| 1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chrome/browser/ssl/connection_security.h" | 5 #include "chrome/browser/ssl/connection_security.h" |
| 6 | 6 |
| 7 #include "base/command_line.h" | 7 #include "base/command_line.h" |
| 8 #include "base/metrics/field_trial.h" | 8 #include "base/metrics/field_trial.h" |
| 9 #include "base/metrics/histogram_macros.h" | 9 #include "base/metrics/histogram_macros.h" |
| 10 #include "base/prefs/pref_service.h" | 10 #include "base/prefs/pref_service.h" |
| 64 level = connection_security::SECURITY_ERROR; | 64 level = connection_security::SECURITY_ERROR; |
| 65 } else { | 65 } else { |
| 66 status = NEUTRAL; | 66 status = NEUTRAL; |
| 67 level = connection_security::NONE; | 67 level = connection_security::NONE; |
| 68 } | 68 } |
| 69 | 69 |
| 70 UMA_HISTOGRAM_ENUMERATION(kEnumeration, status, LAST_STATUS); | 70 UMA_HISTOGRAM_ENUMERATION(kEnumeration, status, LAST_STATUS); |
| 71 return level; | 71 return level; |
| 72 } | 72 } |
| 73 | 73 |
| 74 scoped_refptr<net::X509Certificate> GetCertForSSLStatus( | |
| 75 const content::SSLStatus& ssl) { | |
| 76 scoped_refptr<net::X509Certificate> cert; | |
| 77 return content::CertStore::GetInstance()->RetrieveCert(ssl.cert_id, &cert) | |
| 78 ? cert | |
| 79 : nullptr; | |
| 80 } | |
| 81 | |
| 82 connection_security::SHA1DeprecationStatus GetSHA1DeprecationStatus( | |
| 83 scoped_refptr<net::X509Certificate> cert, | |
| 84 const content::SSLStatus& ssl) { | |
| 85 if (cert && (ssl.cert_status & net::CERT_STATUS_SHA1_SIGNATURE_PRESENT)) { | |
|
Ryan Sleevi
2015/06/16 23:58:54
Suggestion: Optimize for the early return, to redu
estark
2015/06/17 04:38:29
Done.
| |
| 86 // The internal representation of the dates for UI treatment of SHA-1. | |
| 87 // See http://crbug.com/401365 for details. | |
| 88 static const int64_t kJanuary2017 = INT64_C(13127702400000000); | |
| 89 if (cert->valid_expiry() >= base::Time::FromInternalValue(kJanuary2017)) | |
| 90 return connection_security::DEPRECATED_SHA1_BROKEN; | |
| 91 // kJanuary2016 needs to be kept in sync with | |
| 92 // ToolbarModelAndroid::IsDeprecatedSHA1Present(). | |
| 93 static const int64_t kJanuary2016 = INT64_C(13096080000000000); | |
| 94 if (cert->valid_expiry() >= base::Time::FromInternalValue(kJanuary2016)) | |
| 95 return connection_security::DEPRECATED_SHA1_WARNING; | |
| 96 } | |
| 97 | |
| 98 return connection_security::NO_DEPRECATED_SHA1; | |
| 99 } | |
| 100 | |
| 101 connection_security::MixedContentStatus GetMixedContentStatus( | |
| 102 const content::SSLStatus& ssl) { | |
| 103 if (ssl.content_status & content::SSLStatus::RAN_INSECURE_CONTENT) | |
| 104 return connection_security::RAN_MIXED_CONTENT; | |
| 105 if (ssl.content_status & content::SSLStatus::DISPLAYED_INSECURE_CONTENT) | |
| 106 return connection_security::DISPLAYED_MIXED_CONTENT; | |
| 107 return connection_security::NO_MIXED_CONTENT; | |
| 108 } | |
| 109 | |
| 74 } // namespace | 110 } // namespace |
| 75 | 111 |
| 76 namespace connection_security { | 112 namespace connection_security { |
| 77 | 113 |
| 78 SecurityLevel GetSecurityLevelForWebContents( | 114 SecurityLevel GetSecurityLevelForWebContents( |
| 79 const content::WebContents* web_contents) { | 115 const content::WebContents* web_contents) { |
| 80 if (!web_contents) | 116 if (!web_contents) |
| 81 return NONE; | 117 return NONE; |
| 82 | 118 |
| 83 content::NavigationEntry* entry = | 119 content::NavigationEntry* entry = |
| 101 return SECURITY_ERROR; | 137 return SECURITY_ERROR; |
| 102 | 138 |
| 103 case content::SECURITY_STYLE_AUTHENTICATED: { | 139 case content::SECURITY_STYLE_AUTHENTICATED: { |
| 104 #if defined(OS_CHROMEOS) | 140 #if defined(OS_CHROMEOS) |
| 105 policy::PolicyCertService* service = | 141 policy::PolicyCertService* service = |
| 106 policy::PolicyCertServiceFactory::GetForProfile( | 142 policy::PolicyCertServiceFactory::GetForProfile( |
| 107 Profile::FromBrowserContext(web_contents->GetBrowserContext())); | 143 Profile::FromBrowserContext(web_contents->GetBrowserContext())); |
| 108 if (service && service->UsedPolicyCertificates()) | 144 if (service && service->UsedPolicyCertificates()) |
| 109 return SECURITY_POLICY_WARNING; | 145 return SECURITY_POLICY_WARNING; |
| 110 #endif | 146 #endif |
| 111 if (ssl.content_status & content::SSLStatus::DISPLAYED_INSECURE_CONTENT) | 147 |
| 148 MixedContentStatus mixed_content_status = GetMixedContentStatus(ssl); | |
| 149 // Active mixed content is downgraded to the BROKEN style and | |
| 150 // handled above. | |
| 151 DCHECK_NE(RAN_MIXED_CONTENT, mixed_content_status); | |
| 152 if (mixed_content_status == DISPLAYED_MIXED_CONTENT) | |
| 112 return SECURITY_WARNING; | 153 return SECURITY_WARNING; |
| 113 scoped_refptr<net::X509Certificate> cert; | 154 |
| 114 if (content::CertStore::GetInstance()->RetrieveCert(ssl.cert_id, &cert) && | 155 scoped_refptr<net::X509Certificate> cert = GetCertForSSLStatus(ssl); |
| 115 (ssl.cert_status & net::CERT_STATUS_SHA1_SIGNATURE_PRESENT)) { | 156 SHA1DeprecationStatus sha1_status = GetSHA1DeprecationStatus(cert, ssl); |
| 116 // The internal representation of the dates for UI treatment of SHA-1. | 157 if (sha1_status == DEPRECATED_SHA1_BROKEN) |
| 117 // See http://crbug.com/401365 for details. | 158 return SECURITY_ERROR; |
| 118 static const int64_t kJanuary2017 = INT64_C(13127702400000000); | 159 if (sha1_status == DEPRECATED_SHA1_WARNING) |
| 119 // kJanuary2016 needs to be kept in sync with | 160 return SECURITY_WARNING; |
| 120 // ToolbarModelAndroid::IsDeprecatedSHA1Present(). | 161 |
| 121 static const int64_t kJanuary2016 = INT64_C(13096080000000000); | |
| 122 if (cert->valid_expiry() >= | |
| 123 base::Time::FromInternalValue(kJanuary2017)) { | |
| 124 return SECURITY_ERROR; | |
| 125 } | |
| 126 if (cert->valid_expiry() >= | |
| 127 base::Time::FromInternalValue(kJanuary2016)) { | |
| 128 return SECURITY_WARNING; | |
| 129 } | |
| 130 } | |
| 131 if (net::IsCertStatusError(ssl.cert_status)) { | 162 if (net::IsCertStatusError(ssl.cert_status)) { |
| 132 DCHECK(net::IsCertStatusMinorError(ssl.cert_status)); | 163 DCHECK(net::IsCertStatusMinorError(ssl.cert_status)); |
| 133 return SECURITY_WARNING; | 164 return SECURITY_WARNING; |
| 134 } | 165 } |
| 135 if (net::SSLConnectionStatusToVersion(ssl.connection_status) == | 166 if (net::SSLConnectionStatusToVersion(ssl.connection_status) == |
| 136 net::SSL_CONNECTION_VERSION_SSL3) { | 167 net::SSL_CONNECTION_VERSION_SSL3) { |
| 137 // SSLv3 will be removed in the future. | 168 // SSLv3 will be removed in the future. |
| 138 return SECURITY_WARNING; | 169 return SECURITY_WARNING; |
| 139 } | 170 } |
| 140 if ((ssl.cert_status & net::CERT_STATUS_IS_EV) && cert) | 171 if ((ssl.cert_status & net::CERT_STATUS_IS_EV) && cert) |
| 141 return EV_SECURE; | 172 return EV_SECURE; |
| 142 return SECURE; | 173 return SECURE; |
| 143 } | 174 } |
| 144 | 175 |
| 145 default: | 176 default: |
| 146 NOTREACHED(); | 177 NOTREACHED(); |
| 147 return NONE; | 178 return NONE; |
| 148 } | 179 } |
| 149 } | 180 } |
| 150 | 181 |
| 151 content::SecurityStyle GetSecurityStyleForWebContents( | 182 void GetSecurityInfoForWebContents(const content::WebContents* web_contents, |
| 152 const content::WebContents* web_contents) { | 183 SecurityInfo* security_info) { |
| 184 content::NavigationEntry* entry = | |
| 185 web_contents ? web_contents->GetController().GetVisibleEntry() : nullptr; | |
| 186 if (!entry) { | |
| 187 security_info->security_style = content::SECURITY_STYLE_UNKNOWN; | |
| 188 return; | |
| 189 } | |
| 190 | |
| 153 SecurityLevel security_level = GetSecurityLevelForWebContents(web_contents); | 191 SecurityLevel security_level = GetSecurityLevelForWebContents(web_contents); |
| 154 | |
| 155 switch (security_level) { | 192 switch (security_level) { |
| 156 case NONE: | 193 case NONE: |
| 157 return content::SECURITY_STYLE_UNAUTHENTICATED; | 194 security_info->security_style = content::SECURITY_STYLE_UNAUTHENTICATED; |
| 195 break; | |
| 158 case EV_SECURE: | 196 case EV_SECURE: |
| 159 case SECURE: | 197 case SECURE: |
| 160 return content::SECURITY_STYLE_AUTHENTICATED; | 198 security_info->security_style = content::SECURITY_STYLE_AUTHENTICATED; |
| 199 break; | |
| 161 case SECURITY_WARNING: | 200 case SECURITY_WARNING: |
| 162 case SECURITY_POLICY_WARNING: | 201 case SECURITY_POLICY_WARNING: |
| 163 return content::SECURITY_STYLE_WARNING; | 202 security_info->security_style = content::SECURITY_STYLE_WARNING; |
| 203 break; | |
| 164 case SECURITY_ERROR: | 204 case SECURITY_ERROR: |
| 165 return content::SECURITY_STYLE_AUTHENTICATION_BROKEN; | 205 security_info->security_style = |
| 206 content::SECURITY_STYLE_AUTHENTICATION_BROKEN; | |
| 207 break; | |
| 166 } | 208 } |
| 167 | 209 |
| 168 NOTREACHED(); | 210 const content::SSLStatus& ssl = entry->GetSSL(); |
| 169 return content::SECURITY_STYLE_UNKNOWN; | 211 scoped_refptr<net::X509Certificate> cert = GetCertForSSLStatus(ssl); |
| 212 security_info->sha1_deprecation_status = GetSHA1DeprecationStatus(cert, ssl); | |
| 213 security_info->mixed_content_status = GetMixedContentStatus(ssl); | |
| 214 security_info->cert_status = ssl.cert_status; | |
| 170 } | 215 } |
| 171 | 216 |
| 172 } // namespace connection_security | 217 } // namespace connection_security |
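Review bot: The switch on `security_level` in the new GetSecurityInfoForWebContents (new lines 192–208) has no fallback arm, whereas the old GetSecurityStyleForWebContents it replaces ended with `NOTREACHED(); return content::SECURITY_STYLE_UNKNOWN;` after its switch; with the new shape an unhandled SecurityLevel value leaves `security_info->security_style` unassigned and execution continues on to fill the remaining fields. GetSecurityLevelForWebContents in the same file already uses a `default: NOTREACHED(); return NONE;` arm, so the consistent fix is `default: NOTREACHED(); security_info->security_style = content::SECURITY_STYLE_UNKNOWN; return;` inside this switch. Separately, the early return on a null `entry` (new lines 186–189) writes only `security_style`; unless SecurityInfo's constructor initializes `sha1_deprecation_status`, `mixed_content_status` and `cert_status` (its header is not part of this review), a caller that reuses a SecurityInfo would read stale values from the previous call, so either reset those fields there as well or document in the header that they are unspecified when the style is SECURITY_STYLE_UNKNOWN.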