OLD | NEW |
---|---|
1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "chrome/browser/ssl/chrome_security_state_model_client.h" | 5 #include "chrome/browser/ssl/chrome_security_state_model_client.h" |
6 | 6 |
7 #include "base/command_line.h" | 7 #include "base/command_line.h" |
8 #include "base/metrics/field_trial.h" | 8 #include "base/metrics/field_trial.h" |
9 #include "base/metrics/histogram_macros.h" | 9 #include "base/metrics/histogram_macros.h" |
10 #include "base/strings/utf_string_conversions.h" | |
10 #include "build/build_config.h" | 11 #include "build/build_config.h" |
11 #include "chrome/browser/chromeos/policy/policy_cert_service.h" | 12 #include "chrome/browser/chromeos/policy/policy_cert_service.h" |
12 #include "chrome/browser/chromeos/policy/policy_cert_service_factory.h" | 13 #include "chrome/browser/chromeos/policy/policy_cert_service_factory.h" |
13 #include "chrome/browser/profiles/profile.h" | 14 #include "chrome/browser/profiles/profile.h" |
15 #include "chrome/grit/generated_resources.h" | |
14 #include "content/public/browser/cert_store.h" | 16 #include "content/public/browser/cert_store.h" |
15 #include "content/public/browser/navigation_entry.h" | 17 #include "content/public/browser/navigation_entry.h" |
18 #include "content/public/browser/security_style_explanation.h" | |
19 #include "content/public/browser/security_style_explanations.h" | |
16 #include "content/public/browser/web_contents.h" | 20 #include "content/public/browser/web_contents.h" |
17 #include "content/public/common/origin_util.h" | 21 #include "content/public/common/origin_util.h" |
18 #include "content/public/common/ssl_status.h" | 22 #include "content/public/common/ssl_status.h" |
23 #include "net/base/net_errors.h" | |
19 #include "net/cert/x509_certificate.h" | 24 #include "net/cert/x509_certificate.h" |
25 #include "ui/base/l10n/l10n_util.h" | |
20 | 26 |
21 DEFINE_WEB_CONTENTS_USER_DATA_KEY(ChromeSecurityStateModelClient); | 27 DEFINE_WEB_CONTENTS_USER_DATA_KEY(ChromeSecurityStateModelClient); |
22 | 28 |
23 using security_state::SecurityStateModel; | 29 using security_state::SecurityStateModel; |
24 | 30 |
25 namespace { | 31 namespace { |
26 | 32 |
27 // Converts a content::SecurityStyle (an indicator of a request's | 33 // Converts a content::SecurityStyle (an indicator of a request's |
28 // overall security level computed by //content) into a | 34 // overall security level computed by //content) into a |
29 // SecurityStateModel::SecurityLevel (a finer-grained SecurityStateModel | 35 // SecurityStateModel::SecurityLevel (a finer-grained SecurityStateModel |
(...skipping 12 matching lines...) Expand all Loading... | |
42 case content::SECURITY_STYLE_WARNING: | 48 case content::SECURITY_STYLE_WARNING: |
43 // content currently doesn't use this style. | 49 // content currently doesn't use this style. |
44 NOTREACHED(); | 50 NOTREACHED(); |
45 return SecurityStateModel::SECURITY_WARNING; | 51 return SecurityStateModel::SECURITY_WARNING; |
46 case content::SECURITY_STYLE_AUTHENTICATED: | 52 case content::SECURITY_STYLE_AUTHENTICATED: |
47 return SecurityStateModel::SECURE; | 53 return SecurityStateModel::SECURE; |
48 } | 54 } |
49 return SecurityStateModel::NONE; | 55 return SecurityStateModel::NONE; |
50 } | 56 } |
51 | 57 |
58 // Note: This is a lossy operation. Not all of the policies that can be | |
59 // expressed by a SecurityLevel (a //chrome concept) can be expressed by | |
60 // a content::SecurityStyle. | |
61 content::SecurityStyle SecurityLevelToSecurityStyle( | |
62 SecurityStateModel::SecurityLevel security_level) { | |
63 switch (security_level) { | |
64 case SecurityStateModel::NONE: | |
65 return content::SECURITY_STYLE_UNAUTHENTICATED; | |
66 case SecurityStateModel::SECURITY_WARNING: | |
