Diffstat (limited to 'chrome')
-rw-r--r--chrome/app/generated_resources.grd13
-rw-r--r--chrome/browser/ssl/ssl_error_info.cc22
-rw-r--r--chrome/browser/ssl/ssl_error_info.h11
-rw-r--r--chrome/browser/ssl/ssl_policy.cc3
-rw-r--r--chrome/common/security_filter_peer.cc1
5 files changed, 42 insertions, 8 deletions
diff --git a/chrome/app/generated_resources.grd b/chrome/app/generated_resources.grd
index e2026c3..62860a8 100644
--- a/chrome/app/generated_resources.grd
+++ b/chrome/app/generated_resources.grd
@@ -1927,6 +1927,19 @@ each locale. -->
Server's certificate is invalid
</message>
+ <message name="IDS_CERT_ERROR_WEAK_SIGNATURE_ALGORITHM_TITLE" desc="Title of the error page for a certificate signed using a weak signature algorithm">
+ The site's security certificate is signed using a weak signature algorithm!
+ </message>
+ <message name="IDS_CERT_ERROR_WEAK_SIGNATURE_ALGORITHM_DETAILS" desc="Details of the error page for a certificate signed using a weak signature algorithm">
+ You attempted to reach &lt;strong&gt;<ph name="DOMAIN">$1<ex>paypal.com</ex></ph>&lt;/strong&gt;, but the server presented a certificate signed using a weak signature algorithm. This means that the security credentials the server presented could have been forged, and the server may not be the server you expected (you may be communicating with an attacker). You should not proceed.
+ </message>
+ <message name="IDS_CERT_ERROR_WEAK_SIGNATURE_ALGORITHM_EXTRA_INFO_2" desc="2nd paragraph of extra information for a X509 certificate signed using a weak signature algorithm">
+ In this case, the server certificate or an intermediate CA certificate presented to your browser is signed using a weak signature algorithm such as RSA-MD2. Recent research by computer scientists showed the signature algorithm is weaker than previously believed, and the signature algorithm is rarely used by trustworthy websites today. This certificate could have been forged. You should not proceed past this point.
+ </message>
+ <message name="IDS_CERT_ERROR_WEAK_SIGNATURE_ALGORITHM_DESCRIPTION" desc="Description of the error page for a certificate signed using a weak signature algorithm">
+ Server's certificate is signed using a weak signature algorithm
+ </message>
+
<message name="IDS_CERT_ERROR_UNKNOWN_ERROR_TITLE" desc="Title of the error page for an unknown ssl error">
Unknown server certificate error
</message>
diff --git a/chrome/browser/ssl/ssl_error_info.cc b/chrome/browser/ssl/ssl_error_info.cc
index d47529a..fd54bd4 100644
--- a/chrome/browser/ssl/ssl_error_info.cc
+++ b/chrome/browser/ssl/ssl_error_info.cc
@@ -153,6 +153,20 @@ SSLErrorInfo SSLErrorInfo::CreateError(ErrorType error_type,
short_description =
l10n_util::GetString(IDS_CERT_ERROR_INVALID_CERT_DESCRIPTION);
break;
+ case CERT_WEAK_SIGNATURE_ALGORITHM:
+ title =
+ l10n_util::GetString(IDS_CERT_ERROR_WEAK_SIGNATURE_ALGORITHM_TITLE);
+ details = l10n_util::GetStringF(
+ IDS_CERT_ERROR_WEAK_SIGNATURE_ALGORITHM_DETAILS,
+ UTF8ToWide(request_url.host()));
+ short_description = l10n_util::GetString(
+ IDS_CERT_ERROR_WEAK_SIGNATURE_ALGORITHM_DESCRIPTION);
+ extra_info.push_back(
+ l10n_util::GetString(IDS_CERT_ERROR_EXTRA_INFO_1));
+ extra_info.push_back(
+ l10n_util::GetString(
+ IDS_CERT_ERROR_WEAK_SIGNATURE_ALGORITHM_EXTRA_INFO_2));
+ break;
case MIXED_CONTENTS:
title = l10n_util::GetString(IDS_SSL_MIXED_CONTENT_TITLE);
details = l10n_util::GetString(IDS_SSL_MIXED_CONTENT_DETAILS);
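Review bot: In the new `CERT_WEAK_SIGNATURE_ALGORITHM` case, `request_url.host()` is substituted into `IDS_CERT_ERROR_WEAK_SIGNATURE_ALGORITHM_DETAILS`, which the .grd in this commit defines with `<strong>` markup, so `details` is HTML rather than plain text. No escaping of the host is visible in this hunk. URL canonicalization probably limits what a host can contain, but that is not shown here, so the contract should be stated where the value is built, for example `// |details| is HTML; the host must be HTML-escaped before it is rendered.` CreateError's body starts and ends outside the hunk, so whether escaping happens elsewhere could not be checked.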
@@ -199,6 +213,8 @@ SSLErrorInfo::ErrorType SSLErrorInfo::NetErrorToErrorType(int net_error) {
return CERT_REVOKED;
case net::ERR_CERT_INVALID:
return CERT_INVALID;
+ case net::ERR_CERT_WEAK_SIGNATURE_ALGORITHM:
+ return CERT_WEAK_SIGNATURE_ALGORITHM;
default:
NOTREACHED();
return UNKNOWN;
@@ -217,7 +233,8 @@ int SSLErrorInfo::GetErrorsForCertStatus(int cert_id,
net::CERT_STATUS_NO_REVOCATION_MECHANISM,
net::CERT_STATUS_UNABLE_TO_CHECK_REVOCATION,
net::CERT_STATUS_REVOKED,
- net::CERT_STATUS_INVALID
+ net::CERT_STATUS_INVALID,
+ net::CERT_STATUS_WEAK_SIGNATURE_ALGORITHM
};
const ErrorType kErrorTypes[] = {
@@ -227,7 +244,8 @@ int SSLErrorInfo::GetErrorsForCertStatus(int cert_id,
CERT_NO_REVOCATION_MECHANISM,
CERT_UNABLE_TO_CHECK_REVOCATION,
CERT_REVOKED,
- CERT_INVALID
+ CERT_INVALID,
+ CERT_WEAK_SIGNATURE_ALGORITHM
};
DCHECK(arraysize(kErrorFlags) == arraysize(kErrorTypes));
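Review bot: The new `net::CERT_STATUS_WEAK_SIGNATURE_ALGORITHM` entry in `kErrorFlags` (previous hunk) and `CERT_WEAK_SIGNATURE_ALGORITHM` in `kErrorTypes` are paired only by array position, and the `DCHECK` here compares lengths only and is presumably compiled out of release builds. A misordered entry would report the wrong certificate error to the user without any failure. Both sizes are compile-time constants, so `COMPILE_ASSERT(arraysize(kErrorFlags) == arraysize(kErrorTypes), error_tables_out_of_sync);` would catch length drift in every build. A single table of flag/type pairs would also remove the ordering hazard. GetErrorsForCertStatus starts and ends outside both hunks.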
diff --git a/chrome/browser/ssl/ssl_error_info.h b/chrome/browser/ssl/ssl_error_info.h
index d11fc0d..c3f9b63 100644
--- a/chrome/browser/ssl/ssl_error_info.h
+++ b/chrome/browser/ssl/ssl_error_info.h
@@ -1,9 +1,9 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
+// Copyright (c) 2006-2009 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#ifndef CHROME_BROWSER_SSL_ERROR_INFO_H__
-#define CHROME_BROWSER_SSL_ERROR_INFO_H__
+#ifndef CHROME_BROWSER_SSL_SSL_ERROR_INFO_H_
+#define CHROME_BROWSER_SSL_SSL_ERROR_INFO_H_
#include <string>
#include <vector>
@@ -27,6 +27,7 @@ class SSLErrorInfo {
CERT_UNABLE_TO_CHECK_REVOCATION,
CERT_REVOKED,
CERT_INVALID,
+ CERT_WEAK_SIGNATURE_ALGORITHM,
MIXED_CONTENTS,
UNSAFE_CONTENTS,
UNKNOWN
@@ -64,7 +65,7 @@ class SSLErrorInfo {
return extra_information_;
}
-private:
+ private:
SSLErrorInfo(const std::wstring& title,
const std::wstring& details,
const std::wstring& short_description,
@@ -78,4 +79,4 @@ private:
std::vector<std::wstring> extra_information_;
};
-#endif // CHROME_BROWSER_SSL_ERROR_INFO_H__
+#endif // CHROME_BROWSER_SSL_SSL_ERROR_INFO_H_
diff --git a/chrome/browser/ssl/ssl_policy.cc b/chrome/browser/ssl/ssl_policy.cc
index 4efad66..cbef647 100644
--- a/chrome/browser/ssl/ssl_policy.cc
+++ b/chrome/browser/ssl/ssl_policy.cc
@@ -84,10 +84,11 @@ void SSLPolicy::OnCertError(SSLCertErrorHandler* handler) {
// For now we handle the DENIED as the UNKNOWN, which means a blocking
// page is shown to the user every time he comes back to the page.
- switch(handler->cert_error()) {
+ switch (handler->cert_error()) {
case net::ERR_CERT_COMMON_NAME_INVALID:
case net::ERR_CERT_DATE_INVALID:
case net::ERR_CERT_AUTHORITY_INVALID:
+ case net::ERR_CERT_WEAK_SIGNATURE_ALGORITHM:
OnOverridableCertError(handler);
break;
case net::ERR_CERT_NO_REVOCATION_MECHANISM:
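Review bot: Adding `net::ERR_CERT_WEAK_SIGNATURE_ALGORITHM` to the group that calls `OnOverridableCertError` lets the user click through an error whose interstitial text, added to generated_resources.grd in this commit, says the certificate "could have been forged" and "You should not proceed". If a weak signature means the chain cannot be authenticated, treating it as a non-overridable error may be the safer default. If overridable is deliberate, the reason should be recorded next to the case, for example `// Overridable for now: the interstitial warns strongly, but sites still using weak signatures remain reachable.` The switch continues outside the hunk, so how the remaining errors are classified is not visible here.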
diff --git a/chrome/common/security_filter_peer.cc b/chrome/common/security_filter_peer.cc
index 5369199..79256e7 100644
--- a/chrome/common/security_filter_peer.cc
+++ b/chrome/common/security_filter_peer.cc
@@ -75,6 +75,7 @@ SecurityFilterPeer*
case net::ERR_CERT_UNABLE_TO_CHECK_REVOCATION:
case net::ERR_CERT_REVOKED:
case net::ERR_CERT_INVALID:
+ case net::ERR_CERT_WEAK_SIGNATURE_ALGORITHM:
case net::ERR_INSECURE_RESPONSE:
if (ResourceType::IsFrame(resource_type))
return CreateSecurityFilterPeerForFrame(peer, os_error);