Mark SHA-1 as deprecated

BUG=401365 Review URL: https://codereview.chromium.org/508823009 Cr-Commit-Position: refs/heads/master@{#297331}

Mark SHA-1 as deprecated
BUG=401365 Review URL: https://codereview.chromium.org/508823009 Cr-Commit-Position: refs/heads/master@{#297331}
4f801272 · rsleevi · Commit bot · 92ee4a3c · 4f801272 · 4f801272
Commit 4f801272 authored Sep 29, 2014 by rsleevi Committed by Commit bot Sep 30, 2014
13 changed files
--- a/build/ios/grit_whitelist.txt
+++ b/build/ios/grit_whitelist.txt
@@ -670,6 +670,7 @@ IDS_PAGEINFO_PARTIAL_ADDRESS
 IDS_PAGE_INFO_HELP_CENTER_LINK
 IDS_PAGE_INFO_INTERNAL_PAGE
 IDS_PAGE_INFO_SECURITY_BUTTON_ACCESSIBILITY_LABEL
+IDS_PAGE_INFO_SECURITY_TAB_DEPRECATED_SIGNATURE_ALGORITHM
 IDS_PAGE_INFO_SECURITY_TAB_ENCRYPTED_CONNECTION_TEXT
 IDS_PAGE_INFO_SECURITY_TAB_ENCRYPTED_INSECURE_CONTENT_ERROR
 IDS_PAGE_INFO_SECURITY_TAB_ENCRYPTED_INSECURE_CONTENT_WARNING

--- a/chrome/app/chromium_strings.grd
+++ b/chrome/app/chromium_strings.grd
@@ -613,6 +613,10 @@ Chromium is unable to recover your settings.
      <message name="IDS_PAGE_INFO_INTERNAL_PAGE" desc="Message to display in the page info bubble when the page you are on is a chrome:// page or about:something.">
        You are viewing a secure Chromium page.
      </message>
+      <message name="IDS_PAGE_INFO_SECURITY_TAB_DEPRECATED_SIGNATURE_ALGORITHM" desc="The text of the identity section when the site is using a certificate that will stop working in future versions of Chrome.">
+        The site is using outdated security settings that may prevent future versions of Chromium from being able to safely access it.
+      </message>
      <!-- Print Preview -->
      <message name="IDS_PRINT_PREVIEW_NO_PLUGIN" desc="Message to display when the PDF viewer is missing.">
        Chromium does not include the PDF viewer which is required for Print Preview to function.

--- a/chrome/app/google_chrome_strings.grd
+++ b/chrome/app/google_chrome_strings.grd
@@ -537,6 +537,10 @@ Google Chrome is unable to recover your settings.
      <message name="IDS_PAGE_INFO_INTERNAL_PAGE" desc="Message to display in the page info bubble when the page you are on is a chrome:// page or about:something.">
        You are viewing a secure Google Chrome page.
      </message>
+      <message name="IDS_PAGE_INFO_SECURITY_TAB_DEPRECATED_SIGNATURE_ALGORITHM" desc="The text of the identity section when the site is using a certificate that will stop working in future versions of Chrome.">
+        The site is using outdated security settings that may prevent future versions of Chrome from being able to safely access it.
+      </message>
      <!-- Print Preview -->
      <message name="IDS_PRINT_PREVIEW_NO_PLUGIN" desc="Message to display when the PDF viewer is missing.">
        Google Chrome cannot show the print preview when the built-in PDF viewer is missing.

