OLD | NEW |
1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "chrome/browser/ssl/chrome_security_state_model_client.h" | 5 #include "chrome/browser/ssl/chrome_security_state_model_client.h" |
6 | 6 |
7 #include <vector> | 7 #include <vector> |
8 | 8 |
9 #include "base/command_line.h" | 9 #include "base/command_line.h" |
10 #include "base/metrics/field_trial.h" | 10 #include "base/metrics/field_trial.h" |
11 #include "base/metrics/histogram_macros.h" | 11 #include "base/metrics/histogram_macros.h" |
12 #include "base/strings/string16.h" | 12 #include "base/strings/string16.h" |
13 #include "base/strings/utf_string_conversions.h" | 13 #include "base/strings/utf_string_conversions.h" |
14 #include "build/build_config.h" | 14 #include "build/build_config.h" |
15 #include "chrome/browser/browser_process.h" | 15 #include "chrome/browser/browser_process.h" |
16 #include "chrome/browser/chromeos/policy/policy_cert_service.h" | 16 #include "chrome/browser/chromeos/policy/policy_cert_service.h" |
17 #include "chrome/browser/chromeos/policy/policy_cert_service_factory.h" | 17 #include "chrome/browser/chromeos/policy/policy_cert_service_factory.h" |
18 #include "chrome/browser/profiles/profile.h" | 18 #include "chrome/browser/profiles/profile.h" |
19 #include "chrome/browser/safe_browsing/safe_browsing_service.h" | 19 #include "chrome/browser/safe_browsing/safe_browsing_service.h" |
20 #include "chrome/browser/safe_browsing/ui_manager.h" | 20 #include "chrome/browser/safe_browsing/ui_manager.h" |
21 #include "chrome/grit/generated_resources.h" | 21 #include "chrome/grit/generated_resources.h" |
22 #include "content/public/browser/cert_store.h" | |
23 #include "content/public/browser/navigation_entry.h" | 22 #include "content/public/browser/navigation_entry.h" |
24 #include "content/public/browser/security_style_explanation.h" | 23 #include "content/public/browser/security_style_explanation.h" |
25 #include "content/public/browser/security_style_explanations.h" | 24 #include "content/public/browser/security_style_explanations.h" |
26 #include "content/public/browser/web_contents.h" | 25 #include "content/public/browser/web_contents.h" |
27 #include "content/public/common/origin_util.h" | 26 #include "content/public/common/origin_util.h" |
28 #include "content/public/common/ssl_status.h" | 27 #include "content/public/common/ssl_status.h" |
29 #include "net/base/net_errors.h" | 28 #include "net/base/net_errors.h" |
30 #include "net/cert/x509_certificate.h" | 29 #include "net/cert/x509_certificate.h" |
31 #include "net/ssl/ssl_cipher_suite_names.h" | 30 #include "net/ssl/ssl_cipher_suite_names.h" |
32 #include "net/ssl/ssl_connection_status_flags.h" | 31 #include "net/ssl/ssl_connection_status_flags.h" |
(...skipping 52 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
85 NOTREACHED(); | 84 NOTREACHED(); |
86 return content::SECURITY_STYLE_UNKNOWN; | 85 return content::SECURITY_STYLE_UNKNOWN; |
87 } | 86 } |
88 | 87 |
89 void AddConnectionExplanation( | 88 void AddConnectionExplanation( |
90 const security_state::SecurityStateModel::SecurityInfo& security_info, | 89 const security_state::SecurityStateModel::SecurityInfo& security_info, |
91 content::SecurityStyleExplanations* security_style_explanations) { | 90 content::SecurityStyleExplanations* security_style_explanations) { |
92 | 91 |
93 // Avoid showing TLS details when we couldn't even establish a TLS connection | 92 // Avoid showing TLS details when we couldn't even establish a TLS connection |
94 // (e.g. for net errors) or if there was no real connection (some tests). We | 93 // (e.g. for net errors) or if there was no real connection (some tests). We |
95 // check the |cert_id| to see if there was a connection. | 94 // check the |certificate| to see if there was a connection. |
