xref: /external/chromium_org/chrome/browser/ssl/ssl_error_info.cc

// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "chrome/browser/ssl/ssl_error_info.h"

#include "base/i18n/time_formatting.h"
#include "base/strings/string_number_conversions.h"
#include "base/strings/utf_string_conversions.h"
#include "content/public/browser/cert_store.h"
#include "grit/chromium_strings.h"
#include "grit/generated_resources.h"
#include "net/base/escape.h"
#include "net/base/net_errors.h"
#include "net/cert/cert_status_flags.h"
#include "net/ssl/ssl_info.h"
#include "ui/base/l10n/l10n_util.h"
#include "url/gurl.h"

using base::UTF8ToUTF16;

SSLErrorInfo::SSLErrorInfo(const base::string16& title,
                           const base::string16& details,
                           const base::string16& short_description,
                           const std::vector<base::string16>& extra_info)
    : title_(title),
      details_(details),
      short_description_(short_description),
      extra_information_(extra_info) {
}

// static
SSLErrorInfo SSLErrorInfo::CreateError(ErrorType error_type,
                                       net::X509Certificate* cert,
                                       const GURL& request_url) {
  base::string16 title, details, short_description;
  std::vector<base::string16> extra_info;
  switch (error_type) {
    case CERT_COMMON_NAME_INVALID: {
      title =
          l10n_util::GetStringUTF16(IDS_CERT_ERROR_COMMON_NAME_INVALID_TITLE);
      // If the certificate contains multiple DNS names, we choose the most
      // representative one -- either the DNS name that's also in the subject
      // field, or the first one.  If this heuristic turns out to be
      // inadequate, we can consider choosing the DNS name that is the
      // "closest match" to the host name in the request URL, or listing all
      // the DNS names with an HTML <ul>.
      std::vector<std::string> dns_names;
      cert->GetDNSNames(&dns_names);
      DCHECK(!dns_names.empty());
      size_t i = 0;
      for (; i < dns_names.size(); ++i) {
        if (dns_names[i] == cert->subject().common_name)
          break;
      }
      if (i == dns_names.size())
        i = 0;
      details =
          l10n_util::GetStringFUTF16(IDS_CERT_ERROR_COMMON_NAME_INVALID_DETAILS,
                                     UTF8ToUTF16(request_url.host()),
                                     net::EscapeForHTML(
                                         UTF8ToUTF16(dns_names[i])));
      short_description = l10n_util::GetStringUTF16(
          IDS_CERT_ERROR_COMMON_NAME_INVALID_DESCRIPTION);
      extra_info.push_back(
          l10n_util::GetStringUTF16(IDS_CERT_ERROR_EXTRA_INFO_1));
      extra_info.push_back(
          l10n_util::GetStringFUTF16(
              IDS_CERT_ERROR_COMMON_NAME_INVALID_EXTRA_INFO_2,
              net::EscapeForHTML(UTF8ToUTF16(cert->subject().common_name)),
              UTF8ToUTF16(request_url.host())));
      break;
    }
    case CERT_DATE_INVALID:
      extra_info.push_back(
          l10n_util::GetStringUTF16(IDS_CERT_ERROR_EXTRA_INFO_1));
      if (cert->HasExpired()) {
        title = l10n_util::GetStringUTF16(IDS_CERT_ERROR_EXPIRED_TITLE);
        details = l10n_util::GetStringFUTF16(
            IDS_CERT_ERROR_EXPIRED_DETAILS,
            UTF8ToUTF16(request_url.host()),
            base::IntToString16(
                (base::Time::Now() - cert->valid_expiry()).InDays()),
            base::TimeFormatFriendlyDate(base::Time::Now()));
        short_description =
            l10n_util::GetStringUTF16(IDS_CERT_ERROR_EXPIRED_DESCRIPTION);