--- a/chrome/browser/ssl/ssl_error_info.cc
+++ b/chrome/browser/ssl/ssl_error_info.cc
@@ -150,6 +150,7 @@ SSLErrorInfo SSLErrorInfo::CreateError(ErrorType error_type,
          IDS_ERRORPAGES_SUMMARY_PINNING_FAILURE);
      short_description = l10n_util::GetStringUTF16(
          IDS_ERRORPAGES_DETAILS_PINNING_FAILURE);
+      break;
    case UNKNOWN:
      details = l10n_util::GetStringUTF16(IDS_CERT_ERROR_UNKNOWN_ERROR_DETAILS);
      short_description =

--- a/chrome/browser/ui/toolbar/toolbar_model_impl.cc
+++ b/chrome/browser/ui/toolbar/toolbar_model_impl.cc
@@ -5,8 +5,10 @@
 #include "chrome/browser/ui/toolbar/toolbar_model_impl.h"
 #include "base/command_line.h"
+#include "base/metrics/field_trial.h"
 #include "base/prefs/pref_service.h"
 #include "base/strings/utf_string_conversions.h"
+#include "base/time/time.h"
 #include "chrome/browser/autocomplete/autocomplete_classifier.h"
 #include "chrome/browser/autocomplete/autocomplete_classifier_factory.h"
 #include "chrome/browser/autocomplete/chrome_autocomplete_scheme_classifier.h"
@@ -46,6 +48,24 @@ using content::NavigationEntry;
 using content::SSLStatus;
 using content::WebContents;
+namespace {
+// Converts a SHA-1 field trial group into the appropriate SecurityLevel.
+bool GetSecurityLevelForFieldTrialGroup(const std::string& group,
+                                        ToolbarModel::SecurityLevel* level) {
+  if (group == "Error")
+    *level = ToolbarModel::SECURITY_ERROR;
+  else if (group == "Warning")
+    *level = ToolbarModel::SECURITY_WARNING;
+  else if (group == "HTTP")
+    *level = ToolbarModel::NONE;
+  else
+    return false;
+  return true;
+}
+}  // namespace
 ToolbarModelImpl::ToolbarModelImpl(ToolbarModelDelegate* delegate)
    : delegate_(delegate) {
 }
@@ -82,12 +102,48 @@ ToolbarModel::SecurityLevel ToolbarModelImpl::GetSecurityLevelForWebContents(
 #endif
      if (!!(ssl.content_status & SSLStatus::DISPLAYED_INSECURE_CONTENT))
        return SECURITY_WARNING;
+      scoped_refptr<net::X509Certificate> cert;
+      if (content::CertStore::GetInstance()->RetrieveCert(ssl.cert_id, &cert) &&
+          (ssl.cert_status & net::CERT_STATUS_SHA1_SIGNATURE_PRESENT)) {
+        // The internal representation of the dates for UI treatment of SHA-1.
+        // See http://crbug.com/401365 for details
+        static const int64_t kJanuary2017 = INT64_C(13127702400000000);
+        static const int64_t kJune2016 = INT64_C(13109213000000000);
+        static const int64_t kJanuary2016 = INT64_C(13096080000000000);
+        ToolbarModel::SecurityLevel security_level = NONE;
+        // Gated behind a field trial, so that it is possible to adjust the
+        // UI treatment (to be more or less severe, as necessary) over the
+        // course of multiple releases.
+        // See http://crbug.com/401365 for the timeline, with the end state
+        // being that > kJanuary2017 = Error, and > kJanuary2016 =
+        // Warning, and kJune2016 disappearing entirely.
+        if (cert->valid_expiry() >=
+                base::Time::FromInternalValue(kJanuary2017) &&
+            GetSecurityLevelForFieldTrialGroup(
+                base::FieldTrialList::FindFullName("SHA1ToolbarUIJanuary2017"),
+                &security_level)) {
+          return security_level;
+        }
+        if (cert->valid_expiry() >= base::Time::FromInternalValue(kJune2016) &&
+            GetSecurityLevelForFieldTrialGroup(
+                base::FieldTrialList::FindFullName("SHA1ToolbarUIJune2016"),
+                &security_level)) {
+          return security_level;
+        }
+        if (cert->valid_expiry() >=
+                base::Time::FromInternalValue(kJanuary2016) &&
+            GetSecurityLevelForFieldTrialGroup(
+                base::FieldTrialList::FindFullName("SHA1ToolbarUIJanuary2016"),
+                &security_level)) {
+          return security_level;
+        }
+      }
      if (net::IsCertStatusError(ssl.cert_status)) {
        DCHECK(net::IsCertStatusMinorError(ssl.cert_status));
        return SECURITY_WARNING;
      }
-      if ((ssl.cert_status & net::CERT_STATUS_IS_EV) &&
+      if ((ssl.cert_status & net::CERT_STATUS_IS_EV) && cert.get())
-          content::CertStore::GetInstance()->RetrieveCert(ssl.cert_id, NULL))
        return EV_SECURE;
      return SECURE;
    }

