1 // Copyright 2015 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "components/ssl_errors/error_info.h"
6
7 #include <stddef.h>
8
9 #include "base/i18n/message_formatter.h"
10 #include "base/stl_util.h"
11 #include "base/strings/utf_string_conversions.h"
12 #include "components/strings/grit/components_strings.h"
13 #include "net/base/escape.h"
14 #include "net/base/net_errors.h"
15 #include "net/cert/cert_status_flags.h"
16 #include "net/ssl/ssl_info.h"
17 #include "ui/base/l10n/l10n_util.h"
18 #include "url/gurl.h"
19
20 using base::UTF8ToUTF16;
21
22 namespace ssl_errors {
23
ErrorInfo(const base::string16 & details,const base::string16 & short_description)24 ErrorInfo::ErrorInfo(const base::string16& details,
25 const base::string16& short_description)
26 : details_(details), short_description_(short_description) {}
27
28 // static
CreateError(ErrorType error_type,net::X509Certificate * cert,const GURL & request_url)29 ErrorInfo ErrorInfo::CreateError(ErrorType error_type,
30 net::X509Certificate* cert,
31 const GURL& request_url) {
32 base::string16 details, short_description;
33 switch (error_type) {
34 case CERT_COMMON_NAME_INVALID: {
35 std::vector<std::string> dns_names;
36 cert->GetSubjectAltName(&dns_names, nullptr);
37
38 size_t i = 0;
39 if (dns_names.empty()) {
40 // The certificate had no DNS names, display an explanatory string.
41 details = l10n_util::GetStringFUTF16(
42 IDS_CERT_ERROR_NO_SUBJECT_ALTERNATIVE_NAMES_DETAILS,
43 UTF8ToUTF16(request_url.host()));
44 } else {
45 // If the certificate contains multiple DNS names, we choose the most
46 // representative one -- either the DNS name that's also in the subject
47 // field, or the first one. If this heuristic turns out to be
48 // inadequate, we can consider choosing the DNS name that is the
49 // "closest match" to the host name in the request URL, or listing all
50 // the DNS names with an HTML <ul>.
51 for (; i < dns_names.size(); ++i) {
52 if (dns_names[i] == cert->subject().common_name)
53 break;
54 }
55 if (i == dns_names.size())
56 i = 0;
57
58 details = l10n_util::GetStringFUTF16(
59 IDS_CERT_ERROR_COMMON_NAME_INVALID_DETAILS,
60 UTF8ToUTF16(request_url.host()),
61 net::EscapeForHTML(UTF8ToUTF16(dns_names[i])));
62 }
63
64 short_description = l10n_util::GetStringUTF16(
65 IDS_CERT_ERROR_COMMON_NAME_INVALID_DESCRIPTION);
66 break;
67 }
68 case CERT_DATE_INVALID:
69 if (cert->HasExpired()) {
70 // Make sure to round up to the smallest integer value not less than
71 // the expiration value (https://crbug.com/476758).
72 int expiration_value =
73 (base::Time::Now() - cert->valid_expiry()).InDays() + 1;
74 details = base::i18n::MessageFormatter::FormatWithNumberedArgs(
75 l10n_util::GetStringUTF16(IDS_CERT_ERROR_EXPIRED_DETAILS),
76 request_url.host(), expiration_value, base::Time::Now());
77 short_description =
78 l10n_util::GetStringUTF16(IDS_CERT_ERROR_EXPIRED_DESCRIPTION);
79 } else if (base::Time::Now() < cert->valid_start()) {
80 details = base::i18n::MessageFormatter::FormatWithNumberedArgs(
81 l10n_util::GetStringUTF16(IDS_CERT_ERROR_NOT_YET_VALID_DETAILS),
82 request_url.host(),
83 (cert->valid_start() - base::Time::Now()).InDays());
84 short_description =
85 l10n_util::GetStringUTF16(IDS_CERT_ERROR_NOT_YET_VALID_DESCRIPTION);
86 } else {
87 // Two possibilities: (1) an intermediate or root certificate has
88 // expired, or (2) the certificate has become valid since the error
89 // occurred. Both are probably rare cases. To avoid giving the wrong
90 // date, remove the information.
