Add website settings backend v 0.1

This is the second CL in a row of CLs to land the first version of Website settings. This CL adds a bare minimum website settings backend that only provides site identity and connection information. History and cookies infos will be added next.

CLs:
First CL: https://chromiumcodereview.appspot.com/9383005/
Second CL: UI Backend (this CL)
Third CL: GTK UI ((WIP)https://chromiumcodereview.appspot.com/9379016/)

BUG=113688
TEST=none

 

Review URL: http://codereview.chromium.org/9378014

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@122772 0039d316-1c4b-4281-b951-d872f2087c98

5 files changed, 616 insertions, 0 deletions

diff --git a/chrome/browser/website_settings_model.cc b/chrome/browser/website_settings_model.cc
new file mode 100644
index 0000000..1adcead
--- /dev/null
+++ b/chrome/browser/website_settings_model.cc
@@ -0,0 +1,262 @@
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/browser/website_settings_model.h"
+
+#include <string>
+#include <vector>
+
+#include "base/string_number_conversions.h"
+#include "base/utf_string_conversions.h"
+#include "chrome/browser/profiles/profile.h"
+#include "chrome/browser/ssl/ssl_error_info.h"
+#include "content/browser/cert_store.h"
+#include "content/public/common/ssl_status.h"
+#include "content/public/common/url_constants.h"
+#include "grit/chromium_strings.h"
+#include "grit/generated_resources.h"
+#include "net/base/cert_status_flags.h"
+#include "net/base/ssl_cipher_suite_names.h"
+#include "net/base/ssl_connection_status_flags.h"
+#include "net/base/x509_certificate.h"
+#include "ui/base/l10n/l10n_util.h"
+#include "ui/base/resource/resource_bundle.h"
+
+WebsiteSettingsModel::WebsiteSettingsModel(Profile* profile,
+                                           const GURL& url,
+                                           const content::SSLStatus& ssl)
+    : site_identity_status_(SITE_IDENTITY_STATUS_UNKNOWN),
+      site_connection_status_(SITE_CONNECTION_STATUS_UNKNOWN) {
+  Init(profile, url, ssl);
+  // After initialization the status about the site's connection
+  // and it's identity must be available.
+  DCHECK_NE(site_identity_status_, SITE_IDENTITY_STATUS_UNKNOWN);
+  DCHECK_NE(site_connection_status_, SITE_CONNECTION_STATUS_UNKNOWN);
+}
+
+WebsiteSettingsModel::~WebsiteSettingsModel() {
+}
+
+void WebsiteSettingsModel::Init(Profile* profile,
+                                const GURL& url,
+                                const content::SSLStatus& ssl) {
+  if (url.SchemeIs(chrome::kChromeUIScheme)) {
+    site_identity_status_ = SITE_IDENTITY_STATUS_INTERNAL_PAGE;
+    site_identity_details_ =
+        l10n_util::GetStringUTF16(IDS_PAGE_INFO_INTERNAL_PAGE);
+    site_connection_status_ = SITE_CONNECTION_STATUS_INTERNAL_PAGE;
+    return;
+  }
+
+  scoped_refptr<net::X509Certificate> cert;
+
+  // Identity section.
+  string16 subject_name(UTF8ToUTF16(url.host()));
+  bool empty_subject_name = false;
+  if (subject_name.empty()) {
+    subject_name.assign(
+        l10n_util::GetStringUTF16(IDS_PAGE_INFO_SECURITY_TAB_UNKNOWN_PARTY));
+    empty_subject_name = true;
+  }
+
+  if (ssl.cert_id &&
+      CertStore::GetInstance()->RetrieveCert(ssl.cert_id, &cert) &&
+      (!net::IsCertStatusError(ssl.cert_status) ||
+       net::IsCertStatusMinorError(ssl.cert_status))) {
+    // There are no major errors. Check for minor errors.
