| OLD | NEW |
|---|
| (Empty) | |
| 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #include "chrome/browser/ssl/security_level_policy.h" |
| 6 |
| 7 #include "base/command_line.h" |
| 8 #include "base/metrics/field_trial.h" |
| 9 #include "base/prefs/pref_service.h" |
| 10 #include "chrome/browser/profiles/profile.h" |
| 11 #include "chrome/browser/ssl/ssl_error_info.h" |
| 12 #include "chrome/common/chrome_constants.h" |
| 13 #include "chrome/common/chrome_switches.h" |
| 14 #include "chrome/common/pref_names.h" |
| 15 #include "content/public/browser/cert_store.h" |
| 16 #include "content/public/browser/navigation_controller.h" |
| 17 #include "content/public/browser/navigation_entry.h" |
| 18 #include "content/public/browser/web_contents.h" |
| 19 #include "content/public/common/ssl_status.h" |
| 20 #include "net/base/net_util.h" |
| 21 #include "net/cert/cert_status_flags.h" |
| 22 #include "net/cert/x509_certificate.h" |
| 23 #include "net/ssl/ssl_connection_status_flags.h" |
| 24 #include "url/url_constants.h" |
| 25 |
| 26 #if defined(OS_CHROMEOS) |
| 27 #include "chrome/browser/chromeos/policy/policy_cert_service.h" |
| 28 #include "chrome/browser/chromeos/policy/policy_cert_service_factory.h" |
| 29 #endif |
| 30 |
| 31 namespace { |
| 32 |
| 33 SecurityLevelPolicy::SecurityLevel GetSecurityLevelForNonSecureFieldTrial() { |
| 34 std::string choice = |
| 35 base::CommandLine::ForCurrentProcess()->GetSwitchValueASCII( |
| 36 switches::kMarkNonSecureAs); |
| 37 if (choice == switches::kMarkNonSecureAsNeutral) |
| 38 return SecurityLevelPolicy::NONE; |
| 39 if (choice == switches::kMarkNonSecureAsDubious) |
| 40 return SecurityLevelPolicy::SECURITY_WARNING; |
| 41 if (choice == switches::kMarkNonSecureAsNonSecure) |
| 42 return SecurityLevelPolicy::SECURITY_ERROR; |
| 43 |
| 44 std::string group = base::FieldTrialList::FindFullName("MarkNonSecureAs"); |
| 45 if (group == switches::kMarkNonSecureAsNeutral) |
| 46 return SecurityLevelPolicy::NONE; |
| 47 if (group == switches::kMarkNonSecureAsDubious) |
| 48 return SecurityLevelPolicy::SECURITY_WARNING; |
| 49 if (group == switches::kMarkNonSecureAsNonSecure) |
| 50 return SecurityLevelPolicy::SECURITY_ERROR; |
| 51 |
| 52 return SecurityLevelPolicy::NONE; |
| 53 } |
| 54 |
| 55 } // namespace |
| 56 |
| 57 SecurityLevelPolicy::SecurityLevel |
| 58 SecurityLevelPolicy::GetSecurityLevelForWebContents( |
| 59 content::WebContents* web_contents) { |
| 60 if (!web_contents) |
| 61 return NONE; |
| 62 |
| 63 content::NavigationEntry* entry = |
| 64 web_contents->GetController().GetVisibleEntry(); |
| 65 if (!entry) |
| 66 return NONE; |
| 67 |
| 68 const content::SSLStatus& ssl = entry->GetSSL(); |
| 69 switch (ssl.security_style) { |
| 70 case content::SECURITY_STYLE_UNKNOWN: |
| 71 return NONE; |
| 72 |
| 73 case content::SECURITY_STYLE_UNAUTHENTICATED: { |
| 74 const GURL& url = entry->GetURL(); |
| 75 if (url.SchemeIs(url::kHttpScheme) || url.SchemeIs(url::kFtpScheme)) |
| 76 return GetSecurityLevelForNonSecureFieldTrial(); |
| 77 return NONE; |
| 78 } |
| 79 |
| 80 case content::SECURITY_STYLE_AUTHENTICATION_BROKEN: |
| 81 return SECURITY_ERROR; |
| 82 |
| 83 case content::SECURITY_STYLE_AUTHENTICATED: { |
| 84 #if defined(OS_CHROMEOS) |
| 85 policy::PolicyCertService* service = |
| 86 policy::PolicyCertServiceFactory::GetForProfile( |
| 87 Profile::FromBrowserContext(web_contents->GetBrowserContext())); |
| 88 if (service && service->UsedPolicyCertificates()) |
| 89 return SECURITY_POLICY_WARNING; |
| 90 #endif |
| 91 if (ssl.content_status & content::SSLStatus::DISPLAYED_INSECURE_CONTENT) |
| 92 return SECURITY_WARNING; |
| 93 scoped_refptr<net::X509Certificate> cert; |
| 94 if (content::CertStore::GetInstance()->RetrieveCert(ssl.cert_id, &cert) && |
| 95 (ssl.cert_status & net::CERT_STATUS_SHA1_SIGNATURE_PRESENT)) { |
| 96 // The internal representation of the dates for UI treatment of SHA-1. |
| 97 // See http://crbug.com/401365 for details. |
| 98 static const int64_t kJanuary2017 = INT64_C(13127702400000000); |
| 99 // kJanuary2016 needs to be kept in sync with |
| 100 // ToolbarModelAndroid::IsDeprecatedSHA1Present(). |
| 101 static const int64_t kJanuary2016 = INT64_C(13096080000000000); |
| 102 if (cert->valid_expiry() >= |
| 103 base::Time::FromInternalValue(kJanuary2017)) { |
| 104 return SECURITY_ERROR; |
| 105 } |
| 106 if (cert->valid_expiry() >= |
| 107 base::Time::FromInternalValue(kJanuary2016)) { |
| 108 return SECURITY_WARNING; |
| 109 } |
| 110 } |
| 111 if (net::IsCertStatusError(ssl.cert_status)) { |
| 112 DCHECK(net::IsCertStatusMinorError(ssl.cert_status)); |
| 113 return SECURITY_WARNING; |
| 114 } |
| 115 if (net::SSLConnectionStatusToVersion(ssl.connection_status) == |
| 116 net::SSL_CONNECTION_VERSION_SSL3) { |
| 117 // SSLv3 will be removed in the future. |
| 118 return SECURITY_WARNING; |
| 119 } |
| 120 if ((ssl.cert_status & net::CERT_STATUS_IS_EV) && cert) |
| 121 return EV_SECURE; |
| 122 return SECURE; |
| 123 } |
| 124 |
| 125 default: |
| 126 NOTREACHED(); |
| 127 return NONE; |
| 128 } |
| 129 } |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1123943002:
Move SecurityLevel into a class of its own (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master