91 details = l10n_util::GetStringFUTF16(
92 IDS_CERT_ERROR_NOT_VALID_AT_THIS_TIME_DETAILS,
93 UTF8ToUTF16(request_url.host()));
94 short_description = l10n_util::GetStringUTF16(
95 IDS_CERT_ERROR_NOT_VALID_AT_THIS_TIME_DESCRIPTION);
96 }
97 break;
98 case CERT_KNOWN_INTERCEPTION_BLOCKED:
99 case CERT_AUTHORITY_INVALID:
100 case CERT_SYMANTEC_LEGACY:
101 details =
102 l10n_util::GetStringFUTF16(IDS_CERT_ERROR_AUTHORITY_INVALID_DETAILS,
103 UTF8ToUTF16(request_url.host()));
104 short_description = l10n_util::GetStringUTF16(
105 IDS_CERT_ERROR_AUTHORITY_INVALID_DESCRIPTION);
106 break;
107 case CERT_CONTAINS_ERRORS:
108 details =
109 l10n_util::GetStringFUTF16(IDS_CERT_ERROR_CONTAINS_ERRORS_DETAILS,
110 UTF8ToUTF16(request_url.host()));
111 short_description =
112 l10n_util::GetStringUTF16(IDS_CERT_ERROR_CONTAINS_ERRORS_DESCRIPTION);
113 break;
114 case CERT_NO_REVOCATION_MECHANISM:
115 details = l10n_util::GetStringFUTF16(
116 IDS_CERT_ERROR_NO_REVOCATION_MECHANISM_DETAILS,
117 UTF8ToUTF16(request_url.host()));
118 short_description = l10n_util::GetStringUTF16(
119 IDS_CERT_ERROR_NO_REVOCATION_MECHANISM_DESCRIPTION);
120 break;
121 case CERT_REVOKED:
122 details = l10n_util::GetStringFUTF16(IDS_CERT_ERROR_REVOKED_CERT_DETAILS,
123 UTF8ToUTF16(request_url.host()));
124 short_description =
125 l10n_util::GetStringUTF16(IDS_CERT_ERROR_REVOKED_CERT_DESCRIPTION);
126 break;
127 case CERT_INVALID:
128 details = l10n_util::GetStringFUTF16(IDS_CERT_ERROR_INVALID_CERT_DETAILS,
129 UTF8ToUTF16(request_url.host()));
130 short_description =
131 l10n_util::GetStringUTF16(IDS_CERT_ERROR_INVALID_CERT_DESCRIPTION);
132 break;
133 case CERT_WEAK_SIGNATURE_ALGORITHM:
134 details = l10n_util::GetStringFUTF16(
135 IDS_CERT_ERROR_WEAK_SIGNATURE_ALGORITHM_DETAILS,
136 UTF8ToUTF16(request_url.host()));
137 short_description = l10n_util::GetStringUTF16(
138 IDS_CERT_ERROR_WEAK_SIGNATURE_ALGORITHM_DESCRIPTION);
139 break;
140 case CERT_WEAK_KEY:
141 details = l10n_util::GetStringFUTF16(IDS_CERT_ERROR_WEAK_KEY_DETAILS,
142 UTF8ToUTF16(request_url.host()));
143 short_description =
144 l10n_util::GetStringUTF16(IDS_CERT_ERROR_WEAK_KEY_DESCRIPTION);
145 break;
146 case CERT_NAME_CONSTRAINT_VIOLATION:
147 details = l10n_util::GetStringFUTF16(
148 IDS_CERT_ERROR_NAME_CONSTRAINT_VIOLATION_DETAILS,
149 UTF8ToUTF16(request_url.host()));
150 short_description = l10n_util::GetStringUTF16(
151 IDS_CERT_ERROR_NAME_CONSTRAINT_VIOLATION_DESCRIPTION);
152 break;
153 case CERT_VALIDITY_TOO_LONG:
154 details =
