WKWebView: Added cert verification API to web controller.

ios/web/web_state/ui/crw_wk_web_view_web_controller.mm

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #import "ios/web/web_state/ui/crw_wk_web_view_web_controller.h"
 
 #import <WebKit/WebKit.h>
 
 #include "base/ios/ios_util.h"
 #include "base/ios/weak_nsobject.h"
 #include "base/json/json_reader.h"
 #import "base/mac/scoped_nsobject.h"
 #include "base/macros.h"
 #include "base/strings/sys_string_conversions.h"
 #include "base/values.h"
 #import "ios/net/http_response_headers_util.h"
 #import "ios/web/crw_network_activity_indicator_manager.h"
 #import "ios/web/navigation/crw_session_controller.h"
 #include "ios/web/navigation/web_load_params.h"
+#include "ios/web/net/cert_verifier_block_adapter.h"
 #include "ios/web/public/web_client.h"
 #import "ios/web/public/web_state/js/crw_js_injection_manager.h"
 #import "ios/web/public/web_state/ui/crw_native_content_provider.h"
 #import "ios/web/public/web_state/ui/crw_web_view_content_view.h"
 #import "ios/web/ui_web_view_util.h"
 #include "ios/web/web_state/blocked_popup_info.h"
 #import "ios/web/web_state/error_translation_util.h"
 #include "ios/web/web_state/frame_info.h"
 #import "ios/web/web_state/js/crw_js_window_id_manager.h"
 #import "ios/web/web_state/js/page_script_util.h"
 #import "ios/web/web_state/ui/crw_web_controller+protected.h"
 #import "ios/web/web_state/ui/crw_wk_web_view_crash_detector.h"
 #import "ios/web/web_state/ui/web_view_js_utils.h"
 #import "ios/web/web_state/ui/wk_web_view_configuration_provider.h"
 #import "ios/web/web_state/web_state_impl.h"
 #import "ios/web/web_state/web_view_internal_creation_util.h"
 #import "ios/web/webui/crw_web_ui_manager.h"
 #import "net/base/mac/url_conversions.h"
+#include "net/cert/cert_verify_result.h"
+#include "net/ssl/ssl_config_service.h"
 
 #if !defined(ENABLE_CHROME_NET_STACK_FOR_WKWEBVIEW)
 #include "ios/web/public/cert_store.h"
 #include "ios/web/public/navigation_item.h"
 #include "ios/web/public/ssl_status.h"
 #import "ios/web/web_state/wk_web_view_security_util.h"
 #include "net/ssl/ssl_info.h"
 #endif
 
 namespace {
@@ skipping 69 matching lines @@
   base::scoped_nsobject<NSString> _documentMIMEType;
 
   // Whether the web page is currently performing window.history.pushState or
   // window.history.replaceState
   // Set to YES on window.history.willChangeState message. To NO on
   // window.history.didPushState or window.history.didReplaceState.
   BOOL _changingHistoryState;
 
   // CRWWebUIManager object for loading WebUI pages.
   base::scoped_nsobject<CRWWebUIManager> _webUIManager;
+
+  // Cert verification object which wraps net::CertVerifier.
+  net::CertVerifierBlockAdapter _certVerifier;
 }
 
 // Response's MIME type of the last known navigation.
 @property(nonatomic, copy) NSString* documentMIMEType;
 
 // Dictionary where keys are the names of WKWebView properties and values are
 // selector names which should be called when a corresponding property has
 // changed. e.g. @{ @"URL" : @"webViewURLDidChange" } means that
 // -[self webViewURLDidChange] must be called every time when WKWebView.URL is
 // changed.
@@ skipping 82 matching lines @@
 // _documentURL, and informs the superclass of the change.
 - (void)URLDidChangeWithoutDocumentChange:(const GURL&)URL;
 
 // Returns new autoreleased instance of WKUserContentController which has
 // early page script.
 - (WKUserContentController*)createUserContentController;
 
 // Attempts to handle a script message. Returns YES on success, NO otherwise.
 - (BOOL)respondToWKScriptMessage:(WKScriptMessage*)scriptMessage;
 
