Add new certificateProvider extension API.
[chromium-blink-merge.git] / chrome / browser / ssl / ssl_error_info.cc
blob9b36fb7cd1c7d1da7c511dcad22558e3caa897ac
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "chrome/browser/ssl/ssl_error_info.h"
7 #include "base/i18n/message_formatter.h"
8 #include "base/strings/utf_string_conversions.h"
9 #include "chrome/grit/chromium_strings.h"
10 #include "chrome/grit/generated_resources.h"
11 #include "content/public/browser/cert_store.h"
12 #include "net/base/escape.h"
13 #include "net/base/net_errors.h"
14 #include "net/cert/cert_status_flags.h"
15 #include "net/ssl/ssl_info.h"
16 #include "ui/base/l10n/l10n_util.h"
17 #include "url/gurl.h"
19 using base::UTF8ToUTF16;
21 SSLErrorInfo::SSLErrorInfo(const base::string16& details,
22 const base::string16& short_description)
23 : details_(details),
24 short_description_(short_description) {
27 // static
28 SSLErrorInfo SSLErrorInfo::CreateError(ErrorType error_type,
29 net::X509Certificate* cert,
30 const GURL& request_url) {
31 base::string16 details, short_description;
32 switch (error_type) {
33 case CERT_COMMON_NAME_INVALID: {
34 // If the certificate contains multiple DNS names, we choose the most
35 // representative one -- either the DNS name that's also in the subject
36 // field, or the first one. If this heuristic turns out to be
37 // inadequate, we can consider choosing the DNS name that is the
38 // "closest match" to the host name in the request URL, or listing all
39 // the DNS names with an HTML <ul>.
40 std::vector<std::string> dns_names;
41 cert->GetDNSNames(&dns_names);
42 DCHECK(!dns_names.empty());
43 size_t i = 0;
44 for (; i < dns_names.size(); ++i) {
45 if (dns_names[i] == cert->subject().common_name)
46 break;
48 if (i == dns_names.size())
49 i = 0;
50 details =
51 l10n_util::GetStringFUTF16(IDS_CERT_ERROR_COMMON_NAME_INVALID_DETAILS,
52 UTF8ToUTF16(request_url.host()),
53 net::EscapeForHTML(
54 UTF8ToUTF16(dns_names[i])));
55 short_description = l10n_util::GetStringUTF16(
56 IDS_CERT_ERROR_COMMON_NAME_INVALID_DESCRIPTION);
57 break;
59 case CERT_DATE_INVALID:
60 if (cert->HasExpired()) {
61 // Make sure to round up to the smallest integer value not less than
62 // the expiration value (https://crbug.com/476758).
63 int expiration_value =
64 (base::Time::Now() - cert->valid_expiry()).InDays() + 1;
65 details = base::i18n::MessageFormatter::FormatWithNumberedArgs(
66 l10n_util::GetStringUTF16(IDS_CERT_ERROR_EXPIRED_DETAILS),
67 request_url.host(), expiration_value, base::Time::Now());
68 short_description =
69 l10n_util::GetStringUTF16(IDS_CERT_ERROR_EXPIRED_DESCRIPTION);
70 } else if (base::Time::Now() < cert->valid_start()) {
71 details = base::i18n::MessageFormatter::FormatWithNumberedArgs(
72 l10n_util::GetStringUTF16(IDS_CERT_ERROR_NOT_YET_VALID_DETAILS),
73 request_url.host(),
74 (cert->valid_start() - base::Time::Now()).InDays());
75 short_description =
76 l10n_util::GetStringUTF16(IDS_CERT_ERROR_NOT_YET_VALID_DESCRIPTION);
77 } else {
78 // Two possibilities: (1) an intermediate or root certificate has
79 // expired, or (2) the certificate has become valid since the error
80 // occurred. Both are probably rare cases. To avoid giving the wrong
81 // date, remove the information.
