ios/web/net/cert_verifier_block_adapter.cc - Issue 1230033005: WKWebView: Added cert verification API to web controller.

Side by Side Diff: ios/web/net/cert_verifier_block_adapter.cc

Issue 1230033005: WKWebView: Added cert verification API to web controller. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Minor cleanup. Created 5 years, 4 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

« ios/web/net/cert_verifier_block_adapter.h ('K') | « ios/web/net/cert_verifier_block_adapter.h ('k') | ios/web/net/cert_verifier_block_adapter_unittest.cc » ('j') | ios/web/net/cert_verifier_block_adapter_unittest.cc » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

OLD	NEW
1 // Copyright 2015 The Chromium Authors. All rights reserved.	1 // Copyright 2015 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "ios/web/net/cert_verifier_block_adapter.h"	5 #include "ios/web/net/cert_verifier_block_adapter.h"

6	6

7 #include "base/mac/bind_objc_block.h"	7 #include "base/mac/bind_objc_block.h"

8 #include "net/base/net_errors.h"	8 #include "net/base/net_errors.h"

9 #include "net/cert/cert_verify_result.h"

10 #include "net/cert/crl_set.h"	9 #include "net/cert/crl_set.h"

11 #include "net/cert/x509_certificate.h"	10 #include "net/cert/x509_certificate.h"

12	11

13 namespace net {	12 namespace net {

14	13

15 namespace {	14 namespace {

16	15

17 // Resource manager which keeps CertVerifier::Request, CertVerifyResult and	16 // Resource manager which keeps CertVerifyResult and X509Certificate alive until

18 // X509Certificate alive until verification is completed.	17 // verification is completed. Also holds unowned pointer to

19 struct VerificationContext : public base::RefCounted<VerificationContext> {	18 // \|CertVerifier::Request\|.

20 VerificationContext(scoped_refptr<net::X509Certificate> cert) : cert(cert) {	19 struct VerificationContext

21 result.cert_status = CERT_STATUS_INVALID;	20 : public base::RefCountedThreadSafe<VerificationContext> {

22 }	21 explicit VerificationContext(scoped_refptr<net::X509Certificate> cert)

23 // Verification request. Must be alive until verification is completed,	22 : request(nullptr), cert(cert) {}

24 // otherwise it will be cancelled.	23 // Unowned verification request.

25 scoped_ptr<CertVerifier::Request> request;	24 CertVerifier::Request* request;

26 // The result of certificate verification.	25 // The result of certificate verification.

27 CertVerifyResult result;	26 CertVerifyResult result;

28 // Certificate being verificated.	27 // Certificate being verificated.

29 scoped_refptr<net::X509Certificate> cert;	28 scoped_refptr<net::X509Certificate> cert;

30	29

31 // Copies CertVerifyResult and wraps it into a scoped_ptr.

32 scoped_ptr<CertVerifyResult> scoped_result() {

33 scoped_ptr<CertVerifyResult> scoped_result(new CertVerifyResult());

34 scoped_result->CopyFrom(result);

35 return scoped_result.Pass();

36 }

37

38 private:	30 private:

39 VerificationContext() = delete;	31 VerificationContext() = delete;

40 // Required by base::RefCounted.	32 // Required by base::RefCounted.

41 friend class base::RefCounted<VerificationContext>;	33 friend class base::RefCountedThreadSafe<VerificationContext>;

42 ~VerificationContext() {}	34 ~VerificationContext() {}

43 };	35 };

44 }	36 }

45	37

46 CertVerifierBlockAdapter::CertVerifierBlockAdapter()	38 CertVerifierBlockAdapter::CertVerifierBlockAdapter(CertVerifier* cert_verifier,

47 : CertVerifierBlockAdapter(	39 NetLog* net_log)

48 scoped_ptr<CertVerifier>(CertVerifier::CreateDefault())) {	40 : cert_verifier_(cert_verifier),