+    if (net::IsCertStatusMinorError(ssl.cert_status)) {
+      site_identity_status_ = SITE_IDENTITY_STATUS_CERT_REVOCATION_UNKNOWN;
+      string16 issuer_name(UTF8ToUTF16(cert->issuer().GetDisplayName()));
+      if (issuer_name.empty()) {
+        issuer_name.assign(l10n_util::GetStringUTF16(
+            IDS_PAGE_INFO_SECURITY_TAB_UNKNOWN_PARTY));
+      }
+      site_identity_details_.assign(l10n_util::GetStringFUTF16(
+          IDS_PAGE_INFO_SECURITY_TAB_SECURE_IDENTITY, issuer_name));
+
+      site_identity_details_ += ASCIIToUTF16("\n\n");
+      if (ssl.cert_status & net::CERT_STATUS_UNABLE_TO_CHECK_REVOCATION) {
+        site_identity_details_ += l10n_util::GetStringUTF16(
+            IDS_PAGE_INFO_SECURITY_TAB_UNABLE_TO_CHECK_REVOCATION);
+      } else if (ssl.cert_status & net::CERT_STATUS_NO_REVOCATION_MECHANISM) {
+        site_identity_details_ += l10n_util::GetStringUTF16(
+            IDS_PAGE_INFO_SECURITY_TAB_NO_REVOCATION_MECHANISM);
+      } else {
+        NOTREACHED() << "Need to specify string for this warning";
+      }
+    } else if (ssl.cert_status & net::CERT_STATUS_IS_EV) {
+      // EV HTTPS page.
+      site_identity_status_ = SITE_IDENTITY_STATUS_EV_CERT;
+      DCHECK(!cert->subject().organization_names.empty());
+      organization_name_ = UTF8ToUTF16(cert->subject().organization_names[0]);
+      // An EV Cert is required to have a city (localityName) and country but
+      // state is "if any".
+      DCHECK(!cert->subject().locality_name.empty());
+      DCHECK(!cert->subject().country_name.empty());
+      string16 locality;
+      if (!cert->subject().state_or_province_name.empty()) {
+        locality = l10n_util::GetStringFUTF16(
+            IDS_PAGEINFO_ADDRESS,
+            UTF8ToUTF16(cert->subject().locality_name),
+            UTF8ToUTF16(cert->subject().state_or_province_name),
+            UTF8ToUTF16(cert->subject().country_name));
+      } else {
+        locality = l10n_util::GetStringFUTF16(
+            IDS_PAGEINFO_PARTIAL_ADDRESS,
+            UTF8ToUTF16(cert->subject().locality_name),
+            UTF8ToUTF16(cert->subject().country_name));
+      }
+      DCHECK(!cert->subject().organization_names.empty());
+      site_identity_details_.assign(l10n_util::GetStringFUTF16(
+          IDS_PAGE_INFO_SECURITY_TAB_SECURE_IDENTITY_EV,
+          UTF8ToUTF16(cert->subject().organization_names[0]),
+          locality,
+          UTF8ToUTF16(cert->issuer().GetDisplayName())));
+    } else if (ssl.cert_status & net::CERT_STATUS_IS_DNSSEC) {
+      // DNSSEC authenticated page.
+      site_identity_status_ = SITE_IDENTITY_STATUS_DNSSEC_CERT;
+      site_identity_details_.assign(l10n_util::GetStringFUTF16(
+          IDS_PAGE_INFO_SECURITY_TAB_SECURE_IDENTITY, UTF8ToUTF16("DNSSEC")));
+    } else {
+      // Non-EV OK HTTPS page.
+      site_identity_status_ = SITE_IDENTITY_STATUS_CERT;
+      string16 issuer_name(UTF8ToUTF16(cert->issuer().GetDisplayName()));
+      if (issuer_name.empty()) {
+        issuer_name.assign(l10n_util::GetStringUTF16(
+            IDS_PAGE_INFO_SECURITY_TAB_UNKNOWN_PARTY));
+      }
+      site_identity_details_.assign(l10n_util::GetStringFUTF16(
+          IDS_PAGE_INFO_SECURITY_TAB_SECURE_IDENTITY, issuer_name));
+    }
+  } else {
+    // HTTP or HTTPS with errors (not warnings).