67 case SecurityStateModel::SECURITY_POLICY_WARNING: | |
68 return content::SECURITY_STYLE_WARNING; | |
69 case SecurityStateModel::EV_SECURE: | |
70 case SecurityStateModel::SECURE: | |
71 return content::SECURITY_STYLE_AUTHENTICATED; | |
72 case SecurityStateModel::SECURITY_ERROR: | |
73 return content::SECURITY_STYLE_AUTHENTICATION_BROKEN; | |
74 } | |
75 | |
76 NOTREACHED(); | |
77 return content::SECURITY_STYLE_UNKNOWN; | |
78 } | |
79 | |
52 } // namespace | 80 } // namespace |
53 | 81 |
54 ChromeSecurityStateModelClient::ChromeSecurityStateModelClient( | 82 ChromeSecurityStateModelClient::ChromeSecurityStateModelClient( |
55 content::WebContents* web_contents) | 83 content::WebContents* web_contents) |
56 : web_contents_(web_contents), | 84 : web_contents_(web_contents), |
57 security_state_model_(new SecurityStateModel()) { | 85 security_state_model_(new SecurityStateModel()) { |
58 security_state_model_->SetClient(this); | 86 security_state_model_->SetClient(this); |
59 } | 87 } |
60 | 88 |
61 ChromeSecurityStateModelClient::~ChromeSecurityStateModelClient() {} | 89 ChromeSecurityStateModelClient::~ChromeSecurityStateModelClient() {} |
62 | 90 |
91 content::SecurityStyle ChromeSecurityStateModelClient::GetSecurityStyle( | |
92 content::WebContents* web_contents, | |
msw
2016/05/18 17:20:24
nit: remove |web_contents| if it isn't used (use |
estark
2016/05/20 22:12:09
Done.
| |
93 content::SecurityStyleExplanations* security_style_explanations) { | |
94 const SecurityStateModel::SecurityInfo& security_info = GetSecurityInfo(); | |
msw
2016/05/18 17:20:24
optional nit: If this is the only instance data ne
estark
2016/05/20 22:12:09
Done.
| |
95 | |
96 const content::SecurityStyle security_style = | |
97 SecurityLevelToSecurityStyle(security_info.security_level); | |
98 | |
99 security_style_explanations->ran_insecure_content_style = | |
100 SecurityLevelToSecurityStyle( | |
101 SecurityStateModel::kRanInsecureContentLevel); | |
102 security_style_explanations->displayed_insecure_content_style = | |
103 SecurityLevelToSecurityStyle( | |
104 SecurityStateModel::kDisplayedInsecureContentLevel); | |
105 | |
106 // Check if the page is HTTP; if so, no explanations are needed. Note | |
107 // that SECURITY_STYLE_UNAUTHENTICATED does not necessarily mean that | |
108 // the page is loaded over HTTP, because the security style merely | |
109 // represents how the embedder wishes to display the security state of | |
110 // the page, and the embedder can choose to display HTTPS page as HTTP | |
111 // if it wants to (for example, displaying deprecated crypto | |
112 // algorithms with the same UI treatment as HTTP pages). | |
113 security_style_explanations->scheme_is_cryptographic = | |
114 security_info.scheme_is_cryptographic; | |
115 if (!security_info.scheme_is_cryptographic) { | |
116 return security_style; | |
117 } | |
118 | |
119 if (security_info.sha1_deprecation_status == | |
120 SecurityStateModel::DEPRECATED_SHA1_MAJOR) { | |
121 security_style_explanations->broken_explanations.push_back( | |
122 content::SecurityStyleExplanation( | |
123 l10n_util::GetStringUTF8(IDS_MAJOR_SHA1), | |
124 l10n_util::GetStringUTF8(IDS_MAJOR_SHA1_DESCRIPTION), | |
125 security_info.cert_id)); | |
126 } else if (security_info.sha1_deprecation_status == | |
127 SecurityStateModel::DEPRECATED_SHA1_MINOR) { | |
128 security_style_explanations->unauthenticated_explanations.push_back( | |
129 content::SecurityStyleExplanation( | |
130 l10n_util::GetStringUTF8(IDS_MINOR_SHA1), | |
131 l10n_util::GetStringUTF8(IDS_MINOR_SHA1_DESCRIPTION), | |
132 security_info.cert_id)); | |
133 } | |
134 | |
135 security_style_explanations->ran_insecure_content = | |
136 security_info.mixed_content_status == | |
137 SecurityStateModel::RAN_MIXED_CONTENT || | |
