| OLD | NEW |
|---|
| (Empty) |
| 1 // Copyright 2015 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include "components/ssl_errors/error_info.h" | |
| 6 | |
| 7 #include "base/i18n/message_formatter.h" | |
| 8 #include "base/strings/utf_string_conversions.h" | |
| 9 #include "grit/components_strings.h" | |
| 10 #include "net/base/escape.h" | |
| 11 #include "net/base/net_errors.h" | |
| 12 #include "net/cert/cert_status_flags.h" | |
| 13 #include "net/ssl/ssl_info.h" | |
| 14 #include "ui/base/l10n/l10n_util.h" | |
| 15 #include "url/gurl.h" | |
| 16 | |
| 17 using base::UTF8ToUTF16; | |
| 18 | |
| 19 namespace ssl_errors { | |
| 20 | |
| 21 ErrorInfo::ErrorInfo(const base::string16& details, | |
| 22 const base::string16& short_description) | |
| 23 : details_(details), short_description_(short_description) {} | |
| 24 | |
| 25 // static | |
| 26 ErrorInfo ErrorInfo::CreateError(ErrorType error_type, | |
| 27 net::X509Certificate* cert, | |
| 28 const GURL& request_url) { | |
| 29 base::string16 details, short_description; | |
| 30 switch (error_type) { | |
| 31 case CERT_COMMON_NAME_INVALID: { | |
| 32 // If the certificate contains multiple DNS names, we choose the most | |
| 33 // representative one -- either the DNS name that's also in the subject | |
| 34 // field, or the first one. If this heuristic turns out to be | |
| 35 // inadequate, we can consider choosing the DNS name that is the | |
| 36 // "closest match" to the host name in the request URL, or listing all | |
| 37 // the DNS names with an HTML <ul>. | |
| 38 std::vector<std::string> dns_names; | |
| 39 cert->GetDNSNames(&dns_names); | |
| 40 DCHECK(!dns_names.empty()); | |
| 41 size_t i = 0; | |
| 42 for (; i < dns_names.size(); ++i) { | |
| 43 if (dns_names[i] == cert->subject().common_name) | |
| 44 break; | |
| 45 } | |
| 46 if (i == dns_names.size()) | |
| 47 i = 0; | |
| 48 details = l10n_util::GetStringFUTF16( | |
| 49 IDS_CERT_ERROR_COMMON_NAME_INVALID_DETAILS, | |
| 50 UTF8ToUTF16(request_url.host()), | |
| 51 net::EscapeForHTML(UTF8ToUTF16(dns_names[i]))); | |
| 52 short_description = l10n_util::GetStringUTF16( | |
| 53 IDS_CERT_ERROR_COMMON_NAME_INVALID_DESCRIPTION); | |
| 54 break; | |
| 55 } | |
| 56 case CERT_DATE_INVALID: | |
| 57 if (cert->HasExpired()) { | |
| 58 // Make sure to round up to the smallest integer value not less than | |
| 59 // the expiration value (https://crbug.com/476758). | |
| 60 int expiration_value = | |
| 61 (base::Time::Now() - cert->valid_expiry()).InDays() + 1; | |
| 62 details = base::i18n::MessageFormatter::FormatWithNumberedArgs( | |
| 63 l10n_util::GetStringUTF16(IDS_CERT_ERROR_EXPIRED_DETAILS), | |
| 64 request_url.host(), expiration_value, base::Time::Now()); | |
| 65 short_description = | |
