1 // Copyright 2015 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "chrome/browser/ssl/connection_security.h"
7 #include "base/command_line.h"
8 #include "base/metrics/field_trial.h"
9 #include "base/metrics/histogram_macros.h"
10 #include "base/prefs/pref_service.h"
11 #include "chrome/browser/profiles/profile.h"
12 #include "chrome/browser/ssl/ssl_error_info.h"
13 #include "chrome/common/chrome_constants.h"
14 #include "chrome/common/chrome_switches.h"
15 #include "chrome/common/pref_names.h"
16 #include "content/public/browser/cert_store.h"
17 #include "content/public/browser/navigation_controller.h"
18 #include "content/public/browser/navigation_entry.h"
19 #include "content/public/browser/web_contents.h"
20 #include "content/public/common/origin_util.h"
21 #include "content/public/common/ssl_status.h"
22 #include "net/base/net_util.h"
23 #include "net/cert/cert_status_flags.h"
24 #include "net/cert/x509_certificate.h"
25 #include "net/ssl/ssl_connection_status_flags.h"
27 #if defined(OS_CHROMEOS)
28 #include "chrome/browser/chromeos/policy/policy_cert_service.h"
29 #include "chrome/browser/chromeos/policy/policy_cert_service_factory.h"
34 connection_security::SecurityLevel
GetSecurityLevelForNonSecureFieldTrial() {
36 base::CommandLine::ForCurrentProcess()->GetSwitchValueASCII(
37 switches::kMarkNonSecureAs
);
38 std::string group
= base::FieldTrialList::FindFullName("MarkNonSecureAs");
40 // Do not change this enum. It is used in the histogram.
41 enum MarkNonSecureStatus
{ NEUTRAL
, DUBIOUS
, NON_SECURE
, LAST_STATUS
};
42 const char kEnumeration
[] = "MarkNonSecureAs";
44 connection_security::SecurityLevel level
;
45 MarkNonSecureStatus status
;
47 if (choice
== switches::kMarkNonSecureAsNeutral
) {
49 level
= connection_security::NONE
;
50 } else if (choice
== switches::kMarkNonSecureAsDubious
) {
52 level
= connection_security::SECURITY_WARNING
;
53 } else if (choice
== switches::kMarkNonSecureAsNonSecure
) {
55 level
= connection_security::SECURITY_ERROR
;
56 } else if (group
== switches::kMarkNonSecureAsNeutral
) {
58 level
= connection_security::NONE
;
59 } else if (group
== switches::kMarkNonSecureAsDubious
) {
61 level
= connection_security::SECURITY_WARNING
;
62 } else if (group
== switches::kMarkNonSecureAsNonSecure
) {
64 level
= connection_security::SECURITY_ERROR
;
67 level
= connection_security::NONE
;
70 UMA_HISTOGRAM_ENUMERATION(kEnumeration
, status
, LAST_STATUS
);
74 scoped_refptr
<net::X509Certificate
> GetCertForSSLStatus(
75 const content::SSLStatus
& ssl
) {
76 scoped_refptr
<net::X509Certificate
> cert
;
77 return content::CertStore::GetInstance()->RetrieveCert(ssl
.cert_id
, &cert
)
82 connection_security::SHA1DeprecationStatus
GetSHA1DeprecationStatus(
83 scoped_refptr
<net::X509Certificate
> cert
,
84 const content::SSLStatus
& ssl
) {
85 if (!cert
|| !(ssl
.cert_status
& net::CERT_STATUS_SHA1_SIGNATURE_PRESENT
))
86 return connection_security::NO_DEPRECATED_SHA1
;
88 // The internal representation of the dates for UI treatment of SHA-1.
89 // See http://crbug.com/401365 for details.
90 static const int64_t kJanuary2017
= INT64_C(13127702400000000);
91 if (cert
->valid_expiry() >= base::Time::FromInternalValue(kJanuary2017
))
92 return connection_security::DEPRECATED_SHA1_BROKEN
;
93 // kJanuary2016 needs to be kept in sync with
94 // ToolbarModelAndroid::IsDeprecatedSHA1Present().
