Measure how often the users are encountering MD5...

net/base/ssl_client_socket_win.cc

 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/ssl_client_socket_win.h"
 
 #include <schnlsp.h>
 
 #include "base/lock.h"
 #include "base/singleton.h"
 #include "base/string_util.h"
+#include "net/base/connection_type_histograms.h"
 #include "net/base/net_errors.h"
 #include "net/base/scoped_cert_chain_context.h"
 #include "net/base/ssl_info.h"
 
 #pragma comment(lib, "secur32.lib")
 
 namespace net {
 
 //-----------------------------------------------------------------------------
 
@@ skipping 992 matching lines @@
       &ctxt_, SECPKG_ATTR_REMOTE_CERT_CONTEXT, &server_cert_);
   if (status != SEC_E_OK) {
     DLOG(ERROR) << "QueryContextAttributes failed: " << status;
     return MapSecurityError(status);
   }
 
   completed_handshake_ = true;
   return VerifyServerCert();
 }
 
+// static
+void SSLClientSocketWin::LogConnectionTypeMetrics(
+    PCCERT_CHAIN_CONTEXT chain_context) {
+  UpdateConnectionTypeHistograms(CONNECTION_SSL);
+
+  PCERT_SIMPLE_CHAIN first_chain = chain_context->rgpChain[0];
+  int num_elements = first_chain->cElement;
+  PCERT_CHAIN_ELEMENT* element = first_chain->rgpElement;
+  bool has_md5 = false;
+  bool has_md2 = false;
+  bool has_md4 = false;
+
+  // Each chain starts with the end entity certificate and ends with the root
+  // CA certificate.  Do not inspect the signature algorithm of the root CA
+  // certificate because the signature on the trust anchor is not important.
+  for (int i = 0; i < num_elements - 1; ++i) {
+    PCCERT_CONTEXT cert = element[i]->pCertContext;
+    const char* algorithm = cert->pCertInfo->SignatureAlgorithm.pszObjId;
+    if (strcmp(algorithm, szOID_RSA_MD5RSA) == 0) {
+      // md5WithRSAEncryption: 1.2.840.113549.1.1.4
+      has_md5 = true;
+    } else if (strcmp(algorithm, szOID_RSA_MD2RSA) == 0) {
+      // md2WithRSAEncryption: 1.2.840.113549.1.1.2
+      has_md2 = true;
+    } else if (strcmp(algorithm, szOID_RSA_MD4RSA) == 0) {
+      // md4WithRSAEncryption: 1.2.840.113549.1.1.3
+      has_md4 = true;
+    }
+  }
+
+  if (has_md5)
+    UpdateConnectionTypeHistograms(CONNECTION_SSL_MD5);
+  if (has_md2)
+    UpdateConnectionTypeHistograms(CONNECTION_SSL_MD2);
+  if (has_md4)
+    UpdateConnectionTypeHistograms(CONNECTION_SSL_MD4);
+}
+
 // Set server_cert_status_ and return OK or a network error.
 int SSLClientSocketWin::VerifyServerCert() {
   DCHECK(server_cert_);
   server_cert_status_ = 0;
 
   // Build and validate certificate chain.
 
   CERT_CHAIN_PARA chain_para;
   memset(&chain_para, 0, sizeof(chain_para));
   chain_para.cbSize = sizeof(chain_para);
@@ skipping 17 matching lines @@
            NULL,  // current system time
            server_cert_->hCertStore,  // search this store
            &chain_para,
            flags,
            NULL,  // reserved
            &chain_context)) {
     return MapSecurityError(GetLastError());
   }
   ScopedCertChainContext scoped_chain_context(chain_context);
 
+  LogConnectionTypeMetrics(chain_context);
+
   server_cert_status_ |= MapCertChainErrorStatusToCertStatus(
       chain_context->TrustStatus.dwErrorStatus);
 
   std::wstring wstr_hostname = ASCIIToWide(hostname_);
 
   SSL_EXTRA_CERT_CHAIN_POLICY_PARA extra_policy_para;
   memset(&extra_policy_para, 0, sizeof(extra_policy_para));
   extra_policy_para.cbSize = sizeof(extra_policy_para);
   extra_policy_para.dwAuthType = AUTHTYPE_SERVER;
   extra_policy_para.fdwChecks = 0;
@@ skipping 72 matching lines @@
   // compatible with WinHTTP, which doesn't report this error (bug 3004).
   server_cert_status_ &= ~CERT_STATUS_NO_REVOCATION_MECHANISM;
 
   if (IsCertStatusError(server_cert_status_))
     return MapCertStatusToNetError(server_cert_status_);
   return OK;
 }
 
 }  // namespace net