WKWebView(iOS9): correctly update SSL status for current navigation item

ios/web/web_state/ui/crw_wk_web_view_web_controller.mm

Index: ios/web/web_state/ui/crw_wk_web_view_web_controller.mm
diff --git a/ios/web/web_state/ui/crw_wk_web_view_web_controller.mm b/ios/web/web_state/ui/crw_wk_web_view_web_controller.mm
index de61cdcfb1938699a0ff67479dba4d6c19fa20b2..aa607dd44ecf20797f4d767f4a0624b9bbdc4877 100644
--- a/ios/web/web_state/ui/crw_wk_web_view_web_controller.mm
+++ b/ios/web/web_state/ui/crw_wk_web_view_web_controller.mm
@@ -241,6 +241,11 @@ WKWebViewErrorSource WKWebViewErrorSourceFromError(NSError* error) {
 // Clears all activity indicator tasks for this web controller.
 - (void)clearActivityIndicatorTasks;
 
+// Obtains SSL status from given |certChain| and updates it for navigation items
+// with given |certID|.
+- (void)updateSSLStatusForNavigationItemsWithCertID:(int)certID
+                                     usingCertChain:(NSArray*)certChain;
+
 #if !defined(ENABLE_CHROME_NET_STACK_FOR_WKWEBVIEW)
 // Updates SSL status for the current navigation item based on the information
 // provided by web view.
@@ -841,12 +846,52 @@ WKWebViewErrorSource WKWebViewErrorSourceFromError(NSError* error) {
       clearNetworkTasksForGroup:[self activityIndicatorGroupID]];
 }
 
+- (void)updateSSLStatusForNavigationItemsWithCertID:(int)certID
+                                     usingCertChain:(NSArray*)certChain {
+  base::WeakNSObject<CRWWKWebViewWebController> weakSelf(self);
+  void (^SSLStatusResponse)(web::SecurityStyle, net::CertStatus) =
+      ^(web::SecurityStyle style, net::CertStatus certStatus) {
+        base::scoped_nsobject<CRWWKWebViewWebController> strongSelf(
+            [weakSelf retain]);
+        if (!strongSelf || [strongSelf isBeingDestroyed]) {
+          return;
+        }
+
+        web::NavigationManagerImpl& navigationManager =
+            [strongSelf webStateImpl]->GetNavigationManagerImpl();
+
+        bool updated = false;

[stuartmorgan, 2015/09/10 22:26:18]

updatedCurrentItem?

[Eugene But (OOO till 7-30), 2015/09/14 23:20:30]

Done.

+        for (int i = 0; i < navigationManager.GetEntryCount(); i++) {
+          web::NavigationItem* item = navigationManager.GetItemAtIndex(i);
+          DCHECK(item);
+          web::SSLStatus previousSSLStatus = item->GetSSL();

[stuartmorgan, 2015/09/10 22:26:18]

This should be inside the if; currently you're copying the status for every
single item in history, even if only one matches.

[Eugene But (OOO till 7-30), 2015/09/14 23:20:30]

Done.

+          web::SSLStatus& SSLStatus = item->GetSSL();
+          if (SSLStatus.cert_id == certID) {
+            SSLStatus.cert_status = certStatus;
+            SSLStatus.security_style = style;
+            if (navigationManager.GetCurrentEntryIndex() == i &&

[stuartmorgan, 2015/09/10 22:26:18]

The current index could be called outside the loop, since it won't change.

(Optional, but seems like a good time to create a public GetCurrentItemIndex,
since the Entry form was just a temporary facade helper.)

[Eugene But (OOO till 7-30), 2015/09/14 23:20:30]

Done.

