
Side by Side Diff: chrome/browser/ssl/connection_security.cc

Issue 1181293003: Expand SecurityStyleChanged interfaces to include explanations (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: comments, style tweaks Created 5 years, 6 months ago
OLDNEW
1 // Copyright 2015 The Chromium Authors. All rights reserved. 1 // Copyright 2015 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "chrome/browser/ssl/connection_security.h" 5 #include "chrome/browser/ssl/connection_security.h"
6 6
7 #include "base/command_line.h" 7 #include "base/command_line.h"
8 #include "base/metrics/field_trial.h" 8 #include "base/metrics/field_trial.h"
9 #include "base/metrics/histogram_macros.h" 9 #include "base/metrics/histogram_macros.h"
10 #include "base/prefs/pref_service.h" 10 #include "base/prefs/pref_service.h"
(...skipping 53 matching lines...) Expand 10 before | Expand all | Expand 10 after
64 level = connection_security::SECURITY_ERROR; 64 level = connection_security::SECURITY_ERROR;
65 } else { 65 } else {
66 status = NEUTRAL; 66 status = NEUTRAL;
67 level = connection_security::NONE; 67 level = connection_security::NONE;
68 } 68 }
69 69
70 UMA_HISTOGRAM_ENUMERATION(kEnumeration, status, LAST_STATUS); 70 UMA_HISTOGRAM_ENUMERATION(kEnumeration, status, LAST_STATUS);
71 return level; 71 return level;
72 } 72 }
73 73
74 scoped_refptr<net::X509Certificate> GetCertForSSLStatus(
75 const content::SSLStatus& ssl) {
76 scoped_refptr<net::X509Certificate> cert;
77 if (content::CertStore::GetInstance()->RetrieveCert(ssl.cert_id, &cert))
Peter Kasting 2015/06/16 06:29:10 Nit: Shorter: return content::CertStore::GetIns
estark 2015/06/16 15:32:34 Done.
78 return cert;
79 return nullptr;
80 }
81
82 connection_security::SHA1DeprecationStatus GetSHA1DeprecationStatus(
83 scoped_refptr<net::X509Certificate> cert,
84 const content::SSLStatus& ssl) {
85 if (cert && (ssl.cert_status & net::CERT_STATUS_SHA1_SIGNATURE_PRESENT)) {
86 // The internal representation of the dates for UI treatment of SHA-1.
87 // See http://crbug.com/401365 for details.
88 static const int64_t kJanuary2017 = INT64_C(13127702400000000);
89 // kJanuary2016 needs to be kept in sync with
90 // ToolbarModelAndroid::IsDeprecatedSHA1Present().
91 static const int64_t kJanuary2016 = INT64_C(13096080000000000);
Peter Kasting 2015/06/16 06:29:11 Nit: I'd move this second constant and its comment
estark 2015/06/16 15:32:34 Done.
92 if (cert->valid_expiry() >= base::Time::FromInternalValue(kJanuary2017)) {
Peter Kasting 2015/06/16 06:29:10 Nit: No {} (2 places)
estark 2015/06/16 15:32:34 Done.
93 return connection_security::DEPRECATED_SHA1_BROKEN;
94 }
95 if (cert->valid_expiry() >= base::Time::FromInternalValue(kJanuary2016)) {
96 return connection_security::DEPRECATED_SHA1_WARNING;
97 }
98 }
99
100 return connection_security::NO_DEPRECATED_SHA1;
101 }
102
103 connection_security::MixedContentStatus GetMixedContentStatus(
104 const content::SSLStatus& ssl) {
105 if (ssl.content_status & content::SSLStatus::DISPLAYED_INSECURE_CONTENT)
106 return connection_security::DISPLAYED_MIXED_CONTENT;
107 if (ssl.content_status & content::SSLStatus::RAN_INSECURE_CONTENT)
Peter Kasting 2015/06/16 06:29:11 Since these are bitfield values and thus both coul
estark 2015/06/16 15:32:34 Done.
108 return connection_security::RAN_MIXED_CONTENT;
109 return connection_security::NO_MIXED_CONTENT;
110 }
111
74 } // namespace 112 } // namespace
75 113
76 namespace connection_security { 114 namespace connection_security {
77 115
78 SecurityLevel GetSecurityLevelForWebContents( 116 SecurityLevel GetSecurityLevelForWebContents(
79 const content::WebContents* web_contents) { 117 const content::WebContents* web_contents) {
80 if (!web_contents) 118 if (!web_contents)
81 return NONE; 119 return NONE;
82 120
83 content::NavigationEntry* entry = 121 content::NavigationEntry* entry =
(...skipping 17 matching lines...) Expand all
101 return SECURITY_ERROR; 139 return SECURITY_ERROR;
102 140
103 case content::SECURITY_STYLE_AUTHENTICATED: { 141 case content::SECURITY_STYLE_AUTHENTICATED: {
104 #if defined(OS_CHROMEOS) 142 #if defined(OS_CHROMEOS)
105 policy::PolicyCertService* service = 143 policy::PolicyCertService* service =
106 policy::PolicyCertServiceFactory::GetForProfile( 144 policy::PolicyCertServiceFactory::GetForProfile(
107 Profile::FromBrowserContext(web_contents->GetBrowserContext())); 145 Profile::FromBrowserContext(web_contents->GetBrowserContext()));
108 if (service && service->UsedPolicyCertificates()) 146 if (service && service->UsedPolicyCertificates())
109 return SECURITY_POLICY_WARNING; 147 return SECURITY_POLICY_WARNING;
110 #endif 148 #endif
111 if (ssl.content_status & content::SSLStatus::DISPLAYED_INSECURE_CONTENT) 149
150 MixedContentStatus mixed_content_status = GetMixedContentStatus(ssl);
151 // Active mixed content is downgraded to the BROKEN style and
152 // handled above.
153 DCHECK(mixed_content_status != RAN_MIXED_CONTENT);
Peter Kasting 2015/06/16 06:29:11 Nit: DCHECK_NE
estark 2015/06/16 15:32:34 Done.
154 if (mixed_content_status == DISPLAYED_MIXED_CONTENT)
112 return SECURITY_WARNING; 155 return SECURITY_WARNING;
113 scoped_refptr<net::X509Certificate> cert; 156
114 if (content::CertStore::GetInstance()->RetrieveCert(ssl.cert_id, &cert) && 157 scoped_refptr<net::X509Certificate> cert = GetCertForSSLStatus(ssl);
115 (ssl.cert_status & net::CERT_STATUS_SHA1_SIGNATURE_PRESENT)) { 158 SHA1DeprecationStatus sha1_status = GetSHA1DeprecationStatus(cert, ssl);
116 // The internal representation of the dates for UI treatment of SHA-1. 159 if (sha1_status == DEPRECATED_SHA1_BROKEN)
117 // See http://crbug.com/401365 for details. 160 return SECURITY_ERROR;
118 static const int64_t kJanuary2017 = INT64_C(13127702400000000); 161 else if (sha1_status == DEPRECATED_SHA1_WARNING)
Peter Kasting 2015/06/16 06:29:10 Nit: No else after return
estark 2015/06/16 15:32:34 Done.
119 // kJanuary2016 needs to be kept in sync with 162 return SECURITY_WARNING;
120 // ToolbarModelAndroid::IsDeprecatedSHA1Present(). 163
121 static const int64_t kJanuary2016 = INT64_C(13096080000000000);
122 if (cert->valid_expiry() >=
123 base::Time::FromInternalValue(kJanuary2017)) {
124 return SECURITY_ERROR;
125 }
126 if (cert->valid_expiry() >=
127 base::Time::FromInternalValue(kJanuary2016)) {
128 return SECURITY_WARNING;
129 }
130 }
131 if (net::IsCertStatusError(ssl.cert_status)) { 164 if (net::IsCertStatusError(ssl.cert_status)) {
132 DCHECK(net::IsCertStatusMinorError(ssl.cert_status)); 165 DCHECK(net::IsCertStatusMinorError(ssl.cert_status));
133 return SECURITY_WARNING; 166 return SECURITY_WARNING;
134 } 167 }
135 if (net::SSLConnectionStatusToVersion(ssl.connection_status) == 168 if (net::SSLConnectionStatusToVersion(ssl.connection_status) ==
136 net::SSL_CONNECTION_VERSION_SSL3) { 169 net::SSL_CONNECTION_VERSION_SSL3) {
137 // SSLv3 will be removed in the future. 170 // SSLv3 will be removed in the future.
138 return SECURITY_WARNING; 171 return SECURITY_WARNING;
139 } 172 }
140 if ((ssl.cert_status & net::CERT_STATUS_IS_EV) && cert) 173 if ((ssl.cert_status & net::CERT_STATUS_IS_EV) && cert)
141 return EV_SECURE; 174 return EV_SECURE;
142 return SECURE; 175 return SECURE;
143 } 176 }
144 177
145 default: 178 default:
146 NOTREACHED(); 179 NOTREACHED();
147 return NONE; 180 return NONE;
148 } 181 }
149 } 182 }
150 183
151 content::SecurityStyle GetSecurityStyleForWebContents( 184 void GetSecurityInfoForWebContents(const content::WebContents* web_contents,
152 const content::WebContents* web_contents) { 185 SecurityInfo* security_info) {
186 if (!web_contents) {
Peter Kasting 2015/06/16 06:29:11 Nit: Shorter: content::NavigationEntry* entry =
estark 2015/06/16 15:32:34 Done.
187 security_info->security_style = content::SECURITY_STYLE_UNKNOWN;
188 return;
189 }
190
191 content::NavigationEntry* entry =
192 web_contents->GetController().GetVisibleEntry();
193 if (!entry) {
194 security_info->security_style = content::SECURITY_STYLE_UNKNOWN;
195 return;
196 }
197
198 const content::SSLStatus& ssl = entry->GetSSL();
Peter Kasting 2015/06/16 06:29:10 Nit: Declare this just above the first use below r
estark 2015/06/16 15:32:34 Done.
199
153 SecurityLevel security_level = GetSecurityLevelForWebContents(web_contents); 200 SecurityLevel security_level = GetSecurityLevelForWebContents(web_contents);
154
155 switch (security_level) { 201 switch (security_level) {
156 case NONE: 202 case NONE:
157 return content::SECURITY_STYLE_UNAUTHENTICATED; 203 security_info->security_style = content::SECURITY_STYLE_UNAUTHENTICATED;
204 break;
158 case EV_SECURE: 205 case EV_SECURE:
159 case SECURE: 206 case SECURE:
160 return content::SECURITY_STYLE_AUTHENTICATED; 207 security_info->security_style = content::SECURITY_STYLE_AUTHENTICATED;
208 break;
161 case SECURITY_WARNING: 209 case SECURITY_WARNING:
162 case SECURITY_POLICY_WARNING: 210 case SECURITY_POLICY_WARNING:
163 return content::SECURITY_STYLE_WARNING; 211 security_info->security_style = content::SECURITY_STYLE_WARNING;
212 break;
164 case SECURITY_ERROR: 213 case SECURITY_ERROR:
165 return content::SECURITY_STYLE_AUTHENTICATION_BROKEN; 214 security_info->security_style =
215 content::SECURITY_STYLE_AUTHENTICATION_BROKEN;
216 break;
166 } 217 }
167 218
168 NOTREACHED(); 219 scoped_refptr<net::X509Certificate> cert = GetCertForSSLStatus(ssl);
169 return content::SECURITY_STYLE_UNKNOWN; 220 security_info->sha1_deprecation_status = GetSHA1DeprecationStatus(cert, ssl);
221 security_info->mixed_content_status = GetMixedContentStatus(ssl);
222 security_info->cert_status = ssl.cert_status;
170 } 223 }
171 224
172 } // namespace connection_security 225 } // namespace connection_security
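Review bot: In GetSecurityInfoForWebContents, both early returns (null `web_contents`, and no visible entry) set only `security_style` and leave `sha1_deprecation_status`, `mixed_content_status` and `cert_status` untouched. Unless the SecurityInfo definition, which is not shown on this page, gives those fields defaults, a caller that builds security explanations from the struct on that path reads whatever values were there before. Assign safe defaults before the first return, e.g. `security_info->sha1_deprecation_status = NO_DEPRECATED_SHA1;`, `security_info->mixed_content_status = NO_MIXED_CONTENT;`, `security_info->cert_status = 0;`. The same gap applies to `security_style` if `security_level` ever falls outside the switch cases, because the trailing `NOTREACHED()` from the old function was dropped.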
OLDNEW
