search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Pin Chrome's shortcut to the Win10 Start menu on install and OS upgrade.
[chromium-blink-merge.git] / chrome / browser / ssl / ssl_error_info.cc
blob00916e8c6326f5f2a7813c26f38a9270d9d97573
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "chrome/browser/ssl/ssl_error_info.h"
6
7 #include "base/i18n/time_formatting.h"
8 #include "base/strings/string_number_conversions.h"
9 #include "base/strings/utf_string_conversions.h"
10 #include "chrome/grit/chromium_strings.h"
11 #include "chrome/grit/generated_resources.h"
12 #include "content/public/browser/cert_store.h"
13 #include "net/base/escape.h"
14 #include "net/base/net_errors.h"
15 #include "net/cert/cert_status_flags.h"
16 #include "net/ssl/ssl_info.h"
17 #include "ui/base/l10n/l10n_util.h"
18 #include "url/gurl.h"
19
20 using base::UTF8ToUTF16;
21
22 SSLErrorInfo::SSLErrorInfo(const base::string16& details,
23 const base::string16& short_description)
24 : details_(details),
25 short_description_(short_description) {
26 }
27
28 // static
29 SSLErrorInfo SSLErrorInfo::CreateError(ErrorType error_type,
30 net::X509Certificate* cert,
31 const GURL& request_url) {
32 base::string16 details, short_description;
33 switch (error_type) {
34 case CERT_COMMON_NAME_INVALID: {
35 // If the certificate contains multiple DNS names, we choose the most
36 // representative one -- either the DNS name that's also in the subject
37 // field, or the first one. If this heuristic turns out to be
38 // inadequate, we can consider choosing the DNS name that is the
39 // "closest match" to the host name in the request URL, or listing all
40 // the DNS names with an HTML <ul>.
41 std::vector<std::string> dns_names;
42 cert->GetDNSNames(&dns_names);
43 DCHECK(!dns_names.empty());
44 size_t i = 0;
45 for (; i < dns_names.size(); ++i) {
46 if (dns_names[i] == cert->subject().common_name)
47 break;
48 }
49 if (i == dns_names.size())
50 i = 0;
51 details =
52 l10n_util::GetStringFUTF16(IDS_CERT_ERROR_COMMON_NAME_INVALID_DETAILS,
53 UTF8ToUTF16(request_url.host()),
54 net::EscapeForHTML(
55 UTF8ToUTF16(dns_names[i])));
56 short_description = l10n_util::GetStringUTF16(
57 IDS_CERT_ERROR_COMMON_NAME_INVALID_DESCRIPTION);
58 break;
59 }
60 case CERT_DATE_INVALID:
61 if (cert->HasExpired()) {
62 // Make sure to round up to the smallest integer value not less than
63 // the expiration value (https://crbug.com/476758).
64 int expiration_value =
65 (base::Time::Now() - cert->valid_expiry()).InDays() + 1;
66 details = l10n_util::GetStringFUTF16(
67 IDS_CERT_ERROR_EXPIRED_DETAILS, UTF8ToUTF16(request_url.host()),
68 base::IntToString16(expiration_value),
69 base::TimeFormatFriendlyDate(base::Time::Now()));
70 short_description =
71 l10n_util::GetStringUTF16(IDS_CERT_ERROR_EXPIRED_DESCRIPTION);
72 } else if (base::Time::Now() < cert->valid_start()) {
73 details = l10n_util::GetStringFUTF16(
74 IDS_CERT_ERROR_NOT_YET_VALID_DETAILS,
75 UTF8ToUTF16(request_url.host()),
76 base::IntToString16(
77 (cert->valid_start() - base::Time::Now()).InDays()));
78 short_description =
79 l10n_util::GetStringUTF16(IDS_CERT_ERROR_NOT_YET_VALID_DESCRIPTION);
80 } else {
81 // Two possibilities: (1) an intermediate or root certificate has
82 // expired, or (2) the certificate has become valid since the error
83 // occurred. Both are probably rare cases. To avoid giving the wrong
84 // date, remove the information.