+    site_identity_details_.assign(l10n_util::GetStringUTF16(
+        IDS_PAGE_INFO_SECURITY_TAB_INSECURE_IDENTITY));
+    if (ssl.security_style == content::SECURITY_STYLE_UNAUTHENTICATED)
+      site_identity_status_ = SITE_IDENTITY_STATUS_NO_CERT;
+    else
+      site_identity_status_ = SITE_IDENTITY_STATUS_ERROR;
+
+    const string16 bullet = UTF8ToUTF16("\n • ");
+    std::vector<SSLErrorInfo> errors;
+    SSLErrorInfo::GetErrorsForCertStatus(ssl.cert_id, ssl.cert_status,
+                                         url, &errors);
+    for (size_t i = 0; i < errors.size(); ++i) {
+      site_identity_details_ += bullet;
+      site_identity_details_ += errors[i].short_description();
+    }
+
+    if (ssl.cert_status & net::CERT_STATUS_NON_UNIQUE_NAME) {
+      site_identity_details_ += ASCIIToUTF16("\n\n");
+      site_identity_details_ += l10n_util::GetStringUTF16(
+          IDS_PAGE_INFO_SECURITY_TAB_NON_UNIQUE_NAME);
+    }
+  }
+
+  // Site Connection
+  // We consider anything less than 80 bits encryption to be weak encryption.
+  // TODO(wtc): Bug 1198735: report mixed/unsafe content for unencrypted and
+  // weakly encrypted connections.
+  site_connection_status_ = SITE_CONNECTION_STATUS_UNKNOWN;
+
+  if (!ssl.cert_id) {
+    // Not HTTPS.
+    DCHECK_EQ(ssl.security_style, content::SECURITY_STYLE_UNAUTHENTICATED);
+    if (ssl.security_style == content::SECURITY_STYLE_UNAUTHENTICATED)
+      site_connection_status_ = SITE_CONNECTION_STATUS_UNENCRYPTED;
+    else
+      site_connection_status_ = SITE_CONNECTION_STATUS_ENCRYPTED_ERROR;
+
+    site_connection_details_.assign(l10n_util::GetStringFUTF16(
+        IDS_PAGE_INFO_SECURITY_TAB_NOT_ENCRYPTED_CONNECTION_TEXT,
+        subject_name));
+  } else if (ssl.security_bits < 0) {
+    // Security strength is unknown.  Say nothing.
+    site_connection_status_ = SITE_CONNECTION_STATUS_ENCRYPTED_ERROR;
+  } else if (ssl.security_bits == 0) {
+    DCHECK_NE(ssl.security_style, content::SECURITY_STYLE_UNAUTHENTICATED);
+    site_connection_status_ = SITE_CONNECTION_STATUS_ENCRYPTED_ERROR;
+    site_connection_details_.assign(l10n_util::GetStringFUTF16(
+        IDS_PAGE_INFO_SECURITY_TAB_NOT_ENCRYPTED_CONNECTION_TEXT,
+        subject_name));
+  } else if (ssl.security_bits < 80) {
+    site_connection_status_ = SITE_CONNECTION_STATUS_ENCRYPTED_ERROR;
+    site_connection_details_.assign(l10n_util::GetStringFUTF16(
+        IDS_PAGE_INFO_SECURITY_TAB_WEAK_ENCRYPTION_CONNECTION_TEXT,
+        subject_name));
+  } else {
+    site_connection_status_ = SITE_CONNECTION_STATUS_ENCRYPTED;
+    site_connection_details_.assign(l10n_util::GetStringFUTF16(
+        IDS_PAGE_INFO_SECURITY_TAB_ENCRYPTED_CONNECTION_TEXT,
+        subject_name,
+        base::IntToString16(ssl.security_bits)));
+    if (ssl.content_status) {
+      bool ran_insecure_content =
+          !!(ssl.content_status & content::SSLStatus::RAN_INSECURE_CONTENT);
+      site_connection_status_ = ran_insecure_content ?
+          SITE_CONNECTION_STATUS_ENCRYPTED_ERROR
+          : SITE_CONNECTION_STATUS_MIXED_CONTENT;
+      site_connection_details_.assign(l10n_util::GetStringFUTF16(
+          IDS_PAGE_INFO_SECURITY_TAB_ENCRYPTED_SENTENCE_LINK,
+          site_connection_details_,
+          l10n_util::GetStringUTF16(ran_insecure_content ?