96 if (security_info.cert_id == 0 || security_info.connection_status == 0) { | 95 if (!security_info.certificate || security_info.connection_status == 0) { |
97 return; | 96 return; |
98 } | 97 } |
99 | 98 |
100 int ssl_version = | 99 int ssl_version = |
101 net::SSLConnectionStatusToVersion(security_info.connection_status); | 100 net::SSLConnectionStatusToVersion(security_info.connection_status); |
102 const char* protocol; | 101 const char* protocol; |
103 net::SSLVersionToString(&protocol, ssl_version); | 102 net::SSLVersionToString(&protocol, ssl_version); |
104 const char* key_exchange; | 103 const char* key_exchange; |
105 const char* cipher; | 104 const char* cipher; |
106 const char* mac; | 105 const char* mac; |
(...skipping 101 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
208 if (!security_info.scheme_is_cryptographic) { | 207 if (!security_info.scheme_is_cryptographic) { |
209 return security_style; | 208 return security_style; |
210 } | 209 } |
211 | 210 |
212 if (security_info.sha1_deprecation_status == | 211 if (security_info.sha1_deprecation_status == |
213 SecurityStateModel::DEPRECATED_SHA1_MAJOR) { | 212 SecurityStateModel::DEPRECATED_SHA1_MAJOR) { |
214 security_style_explanations->broken_explanations.push_back( | 213 security_style_explanations->broken_explanations.push_back( |
215 content::SecurityStyleExplanation( | 214 content::SecurityStyleExplanation( |
216 l10n_util::GetStringUTF8(IDS_MAJOR_SHA1), | 215 l10n_util::GetStringUTF8(IDS_MAJOR_SHA1), |
217 l10n_util::GetStringUTF8(IDS_MAJOR_SHA1_DESCRIPTION), | 216 l10n_util::GetStringUTF8(IDS_MAJOR_SHA1_DESCRIPTION), |
218 security_info.cert_id)); | 217 !!security_info.certificate)); |
219 } else if (security_info.sha1_deprecation_status == | 218 } else if (security_info.sha1_deprecation_status == |
220 SecurityStateModel::DEPRECATED_SHA1_MINOR) { | 219 SecurityStateModel::DEPRECATED_SHA1_MINOR) { |
221 security_style_explanations->unauthenticated_explanations.push_back( | 220 security_style_explanations->unauthenticated_explanations.push_back( |
222 content::SecurityStyleExplanation( | 221 content::SecurityStyleExplanation( |
223 l10n_util::GetStringUTF8(IDS_MINOR_SHA1), | 222 l10n_util::GetStringUTF8(IDS_MINOR_SHA1), |
224 l10n_util::GetStringUTF8(IDS_MINOR_SHA1_DESCRIPTION), | 223 l10n_util::GetStringUTF8(IDS_MINOR_SHA1_DESCRIPTION), |
225 security_info.cert_id)); | 224 !!security_info.certificate)); |
226 } | 225 } |
227 | 226 |
228 // Record the presence of mixed content (HTTP subresources on an HTTPS | 227 // Record the presence of mixed content (HTTP subresources on an HTTPS |
229 // page). | 228 // page). |
230 security_style_explanations->ran_mixed_content = | 229 security_style_explanations->ran_mixed_content = |
231 security_info.mixed_content_status == | 230 security_info.mixed_content_status == |
232 SecurityStateModel::CONTENT_STATUS_RAN || | 231 SecurityStateModel::CONTENT_STATUS_RAN || |
233 security_info.mixed_content_status == | 232 security_info.mixed_content_status == |
234 SecurityStateModel::CONTENT_STATUS_DISPLAYED_AND_RAN; | 233 SecurityStateModel::CONTENT_STATUS_DISPLAYED_AND_RAN; |
235 security_style_explanations->displayed_mixed_content = | 234 security_style_explanations->displayed_mixed_content = |
(...skipping 26 matching lines...) Expand all Loading... |
262 } | 261 } |
263 | 262 |
264 if (is_cert_status_error) { | 263 if (is_cert_status_error) { |
265 base::string16 error_string = base::UTF8ToUTF16(net::ErrorToString( | 264 base::string16 error_string = base::UTF8ToUTF16(net::ErrorToString( |
266 net::MapCertStatusToNetError(security_info.cert_status))); | 265 net::MapCertStatusToNetError(security_info.cert_status))); |
267 | 266 |
268 content::SecurityStyleExplanation explanation( | 267 content::SecurityStyleExplanation explanation( |
