Reject certificates that are valid for too long.

chrome/browser/ssl/ssl_error_info.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/ssl/ssl_error_info.h"
 
 #include "base/i18n/time_formatting.h"
 #include "base/strings/utf_string_conversions.h"
 #include "chrome/common/time_format.h"
 #include "content/public/browser/cert_store.h"
@@ skipping 181 matching lines @@
       details = l10n_util::GetStringFUTF16(
           IDS_CERT_ERROR_WEAK_KEY_DETAILS, UTF8ToUTF16(request_url.host()));
       short_description = l10n_util::GetStringUTF16(
           IDS_CERT_ERROR_WEAK_KEY_DESCRIPTION);
       extra_info.push_back(
           l10n_util::GetStringUTF16(IDS_CERT_ERROR_EXTRA_INFO_1));
       extra_info.push_back(
           l10n_util::GetStringUTF16(
               IDS_CERT_ERROR_WEAK_KEY_EXTRA_INFO_2));
       break;
+    case CERT_TOO_LONG_VALIDITY:
+      title = l10n_util::GetStringUTF16(IDS_CERT_ERROR_TOO_LONG_VALIDITY_TITLE);
+      details = l10n_util::GetStringFUTF16(
+          IDS_CERT_ERROR_TOO_LONG_VALIDITY_DETAILS,
+          UTF8ToUTF16(request_url.host()));
+      short_description = l10n_util::GetStringUTF16(
+          IDS_CERT_ERROR_TOO_LONG_VALIDITY_DESCRIPTION);
+      extra_info.push_back(
+          l10n_util::GetStringUTF16(IDS_CERT_ERROR_EXTRA_INFO_1));
+      extra_info.push_back(
+          l10n_util::GetStringUTF16(
+              IDS_CERT_ERROR_TOO_LONG_VALIDITY_EXTRA_INFO_2));
+      break;
     case UNKNOWN:
       title = l10n_util::GetStringUTF16(IDS_CERT_ERROR_UNKNOWN_ERROR_TITLE);
       details = l10n_util::GetStringUTF16(IDS_CERT_ERROR_UNKNOWN_ERROR_DETAILS);
       short_description =
           l10n_util::GetStringUTF16(IDS_CERT_ERROR_UNKNOWN_ERROR_DESCRIPTION);
       break;
     default:
       NOTREACHED();
   }
   return SSLErrorInfo(title, details, short_description, extra_info);
@@ skipping 38 matching lines @@
                                          std::vector<SSLErrorInfo>* errors) {
   const net::CertStatus kErrorFlags[] = {
     net::CERT_STATUS_COMMON_NAME_INVALID,
     net::CERT_STATUS_DATE_INVALID,
     net::CERT_STATUS_AUTHORITY_INVALID,
     net::CERT_STATUS_NO_REVOCATION_MECHANISM,
     net::CERT_STATUS_UNABLE_TO_CHECK_REVOCATION,
     net::CERT_STATUS_REVOKED,
     net::CERT_STATUS_INVALID,
     net::CERT_STATUS_WEAK_SIGNATURE_ALGORITHM,
-    net::CERT_STATUS_WEAK_KEY
+    net::CERT_STATUS_WEAK_KEY,
+    net::CERT_STATUS_TOO_LONG_VALIDITY
   };
 
   const ErrorType kErrorTypes[] = {
     CERT_COMMON_NAME_INVALID,
     CERT_DATE_INVALID,
     CERT_AUTHORITY_INVALID,
     CERT_NO_REVOCATION_MECHANISM,
     CERT_UNABLE_TO_CHECK_REVOCATION,
     CERT_REVOKED,
     CERT_INVALID,
     CERT_WEAK_SIGNATURE_ALGORITHM,
-    CERT_WEAK_KEY
+    CERT_WEAK_KEY,
+    CERT_TOO_LONG_VALIDITY
   };
   DCHECK(arraysize(kErrorFlags) == arraysize(kErrorTypes));
 
   scoped_refptr<net::X509Certificate> cert = NULL;
   int count = 0;
   for (size_t i = 0; i < arraysize(kErrorFlags); ++i) {
     if (cert_status & kErrorFlags[i]) {
       count++;
       if (!cert.get()) {
         bool r = content::CertStore::GetInstance()->RetrieveCert(
             cert_id, &cert);
         DCHECK(r);
       }
-      if (errors)
+      if (errors) {
         errors->push_back(
             SSLErrorInfo::CreateError(kErrorTypes[i], cert.get(), url));
+      }
     }
   }
   return count;
 }