82 details = l10n_util::GetStringFUTF16(
83 IDS_CERT_ERROR_NOT_VALID_AT_THIS_TIME_DETAILS,
84 UTF8ToUTF16(request_url.host()));
85 short_description = l10n_util::GetStringUTF16(
86 IDS_CERT_ERROR_NOT_VALID_AT_THIS_TIME_DESCRIPTION);
88 break;
89 case CERT_AUTHORITY_INVALID:
90 details = l10n_util::GetStringFUTF16(
91 IDS_CERT_ERROR_AUTHORITY_INVALID_DETAILS,
92 UTF8ToUTF16(request_url.host()));
93 short_description = l10n_util::GetStringUTF16(
94 IDS_CERT_ERROR_AUTHORITY_INVALID_DESCRIPTION);
95 break;
96 case CERT_CONTAINS_ERRORS:
97 details = l10n_util::GetStringFUTF16(
98 IDS_CERT_ERROR_CONTAINS_ERRORS_DETAILS,
99 UTF8ToUTF16(request_url.host()));
100 short_description =
101 l10n_util::GetStringUTF16(IDS_CERT_ERROR_CONTAINS_ERRORS_DESCRIPTION);
102 break;
103 case CERT_NO_REVOCATION_MECHANISM:
104 details = l10n_util::GetStringUTF16(
105 IDS_CERT_ERROR_NO_REVOCATION_MECHANISM_DETAILS);
106 short_description = l10n_util::GetStringUTF16(
107 IDS_CERT_ERROR_NO_REVOCATION_MECHANISM_DESCRIPTION);
108 break;
109 case CERT_REVOKED:
110 details = l10n_util::GetStringFUTF16(IDS_CERT_ERROR_REVOKED_CERT_DETAILS,
111 UTF8ToUTF16(request_url.host()));
112 short_description =
113 l10n_util::GetStringUTF16(IDS_CERT_ERROR_REVOKED_CERT_DESCRIPTION);
114 break;
115 case CERT_INVALID:
116 details = l10n_util::GetStringFUTF16(
117 IDS_CERT_ERROR_INVALID_CERT_DETAILS,
118 UTF8ToUTF16(request_url.host()));
119 short_description =
120 l10n_util::GetStringUTF16(IDS_CERT_ERROR_INVALID_CERT_DESCRIPTION);
121 break;
122 case CERT_WEAK_SIGNATURE_ALGORITHM:
123 details = l10n_util::GetStringFUTF16(
124 IDS_CERT_ERROR_WEAK_SIGNATURE_ALGORITHM_DETAILS,
125 UTF8ToUTF16(request_url.host()));
126 short_description = l10n_util::GetStringUTF16(
127 IDS_CERT_ERROR_WEAK_SIGNATURE_ALGORITHM_DESCRIPTION);
128 break;
129 case CERT_WEAK_KEY:
130 details = l10n_util::GetStringFUTF16(
131 IDS_CERT_ERROR_WEAK_KEY_DETAILS, UTF8ToUTF16(request_url.host()));
132 short_description = l10n_util::GetStringUTF16(
133 IDS_CERT_ERROR_WEAK_KEY_DESCRIPTION);
134 break;
135 case CERT_WEAK_KEY_DH:
136 details = l10n_util::GetStringFUTF16(
137 IDS_CERT_ERROR_WEAK_KEY_DETAILS, UTF8ToUTF16(request_url.host()));
138 short_description = l10n_util::GetStringUTF16(
139 IDS_CERT_ERROR_WEAK_KEY_DESCRIPTION);
140 case CERT_NAME_CONSTRAINT_VIOLATION:
141 details = l10n_util::GetStringFUTF16(
142 IDS_CERT_ERROR_NAME_CONSTRAINT_VIOLATION_DETAILS,
143 UTF8ToUTF16(request_url.host()));
144 short_description = l10n_util::GetStringUTF16(
145 IDS_CERT_ERROR_NAME_CONSTRAINT_VIOLATION_DESCRIPTION);
146 break;
147 case CERT_VALIDITY_TOO_LONG:
148 details =
149 l10n_util::GetStringFUTF16(IDS_CERT_ERROR_VALIDITY_TOO_LONG_DETAILS,
150 UTF8ToUTF16(request_url.host()));
151 short_description = l10n_util::GetStringUTF16(
152 IDS_CERT_ERROR_VALIDITY_TOO_LONG_DESCRIPTION);
153 break;
154 case CERT_PINNED_KEY_MISSING:
155 details = l10n_util::GetStringUTF16(
156 IDS_ERRORPAGES_SUMMARY_PINNING_FAILURE);
157 short_description = l10n_util::GetStringUTF16(
158 IDS_ERRORPAGES_DETAILS_PINNING_FAILURE);
159 break;
160 case UNKNOWN:
161 details = l10n_util::GetStringUTF16(IDS_CERT_ERROR_UNKNOWN_ERROR_DETAILS);
162 short_description =
163 l10n_util::GetStringUTF16(IDS_CERT_ERROR_UNKNOWN_ERROR_DESCRIPTION);
164 break;
165 case CERT_UNABLE_TO_CHECK_REVOCATION: // Deprecated.