+              IDS_PAGE_INFO_SECURITY_TAB_ENCRYPTED_INSECURE_CONTENT_ERROR :
+              IDS_PAGE_INFO_SECURITY_TAB_ENCRYPTED_INSECURE_CONTENT_WARNING)));
+    }
+  }
+
+  uint16 cipher_suite =
+      net::SSLConnectionStatusToCipherSuite(ssl.connection_status);
+  if (ssl.security_bits > 0 && cipher_suite) {
+    int ssl_version =
+        net::SSLConnectionStatusToVersion(ssl.connection_status);
+    const char* ssl_version_str;
+    net::SSLVersionToString(&ssl_version_str, ssl_version);
+    site_connection_details_ += ASCIIToUTF16("\n\n");
+    site_connection_details_ += l10n_util::GetStringFUTF16(
+        IDS_PAGE_INFO_SECURITY_TAB_SSL_VERSION,
+        ASCIIToUTF16(ssl_version_str));
+
+    bool did_fallback = (ssl.connection_status &
+                         net::SSL_CONNECTION_SSL3_FALLBACK) != 0;
+    bool no_renegotiation =
+        (ssl.connection_status &
+        net::SSL_CONNECTION_NO_RENEGOTIATION_EXTENSION) != 0;
+    const char *key_exchange, *cipher, *mac;
+    net::SSLCipherSuiteToStrings(&key_exchange, &cipher, &mac, cipher_suite);
+
+    site_connection_details_ += ASCIIToUTF16("\n\n");
+    site_connection_details_ += l10n_util::GetStringFUTF16(
+        IDS_PAGE_INFO_SECURITY_TAB_ENCRYPTION_DETAILS,
+        ASCIIToUTF16(cipher), ASCIIToUTF16(mac), ASCIIToUTF16(key_exchange));
+
+    site_connection_details_ += ASCIIToUTF16("\n\n");
+    uint8 compression_id =
+        net::SSLConnectionStatusToCompression(ssl.connection_status);
+    if (compression_id) {
+      const char* compression;
+      net::SSLCompressionToString(&compression, compression_id);
+      site_connection_details_ += l10n_util::GetStringFUTF16(
+          IDS_PAGE_INFO_SECURITY_TAB_COMPRESSION_DETAILS,
+          ASCIIToUTF16(compression));
+    } else {
+      site_connection_details_ += l10n_util::GetStringUTF16(
+          IDS_PAGE_INFO_SECURITY_TAB_NO_COMPRESSION);
+    }
+
+    if (did_fallback) {
+      // For now, only SSLv3 fallback will trigger a warning icon.
+      if (site_connection_status_ < SITE_CONNECTION_STATUS_MIXED_CONTENT)
+        site_connection_status_ = SITE_CONNECTION_STATUS_MIXED_CONTENT;
+      site_connection_details_ += ASCIIToUTF16("\n\n");
+      site_connection_details_ += l10n_util::GetStringUTF16(
+          IDS_PAGE_INFO_SECURITY_TAB_FALLBACK_MESSAGE);
+    }
+    if (no_renegotiation) {
+      site_connection_details_ += ASCIIToUTF16("\n\n");
+      site_connection_details_ += l10n_util::GetStringUTF16(
+          IDS_PAGE_INFO_SECURITY_TAB_RENEGOTIATION_MESSAGE);
+    }
+  }
+}
diff --git a/chrome/browser/website_settings_model.h b/chrome/browser/website_settings_model.h
new file mode 100644
index 0000000..3377e05
--- /dev/null
+++ b/chrome/browser/website_settings_model.h
@@ -0,0 +1,113 @@
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CHROME_BROWSER_WEBSITE_SETTINGS_MODEL_H_
+#define CHROME_BROWSER_WEBSITE_SETTINGS_MODEL_H_
+
+#include "base/string16.h"
+#include "googleurl/src/gurl.h"
+
+namespace content {
+struct SSLStatus;
+}
+
+class Profile;
+class TabContentsWrapper;
+
+// The |WebsiteSettingsModel| provides information about the connection and the
+// identity of a website. The |WebsiteSettingsModel| is the backend for the
+// WebsiteSettingsUI which displays this information.
+class WebsiteSettingsModel {
+ public:
+  // Status of a connection to a website.