--- a/chrome/browser/ui/website_settings/website_settings.cc
+++ b/chrome/browser/ui/website_settings/website_settings.cc
@@ -401,50 +401,68 @@ void WebsiteSettings::Init(Profile* profile,
      } else {
        NOTREACHED() << "Need to specify string for this warning";
      }
-    } else if (ssl.cert_status & net::CERT_STATUS_IS_EV) {
+    } else {
-      // EV HTTPS page.
+      if (ssl.cert_status & net::CERT_STATUS_IS_EV) {
-      site_identity_status_ = GetSiteIdentityStatusByCTInfo(
+        // EV HTTPS page.
-          ssl.signed_certificate_timestamp_ids, true);
+        site_identity_status_ = GetSiteIdentityStatusByCTInfo(
-      DCHECK(!cert->subject().organization_names.empty());
+            ssl.signed_certificate_timestamp_ids, true);
-      organization_name_ = UTF8ToUTF16(cert->subject().organization_names[0]);
+        DCHECK(!cert->subject().organization_names.empty());
-      // An EV Cert is required to have a city (localityName) and country but
+        organization_name_ = UTF8ToUTF16(cert->subject().organization_names[0]);
-      // state is "if any".
+        // An EV Cert is required to have a city (localityName) and country but
-      DCHECK(!cert->subject().locality_name.empty());
+        // state is "if any".
-      DCHECK(!cert->subject().country_name.empty());
+        DCHECK(!cert->subject().locality_name.empty());
-      base::string16 locality;
+        DCHECK(!cert->subject().country_name.empty());
-      if (!cert->subject().state_or_province_name.empty()) {
+        base::string16 locality;
-        locality = l10n_util::GetStringFUTF16(
+        if (!cert->subject().state_or_province_name.empty()) {
-            IDS_PAGEINFO_ADDRESS,
+          locality = l10n_util::GetStringFUTF16(
-            UTF8ToUTF16(cert->subject().locality_name),
+              IDS_PAGEINFO_ADDRESS,
-            UTF8ToUTF16(cert->subject().state_or_province_name),
+              UTF8ToUTF16(cert->subject().locality_name),
-            UTF8ToUTF16(cert->subject().country_name));
+              UTF8ToUTF16(cert->subject().state_or_province_name),
+              UTF8ToUTF16(cert->subject().country_name));
+        } else {
+          locality = l10n_util::GetStringFUTF16(
+              IDS_PAGEINFO_PARTIAL_ADDRESS,
+              UTF8ToUTF16(cert->subject().locality_name),
+              UTF8ToUTF16(cert->subject().country_name));
+        }
+        DCHECK(!cert->subject().organization_names.empty());
+        site_identity_details_.assign(l10n_util::GetStringFUTF16(
+            GetSiteIdentityDetailsMessageByCTInfo(
+                ssl.signed_certificate_timestamp_ids, true /* is EV */),
+            UTF8ToUTF16(cert->subject().organization_names[0]),
+            locality,
+            UTF8ToUTF16(cert->issuer().GetDisplayName())));
      } else {
-        locality = l10n_util::GetStringFUTF16(
+        // Non-EV OK HTTPS page.
-            IDS_PAGEINFO_PARTIAL_ADDRESS,
+        site_identity_status_ = GetSiteIdentityStatusByCTInfo(
-            UTF8ToUTF16(cert->subject().locality_name),
