Revert 170813 due to compilation errors in M24

> Merge 170083 to M24.
> 
> BUG=163227
> > net: add special case errors for certificates.
> > 
> > Over thanksgiving I tried adding a public key used by some malware to the
> > CRLSet. However, the malware appears to be fairly wide spread and a number of
> > users, reasonably, were somewhat confused by the message.
> > 
> > In the future it seems that we probably want to be able to set a URL and
> > message in the CRLSet so that we can provide better direction.
> > 
> > This change adds the infrasture for that but, temporarily, hardcodes the
> > specific malware case. Unfortunately, interstitial pages cannot navigate, open
> > new windows nor load iframes without lots of work in content/. Therefore the
> > URL (which is intended to provided a translated message for the user) has to be
> > copied and pasted. Hopefully can be pursude one of the content folks to improve
> > this for the future.
> > 
> > BUG=none
> > 
> > Review URL: https://codereview.chromium.org/11413169
> 
> TBR=agl@chromium.org
> Review URL: https://codereview.chromium.org/11316313

TBR=agl@chromium.org
Review URL: https://codereview.chromium.org/11416331

git-svn-id: svn://svn.chromium.org/chrome/branches/1312/src@170839 0039d316-1c4b-4281-b951-d872f2087c98

6 files changed, 23 insertions, 112 deletions

diff --git a/chrome/app/generated_resources.grd b/chrome/app/generated_resources.grd
index ce20bc8..286fc31 100644
--- a/chrome/app/generated_resources.grd
+++ b/chrome/app/generated_resources.grd
@@ -3314,14 +3314,6 @@ Psst! Incognito mode <ph name="SHORTCUT_KEY">$1<ex>(Ctrl+Shift+N)</ex></ph> may
         The server certificate contains a weak cryptographic key.
       </message>
 
-      <message name="IDS_CERT_ERROR_SPECIAL_CASE_TITLE" desc="Title of the error page for a certificate with a special case exception (i.e. we know that the user is infected with malware)">
-        Special case exception found for received certificate.
-      </message>
-
-      <message name="IDS_CERT_ERROR_SPECIAL_CASE_DETAILS" desc="Description of the error page for a certificate with a special case exception (i.e. we know that the user is infected with malware)">
-        The certificate received has been flagged as erroneous. Please see $1 for more details.
-      </message>
-
       <message name="IDS_CERT_ERROR_UNKNOWN_ERROR_TITLE" desc="Title of the error page for an unknown ssl error">
         Unknown server certificate error
       </message>
diff --git a/chrome/browser/ssl/ssl_blocking_page.cc b/chrome/browser/ssl/ssl_blocking_page.cc
index d75a4ba..e5bc81d 100644
--- a/chrome/browser/ssl/ssl_blocking_page.cc
+++ b/chrome/browser/ssl/ssl_blocking_page.cc
@@ -6,11 +6,9 @@
 
 #include "base/i18n/rtl.h"
 #include "base/metrics/histogram.h"
-#include "base/sha1.h"
 #include "base/string_piece.h"
 #include "base/utf_string_conversions.h"
 #include "base/values.h"
-#include "chrome/browser/google/google_util.h"
 #include "chrome/browser/profiles/profile.h"
 #include "chrome/browser/renderer_preferences_util.h"
 #include "chrome/browser/ssl/ssl_error_info.h"
@@ -37,54 +35,6 @@ using content::NavigationEntry;
 