        extra_info.push_back(l10n_util::GetStringUTF16(
            IDS_CERT_ERROR_EXPIRED_DETAILS_EXTRA_INFO_2));
      } else {
        // Then it must be not yet valid.  We don't check that it is not yet
        // valid as there is still a very unlikely chance that the cert might
        // have become valid since the error occurred.
        title = l10n_util::GetStringUTF16(IDS_CERT_ERROR_NOT_YET_VALID_TITLE);
        details = l10n_util::GetStringFUTF16(
            IDS_CERT_ERROR_NOT_YET_VALID_DETAILS,
            UTF8ToUTF16(request_url.host()),
            base::IntToString16(
                (cert->valid_start() - base::Time::Now()).InDays()));
        short_description =
            l10n_util::GetStringUTF16(IDS_CERT_ERROR_NOT_YET_VALID_DESCRIPTION);
        extra_info.push_back(
            l10n_util::GetStringUTF16(
                IDS_CERT_ERROR_NOT_YET_VALID_DETAILS_EXTRA_INFO_2));
      }
      break;
    case CERT_AUTHORITY_INVALID:
      title = l10n_util::GetStringUTF16(IDS_CERT_ERROR_AUTHORITY_INVALID_TITLE);
      details = l10n_util::GetStringFUTF16(
          IDS_CERT_ERROR_AUTHORITY_INVALID_DETAILS,
          UTF8ToUTF16(request_url.host()));
      short_description = l10n_util::GetStringUTF16(
          IDS_CERT_ERROR_AUTHORITY_INVALID_DESCRIPTION);
      extra_info.push_back(
          l10n_util::GetStringUTF16(IDS_CERT_ERROR_EXTRA_INFO_1));
      extra_info.push_back(l10n_util::GetStringFUTF16(
          IDS_CERT_ERROR_AUTHORITY_INVALID_EXTRA_INFO_2,
          UTF8ToUTF16(request_url.host()),
          UTF8ToUTF16(request_url.host())));
#if !defined(OS_IOS)
      // The third paragraph advises users to install a private trust anchor,
      // but that is not possible in Chrome for iOS at this time.
      extra_info.push_back(l10n_util::GetStringUTF16(
          IDS_CERT_ERROR_AUTHORITY_INVALID_EXTRA_INFO_3));
#endif
      break;
    case CERT_CONTAINS_ERRORS:
      title = l10n_util::GetStringUTF16(IDS_CERT_ERROR_CONTAINS_ERRORS_TITLE);
      details = l10n_util::GetStringFUTF16(
          IDS_CERT_ERROR_CONTAINS_ERRORS_DETAILS,
          UTF8ToUTF16(request_url.host()));
      short_description =
          l10n_util::GetStringUTF16(IDS_CERT_ERROR_CONTAINS_ERRORS_DESCRIPTION);
      extra_info.push_back(
          l10n_util::GetStringUTF16(IDS_CERT_ERROR_EXTRA_INFO_1));
      extra_info.push_back(l10n_util::GetStringUTF16(
          IDS_CERT_ERROR_CONTAINS_ERRORS_EXTRA_INFO_2));
      break;
    case CERT_NO_REVOCATION_MECHANISM:
      title = l10n_util::GetStringUTF16(
          IDS_CERT_ERROR_NO_REVOCATION_MECHANISM_TITLE);
      details = l10n_util::GetStringUTF16(
          IDS_CERT_ERROR_NO_REVOCATION_MECHANISM_DETAILS);
      short_description = l10n_util::GetStringUTF16(
          IDS_CERT_ERROR_NO_REVOCATION_MECHANISM_DESCRIPTION);
      break;
    case CERT_UNABLE_TO_CHECK_REVOCATION:
      // TODO(felt): Hasn't this been deprecated?
      title = l10n_util::GetStringFUTF16(
          IDS_CERT_ERROR_UNABLE_TO_CHECK_REVOCATION_TITLE,
          UTF8ToUTF16(request_url.host()));
      details = l10n_util::GetStringUTF16(
          IDS_CERT_ERROR_UNABLE_TO_CHECK_REVOCATION_DETAILS);
      short_description = l10n_util::GetStringUTF16(
          IDS_CERT_ERROR_UNABLE_TO_CHECK_REVOCATION_DESCRIPTION);
      break;
    case CERT_REVOKED:
      title = l10n_util::GetStringUTF16(IDS_CERT_ERROR_REVOKED_CERT_TITLE);
      details = l10n_util::GetStringFUTF16(IDS_CERT_ERROR_REVOKED_CERT_DETAILS,
                                           UTF8ToUTF16(request_url.host()));
      short_description =
          l10n_util::GetStringUTF16(IDS_CERT_ERROR_REVOKED_CERT_DESCRIPTION);