+            ssl.signed_certificate_timestamp_ids, false);
-            UTF8ToUTF16(cert->subject().country_name));
+        base::string16 issuer_name(
+            UTF8ToUTF16(cert->issuer().GetDisplayName()));
+        if (issuer_name.empty()) {
+          issuer_name.assign(l10n_util::GetStringUTF16(
+              IDS_PAGE_INFO_SECURITY_TAB_UNKNOWN_PARTY));
+        }
+        site_identity_details_.assign(l10n_util::GetStringFUTF16(
+            GetSiteIdentityDetailsMessageByCTInfo(
+                ssl.signed_certificate_timestamp_ids, false /* not EV */),
+            issuer_name));
      }
-      DCHECK(!cert->subject().organization_names.empty());
+      // The date after which no new SHA-1 certificates may be issued.
-      site_identity_details_.assign(l10n_util::GetStringFUTF16(
+      // 2016-01-01 00:00:00 UTC
-          GetSiteIdentityDetailsMessageByCTInfo(
+      static const int64_t kSHA1LastIssuanceDate = INT64_C(13096080000000000);
-              ssl.signed_certificate_timestamp_ids, true /* is EV */),
+      if ((ssl.cert_status & net::CERT_STATUS_SHA1_SIGNATURE_PRESENT) &&
-          UTF8ToUTF16(cert->subject().organization_names[0]),
+          cert->valid_expiry() >
-          locality,
+              base::Time::FromInternalValue(kSHA1LastIssuanceDate) &&
-          UTF8ToUTF16(cert->issuer().GetDisplayName())));
+          base::FieldTrialList::FindFullName("SHA1IdentityUIWarning") ==
-    } else {
+              "Enabled") {
-      // Non-EV OK HTTPS page.
+        site_identity_status_ =
-      site_identity_status_ = GetSiteIdentityStatusByCTInfo(
+            SITE_IDENTITY_STATUS_DEPRECATED_SIGNATURE_ALGORITHM;
-          ssl.signed_certificate_timestamp_ids, false);
+        site_identity_details_ +=
-      base::string16 issuer_name(UTF8ToUTF16(cert->issuer().GetDisplayName()));
+            UTF8ToUTF16("\n\n") +
-      if (issuer_name.empty()) {
+            l10n_util::GetStringUTF16(
-        issuer_name.assign(l10n_util::GetStringUTF16(
+                IDS_PAGE_INFO_SECURITY_TAB_DEPRECATED_SIGNATURE_ALGORITHM);
-            IDS_PAGE_INFO_SECURITY_TAB_UNKNOWN_PARTY));
      }
-      site_identity_details_.assign(l10n_util::GetStringFUTF16(
-          GetSiteIdentityDetailsMessageByCTInfo(
-              ssl.signed_certificate_timestamp_ids, false /* not EV */),
-          issuer_name));
    }
  } else {
    // HTTP or HTTPS with errors (not warnings).
@@ -598,7 +616,9 @@ void WebsiteSettings::Init(Profile* profile,
      site_connection_status_ == SITE_CONNECTION_STATUS_MIXED_CONTENT ||
      site_identity_status_ == SITE_IDENTITY_STATUS_ERROR ||
      site_identity_status_ == SITE_IDENTITY_STATUS_CERT_REVOCATION_UNKNOWN ||
-      site_identity_status_ == SITE_IDENTITY_STATUS_ADMIN_PROVIDED_CERT)
+      site_identity_status_ == SITE_IDENTITY_STATUS_ADMIN_PROVIDED_CERT ||
+      site_identity_status_ ==
+          SITE_IDENTITY_STATUS_DEPRECATED_SIGNATURE_ALGORITHM)
    tab_id = WebsiteSettingsUI::TAB_ID_CONNECTION;
  ui_->SetSelectedTab(tab_id);
 }

