OLD | NEW |
1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "chrome/browser/ssl/chrome_security_state_model_client.h" | 5 #include "chrome/browser/ssl/chrome_security_state_model_client.h" |
6 | 6 |
7 #include "base/command_line.h" | 7 #include "base/command_line.h" |
8 #include "base/metrics/field_trial.h" | 8 #include "base/metrics/field_trial.h" |
9 #include "base/metrics/histogram_macros.h" | 9 #include "base/metrics/histogram_macros.h" |
| 10 #include "base/strings/utf_string_conversions.h" |
10 #include "build/build_config.h" | 11 #include "build/build_config.h" |
11 #include "chrome/browser/chromeos/policy/policy_cert_service.h" | 12 #include "chrome/browser/chromeos/policy/policy_cert_service.h" |
12 #include "chrome/browser/chromeos/policy/policy_cert_service_factory.h" | 13 #include "chrome/browser/chromeos/policy/policy_cert_service_factory.h" |
13 #include "chrome/browser/profiles/profile.h" | 14 #include "chrome/browser/profiles/profile.h" |
| 15 #include "chrome/grit/generated_resources.h" |
14 #include "content/public/browser/cert_store.h" | 16 #include "content/public/browser/cert_store.h" |
15 #include "content/public/browser/navigation_entry.h" | 17 #include "content/public/browser/navigation_entry.h" |
| 18 #include "content/public/browser/security_style_explanation.h" |
| 19 #include "content/public/browser/security_style_explanations.h" |
16 #include "content/public/browser/web_contents.h" | 20 #include "content/public/browser/web_contents.h" |
17 #include "content/public/common/origin_util.h" | 21 #include "content/public/common/origin_util.h" |
18 #include "content/public/common/ssl_status.h" | 22 #include "content/public/common/ssl_status.h" |
| 23 #include "net/base/net_errors.h" |
19 #include "net/cert/x509_certificate.h" | 24 #include "net/cert/x509_certificate.h" |
| 25 #include "ui/base/l10n/l10n_util.h" |
20 | 26 |
21 DEFINE_WEB_CONTENTS_USER_DATA_KEY(ChromeSecurityStateModelClient); | 27 DEFINE_WEB_CONTENTS_USER_DATA_KEY(ChromeSecurityStateModelClient); |
22 | 28 |
23 using security_state::SecurityStateModel; | 29 using security_state::SecurityStateModel; |
24 | 30 |
25 namespace { | 31 namespace { |
26 | 32 |
27 // Converts a content::SecurityStyle (an indicator of a request's | 33 // Converts a content::SecurityStyle (an indicator of a request's |
28 // overall security level computed by //content) into a | 34 // overall security level computed by //content) into a |
29 // SecurityStateModel::SecurityLevel (a finer-grained SecurityStateModel | 35 // SecurityStateModel::SecurityLevel (a finer-grained SecurityStateModel |
(...skipping 12 matching lines...) Expand all Loading... |
42 case content::SECURITY_STYLE_WARNING: | 48 case content::SECURITY_STYLE_WARNING: |
43 // content currently doesn't use this style. | 49 // content currently doesn't use this style. |
44 NOTREACHED(); | 50 NOTREACHED(); |
45 return SecurityStateModel::SECURITY_WARNING; | 51 return SecurityStateModel::SECURITY_WARNING; |
46 case content::SECURITY_STYLE_AUTHENTICATED: | 52 case content::SECURITY_STYLE_AUTHENTICATED: |
47 return SecurityStateModel::SECURE; | 53 return SecurityStateModel::SECURE; |
48 } | 54 } |
49 return SecurityStateModel::NONE; | 55 return SecurityStateModel::NONE; |
50 } | 56 } |
51 | 57 |
| 58 // Note: This is a lossy operation. Not all of the policies that can be |
| 59 // expressed by a SecurityLevel (a //chrome concept) can be expressed by |
| 60 // a content::SecurityStyle. |
| 61 content::SecurityStyle SecurityLevelToSecurityStyle( |
| 62 SecurityStateModel::SecurityLevel security_level) { |
| 63 switch (security_level) { |
| 64 case SecurityStateModel::NONE: |
| 65 return content::SECURITY_STYLE_UNAUTHENTICATED; |