85 details = l10n_util::GetStringFUTF16(
86 IDS_CERT_ERROR_NOT_VALID_AT_THIS_TIME_DETAILS,
87 UTF8ToUTF16(request_url.host()));
88 short_description = l10n_util::GetStringUTF16(
89 IDS_CERT_ERROR_NOT_VALID_AT_THIS_TIME_DESCRIPTION);
90 }
91 break;
92 case CERT_AUTHORITY_INVALID:
93 details = l10n_util::GetStringFUTF16(
94 IDS_CERT_ERROR_AUTHORITY_INVALID_DETAILS,
95 UTF8ToUTF16(request_url.host()));
96 short_description = l10n_util::GetStringUTF16(
97 IDS_CERT_ERROR_AUTHORITY_INVALID_DESCRIPTION);
98 break;
99 case CERT_CONTAINS_ERRORS:
100 details = l10n_util::GetStringFUTF16(
101 IDS_CERT_ERROR_CONTAINS_ERRORS_DETAILS,
102 UTF8ToUTF16(request_url.host()));
103 short_description =
104 l10n_util::GetStringUTF16(IDS_CERT_ERROR_CONTAINS_ERRORS_DESCRIPTION);
105 break;
106 case CERT_NO_REVOCATION_MECHANISM:
107 details = l10n_util::GetStringUTF16(
108 IDS_CERT_ERROR_NO_REVOCATION_MECHANISM_DETAILS);
109 short_description = l10n_util::GetStringUTF16(
110 IDS_CERT_ERROR_NO_REVOCATION_MECHANISM_DESCRIPTION);
111 break;
112 case CERT_REVOKED:
113 details = l10n_util::GetStringFUTF16(IDS_CERT_ERROR_REVOKED_CERT_DETAILS,
114 UTF8ToUTF16(request_url.host()));
115 short_description =
116 l10n_util::GetStringUTF16(IDS_CERT_ERROR_REVOKED_CERT_DESCRIPTION);
117 break;
118 case CERT_INVALID:
119 details = l10n_util::GetStringFUTF16(
120 IDS_CERT_ERROR_INVALID_CERT_DETAILS,
121 UTF8ToUTF16(request_url.host()));
122 short_description =
123 l10n_util::GetStringUTF16(IDS_CERT_ERROR_INVALID_CERT_DESCRIPTION);
124 break;
125 case CERT_WEAK_SIGNATURE_ALGORITHM:
126 details = l10n_util::GetStringFUTF16(
127 IDS_CERT_ERROR_WEAK_SIGNATURE_ALGORITHM_DETAILS,
128 UTF8ToUTF16(request_url.host()));
129 short_description = l10n_util::GetStringUTF16(
130 IDS_CERT_ERROR_WEAK_SIGNATURE_ALGORITHM_DESCRIPTION);
131 break;
132 case CERT_WEAK_KEY:
133 details = l10n_util::GetStringFUTF16(
134 IDS_CERT_ERROR_WEAK_KEY_DETAILS, UTF8ToUTF16(request_url.host()));
135 short_description = l10n_util::GetStringUTF16(
136 IDS_CERT_ERROR_WEAK_KEY_DESCRIPTION);
137 break;
138 case CERT_WEAK_KEY_DH:
139 details = l10n_util::GetStringFUTF16(
140 IDS_CERT_ERROR_WEAK_KEY_DETAILS, UTF8ToUTF16(request_url.host()));
141 short_description = l10n_util::GetStringUTF16(
142 IDS_CERT_ERROR_WEAK_KEY_DESCRIPTION);
143 case CERT_NAME_CONSTRAINT_VIOLATION:
144 details = l10n_util::GetStringFUTF16(
145 IDS_CERT_ERROR_NAME_CONSTRAINT_VIOLATION_DETAILS,
146 UTF8ToUTF16(request_url.host()));
147 short_description = l10n_util::GetStringUTF16(
148 IDS_CERT_ERROR_NAME_CONSTRAINT_VIOLATION_DESCRIPTION);
149 break;
150 case CERT_VALIDITY_TOO_LONG:
151 details =
152 l10n_util::GetStringFUTF16(IDS_CERT_ERROR_VALIDITY_TOO_LONG_DETAILS,
153 UTF8ToUTF16(request_url.host()));
154 short_description = l10n_util::GetStringUTF16(
155 IDS_CERT_ERROR_VALIDITY_TOO_LONG_DESCRIPTION);
156 break;
157 case CERT_PINNED_KEY_MISSING:
158 details = l10n_util::GetStringUTF16(
159 IDS_ERRORPAGES_SUMMARY_PINNING_FAILURE);
160 short_description = l10n_util::GetStringUTF16(
161 IDS_ERRORPAGES_DETAILS_PINNING_FAILURE);
162 break;
163 case UNKNOWN:
164 details = l10n_util::GetStringUTF16(IDS_CERT_ERROR_UNKNOWN_ERROR_DETAILS);
165 short_description =
166 l10n_util::GetStringUTF16(IDS_CERT_ERROR_UNKNOWN_ERROR_DESCRIPTION);
167 break;
168 case CERT_UNABLE_TO_CHECK_REVOCATION: // Deprecated.