--- a/chrome/browser/ui/website_settings/website_settings.h
+++ b/chrome/browser/ui/website_settings/website_settings.h
@@ -66,6 +66,9 @@ class WebsiteSettings : public TabSpecificContentSettings::SiteDataObserver {
    // The profile has accessed data using an administrator-provided
    // certificate, so the site might be able to intercept data.
    SITE_IDENTITY_STATUS_ADMIN_PROVIDED_CERT,
+    // The website provided a valid certificate, but the certificate or chain
+    // is using a deprecated signature algorithm.
+    SITE_IDENTITY_STATUS_DEPRECATED_SIGNATURE_ALGORITHM,
  };
  // Creates a WebsiteSettings for the passed |url| using the given |ssl| status

--- a/chrome/browser/ui/website_settings/website_settings_ui.cc
+++ b/chrome/browser/ui/website_settings/website_settings_ui.cc
@@ -273,6 +273,9 @@ int WebsiteSettingsUI::GetIdentityIconID(
    case WebsiteSettings::SITE_IDENTITY_STATUS_ADMIN_PROVIDED_CERT:
      resource_id = IDR_PAGEINFO_ENTERPRISE_MANAGED;
      break;
+    case WebsiteSettings::SITE_IDENTITY_STATUS_DEPRECATED_SIGNATURE_ALGORITHM:
+      resource_id = IDR_PAGEINFO_WARNING_MINOR;
+      break;
    default:
      NOTREACHED();
      break;

--- a/content/browser/loader/resource_dispatcher_host_impl.cc
+++ b/content/browser/loader/resource_dispatcher_host_impl.cc
@@ -138,6 +138,60 @@ const double kMaxRequestsPerProcessRatio = 0.45;
 // same resource (see bugs 46104 and 31014).
 const int kDefaultDetachableCancelDelayMs = 30000;
+enum SHA1HistogramTypes {
+  // SHA-1 is not present in the certificate chain.
+  SHA1_NOT_PRESENT = 0,
+  // SHA-1 is present in the certificate chain, and the leaf expires on or
+  // after January 1, 2017.
+  SHA1_EXPIRES_AFTER_JANUARY_2017 = 1,
+  // SHA-1 is present in the certificate chain, and the leaf expires on or
+  // after June 1, 2016.
+  SHA1_EXPIRES_AFTER_JUNE_2016 = 2,
+  // SHA-1 is present in the certificate chain, and the leaf expires on or
+  // after January 1, 2016.
+  SHA1_EXPIRES_AFTER_JANUARY_2016 = 3,
+  // SHA-1 is present in the certificate chain, but the leaf expires before
+  // January 1, 2016
+  SHA1_PRESENT = 4,
+  // Always keep this at the end.
+  SHA1_HISTOGRAM_TYPES_MAX,
+};
+void RecordCertificateHistograms(const net::SSLInfo& ssl_info,
+                                 ResourceType resource_type) {
+  // The internal representation of the dates for UI treatment of SHA-1.
+  // See http://crbug.com/401365 for details
+  static const int64_t kJanuary2017 = INT64_C(13127702400000000);
+  static const int64_t kJune2016 = INT64_C(13109213000000000);
+  static const int64_t kJanuary2016 = INT64_C(13096080000000000);
+  SHA1HistogramTypes sha1_histogram = SHA1_NOT_PRESENT;
+  if (ssl_info.cert_status & net::CERT_STATUS_SHA1_SIGNATURE_PRESENT) {
+    DCHECK(ssl_info.cert.get());
+    if (ssl_info.cert->valid_expiry() >=
+        base::Time::FromInternalValue(kJanuary2017)) {
+      sha1_histogram = SHA1_EXPIRES_AFTER_JANUARY_2017;
+    } else if (ssl_info.cert->valid_expiry() >=
+               base::Time::FromInternalValue(kJune2016)) {
+      sha1_histogram = SHA1_EXPIRES_AFTER_JUNE_2016;
+    } else if (ssl_info.cert->valid_expiry() >=
+               base::Time::FromInternalValue(kJanuary2016)) {
+      sha1_histogram = SHA1_EXPIRES_AFTER_JANUARY_2016;
+    } else {
+      sha1_histogram = SHA1_PRESENT;
+    }
+  }
+  if (resource_type == RESOURCE_TYPE_MAIN_FRAME) {
+    UMA_HISTOGRAM_ENUMERATION("Net.Certificate.SHA1.MainFrame",
+                              sha1_histogram,
+                              SHA1_HISTOGRAM_TYPES_MAX);
+  } else {
+    UMA_HISTOGRAM_ENUMERATION("Net.Certificate.SHA1.Subresource",
+                              sha1_histogram,
+                              SHA1_HISTOGRAM_TYPES_MAX);
+  }
+}
 bool IsDetachableResourceType(ResourceType type) {
  switch (type) {
    case RESOURCE_TYPE_PREFETCH:
@@ -801,6 +855,11 @@ void ResourceDispatcherHostImpl::DidFinishLoading(ResourceLoader* loader) {
        -loader->request()->status().error());
  }
+  if (loader->request()->url().SchemeIsSecure()) {
+    RecordCertificateHistograms(loader->request()->ssl_info(),
+                                info->GetResourceType());
+  }
  if (delegate_)
    delegate_->RequestComplete(loader->request());

