Chromium Code Reviews Chromium Code Reviews
Issue 1322193003:
WKWebView(iOS9): correctly update SSL status for current navigation item (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@reland_cert_verification| OLD | NEW |
|---|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #import "ios/web/web_state/wk_web_view_security_util.h" | 5 #import "ios/web/web_state/wk_web_view_security_util.h" |
| 6 | 6 |
| 7 #include "base/mac/scoped_cftyperef.h" | 7 #include "base/mac/scoped_cftyperef.h" |
| 8 #include "base/strings/sys_string_conversions.h" | 8 #include "base/strings/sys_string_conversions.h" |
| 9 #include "net/cert/x509_certificate.h" | 9 #include "net/cert/x509_certificate.h" |
| 10 #include "net/ssl/ssl_info.h" | 10 #include "net/ssl/ssl_info.h" |
| (...skipping 76 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 87 } | 87 } |
| 88 | 88 |
| 89 net::X509Certificate::OSCertHandles intermediates; | 89 net::X509Certificate::OSCertHandles intermediates; |
| 90 for (CFIndex i = 1; i < cert_count; i++) { | 90 for (CFIndex i = 1; i < cert_count; i++) { |
| 91 intermediates.push_back(SecTrustGetCertificateAtIndex(trust, i)); | 91 intermediates.push_back(SecTrustGetCertificateAtIndex(trust, i)); |
| 92 } | 92 } |
| 93 return net::X509Certificate::CreateFromHandle( | 93 return net::X509Certificate::CreateFromHandle( |
| 94 SecTrustGetCertificateAtIndex(trust, 0), intermediates); | 94 SecTrustGetCertificateAtIndex(trust, 0), intermediates); |
| 95 } | 95 } |
| 96 | 96 |
| 97 base::ScopedCFTypeRef<SecTrustRef> CreateServerTrustFromChain(NSArray* certs, | |
| 98 NSString* host) { | |
| 99 if (certs.count == 0) | |
| 100 return base::ScopedCFTypeRef<SecTrustRef>(); | |
| 101 | |
| 102 base::ScopedCFTypeRef<SecPolicyRef> policy( | |
| 103 SecPolicyCreateSSL(TRUE, static_cast<CFStringRef>(host))); | |
| 104 SecTrustRef result = nullptr; | |
| 105 if (SecTrustCreateWithCertificates(certs, policy, &result) == errSecSuccess) { | |
| 106 return base::ScopedCFTypeRef<SecTrustRef>(result); | |
| 107 } | |
| 108 return base::ScopedCFTypeRef<SecTrustRef>(); | |
| 109 } | |
| 110 | |
| 97 void EnsureFutureTrustEvaluationSucceeds(SecTrustRef trust) { | 111 void EnsureFutureTrustEvaluationSucceeds(SecTrustRef trust) { |
| 98 base::ScopedCFTypeRef<CFDataRef> exceptions(SecTrustCopyExceptions(trust)); | 112 base::ScopedCFTypeRef<CFDataRef> exceptions(SecTrustCopyExceptions(trust)); |
| 99 SecTrustSetExceptions(trust, exceptions); | 113 SecTrustSetExceptions(trust, exceptions); |
| 100 } | 114 } |
| 101 | 115 |
| 102 BOOL IsWKWebViewSSLError(NSError* error) { | 116 BOOL IsWKWebViewSSLError(NSError* error) { |
| 103 // SSL errors range is (-2000..-1200], represented by kCFURLError constants: | 117 // SSL errors range is (-2000..-1200], represented by kCFURLError constants: |
| 104 // (kCFURLErrorCannotLoadFromNetwork..kCFURLErrorSecureConnectionFailed]. | 118 // (kCFURLErrorCannotLoadFromNetwork..kCFURLErrorSecureConnectionFailed]. |
| 105 // It's reasonable to expect that all SSL errors will have the error code | 119 // It's reasonable to expect that all SSL errors will have the error code |
| 106 // less or equal to NSURLErrorSecureConnectionFailed but greater than | 120 // less or equal to NSURLErrorSecureConnectionFailed but greater than |
| 107 // NSURLErrorCannotLoadFromNetwork. | 121 // NSURLErrorCannotLoadFromNetwork. |
| 108 return [error.domain isEqualToString:NSURLErrorDomain] && | 122 return [error.domain isEqualToString:NSURLErrorDomain] && |
| 109 (error.code <= NSURLErrorSecureConnectionFailed && | 123 (error.code <= NSURLErrorSecureConnectionFailed && |
| 110 NSURLErrorCannotLoadFromNetwork < error.code); | 124 NSURLErrorCannotLoadFromNetwork < error.code); |
| 111 } | 125 } |
| 112 | 126 |
| 113 void GetSSLInfoFromWKWebViewSSLError(NSError* error, net::SSLInfo* ssl_info) { | 127 void GetSSLInfoFromWKWebViewSSLError(NSError* error, net::SSLInfo* ssl_info) { |
| 114 DCHECK(IsWKWebViewSSLError(error)); | 128 DCHECK(IsWKWebViewSSLError(error)); |
| 115 ssl_info->cert_status = GetCertStatusFromNSErrorCode(error.code); | 129 ssl_info->cert_status = GetCertStatusFromNSErrorCode(error.code); |
| 116 ssl_info->cert = CreateCertFromSSLError(error); | 130 ssl_info->cert = CreateCertFromSSLError(error); |
| 117 } | 131 } |
| 118 | 132 |
| 133 SecurityStyle GetSecurityStyleFromTrustResult(SecTrustResultType result) { | |
| 134 switch (result) { | |
| 135 case kSecTrustResultInvalid: | |
| 136 return SECURITY_STYLE_UNKNOWN; | |
| 137 case kSecTrustResultProceed: | |
| 138 case kSecTrustResultUnspecified: | |
|
felt
2015/09/15 22:39:11
^ I'm surprised that "unspecified" ends up being t
Eugene But (OOO till 7-30)
2015/09/15 23:04:43
Yeah, I understand confusion, but this is actual r
| |
| 139 return SECURITY_STYLE_AUTHENTICATED; | |
| 140 case kSecTrustResultDeny: | |
| 141 case kSecTrustResultRecoverableTrustFailure: | |
| 142 case kSecTrustResultFatalTrustFailure: | |
| 143 case kSecTrustResultOtherError: | |
| 144 return SECURITY_STYLE_AUTHENTICATION_BROKEN; | |
| 145 } | |
| 146 NOTREACHED(); | |
| 147 return SECURITY_STYLE_UNKNOWN; | |
| 148 } | |
| 149 | |
| 119 } // namespace web | 150 } // namespace web |
| OLD | NEW |