169 default:
170 NOTREACHED();
171 }
172 return SSLErrorInfo(details, short_description);
173 }
174
175 SSLErrorInfo::~SSLErrorInfo() {
176 }
177
178 // static
179 SSLErrorInfo::ErrorType SSLErrorInfo::NetErrorToErrorType(int net_error) {
180 switch (net_error) {
181 case net::ERR_CERT_COMMON_NAME_INVALID:
182 return CERT_COMMON_NAME_INVALID;
183 case net::ERR_CERT_DATE_INVALID:
184 return CERT_DATE_INVALID;
185 case net::ERR_CERT_AUTHORITY_INVALID:
186 return CERT_AUTHORITY_INVALID;
187 case net::ERR_CERT_CONTAINS_ERRORS:
188 return CERT_CONTAINS_ERRORS;
189 case net::ERR_CERT_NO_REVOCATION_MECHANISM:
190 return CERT_NO_REVOCATION_MECHANISM;
191 case net::ERR_CERT_UNABLE_TO_CHECK_REVOCATION:
192 return CERT_UNABLE_TO_CHECK_REVOCATION;
193 case net::ERR_CERT_REVOKED:
194 return CERT_REVOKED;
195 case net::ERR_CERT_INVALID:
196 return CERT_INVALID;
197 case net::ERR_CERT_WEAK_SIGNATURE_ALGORITHM:
198 return CERT_WEAK_SIGNATURE_ALGORITHM;
199 case net::ERR_CERT_WEAK_KEY:
200 return CERT_WEAK_KEY;
201 case net::ERR_CERT_NAME_CONSTRAINT_VIOLATION:
202 return CERT_NAME_CONSTRAINT_VIOLATION;
203 case net::ERR_CERT_VALIDITY_TOO_LONG:
204 return CERT_VALIDITY_TOO_LONG;
205 case net::ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY:
206 return CERT_WEAK_KEY_DH;
207 case net::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN:
208 return CERT_PINNED_KEY_MISSING;
209 default:
210 NOTREACHED();
211 return UNKNOWN;
212 }
213 }
214
215 // static
216 void SSLErrorInfo::GetErrorsForCertStatus(int cert_id,
217 net::CertStatus cert_status,
218 const GURL& url,
219 std::vector<SSLErrorInfo>* errors) {
220 const net::CertStatus kErrorFlags[] = {
221 net::CERT_STATUS_COMMON_NAME_INVALID,
222 net::CERT_STATUS_DATE_INVALID,
223 net::CERT_STATUS_AUTHORITY_INVALID,
224 net::CERT_STATUS_NO_REVOCATION_MECHANISM,
225 net::CERT_STATUS_UNABLE_TO_CHECK_REVOCATION,
226 net::CERT_STATUS_REVOKED,
227 net::CERT_STATUS_INVALID,
228 net::CERT_STATUS_WEAK_SIGNATURE_ALGORITHM,
229 net::CERT_STATUS_WEAK_KEY,
230 net::CERT_STATUS_NAME_CONSTRAINT_VIOLATION,
231 net::CERT_STATUS_VALIDITY_TOO_LONG,
232 };
233
234 const ErrorType kErrorTypes[] = {
235 CERT_COMMON_NAME_INVALID,
236 CERT_DATE_INVALID,
237 CERT_AUTHORITY_INVALID,
238 CERT_NO_REVOCATION_MECHANISM,
239 CERT_UNABLE_TO_CHECK_REVOCATION,
240 CERT_REVOKED,
241 CERT_INVALID,
242 CERT_WEAK_SIGNATURE_ALGORITHM,
243 CERT_WEAK_KEY,
244 CERT_NAME_CONSTRAINT_VIOLATION,
245 CERT_VALIDITY_TOO_LONG,
246 };
247 DCHECK(arraysize(kErrorFlags) == arraysize(kErrorTypes));
248
249 scoped_refptr<net::X509Certificate> cert = NULL;
250 for (size_t i = 0; i < arraysize(kErrorFlags); ++i) {
251 if (cert_status & kErrorFlags[i]) {
252 if (!cert.get()) {
253 bool r = content::CertStore::GetInstance()->RetrieveCert(
254 cert_id, &cert);
255 DCHECK(r);
256 }
257 if (errors) {
258 errors->push_back(
259 SSLErrorInfo::CreateError(kErrorTypes[i], cert.get(), url));
260 }
261 }
262 }
263 }