Add checkbox for reporting invalid TLS/SSL cert chains

chrome/browser/ssl/ssl_blocking_page.cc

Index: chrome/browser/ssl/ssl_blocking_page.cc
diff --git a/chrome/browser/ssl/ssl_blocking_page.cc b/chrome/browser/ssl/ssl_blocking_page.cc
index ecf70291056c8b47e64f534c76b29a09aad97083..f23e187867762305407e57e3ead9ecda8f786f78 100644
--- a/chrome/browser/ssl/ssl_blocking_page.cc
+++ b/chrome/browser/ssl/ssl_blocking_page.cc
@@ -10,6 +10,7 @@
 #include "base/i18n/time_formatting.h"
 #include "base/metrics/field_trial.h"
 #include "base/metrics/histogram.h"
+#include "base/prefs/pref_service.h"
 #include "base/process/launch.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/strings/string_piece.h"
@@ -25,6 +26,7 @@
 #include "chrome/browser/ssl/ssl_error_classification.h"
 #include "chrome/browser/ssl/ssl_error_info.h"
 #include "chrome/common/chrome_switches.h"
+#include "chrome/common/pref_names.h"
 #include "chrome/grit/chromium_strings.h"
 #include "chrome/grit/generated_resources.h"
 #include "components/google/core/browser/google_util.h"
@@ -43,6 +45,9 @@
 #include "net/base/hash_value.h"
 #include "net/base/net_errors.h"
 #include "net/base/net_util.h"
+#include "net/url_request/fraudulent_certificate_reporter.h"
+#include "net/url_request/url_request_context.h"
+#include "net/url_request/url_request_context_getter.h"
 #include "ui/base/l10n/l10n_util.h"
 
 #if defined(OS_WIN)
@@ -430,6 +435,8 @@ void SSLBlockingPage::PopulateInterstitialStrings(
   std::vector<std::string> encoded_chain;
   ssl_info_.cert->GetPEMEncodedChain(&encoded_chain);
   load_time_data->SetString("pem", JoinString(encoded_chain, std::string()));
+
+  PopulateExtendedReportingOption(load_time_data);
 }
 
 void SSLBlockingPage::OverrideEntry(NavigationEntry* entry) {
@@ -462,6 +469,14 @@ void SSLBlockingPage::CommandReceived(const std::string& command) {
       }
       break;
     }
+    case CMD_DO_REPORT: {
+      SetReportingPreference(true);
+      break;
+    }
+    case CMD_DONT_REPORT: {
+      SetReportingPreference(false);
+      break;
+    }
     case CMD_MORE: {
       metrics_helper_->RecordUserInteraction(
           SecurityInterstitialMetricsHelper::SHOW_ADVANCED);
@@ -506,6 +521,11 @@ void SSLBlockingPage::OverrideRendererPrefs(
 void SSLBlockingPage::OnProceed() {
   metrics_helper_->RecordUserDecision(
       SecurityInterstitialMetricsHelper::PROCEED);
+
+  // Finish collection information about invalid certificates, if the
+  // user opted in to.
+  FinishCertCollection();
+
   RecordSSLExpirationPageEventState(
       expired_but_previously_allowed_, true, overridable_);
   // Accepting the certificate resumes the loading of the page.
@@ -515,11 +535,43 @@ void SSLBlockingPage::OnProceed() {
 void SSLBlockingPage::OnDontProceed() {
   metrics_helper_->RecordUserDecision(
       SecurityInterstitialMetricsHelper::DONT_PROCEED);
+
+  // Finish collection information about invalid certificates, if the
+  // user opted in to.
+  FinishCertCollection();
+
   RecordSSLExpirationPageEventState(
       expired_but_previously_allowed_, false, overridable_);
   NotifyDenyCertificate();
 }
 
+void SSLBlockingPage::FinishCertCollection() {
+  // Certificates that would be valid expect for the inaccurate client
+  // clock are not very interesting.
+  if (interstitial_reason_ == SSL_REASON_BAD_CLOCK)
+    return;
+
+  if (!base::CommandLine::ForCurrentProcess()->HasSwitch(
+          switches::kEnableInvalidCertCollection))
+    return;
+
+  const bool enabled =
+      IsPrefEnabled(prefs::kSafeBrowsingExtendedReportingEnabled);
+  UMA_HISTOGRAM_BOOLEAN("SB2.ExtendedReportingIsEnabled", enabled);
+
+  if (enabled) {
+    net::URLRequestContext* request_context = web_contents()
+                                                  ->GetBrowserContext()
+                                                  ->GetRequestContext()
+                                                  ->GetURLRequestContext();
+    net::FraudulentCertificateReporter* reporter =
+        request_context->fraudulent_certificate_reporter();
+    reporter->SendReport(
+        net::FraudulentCertificateReporter::REPORT_TYPE_EXTENDED_REPORTING,
+        request_url().host(), ssl_info_);
+  }
+}
+
 void SSLBlockingPage::NotifyDenyCertificate() {
   // It's possible that callback_ may not exist if the user clicks "Proceed"
   // followed by pressing the back button before the interstitial is hidden.
@@ -567,3 +619,32 @@ bool SSLBlockingPage::IsOptionsOverridable(int options_mask) {
   return (options_mask & SSLBlockingPage::OVERRIDABLE) &&
          !(options_mask & SSLBlockingPage::STRICT_ENFORCEMENT);
 }
+
+void SSLBlockingPage::PopulateExtendedReportingOption(
+    base::DictionaryValue* load_time_data) {
+  // The checkbox should be shown if the error is not due to a bad
+  // client clock (such a certificate chain is not very
+  // interesting). Also hide the checkbox for incognito and if the
+  // command-line switch is not enabled.
+  const bool show = interstitial_reason_ != SSL_REASON_BAD_CLOCK &&
+                    !web_contents()->GetBrowserContext()->IsOffTheRecord() &&
+                    base::CommandLine::ForCurrentProcess()->HasSwitch(
+                        switches::kEnableInvalidCertCollection);
+
+  load_time_data->SetBoolean(interstitials::kDisplayCheckBox, show);
+  if (!show)
+    return;
+
+  load_time_data->SetBoolean(
+      interstitials::kBoxChecked,
+      IsPrefEnabled(prefs::kSafeBrowsingExtendedReportingEnabled));
+
+  const std::string privacy_link = base::StringPrintf(
+      interstitials::kPrivacyLinkHtml,
+      l10n_util::GetStringUTF8(IDS_SAFE_BROWSING_PRIVACY_POLICY_PAGE).c_str());
+
+  load_time_data->SetString(
+      "optInLink",
+      l10n_util::GetStringFUTF16(IDS_SAFE_BROWSING_MALWARE_REPORTING_AGREE,

[felt, 2015/02/24 01:57:53]

note: in a future CL you should probably rename these strings now that they're
being used for a more general interstitial opt-in

[estark, 2015/02/24 18:47:09]

added to my list

+                                 base::UTF8ToUTF16(privacy_link)));
+}