WKWebView: Added cert verification API to web controller.

ios/web/web_state/ui/crw_wk_web_view_web_controller.mm

Index: ios/web/web_state/ui/crw_wk_web_view_web_controller.mm
diff --git a/ios/web/web_state/ui/crw_wk_web_view_web_controller.mm b/ios/web/web_state/ui/crw_wk_web_view_web_controller.mm
index 2ece2f9c3284e0fda828defa09a1c8dab4ed8b6c..ae33e177ff03246a2e1e77c5cc0499f5039e4d44 100644
--- a/ios/web/web_state/ui/crw_wk_web_view_web_controller.mm
+++ b/ios/web/web_state/ui/crw_wk_web_view_web_controller.mm
@@ -9,8 +9,10 @@
 #include "base/ios/ios_util.h"
 #include "base/ios/weak_nsobject.h"
 #include "base/json/json_reader.h"
+#include "base/mac/bind_objc_block.h"
 #import "base/mac/scoped_nsobject.h"
 #include "base/macros.h"
+#import "base/memory/scoped_ptr.h"
 #include "base/strings/sys_string_conversions.h"
 #include "base/values.h"
 #import "ios/net/http_response_headers_util.h"
@@ -19,7 +21,10 @@
 #import "ios/web/navigation/crw_session_entry.h"
 #include "ios/web/navigation/navigation_item_impl.h"
 #include "ios/web/navigation/web_load_params.h"
+#include "ios/web/net/cert_verifier_block_adapter.h"
+#include "ios/web/public/browser_state.h"
 #include "ios/web/public/web_client.h"
+#include "ios/web/public/web_thread.h"
 #import "ios/web/public/web_state/js/crw_js_injection_manager.h"
 #import "ios/web/public/web_state/ui/crw_native_content_provider.h"
 #import "ios/web/public/web_state/ui/crw_web_view_content_view.h"
@@ -38,6 +43,9 @@
 #import "ios/web/web_state/web_view_internal_creation_util.h"
 #import "ios/web/webui/crw_web_ui_manager.h"
 #import "net/base/mac/url_conversions.h"
+#include "net/cert/cert_verify_result.h"
+#include "net/ssl/ssl_config_service.h"
+#include "net/url_request/url_request_context.h"
 #include "url/url_constants.h"
 
 #if !defined(ENABLE_CHROME_NET_STACK_FOR_WKWEBVIEW)
@@ -135,6 +143,13 @@ WKWebViewErrorSource WKWebViewErrorSourceFromError(NSError* error) {
 
   // CRWWebUIManager object for loading WebUI pages.
   base::scoped_nsobject<CRWWebUIManager> _webUIManager;
+
+  // Cert verification object which wraps |net::CertVerifier|. Must be created,
+  // used and destroyed on IO Thread.
+  scoped_ptr<web::CertVerifierBlockAdapter> _certVerifier;
+
+  // URLRequestContextGetter for obtaining net layer objects.
+  net::URLRequestContextGetter* _contextGetter;
 }
 
 // Response's MIME type of the last known navigation.
@@ -159,6 +174,12 @@ WKWebViewErrorSource WKWebViewErrorSourceFromError(NSError* error) {
 @property(nonatomic, readonly) int certGroupID;
 #endif  // #if !defined(ENABLE_CHROME_NET_STACK_FOR_WKWEBVIEW)
 
+// Cert verification flags. Must be used on IO Thread.
+@property(nonatomic, readonly) int certVerifyFlags;
+
+// Creates _certVerifier object on IO thread.
+- (void)createCertVerifier;
+
 // Returns the WKWebViewConfigurationProvider associated with the web
 // controller's BrowserState.
 - (web::WKWebViewConfigurationProvider&)webViewConfigurationProvider;
@@ -254,6 +275,13 @@ WKWebViewErrorSource WKWebViewErrorSourceFromError(NSError* error) {
 // Attempts to handle a script message. Returns YES on success, NO otherwise.
 - (BOOL)respondToWKScriptMessage:(WKScriptMessage*)scriptMessage;
 