 namespace {
 
-// kMalware1 is the SHA1 SPKI hash of a key used by a piece of malware that MS
-// Security Essentials identifies as Win32/Sirefef.gen!C.
-const uint8 kMalware1[base::kSHA1Length] = {
-  0xa4, 0xf5, 0x6e, 0x9e, 0x1d, 0x9a, 0x3b, 0x7b, 0x1a, 0xc3,
-  0x31, 0xcf, 0x64, 0xfc, 0x76, 0x2c, 0xd0, 0x51, 0xfb, 0xa4,
-};
-
-// IsSpecialCaseCertError returns true if the public key hashes in |ssl_info|
-// indicate that this is a special case error. If so, a URL with more
-// information will be returned in |out_url| and an (untranslated) message in
-// |out_message|.
-bool IsSpecialCaseCertError(const net::SSLInfo& ssl_info,
-                            std::string* out_url,
-                            std::string* out_message) {
-  for (net::HashValueVector::const_iterator i =
-       ssl_info.public_key_hashes.begin();
-       i != ssl_info.public_key_hashes.end(); ++i) {
-    if (i->tag != net::HASH_VALUE_SHA1 ||
-        0 != memcmp(i->data(), kMalware1, base::kSHA1Length)) {
-      continue;
-    }
-
-    // In the future this information will come from the CRLSet. Until then
-    // this case is hardcoded.
-    *out_url = "http://support.google.com/chrome/?p=e_malware_Sirefef";
-    *out_message =
-      "<p>The certificate received indicates that this computer is infected"
-      " with Sirefef.gen!C.</p>"
-
-      "<p>Sirefef.gen!C is a computer virus that intercepts secure web"
-      " connections and can steal passwords and other sensitive data.</p>"
-
-      "<p>Chrome recognises this virus, but it affects all software on the"
-      " computer. Other browsers and software may continue to work but"
-      " they are also affected and rendered insecure.</p>"
-
-      "<p>Microsoft Security Essentials can reportedly remove this virus."
-      " When the virus is removed, the warnings in Chrome will stop.</p>"
-
-      "<p>Microsoft Security Essentials is freely available from Microsoft "
-      " at "
-      "http://windows.microsoft.com/en-US/windows/security-essentials-download";
-    return true;
-  }
-
-  return false;
-}
-
 enum SSLBlockingPageEvent {
   SHOW,
   PROCEED,
@@ -132,44 +82,16 @@ SSLBlockingPage::~SSLBlockingPage() {
 std::string SSLBlockingPage::GetHTMLContents() {
   // Let's build the html error page.
   DictionaryValue strings;
+  SSLErrorInfo error_info = SSLErrorInfo::CreateError(
+      SSLErrorInfo::NetErrorToErrorType(cert_error_), ssl_info_.cert,
+      request_url_);
 
-  // ERR_CERT_REVOKED handles both online (OCSP, CRL) and offline (CRLSet)
-  // revocation. If the certificate was revoked for being in a CRLSet, see if
-  // there is a user-friendly error message or link to direct them to that may
-  // explain why it was revoked. In the future, these messages will be
-  // contained within the CRLSet itself and they will be loaded from there, but
-  // for now, this is a hardcoded list.
-  std::string url, message;
-  if (cert_error_ == net::ERR_CERT_REVOKED &&
-      IsSpecialCaseCertError(ssl_info_, &url, &message)) {
-    strings.SetString("headLine", l10n_util::GetStringUTF16(
-        IDS_CERT_ERROR_SPECIAL_CASE_TITLE));
-
-    string16 details = l10n_util::GetStringFUTF16(
-        IDS_CERT_ERROR_SPECIAL_CASE_DETAILS,
-        UTF8ToUTF16(google_util::StringAppendGoogleLocaleParam(url)));
-    details += UTF8ToUTF16("<br><br>") + UTF8ToUTF16(message);
-    strings.SetString("description", details);
-
-    // If this is the only error for the site, then the user can override.
-    if ((ssl_info_.cert_status & net::CERT_STATUS_ALL_ERRORS) ==
-        net::CERT_STATUS_REVOKED) {
-      overridable_ = true;
-      strict_enforcement_ = false;
-    }
-  } else {
-    SSLErrorInfo error_info = SSLErrorInfo::CreateError(
-        SSLErrorInfo::NetErrorToErrorType(cert_error_), ssl_info_.cert,
-        request_url_);
-
-    strings.SetString("headLine", error_info.title());
-    strings.SetString("description", error_info.details());
-
-    SetExtraInfo(&strings, error_info.extra_information());
-  }
+  strings.SetString("headLine", error_info.title());
+  strings.SetString("description", error_info.details());
 
   strings.SetString("moreInfoTitle",
                     l10n_util::GetStringUTF16(IDS_CERT_ERROR_EXTRA_INFO_TITLE));
+  SetExtraInfo(&strings, error_info.extra_information());
 
   int resource_id;
   if (overridable_ && !strict_enforcement_) {
diff --git a/net/base/cert_verify_proc_mac.cc b/net/base/cert_verify_proc_mac.cc
index 16c2ace..9b6e287 100644
--- a/net/base/cert_verify_proc_mac.cc
+++ b/net/base/cert_verify_proc_mac.cc
@@ -541,9 +541,6 @@ int CertVerifyProcMac::VerifyInternal(X509Certificate* cert,
   // compatible with WinHTTP, which doesn't report this error (bug 3004).
   verify_result->cert_status &= ~CERT_STATUS_NO_REVOCATION_MECHANISM;
 
-  AppendPublicKeyHashes(completed_chain, &verify_result->public_key_hashes);
-  verify_result->is_issued_by_known_root = IsIssuedByKnownRoot(completed_chain);
-
   if (IsCertStatusError(verify_result->cert_status))
     return MapCertStatusToNetError(verify_result->cert_status);
 
@@ -586,6 +583,9 @@ int CertVerifyProcMac::VerifyInternal(X509Certificate* cert,
     }
   }
 
