Commit 4f801272 authored by rsleevi, committed by Commit bot

Mark SHA-1 as deprecated

BUG=401365

Review URL: https://codereview.chromium.org/508823009

Cr-Commit-Position: refs/heads/master@{#297331}
parent 92ee4a3c
...@@ -670,6 +670,7 @@ IDS_PAGEINFO_PARTIAL_ADDRESS ...@@ -670,6 +670,7 @@ IDS_PAGEINFO_PARTIAL_ADDRESS
IDS_PAGE_INFO_HELP_CENTER_LINK IDS_PAGE_INFO_HELP_CENTER_LINK
IDS_PAGE_INFO_INTERNAL_PAGE IDS_PAGE_INFO_INTERNAL_PAGE
IDS_PAGE_INFO_SECURITY_BUTTON_ACCESSIBILITY_LABEL IDS_PAGE_INFO_SECURITY_BUTTON_ACCESSIBILITY_LABEL
IDS_PAGE_INFO_SECURITY_TAB_DEPRECATED_SIGNATURE_ALGORITHM
IDS_PAGE_INFO_SECURITY_TAB_ENCRYPTED_CONNECTION_TEXT IDS_PAGE_INFO_SECURITY_TAB_ENCRYPTED_CONNECTION_TEXT
IDS_PAGE_INFO_SECURITY_TAB_ENCRYPTED_INSECURE_CONTENT_ERROR IDS_PAGE_INFO_SECURITY_TAB_ENCRYPTED_INSECURE_CONTENT_ERROR
IDS_PAGE_INFO_SECURITY_TAB_ENCRYPTED_INSECURE_CONTENT_WARNING IDS_PAGE_INFO_SECURITY_TAB_ENCRYPTED_INSECURE_CONTENT_WARNING
...@@ -613,6 +613,10 @@ Chromium is unable to recover your settings. ...@@ -613,6 +613,10 @@ Chromium is unable to recover your settings.
<message name="IDS_PAGE_INFO_INTERNAL_PAGE" desc="Message to display in the page info bubble when the page you are on is a chrome:// page or about:something."> <message name="IDS_PAGE_INFO_INTERNAL_PAGE" desc="Message to display in the page info bubble when the page you are on is a chrome:// page or about:something.">
You are viewing a secure Chromium page. You are viewing a secure Chromium page.
</message> </message>
<message name="IDS_PAGE_INFO_SECURITY_TAB_DEPRECATED_SIGNATURE_ALGORITHM" desc="The text of the identity section when the site is using a certificate that will stop working in future versions of Chrome.">
The site is using outdated security settings that may prevent future versions of Chromium from being able to safely access it.
</message>
<!-- Print Preview --> <!-- Print Preview -->
<message name="IDS_PRINT_PREVIEW_NO_PLUGIN" desc="Message to display when the PDF viewer is missing."> <message name="IDS_PRINT_PREVIEW_NO_PLUGIN" desc="Message to display when the PDF viewer is missing.">
Chromium does not include the PDF viewer which is required for Print Preview to function. Chromium does not include the PDF viewer which is required for Print Preview to function.
...@@ -537,6 +537,10 @@ Google Chrome is unable to recover your settings. ...@@ -537,6 +537,10 @@ Google Chrome is unable to recover your settings.
<message name="IDS_PAGE_INFO_INTERNAL_PAGE" desc="Message to display in the page info bubble when the page you are on is a chrome:// page or about:something."> <message name="IDS_PAGE_INFO_INTERNAL_PAGE" desc="Message to display in the page info bubble when the page you are on is a chrome:// page or about:something.">
You are viewing a secure Google Chrome page. You are viewing a secure Google Chrome page.
</message> </message>
<message name="IDS_PAGE_INFO_SECURITY_TAB_DEPRECATED_SIGNATURE_ALGORITHM" desc="The text of the identity section when the site is using a certificate that will stop working in future versions of Chrome.">
The site is using outdated security settings that may prevent future versions of Chrome from being able to safely access it.
</message>
<!-- Print Preview --> <!-- Print Preview -->
<message name="IDS_PRINT_PREVIEW_NO_PLUGIN" desc="Message to display when the PDF viewer is missing."> <message name="IDS_PRINT_PREVIEW_NO_PLUGIN" desc="Message to display when the PDF viewer is missing.">
Google Chrome cannot show the print preview when the built-in PDF viewer is missing. Google Chrome cannot show the print preview when the built-in PDF viewer is missing.
...@@ -150,6 +150,7 @@ SSLErrorInfo SSLErrorInfo::CreateError(ErrorType error_type, ...@@ -150,6 +150,7 @@ SSLErrorInfo SSLErrorInfo::CreateError(ErrorType error_type,
IDS_ERRORPAGES_SUMMARY_PINNING_FAILURE); IDS_ERRORPAGES_SUMMARY_PINNING_FAILURE);
short_description = l10n_util::GetStringUTF16( short_description = l10n_util::GetStringUTF16(
IDS_ERRORPAGES_DETAILS_PINNING_FAILURE); IDS_ERRORPAGES_DETAILS_PINNING_FAILURE);
break;
case UNKNOWN: case UNKNOWN:
details = l10n_util::GetStringUTF16(IDS_CERT_ERROR_UNKNOWN_ERROR_DETAILS); details = l10n_util::GetStringUTF16(IDS_CERT_ERROR_UNKNOWN_ERROR_DETAILS);
short_description = short_description =
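Review bot: The `break;` added before `case UNKNOWN:` corrects a fall-through that, on the visible lines, let the UNKNOWN strings overwrite the pinning-failure `details` and `short_description` just assigned above it, and that fix has nothing to do with SHA-1 and is not mentioned in the commit message. It deserves a sentence in the description, or its own CL, so the behaviour change is discoverable when someone bisects error-page text later. The `CreateError` switch this sits in starts and ends outside the hunk.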
...@@ -5,8 +5,10 @@ ...@@ -5,8 +5,10 @@
#include "chrome/browser/ui/toolbar/toolbar_model_impl.h" #include "chrome/browser/ui/toolbar/toolbar_model_impl.h"
#include "base/command_line.h" #include "base/command_line.h"
#include "base/metrics/field_trial.h"
#include "base/prefs/pref_service.h" #include "base/prefs/pref_service.h"
#include "base/strings/utf_string_conversions.h" #include "base/strings/utf_string_conversions.h"
#include "base/time/time.h"
#include "chrome/browser/autocomplete/autocomplete_classifier.h" #include "chrome/browser/autocomplete/autocomplete_classifier.h"
#include "chrome/browser/autocomplete/autocomplete_classifier_factory.h" #include "chrome/browser/autocomplete/autocomplete_classifier_factory.h"
#include "chrome/browser/autocomplete/chrome_autocomplete_scheme_classifier.h" #include "chrome/browser/autocomplete/chrome_autocomplete_scheme_classifier.h"
...@@ -46,6 +48,24 @@ using content::NavigationEntry; ...@@ -46,6 +48,24 @@ using content::NavigationEntry;
using content::SSLStatus; using content::SSLStatus;
using content::WebContents; using content::WebContents;
namespace {
// Converts a SHA-1 field trial group into the appropriate SecurityLevel.
bool GetSecurityLevelForFieldTrialGroup(const std::string& group,
ToolbarModel::SecurityLevel* level) {
if (group == "Error")
*level = ToolbarModel::SECURITY_ERROR;
else if (group == "Warning")
*level = ToolbarModel::SECURITY_WARNING;
else if (group == "HTTP")
*level = ToolbarModel::NONE;
else
return false;
return true;
}
} // namespace
ToolbarModelImpl::ToolbarModelImpl(ToolbarModelDelegate* delegate) ToolbarModelImpl::ToolbarModelImpl(ToolbarModelDelegate* delegate)
: delegate_(delegate) { : delegate_(delegate) {
} }
...@@ -82,12 +102,48 @@ ToolbarModel::SecurityLevel ToolbarModelImpl::GetSecurityLevelForWebContents( ...@@ -82,12 +102,48 @@ ToolbarModel::SecurityLevel ToolbarModelImpl::GetSecurityLevelForWebContents(
#endif #endif
if (!!(ssl.content_status & SSLStatus::DISPLAYED_INSECURE_CONTENT)) if (!!(ssl.content_status & SSLStatus::DISPLAYED_INSECURE_CONTENT))
return SECURITY_WARNING; return SECURITY_WARNING;
scoped_refptr<net::X509Certificate> cert;
if (content::CertStore::GetInstance()->RetrieveCert(ssl.cert_id, &cert) &&
(ssl.cert_status & net::CERT_STATUS_SHA1_SIGNATURE_PRESENT)) {
// The internal representation of the dates for UI treatment of SHA-1.
// See http://crbug.com/401365 for details
static const int64_t kJanuary2017 = INT64_C(13127702400000000);
static const int64_t kJune2016 = INT64_C(13109213000000000);
static const int64_t kJanuary2016 = INT64_C(13096080000000000);
ToolbarModel::SecurityLevel security_level = NONE;
// Gated behind a field trial, so that it is possible to adjust the
// UI treatment (to be more or less severe, as necessary) over the
// course of multiple releases.
// See http://crbug.com/401365 for the timeline, with the end state
// being that > kJanuary2017 = Error, and > kJanuary2016 =
// Warning, and kJune2016 disappearing entirely.
if (cert->valid_expiry() >=
base::Time::FromInternalValue(kJanuary2017) &&
GetSecurityLevelForFieldTrialGroup(
base::FieldTrialList::FindFullName("SHA1ToolbarUIJanuary2017"),
&security_level)) {
return security_level;
}
if (cert->valid_expiry() >= base::Time::FromInternalValue(kJune2016) &&
GetSecurityLevelForFieldTrialGroup(
base::FieldTrialList::FindFullName("SHA1ToolbarUIJune2016"),
&security_level)) {
return security_level;
}
if (cert->valid_expiry() >=
base::Time::FromInternalValue(kJanuary2016) &&
GetSecurityLevelForFieldTrialGroup(
base::FieldTrialList::FindFullName("SHA1ToolbarUIJanuary2016"),
&security_level)) {
return security_level;
}
}
if (net::IsCertStatusError(ssl.cert_status)) { if (net::IsCertStatusError(ssl.cert_status)) {
DCHECK(net::IsCertStatusMinorError(ssl.cert_status)); DCHECK(net::IsCertStatusMinorError(ssl.cert_status));
return SECURITY_WARNING; return SECURITY_WARNING;
} }
if ((ssl.cert_status & net::CERT_STATUS_IS_EV) && if ((ssl.cert_status & net::CERT_STATUS_IS_EV) && cert.get())
content::CertStore::GetInstance()->RetrieveCert(ssl.cert_id, NULL))
return EV_SECURE; return EV_SECURE;
return SECURE; return SECURE;
} }
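Review bot: `kJune2016` on L92 does not agree with the other two constants: 2016-06-01 00:00:00 UTC is 1464739200 s after the Unix epoch, and adding the 11644473600 s offset to 1601 that makes `kJanuary2016` and `kJanuary2017` come out exactly gives 13109212800000000, whereas the value here is 13109213000000000, 200 seconds later, so it looks mistyped (please re-derive before changing it). The SHA-1 block also runs before the `IsCertStatusError` check on L122, so a chain with a minor certificate error whose trial group is "HTTP" returns `NONE` and suppresses the `SECURITY_WARNING` that check would have produced; evaluating the SHA-1 treatment after it, or only ever raising the level, avoids that downgrade. The same three date constants are copied into other files in this CL, so a single shared definition would keep the boundaries (`>=` here) from drifting.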
...@@ -401,50 +401,68 @@ void WebsiteSettings::Init(Profile* profile, ...@@ -401,50 +401,68 @@ void WebsiteSettings::Init(Profile* profile,
} else { } else {
NOTREACHED() << "Need to specify string for this warning"; NOTREACHED() << "Need to specify string for this warning";
} }
} else if (ssl.cert_status & net::CERT_STATUS_IS_EV) { } else {
// EV HTTPS page. if (ssl.cert_status & net::CERT_STATUS_IS_EV) {
site_identity_status_ = GetSiteIdentityStatusByCTInfo( // EV HTTPS page.
ssl.signed_certificate_timestamp_ids, true); site_identity_status_ = GetSiteIdentityStatusByCTInfo(
DCHECK(!cert->subject().organization_names.empty()); ssl.signed_certificate_timestamp_ids, true);
organization_name_ = UTF8ToUTF16(cert->subject().organization_names[0]); DCHECK(!cert->subject().organization_names.empty());
// An EV Cert is required to have a city (localityName) and country but organization_name_ = UTF8ToUTF16(cert->subject().organization_names[0]);
// state is "if any". // An EV Cert is required to have a city (localityName) and country but
DCHECK(!cert->subject().locality_name.empty()); // state is "if any".
DCHECK(!cert->subject().country_name.empty()); DCHECK(!cert->subject().locality_name.empty());
base::string16 locality; DCHECK(!cert->subject().country_name.empty());
if (!cert->subject().state_or_province_name.empty()) { base::string16 locality;
locality = l10n_util::GetStringFUTF16( if (!cert->subject().state_or_province_name.empty()) {
IDS_PAGEINFO_ADDRESS, locality = l10n_util::GetStringFUTF16(
UTF8ToUTF16(cert->subject().locality_name), IDS_PAGEINFO_ADDRESS,
UTF8ToUTF16(cert->subject().state_or_province_name), UTF8ToUTF16(cert->subject().locality_name),
UTF8ToUTF16(cert->subject().country_name)); UTF8ToUTF16(cert->subject().state_or_province_name),
UTF8ToUTF16(cert->subject().country_name));
} else {
locality = l10n_util::GetStringFUTF16(
IDS_PAGEINFO_PARTIAL_ADDRESS,
UTF8ToUTF16(cert->subject().locality_name),
UTF8ToUTF16(cert->subject().country_name));
}
DCHECK(!cert->subject().organization_names.empty());
site_identity_details_.assign(l10n_util::GetStringFUTF16(
GetSiteIdentityDetailsMessageByCTInfo(
ssl.signed_certificate_timestamp_ids, true /* is EV */),
UTF8ToUTF16(cert->subject().organization_names[0]),
locality,
UTF8ToUTF16(cert->issuer().GetDisplayName())));
} else { } else {
locality = l10n_util::GetStringFUTF16( // Non-EV OK HTTPS page.
IDS_PAGEINFO_PARTIAL_ADDRESS, site_identity_status_ = GetSiteIdentityStatusByCTInfo(
UTF8ToUTF16(cert->subject().locality_name), ssl.signed_certificate_timestamp_ids, false);
UTF8ToUTF16(cert->subject().country_name)); base::string16 issuer_name(
UTF8ToUTF16(cert->issuer().GetDisplayName()));
if (issuer_name.empty()) {
issuer_name.assign(l10n_util::GetStringUTF16(
IDS_PAGE_INFO_SECURITY_TAB_UNKNOWN_PARTY));
}
site_identity_details_.assign(l10n_util::GetStringFUTF16(
GetSiteIdentityDetailsMessageByCTInfo(
ssl.signed_certificate_timestamp_ids, false /* not EV */),
issuer_name));
} }
DCHECK(!cert->subject().organization_names.empty()); // The date after which no new SHA-1 certificates may be issued.
site_identity_details_.assign(l10n_util::GetStringFUTF16( // 2016-01-01 00:00:00 UTC
GetSiteIdentityDetailsMessageByCTInfo( static const int64_t kSHA1LastIssuanceDate = INT64_C(13096080000000000);
ssl.signed_certificate_timestamp_ids, true /* is EV */), if ((ssl.cert_status & net::CERT_STATUS_SHA1_SIGNATURE_PRESENT) &&
UTF8ToUTF16(cert->subject().organization_names[0]), cert->valid_expiry() >
locality, base::Time::FromInternalValue(kSHA1LastIssuanceDate) &&
UTF8ToUTF16(cert->issuer().GetDisplayName()))); base::FieldTrialList::FindFullName("SHA1IdentityUIWarning") ==
} else { "Enabled") {
// Non-EV OK HTTPS page. site_identity_status_ =
site_identity_status_ = GetSiteIdentityStatusByCTInfo( SITE_IDENTITY_STATUS_DEPRECATED_SIGNATURE_ALGORITHM;
ssl.signed_certificate_timestamp_ids, false); site_identity_details_ +=
base::string16 issuer_name(UTF8ToUTF16(cert->issuer().GetDisplayName())); UTF8ToUTF16("\n\n") +
if (issuer_name.empty()) { l10n_util::GetStringUTF16(
issuer_name.assign(l10n_util::GetStringUTF16( IDS_PAGE_INFO_SECURITY_TAB_DEPRECATED_SIGNATURE_ALGORITHM);
IDS_PAGE_INFO_SECURITY_TAB_UNKNOWN_PARTY));
} }
site_identity_details_.assign(l10n_util::GetStringFUTF16(
GetSiteIdentityDetailsMessageByCTInfo(
ssl.signed_certificate_timestamp_ids, false /* not EV */),
issuer_name));
} }
} else { } else {
// HTTP or HTTPS with errors (not warnings). // HTTP or HTTPS with errors (not warnings).
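Review bot: The expiry comparison here is `cert->valid_expiry() > base::Time::FromInternalValue(kSHA1LastIssuanceDate)` while the toolbar code in this same CL compares `>=` against the identical value, so a leaf expiring at exactly 2016-01-01 00:00:00 UTC gets the omnibox treatment but no page-info explanation. Pick one boundary and define the constant once (it is the same `13096080000000000` that appears as `kJanuary2016` elsewhere) so the two surfaces cannot disagree. The deprecation text is also only appended on the branch with no certificate errors; if that is intended, the comment on `SITE_IDENTITY_STATUS_DEPRECATED_SIGNATURE_ALGORITHM` should state that the status implies an otherwise valid chain. The enclosing `WebsiteSettings::Init` continues beyond this hunk.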
...@@ -598,7 +616,9 @@ void WebsiteSettings::Init(Profile* profile, ...@@ -598,7 +616,9 @@ void WebsiteSettings::Init(Profile* profile,
site_connection_status_ == SITE_CONNECTION_STATUS_MIXED_CONTENT || site_connection_status_ == SITE_CONNECTION_STATUS_MIXED_CONTENT ||
site_identity_status_ == SITE_IDENTITY_STATUS_ERROR || site_identity_status_ == SITE_IDENTITY_STATUS_ERROR ||
site_identity_status_ == SITE_IDENTITY_STATUS_CERT_REVOCATION_UNKNOWN || site_identity_status_ == SITE_IDENTITY_STATUS_CERT_REVOCATION_UNKNOWN ||
site_identity_status_ == SITE_IDENTITY_STATUS_ADMIN_PROVIDED_CERT) site_identity_status_ == SITE_IDENTITY_STATUS_ADMIN_PROVIDED_CERT ||
site_identity_status_ ==
SITE_IDENTITY_STATUS_DEPRECATED_SIGNATURE_ALGORITHM)
tab_id = WebsiteSettingsUI::TAB_ID_CONNECTION; tab_id = WebsiteSettingsUI::TAB_ID_CONNECTION;
ui_->SetSelectedTab(tab_id); ui_->SetSelectedTab(tab_id);
} }
...@@ -66,6 +66,9 @@ class WebsiteSettings : public TabSpecificContentSettings::SiteDataObserver { ...@@ -66,6 +66,9 @@ class WebsiteSettings : public TabSpecificContentSettings::SiteDataObserver {
// The profile has accessed data using an administrator-provided // The profile has accessed data using an administrator-provided
// certificate, so the site might be able to intercept data. // certificate, so the site might be able to intercept data.
SITE_IDENTITY_STATUS_ADMIN_PROVIDED_CERT, SITE_IDENTITY_STATUS_ADMIN_PROVIDED_CERT,
// The website provided a valid certificate, but the certificate or chain
// is using a deprecated signature algorithm.
SITE_IDENTITY_STATUS_DEPRECATED_SIGNATURE_ALGORITHM,
}; };
// Creates a WebsiteSettings for the passed |url| using the given |ssl| status // Creates a WebsiteSettings for the passed |url| using the given |ssl| status
...@@ -273,6 +273,9 @@ int WebsiteSettingsUI::GetIdentityIconID( ...@@ -273,6 +273,9 @@ int WebsiteSettingsUI::GetIdentityIconID(
case WebsiteSettings::SITE_IDENTITY_STATUS_ADMIN_PROVIDED_CERT: case WebsiteSettings::SITE_IDENTITY_STATUS_ADMIN_PROVIDED_CERT:
resource_id = IDR_PAGEINFO_ENTERPRISE_MANAGED; resource_id = IDR_PAGEINFO_ENTERPRISE_MANAGED;
break; break;
case WebsiteSettings::SITE_IDENTITY_STATUS_DEPRECATED_SIGNATURE_ALGORITHM:
resource_id = IDR_PAGEINFO_WARNING_MINOR;
break;
default: default:
NOTREACHED(); NOTREACHED();
break; break;
...@@ -138,6 +138,60 @@ const double kMaxRequestsPerProcessRatio = 0.45; ...@@ -138,6 +138,60 @@ const double kMaxRequestsPerProcessRatio = 0.45;
// same resource (see bugs 46104 and 31014). // same resource (see bugs 46104 and 31014).
const int kDefaultDetachableCancelDelayMs = 30000; const int kDefaultDetachableCancelDelayMs = 30000;
enum SHA1HistogramTypes {
// SHA-1 is not present in the certificate chain.
SHA1_NOT_PRESENT = 0,
// SHA-1 is present in the certificate chain, and the leaf expires on or
// after January 1, 2017.
SHA1_EXPIRES_AFTER_JANUARY_2017 = 1,
// SHA-1 is present in the certificate chain, and the leaf expires on or
// after June 1, 2016.
SHA1_EXPIRES_AFTER_JUNE_2016 = 2,
// SHA-1 is present in the certificate chain, and the leaf expires on or
// after January 1, 2016.
SHA1_EXPIRES_AFTER_JANUARY_2016 = 3,
// SHA-1 is present in the certificate chain, but the leaf expires before
// January 1, 2016
SHA1_PRESENT = 4,
// Always keep this at the end.
SHA1_HISTOGRAM_TYPES_MAX,
};
void RecordCertificateHistograms(const net::SSLInfo& ssl_info,
ResourceType resource_type) {
// The internal representation of the dates for UI treatment of SHA-1.
// See http://crbug.com/401365 for details
static const int64_t kJanuary2017 = INT64_C(13127702400000000);
static const int64_t kJune2016 = INT64_C(13109213000000000);
static const int64_t kJanuary2016 = INT64_C(13096080000000000);
SHA1HistogramTypes sha1_histogram = SHA1_NOT_PRESENT;
if (ssl_info.cert_status & net::CERT_STATUS_SHA1_SIGNATURE_PRESENT) {
DCHECK(ssl_info.cert.get());
if (ssl_info.cert->valid_expiry() >=
base::Time::FromInternalValue(kJanuary2017)) {
sha1_histogram = SHA1_EXPIRES_AFTER_JANUARY_2017;
} else if (ssl_info.cert->valid_expiry() >=
base::Time::FromInternalValue(kJune2016)) {
sha1_histogram = SHA1_EXPIRES_AFTER_JUNE_2016;
} else if (ssl_info.cert->valid_expiry() >=
base::Time::FromInternalValue(kJanuary2016)) {
sha1_histogram = SHA1_EXPIRES_AFTER_JANUARY_2016;
} else {
sha1_histogram = SHA1_PRESENT;
}
}
if (resource_type == RESOURCE_TYPE_MAIN_FRAME) {
UMA_HISTOGRAM_ENUMERATION("Net.Certificate.SHA1.MainFrame",
sha1_histogram,
SHA1_HISTOGRAM_TYPES_MAX);
} else {
UMA_HISTOGRAM_ENUMERATION("Net.Certificate.SHA1.Subresource",
sha1_histogram,
SHA1_HISTOGRAM_TYPES_MAX);
}
}
bool IsDetachableResourceType(ResourceType type) { bool IsDetachableResourceType(ResourceType type) {
switch (type) { switch (type) {
case RESOURCE_TYPE_PREFETCH: case RESOURCE_TYPE_PREFETCH:
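Review bot: `RecordCertificateHistograms` dereferences `ssl_info.cert` on L268 with only a `DCHECK` on L267 guarding it, so a release build that ever sees `CERT_STATUS_SHA1_SIGNATURE_PRESENT` without a certificate object would crash inside metrics code; an early `if (!ssl_info.cert.get()) return;` (or folding `ssl_info.cert.get()` into the condition on L266) keeps the histogram best-effort. The date constants on L262–L264 duplicate the ones in the toolbar model, so any correction must be applied in both places, and a shared declaration would be safer. A short comment that this function is called from `DidFinishLoading` for every secure-scheme request would also help the next reader judge its cost.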
...@@ -801,6 +855,11 @@ void ResourceDispatcherHostImpl::DidFinishLoading(ResourceLoader* loader) { ...@@ -801,6 +855,11 @@ void ResourceDispatcherHostImpl::DidFinishLoading(ResourceLoader* loader) {
-loader->request()->status().error()); -loader->request()->status().error());
} }
if (loader->request()->url().SchemeIsSecure()) {
RecordCertificateHistograms(loader->request()->ssl_info(),
info->GetResourceType());
}
if (delegate_) if (delegate_)
delegate_->RequestComplete(loader->request()); delegate_->RequestComplete(loader->request());
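Review bot: The histogram call runs for every secure-scheme request reaching `DidFinishLoading`, including ones whose `status().error()` was just recorded on L295, so presumably handshake failures and aborted loads with no certificate land in the `SHA1_NOT_PRESENT` bucket and inflate the denominator. Gating on success, e.g. `if (loader->request()->status().is_success() && loader->request()->url().SchemeIsSecure())`, would restrict the buckets to chains that were actually accepted. `SchemeIsSecure()` also admits more than https (wss at least, if I remember the helper correctly), which is fine for the purpose but worth stating in the histogram description. The enclosing function starts outside this hunk.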
...@@ -29,3 +29,4 @@ CERT_STATUS_FLAG(NAME_CONSTRAINT_VIOLATION, 1 << 14) ...@@ -29,3 +29,4 @@ CERT_STATUS_FLAG(NAME_CONSTRAINT_VIOLATION, 1 << 14)
CERT_STATUS_FLAG(IS_EV, 1 << 16) CERT_STATUS_FLAG(IS_EV, 1 << 16)
CERT_STATUS_FLAG(REV_CHECKING_ENABLED, 1 << 17) CERT_STATUS_FLAG(REV_CHECKING_ENABLED, 1 << 17)
// Bit 18 was CERT_STATUS_IS_DNSSEC // Bit 18 was CERT_STATUS_IS_DNSSEC
CERT_STATUS_FLAG(SHA1_SIGNATURE_PRESENT, 1 << 19)
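Review bot: `SHA1_SIGNATURE_PRESENT` is informational rather than an error, and whether `IsCertStatusError()` treats it that way depends on bit 19 lying outside the error mask defined elsewhere, which nothing on this line records. A comment such as `// Informational, not an error: the chain contains a SHA-1 signature. Must stay outside the error mask used by IsCertStatusError().` plus a unit test asserting `!IsCertStatusError(CERT_STATUS_SHA1_SIGNATURE_PRESENT)` would lock that in, since a later reshuffle of the mask would otherwise silently turn this into a blocking error for most of the web.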
...@@ -262,6 +262,9 @@ int CertVerifyProc::Verify(X509Certificate* cert, ...@@ -262,6 +262,9 @@ int CertVerifyProc::Verify(X509Certificate* cert,
rv = MapCertStatusToNetError(verify_result->cert_status); rv = MapCertStatusToNetError(verify_result->cert_status);
} }
if (verify_result->has_sha1)
verify_result->cert_status |= CERT_STATUS_SHA1_SIGNATURE_PRESENT;
// Flag certificates from publicly-trusted CAs that are issued to intranet // Flag certificates from publicly-trusted CAs that are issued to intranet
// hosts. While the CA/Browser Forum Baseline Requirements (v1.1) permit // hosts. While the CA/Browser Forum Baseline Requirements (v1.1) permit
// these to be issued until 1 November 2015, they represent a real risk for // these to be issued until 1 November 2015, they represent a real risk for
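Review bot: Mapping `verify_result->has_sha1` onto `CERT_STATUS_SHA1_SIGNATURE_PRESENT` is only meaningful if `has_sha1` ignores the self-signature on the trust anchor, which is not visible here; if the per-platform verifiers count the root, nearly every chain under a SHA-1-signed root would be flagged regardless of the leaf and intermediates the UI treatment targets. Suggest a comment at this site recording which signatures are inspected once that is confirmed, e.g. `// |has_sha1| covers the leaf and intermediates only; the root's self-signature is never verified and is not counted.` Applying the flag after `rv` has been computed is correct given that it must not map to a net error.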
...@@ -644,7 +644,7 @@ TEST_F(CertVerifyProcTest, TestKnownRoot) { ...@@ -644,7 +644,7 @@ TEST_F(CertVerifyProcTest, TestKnownRoot) {
empty_cert_list_, empty_cert_list_,
&verify_result); &verify_result);
EXPECT_EQ(OK, error); EXPECT_EQ(OK, error);
EXPECT_EQ(0U, verify_result.cert_status); EXPECT_EQ(CERT_STATUS_SHA1_SIGNATURE_PRESENT, verify_result.cert_status);
EXPECT_TRUE(verify_result.is_issued_by_known_root); EXPECT_TRUE(verify_result.is_issued_by_known_root);
} }
...@@ -678,7 +678,7 @@ TEST_F(CertVerifyProcTest, PublicKeyHashes) { ...@@ -678,7 +678,7 @@ TEST_F(CertVerifyProcTest, PublicKeyHashes) {
empty_cert_list_, empty_cert_list_,
&verify_result); &verify_result);
EXPECT_EQ(OK, error); EXPECT_EQ(OK, error);
EXPECT_EQ(0U, verify_result.cert_status); EXPECT_EQ(CERT_STATUS_SHA1_SIGNATURE_PRESENT, verify_result.cert_status);
ASSERT_LE(2U, verify_result.public_key_hashes.size()); ASSERT_LE(2U, verify_result.public_key_hashes.size());
HashValueVector sha1_hashes; HashValueVector sha1_hashes;
...@@ -1076,7 +1076,7 @@ TEST_F(CertVerifyProcTest, CybertrustGTERoot) { ...@@ -1076,7 +1076,7 @@ TEST_F(CertVerifyProcTest, CybertrustGTERoot) {
empty_cert_list_, empty_cert_list_,
&verify_result); &verify_result);
EXPECT_EQ(OK, error); EXPECT_EQ(OK, error);
EXPECT_EQ(0U, verify_result.cert_status); EXPECT_EQ(CERT_STATUS_SHA1_SIGNATURE_PRESENT, verify_result.cert_status);
// Attempt to verify with the first known cross-certified intermediate // Attempt to verify with the first known cross-certified intermediate
// provided. // provided.
...@@ -1099,7 +1099,7 @@ TEST_F(CertVerifyProcTest, CybertrustGTERoot) { ...@@ -1099,7 +1099,7 @@ TEST_F(CertVerifyProcTest, CybertrustGTERoot) {
empty_cert_list_, empty_cert_list_,
&verify_result); &verify_result);
EXPECT_EQ(OK, error); EXPECT_EQ(OK, error);
EXPECT_EQ(0U, verify_result.cert_status); EXPECT_EQ(CERT_STATUS_SHA1_SIGNATURE_PRESENT, verify_result.cert_status);
// Attempt to verify with the second known cross-certified intermediate // Attempt to verify with the second known cross-certified intermediate
// provided. // provided.
...@@ -1122,7 +1122,7 @@ TEST_F(CertVerifyProcTest, CybertrustGTERoot) { ...@@ -1122,7 +1122,7 @@ TEST_F(CertVerifyProcTest, CybertrustGTERoot) {
empty_cert_list_, empty_cert_list_,
&verify_result); &verify_result);
EXPECT_EQ(OK, error); EXPECT_EQ(OK, error);
EXPECT_EQ(0U, verify_result.cert_status); EXPECT_EQ(CERT_STATUS_SHA1_SIGNATURE_PRESENT, verify_result.cert_status);
// Attempt to verify when both a cross-certified intermediate AND // Attempt to verify when both a cross-certified intermediate AND
// the legacy GTE root are provided. // the legacy GTE root are provided.
...@@ -1142,7 +1142,7 @@ TEST_F(CertVerifyProcTest, CybertrustGTERoot) { ...@@ -1142,7 +1142,7 @@ TEST_F(CertVerifyProcTest, CybertrustGTERoot) {
empty_cert_list_, empty_cert_list_,
&verify_result); &verify_result);
EXPECT_EQ(OK, error); EXPECT_EQ(OK, error);
EXPECT_EQ(0U, verify_result.cert_status); EXPECT_EQ(CERT_STATUS_SHA1_SIGNATURE_PRESENT, verify_result.cert_status);
TestRootCerts::GetInstance()->Clear(); TestRootCerts::GetInstance()->Clear();
EXPECT_TRUE(TestRootCerts::GetInstance()->IsEmpty()); EXPECT_TRUE(TestRootCerts::GetInstance()->IsEmpty());
...@@ -1240,7 +1240,7 @@ TEST_F(CertVerifyProcTest, CRLSetLeafSerial) { ...@@ -1240,7 +1240,7 @@ TEST_F(CertVerifyProcTest, CRLSetLeafSerial) {
empty_cert_list_, empty_cert_list_,
&verify_result); &verify_result);
EXPECT_EQ(OK, error); EXPECT_EQ(OK, error);
EXPECT_EQ(0U, verify_result.cert_status); EXPECT_EQ(CERT_STATUS_SHA1_SIGNATURE_PRESENT, verify_result.cert_status);
// Test revocation by serial number of a certificate not under the root. // Test revocation by serial number of a certificate not under the root.
scoped_refptr<CRLSet> crl_set; scoped_refptr<CRLSet> crl_set;
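Review bot: Every updated expectation asserts that the existing fixture chains now carry `CERT_STATUS_SHA1_SIGNATURE_PRESENT`, but nothing asserts the inverse: a chain signed only with SHA-256 leaving the bit clear, or the bit alone not making `IsCertStatusError()` true. A regression that sets `has_sha1` unconditionally would still pass this suite. A dedicated test with one SHA-1 and one SHA-2 chain would cover both cases; the unrelated known-root and CRLSet tests here could then mask the bit out (`verify_result.cert_status & ~CERT_STATUS_SHA1_SIGNATURE_PRESENT`) so they stop depending on the fixtures' signature algorithm and survive a future re-generation with SHA-256.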
...@@ -14554,6 +14554,22 @@ Therefore, the affected-histogram name has to have at least one dot in it. ...@@ -14554,6 +14554,22 @@ Therefore, the affected-histogram name has to have at least one dot in it.
</summary> </summary>
</histogram> </histogram>
<histogram name="Net.Certificate.SHA1.MainFrame" enum="SHA1Status">
<owner>rsleevi@chromium.org</owner>
<summary>
Whether or not SHA-1 was present in a resource fetched for the main frame,
and if so, what its maximum validity period was.
</summary>
</histogram>
<histogram name="Net.Certificate.SHA1.Subresource" enum="SHA1Status">
<owner>rsleevi@chromium.org</owner>
<summary>
Whether or not SHA-1 was present in a subresource fetch, and if so, what its
maximum validity period was.
</summary>
</histogram>
<histogram name="Net.CertificatePinSuccess" enum="BooleanSuccess"> <histogram name="Net.CertificatePinSuccess" enum="BooleanSuccess">
<obsolete> <obsolete>
Renamed to Net.PublicKeyPinSuccess 28 Oct 2011. Renamed to Net.PublicKeyPinSuccess 28 Oct 2011.
...@@ -50657,6 +50673,18 @@ To add a new entry, add it with any value and run test to compute valid value. ...@@ -50657,6 +50673,18 @@ To add a new entry, add it with any value and run test to compute valid value.
</int> </int>
</enum> </enum>
<enum name="SHA1Status" type="int">
<summary>
Whether or not SHA-1 was present in a certificate chain and, if it was, when
the leaf certificate expired.
</summary>
<int value="0" label="Not present"/>
<int value="1" label="Expires after Jan 1, 2017"/>
<int value="2" label="Expires between Jun 1, 2016 and Jan 1, 2017"/>
<int value="3" label="Expires between Jan 1, 2016 and Jun 1, 2016"/>
<int value="4" label="Expires before Jan 1, 2016"/>
</enum>
<enum name="ShelfAlignmentValue" type="int"> <enum name="ShelfAlignmentValue" type="int">
<summary> <summary>
The alignment of the shelf area (see ash/launcher/launcher_view.cc). The alignment of the shelf area (see ash/launcher/launcher_view.cc).
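Review bot: The summaries on L374–L375 and L381–L382 describe the recorded value as the certificate's "maximum validity period", and the enum summary on L393–L394 says "when the leaf certificate expired", but the recording code buckets on the leaf's expiry date relative to three fixed cut-offs, which is neither a period nor a past event. Suggest `and if so, in which SHA-1 sunset window the leaf certificate's expiry date falls.` for both histogram summaries and `in which sunset window the leaf certificate's expiry date falls` for the enum. The value-1 label would also read `Expires on or after Jan 1, 2017` to match the `>=` comparison in the code.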