+// Verifies the given |cert| for the given |host| and calls |completionHandler|
+// on completion. |completionHandler| cannot be null and will be called
+// asynchronously on IO thread.
+- (void)verifyCert:(const scoped_refptr<net::X509Certificate>&)cert
+              forHost:(NSString*)host
+    completionHandler:(void (^)(net::CertVerifyResult, int))completionHandler;
+
 // Used to decide whether a load that generates errors with the
 // NSURLErrorCancelled code should be cancelled.
 - (BOOL)shouldAbortLoadForCancelledError:(NSError*)error;
@@ -283,7 +311,14 @@ WKWebViewErrorSource WKWebViewErrorSourceFromError(NSError* error) {
 #pragma mark CRWWebController public methods
 
 - (instancetype)initWithWebState:(scoped_ptr<web::WebStateImpl>)webState {
-  return [super initWithWebState:webState.Pass()];
+  DCHECK(webState);
+  web::BrowserState* browserState = webState->GetBrowserState();
+  self = [super initWithWebState:webState.Pass()];
+  if (self) {
+    _contextGetter = browserState->GetRequestContext();
+    [self createCertVerifier];
+  }
+  return self;
 }
 
 - (BOOL)keyboardDisplayRequiresUserAction {
@@ -325,6 +360,20 @@ WKWebViewErrorSource WKWebViewErrorSourceFromError(NSError* error) {
   [super setPageDialogOpenPolicy:policy];
 }
 
+- (void)close {
+  // _certVerifier must be accessed only on IO thread.
+  web::WebThread::PostTask(web::WebThread::IO, FROM_HERE, base::BindBlock(^{
+    _certVerifier.reset();
+    // This block will be destroyed on IO thread, so make sure that self is
+    // deallocated on the main thread.
+    [self retain];
+    dispatch_async(dispatch_get_main_queue(), ^{
+      [self release];
+    });

[davidben, 2015/08/24 21:23:02]

I don't think this works. The block itself retains a reference. There's no
guarantee that the function will return before the UI thread runs [self release]
and returns from its block.

There's a similar kind of problem with the verifyCert code below.

I think the only way to avoid deleting this on the wrong thread is to ensure no
other threads ever hold a reference to it. That means getting all the IO stuff
out of this class and into something smaller that can be deleted anywhere
because everything is so pervasively reference-counted.

This sort of mess is why Chromium tries not to have objects span threads so
much. And why we avoid reference-counting and use base::WeakPtr for everything.
This way you can easily ensure that stray references don't cause your objects to
be deleted on weird threads.

[stuartmorgan, 2015/08/24 21:29:43]

Ugh, right. Someday I hope to actually learn to reason correctly about threads
:P

It may even be slightly worse, because I'm not sure there's any guarantee that
the block is cleaned up immediately, vs. deferred slightly.

[davidben, 2015/08/24 21:33:42]

And that's why we //net folks are so allergic to reference-counting and
multi-threaded objects! :-)

How does the iOS code typically deal with threads? Reference-counting is
slightly harder to avoid in ObjC. The only thing I can think of is to eschew all
ObjC at thread-boundaries and write scoped_ptr- and WeakPtr-style code.

[stuartmorgan, 2015/08/24 22:44:02]

A common pattern for us is explicit teardowns that do thread-specific work,
called from a known thread, so that the dealloc thread doesn't matter. For
instance, that's exactly why we have -close in WebController in the first place.

There's a certain amount of finding things that should be there the hard way,
unfortunately.

+  }));
+  [super close];
+}
+
 #pragma mark -
 #pragma mark Testing-Only Methods
 
@@ -592,6 +641,29 @@ WKWebViewErrorSource WKWebViewErrorSourceFromError(NSError* error) {
 }
 #endif
 
+- (int)certVerifyFlags {
+  DCHECK(web::WebThread::CurrentlyOn(web::WebThread::IO));
+  DCHECK(_contextGetter);
+  // Context Getter's life time is expected to be at least the same or longer
+  // than |BrowserState| lifetime in which case it is safe to assume that
+  // _contextGetter is alive at least until -close is called.

