OLD | NEW |
---|---|
(Empty) | |
1 // Copyright 2015 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #import "ios/web/net/crw_cert_verification_controller.h" | |
6 | |
7 #include "base/mac/bind_objc_block.h" | |
8 #import "base/memory/scoped_ptr.h" | |
9 #include "base/strings/sys_string_conversions.h" | |
10 #include "ios/web/net/cert_verifier_block_adapter.h" | |
11 #include "ios/web/public/browser_state.h" | |
12 #include "ios/web/public/web_thread.h" | |
13 #include "net/cert/cert_verify_result.h" | |
14 #include "net/ssl/ssl_config_service.h" | |
15 #include "net/url_request/url_request_context.h" | |
16 #include "net/url_request/url_request_context_getter.h" | |
17 | |
18 @interface CRWCertVerificationController () { | |
19 // Cert verification object which wraps |net::CertVerifier|. Must be created, | |
20 // used and destroyed on IO Thread. | |
21 scoped_ptr<web::CertVerifierBlockAdapter> _certVerifier; | |
22 | |
23 // URLRequestContextGetter for obtaining net layer objects. | |
24 net::URLRequestContextGetter* _contextGetter; | |
25 } | |
26 | |
27 // Cert verification flags. Must be used on IO Thread. | |
28 @property(nonatomic, readonly) int certVerifyFlags; | |
29 | |
30 // Creates _certVerifier object on IO thread. | |
31 - (void)createCertVerifier; | |
32 | |
33 // Verifies the given |cert| for the given |host| and calls |completionHandler| | |
34 // on completion. |completionHandler| cannot be null and will be called | |
35 // synchronously or asynchronously on IO thread. | |
36 - (void)verifyCert:(const scoped_refptr<net::X509Certificate>&)cert | |
37 forHost:(NSString*)host | |
38 completionHandler:(void (^)(net::CertVerifyResult, int))completionHandler; | |
39 | |
40 @end | |
41 | |
42 @implementation CRWCertVerificationController | |
43 | |
44 #pragma mark - Superclass | |
45 | |
46 - (void)dealloc { | |
47 DCHECK(!_certVerifier); // This is not a thread safe check. | |
48 [super dealloc]; | |
49 } | |
50 | |
51 #pragma mark - Public | |
52 | |
53 - (instancetype)initWithBrowserState:(web::BrowserState*)browserState { | |
54 DCHECK(browserState); | |
55 DCHECK_CURRENTLY_ON_WEB_THREAD(web::WebThread::UI); | |
56 self = [super init]; | |
57 if (self) { | |
58 _contextGetter = browserState->GetRequestContext(); | |
59 DCHECK(_contextGetter); | |
60 [self createCertVerifier]; | |
61 } | |
62 return self; | |
63 } | |
64 | |
65 - (void)decidePolicyForCert:(const scoped_refptr<net::X509Certificate>&)cert | |
66 host:(NSString*)host | |
67 completionHandler:(void (^)(web::CertAcceptPolicy))handler { | |
68 DCHECK_CURRENTLY_ON_WEB_THREAD(web::WebThread::UI); | |
69 [self verifyCert:cert | |
70 forHost:host | |
71 completionHandler:^(net::CertVerifyResult result, int error) { | |
72 web::CertAcceptPolicy policy = web::CERT_ACCEPT_POLICY_UNKNOWN; | |
73 if (error == net::OK) { | |
74 policy = web::CERT_ACCEPT_POLICY_ALLOW; | |
75 } else if (net::IsCertStatusError(result.cert_status)) { | |
Eugene But (OOO till 7-30)
2015/08/25 18:05:54
David, could you please confirm that the logic is
davidben
2015/08/26 20:19:09
I would maybe UNKNOWN -> ERROR to make it clear th
Eugene But (OOO till 7-30)
2015/08/26 21:12:48
Done.
Ryan Sleevi
2015/09/03 21:56:04
Right, I don't think it's correct :) error can be
Eugene But (OOO till 7-30)
2015/09/03 22:26:37
Hm... not sure if I understand this...
