Bug 1068949 - Send SHA-1 deprecation warnings in to the web console. r=mcmanus

browser/devtools/webconsole/webconsole.js

@@ -44,6 +44,8 @@ const INSECURE_PASSWORDS_LEARN_MORE = "https://developer.mozilla.org/docs/Securi
 
 const STRICT_TRANSPORT_SECURITY_LEARN_MORE = "https://developer.mozilla.org/docs/Security/HTTP_Strict_Transport_Security";
 
+const WEAK_SIGNATURE_ALGORITHM_LEARN_MORE = "https://developer.mozilla.org/docs/Security/Weak_Signature_Algorithm";
+
 const HELP_URL = "https://developer.mozilla.org/docs/Tools/Web_Console/Helpers";
 
 const VARIABLES_VIEW_URL = "chrome://browser/content/devtools/widgets/VariablesView.xul";
@@ -1597,6 +1599,9 @@ WebConsoleFrame.prototype = {
      case "Invalid HSTS Headers":
       url = STRICT_TRANSPORT_SECURITY_LEARN_MORE;
      break;
+     case "SHA-1 Signature":
+      url = WEAK_SIGNATURE_ALGORITHM_LEARN_MORE;
+     break;
      default:
       // Unknown category. Return without adding more info node.
       return;
@@ -4689,6 +4694,7 @@ var Utils = {
       case "CSP":
       case "Invalid HSTS Headers":
       case "Invalid HPKP Headers":
+      case "SHA-1 Signature":
       case "Insecure Password Field":
       case "SSL":
       case "CORS":

dom/locales/en-US/chrome/security/security.properties

@@ -10,6 +10,8 @@ CrossSiteRequestBlocked=Cross-Origin Request Blocked: The Same Origin Policy dis
 InvalidSTSHeaders=The site specified an invalid Strict-Transport-Security header.
 # LOCALIZATION NOTE: Do not translate "Public-Key-Pins or HPKP"
 InvalidPKPHeaders=The site specified an invalid Public-Key-Pins header.
+# LOCALIZATION NOTE: Do not translate "SHA-1"
+SHA1Sig=This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.
 InsecurePasswordsPresentOnPage=Password fields present on an insecure (http://) page. This is a security risk that allows user login credentials to be stolen.
 InsecureFormActionPasswordsPresent=Password fields present in a form with an insecure (http://) form action. This is a security risk that allows user login credentials to be stolen.
 InsecurePasswordsPresentOnIframe=Password fields present on an insecure (http://) iframe. This is a security risk that allows user login credentials to be stolen.

netwerk/protocol/http/nsHttpChannel.cpp

@@ -69,6 +69,8 @@
 #include "AlternateServices.h"
 #include "InterceptedChannel.h"
 #include "nsIHttpPushListener.h"
+#include "nsIX509Cert.h"
+#include "ScopedNSSTypes.h"
 
 namespace mozilla { namespace net {
 
@@ -1214,6 +1216,29 @@ nsHttpChannel::ProcessSSLInformation()
     if (!sslstat)
         return;
 
+    // Send (SHA-1) signature algorithm errors to the web console
+    nsCOMPtr<nsIX509Cert> cert;
+    sslstat->GetServerCert(getter_AddRefs(cert));
+    if (cert) {
+        ScopedCERTCertificate nssCert(cert->GetCert());
+        if (nssCert) {
+            SECOidTag tag = SECOID_GetAlgorithmTag(&nssCert->signature);
+            LOG(("Checking certificate signature: The OID tag is %i [this=%p]\n", tag, this));
+            // Check to see if the signature is sha-1 based.
+            // Not including checks for SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE
+            // from http://tools.ietf.org/html/rfc2437#section-8 since I
+            // can't see reference to it outside this spec
+            if (tag == SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION ||
+                tag == SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST ||
+                tag == SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE) {
+                nsString consoleErrorTag = NS_LITERAL_STRING("SHA1Sig");
+                nsString consoleErrorMessage
+                        = NS_LITERAL_STRING("SHA-1 Signature");
+                AddSecurityMessage(consoleErrorTag, consoleErrorMessage);
+            }
+        }
+    }
+
     // If certificate exceptions are being used don't record this information
     // in the permission manager.
     bool trustCheck;