95 static const int64_t kJanuary2016
= INT64_C(13096080000000000);
96 if (cert
->valid_expiry() >= base::Time::FromInternalValue(kJanuary2016
))
97 return connection_security::DEPRECATED_SHA1_WARNING
;
99 return connection_security::NO_DEPRECATED_SHA1
;
102 connection_security::MixedContentStatus
GetMixedContentStatus(
103 const content::SSLStatus
& ssl
) {
104 if (ssl
.content_status
& content::SSLStatus::RAN_INSECURE_CONTENT
)
105 return connection_security::RAN_MIXED_CONTENT
;
106 if (ssl
.content_status
& content::SSLStatus::DISPLAYED_INSECURE_CONTENT
)
107 return connection_security::DISPLAYED_MIXED_CONTENT
;
108 return connection_security::NO_MIXED_CONTENT
;
113 namespace connection_security
{
115 SecurityLevel
GetSecurityLevelForWebContents(
116 const content::WebContents
* web_contents
) {
120 content::NavigationEntry
* entry
=
121 web_contents
->GetController().GetVisibleEntry();
125 const content::SSLStatus
& ssl
= entry
->GetSSL();
126 switch (ssl
.security_style
) {
127 case content::SECURITY_STYLE_UNKNOWN
:
130 case content::SECURITY_STYLE_UNAUTHENTICATED
: {
131 const GURL
& url
= entry
->GetURL();
132 if (!content::IsOriginSecure(url
))
133 return GetSecurityLevelForNonSecureFieldTrial();
137 case content::SECURITY_STYLE_AUTHENTICATION_BROKEN
:
138 return SECURITY_ERROR
;
140 case content::SECURITY_STYLE_AUTHENTICATED
: {
141 #if defined(OS_CHROMEOS)
142 // Report if there is a policy cert first, before reporting any other
143 // authenticated-but-with-errors cases. A policy cert is a strong
144 // indicator of a MITM being present (the enterprise), while the
145 // other authenticated-but-with-errors indicate something may
146 // be wrong, or may be wrong in the future, but is unclear now.
147 policy::PolicyCertService
* service
=
148 policy::PolicyCertServiceFactory::GetForProfile(
149 Profile::FromBrowserContext(web_contents
->GetBrowserContext()));
150 if (service
&& service
->UsedPolicyCertificates())
151 return SECURITY_POLICY_WARNING
;
154 scoped_refptr
<net::X509Certificate
> cert
= GetCertForSSLStatus(ssl
);
155 SHA1DeprecationStatus sha1_status
= GetSHA1DeprecationStatus(cert
, ssl
);
156 if (sha1_status
== DEPRECATED_SHA1_BROKEN
)
157 return SECURITY_ERROR
;
158 if (sha1_status
== DEPRECATED_SHA1_WARNING
)
159 return SECURITY_WARNING
;
161 MixedContentStatus mixed_content_status
= GetMixedContentStatus(ssl
);
162 // Active mixed content is downgraded to the BROKEN style and
164 DCHECK_NE(RAN_MIXED_CONTENT
, mixed_content_status
);
165 if (mixed_content_status
== DISPLAYED_MIXED_CONTENT
)
166 return SECURITY_WARNING
;
168 if (net::IsCertStatusError(ssl
.cert_status
)) {
169 DCHECK(net::IsCertStatusMinorError(ssl
.cert_status
));
170 return SECURITY_WARNING
;
172 if (net::SSLConnectionStatusToVersion(ssl
.connection_status
) ==
173 net::SSL_CONNECTION_VERSION_SSL3
) {
174 // SSLv3 will be removed in the future.
175 return SECURITY_WARNING
;
177 if ((ssl
.cert_status
& net::CERT_STATUS_IS_EV
) && cert
)
188 void GetSecurityInfoForWebContents(const content::WebContents
* web_contents
,
189 SecurityInfo
* security_info
) {
190 content::NavigationEntry
* entry
=
191 web_contents
? web_contents
->GetController().GetVisibleEntry() : nullptr;
193 security_info
->security_style
= content::SECURITY_STYLE_UNKNOWN
;
197 SecurityLevel security_level
= GetSecurityLevelForWebContents(web_contents
);
198 switch (security_level
) {
200 security_info
->security_style
= content::SECURITY_STYLE_UNAUTHENTICATED
;
204 security_info
->security_style
= content::SECURITY_STYLE_AUTHENTICATED
;
206 case SECURITY_WARNING
:
207 case SECURITY_POLICY_WARNING
:
208 security_info
->security_style
= content::SECURITY_STYLE_WARNING
;
211 security_info
->security_style
=
212 content::SECURITY_STYLE_AUTHENTICATION_BROKEN
;
216 const content::SSLStatus
& ssl
= entry
->GetSSL();
217 scoped_refptr
<net::X509Certificate
> cert
= GetCertForSSLStatus(ssl
);
218 security_info
->sha1_deprecation_status
= GetSHA1DeprecationStatus(cert
, ssl
);
219 security_info
->mixed_content_status
= GetMixedContentStatus(ssl
);
220 security_info
->cert_status
= ssl
.cert_status
;
223 } // namespace connection_security