Mark SHA-1 as deprecated

chrome/browser/ui/toolbar/toolbar_model_impl.cc

 // Copyright 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/ui/toolbar/toolbar_model_impl.h"
 
 #include "base/command_line.h"
 #include "base/prefs/pref_service.h"
 #include "base/strings/utf_string_conversions.h"
+#include "base/time/time.h"
 #include "chrome/browser/autocomplete/autocomplete_classifier.h"
 #include "chrome/browser/autocomplete/autocomplete_classifier_factory.h"
 #include "chrome/browser/autocomplete/chrome_autocomplete_scheme_classifier.h"
 #include "chrome/browser/profiles/profile.h"
 #include "chrome/browser/search/search.h"
 #include "chrome/browser/ssl/ssl_error_info.h"
 #include "chrome/browser/ui/toolbar/toolbar_model_delegate.h"
 #include "chrome/common/chrome_constants.h"
 #include "chrome/common/chrome_switches.h"
 #include "chrome/common/pref_names.h"
@@ skipping 19 matching lines @@
 #if defined(OS_CHROMEOS)
 #include "chrome/browser/chromeos/policy/policy_cert_service.h"
 #include "chrome/browser/chromeos/policy/policy_cert_service_factory.h"
 #endif
 
 using content::NavigationController;
 using content::NavigationEntry;
 using content::SSLStatus;
 using content::WebContents;
 
+namespace {
+
+// Obtain the SecurityLevel for a good (content::SECURITY_STYLE_AUTHENTICATED)
+// connection that has minor errors (as determined by
+// net::IsCertStatusMinorError).
+// Returns true if a specific policy applies, updating |*effective_level|, or
+// returns false if the minor error can safely be ignored.
+bool GetSecurityLevelForMinorCertError(
+    net::CertStatus cert_status,
+    const net::X509Certificate* cert,
+    ToolbarModel::SecurityLevel* effective_level) {
+  DCHECK(cert);
+  if ((cert_status & net::CERT_STATUS_ALL_ERRORS) !=
+      net::CERT_STATUS_DEPRECATED_SIGNATURE_ALGORITHM) {
+    // Any other minor errors cause the general warning. Only fall through if
+    // the ONLY issue is the use of a deprecated algorithm.
+    *effective_level = ToolbarModel::SECURITY_WARNING;
+    return true;
+  }
+  // Enforce Chrome-specific policies regarding deprecated signature
+  // algorithms. See http://crbug.com/401365
+
+  // The date to show user-visible UI in the toolbar. This date - and the
+  // related UI treatment - will increase in subsequent versions.

[palmer, 2014/09/26 19:15:04]

Don't you mean "decrease"?

+  // 2017-01-01 00:00:00 UTC
+  static const int64_t kSHA1WarningDate = INT64_C(13127702400000000);
+  if (cert->valid_expiry() >= base::Time::FromInternalValue(kSHA1WarningDate)) {
+    *effective_level = ToolbarModel::SECURITY_WARNING;
+    return true;
+  }
+
+  // No specific policies apply. Don't show any special UI, and allow the
+  // existing treatment (e.g. EV vs non-EV) apply.
+  return false;
+}
+
+}  // namespace
+
 ToolbarModelImpl::ToolbarModelImpl(ToolbarModelDelegate* delegate)
     : delegate_(delegate) {
 }
 
 ToolbarModelImpl::~ToolbarModelImpl() {
 }
 
 // static
 ToolbarModel::SecurityLevel ToolbarModelImpl::GetSecurityLevelForWebContents(
       content::WebContents* web_contents) {
@@ skipping 18 matching lines @@
       policy::PolicyCertService* service =
           policy::PolicyCertServiceFactory::GetForProfile(
               Profile::FromBrowserContext(web_contents->GetBrowserContext()));
       if (service && service->UsedPolicyCertificates())
         return SECURITY_POLICY_WARNING;
 #endif
       if (!!(ssl.content_status & SSLStatus::DISPLAYED_INSECURE_CONTENT))
         return SECURITY_WARNING;
       if (net::IsCertStatusError(ssl.cert_status)) {
         DCHECK(net::IsCertStatusMinorError(ssl.cert_status));
-        return SECURITY_WARNING;
+        scoped_refptr<net::X509Certificate> cert;
+        if (!content::CertStore::GetInstance()
+                 ->RetrieveCert(ssl.cert_id, &cert)) {
+          return SECURITY_ERROR;
+        }
+        ToolbarModel::SecurityLevel level = NONE;
+        if (GetSecurityLevelForMinorCertError(
+                ssl.cert_status, cert.get(), &level)) {
+          return level;
+        }
       }
       if ((ssl.cert_status & net::CERT_STATUS_IS_EV) &&
           content::CertStore::GetInstance()->RetrieveCert(ssl.cert_id, NULL))
         return EV_SECURE;
       return SECURE;
     }
     default:
       NOTREACHED();
       return NONE;
   }
@@ skipping 231 matching lines @@
   if (entry &&
       google_util::StartsWithCommandLineGoogleBaseURL(entry->GetVirtualURL()))
     return search_terms;
 
   // Otherwise, extract search terms for HTTPS pages that do not have a security
   // error.
   ToolbarModel::SecurityLevel security_level = GetSecurityLevel(ignore_editing);
   return ((security_level == NONE) || (security_level == SECURITY_ERROR)) ?
       base::string16() : search_terms;
 }