+  enum SiteConnectionStatus {
+    SITE_CONNECTION_STATUS_UNKNOWN = 0,      // No status available.
+    SITE_CONNECTION_STATUS_ENCRYPTED,        // Connection is encrypted.
+    SITE_CONNECTION_STATUS_MIXED_CONTENT,    // Site has unencrypted content.
+    SITE_CONNECTION_STATUS_UNENCRYPTED,      // Connection is not encrypted.
+    SITE_CONNECTION_STATUS_ENCRYPTED_ERROR,  // Connection error occured.
+    SITE_CONNECTION_STATUS_INTERNAL_PAGE,    // Internal site.
+  };
+
+  // Validation status of a website's identity.
+  enum SiteIdentityStatus {
+    // No status about the website's identity available.
+    SITE_IDENTITY_STATUS_UNKNOWN = 0,
+    // The website provided a valid certificate.
+    SITE_IDENTITY_STATUS_CERT,
+    // The website provided a valid EV certificate.
+    SITE_IDENTITY_STATUS_EV_CERT,
+    // The website provided a valid DNSSEC certificate.
+    SITE_IDENTITY_STATUS_DNSSEC_CERT,
+    // The website provided a valid certificate but no revocation check could be
+    // performed.
+    SITE_IDENTITY_STATUS_CERT_REVOCATION_UNKNOWN,
+    // Site identity could not be verified because the site did not provide a
+    // certificate. This is the expected state for HTTP connections.
+    SITE_IDENTITY_STATUS_NO_CERT,
+    // An error occured while verifying the site identity.
+    SITE_IDENTITY_STATUS_ERROR,
+    // The site is a trusted internal chrome page.
+    SITE_IDENTITY_STATUS_INTERNAL_PAGE,
+  };
+
+  // Creates a WebsiteSettingsModel for the passed |url| using the given |ssl|
+  // status object to determine the status of the site's connection.
+  WebsiteSettingsModel(Profile* profile,
+                       const GURL& url,
+                       const content::SSLStatus& ssl);
+
+  virtual ~WebsiteSettingsModel();
+
+  // Accessors.
+  SiteConnectionStatus site_connection_status() const {
+    return site_connection_status_;
+  }
+
+  SiteIdentityStatus site_identity_status() const {
+    return site_identity_status_;
+  }
+
+  string16 site_connection_details() const {
+    return site_connection_details_;
+  }
+
+  string16 site_identity_details() const {
+    return site_identity_details_;
+  }
+
+  string16 organization_name() const {
+    return organization_name_;
+  }
+
+ private:
+  // Initializes the |WebsiteSettingsModel|.
+  void Init(Profile* profile,
+            const GURL& url,
+            const content::SSLStatus& ssl);
+
+  // Status of the website's identity verification check.
+  SiteIdentityStatus site_identity_status_;
+
+  // Status of the connection to the website.
+  SiteConnectionStatus site_connection_status_;
+
+  // Details about the website's identity. If the website's identity has been
+  // verified then |site_identity_details_| contains who verified the identity.
+  string16 site_identity_details_;
+
+  // Details about the connection to the website. In case of an encrypted
+  // connection |site_connection_details_| contains encryption details, like
+  // encryption strength and ssl protocol version.
+  string16 site_connection_details_;
+
+  // For websites that provided an EV certificate |orgainization_name_| contains
+  // the organization name of the certificate. In all other cases
+  // |organization_name| is an empty string.
+  string16 organization_name_;
+
+  DISALLOW_COPY_AND_ASSIGN(WebsiteSettingsModel);
+};
+
+#endif  // CHROME_BROWSER_WEBSITE_SETTINGS_MODEL_H_
diff --git a/chrome/browser/website_settings_model_unittest.cc b/chrome/browser/website_settings_model_unittest.cc
new file mode 100644
index 0000000..eec5065
--- /dev/null
+++ b/chrome/browser/website_settings_model_unittest.cc
@@ -0,0 +1,238 @@
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/browser/website_settings_model.h"
+
+#include "base/utf_string_conversions.h"
+#include "chrome/test/base/testing_profile.h"
+#include "content/browser/cert_store.h"
+#include "content/public/common/ssl_status.h"
+#include "net/base/cert_status_flags.h"
+#include "net/base/ssl_connection_status_flags.h"
+#include "net/base/test_certificate_data.h"
+#include "net/base/x509_certificate.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+using content::SSLStatus;
+
+namespace {
+
+// SSL cipher suite like specified in RFC5246 Appendix A.5. "The Cipher Suite".