      extra_info.push_back(
          l10n_util::GetStringUTF16(IDS_CERT_ERROR_EXTRA_INFO_1));
      extra_info.push_back(
          l10n_util::GetStringUTF16(IDS_CERT_ERROR_REVOKED_CERT_EXTRA_INFO_2));
      break;
    case CERT_INVALID:
      title = l10n_util::GetStringUTF16(IDS_CERT_ERROR_INVALID_CERT_TITLE);
      details = l10n_util::GetStringFUTF16(
          IDS_CERT_ERROR_INVALID_CERT_DETAILS,
          UTF8ToUTF16(request_url.host()));
      short_description =
          l10n_util::GetStringUTF16(IDS_CERT_ERROR_INVALID_CERT_DESCRIPTION);
      extra_info.push_back(
          l10n_util::GetStringUTF16(IDS_CERT_ERROR_EXTRA_INFO_1));
      extra_info.push_back(l10n_util::GetStringUTF16(
          IDS_CERT_ERROR_INVALID_CERT_EXTRA_INFO_2));
      break;
    case CERT_WEAK_SIGNATURE_ALGORITHM:
      title = l10n_util::GetStringUTF16(
          IDS_CERT_ERROR_WEAK_SIGNATURE_ALGORITHM_TITLE);
      details = l10n_util::GetStringFUTF16(
          IDS_CERT_ERROR_WEAK_SIGNATURE_ALGORITHM_DETAILS,
          UTF8ToUTF16(request_url.host()));
      short_description = l10n_util::GetStringUTF16(
          IDS_CERT_ERROR_WEAK_SIGNATURE_ALGORITHM_DESCRIPTION);
      extra_info.push_back(
          l10n_util::GetStringUTF16(IDS_CERT_ERROR_EXTRA_INFO_1));
      extra_info.push_back(
          l10n_util::GetStringUTF16(
              IDS_CERT_ERROR_WEAK_SIGNATURE_ALGORITHM_EXTRA_INFO_2));
      break;
    case CERT_WEAK_KEY:
      title = l10n_util::GetStringUTF16(IDS_CERT_ERROR_WEAK_KEY_TITLE);
      details = l10n_util::GetStringFUTF16(
          IDS_CERT_ERROR_WEAK_KEY_DETAILS, UTF8ToUTF16(request_url.host()));
      short_description = l10n_util::GetStringUTF16(
          IDS_CERT_ERROR_WEAK_KEY_DESCRIPTION);
      extra_info.push_back(
          l10n_util::GetStringUTF16(IDS_CERT_ERROR_EXTRA_INFO_1));
      extra_info.push_back(
          l10n_util::GetStringUTF16(
              IDS_CERT_ERROR_WEAK_KEY_EXTRA_INFO_2));
      break;
    case CERT_WEAK_KEY_DH:
      title = l10n_util::GetStringUTF16(
          IDS_ERRORPAGES_HEADING_WEAK_SERVER_EPHEMERAL_DH_KEY);
      details = l10n_util::GetStringFUTF16(
          IDS_CERT_ERROR_WEAK_KEY_DETAILS, UTF8ToUTF16(request_url.host()));
      short_description = l10n_util::GetStringUTF16(
          IDS_CERT_ERROR_WEAK_KEY_DESCRIPTION);
      extra_info.push_back(
          l10n_util::GetStringUTF16(
              IDS_ERRORPAGES_SUMMARY_WEAK_SERVER_EPHEMERAL_DH_KEY));
    case CERT_NAME_CONSTRAINT_VIOLATION:
      title = l10n_util::GetStringUTF16(
          IDS_CERT_ERROR_NAME_CONSTRAINT_VIOLATION_TITLE);
      details = l10n_util::GetStringFUTF16(
          IDS_CERT_ERROR_NAME_CONSTRAINT_VIOLATION_DETAILS,
          UTF8ToUTF16(request_url.host()));
      short_description = l10n_util::GetStringUTF16(
          IDS_CERT_ERROR_NAME_CONSTRAINT_VIOLATION_DESCRIPTION);
      break;
    case CERT_PINNED_KEY_MISSING:
      title = l10n_util::GetStringUTF16(
          IDS_ERRORPAGES_HEADING_PINNING_FAILURE);
      details = l10n_util::GetStringUTF16(
          IDS_ERRORPAGES_SUMMARY_PINNING_FAILURE);
      short_description = l10n_util::GetStringUTF16(
          IDS_ERRORPAGES_DETAILS_PINNING_FAILURE);
    case UNKNOWN:
      title = l10n_util::GetStringUTF16(IDS_CERT_ERROR_UNKNOWN_ERROR_TITLE);
      details = l10n_util::GetStringUTF16(IDS_CERT_ERROR_UNKNOWN_ERROR_DETAILS);
      short_description =
          l10n_util::GetStringUTF16(IDS_CERT_ERROR_UNKNOWN_ERROR_DESCRIPTION);
      break;
    default:
      NOTREACHED();
  }
  return SSLErrorInfo(title, details, short_description, extra_info);
}