If cert ce
| |
76 // TODO(eugenebut): Check CertPolicyCache for user's decision. | |
77 policy = net::IsCertStatusMinorError(result.cert_status) | |
78 ? web::CERT_ACCEPT_POLICY_ALLOW | |
79 : web::CERT_ACCEPT_POLICY_DENY; | |
80 } | |
81 | |
82 dispatch_async(dispatch_get_main_queue(), ^{ | |
83 handler(policy); | |
davidben
2015/08/26 20:19:09
Hrm. I think we *still* have the threading problem
Eugene But (OOO till 7-30)
2015/08/26 21:12:48
You are right, this very block (Line 83) retains,
davidben
2015/08/26 21:20:46
The outer block must retain |handler| so that it m
Eugene But (OOO till 7-30)
2015/08/26 21:56:29
Oh, right, I reproduced the case you described and
Eugene But (OOO till 7-30)
2015/08/27 15:57:33
Alright, |handler| is not retained by the blocks a
| |
84 }); | |
85 }]; | |
86 } | |
87 | |
88 - (void)shutDown { | |
89 DCHECK_CURRENTLY_ON_WEB_THREAD(web::WebThread::UI); | |
90 web::WebThread::PostTask(web::WebThread::IO, FROM_HERE, base::BindBlock(^{ | |
91 // This block captures |self| delaying its deallocation and possible causing | |
92 // dealloc to happen on IO thread (which is fine for this class). | |
93 _certVerifier.reset(); | |
94 })); | |
95 } | |
96 | |
97 #pragma mark - Private | |
98 | |
99 - (int)certVerifyFlags { | |
100 DCHECK(web::WebThread::CurrentlyOn(web::WebThread::IO)); | |
101 DCHECK(_contextGetter); | |
102 // |net::URLRequestContextGetter| lifetime is expected to be at least the same | |
103 // or longer than |BrowserState| lifetime. | |
104 net::URLRequestContext* context = _contextGetter->GetURLRequestContext(); | |
105 DCHECK(context); | |
106 net::SSLConfigService* SSLConfigService = context->ssl_config_service(); | |
107 DCHECK(SSLConfigService); | |
108 net::SSLConfig config; | |
109 SSLConfigService->GetSSLConfig(&config); | |
110 return config.GetCertVerifyFlags(); | |
111 } | |
112 | |
113 - (void)createCertVerifier { | |
114 web::WebThread::PostTask(web::WebThread::IO, FROM_HERE, base::BindBlock(^{ | |
115 net::URLRequestContext* context = _contextGetter->GetURLRequestContext(); | |
116 _certVerifier.reset(new web::CertVerifierBlockAdapter( | |
117 context->cert_verifier(), context->net_log())); | |
118 })); | |
119 } | |
120 | |
121 - (void)verifyCert:(const scoped_refptr<net::X509Certificate>&)cert | |
122 forHost:(NSString*)host | |
123 completionHandler:(void (^)(net::CertVerifyResult, int))completionHandler { | |
124 DCHECK(completionHandler); | |
125 __block scoped_refptr<net::X509Certificate> blockCert = cert; | |
126 web::WebThread::PostTask( | |
127 web::WebThread::IO, FROM_HERE, base::BindBlock(^{ | |
128 // WeakNSObject does not work across different threads, hence this block | |
129 // retains self. | |
130 if (!_certVerifier) { | |
131 completionHandler(net::CertVerifyResult(), net::ERR_FAILED); | |
132 return; | |
133 } | |
134 | |
135 web::CertVerifierBlockAdapter::Params params( | |
136 blockCert.Pass(), base::SysNSStringToUTF8(host)); | |
137 params.flags = self.certVerifyFlags; | |
138 params.crl_set = net::SSLConfigService::GetCRLSet(); | |
139 // OCSP response is not provided by iOS API. | |
140 _certVerifier->Verify(params, completionHandler); | |
141 })); | |
142 } | |
143 | |
144 @end | |
OLD | NEW |