+static int TLS_RSA_WITH_AES_256_CBC_SHA256 = 0x3D;
+
+int SetSSLVersion(int connection_status, int version) {
+  // Clear SSL version bits (Bits 20, 21 and 22).
+  connection_status &=
+      ~(net::SSL_CONNECTION_VERSION_MASK << net::SSL_CONNECTION_VERSION_SHIFT);
+  int bitmask = version << net::SSL_CONNECTION_VERSION_SHIFT;
+  return bitmask | connection_status;
+}
+
+int SetSSLCipherSuite(int connection_status, int cipher_suite) {
+  // Clear cipher suite bits (the 16 lowest bits).
+  connection_status &= ~net::SSL_CONNECTION_CIPHERSUITE_MASK;
+  return cipher_suite | connection_status;
+}
+
+}  // namespace
+
+class WebsiteSettingsModelTest : public testing::Test {
+ public:
+  WebsiteSettingsModelTest() : profile_(new TestingProfile()),
+                               cert_id_(0),
+                               ev_cert_id_(0),
+                               bad_cert_id_(0) {
+    InitCertStore();
+  }
+
+  void InitCertStore() {
+    // TODO(markusheintz): I wish there was an easy way to create a mock
+    // CertStore.
+    int render_process_host_id = 1;
+    base::Time start_date = base::Time::Now();
+    base::Time expiration_date = base::Time::FromInternalValue(
+        start_date.ToInternalValue() + base::Time::kMicrosecondsPerWeek);
+
+    net::X509Certificate* cert =
+        new net::X509Certificate("subject",
+                                 "issuer",
+                                 start_date,
+                                 expiration_date);
+    cert_id_ = CertStore::GetInstance()->StoreCert(cert,
+                                                   render_process_host_id);
+    cert = net::X509Certificate::CreateFromBytes(
+        reinterpret_cast<const char*>(google_der), sizeof(google_der));
+    ev_cert_id_ = CertStore::GetInstance()->StoreCert(cert,
+                                                      render_process_host_id);
+    cert = new net::X509Certificate("subject",
+                                    "issuer",
+                                    base::Time(),
+                                    base::Time());
+    bad_cert_id_ = CertStore::GetInstance()->StoreCert(cert,
+                                                       render_process_host_id);
+  }
+
+  int cert_id() const { return cert_id_; }
+
+  int ev_cert_id() const { return ev_cert_id_; }
+
+  int bad_cert_id() const { return bad_cert_id_; }
+
+  Profile* profile() const { return profile_.get(); }
+
+ private:
+  scoped_ptr<Profile> profile_;
+  int cert_id_;
+  int ev_cert_id_;
+  int bad_cert_id_;
+};
+
+TEST_F(WebsiteSettingsModelTest, HTTPConnection) {
+  GURL url = GURL("http://www.example.com");
+
+  SSLStatus ssl;
+  ssl.security_style = content::SECURITY_STYLE_UNAUTHENTICATED;
+
+  scoped_ptr<WebsiteSettingsModel> model(
+      new WebsiteSettingsModel(profile(), url, ssl));
+  EXPECT_EQ(WebsiteSettingsModel::SITE_CONNECTION_STATUS_UNENCRYPTED,
+            model->site_connection_status());
+  EXPECT_EQ(WebsiteSettingsModel::SITE_IDENTITY_STATUS_NO_CERT,
+            model->site_identity_status());
+  EXPECT_EQ(string16(), model->organization_name());
+}
+
+TEST_F(WebsiteSettingsModelTest, HTTPSConnection) {
+  GURL url = GURL("https://www.example.com");
+
+  SSLStatus ssl;
+  ssl.security_style = content::SECURITY_STYLE_AUTHENTICATED;
+  ssl.cert_id = cert_id();
+  ssl.cert_status = 0;
+  ssl.security_bits = 81;  // No error if > 80.