+                !previousSSLStatus.Equals(SSLStatus)) {
+              updated = true;
+            }
+          }
+        }
+
+        if (updated) {
+          [strongSelf didUpdateSSLStatusForCurrentNavigationItem];
+        }
+      };
+
+  [_certVerificationController querySSLStatusForCertChain:certChain
+                                                     host:[_wkWebView URL].host
+                                        completionHandler:SSLStatusResponse];
+}
+
 #if !defined(ENABLE_CHROME_NET_STACK_FOR_WKWEBVIEW)
+
 - (void)updateSSLStatusForCurrentNavigationItem {
   if ([self isBeingDestroyed])
     return;
 
-  DCHECK(self.webStateImpl);
   web::NavigationItem* item =
       self.webStateImpl->GetNavigationManagerImpl().GetLastCommittedItem();
   if (!item)
@@ -854,34 +899,49 @@ WKWebViewErrorSource WKWebViewErrorSourceFromError(NSError* error) {
 
   web::SSLStatus previousSSLStatus = item->GetSSL();
   web::SSLStatus& SSLStatus = item->GetSSL();
-  if (item->GetURL().SchemeIsCryptographic()) {
-    // TODO(eugenebut): Do not set security style to authenticated once
-    // proceeding with bad ssl cert is implemented.
-    SSLStatus.security_style = web::SECURITY_STYLE_AUTHENTICATED;
-    SSLStatus.content_status = [_wkWebView hasOnlySecureContent]
-                                   ? web::SSLStatus::NORMAL_CONTENT
-                                   : web::SSLStatus::DISPLAYED_INSECURE_CONTENT;
-
-    if (base::ios::IsRunningOnIOS9OrLater()) {
-      scoped_refptr<net::X509Certificate> cert(web::CreateCertFromChain(
-          [_wkWebView performSelector:@selector(certificateChain)]));
-      if (cert) {
-        SSLStatus.cert_id = web::CertStore::GetInstance()->StoreCert(
-            cert.get(), self.certGroupID);
-      } else {
-        SSLStatus.security_style = web::SECURITY_STYLE_UNAUTHENTICATED;
-        SSLStatus.cert_id = 0;
-      }
-    }
+
+  // Starting from iOS9 WKWebView blocks active mixed content, so if
+  // |hasOnlySecureContent| returns NO it means passive content.
+  // On iOS8 there is no way to determine if web view has active mixed content.
+  SSLStatus.content_status = [_wkWebView hasOnlySecureContent]
+                                 ? web::SSLStatus::NORMAL_CONTENT
+                                 : web::SSLStatus::DISPLAYED_INSECURE_CONTENT;
+
+  // Retrieve top level frame certificate.
+  NSArray* chain = nil;
+  scoped_refptr<net::X509Certificate> cert;
+  if (base::ios::IsRunningOnIOS9OrLater() &&
+      item->GetURL().SchemeIsCryptographic()) {
+    chain = [_wkWebView performSelector:@selector(certificateChain)];
+    cert = web::CreateCertFromChain(chain);
+  }
+
+  if (cert) {
+    SSLStatus.cert_id =
+        web::CertStore::GetInstance()->StoreCert(cert.get(), self.certGroupID);
+    [self updateSSLStatusForNavigationItemsWithCertID:SSLStatus.cert_id
+                                       usingCertChain:chain];
   } else {
-    SSLStatus.security_style = web::SECURITY_STYLE_UNAUTHENTICATED;
     SSLStatus.cert_id = 0;
+    if (!item->GetURL().SchemeIsCryptographic()) {
+      // HTTP or other non-secure connection.
+      SSLStatus.security_style = web::SECURITY_STYLE_UNAUTHENTICATED;
+    } else if (base::ios::IsRunningOnIOS9OrLater()) {
+      // HTTPS, iOS9 and no certificate (this use-case has not been observed).
+      // TODO(eugenebut): Add UMA action for this anomaly (crbug.com/528668).
+      SSLStatus.security_style = web::SECURITY_STYLE_UNKNOWN;
+    } else {
+      // HTTPS, iOS8.
+      // iOS8 cannot load unauthentificated HTTPS content.

[stuartmorgan, 2015/09/10 22:26:18]

s/ificated/icated/

[Eugene But (OOO till 7-30), 2015/09/14 23:20:30]

Done.

+      SSLStatus.security_style = web::SECURITY_STYLE_AUTHENTICATED;
+    }
   }
 
   if (!previousSSLStatus.Equals(SSLStatus)) {
     [self didUpdateSSLStatusForCurrentNavigationItem];
   }
 }
+
 #endif  // !defined(ENABLE_CHROME_NET_STACK_FOR_WKWEBVIEW)
 
 - (void)registerLoadRequest:(const GURL&)url {