138 security_info.mixed_content_status == | |
139 SecurityStateModel::RAN_AND_DISPLAYED_MIXED_CONTENT; | |
140 security_style_explanations->displayed_insecure_content = | |
141 security_info.mixed_content_status == | |
142 SecurityStateModel::DISPLAYED_MIXED_CONTENT || | |
143 security_info.mixed_content_status == | |
144 SecurityStateModel::RAN_AND_DISPLAYED_MIXED_CONTENT; | |
145 | |
146 if (net::IsCertStatusError(security_info.cert_status)) { | |
147 base::string16 error_string = base::UTF8ToUTF16(net::ErrorToString( | |
148 net::MapCertStatusToNetError(security_info.cert_status))); | |
149 | |
150 content::SecurityStyleExplanation explanation( | |
151 l10n_util::GetStringUTF8(IDS_CERTIFICATE_CHAIN_ERROR), | |
152 l10n_util::GetStringFUTF8( | |
153 IDS_CERTIFICATE_CHAIN_ERROR_DESCRIPTION_FORMAT, error_string), | |
154 security_info.cert_id); | |
155 | |
156 if (net::IsCertStatusMinorError(security_info.cert_status)) | |
157 security_style_explanations->unauthenticated_explanations.push_back( | |
158 explanation); | |
159 else | |
160 security_style_explanations->broken_explanations.push_back(explanation); | |
161 } else { | |
162 // If the certificate does not have errors and is not using | |
163 // deprecated SHA1, then add an explanation that the certificate is | |
164 // valid. | |
165 if (security_info.sha1_deprecation_status == | |
166 SecurityStateModel::NO_DEPRECATED_SHA1) { | |
167 security_style_explanations->secure_explanations.push_back( | |
168 content::SecurityStyleExplanation( | |
169 l10n_util::GetStringUTF8(IDS_VALID_SERVER_CERTIFICATE), | |
170 l10n_util::GetStringUTF8( | |
171 IDS_VALID_SERVER_CERTIFICATE_DESCRIPTION), | |
172 security_info.cert_id)); | |
173 } | |
174 } | |
175 | |
176 if (security_info.is_secure_protocol_and_ciphersuite) { | |
177 security_style_explanations->secure_explanations.push_back( | |
178 content::SecurityStyleExplanation( | |
179 l10n_util::GetStringUTF8(IDS_SECURE_PROTOCOL_AND_CIPHERSUITE), | |
180 l10n_util::GetStringUTF8( | |
181 IDS_SECURE_PROTOCOL_AND_CIPHERSUITE_DESCRIPTION))); | |
182 } | |
183 | |
184 return security_style; | |
185 } | |
186 | |
63 const SecurityStateModel::SecurityInfo& | 187 const SecurityStateModel::SecurityInfo& |
64 ChromeSecurityStateModelClient::GetSecurityInfo() const { | 188 ChromeSecurityStateModelClient::GetSecurityInfo() const { |
65 return security_state_model_->GetSecurityInfo(); | 189 return security_state_model_->GetSecurityInfo(); |
66 } | 190 } |
67 | 191 |
68 bool ChromeSecurityStateModelClient::RetrieveCert( | 192 bool ChromeSecurityStateModelClient::RetrieveCert( |
69 scoped_refptr<net::X509Certificate>* cert) { | 193 scoped_refptr<net::X509Certificate>* cert) { |
70 content::NavigationEntry* entry = | 194 content::NavigationEntry* entry = |
71 web_contents_->GetController().GetVisibleEntry(); | 195 web_contents_->GetController().GetVisibleEntry(); |
72 if (!entry) | 196 if (!entry) |
(...skipping 40 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
113 for (const auto& sct : ssl.signed_certificate_timestamp_ids) | 237 for (const auto& sct : ssl.signed_certificate_timestamp_ids) |
114 state->sct_verify_statuses.push_back(sct.status); | 238 state->sct_verify_statuses.push_back(sct.status); |
115 state->displayed_mixed_content = | 239 state->displayed_mixed_content = |
116 (ssl.content_status & content::SSLStatus::DISPLAYED_INSECURE_CONTENT) | 240 (ssl.content_status & content::SSLStatus::DISPLAYED_INSECURE_CONTENT) |
117 ? true | 241 ? true |
118 : false; | 242 : false; |
119 state->ran_mixed_content = | 243 state->ran_mixed_content = |
120 (ssl.content_status & content::SSLStatus::RAN_INSECURE_CONTENT) ? true | 244 (ssl.content_status & content::SSLStatus::RAN_INSECURE_CONTENT) ? true |
121 : false; | 245 : false; |
122 } | 246 } |
OLD | NEW |