49 }	41 net_log_(BoundNetLog::Make(net_log, NetLog::SOURCE_URL_REQUEST)) {
	Eugene But (OOO till 7-30) 2015/08/07 02:27:20 Not sure if SOURCE_URL_REQUEST is ok here, or I sh Not sure if SOURCE_URL_REQUEST is ok here, or I should create a separate SOURCE_CERT_VERIFICATION Ryan Sleevi 2015/08/07 21:52:12 I don't understand why you're creating it, versus Show quoted text On 2015/08/07 02:27:20, eugenebut wrote: > Not sure if SOURCE_URL_REQUEST is ok here, or I should create a separate > SOURCE_CERT_VERIFICATION I don't understand why you're creating it, versus taking it from the context of the caller. Is this because it's not compatible with the Block adapter? Then we should fix that, because you really want to use the BoundNetLog that is the callers, since that will contextually be associated with the right URLRequest flow. Of course, for WKWebView, not using //net, we have to decide how we want NetLog to behave. I don't know what's been done by the iOS team in this respect, but having a NetLog with any information you can get from the WKWebView seems _extremely_ valuable for diagnostics and debugging in the field. When using Chrome's network stack, the NetLog comes from the Socket ( https://code.google.com/p/chromium/codesearch#chromium/src/net/socket/ssl_cli... / https://code.google.com/p/chromium/codesearch#chromium/src/net/socket/ssl_cli... ), which is setup here - https://code.google.com/p/chromium/codesearch#chromium/src/net/socket/tcp_soc... Although I'll readily admit, I'm not sure the full implications of how this should look for iOS, so I'm gonna tag in mmenke@ for this. Eugene But (OOO till 7-30) 2015/08/12 22:00:38 Caller (Web Controller) does not have BoundNetLog, Show quoted text > I don't understand why you're creating it, versus taking it from the context of > the caller. > > Is this because it's not compatible with the Block adapter? Caller (Web Controller) does not have BoundNetLog, but it has NetLog, so I passed \|NetLog\| here. There is no value in sharing BoundNetLog between multiple WebViews, because MultiThreaderCertVerifier will recreate BoundNet log anyway: https://code.google.com/p/chromium/codesearch#chromium/src/net/cert/multi_thr... Per discussion with mmenke@ I will create one BoundNetLog per CertVerifier::Verify invocation, rather than share them. BoundNetLog just groups related events together, and we don't want events from a bunch of different verify invocations all to be lumped together without being sorted.
50

51 CertVerifierBlockAdapter::CertVerifierBlockAdapter(

52 scoped_ptr<CertVerifier> cert_verifier)

53 : cert_verifier_(cert_verifier.Pass()) {

54 DCHECK(cert_verifier_);	42 DCHECK(cert_verifier_);

55 }	43 }

56	44

57 CertVerifierBlockAdapter::~CertVerifierBlockAdapter() {	45 CertVerifierBlockAdapter::~CertVerifierBlockAdapter() {

58 }	46 }

59	47

60 CertVerifierBlockAdapter::Params::Params(scoped_refptr<X509Certificate> cert,	48 CertVerifierBlockAdapter::Params::Params(scoped_refptr<X509Certificate> cert,

61 const std::string& hostname)	49 const std::string& hostname)

62 : cert(cert),	50 : cert(cert), hostname(hostname), flags(0) {}

63 hostname(hostname),

64 flags(static_cast<CertVerifier::VerifyFlags>(0)) {

65 }

66	51

67 CertVerifierBlockAdapter::Params::~Params() {	52 CertVerifierBlockAdapter::Params::~Params() {

68 }	53 }

69	54

70 void CertVerifierBlockAdapter::Verify(	55 void CertVerifierBlockAdapter::Verify(
	Ryan Sleevi 2015/08/07 21:52:12 To confirm: This method will always and only be ca To confirm: This method will always and only be called on the IO thread, correct? Eugene But (OOO till 7-30) 2015/08/12 22:00:38 Technically it can be called on any thread, as l Show quoted text On 2015/08/07 21:52:12, Ryan Sleevi wrote: > To confirm: This method will always and only be called on the IO thread, > correct? Technically it can be called on any thread, as long as if its the same thread where CertVerifier was created. In unit tests it is called on main thread, but in web controller it will always be called on IO thread.
71 const Params& params,	56 const Params& params,

