
Side by Side Diff: components/security_state/core/security_state.cc

Issue 2616553002: Remove obsolete SHA-1 UX elements (Closed)
Patch Set: Address Emily's feedback Created 3 years, 11 months ago
1 // Copyright 2015 The Chromium Authors. All rights reserved. 1 // Copyright 2015 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "components/security_state/core/security_state.h" 5 #include "components/security_state/core/security_state.h"
6 6
7 #include <stdint.h> 7 #include <stdint.h>
8 8
9 #include "base/command_line.h" 9 #include "base/command_line.h"
10 #include "base/metrics/field_trial.h" 10 #include "base/metrics/field_trial.h"
(...skipping 66 matching lines...) Expand 10 before | Expand all | Expand 10 after
77 // nonsecure defaults to neutral. 77 // nonsecure defaults to neutral.
78 status = NEUTRAL; 78 status = NEUTRAL;
79 level = NONE; 79 level = NONE;
80 } 80 }
81 } 81 }
82 82
83 UMA_HISTOGRAM_ENUMERATION(kEnumeration, status, LAST_STATUS); 83 UMA_HISTOGRAM_ENUMERATION(kEnumeration, status, LAST_STATUS);
84 return level; 84 return level;
85 } 85 }
86 86
87 SHA1DeprecationStatus GetSHA1DeprecationStatus( 87 bool GetSHA1InChain(const VisibleSecurityState& visible_security_state) {
88 const VisibleSecurityState& visible_security_state) {
89 if (!visible_security_state.certificate || 88 if (!visible_security_state.certificate ||
90 !(visible_security_state.cert_status & 89 !(visible_security_state.cert_status &
91 net::CERT_STATUS_SHA1_SIGNATURE_PRESENT)) 90 net::CERT_STATUS_SHA1_SIGNATURE_PRESENT))
92 return NO_DEPRECATED_SHA1; 91 return false;
93 92
94 // The internal representation of the dates for UI treatment of SHA-1. 93 return true;
estark 2017/01/08 16:39:58 nit: could simplify as return visible_security_st
elawrence 2017/01/09 18:13:11 Done.
95 // See http://crbug.com/401365 for details.
96 static const int64_t kJanuary2017 = INT64_C(13127702400000000);
97 if (visible_security_state.certificate->valid_expiry() >=
98 base::Time::FromInternalValue(kJanuary2017))
99 return DEPRECATED_SHA1_MAJOR;
100 static const int64_t kJanuary2016 = INT64_C(13096080000000000);
101 if (visible_security_state.certificate->valid_expiry() >=
102 base::Time::FromInternalValue(kJanuary2016))
103 return DEPRECATED_SHA1_MINOR;
104
105 return NO_DEPRECATED_SHA1;
106 } 94 }
107 95
108 ContentStatus GetContentStatus(bool displayed, bool ran) { 96 ContentStatus GetContentStatus(bool displayed, bool ran) {
109 if (ran && displayed) 97 if (ran && displayed)
110 return CONTENT_STATUS_DISPLAYED_AND_RAN; 98 return CONTENT_STATUS_DISPLAYED_AND_RAN;
111 if (ran) 99 if (ran)
112 return CONTENT_STATUS_RAN; 100 return CONTENT_STATUS_RAN;
113 if (displayed) 101 if (displayed)
114 return CONTENT_STATUS_DISPLAYED; 102 return CONTENT_STATUS_DISPLAYED;
115 return CONTENT_STATUS_NONE; 103 return CONTENT_STATUS_NONE;
116 } 104 }
117 105
118 SecurityLevel GetSecurityLevelForRequest( 106 SecurityLevel GetSecurityLevelForRequest(
119 const VisibleSecurityState& visible_security_state, 107 const VisibleSecurityState& visible_security_state,
120 bool used_policy_installed_certificate, 108 bool used_policy_installed_certificate,
121 const IsOriginSecureCallback& is_origin_secure_callback, 109 const IsOriginSecureCallback& is_origin_secure_callback,
122 SHA1DeprecationStatus sha1_status, 110 bool sha1_in_chain,
123 ContentStatus mixed_content_status, 111 ContentStatus mixed_content_status,
124 ContentStatus content_with_cert_errors_status) { 112 ContentStatus content_with_cert_errors_status) {
125 DCHECK(visible_security_state.connection_info_initialized || 113 DCHECK(visible_security_state.connection_info_initialized ||
126 visible_security_state.malicious_content_status != 114 visible_security_state.malicious_content_status !=
127 MALICIOUS_CONTENT_STATUS_NONE); 115 MALICIOUS_CONTENT_STATUS_NONE);
128 116
129 // Override the connection security information if the website failed the 117 // Override the connection security information if the website failed the
130 // browser's malware checks. 118 // browser's malware checks.
131 if (visible_security_state.malicious_content_status != 119 if (visible_security_state.malicious_content_status !=
132 MALICIOUS_CONTENT_STATUS_NONE) { 120 MALICIOUS_CONTENT_STATUS_NONE) {
(...skipping 32 matching lines...) Expand 10 before | Expand all | Expand 10 after
165 153
166 // Report if there is a policy cert first, before reporting any other 154 // Report if there is a policy cert first, before reporting any other
167 // authenticated-but-with-errors cases. A policy cert is a strong 155 // authenticated-but-with-errors cases. A policy cert is a strong
168 // indicator of a MITM being present (the enterprise), while the 156 // indicator of a MITM being present (the enterprise), while the
169 // other authenticated-but-with-errors indicate something may 157 // other authenticated-but-with-errors indicate something may
170 // be wrong, or may be wrong in the future, but is unclear now. 158 // be wrong, or may be wrong in the future, but is unclear now.
171 if (used_policy_installed_certificate) 159 if (used_policy_installed_certificate)
172 return SECURE_WITH_POLICY_INSTALLED_CERT; 160 return SECURE_WITH_POLICY_INSTALLED_CERT;
173 161
174 // In most cases, SHA1 use is treated as a certificate error, in which case 162 // In most cases, SHA1 use is treated as a certificate error, in which case
175 // DANGEROUS will have been returned above. If SHA1 is permitted, we downgrade 163 // DANGEROUS will have been returned above. If SHA1 was permitted by policy,
176 // the security level to Neutral or Dangerous depending on policy. 164 // downgrade the security level to Neutral.
177 if (sha1_status == DEPRECATED_SHA1_MAJOR || 165 if (sha1_in_chain)
178 sha1_status == DEPRECATED_SHA1_MINOR) { 166 return NONE;
179 return (visible_security_state.display_sha1_from_local_anchors_as_neutral)
180 ? NONE
181 : DANGEROUS;
182 }
183 167
184 // Active mixed content is handled above. 168 // Active mixed content is handled above.
185 DCHECK_NE(CONTENT_STATUS_RAN, mixed_content_status); 169 DCHECK_NE(CONTENT_STATUS_RAN, mixed_content_status);
186 DCHECK_NE(CONTENT_STATUS_DISPLAYED_AND_RAN, mixed_content_status); 170 DCHECK_NE(CONTENT_STATUS_DISPLAYED_AND_RAN, mixed_content_status);
187 171
188 if (mixed_content_status == CONTENT_STATUS_DISPLAYED || 172 if (mixed_content_status == CONTENT_STATUS_DISPLAYED ||
189 content_with_cert_errors_status == CONTENT_STATUS_DISPLAYED) { 173 content_with_cert_errors_status == CONTENT_STATUS_DISPLAYED) {
190 return kDisplayedInsecureContentLevel; 174 return kDisplayedInsecureContentLevel;
191 } 175 }
192 176
(...skipping 16 matching lines...) Expand all
209 const IsOriginSecureCallback& is_origin_secure_callback, 193 const IsOriginSecureCallback& is_origin_secure_callback,
210 SecurityInfo* security_info) { 194 SecurityInfo* security_info) {
211 if (!visible_security_state.connection_info_initialized) { 195 if (!visible_security_state.connection_info_initialized) {
212 *security_info = SecurityInfo(); 196 *security_info = SecurityInfo();
213 security_info->malicious_content_status = 197 security_info->malicious_content_status =
214 visible_security_state.malicious_content_status; 198 visible_security_state.malicious_content_status;
215 if (security_info->malicious_content_status != 199 if (security_info->malicious_content_status !=
216 MALICIOUS_CONTENT_STATUS_NONE) { 200 MALICIOUS_CONTENT_STATUS_NONE) {
217 security_info->security_level = GetSecurityLevelForRequest( 201 security_info->security_level = GetSecurityLevelForRequest(
218 visible_security_state, used_policy_installed_certificate, 202 visible_security_state, used_policy_installed_certificate,
219 is_origin_secure_callback, UNKNOWN_SHA1, CONTENT_STATUS_UNKNOWN, 203 is_origin_secure_callback, false, CONTENT_STATUS_UNKNOWN,
220 CONTENT_STATUS_UNKNOWN); 204 CONTENT_STATUS_UNKNOWN);
221 } 205 }
222 return; 206 return;
223 } 207 }
224 security_info->certificate = visible_security_state.certificate; 208 security_info->certificate = visible_security_state.certificate;
225 security_info->sha1_deprecation_status = 209 security_info->sha1_in_chain = GetSHA1InChain(visible_security_state);
226 GetSHA1DeprecationStatus(visible_security_state);
227 security_info->mixed_content_status = 210 security_info->mixed_content_status =
228 GetContentStatus(visible_security_state.displayed_mixed_content, 211 GetContentStatus(visible_security_state.displayed_mixed_content,
229 visible_security_state.ran_mixed_content); 212 visible_security_state.ran_mixed_content);
230 security_info->content_with_cert_errors_status = GetContentStatus( 213 security_info->content_with_cert_errors_status = GetContentStatus(
231 visible_security_state.displayed_content_with_cert_errors, 214 visible_security_state.displayed_content_with_cert_errors,
232 visible_security_state.ran_content_with_cert_errors); 215 visible_security_state.ran_content_with_cert_errors);
233 security_info->security_bits = visible_security_state.security_bits; 216 security_info->security_bits = visible_security_state.security_bits;
234 security_info->connection_status = visible_security_state.connection_status; 217 security_info->connection_status = visible_security_state.connection_status;
235 security_info->key_exchange_group = visible_security_state.key_exchange_group; 218 security_info->key_exchange_group = visible_security_state.key_exchange_group;
236 security_info->cert_status = visible_security_state.cert_status; 219 security_info->cert_status = visible_security_state.cert_status;
237 security_info->scheme_is_cryptographic = 220 security_info->scheme_is_cryptographic =
238 visible_security_state.url.SchemeIsCryptographic(); 221 visible_security_state.url.SchemeIsCryptographic();
239 security_info->obsolete_ssl_status = 222 security_info->obsolete_ssl_status =
240 net::ObsoleteSSLStatus(security_info->connection_status); 223 net::ObsoleteSSLStatus(security_info->connection_status);
241 security_info->pkp_bypassed = visible_security_state.pkp_bypassed; 224 security_info->pkp_bypassed = visible_security_state.pkp_bypassed;
242 security_info->sct_verify_statuses = 225 security_info->sct_verify_statuses =
243 visible_security_state.sct_verify_statuses; 226 visible_security_state.sct_verify_statuses;
244 227
245 security_info->malicious_content_status = 228 security_info->malicious_content_status =
246 visible_security_state.malicious_content_status; 229 visible_security_state.malicious_content_status;
247 230
248 security_info->displayed_password_field_on_http = 231 security_info->displayed_password_field_on_http =
249 visible_security_state.displayed_password_field_on_http; 232 visible_security_state.displayed_password_field_on_http;
250 security_info->displayed_credit_card_field_on_http = 233 security_info->displayed_credit_card_field_on_http =
251 visible_security_state.displayed_credit_card_field_on_http; 234 visible_security_state.displayed_credit_card_field_on_http;
252 235
253 security_info->security_level = GetSecurityLevelForRequest( 236 security_info->security_level = GetSecurityLevelForRequest(
254 visible_security_state, used_policy_installed_certificate, 237 visible_security_state, used_policy_installed_certificate,
255 is_origin_secure_callback, security_info->sha1_deprecation_status, 238 is_origin_secure_callback, security_info->sha1_in_chain,
256 security_info->mixed_content_status, 239 security_info->mixed_content_status,
257 security_info->content_with_cert_errors_status); 240 security_info->content_with_cert_errors_status);
258 } 241 }
259 242
260 } // namespace 243 } // namespace
261 244
262 const base::Feature kHttpFormWarningFeature{"HttpFormWarning", 245 const base::Feature kHttpFormWarningFeature{"HttpFormWarning",
263 base::FEATURE_DISABLED_BY_DEFAULT}; 246 base::FEATURE_DISABLED_BY_DEFAULT};
264 247
265 SecurityInfo::SecurityInfo() 248 SecurityInfo::SecurityInfo()
266 : security_level(NONE), 249 : security_level(NONE),
267 malicious_content_status(MALICIOUS_CONTENT_STATUS_NONE), 250 malicious_content_status(MALICIOUS_CONTENT_STATUS_NONE),
268 sha1_deprecation_status(NO_DEPRECATED_SHA1), 251 sha1_in_chain(false),
269 mixed_content_status(CONTENT_STATUS_NONE), 252 mixed_content_status(CONTENT_STATUS_NONE),
270 content_with_cert_errors_status(CONTENT_STATUS_NONE), 253 content_with_cert_errors_status(CONTENT_STATUS_NONE),
271 scheme_is_cryptographic(false), 254 scheme_is_cryptographic(false),
272 cert_status(0), 255 cert_status(0),
273 security_bits(-1), 256 security_bits(-1),
274 connection_status(0), 257 connection_status(0),
275 key_exchange_group(0), 258 key_exchange_group(0),
276 obsolete_ssl_status(net::OBSOLETE_SSL_NONE), 259 obsolete_ssl_status(net::OBSOLETE_SSL_NONE),
277 pkp_bypassed(false), 260 pkp_bypassed(false),
278 displayed_password_field_on_http(false), 261 displayed_password_field_on_http(false),
(...skipping 21 matching lines...) Expand all
300 cert_status(0), 283 cert_status(0),
301 connection_status(0), 284 connection_status(0),
302 key_exchange_group(0), 285 key_exchange_group(0),
303 security_bits(-1), 286 security_bits(-1),
304 displayed_mixed_content(false), 287 displayed_mixed_content(false),
305 ran_mixed_content(false), 288 ran_mixed_content(false),
306 displayed_content_with_cert_errors(false), 289 displayed_content_with_cert_errors(false),
307 ran_content_with_cert_errors(false), 290 ran_content_with_cert_errors(false),
308 pkp_bypassed(false), 291 pkp_bypassed(false),
309 displayed_password_field_on_http(false), 292 displayed_password_field_on_http(false),
310 displayed_credit_card_field_on_http(false), 293 displayed_credit_card_field_on_http(false) {}
311 display_sha1_from_local_anchors_as_neutral(false) {}
312 294
313 VisibleSecurityState::~VisibleSecurityState() {} 295 VisibleSecurityState::~VisibleSecurityState() {}
314 296
315 bool VisibleSecurityState::operator==(const VisibleSecurityState& other) const { 297 bool VisibleSecurityState::operator==(const VisibleSecurityState& other) const {
316 return (url == other.url && 298 return (url == other.url &&
317 malicious_content_status == other.malicious_content_status && 299 malicious_content_status == other.malicious_content_status &&
318 !!certificate == !!other.certificate && 300 !!certificate == !!other.certificate &&
319 (certificate ? certificate->Equals(other.certificate.get()) : true) && 301 (certificate ? certificate->Equals(other.certificate.get()) : true) &&
320 connection_status == other.connection_status && 302 connection_status == other.connection_status &&
321 key_exchange_group == other.key_exchange_group && 303 key_exchange_group == other.key_exchange_group &&
322 security_bits == other.security_bits && 304 security_bits == other.security_bits &&
323 sct_verify_statuses == other.sct_verify_statuses && 305 sct_verify_statuses == other.sct_verify_statuses &&
324 displayed_mixed_content == other.displayed_mixed_content && 306 displayed_mixed_content == other.displayed_mixed_content &&
325 ran_mixed_content == other.ran_mixed_content && 307 ran_mixed_content == other.ran_mixed_content &&
326 displayed_content_with_cert_errors == 308 displayed_content_with_cert_errors ==
327 other.displayed_content_with_cert_errors && 309 other.displayed_content_with_cert_errors &&
328 ran_content_with_cert_errors == other.ran_content_with_cert_errors && 310 ran_content_with_cert_errors == other.ran_content_with_cert_errors &&
329 pkp_bypassed == other.pkp_bypassed && 311 pkp_bypassed == other.pkp_bypassed &&
330 displayed_password_field_on_http == 312 displayed_password_field_on_http ==
331 other.displayed_password_field_on_http && 313 other.displayed_password_field_on_http &&
332 displayed_credit_card_field_on_http == 314 displayed_credit_card_field_on_http ==
333 other.displayed_credit_card_field_on_http && 315 other.displayed_credit_card_field_on_http);
334 display_sha1_from_local_anchors_as_neutral ==
335 other.display_sha1_from_local_anchors_as_neutral);
336 } 316 }
337 317
338 } // namespace security_state 318 } // namespace security_state
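Review bot: The new `if (sha1_in_chain) return NONE;` branch in GetSecurityLevelForRequest has no DANGEROUS fallback, so any SHA-1 chain that reaches it is shown as neutral. The removed `display_sha1_from_local_anchors_as_neutral` flag was the explicit policy signal; "permitted by policy" is now inferred only from the certificate-error check earlier in the function, which sits in the skipped lines and cannot be confirmed from this page. If they do not already exist, unit tests should pin both sides: a SHA-1 chain with a certificate error still yields DANGEROUS, and one without yields NONE. Separately, the malicious-content early path near the end of the file now passes a bare `false` where it passed `UNKNOWN_SHA1`, directly after another bool argument; writing it as `/* sha1_in_chain= */ false` would make an accidental argument swap easier to spot now that the distinct enum type is gone.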