Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(223)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: ios/web/net/crw_cert_verification_controller.mm

Issue 1322193003: WKWebView(iOS9): correctly update SSL status for current navigation item (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@reland_cert_verification
Patch Set: Clear all non-error bits for valid certs. Created 5 years, 3 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « ios/web/net/crw_cert_verification_controller.h ('k') | ios/web/net/crw_cert_verification_controller_unittest.mm » ('j') | ios/web/web_state/ui/crw_wk_web_view_web_controller.mm » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: ios/web/net/crw_cert_verification_controller.mm
diff --git a/ios/web/net/crw_cert_verification_controller.mm b/ios/web/net/crw_cert_verification_controller.mm
index b8dba8fa106811aa2c53aeffbe5539587ea8f301..615d077f4f70751d0860d566925b52b353bf4ac4 100644
--- a/ios/web/net/crw_cert_verification_controller.mm
+++ b/ios/web/net/crw_cert_verification_controller.mm
@@ -11,6 +11,7 @@
#include "ios/web/net/cert_verifier_block_adapter.h"
#include "ios/web/public/browser_state.h"
#include "ios/web/public/web_thread.h"
+#import "ios/web/web_state/wk_web_view_security_util.h"
#include "net/cert/cert_verify_result.h"
#include "net/ssl/ssl_config_service.h"
#include "net/url_request/url_request_context.h"
@@ -106,16 +107,16 @@ class BlockHolder : public base::RefCountedThreadSafe<BlockHolder<T>> {
- (void)decidePolicyForCert:(const scoped_refptr<net::X509Certificate>&)cert
host:(NSString*)host
- completionHandler:(web::PolicyDecisionHandler)handler {
+ completionHandler:(web::PolicyDecisionHandler)completionHandler {
DCHECK_CURRENTLY_ON_WEB_THREAD(web::WebThread::UI);
// completionHandler of |verifyCert:forHost:completionHandler:| is called on
// IO thread and then bounces back to UI thread. As a result all objects
// captured by completionHandler may be released on either UI or IO thread.
- // Since |handler| can potentially capture multiple thread unsafe objects
- // (like Web Controller) |handler| itself should never be released on
- // background thread and |BlockHolder| ensures that.
+ // Since |completionHandler| can potentially capture multiple thread unsafe
+ // objects (like Web Controller) |completionHandler| itself should never be
+ // released on background thread and |BlockHolder| ensures that.
__block scoped_refptr<BlockHolder<web::PolicyDecisionHandler>> handlerHolder(
- new BlockHolder<web::PolicyDecisionHandler>(handler));
+ new BlockHolder<web::PolicyDecisionHandler>(completionHandler));
[self verifyCert:cert
forHost:host
completionHandler:^(net::CertVerifyResult result, int error) {
@@ -135,6 +136,45 @@ class BlockHolder : public base::RefCountedThreadSafe<BlockHolder<T>> {
}];
}
+- (void)querySSLStatusForCertChain:(NSArray*)certChain
+ host:(NSString*)host
+ completionHandler:(web::StatusQueryHandler)completionHandler {
+ DCHECK_CURRENTLY_ON_WEB_THREAD(web::WebThread::UI);
+ DCHECK(certChain.count);
+
+ // Completion handler of |verifyCert:forHost:completionHandler:| will be
+ // deallocated on IO thread. |completionHandler| itself should never be
+ // released on background thread and |BlockHolder| ensures that.
+ __block scoped_refptr<BlockHolder<web::StatusQueryHandler>> handlerHolder(
+ new BlockHolder<web::StatusQueryHandler>(completionHandler));
+ scoped_refptr<net::X509Certificate> cert(web::CreateCertFromChain(certChain));
+ // Knowing net::CertStatus is necessry even for valid certs in order to
felt 2015/09/15 22:39:11 nit: "necessry" -> "necessary"
Eugene But (OOO till 7-30) 2015/09/15 23:04:43 Done.
+ // support SHA-1 deprecation.
+ [self verifyCert:cert
+ forHost:host
+ completionHandler:^(net::CertVerifyResult certVerifierResult, int) {
+ base::ScopedCFTypeRef<SecTrustRef> trust(
+ web::CreateServerTrustFromChain(certChain, host));
+
+ SecTrustResultType trustResult = kSecTrustResultInvalid;
+ SecTrustEvaluate(trust.get(), &trustResult);
+
+ // For certs, which considered valid by Sec Trust API, discard all
+ // error bits from net::CertStatus. This will leave cert in a valid
+ // state, but will keep important information, like SHA-1 presense.
jww 2015/09/15 22:26:25 nit: "presense" -> "presence"
Eugene But (OOO till 7-30) 2015/09/15 23:04:43 Done.
+ web::SecurityStyle security_style =
+ web::GetSecurityStyleFromTrustResult(trustResult);
+ net::CertStatus cert_status = certVerifierResult.cert_status;
+ if (security_style == web::SECURITY_STYLE_AUTHENTICATED) {
+ cert_status &= net::CERT_STATUS_NON_ERROR_STATUSES;
+ }
+
+ dispatch_async(dispatch_get_main_queue(), ^{
+ handlerHolder->call(security_style, cert_status);
+ });
+ }];
+}
+
- (void)shutDown {
DCHECK_CURRENTLY_ON_WEB_THREAD(web::WebThread::UI);
web::WebThread::PostTask(web::WebThread::IO, FROM_HERE, base::BindBlock(^{
« no previous file with comments | « ios/web/net/crw_cert_verification_controller.h ('k') | ios/web/net/crw_cert_verification_controller_unittest.mm » ('j') | ios/web/web_state/ui/crw_wk_web_view_web_controller.mm » ('J')

Powered by Google App Engine
This is Rietveld 408576698