269 l10n_util::GetStringUTF8(IDS_CERTIFICATE_CHAIN_ERROR), | 268 l10n_util::GetStringUTF8(IDS_CERTIFICATE_CHAIN_ERROR), |
270 l10n_util::GetStringFUTF8( | 269 l10n_util::GetStringFUTF8( |
271 IDS_CERTIFICATE_CHAIN_ERROR_DESCRIPTION_FORMAT, error_string), | 270 IDS_CERTIFICATE_CHAIN_ERROR_DESCRIPTION_FORMAT, error_string), |
272 security_info.cert_id); | 271 !!security_info.certificate); |
273 | 272 |
274 if (is_cert_status_minor_error) { | 273 if (is_cert_status_minor_error) { |
275 security_style_explanations->unauthenticated_explanations.push_back( | 274 security_style_explanations->unauthenticated_explanations.push_back( |
276 explanation); | 275 explanation); |
277 } else { | 276 } else { |
278 security_style_explanations->broken_explanations.push_back(explanation); | 277 security_style_explanations->broken_explanations.push_back(explanation); |
279 } | 278 } |
280 } else { | 279 } else { |
281 // If the certificate does not have errors and is not using | 280 // If the certificate does not have errors and is not using |
282 // deprecated SHA1, then add an explanation that the certificate is | 281 // deprecated SHA1, then add an explanation that the certificate is |
283 // valid. | 282 // valid. |
284 if (security_info.sha1_deprecation_status == | 283 if (security_info.sha1_deprecation_status == |
285 SecurityStateModel::NO_DEPRECATED_SHA1) { | 284 SecurityStateModel::NO_DEPRECATED_SHA1) { |
286 security_style_explanations->secure_explanations.push_back( | 285 security_style_explanations->secure_explanations.push_back( |
287 content::SecurityStyleExplanation( | 286 content::SecurityStyleExplanation( |
288 l10n_util::GetStringUTF8(IDS_VALID_SERVER_CERTIFICATE), | 287 l10n_util::GetStringUTF8(IDS_VALID_SERVER_CERTIFICATE), |
289 l10n_util::GetStringUTF8( | 288 l10n_util::GetStringUTF8( |
290 IDS_VALID_SERVER_CERTIFICATE_DESCRIPTION), | 289 IDS_VALID_SERVER_CERTIFICATE_DESCRIPTION), |
291 security_info.cert_id)); | 290 !!security_info.certificate)); |
292 } | 291 } |
293 } | 292 } |
294 | 293 |
295 AddConnectionExplanation(security_info, security_style_explanations); | 294 AddConnectionExplanation(security_info, security_style_explanations); |
296 | 295 |
297 security_style_explanations->pkp_bypassed = security_info.pkp_bypassed; | 296 security_style_explanations->pkp_bypassed = security_info.pkp_bypassed; |
298 if (security_info.pkp_bypassed) { | 297 if (security_info.pkp_bypassed) { |
299 security_style_explanations->info_explanations.push_back( | 298 security_style_explanations->info_explanations.push_back( |
300 content::SecurityStyleExplanation( | 299 content::SecurityStyleExplanation( |
301 "Public-Key Pinning Bypassed", | 300 "Public-Key Pinning Bypassed", |
302 "Public-key pinning was bypassed by a local root certificate.")); | 301 "Public-key pinning was bypassed by a local root certificate.")); |
303 } | 302 } |
304 | 303 |
305 return security_style; | 304 return security_style; |
306 } | 305 } |
307 | 306 |
308 const SecurityStateModel::SecurityInfo& | 307 const SecurityStateModel::SecurityInfo& |
309 ChromeSecurityStateModelClient::GetSecurityInfo() const { | 308 ChromeSecurityStateModelClient::GetSecurityInfo() const { |
310 return security_state_model_->GetSecurityInfo(); | 309 return security_state_model_->GetSecurityInfo(); |
311 } | 310 } |
312 | 311 |
313 bool ChromeSecurityStateModelClient::RetrieveCert( | 312 bool ChromeSecurityStateModelClient::RetrieveCert( |
314 scoped_refptr<net::X509Certificate>* cert) { | 313 scoped_refptr<net::X509Certificate>* cert) { |
315 content::NavigationEntry* entry = | 314 content::NavigationEntry* entry = |
316 web_contents_->GetController().GetVisibleEntry(); | 315 web_contents_->GetController().GetVisibleEntry(); |