+  AppendPublicKeyHashes(completed_chain, &verify_result->public_key_hashes);
+  verify_result->is_issued_by_known_root = IsIssuedByKnownRoot(completed_chain);
+
   return OK;
 }
 
diff --git a/net/base/cert_verify_proc_nss.cc b/net/base/cert_verify_proc_nss.cc
index 630e23f..ca3981f 100644
--- a/net/base/cert_verify_proc_nss.cc
+++ b/net/base/cert_verify_proc_nss.cc
@@ -754,19 +754,6 @@ int CertVerifyProcNSS::VerifyInternal(X509Certificate* cert,
   status = PKIXVerifyCert(cert_handle, check_revocation, cert_io_enabled,
                           NULL, 0, cvout);
 
-  if (status == SECSuccess) {
-    AppendPublicKeyHashes(cvout[cvout_cert_list_index].value.pointer.chain,
-                          cvout[cvout_trust_anchor_index].value.pointer.cert,
-                          &verify_result->public_key_hashes);
-
-    verify_result->is_issued_by_known_root =
-        IsKnownRoot(cvout[cvout_trust_anchor_index].value.pointer.cert);
-
-    GetCertChainInfo(cvout[cvout_cert_list_index].value.pointer.chain,
-                     cvout[cvout_trust_anchor_index].value.pointer.cert,
-                     verify_result);
-  }
-
   if (crl_set) {
     CRLSetResult crl_set_result = CheckRevocationWithCRLSet(
         cvout[cvout_cert_list_index].value.pointer.chain,
@@ -796,9 +783,19 @@ int CertVerifyProcNSS::VerifyInternal(X509Certificate* cert,
     return MapSecurityError(err);
   }
 
+  GetCertChainInfo(cvout[cvout_cert_list_index].value.pointer.chain,
+                   cvout[cvout_trust_anchor_index].value.pointer.cert,
+                   verify_result);
   if (IsCertStatusError(verify_result->cert_status))
     return MapCertStatusToNetError(verify_result->cert_status);
 
+  AppendPublicKeyHashes(cvout[cvout_cert_list_index].value.pointer.chain,
+                        cvout[cvout_trust_anchor_index].value.pointer.cert,
+                        &verify_result->public_key_hashes);
+
+  verify_result->is_issued_by_known_root =
+      IsKnownRoot(cvout[cvout_trust_anchor_index].value.pointer.cert);
+
   if ((flags & CertVerifier::VERIFY_EV_CERT) && is_ev_candidate &&
       VerifyEV(cert_handle, flags, crl_set, metadata, ev_policy_oid)) {
     verify_result->cert_status |= CERT_STATUS_IS_EV;
diff --git a/net/base/cert_verify_proc_openssl.cc b/net/base/cert_verify_proc_openssl.cc
index 47aa5ea..a43fa5b 100644
--- a/net/base/cert_verify_proc_openssl.cc
+++ b/net/base/cert_verify_proc_openssl.cc
@@ -267,9 +267,9 @@ int CertVerifyProcOpenSSL::VerifyInternal(X509Certificate* cert,
     }
 
     GetCertChainInfo(ctx.get(), verify_result);
-    AppendPublicKeyHashes(ctx.get(), &verify_result->public_key_hashes);
     if (IsCertStatusError(verify_result->cert_status))
       return MapCertStatusToNetError(verify_result->cert_status);
+    AppendPublicKeyHashes(ctx.get(), &verify_result->public_key_hashes);
   }
 
   // Currently we only ues OpenSSL's default root CA paths, so treat all
diff --git a/net/base/cert_verify_proc_win.cc b/net/base/cert_verify_proc_win.cc
index 390498c..9a3233f 100644
--- a/net/base/cert_verify_proc_win.cc
+++ b/net/base/cert_verify_proc_win.cc
@@ -737,12 +737,12 @@ int CertVerifyProcWin::VerifyInternal(X509Certificate* cert,
     verify_result->cert_status &= ~CERT_STATUS_UNABLE_TO_CHECK_REVOCATION;
   }
 
-  AppendPublicKeyHashes(chain_context, &verify_result->public_key_hashes);
-  verify_result->is_issued_by_known_root = IsIssuedByKnownRoot(chain_context);
-
   if (IsCertStatusError(verify_result->cert_status))
     return MapCertStatusToNetError(verify_result->cert_status);
 
+  AppendPublicKeyHashes(chain_context, &verify_result->public_key_hashes);
+  verify_result->is_issued_by_known_root = IsIssuedByKnownRoot(chain_context);
+
   if (ev_policy_oid &&
       CheckEV(chain_context, rev_checking_enabled, ev_policy_oid)) {
     verify_result->cert_status |= CERT_STATUS_IS_EV;