[stuartmorgan, 2015/08/24 20:34:24]

DCHECK(_certVerifier) so that the requirement that close hasn't been called is
checked?

[Eugene But (OOO till 7-30), 2015/08/24 21:18:07]

Sure.

+  net::URLRequestContext* context = _contextGetter->GetURLRequestContext();
+  DCHECK(context);
+  net::SSLConfigService* SSLConfigService = context->ssl_config_service();
+  DCHECK(SSLConfigService);
+  net::SSLConfig config;
+  SSLConfigService->GetSSLConfig(&config);
+  return config.GetCertVerifyFlags();
+}
+
+- (void)createCertVerifier {
+  web::WebThread::PostTask(web::WebThread::IO, FROM_HERE, base::BindBlock(^{
+    net::URLRequestContext* context = _contextGetter->GetURLRequestContext();
+    _certVerifier.reset(new web::CertVerifierBlockAdapter(
+        context->cert_verifier(), context->net_log()));
+  }));
+}
+
 - (web::WKWebViewConfigurationProvider&)webViewConfigurationProvider {
   DCHECK(self.webStateImpl);
   web::BrowserState* browserState = self.webStateImpl->GetBrowserState();
@@ -963,6 +1035,29 @@ WKWebViewErrorSource WKWebViewErrorSourceFromError(NSError* error) {
              : [super selectorToHandleJavaScriptCommand:command];
 }
 
+- (void)verifyCert:(const scoped_refptr<net::X509Certificate>&)cert
+              forHost:(NSString*)host
+    completionHandler:(void (^)(net::CertVerifyResult, int))completionHandler {
+  DCHECK(completionHandler);
+  __block scoped_refptr<net::X509Certificate> blockCert = cert;
+  web::WebThread::PostTask(
+      web::WebThread::IO, FROM_HERE, base::BindBlock(^{
+        // WeakNSObject does not work across different threads, hence this block
+        // retains self.
+        if (!_certVerifier) {
+          completionHandler(net::CertVerifyResult(), net::ERR_FAILED);
+          return;
+        }
+
+        web::CertVerifierBlockAdapter::Params params(
+            blockCert.Pass(), base::SysNSStringToUTF8(host));
+        params.flags = self.certVerifyFlags;
+        params.crl_set = net::SSLConfigService::GetCRLSet();
+        // OCSP response is not provided by iOS API.
+        _certVerifier->Verify(params, completionHandler);
+      }));
+}
+
 - (BOOL)shouldAbortLoadForCancelledError:(NSError*)error {
   DCHECK_EQ(error.code, NSURLErrorCancelled);
   // Do not abort the load if it is for an app specific URL, as such errors
@@ -1308,8 +1403,28 @@ WKWebViewErrorSource WKWebViewErrorSourceFromError(NSError* error) {
                     completionHandler:
         (void (^)(NSURLSessionAuthChallengeDisposition disposition,
                   NSURLCredential *credential))completionHandler {
-  NOTIMPLEMENTED();
-  completionHandler(NSURLSessionAuthChallengeRejectProtectionSpace, nil);
+  if (![challenge.protectionSpace.authenticationMethod
+          isEqual:NSURLAuthenticationMethodServerTrust]) {
+    completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
+    return;
+  }
+
+  SecTrustRef trust = challenge.protectionSpace.serverTrust;
+  scoped_refptr<net::X509Certificate> cert = web::CreateCertFromTrust(trust);
+  [self verifyCert:cert
+                forHost:challenge.protectionSpace.host
+      completionHandler:^(net::CertVerifyResult, int error) {
+        dispatch_async(dispatch_get_main_queue(), ^{
+          if (error == net::OK) {
+            // Cert is valid.
+          } else {
+            // Cert is invalid or its state is unknown.
+          }
+          NOTIMPLEMENTED();
+          completionHandler(NSURLSessionAuthChallengeRejectProtectionSpace,
+                            nil);
+        });
+      }];
 }
 
 - (void)webViewWebContentProcessDidTerminate:(WKWebView*)webView {