+// Verifies the given |cert| for the given |host| and calls |block| on
+// completion. |block| can not be null and may be called either synchronously or
+// asynchronously.
+- (void)verifyCert:(scoped_refptr<net::X509Certificate>)cert
+              forHost:(NSString*)host
+    completionHandler:(void (^)(scoped_ptr<net::CertVerifyResult>, int))block;
+
 #if !defined(ENABLE_CHROME_NET_STACK_FOR_WKWEBVIEW)
 // Called when WKWebView estimatedProgress has been changed.
 - (void)webViewEstimatedProgressDidChange;
 
 // Called when WKWebView hasOnlySecureContent property has changed.
 - (void)webViewContentSecurityDidChange;
 #endif  // !defined(ENABLE_CHROME_NET_STACK_FOR_WKWEBVIEW)
 
 // Called when WKWebView loading state has been changed.
 - (void)webViewLoadingStateDidChange;
@@ skipping 562 matching lines @@
     (*handlers)["window.history.willChangeState"] =
         @selector(handleWindowHistoryWillChangeStateMessage:context:);
   });
   DCHECK(handlers);
   auto iter = handlers->find(command);
   return iter != handlers->end()
              ? iter->second
              : [super selectorToHandleJavaScriptCommand:command];
 }
 
+- (void)verifyCert:(scoped_refptr<net::X509Certificate>)cert
+              forHost:(NSString*)host
+    completionHandler:(void (^)(scoped_ptr<net::CertVerifyResult>, int))block {
+  DCHECK(block);
+  std::string hostname = base::SysNSStringToUTF8(host);
+  net::CertVerifierBlockAdapter::Params params(cert, hostname);
+  params.ocsp_response == "";  // Not provided by iOS API.
+  params.flags = net::CertVerifier::VERIFY_CERT_IO_ENABLED;
+  params.crl_set = net::SSLConfigService::GetCRLSet().Pass();
+  _certVerifier.Verify(params, block);
+}
+
 #pragma mark -
 #pragma mark JavaScript message handlers
 
 - (BOOL)handleWindowHistoryWillChangeStateMessage:
     (base::DictionaryValue*)message
                                           context:(NSDictionary*)context {
   _changingHistoryState = YES;
   return
       [super handleWindowHistoryWillChangeStateMessage:message context:context];
 }
@@ skipping 286 matching lines @@
             withError:(NSError *)error {
   [self handleLoadError:WKWebViewErrorWithSource(error, NAVIGATION)
             inMainFrame:YES];
 }
 
 - (void)webView:(WKWebView *)webView
     didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
                     completionHandler:
         (void (^)(NSURLSessionAuthChallengeDisposition disposition,
                   NSURLCredential *credential))completionHandler {
-  NOTIMPLEMENTED();
-  completionHandler(NSURLSessionAuthChallengeRejectProtectionSpace, nil);
+  SecTrustRef trust = challenge.protectionSpace.serverTrust;
+  scoped_refptr<net::X509Certificate> cert = web::CreateCertFromTrust(trust);
+  [self verifyCert:cert

[Eugene But (OOO till 7-30), 2015/07/10 19:42:02]

At the moment CertVerifier DCHECKs on null cert or empty hostname. This will be
gracefully handled after the following CL landed:
https://codereview.chromium.org/1231783003/

[Eugene But (OOO till 7-30), 2015/07/13 16:49:51]

Please ignore this comment. cl/1231783003 has landed.

+                forHost:challenge.protectionSpace.host
+      completionHandler:^(scoped_ptr<net::CertVerifyResult> result,
+                          int status) {
+        DCHECK(result || status);
+        if (result && !net::IsCertStatusError(result->cert_status)) {
+          // Cert is valid.
+        } else {
+          // Cert is invalid.
+        }
+        NOTIMPLEMENTED();
+        completionHandler(NSURLSessionAuthChallengeRejectProtectionSpace, nil);
+      }];
 }
 
 - (void)webViewWebContentProcessDidTerminate:(WKWebView*)webView {
   [self webViewWebProcessDidCrash];
 }
 
 #pragma mark WKUIDelegate Methods
 
 - (WKWebView*)webView:(WKWebView*)webView
     createWebViewWithConfiguration:(WKWebViewConfiguration*)configuration
@@ skipping 78 matching lines @@
                               placeholderText:defaultText
                                    requestURL:
             net::GURLWithNSURL(frame.request.URL)
                             completionHandler:completionHandler];
   } else if (completionHandler) {
     completionHandler(nil);
   }
 }
 
 @end