEATURE_SUPPORTED)
+  if (base::FeatureList::IsEnabled(net::features::kCertVerifierBuiltinFeature))
+    return true;
+#endif
+  return false;
+}
+
+bool CertVerifierSupportsCRLSetBlocking() {
+  if (UsingBuiltinCertVerifier())
+    return true;
+#if defined(OS_ANDROID)
+  return false;
+#else
+  return true;
+#endif
+}
+
+void SetHSTSForHostName(content::BrowserContext* context,
+                        const std::string& hostname) {
+  const base::Time expiry = base::Time::Now() + base::TimeDelta::FromDays(1000);
+  bool include_subdomains = false;
+  mojo::ScopedAllowSyncCallForTesting allow_sync_call;
+  content::StoragePartition* partition =
+      content::BrowserContext::GetDefaultStoragePartition(context);
+  base::RunLoop run_loop;
+  partition->GetNetworkContext()->AddHSTS(hostname, expiry, include_subdomains,
+                                          run_loop.QuitClosure());
+  run_loop.Run();
+}
+
 }  // namespace ssl_test_util

chrome/browser/ssl/ssl_browsertest_util.h

@@ -5,12 +5,15 @@
 #ifndef CHROME_BROWSER_SSL_SSL_BROWSERTEST_UTIL_H_
 #define CHROME_BROWSER_SSL_SSL_BROWSERTEST_UTIL_H_
 
+#include <string>
+
 #include "base/run_loop.h"
 #include "components/security_state/core/security_state.h"
 #include "content/public/browser/web_contents_observer.h"
 #include "net/cert/cert_status_flags.h"
 
 namespace content {
+class BrowserContext;
 class WebContents;
 }
 
@@ -50,6 +53,25 @@ void CheckSecurityState(content::WebContents* tab,
                         security_state::SecurityLevel expected_security_level,
                         int expected_authentication_state);
 
+// Checks that |tab|'s
+//  - connection status is secure
+//  - authentication state is |expected_authentication_state|
+void CheckAuthenticatedState(content::WebContents* tab,
+                             int expected_authentication_state);
+
+// Checks that |tab|'s
+//  - connection status is unauthenticated
+//  - authentication state is |expected_authentication_state|
+void CheckUnauthenticatedState(content::WebContents* tab,
+                               int expected_authentication_state);
+
+// Checks that |tab|'s
+//  - certificate status flags match |expected_error|
+//  - authentication state is |expected_authentication_state|
+void CheckAuthenticationBrokenState(content::WebContents* tab,
+                                    net::CertStatus expected_error,
+                                    int expected_authentication_state);
+
 // A WebContentsObserver that allows the user to wait for a
 // DidChangeVisibleSecurityState event.
 class SecurityStateWebContentsObserver : public content::WebContentsObserver {
@@ -66,6 +88,15 @@ class SecurityStateWebContentsObserver : public content::WebContentsObserver {
   base::RunLoop run_loop_;
 };
 
+// Returns |true| if the default CertVerifier used by the NetworkService is
+// expected to support blocking certificates that appear within a CRLSet.
+bool CertVerifierSupportsCRLSetBlocking();
+
+// Sets HSTS for |hostname|, so that all certificate errors for that host
+// will be non-overridable.
+void SetHSTSForHostName(content::BrowserContext* context,
+                        const std::string& hostname);
+
 }  // namespace ssl_test_util
 
 #endif  // CHROME_BROWSER_SSL_SSL_BROWSERTEST_UTIL_H_

chrome/test/BUILD.gn

@@ -541,6 +541,7 @@ if (is_android) {
       "../browser/payments/payment_request_can_make_payment_browsertest.cc",
       "../browser/payments/personal_data_manager_test_util.cc",
       "../browser/payments/personal_data_manager_test_util.h",
+      "../browser/ssl/crlset_browsertest.cc",
       "android/browsertests_apk/android_browsertests_jni_onload.cc",
       "base/android/android_browser_test_browsertest_android.cc",
     ]
@@ -552,6 +553,7 @@ if (is_android) {
       "$root_gen_dir/components/components_resources.pak",
       "$root_out_dir/browser_tests.pak",
       "//components/test/data/payments/",
+      "//chrome/test/data/ssl/",
     ]
   }
 
