1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #ifndef CHROME_BROWSER_SSL_SSL_ERROR_CLASSIFICATION_H_
6 #define CHROME_BROWSER_SSL_SSL_ERROR_CLASSIFICATION_H_
11 #include "base/time/time.h"
12 #include "net/cert/x509_certificate.h"
// This class calculates the severity scores for the different types of SSL
class SSLErrorClassification {
  // NOTE(review): this listing omits some lines of the original header (for
  // instance the access specifiers, one constructor parameter and the closing
  // brace of the class are not visible). Confirm member visibility against the
  // source file before relying on it.

  // |current_time| is copied into |current_time_|; |cert| is only held by
  // reference (see |cert_| below) and must outlive this object.
  SSLErrorClassification(const base::Time& current_time,
                         const net::X509Certificate& cert);
  ~SSLErrorClassification();

  // Returns true if the system time is in the past.
  static bool IsUserClockInThePast(const base::Time& time_now);

  // Returns true if the system time is too far in the future or the user is
  // using a version of Chrome which is more than 1 year old.
  static bool IsUserClockInTheFuture(const base::Time& time_now);

  // NOTE(review): undocumented in the original; presumably reports whether the
  // running Windows version is at Service Pack 3 or earlier. Confirm in the
  // .cc file.
  static bool IsWindowsVersionSP3OrLower();

  // Calculates the severity score when the SSL error is CERT_DATE_INVALID.
  // Returns a score between 0.0 and 1.0, higher values being more severe,
  // indicating how severe the certificate's invalid date error is.
  // |cert_error| is the certificate error being classified.
  float InvalidDateSeverityScore(int cert_error) const;

  // Calculates the severity score when the SSL error is
  // |CERT_COMMON_NAME_INVALID|. Returns a score between 0.0 and 1.0, higher
  // values being more severe, indicating how severe the certificate's common
  // name invalid error is. |cert_error| is the certificate error being
  // classified.
  float InvalidCommonNameSeverityScore(int cert_error) const;

  // NOTE(review): undocumented in the original; presumably records UMA
  // histograms for |cert_error| and whether the error was |overridable|.
  // Confirm in the .cc file.
  void RecordUMAStatistics(bool overridable, int cert_error);

  // NOTE(review): undocumented in the original; presumably the delta between
  // |current_time_| and the certificate's expiry. Confirm the sign convention
  // in the .cc file before using it in comparisons.
  base::TimeDelta TimePassedSinceExpiry() const;

  // Lets the unit tests call the helpers declared below directly.
  FRIEND_TEST_ALL_PREFIXES(SSLErrorClassificationTest, TestDateInvalidScore);
  FRIEND_TEST_ALL_PREFIXES(SSLErrorClassificationTest, TestNameMismatch);
  FRIEND_TEST_ALL_PREFIXES(SSLErrorClassificationTest,
                           TestHostNameHasKnownTLD);

  // A host name split into its DNS labels (see Tokenize() and the
  // FindSubDomainDifference() example below).
  typedef std::vector<std::string> Tokens;

  // Returns true if the hostname has a known Top Level Domain.
  static bool IsHostNameKnownTLD(const std::string& host_name);

  // Returns true if the site's hostname differs from one of the DNS
  // names in the certificate (CN or SANs) only by the presence or
  // absence of the single-label prefix "www". E.g.:
  //
  //     www.example.com ~ example.com -> true
  //     example.com ~ www.example.com -> true
  //     www.food.example.com ~ example.com -> false
  //     mail.example.com ~ example.com -> false
  bool IsWWWSubDomainMatch() const;

  // Returns true if |child| is a subdomain of any of the |potential_parents|.
  bool NameUnderAnyNames(const Tokens& child,
                         const std::vector<Tokens>& potential_parents) const;

  // Returns true if any of the |potential_children| is a subdomain of the
  // |parent|. The inverse case (the parent being matched by a child name) is
  // deliberately not treated as a match, as this is most likely a MITM
  // attack: we don't want foo.appspot.com to be able to MITM for its parent
  // domain.
  bool AnyNamesUnderName(const std::vector<Tokens>& potential_children,
                         const Tokens& parent) const;

  // Returns true if |hostname| is too broad for the scope of a wildcard
  // name in the certificate, i.e. the single "*" label would have to cover
  // more than one label of |hostname|. E.g.:
  //
  //     a.b.example.com ~ *.example.com --> true
  //     b.example.com ~ *.example.com --> false
  bool IsSubDomainOutsideWildcard(const Tokens& hostname) const;

  // Returns true if the certificate is a shared certificate. Note - This
  // function should be used with caution (only for UMA histogram) as an
  // attacker could easily get a certificate with more than 5 names in the SAN
  // list, so the result must not feed into any security-relevant decision.
  bool IsCertLikelyFromMultiTenantHosting() const;

  // NOTE(review): undocumented in the original; presumably maps
  // TimePassedSinceExpiry() onto a [0.0, 1.0] severity component. Confirm in
  // the .cc file.
  float CalculateScoreTimePassedSinceExpiry() const;

  // Splits each of |dns_names| into Tokens (presumably via Tokenize()).
  static std::vector<Tokens> GetTokenizedDNSNames(
      const std::vector<std::string>& dns_names);

  // If |potential_subdomain| is a subdomain of |parent|, returns the
  // number of DNS labels by which |potential_subdomain| is under
  // |parent|. Otherwise, returns 0.
  //
  // For example:
  //     FindSubDomainDifference(Tokenize("a.b.example.com"),
  //                             Tokenize("example.com"))
  // returns 2.
  size_t FindSubDomainDifference(const Tokens& potential_subdomain,
                                 const Tokens& parent) const;

  // Splits |name| into its DNS labels (see the Tokens typedef above).
  static Tokens Tokenize(const std::string& name);

  // This stores the current time.
  base::Time current_time_;

  // Reference member: the GURL is not owned here, so the object passed in
  // must outlive this SSLErrorClassification instance.
  const GURL& request_url_;

  // This stores the certificate. Reference member: the certificate is not
  // owned here and must outlive this instance.
  const net::X509Certificate& cert_;
121 #endif // CHROME_BROWSER_SSL_SSL_ERROR_CLASSIFICATION_H_