--- a/net/cert/cert_status_flags_list.h
+++ b/net/cert/cert_status_flags_list.h
@@ -29,3 +29,4 @@ CERT_STATUS_FLAG(NAME_CONSTRAINT_VIOLATION, 1 << 14)
 CERT_STATUS_FLAG(IS_EV, 1 << 16)
 CERT_STATUS_FLAG(REV_CHECKING_ENABLED, 1 << 17)
 // Bit 18 was CERT_STATUS_IS_DNSSEC
+CERT_STATUS_FLAG(SHA1_SIGNATURE_PRESENT, 1 << 19)
--- a/net/cert/cert_verify_proc.cc
+++ b/net/cert/cert_verify_proc.cc
@@ -262,6 +262,9 @@ int CertVerifyProc::Verify(X509Certificate* cert,
      rv = MapCertStatusToNetError(verify_result->cert_status);
  }
+  if (verify_result->has_sha1)
+    verify_result->cert_status |= CERT_STATUS_SHA1_SIGNATURE_PRESENT;
  // Flag certificates from publicly-trusted CAs that are issued to intranet
  // hosts. While the CA/Browser Forum Baseline Requirements (v1.1) permit
  // these to be issued until 1 November 2015, they represent a real risk for

--- a/net/cert/cert_verify_proc_unittest.cc
+++ b/net/cert/cert_verify_proc_unittest.cc
@@ -644,7 +644,7 @@ TEST_F(CertVerifyProcTest, TestKnownRoot) {
                     empty_cert_list_,
                     &verify_result);
  EXPECT_EQ(OK, error);
-  EXPECT_EQ(0U, verify_result.cert_status);
+  EXPECT_EQ(CERT_STATUS_SHA1_SIGNATURE_PRESENT, verify_result.cert_status);
  EXPECT_TRUE(verify_result.is_issued_by_known_root);
 }
@@ -678,7 +678,7 @@ TEST_F(CertVerifyProcTest, PublicKeyHashes) {
                     empty_cert_list_,
                     &verify_result);
  EXPECT_EQ(OK, error);
-  EXPECT_EQ(0U, verify_result.cert_status);
+  EXPECT_EQ(CERT_STATUS_SHA1_SIGNATURE_PRESENT, verify_result.cert_status);
  ASSERT_LE(2U, verify_result.public_key_hashes.size());
  HashValueVector sha1_hashes;
@@ -1076,7 +1076,7 @@ TEST_F(CertVerifyProcTest, CybertrustGTERoot) {
                     empty_cert_list_,
                     &verify_result);
  EXPECT_EQ(OK, error);
-  EXPECT_EQ(0U, verify_result.cert_status);
+  EXPECT_EQ(CERT_STATUS_SHA1_SIGNATURE_PRESENT, verify_result.cert_status);
  // Attempt to verify with the first known cross-certified intermediate
  // provided.
@@ -1099,7 +1099,7 @@ TEST_F(CertVerifyProcTest, CybertrustGTERoot) {
                 empty_cert_list_,
                 &verify_result);
  EXPECT_EQ(OK, error);
-  EXPECT_EQ(0U, verify_result.cert_status);
+  EXPECT_EQ(CERT_STATUS_SHA1_SIGNATURE_PRESENT, verify_result.cert_status);
  // Attempt to verify with the second known cross-certified intermediate
  // provided.
@@ -1122,7 +1122,7 @@ TEST_F(CertVerifyProcTest, CybertrustGTERoot) {
                 empty_cert_list_,
                 &verify_result);
  EXPECT_EQ(OK, error);
-  EXPECT_EQ(0U, verify_result.cert_status);
