ios/web/web_state/ui/crw_wk_web_view_web_controller.mm - Issue 1230033005: WKWebView: Added cert verification API to web controller.

Unified Diff: ios/web/web_state/ui/crw_wk_web_view_web_controller.mm

Issue 1230033005: WKWebView: Added cert verification API to web controller. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Addressed review comments Created 5 years, 4 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: ios/web/web_state/ui/crw_wk_web_view_web_controller.mm

diff --git a/ios/web/web_state/ui/crw_wk_web_view_web_controller.mm b/ios/web/web_state/ui/crw_wk_web_view_web_controller.mm

index aa42be96a8bc1bbc14992c58d5130a30df9f8eae..a64f9ebe6aff7cdddbe936dbb4288b0a7140454c 100644

--- a/ios/web/web_state/ui/crw_wk_web_view_web_controller.mm

+++ b/ios/web/web_state/ui/crw_wk_web_view_web_controller.mm

@@ -9,15 +9,20 @@

#include "base/ios/ios_util.h"

#include "base/ios/weak_nsobject.h"

#include "base/json/json_reader.h"

+#include "base/mac/bind_objc_block.h"

#import "base/mac/scoped_nsobject.h"

#include "base/macros.h"

+#import "base/memory/scoped_ptr.h"

#include "base/strings/sys_string_conversions.h"

#include "base/values.h"

#import "ios/net/http_response_headers_util.h"

#import "ios/web/crw_network_activity_indicator_manager.h"

#import "ios/web/navigation/crw_session_controller.h"

#include "ios/web/navigation/web_load_params.h"

+#include "ios/web/net/cert_verifier_block_adapter.h"

+#include "ios/web/public/browser_state.h"

#include "ios/web/public/web_client.h"

+#include "ios/web/public/web_thread.h"

#import "ios/web/public/web_state/js/crw_js_injection_manager.h"

#import "ios/web/public/web_state/ui/crw_native_content_provider.h"

#import "ios/web/public/web_state/ui/crw_web_view_content_view.h"

@@ -35,6 +40,9 @@

#import "ios/web/web_state/web_view_internal_creation_util.h"

#import "ios/web/webui/crw_web_ui_manager.h"

#import "net/base/mac/url_conversions.h"

+#include "net/cert/cert_verify_result.h"

+#include "net/ssl/ssl_config_service.h"

+#include "net/url_request/url_request_context.h"

#if !defined(ENABLE_CHROME_NET_STACK_FOR_WKWEBVIEW)

#include "ios/web/public/cert_store.h"

@@ -51,6 +59,14 @@ NSString* GetRefererFromNavigationAction(WKNavigationAction* action) {

return [action.request valueForHTTPHeaderField:@"Referer"];

}

+// Returns net::URLRequestContext obtained from the given |webState|.

+net::URLRequestContext* GetURLRequestContext(web::WebState* webState) {

+ DCHECK(webState);

+ auto contextGetter = webState->GetBrowserState()->GetRequestContext();

Ryan Sleevi 2015/08/06 03:07:09 This is not a valid (Chromium) use of auto See th

Eugene But (OOO till 7-30) 2015/08/07 02:27:20 I used auto to avoid a linebreak. But I'm not very

+ DCHECK(contextGetter);

+ return contextGetter->GetURLRequestContext();

NSString* const kScriptMessageName = @"crwebinvoke";

NSString* const kScriptImmediateName = @"crwebinvokeimmediate";

@@ -131,6 +147,9 @@ WKWebViewErrorSource WKWebViewErrorSourceFromError(NSError* error) {

// CRWWebUIManager object for loading WebUI pages.

base::scoped_nsobject<CRWWebUIManager> _webUIManager;

+ // Backs up property with the same name.

+ scoped_ptr<net::CertVerifierBlockAdapter> _certVerifier;

}

// Response's MIME type of the last known navigation.

@@ -151,6 +170,13 @@ WKWebViewErrorSource WKWebViewErrorSourceFromError(NSError* error) {

@property(nonatomic, readonly) int certGroupID;

#endif // #if !defined(ENABLE_CHROME_NET_STACK_FOR_WKWEBVIEW)

+// Cert verification flags. Must be called on IO Thread.

+@property(nonatomic, readonly) net::CertVerifier::VerifyFlags certVerifyFlags;

+// Cert verification object which wraps net::CertVerifier. Must be called on

+// IO Thread.

+@property(nonatomic, readonly) net::CertVerifierBlockAdapter* certVerifier;

// Returns the WKWebViewConfigurationProvider associated with the web

// controller's BrowserState.

- (web::WKWebViewConfigurationProvider&)webViewConfigurationProvider;

@@ -240,6 +266,13 @@ WKWebViewErrorSource WKWebViewErrorSourceFromError(NSError* error) {

// Attempts to handle a script message. Returns YES on success, NO otherwise.

- (BOOL)respondToWKScriptMessage:(WKScriptMessage*)scriptMessage;

+// completion. |block| can not be null and will be called asynchronously on the

+// main thread.