@@ -560,6 +562,8 @@ if (is_android) {
     testonly = true
 
     sources = [
+      "../browser/ssl/cert_verifier_platform_browser_test.cc",
+      "../browser/ssl/cert_verifier_platform_browser_test.h",
       "base/android/android_browser_test.cc",
       "base/android/android_browser_test.h",
     ]
@@ -924,8 +928,6 @@ if (!is_android) {
       "../browser/infobars/infobar_observer.h",
       "../browser/infobars/infobars_browsertest.cc",
       "../browser/installable/installable_manager_browsertest.cc",
-      "../browser/interstitials/security_interstitial_page_test_utils.cc",
-      "../browser/interstitials/security_interstitial_page_test_utils.h",
       "../browser/invalidation/deprecated_profile_invalidation_provider_factory_browsertest.cc",
       "../browser/invalidation/profile_invalidation_provider_factory_browsertest.cc",
       "../browser/lifetime/browser_close_manager_browsertest.cc",
@@ -1175,11 +1177,10 @@ if (!is_android) {
       "../browser/ssl/chrome_expect_ct_reporter_browsertest.cc",
       "../browser/ssl/chrome_ssl_host_state_delegate_test.cc",
       "../browser/ssl/connection_help_tab_helper_browsertest.cc",
+      "../browser/ssl/crlset_browsertest.cc",
       "../browser/ssl/known_interception_disclosure_infobar_browsertest.cc",
       "../browser/ssl/security_state_tab_helper_browsertest.cc",
       "../browser/ssl/ssl_browsertest.cc",
-      "../browser/ssl/ssl_browsertest_util.cc",
-      "../browser/ssl/ssl_browsertest_util.h",
       "../browser/ssl/ssl_client_certificate_selector_test.cc",
       "../browser/ssl/ssl_client_certificate_selector_test.h",
       "../browser/ssl/typed_navigation_timing_throttle_browsertest.cc",
@@ -2977,6 +2978,7 @@ test("unit_tests") {
     "../browser/complex_tasks/endpoint_fetcher/endpoint_fetcher_unittest.cc",
     "../browser/complex_tasks/task_tab_helper_unittest.cc",
     "../browser/component_updater/chrome_component_updater_configurator_unittest.cc",
+    "../browser/component_updater/crl_set_component_installer_unittest.cc",
     "../browser/component_updater/games_component_installer_unittest.cc",
     "../browser/component_updater/optimization_hints_component_installer_unittest.cc",
     "../browser/component_updater/origin_trials_component_installer_unittest.cc",
@@ -3419,9 +3421,6 @@ test("unit_tests") {
 
   if (!is_android) {
     sources += [
-      # CRLSets are not supported on Android or iOS, but available on all other
-      # platforms.
-      "../browser/component_updater/crl_set_component_installer_unittest.cc",
       "../browser/profiles/profile_avatar_icon_util_unittest.cc",
       "../browser/ui/autofill/payments/autofill_dialog_models_unittest.cc",
       "../browser/ui/bookmarks/bookmark_editor_unittest.cc",

chrome/test/android/browsertests_apk/src/org/chromium/android_browsertests_apk/ChromeBrowserTestsApplication.java

@@ -15,7 +15,7 @@ import org.chromium.ui.base.ResourceBundle;
  * A basic chrome.browser.tests {@link android.app.Application}.
  */
 public class ChromeBrowserTestsApplication extends NativeBrowserTestApplication {
-    static final String PRIVATE_DATA_DIRECTORY_SUFFIX = "chrome";
+    static final String PRIVATE_DATA_DIRECTORY_SUFFIX = "android_browsertests";
 
     @Override
     protected void attachBaseContext(Context base) {