| 66 case SecurityStateModel::SECURITY_WARNING: |
| 67 case SecurityStateModel::SECURITY_POLICY_WARNING: |
| 68 return content::SECURITY_STYLE_WARNING; |
| 69 case SecurityStateModel::EV_SECURE: |
| 70 case SecurityStateModel::SECURE: |
| 71 return content::SECURITY_STYLE_AUTHENTICATED; |
| 72 case SecurityStateModel::SECURITY_ERROR: |
| 73 return content::SECURITY_STYLE_AUTHENTICATION_BROKEN; |
| 74 } |
| 75 |
| 76 NOTREACHED(); |
| 77 return content::SECURITY_STYLE_UNKNOWN; |
| 78 } |
| 79 |
52 } // namespace | 80 } // namespace |
53 | 81 |
54 ChromeSecurityStateModelClient::ChromeSecurityStateModelClient( | 82 ChromeSecurityStateModelClient::ChromeSecurityStateModelClient( |
55 content::WebContents* web_contents) | 83 content::WebContents* web_contents) |
56 : web_contents_(web_contents), | 84 : web_contents_(web_contents), |
57 security_state_model_(new SecurityStateModel()) { | 85 security_state_model_(new SecurityStateModel()) { |
58 security_state_model_->SetClient(this); | 86 security_state_model_->SetClient(this); |
59 } | 87 } |
60 | 88 |
61 ChromeSecurityStateModelClient::~ChromeSecurityStateModelClient() {} | 89 ChromeSecurityStateModelClient::~ChromeSecurityStateModelClient() {} |
62 | 90 |
| 91 // static |
| 92 content::SecurityStyle ChromeSecurityStateModelClient::GetSecurityStyle( |
| 93 const security_state::SecurityStateModel::SecurityInfo& security_info, |
| 94 content::SecurityStyleExplanations* security_style_explanations) { |
| 95 const content::SecurityStyle security_style = |
| 96 SecurityLevelToSecurityStyle(security_info.security_level); |
| 97 |
| 98 security_style_explanations->ran_insecure_content_style = |
| 99 SecurityLevelToSecurityStyle( |
| 100 SecurityStateModel::kRanInsecureContentLevel); |
| 101 security_style_explanations->displayed_insecure_content_style = |
| 102 SecurityLevelToSecurityStyle( |
| 103 SecurityStateModel::kDisplayedInsecureContentLevel); |
| 104 |
| 105 // Check if the page is HTTP; if so, no explanations are needed. Note |
| 106 // that SECURITY_STYLE_UNAUTHENTICATED does not necessarily mean that |
| 107 // the page is loaded over HTTP, because the security style merely |
| 108 // represents how the embedder wishes to display the security state of |
| 109 // the page, and the embedder can choose to display HTTPS page as HTTP |
| 110 // if it wants to (for example, displaying deprecated crypto |
| 111 // algorithms with the same UI treatment as HTTP pages). |
| 112 security_style_explanations->scheme_is_cryptographic = |
| 113 security_info.scheme_is_cryptographic; |
| 114 if (!security_info.scheme_is_cryptographic) { |
| 115 return security_style; |
| 116 } |
| 117 |
| 118 if (security_info.sha1_deprecation_status == |
| 119 SecurityStateModel::DEPRECATED_SHA1_MAJOR) { |
| 120 security_style_explanations->broken_explanations.push_back( |
| 121 content::SecurityStyleExplanation( |
| 122 l10n_util::GetStringUTF8(IDS_MAJOR_SHA1), |
| 123 l10n_util::GetStringUTF8(IDS_MAJOR_SHA1_DESCRIPTION), |
| 124 security_info.cert_id)); |
| 125 } else if (security_info.sha1_deprecation_status == |
| 126 SecurityStateModel::DEPRECATED_SHA1_MINOR) { |
| 127 security_style_explanations->unauthenticated_explanations.push_back( |
| 128 content::SecurityStyleExplanation( |
| 129 l10n_util::GetStringUTF8(IDS_MINOR_SHA1), |
| 130 l10n_util::GetStringUTF8(IDS_MINOR_SHA1_DESCRIPTION), |
| 131 security_info.cert_id)); |
| 132 } |
| 133 |
| 134 security_style_explanations->ran_insecure_content = |
| 135 security_info.mixed_content_status == |
| 136 SecurityStateModel::RAN_MIXED_CONTENT || |
| 137 security_info.mixed_content_status == |
| 138 SecurityStateModel::RAN_AND_DISPLAYED_MIXED_CONTENT; |