+  int status = 0;
+  status = SetSSLVersion(status, net::SSL_CONNECTION_VERSION_TLS1);
+  status = SetSSLCipherSuite(status, TLS_RSA_WITH_AES_256_CBC_SHA256);
+  ssl.connection_status = status;
+
+  scoped_ptr<WebsiteSettingsModel> model(
+      new WebsiteSettingsModel(profile(), url, ssl));
+  EXPECT_EQ(WebsiteSettingsModel::SITE_CONNECTION_STATUS_ENCRYPTED,
+            model->site_connection_status());
+  EXPECT_EQ(WebsiteSettingsModel::SITE_IDENTITY_STATUS_CERT,
+            model->site_identity_status());
+  EXPECT_EQ(string16(), model->organization_name());
+}
+
+TEST_F(WebsiteSettingsModelTest, HTTPSMixedContent) {
+  GURL url = GURL("https://www.example.com");
+
+  SSLStatus ssl;
+  ssl.security_style = content::SECURITY_STYLE_AUTHENTICATED;
+  ssl.cert_id = cert_id();
+  ssl.cert_status = 0;
+  ssl.security_bits = 81;  // No error if > 80.
+  ssl.content_status = SSLStatus::DISPLAYED_INSECURE_CONTENT;
+  int status = 0;
+  status = SetSSLVersion(status, net::SSL_CONNECTION_VERSION_TLS1);
+  status = SetSSLCipherSuite(status, TLS_RSA_WITH_AES_256_CBC_SHA256);
+  ssl.connection_status = status;
+
+  scoped_ptr<WebsiteSettingsModel> model(
+      new WebsiteSettingsModel(profile(), url, ssl));
+  EXPECT_EQ(WebsiteSettingsModel::SITE_CONNECTION_STATUS_MIXED_CONTENT,
+            model->site_connection_status());
+  EXPECT_EQ(WebsiteSettingsModel::SITE_IDENTITY_STATUS_CERT,
+            model->site_identity_status());
+  EXPECT_EQ(string16(), model->organization_name());
+}
+
+TEST_F(WebsiteSettingsModelTest, HTTPSEVCert) {
+  GURL url = GURL("https://www.example.com");
+
+  SSLStatus ssl;
+  ssl.security_style = content::SECURITY_STYLE_AUTHENTICATED;
+  ssl.cert_id = ev_cert_id();
+  ssl.cert_status = net::CERT_STATUS_IS_EV;
+  ssl.security_bits = 81;  // No error if > 80.
+  ssl.content_status = SSLStatus::DISPLAYED_INSECURE_CONTENT;
+  int status = 0;
+  status = SetSSLVersion(status, net::SSL_CONNECTION_VERSION_TLS1);
+  status = SetSSLCipherSuite(status, TLS_RSA_WITH_AES_256_CBC_SHA256);
+  ssl.connection_status = status;
+
+  scoped_ptr<WebsiteSettingsModel> model(
+      new WebsiteSettingsModel(profile(), url, ssl));
+  EXPECT_EQ(WebsiteSettingsModel::SITE_CONNECTION_STATUS_MIXED_CONTENT,
+            model->site_connection_status());
+  EXPECT_EQ(WebsiteSettingsModel::SITE_IDENTITY_STATUS_EV_CERT,
+            model->site_identity_status());
+  EXPECT_EQ(UTF8ToUTF16("Google Inc"), model->organization_name());
+}
+
+TEST_F(WebsiteSettingsModelTest, HTTPSBadCertificate) {
+  GURL url = GURL("https://www.example.com");
+
+  SSLStatus ssl;
+  ssl.security_style = content::SECURITY_STYLE_AUTHENTICATED;
+  ssl.cert_id = bad_cert_id();
+  ssl.cert_status = net::CERT_STATUS_DATE_INVALID;
+  ssl.security_bits = 81;  // No error if > 80.