317 if (!entry) | 316 if (!entry || !entry->GetSSL().certificate) |
318 return false; | 317 return false; |
319 return content::CertStore::GetInstance()->RetrieveCert( | 318 *cert = entry->GetSSL().certificate; |
320 entry->GetSSL().cert_id, cert); | 319 return true; |
321 } | 320 } |
322 | 321 |
323 bool ChromeSecurityStateModelClient::UsedPolicyInstalledCertificate() { | 322 bool ChromeSecurityStateModelClient::UsedPolicyInstalledCertificate() { |
324 #if defined(OS_CHROMEOS) | 323 #if defined(OS_CHROMEOS) |
325 policy::PolicyCertService* service = | 324 policy::PolicyCertService* service = |
326 policy::PolicyCertServiceFactory::GetForProfile( | 325 policy::PolicyCertServiceFactory::GetForProfile( |
327 Profile::FromBrowserContext(web_contents_->GetBrowserContext())); | 326 Profile::FromBrowserContext(web_contents_->GetBrowserContext())); |
328 if (service && service->UsedPolicyCertificates()) | 327 if (service && service->UsedPolicyCertificates()) |
329 return true; | 328 return true; |
330 #endif | 329 #endif |
(...skipping 19 matching lines...) Expand all Loading... |
350 // status might already be known. | 349 // status might already be known. |
351 CheckSafeBrowsingStatus(entry, web_contents_, state); | 350 CheckSafeBrowsingStatus(entry, web_contents_, state); |
352 return; | 351 return; |
353 } | 352 } |
354 | 353 |
355 state->connection_info_initialized = true; | 354 state->connection_info_initialized = true; |
356 state->url = entry->GetURL(); | 355 state->url = entry->GetURL(); |
357 const content::SSLStatus& ssl = entry->GetSSL(); | 356 const content::SSLStatus& ssl = entry->GetSSL(); |
358 state->initial_security_level = | 357 state->initial_security_level = |
359 GetSecurityLevelForSecurityStyle(ssl.security_style); | 358 GetSecurityLevelForSecurityStyle(ssl.security_style); |
360 state->cert_id = ssl.cert_id; | 359 state->certificate = ssl.certificate; |
361 state->cert_status = ssl.cert_status; | 360 state->cert_status = ssl.cert_status; |
362 state->connection_status = ssl.connection_status; | 361 state->connection_status = ssl.connection_status; |
363 state->security_bits = ssl.security_bits; | 362 state->security_bits = ssl.security_bits; |
364 state->pkp_bypassed = ssl.pkp_bypassed; | 363 state->pkp_bypassed = ssl.pkp_bypassed; |
365 state->sct_verify_statuses.clear(); | 364 state->sct_verify_statuses.clear(); |
366 state->sct_verify_statuses.insert(state->sct_verify_statuses.begin(), | 365 state->sct_verify_statuses.insert(state->sct_verify_statuses.begin(), |
367 ssl.sct_statuses.begin(), | 366 ssl.sct_statuses.begin(), |
368 ssl.sct_statuses.end()); | 367 ssl.sct_statuses.end()); |
369 state->displayed_mixed_content = | 368 state->displayed_mixed_content = |
370 !!(ssl.content_status & content::SSLStatus::DISPLAYED_INSECURE_CONTENT); | 369 !!(ssl.content_status & content::SSLStatus::DISPLAYED_INSECURE_CONTENT); |
371 state->ran_mixed_content = | 370 state->ran_mixed_content = |
372 !!(ssl.content_status & content::SSLStatus::RAN_INSECURE_CONTENT); | 371 !!(ssl.content_status & content::SSLStatus::RAN_INSECURE_CONTENT); |
373 state->displayed_content_with_cert_errors = | 372 state->displayed_content_with_cert_errors = |
374 !!(ssl.content_status & | 373 !!(ssl.content_status & |
375 content::SSLStatus::DISPLAYED_CONTENT_WITH_CERT_ERRORS); | 374 content::SSLStatus::DISPLAYED_CONTENT_WITH_CERT_ERRORS); |
376 state->ran_content_with_cert_errors = | 375 state->ran_content_with_cert_errors = |
377 !!(ssl.content_status & content::SSLStatus::RAN_CONTENT_WITH_CERT_ERRORS); | 376 !!(ssl.content_status & content::SSLStatus::RAN_CONTENT_WITH_CERT_ERRORS); |
378 | 377 |
379 CheckSafeBrowsingStatus(entry, web_contents_, state); | 378 CheckSafeBrowsingStatus(entry, web_contents_, state); |
380 } | 379 } |
OLD | NEW |