| 139 security_style_explanations->displayed_insecure_content = |
| 140 security_info.mixed_content_status == |
| 141 SecurityStateModel::DISPLAYED_MIXED_CONTENT || |
| 142 security_info.mixed_content_status == |
| 143 SecurityStateModel::RAN_AND_DISPLAYED_MIXED_CONTENT; |
| 144 |
| 145 if (net::IsCertStatusError(security_info.cert_status)) { |
| 146 base::string16 error_string = base::UTF8ToUTF16(net::ErrorToString( |
| 147 net::MapCertStatusToNetError(security_info.cert_status))); |
| 148 |
| 149 content::SecurityStyleExplanation explanation( |
| 150 l10n_util::GetStringUTF8(IDS_CERTIFICATE_CHAIN_ERROR), |
| 151 l10n_util::GetStringFUTF8( |
| 152 IDS_CERTIFICATE_CHAIN_ERROR_DESCRIPTION_FORMAT, error_string), |
| 153 security_info.cert_id); |
| 154 |
| 155 if (net::IsCertStatusMinorError(security_info.cert_status)) |
| 156 security_style_explanations->unauthenticated_explanations.push_back( |
| 157 explanation); |
| 158 else |
| 159 security_style_explanations->broken_explanations.push_back(explanation); |
| 160 } else { |
| 161 // If the certificate does not have errors and is not using |
| 162 // deprecated SHA1, then add an explanation that the certificate is |
| 163 // valid. |
| 164 if (security_info.sha1_deprecation_status == |
| 165 SecurityStateModel::NO_DEPRECATED_SHA1) { |
| 166 security_style_explanations->secure_explanations.push_back( |
| 167 content::SecurityStyleExplanation( |
| 168 l10n_util::GetStringUTF8(IDS_VALID_SERVER_CERTIFICATE), |
| 169 l10n_util::GetStringUTF8( |
| 170 IDS_VALID_SERVER_CERTIFICATE_DESCRIPTION), |
| 171 security_info.cert_id)); |
| 172 } |
| 173 } |
| 174 |
| 175 if (security_info.is_secure_protocol_and_ciphersuite) { |
| 176 security_style_explanations->secure_explanations.push_back( |
| 177 content::SecurityStyleExplanation( |
| 178 l10n_util::GetStringUTF8(IDS_SECURE_PROTOCOL_AND_CIPHERSUITE), |
| 179 l10n_util::GetStringUTF8( |
| 180 IDS_SECURE_PROTOCOL_AND_CIPHERSUITE_DESCRIPTION))); |
| 181 } |
| 182 |
| 183 return security_style; |
| 184 } |
| 185 |
63 const SecurityStateModel::SecurityInfo& | 186 const SecurityStateModel::SecurityInfo& |
64 ChromeSecurityStateModelClient::GetSecurityInfo() const { | 187 ChromeSecurityStateModelClient::GetSecurityInfo() const { |
65 return security_state_model_->GetSecurityInfo(); | 188 return security_state_model_->GetSecurityInfo(); |
66 } | 189 } |
67 | 190 |
68 bool ChromeSecurityStateModelClient::RetrieveCert( | 191 bool ChromeSecurityStateModelClient::RetrieveCert( |
69 scoped_refptr<net::X509Certificate>* cert) { | 192 scoped_refptr<net::X509Certificate>* cert) { |
70 content::NavigationEntry* entry = | 193 content::NavigationEntry* entry = |
71 web_contents_->GetController().GetVisibleEntry(); | 194 web_contents_->GetController().GetVisibleEntry(); |
72 if (!entry) | 195 if (!entry) |
(...skipping 40 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
113 for (const auto& sct : ssl.signed_certificate_timestamp_ids) | 236 for (const auto& sct : ssl.signed_certificate_timestamp_ids) |
114 state->sct_verify_statuses.push_back(sct.status); | 237 state->sct_verify_statuses.push_back(sct.status); |
115 state->displayed_mixed_content = | 238 state->displayed_mixed_content = |
116 (ssl.content_status & content::SSLStatus::DISPLAYED_INSECURE_CONTENT) | 239 (ssl.content_status & content::SSLStatus::DISPLAYED_INSECURE_CONTENT) |
117 ? true | 240 ? true |
118 : false; | 241 : false; |
119 state->ran_mixed_content = | 242 state->ran_mixed_content = |
120 (ssl.content_status & content::SSLStatus::RAN_INSECURE_CONTENT) ? true | 243 (ssl.content_status & content::SSLStatus::RAN_INSECURE_CONTENT) ? true |
121 : false; | 244 : false; |
122 } | 245 } |
OLD | NEW |