| 66 l10n_util::GetStringUTF16(IDS_CERT_ERROR_EXPIRED_DESCRIPTION); | |
| 67 } else if (base::Time::Now() < cert->valid_start()) { | |
| 68 details = base::i18n::MessageFormatter::FormatWithNumberedArgs( | |
| 69 l10n_util::GetStringUTF16(IDS_CERT_ERROR_NOT_YET_VALID_DETAILS), | |
| 70 request_url.host(), | |
| 71 (cert->valid_start() - base::Time::Now()).InDays()); | |
| 72 short_description = | |
| 73 l10n_util::GetStringUTF16(IDS_CERT_ERROR_NOT_YET_VALID_DESCRIPTION); | |
| 74 } else { | |
| 75 // Two possibilities: (1) an intermediate or root certificate has | |
| 76 // expired, or (2) the certificate has become valid since the error | |
| 77 // occurred. Both are probably rare cases. To avoid giving the wrong | |
| 78 // date, remove the information. | |
| 79 details = l10n_util::GetStringFUTF16( | |
| 80 IDS_CERT_ERROR_NOT_VALID_AT_THIS_TIME_DETAILS, | |
| 81 UTF8ToUTF16(request_url.host())); | |
| 82 short_description = l10n_util::GetStringUTF16( | |
| 83 IDS_CERT_ERROR_NOT_VALID_AT_THIS_TIME_DESCRIPTION); | |
| 84 } | |
| 85 break; | |
| 86 case CERT_AUTHORITY_INVALID: | |
| 87 details = | |
| 88 l10n_util::GetStringFUTF16(IDS_CERT_ERROR_AUTHORITY_INVALID_DETAILS, | |
| 89 UTF8ToUTF16(request_url.host())); | |
| 90 short_description = l10n_util::GetStringUTF16( | |
| 91 IDS_CERT_ERROR_AUTHORITY_INVALID_DESCRIPTION); | |
| 92 break; | |
| 93 case CERT_CONTAINS_ERRORS: | |
| 94 details = | |
| 95 l10n_util::GetStringFUTF16(IDS_CERT_ERROR_CONTAINS_ERRORS_DETAILS, | |
| 96 UTF8ToUTF16(request_url.host())); | |
| 97 short_description = | |
| 98 l10n_util::GetStringUTF16(IDS_CERT_ERROR_CONTAINS_ERRORS_DESCRIPTION); | |
| 99 break; | |
| 100 case CERT_NO_REVOCATION_MECHANISM: | |
| 101 details = l10n_util::GetStringUTF16( | |
| 102 IDS_CERT_ERROR_NO_REVOCATION_MECHANISM_DETAILS); | |
| 103 short_description = l10n_util::GetStringUTF16( | |
| 104 IDS_CERT_ERROR_NO_REVOCATION_MECHANISM_DESCRIPTION); | |
| 105 break; | |
| 106 case CERT_REVOKED: | |
| 107 details = l10n_util::GetStringFUTF16(IDS_CERT_ERROR_REVOKED_CERT_DETAILS, | |
| 108 UTF8ToUTF16(request_url.host())); | |
| 109 short_description = | |
| 110 l10n_util::GetStringUTF16(IDS_CERT_ERROR_REVOKED_CERT_DESCRIPTION); | |
| 111 break; | |
| 112 case CERT_INVALID: | |
| 113 details = l10n_util::GetStringFUTF16(IDS_CERT_ERROR_INVALID_CERT_DETAILS, | |
| 114 UTF8ToUTF16(request_url.host())); | |
| 115 short_description = | |
| 116 l10n_util::GetStringUTF16(IDS_CERT_ERROR_INVALID_CERT_DESCRIPTION); | |
| 117 break; | |
| 118 case CERT_WEAK_SIGNATURE_ALGORITHM: | |
| 119 details = l10n_util::GetStringFUTF16( | |
| 120 IDS_CERT_ERROR_WEAK_SIGNATURE_ALGORITHM_DETAILS, | |
| 121 UTF8ToUTF16(request_url.host())); | |
| 122 short_description = l10n_util::GetStringUTF16( | |
