Chromium Code Reviews| Index: chrome/browser/ui/toolbar/toolbar_model_impl.cc |
| diff --git a/chrome/browser/ui/toolbar/toolbar_model_impl.cc b/chrome/browser/ui/toolbar/toolbar_model_impl.cc |
| index c80a147ba526bac036d30ee3b2f04ac3d9c4f9e3..7a5e1841ebfad580ddc5b2f0e086c32adc127f4f 100644 |
| --- a/chrome/browser/ui/toolbar/toolbar_model_impl.cc |
| +++ b/chrome/browser/ui/toolbar/toolbar_model_impl.cc |
| @@ -7,6 +7,7 @@ |
| #include "base/command_line.h" |
| #include "base/prefs/pref_service.h" |
| #include "base/strings/utf_string_conversions.h" |
| +#include "base/time/time.h" |
| #include "chrome/browser/autocomplete/autocomplete_classifier.h" |
| #include "chrome/browser/autocomplete/autocomplete_classifier_factory.h" |
| #include "chrome/browser/autocomplete/chrome_autocomplete_scheme_classifier.h" |
| @@ -46,6 +47,44 @@ using content::NavigationEntry; |
| using content::SSLStatus; |
| using content::WebContents; |
| +namespace { |
| + |
| +// Obtain the SecurityLevel for a good (content::SECURITY_STYLE_AUTHENTICATED) |
| +// connection that has minor errors (as determined by |
| +// net::IsCertStatusMinorError). |
| +// Returns true if a specific policy applies, updating |*effective_level|, or |
| +// returns false if the minor error can safely be ignored. |
| +bool GetSecurityLevelForMinorCertError( |
| + net::CertStatus cert_status, |
| + const net::X509Certificate* cert, |
| + ToolbarModel::SecurityLevel* effective_level) { |
| + DCHECK(cert); |
| + if ((cert_status & net::CERT_STATUS_ALL_ERRORS) != |
| + net::CERT_STATUS_DEPRECATED_SIGNATURE_ALGORITHM) { |
| + // Any other minor errors cause the general warning. Only fall through if |
| + // the ONLY issue is the use of a deprecated algorithm. |
| + *effective_level = ToolbarModel::SECURITY_WARNING; |
| + return true; |
| + } |
| + // Enforce Chrome-specific policies regarding deprecated signature |
| + // algorithms. See http://crbug.com/401365 |
| + |
| + // The date to show user-visible UI in the toolbar. This date - and the |
| + // related UI treatment - will increase in subsequent versions. |
|
palmer
2014/09/26 19:15:04
Don't you mean "decrease"?
|
| + // 2017-01-01 00:00:00 UTC |
| + static const int64_t kSHA1WarningDate = INT64_C(13127702400000000); |
| + if (cert->valid_expiry() >= base::Time::FromInternalValue(kSHA1WarningDate)) { |
| + *effective_level = ToolbarModel::SECURITY_WARNING; |
| + return true; |
| + } |
| + |
| + // No specific policies apply. Don't show any special UI, and allow the |
| + // existing treatment (e.g. EV vs non-EV) apply. |
| + return false; |
| +} |
| + |
| +} // namespace |
| + |
| ToolbarModelImpl::ToolbarModelImpl(ToolbarModelDelegate* delegate) |
| : delegate_(delegate) { |
| } |
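Review bot: `kSHA1WarningDate` is a bare 17-digit literal passed to `base::Time::FromInternalValue`, so whether it is correct depends on base::Time's internal representation, which the comment `// 2017-01-01 00:00:00 UTC` does not state. The value is consistent with microseconds since 1601-01-01 00:00:00 UTC, and I would say so beside it, e.g. `// base::Time internal value: microseconds since 1601-01-01 00:00:00 UTC.`, or construct the time from exploded UTC fields so the date can be read and checked directly. Because this date gates a security indicator, a unit test covering a certificate that expires just before the boundary and one that expires exactly on it would catch a silent unit or epoch mistake; no test is visible on this page. Separately, `DCHECK(cert)` is the only null guard before `cert->valid_expiry()`, so the helper relies on its caller never passing a null certificate.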
| @@ -84,7 +123,16 @@ ToolbarModel::SecurityLevel ToolbarModelImpl::GetSecurityLevelForWebContents( |
| return SECURITY_WARNING; |
| if (net::IsCertStatusError(ssl.cert_status)) { |
| DCHECK(net::IsCertStatusMinorError(ssl.cert_status)); |
| - return SECURITY_WARNING; |
| + scoped_refptr<net::X509Certificate> cert; |
| + if (!content::CertStore::GetInstance() |
| + ->RetrieveCert(ssl.cert_id, &cert)) { |
| + return SECURITY_ERROR; |
| + } |
| + ToolbarModel::SecurityLevel level = NONE; |
| + if (GetSecurityLevelForMinorCertError( |
| + ssl.cert_status, cert.get(), &level)) { |
| + return level; |
| + } |
| } |
| if ((ssl.cert_status & net::CERT_STATUS_IS_EV) && |
| content::CertStore::GetInstance()->RetrieveCert(ssl.cert_id, NULL)) |
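Review bot: A status with an error bit set can now fall through to the EV check at the end of this hunk, whereas before every `IsCertStatusError` status returned `SECURITY_WARNING`. That is safe only because `GetSecurityLevelForMinorCertError` returns true for everything except a lone `CERT_STATUS_DEPRECATED_SIGNATURE_ALGORITHM`. I would record that invariant at the fall-through, e.g. `// Reached only for a lone deprecated-signature status on a cert expiring before the warning date; all other errors returned above.`. The `DCHECK` on `IsCertStatusMinorError` is typically compiled out of release builds, so the helper's first branch is what keeps any other error at warning level there. The function starts before and continues past this hunk, so the final return path is not visible here.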