
Side by Side Diff: ios/web/web_state/wk_web_view_security_util.mm

Issue 1322193003: WKWebView(iOS9): correctly update SSL status for current navigation item (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@reland_cert_verification
Patch Set: Fixed typos Created 5 years, 3 months ago
1 // Copyright 2014 The Chromium Authors. All rights reserved. 1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #import "ios/web/web_state/wk_web_view_security_util.h" 5 #import "ios/web/web_state/wk_web_view_security_util.h"
6 6
7 #include "base/mac/scoped_cftyperef.h" 7 #include "base/mac/scoped_cftyperef.h"
8 #include "base/strings/sys_string_conversions.h" 8 #include "base/strings/sys_string_conversions.h"
9 #include "net/cert/x509_certificate.h" 9 #include "net/cert/x509_certificate.h"
10 #include "net/ssl/ssl_info.h" 10 #include "net/ssl/ssl_info.h"
(...skipping 76 matching lines...) Expand 10 before | Expand all | Expand 10 after
87 } 87 }
88 88
89 net::X509Certificate::OSCertHandles intermediates; 89 net::X509Certificate::OSCertHandles intermediates;
90 for (CFIndex i = 1; i < cert_count; i++) { 90 for (CFIndex i = 1; i < cert_count; i++) {
91 intermediates.push_back(SecTrustGetCertificateAtIndex(trust, i)); 91 intermediates.push_back(SecTrustGetCertificateAtIndex(trust, i));
92 } 92 }
93 return net::X509Certificate::CreateFromHandle( 93 return net::X509Certificate::CreateFromHandle(
94 SecTrustGetCertificateAtIndex(trust, 0), intermediates); 94 SecTrustGetCertificateAtIndex(trust, 0), intermediates);
95 } 95 }
96 96
97 base::ScopedCFTypeRef<SecTrustRef> CreateServerTrustFromChain(NSArray* certs,
98 NSString* host) {
99 if (certs.count == 0)
100 return base::ScopedCFTypeRef<SecTrustRef>();
Ryan Sleevi 2015/09/19 12:45:38 You're preventing NVRO from helping you here with
Eugene But (OOO till 7-30) 2015/09/21 17:23:40 Done. However I kept nullptr, because nil should b
101
102 base::ScopedCFTypeRef<SecPolicyRef> policy(
103 SecPolicyCreateSSL(TRUE, static_cast<CFStringRef>(host)));
104 SecTrustRef result = nullptr;
105 if (SecTrustCreateWithCertificates(certs, policy, &result) == errSecSuccess) {
106 return base::ScopedCFTypeRef<SecTrustRef>(result);
107 }
108 return base::ScopedCFTypeRef<SecTrustRef>();
109 }
110
97 void EnsureFutureTrustEvaluationSucceeds(SecTrustRef trust) { 111 void EnsureFutureTrustEvaluationSucceeds(SecTrustRef trust) {
98 base::ScopedCFTypeRef<CFDataRef> exceptions(SecTrustCopyExceptions(trust)); 112 base::ScopedCFTypeRef<CFDataRef> exceptions(SecTrustCopyExceptions(trust));
99 SecTrustSetExceptions(trust, exceptions); 113 SecTrustSetExceptions(trust, exceptions);
100 } 114 }
101 115
102 BOOL IsWKWebViewSSLError(NSError* error) { 116 BOOL IsWKWebViewSSLError(NSError* error) {
103 // SSL errors range is (-2000..-1200], represented by kCFURLError constants: 117 // SSL errors range is (-2000..-1200], represented by kCFURLError constants:
104 // (kCFURLErrorCannotLoadFromNetwork..kCFURLErrorSecureConnectionFailed]. 118 // (kCFURLErrorCannotLoadFromNetwork..kCFURLErrorSecureConnectionFailed].
105 // It's reasonable to expect that all SSL errors will have the error code 119 // It's reasonable to expect that all SSL errors will have the error code
106 // less or equal to NSURLErrorSecureConnectionFailed but greater than 120 // less or equal to NSURLErrorSecureConnectionFailed but greater than
107 // NSURLErrorCannotLoadFromNetwork. 121 // NSURLErrorCannotLoadFromNetwork.
108 return [error.domain isEqualToString:NSURLErrorDomain] && 122 return [error.domain isEqualToString:NSURLErrorDomain] &&
109 (error.code <= NSURLErrorSecureConnectionFailed && 123 (error.code <= NSURLErrorSecureConnectionFailed &&
110 NSURLErrorCannotLoadFromNetwork < error.code); 124 NSURLErrorCannotLoadFromNetwork < error.code);
111 } 125 }
112 126
113 void GetSSLInfoFromWKWebViewSSLError(NSError* error, net::SSLInfo* ssl_info) { 127 void GetSSLInfoFromWKWebViewSSLError(NSError* error, net::SSLInfo* ssl_info) {
114 DCHECK(IsWKWebViewSSLError(error)); 128 DCHECK(IsWKWebViewSSLError(error));
115 ssl_info->cert_status = GetCertStatusFromNSErrorCode(error.code); 129 ssl_info->cert_status = GetCertStatusFromNSErrorCode(error.code);
116 ssl_info->cert = CreateCertFromSSLError(error); 130 ssl_info->cert = CreateCertFromSSLError(error);
117 } 131 }
118 132
133 SecurityStyle GetSecurityStyleFromTrustResult(SecTrustResultType result) {
134 switch (result) {
135 case kSecTrustResultInvalid:
136 return SECURITY_STYLE_UNKNOWN;
Ryan Sleevi 2015/09/19 12:45:38 Hrm, this implies a more benign result, except it'
Eugene But (OOO till 7-30) 2015/09/21 17:23:40 Acknowledged. Let me know if you expect something
137 case kSecTrustResultProceed:
138 case kSecTrustResultUnspecified:
139 return SECURITY_STYLE_AUTHENTICATED;
140 case kSecTrustResultDeny:
141 case kSecTrustResultRecoverableTrustFailure:
142 case kSecTrustResultFatalTrustFailure:
143 case kSecTrustResultOtherError:
144 return SECURITY_STYLE_AUTHENTICATION_BROKEN;
145 }
146 NOTREACHED();
147 return SECURITY_STYLE_UNKNOWN;
148 }
149
119 } // namespace web 150 } // namespace web
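Review bot: CreateServerTrustFromChain rejects an empty `certs` array but passes `host` straight to `SecPolicyCreateSSL` without checking it. When the hostname argument is NULL, the resulting SSL policy carries no hostname requirement, so a nil `host` would yield a trust object that can evaluate successfully for a leaf certificate issued to any name. Since GetSecurityStyleFromTrustResult then maps a successful evaluation to SECURITY_STYLE_AUTHENTICATED, the missing host should fail closed like the empty chain does: `if (certs.count == 0 || host.length == 0) return base::ScopedCFTypeRef<SecTrustRef>();`. The callers are not visible on this page, so whether a nil host can reach this function in practice is unconfirmed. A `DCHECK(host.length)` plus a header comment stating that the returned trust is bound to `host` would make the contract explicit.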