72 void (^completion_handler)(scoped_ptr<CertVerifyResult>, int)) {	57 void (^completion_handler)(CertVerifyResult, int)) {

73 DCHECK(completion_handler);	58 DCHECK(completion_handler);

	59 if (!params.cert \|\| params.hostname.empty()) {

	60 completion_handler(CertVerifyResult(), ERR_INVALID_ARGUMENT);

	61 return;

	62 }

74	63

75 scoped_refptr<VerificationContext> context(	64 scoped_refptr<VerificationContext> context(

76 new VerificationContext(params.cert));	65 new VerificationContext(params.cert));

77 CompletionCallback callback = base::BindBlock(^(int) {	66 CompletionCallback callback = base::BindBlock(^(int status) {

78 completion_handler(context->scoped_result(), 0);	67 completion_handler(context->result, status);
	Ryan Sleevi 2015/08/07 21:52:12 BUG? In //net, callbacks are always the terminal BUG? In //net, callbacks are always the terminal state for a return; this allows callbacks to delete the relevant objects, if appropriate, for example. The implications of this is that invoking a callback should always be the final state of the function. I believe you want to delete the pending request _prior_ to invoking the completion_handler. Note: It's perfectly OK to delete context->request in the CompletionCallback of Verify(), as CertVerifier::Verify() adheres to this contract (that is, that CompletionCallback is the last thing called and all state is cleaned up) Eugene But (OOO till 7-30) 2015/08/12 22:00:38 Done. Show quoted text On 2015/08/07 21:52:12, Ryan Sleevi wrote: > BUG? > > In //net, callbacks are always the terminal state for a return; this allows > callbacks to delete the relevant objects, if appropriate, for example. > > The implications of this is that invoking a callback should always be the final > state of the function. I believe you want to delete the pending request _prior_ > to invoking the completion_handler. > > Note: It's perfectly OK to delete context->request in the CompletionCallback of > Verify(), as CertVerifier::Verify() adheres to this contract (that is, that > CompletionCallback is the last thing called and all state is cleaned up) Done.
	68 // Remove pending request.

	69 auto request_iterator = std::find(

	70 pending_requests_.begin(), pending_requests_.end(), context->request);

	71 DCHECK(pending_requests_.end() != request_iterator);

	72 pending_requests_.erase(request_iterator);

79 });	73 });

80 int status = cert_verifier_->Verify(params.cert.get(), params.hostname,	74 scoped_ptr<CertVerifier::Request> request(new CertVerifier::Request);

81 params.ocsp_response, params.flags,	75 int status = cert_verifier_->Verify(

82 params.crl_set.get(), &(context->result),	76 params.cert.get(), params.hostname, params.ocsp_response, params.flags,

83 callback, &(context->request), net_log_);	77 params.crl_set.get(), &(context->result), callback, &request, net_log_);

84

85 if (status == ERR_IO_PENDING) {	78 if (status == ERR_IO_PENDING) {

	79 // Make sure that \|CertVerifier::Request\| is alive until either verification

	80 // is completed or CertVerifierBlockAdapter is destroyed.

	81 pending_requests_.push_back(request.Pass());

	82 context->request = pending_requests_.back();

86 // Completion handler will be called from \|callback\| when verification	83 // Completion handler will be called from \|callback\| when verification

87 // request is completed.	84 // request is completed.

88 return;	85 return;

89 }	86 }

90	87

91 // Verification has either failed or result was retrieved from the cache.	88 // Verification has either failed or result was retrieved from the cache.

92 completion_handler(status ? nullptr : context->scoped_result(), status);	89 completion_handler(context->result, status);

93 }	90 }

94	91

95 } // net	92 } // net

OLD	NEW