155 l10n_util::GetStringFUTF16(IDS_CERT_ERROR_VALIDITY_TOO_LONG_DETAILS,
156 UTF8ToUTF16(request_url.host()));
157 short_description = l10n_util::GetStringUTF16(
158 IDS_CERT_ERROR_VALIDITY_TOO_LONG_DESCRIPTION);
159 break;
160 case CERT_PINNED_KEY_MISSING:
161 details = l10n_util::GetStringUTF16(
162 IDS_CERT_ERROR_SUMMARY_PINNING_FAILURE_DETAILS);
163 short_description = l10n_util::GetStringUTF16(
164 IDS_CERT_ERROR_SUMMARY_PINNING_FAILURE_DESCRIPTION);
165 break;
166 case CERT_UNABLE_TO_CHECK_REVOCATION:
167 details = l10n_util::GetStringFUTF16(
168 IDS_CERT_ERROR_UNABLE_TO_CHECK_REVOCATION_DETAILS,
169 UTF8ToUTF16(request_url.host()));
170 short_description = l10n_util::GetStringUTF16(
171 IDS_CERT_ERROR_UNABLE_TO_CHECK_REVOCATION_DESCRIPTION);
172 break;
173 case CERTIFICATE_TRANSPARENCY_REQUIRED:
174 details = l10n_util::GetStringUTF16(
175 IDS_CERT_ERROR_CERTIFICATE_TRANSPARENCY_REQUIRED_DETAILS);
176 short_description = l10n_util::GetStringUTF16(
177 IDS_CERT_ERROR_CERTIFICATE_TRANSPARENCY_REQUIRED_DESCRIPTION);
178 break;
179 case LEGACY_TLS:
180 details =
181 l10n_util::GetStringUTF16(IDS_SSL_ERROR_OBSOLETE_VERSION_DETAILS);
182 short_description =
183 l10n_util::GetStringUTF16(IDS_SSL_ERROR_OBSOLETE_VERSION_DESCRIPTION);
184 break;
185 case UNKNOWN:
186 details = l10n_util::GetStringUTF16(IDS_CERT_ERROR_UNKNOWN_ERROR_DETAILS);
187 short_description =
188 l10n_util::GetStringUTF16(IDS_CERT_ERROR_UNKNOWN_ERROR_DESCRIPTION);
189 break;
190 default:
191 NOTREACHED();
192 }
193 return ErrorInfo(details, short_description);
194 }
195
~ErrorInfo()196 ErrorInfo::~ErrorInfo() {}
197
198 // static
NetErrorToErrorType(int net_error)199 ErrorInfo::ErrorType ErrorInfo::NetErrorToErrorType(int net_error) {
200 switch (net_error) {
201 case net::ERR_CERT_COMMON_NAME_INVALID:
202 return CERT_COMMON_NAME_INVALID;
203 case net::ERR_CERT_DATE_INVALID:
204 return CERT_DATE_INVALID;
205 case net::ERR_CERT_AUTHORITY_INVALID:
206 return CERT_AUTHORITY_INVALID;
207 case net::ERR_CERT_CONTAINS_ERRORS:
208 return CERT_CONTAINS_ERRORS;
209 case net::ERR_CERT_NO_REVOCATION_MECHANISM:
210 return CERT_NO_REVOCATION_MECHANISM;
211 case net::ERR_CERT_UNABLE_TO_CHECK_REVOCATION:
212 return CERT_UNABLE_TO_CHECK_REVOCATION;
213 case net::ERR_CERT_REVOKED:
214 return CERT_REVOKED;
215 case net::ERR_CERT_INVALID:
216 return CERT_INVALID;
217 case net::ERR_CERT_WEAK_SIGNATURE_ALGORITHM:
218 return CERT_WEAK_SIGNATURE_ALGORITHM;
219 case net::ERR_CERT_WEAK_KEY:
220 return CERT_WEAK_KEY;