+- (void)verifyCert:(scoped_refptr<net::X509Certificate>)cert

+ forHost:(NSString*)host

+ completionHandler:(void (^)(net::CertVerifyResult, int))block;

// Used to decide whether a load that generates errors with the

// NSURLErrorCancelled code should be cancelled.

- (BOOL)shouldAbortLoadForCancelledError:(NSError*)error;

@@ -503,6 +536,27 @@ WKWebViewErrorSource WKWebViewErrorSourceFromError(NSError* error) {

}

#endif

+- (net::CertVerifier::VerifyFlags)certVerifyFlags {

+ net::URLRequestContext* context = GetURLRequestContext(self.webState);

+ DCHECK(context);

+ net::SSLConfigService* SSLConfigService = context->ssl_config_service();

+ DCHECK(SSLConfigService);

+ net::SSLConfig config;

+ SSLConfigService->GetSSLConfig(&config);

+ return static_cast<net::CertVerifier::VerifyFlags>(

+ config.GetCertVerifyFlags());

+- (net::CertVerifierBlockAdapter*)certVerifier {

+ if (!_certVerifier) {

Ryan Sleevi 2015/08/06 03:07:09 Why do you lazily create this?

Eugene But (OOO till 7-30) 2015/08/07 02:27:20 I can't create this in -init, because GetURLReques

+ net::URLRequestContext* context = GetURLRequestContext(self.webState);

+ DCHECK(context);

+ _certVerifier.reset(

+ new net::CertVerifierBlockAdapter(context->cert_verifier()));

+ }

+ return _certVerifier.get();

- (web::WKWebViewConfigurationProvider&)webViewConfigurationProvider {

DCHECK(self.webStateImpl);

web::BrowserState* browserState = self.webStateImpl->GetBrowserState();

@@ -852,6 +906,34 @@ WKWebViewErrorSource WKWebViewErrorSourceFromError(NSError* error) {

: [super selectorToHandleJavaScriptCommand:command];

}

+- (void)verifyCert:(scoped_refptr<net::X509Certificate>)cert

+ forHost:(NSString*)host

+ completionHandler:(void (^)(net::CertVerifyResult, int))completionHandler {

+ DCHECK(completionHandler);

+ base::WeakNSObject<CRWWKWebViewWebController> weakSelf(self);

+ web::WebThread::PostTask(web::WebThread::IO, FROM_HERE, base::BindBlock(^{

+ // WeakNSObject does not work across different threads, hence this block

+ // retains self.

+ if ([self isBeingDestroyed]) {

+ completionHandler(net::CertVerifyResult(), net::ERR_FAILED);

+ return;

+ }

+ std::string hostname = base::SysNSStringToUTF8(host);

+ net::CertVerifierBlockAdapter::Params params(cert, hostname);

+ params.ocsp_response = ""; // Not provided by iOS API.

+ params.flags = self.certVerifyFlags;

+ params.crl_set = net::SSLConfigService::GetCRLSet().Pass();

+ self.certVerifier->Verify(

+ params, ^(net::CertVerifyResult result, int status) {

+ dispatch_async(dispatch_get_main_queue(), ^{

+ completionHandler(result, status);

+ });

+ }));

- (BOOL)shouldAbortLoadForCancelledError:(NSError*)error {

DCHECK_EQ(error.code, NSURLErrorCancelled);

// Do not abort the load if it is for an app specific URL, as such errors

@@ -1188,8 +1270,28 @@ WKWebViewErrorSource WKWebViewErrorSourceFromError(NSError* error) {

completionHandler:

(void (^)(NSURLSessionAuthChallengeDisposition disposition,

NSURLCredential *credential))completionHandler {

- NOTIMPLEMENTED();

- completionHandler(NSURLSessionAuthChallengeRejectProtectionSpace, nil);

+ if (![challenge.protectionSpace.authenticationMethod

+ isEqual:NSURLAuthenticationMethodServerTrust]) {

+ completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);

+ return;

+ }

+ SecTrustRef trust = challenge.protectionSpace.serverTrust;

+ scoped_refptr<net::X509Certificate> cert = web::CreateCertFromTrust(trust);

+ [self verifyCert:cert

+ forHost:challenge.protectionSpace.host

+ completionHandler:^(net::CertVerifyResult result, int status) {

+ bool isCertValid = status == net::OK &&

+ !net::IsCertStatusError(result.cert_status) &&

+ !net::IsCertStatusMinorError(result.cert_status);

+ if (isCertValid) {

+ // Cert is valid.

+ } else {

+ // Cert is invalid.

+ }

+ NOTIMPLEMENTED();

+ completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);

+ }];

}

- (void)webViewWebContentProcessDidTerminate:(WKWebView*)webView {

« ios/web/net/cert_verifier_block_adapter.cc ('K') | « ios/web/net/cert_verifier_block_adapter_unittest.cc ('k') | no next file » | no next file with comments »