| 123 IDS_CERT_ERROR_WEAK_SIGNATURE_ALGORITHM_DESCRIPTION); | |
| 124 break; | |
| 125 case CERT_WEAK_KEY: | |
| 126 details = l10n_util::GetStringFUTF16(IDS_CERT_ERROR_WEAK_KEY_DETAILS, | |
| 127 UTF8ToUTF16(request_url.host())); | |
| 128 short_description = | |
| 129 l10n_util::GetStringUTF16(IDS_CERT_ERROR_WEAK_KEY_DESCRIPTION); | |
| 130 break; | |
| 131 case CERT_WEAK_KEY_DH: | |
| 132 details = l10n_util::GetStringFUTF16(IDS_CERT_ERROR_WEAK_KEY_DETAILS, | |
| 133 UTF8ToUTF16(request_url.host())); | |
| 134 short_description = | |
| 135 l10n_util::GetStringUTF16(IDS_CERT_ERROR_WEAK_KEY_DESCRIPTION); | |
| 136 case CERT_NAME_CONSTRAINT_VIOLATION: | |
| 137 details = l10n_util::GetStringFUTF16( | |
| 138 IDS_CERT_ERROR_NAME_CONSTRAINT_VIOLATION_DETAILS, | |
| 139 UTF8ToUTF16(request_url.host())); | |
| 140 short_description = l10n_util::GetStringUTF16( | |
| 141 IDS_CERT_ERROR_NAME_CONSTRAINT_VIOLATION_DESCRIPTION); | |
| 142 break; | |
| 143 case CERT_VALIDITY_TOO_LONG: | |
| 144 details = | |
| 145 l10n_util::GetStringFUTF16(IDS_CERT_ERROR_VALIDITY_TOO_LONG_DETAILS, | |
| 146 UTF8ToUTF16(request_url.host())); | |
| 147 short_description = l10n_util::GetStringUTF16( | |
| 148 IDS_CERT_ERROR_VALIDITY_TOO_LONG_DESCRIPTION); | |
| 149 break; | |
| 150 case CERT_PINNED_KEY_MISSING: | |
| 151 details = l10n_util::GetStringUTF16( | |
| 152 IDS_CERT_ERROR_SUMMARY_PINNING_FAILURE_DETAILS); | |
| 153 short_description = l10n_util::GetStringUTF16( | |
| 154 IDS_CERT_ERROR_SUMMARY_PINNING_FAILURE_DESCRIPTION); | |
| 155 break; | |
| 156 case CERT_UNABLE_TO_CHECK_REVOCATION: | |
| 157 details = l10n_util::GetStringUTF16( | |
| 158 IDS_CERT_ERROR_UNABLE_TO_CHECK_REVOCATION_DETAILS); | |
| 159 short_description = l10n_util::GetStringUTF16( | |
| 160 IDS_CERT_ERROR_UNABLE_TO_CHECK_REVOCATION_DESCRIPTION); | |
| 161 break; | |
| 162 case UNKNOWN: | |
| 163 details = l10n_util::GetStringUTF16(IDS_CERT_ERROR_UNKNOWN_ERROR_DETAILS); | |
| 164 short_description = | |
| 165 l10n_util::GetStringUTF16(IDS_CERT_ERROR_UNKNOWN_ERROR_DESCRIPTION); | |
| 166 break; | |
| 167 default: | |
| 168 NOTREACHED(); | |
| 169 } | |
| 170 return ErrorInfo(details, short_description); | |
| 171 } | |
| 172 | |
| 173 ErrorInfo::~ErrorInfo() {} | |
| 174 | |
| 175 // static | |
| 176 ErrorInfo::ErrorType ErrorInfo::NetErrorToErrorType(int net_error) { | |
| 177 switch (net_error) { | |
| 178 case net::ERR_CERT_COMMON_NAME_INVALID: | |
| 179 return CERT_COMMON_NAME_INVALID; | |
| 180 case net::ERR_CERT_DATE_INVALID: | |
| 181 return CERT_DATE_INVALID; | |
| 182 case net::ERR_CERT_AUTHORITY_INVALID: | |
| 183 return CERT_AUTHORITY_INVALID; | |
| 184 case net::ERR_CERT_CONTAINS_ERRORS: | |
| 185 return CERT_CONTAINS_ERRORS; | |
| 186 case net::ERR_CERT_NO_REVOCATION_MECHANISM: | |