+  EXPECT_EQ(CERT_STATUS_SHA1_SIGNATURE_PRESENT, verify_result.cert_status);
  // Attempt to verify when both a cross-certified intermediate AND
  // the legacy GTE root are provided.
@@ -1142,7 +1142,7 @@ TEST_F(CertVerifyProcTest, CybertrustGTERoot) {
                 empty_cert_list_,
                 &verify_result);
  EXPECT_EQ(OK, error);
-  EXPECT_EQ(0U, verify_result.cert_status);
+  EXPECT_EQ(CERT_STATUS_SHA1_SIGNATURE_PRESENT, verify_result.cert_status);
  TestRootCerts::GetInstance()->Clear();
  EXPECT_TRUE(TestRootCerts::GetInstance()->IsEmpty());
@@ -1240,7 +1240,7 @@ TEST_F(CertVerifyProcTest, CRLSetLeafSerial) {
                     empty_cert_list_,
                     &verify_result);
  EXPECT_EQ(OK, error);
-  EXPECT_EQ(0U, verify_result.cert_status);
+  EXPECT_EQ(CERT_STATUS_SHA1_SIGNATURE_PRESENT, verify_result.cert_status);
  // Test revocation by serial number of a certificate not under the root.
  scoped_refptr<CRLSet> crl_set;

--- a/tools/metrics/histograms/histograms.xml
+++ b/tools/metrics/histograms/histograms.xml
@@ -14554,6 +14554,22 @@ Therefore, the affected-histogram name has to have at least one dot in it.
  </summary>
 </histogram>
+<histogram name="Net.Certificate.SHA1.MainFrame" enum="SHA1Status">
+  <owner>rsleevi@chromium.org</owner>
+  <summary>
+    Whether or not SHA-1 was present in a resource fetched for the main frame,
+    and if so, what its maximum validity period was.
+  </summary>
+</histogram>
+<histogram name="Net.Certificate.SHA1.Subresource" enum="SHA1Status">
+  <owner>rsleevi@chromium.org</owner>
+  <summary>
+    Whether or not SHA-1 was present in a subresource fetch, and if so, what its
+    maximum validity period was.
+  </summary>
+</histogram>
 <histogram name="Net.CertificatePinSuccess" enum="BooleanSuccess">
  <obsolete>
    Renamed to Net.PublicKeyPinSuccess 28 Oct 2011.
@@ -50657,6 +50673,18 @@ To add a new entry, add it with any value and run test to compute valid value.
  </int>
 </enum>
+<enum name="SHA1Status" type="int">
+  <summary>
+    Whether or not SHA-1 was present in a certificate chain and, if it was, when
+    the leaf certificate expired.
+  </summary>
+  <int value="0" label="Not present"/>
+  <int value="1" label="Expires after Jan 1, 2017"/>
+  <int value="2" label="Expires between Jun 1, 2016 and Jan 1, 2017"/>
+  <int value="3" label="Expires between Jan 1, 2016 and Jun 1, 2016"/>
+  <int value="4" label="Expires before Jan 1, 2016"/>
+</enum>
 <enum name="ShelfAlignmentValue" type="int">
  <summary>
    The alignment of the shelf area (see ash/launcher/launcher_view.cc).