166 default:
167 NOTREACHED();
169 return SSLErrorInfo(details, short_description);
172 SSLErrorInfo::~SSLErrorInfo() {
175 // static
176 SSLErrorInfo::ErrorType SSLErrorInfo::NetErrorToErrorType(int net_error) {
177 switch (net_error) {
178 case net::ERR_CERT_COMMON_NAME_INVALID:
179 return CERT_COMMON_NAME_INVALID;
180 case net::ERR_CERT_DATE_INVALID:
181 return CERT_DATE_INVALID;
182 case net::ERR_CERT_AUTHORITY_INVALID:
183 return CERT_AUTHORITY_INVALID;
184 case net::ERR_CERT_CONTAINS_ERRORS:
185 return CERT_CONTAINS_ERRORS;
186 case net::ERR_CERT_NO_REVOCATION_MECHANISM:
187 return CERT_NO_REVOCATION_MECHANISM;
188 case net::ERR_CERT_UNABLE_TO_CHECK_REVOCATION:
189 return CERT_UNABLE_TO_CHECK_REVOCATION;
190 case net::ERR_CERT_REVOKED:
191 return CERT_REVOKED;
192 case net::ERR_CERT_INVALID:
193 return CERT_INVALID;
194 case net::ERR_CERT_WEAK_SIGNATURE_ALGORITHM:
195 return CERT_WEAK_SIGNATURE_ALGORITHM;
196 case net::ERR_CERT_WEAK_KEY:
197 return CERT_WEAK_KEY;
198 case net::ERR_CERT_NAME_CONSTRAINT_VIOLATION:
199 return CERT_NAME_CONSTRAINT_VIOLATION;
200 case net::ERR_CERT_VALIDITY_TOO_LONG:
201 return CERT_VALIDITY_TOO_LONG;
202 case net::ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY:
203 return CERT_WEAK_KEY_DH;
204 case net::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN:
205 return CERT_PINNED_KEY_MISSING;
206 default:
207 NOTREACHED();
208 return UNKNOWN;
212 // static
213 void SSLErrorInfo::GetErrorsForCertStatus(int cert_id,
214 net::CertStatus cert_status,
215 const GURL& url,
216 std::vector<SSLErrorInfo>* errors) {
217 const net::CertStatus kErrorFlags[] = {
218 net::CERT_STATUS_COMMON_NAME_INVALID,
219 net::CERT_STATUS_DATE_INVALID,
220 net::CERT_STATUS_AUTHORITY_INVALID,
221 net::CERT_STATUS_NO_REVOCATION_MECHANISM,
222 net::CERT_STATUS_UNABLE_TO_CHECK_REVOCATION,
223 net::CERT_STATUS_REVOKED,
224 net::CERT_STATUS_INVALID,
225 net::CERT_STATUS_WEAK_SIGNATURE_ALGORITHM,
226 net::CERT_STATUS_WEAK_KEY,
227 net::CERT_STATUS_NAME_CONSTRAINT_VIOLATION,
228 net::CERT_STATUS_VALIDITY_TOO_LONG,
231 const ErrorType kErrorTypes[] = {
232 CERT_COMMON_NAME_INVALID,
233 CERT_DATE_INVALID,
234 CERT_AUTHORITY_INVALID,
235 CERT_NO_REVOCATION_MECHANISM,
236 CERT_UNABLE_TO_CHECK_REVOCATION,
237 CERT_REVOKED,
238 CERT_INVALID,
239 CERT_WEAK_SIGNATURE_ALGORITHM,
240 CERT_WEAK_KEY,
241 CERT_NAME_CONSTRAINT_VIOLATION,
242 CERT_VALIDITY_TOO_LONG,
244 DCHECK(arraysize(kErrorFlags) == arraysize(kErrorTypes));
246 scoped_refptr<net::X509Certificate> cert = NULL;
247 for (size_t i = 0; i < arraysize(kErrorFlags); ++i) {
248 if (cert_status & kErrorFlags[i]) {
249 if (!cert.get()) {
250 bool r = content::CertStore::GetInstance()->RetrieveCert(
251 cert_id, &cert);
252 DCHECK(r);
254 if (errors) {
255 errors->push_back(
256 SSLErrorInfo::CreateError(kErrorTypes[i], cert.get(), url));