| 187 return CERT_NO_REVOCATION_MECHANISM; | |
| 188 case net::ERR_CERT_UNABLE_TO_CHECK_REVOCATION: | |
| 189 return CERT_UNABLE_TO_CHECK_REVOCATION; | |
| 190 case net::ERR_CERT_REVOKED: | |
| 191 return CERT_REVOKED; | |
| 192 case net::ERR_CERT_INVALID: | |
| 193 return CERT_INVALID; | |
| 194 case net::ERR_CERT_WEAK_SIGNATURE_ALGORITHM: | |
| 195 return CERT_WEAK_SIGNATURE_ALGORITHM; | |
| 196 case net::ERR_CERT_WEAK_KEY: | |
| 197 return CERT_WEAK_KEY; | |
| 198 case net::ERR_CERT_NAME_CONSTRAINT_VIOLATION: | |
| 199 return CERT_NAME_CONSTRAINT_VIOLATION; | |
| 200 case net::ERR_CERT_VALIDITY_TOO_LONG: | |
| 201 return CERT_VALIDITY_TOO_LONG; | |
| 202 case net::ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY: | |
| 203 return CERT_WEAK_KEY_DH; | |
| 204 case net::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN: | |
| 205 return CERT_PINNED_KEY_MISSING; | |
| 206 default: | |
| 207 NOTREACHED(); | |
| 208 return UNKNOWN; | |
| 209 } | |
| 210 } | |
| 211 | |
| 212 // static | |
| 213 void ErrorInfo::GetErrorsForCertStatus( | |
| 214 const scoped_refptr<net::X509Certificate>& cert, | |
| 215 net::CertStatus cert_status, | |
| 216 const GURL& url, | |
| 217 std::vector<ErrorInfo>* errors) { | |
| 218 const net::CertStatus kErrorFlags[] = { | |
| 219 net::CERT_STATUS_COMMON_NAME_INVALID, | |
| 220 net::CERT_STATUS_DATE_INVALID, | |
| 221 net::CERT_STATUS_AUTHORITY_INVALID, | |
| 222 net::CERT_STATUS_NO_REVOCATION_MECHANISM, | |
| 223 net::CERT_STATUS_UNABLE_TO_CHECK_REVOCATION, | |
| 224 net::CERT_STATUS_REVOKED, | |
| 225 net::CERT_STATUS_INVALID, | |
| 226 net::CERT_STATUS_WEAK_SIGNATURE_ALGORITHM, | |
| 227 net::CERT_STATUS_WEAK_KEY, | |
| 228 net::CERT_STATUS_NAME_CONSTRAINT_VIOLATION, | |
| 229 net::CERT_STATUS_VALIDITY_TOO_LONG, | |
| 230 }; | |
| 231 | |
| 232 const ErrorType kErrorTypes[] = { | |
| 233 CERT_COMMON_NAME_INVALID, | |
| 234 CERT_DATE_INVALID, | |
| 235 CERT_AUTHORITY_INVALID, | |
| 236 CERT_NO_REVOCATION_MECHANISM, | |
| 237 CERT_UNABLE_TO_CHECK_REVOCATION, | |
| 238 CERT_REVOKED, | |
| 239 CERT_INVALID, | |
| 240 CERT_WEAK_SIGNATURE_ALGORITHM, | |
| 241 CERT_WEAK_KEY, | |
| 242 CERT_NAME_CONSTRAINT_VIOLATION, | |
| 243 CERT_VALIDITY_TOO_LONG, | |
| 244 }; | |
| 245 DCHECK(arraysize(kErrorFlags) == arraysize(kErrorTypes)); | |
| 246 | |
| 247 for (size_t i = 0; i < arraysize(kErrorFlags); ++i) { | |
| 248 if ((cert_status & kErrorFlags[i]) && errors) { | |
| 249 errors->push_back( | |
| 250 ErrorInfo::CreateError(kErrorTypes[i], cert.get(), url)); | |
| 251 } | |
| 252 } | |
| 253 } | |
| 254 | |
| 255 } // namespace ssl_errors | |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1351773002:
Revert "Create a component for SSL error handling" (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master