+  int status = 0;
+  status = SetSSLVersion(status, net::SSL_CONNECTION_VERSION_TLS1);
+  status = SetSSLCipherSuite(status, TLS_RSA_WITH_AES_256_CBC_SHA256);
+  ssl.connection_status = status;
+
+  scoped_ptr<WebsiteSettingsModel> model(
+      new WebsiteSettingsModel(profile(), url, ssl));
+  EXPECT_EQ(WebsiteSettingsModel::SITE_CONNECTION_STATUS_ENCRYPTED,
+            model->site_connection_status());
+  EXPECT_EQ(WebsiteSettingsModel::SITE_IDENTITY_STATUS_ERROR,
+            model->site_identity_status());
+  EXPECT_EQ(string16(), model->organization_name());
+}
+
+TEST_F(WebsiteSettingsModelTest, HTTPSRevocationError) {
+  GURL url = GURL("https://www.example.com");
+
+  SSLStatus ssl;
+  ssl.security_style = content::SECURITY_STYLE_AUTHENTICATED;
+  ssl.cert_id = cert_id();
+  ssl.cert_status = net::CERT_STATUS_UNABLE_TO_CHECK_REVOCATION;
+  ssl.security_bits = 81;  // No error if > 80.
+  int status = 0;
+  status = SetSSLVersion(status, net::SSL_CONNECTION_VERSION_TLS1);
+  status = SetSSLCipherSuite(status, TLS_RSA_WITH_AES_256_CBC_SHA256);
+  ssl.connection_status = status;
+
+  scoped_ptr<WebsiteSettingsModel> model(
+      new WebsiteSettingsModel(profile(), url, ssl));
+  EXPECT_EQ(WebsiteSettingsModel::SITE_CONNECTION_STATUS_ENCRYPTED,
+            model->site_connection_status());
+  EXPECT_EQ(WebsiteSettingsModel::SITE_IDENTITY_STATUS_CERT_REVOCATION_UNKNOWN,
+            model->site_identity_status());
+  EXPECT_EQ(string16(), model->organization_name());
+}
+
+TEST_F(WebsiteSettingsModelTest, HTTPSConnectionError) {
+  GURL url = GURL("https://www.example.com");
+
+  SSLStatus ssl;
+  ssl.security_style = content::SECURITY_STYLE_AUTHENTICATED;
+  ssl.cert_id = cert_id();
+  ssl.cert_status = 0;
+  ssl.security_bits = 1;
+  int status = 0;
+  status = SetSSLVersion(status, net::SSL_CONNECTION_VERSION_TLS1);
+  status = SetSSLCipherSuite(status, TLS_RSA_WITH_AES_256_CBC_SHA256);
+  ssl.connection_status = status;
+
+  scoped_ptr<WebsiteSettingsModel> model(
+      new WebsiteSettingsModel(profile(), url, ssl));
+  EXPECT_EQ(WebsiteSettingsModel::SITE_CONNECTION_STATUS_ENCRYPTED_ERROR,
+            model->site_connection_status());
+  EXPECT_EQ(WebsiteSettingsModel::SITE_IDENTITY_STATUS_CERT,
+            model->site_identity_status());
+  EXPECT_EQ(string16(), model->organization_name());
+}
diff --git a/chrome/chrome_browser.gypi b/chrome/chrome_browser.gypi
index 3593258..3ab3de2 100644
--- a/chrome/chrome_browser.gypi
+++ b/chrome/chrome_browser.gypi
@@ -4285,6 +4285,8 @@
         'browser/webdata/web_database_table.h',
         'browser/webdata/web_intents_table.cc',
         'browser/webdata/web_intents_table.h',
+        'browser/website_settings_model.cc',
+        'browser/website_settings_model.h',
 
         # These files are generated by GRIT.
         '<(grit_out_dir)/grit/component_extension_resources_map.cc',
diff --git a/chrome/chrome_tests.gypi b/chrome/chrome_tests.gypi
index 2d0f6d3..d85338c 100644
--- a/chrome/chrome_tests.gypi
+++ b/chrome/chrome_tests.gypi
@@ -2016,6 +2016,7 @@
         'browser/webdata/web_data_service_unittest.cc',
         'browser/webdata/web_database_migration_unittest.cc',
         'browser/webdata/web_intents_table_unittest.cc',
+        'browser/website_settings_model_unittest.cc',
         'common/bzip2_unittest.cc',
         'common/child_process_logging_mac_unittest.mm',
         'common/chrome_paths_unittest.cc',