221 case net::ERR_CERT_NAME_CONSTRAINT_VIOLATION:
222 return CERT_NAME_CONSTRAINT_VIOLATION;
223 case net::ERR_CERT_VALIDITY_TOO_LONG:
224 return CERT_VALIDITY_TOO_LONG;
225 case net::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN:
226 return CERT_PINNED_KEY_MISSING;
227 case net::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED:
228 return CERTIFICATE_TRANSPARENCY_REQUIRED;
229 case net::ERR_CERT_SYMANTEC_LEGACY:
230 return CERT_SYMANTEC_LEGACY;
231 case net::ERR_CERT_KNOWN_INTERCEPTION_BLOCKED:
232 return CERT_KNOWN_INTERCEPTION_BLOCKED;
233 case net::ERR_SSL_OBSOLETE_VERSION:
234 return LEGACY_TLS;
235 default:
236 NOTREACHED();
237 return UNKNOWN;
238 }
239 }
240
241 // static
GetErrorsForCertStatus(const scoped_refptr<net::X509Certificate> & cert,net::CertStatus cert_status,const GURL & url,std::vector<ErrorInfo> * errors)242 void ErrorInfo::GetErrorsForCertStatus(
243 const scoped_refptr<net::X509Certificate>& cert,
244 net::CertStatus cert_status,
245 const GURL& url,
246 std::vector<ErrorInfo>* errors) {
247 const net::CertStatus kErrorFlags[] = {
248 net::CERT_STATUS_COMMON_NAME_INVALID,
249 net::CERT_STATUS_DATE_INVALID,
250 net::CERT_STATUS_AUTHORITY_INVALID,
251 net::CERT_STATUS_NO_REVOCATION_MECHANISM,
252 net::CERT_STATUS_UNABLE_TO_CHECK_REVOCATION,
253 net::CERT_STATUS_REVOKED,
254 net::CERT_STATUS_INVALID,
255 net::CERT_STATUS_WEAK_SIGNATURE_ALGORITHM,
256 net::CERT_STATUS_WEAK_KEY,
257 net::CERT_STATUS_NAME_CONSTRAINT_VIOLATION,
258 net::CERT_STATUS_VALIDITY_TOO_LONG,
259 net::CERT_STATUS_CERTIFICATE_TRANSPARENCY_REQUIRED,
260 net::CERT_STATUS_SYMANTEC_LEGACY,
261 net::CERT_STATUS_KNOWN_INTERCEPTION_BLOCKED,
262 net::CERT_STATUS_LEGACY_TLS,
263 };
264
265 const ErrorType kErrorTypes[] = {
266 CERT_COMMON_NAME_INVALID,
267 CERT_DATE_INVALID,
268 CERT_AUTHORITY_INVALID,
269 CERT_NO_REVOCATION_MECHANISM,
270 CERT_UNABLE_TO_CHECK_REVOCATION,
271 CERT_REVOKED,
272 CERT_INVALID,
273 CERT_WEAK_SIGNATURE_ALGORITHM,
274 CERT_WEAK_KEY,
275 CERT_NAME_CONSTRAINT_VIOLATION,
276 CERT_VALIDITY_TOO_LONG,
277 CERTIFICATE_TRANSPARENCY_REQUIRED,
278 CERT_SYMANTEC_LEGACY,
279 CERT_KNOWN_INTERCEPTION_BLOCKED,
280 LEGACY_TLS,
281 };
282 DCHECK(base::size(kErrorFlags) == base::size(kErrorTypes));
283
284 for (size_t i = 0; i < base::size(kErrorFlags); ++i) {
285 if ((cert_status & kErrorFlags[i]) && errors) {
286 errors->push_back(
287 ErrorInfo::CreateError(kErrorTypes[i], cert.get(), url));
288 }
289 }
290 }
291
292 } // namespace ssl_errors
293