SSLErrorInfo::~SSLErrorInfo() {
}

// static
SSLErrorInfo::ErrorType SSLErrorInfo::NetErrorToErrorType(int net_error) {
  switch (net_error) {
    case net::ERR_CERT_COMMON_NAME_INVALID:
      return CERT_COMMON_NAME_INVALID;
    case net::ERR_CERT_DATE_INVALID:
      return CERT_DATE_INVALID;
    case net::ERR_CERT_AUTHORITY_INVALID:
      return CERT_AUTHORITY_INVALID;
    case net::ERR_CERT_CONTAINS_ERRORS:
      return CERT_CONTAINS_ERRORS;
    case net::ERR_CERT_NO_REVOCATION_MECHANISM:
      return CERT_NO_REVOCATION_MECHANISM;
    case net::ERR_CERT_UNABLE_TO_CHECK_REVOCATION:
      return CERT_UNABLE_TO_CHECK_REVOCATION;
    case net::ERR_CERT_REVOKED:
      return CERT_REVOKED;
    case net::ERR_CERT_INVALID:
      return CERT_INVALID;
    case net::ERR_CERT_WEAK_SIGNATURE_ALGORITHM:
      return CERT_WEAK_SIGNATURE_ALGORITHM;
    case net::ERR_CERT_WEAK_KEY:
      return CERT_WEAK_KEY;
    case net::ERR_CERT_NAME_CONSTRAINT_VIOLATION:
      return CERT_NAME_CONSTRAINT_VIOLATION;
    case net::ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY:
      return CERT_WEAK_KEY_DH;
    case net::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN:
      return CERT_PINNED_KEY_MISSING;
    default:
      NOTREACHED();
      return UNKNOWN;
    }
}

// static
int SSLErrorInfo::GetErrorsForCertStatus(int cert_id,
                                         net::CertStatus cert_status,
                                         const GURL& url,
                                         std::vector<SSLErrorInfo>* errors) {
  const net::CertStatus kErrorFlags[] = {
    net::CERT_STATUS_COMMON_NAME_INVALID,
    net::CERT_STATUS_DATE_INVALID,
    net::CERT_STATUS_AUTHORITY_INVALID,
    net::CERT_STATUS_NO_REVOCATION_MECHANISM,
    net::CERT_STATUS_UNABLE_TO_CHECK_REVOCATION,
    net::CERT_STATUS_REVOKED,
    net::CERT_STATUS_INVALID,
    net::CERT_STATUS_WEAK_SIGNATURE_ALGORITHM,
    net::CERT_STATUS_WEAK_KEY,
    net::CERT_STATUS_NAME_CONSTRAINT_VIOLATION,
  };

  const ErrorType kErrorTypes[] = {
    CERT_COMMON_NAME_INVALID,
    CERT_DATE_INVALID,
    CERT_AUTHORITY_INVALID,
    CERT_NO_REVOCATION_MECHANISM,
    CERT_UNABLE_TO_CHECK_REVOCATION,
    CERT_REVOKED,
    CERT_INVALID,
    CERT_WEAK_SIGNATURE_ALGORITHM,
    CERT_WEAK_KEY,
    CERT_NAME_CONSTRAINT_VIOLATION,
  };
  DCHECK(arraysize(kErrorFlags) == arraysize(kErrorTypes));

  scoped_refptr<net::X509Certificate> cert = NULL;
  int count = 0;
  for (size_t i = 0; i < arraysize(kErrorFlags); ++i) {
    if (cert_status & kErrorFlags[i]) {
      count++;
      if (!cert.get()) {
        bool r = content::CertStore::GetInstance()->RetrieveCert(
            cert_id, &cert);
        DCHECK(r);
      }
      if (errors)
        errors->push_back(
            SSLErrorInfo::CreateError(kErrorTypes[i], cert.get(), url));
    }
  }
  return count;
}