WKWebView: Implemented recoverable SSL interstitials.

ios/web/web_state/ui/crw_wk_web_view_web_controller.mm

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #import "ios/web/web_state/ui/crw_wk_web_view_web_controller.h"
 
 #import <WebKit/WebKit.h>
 
+#include "base/containers/mru_cache.h"
 #include "base/ios/ios_util.h"
 #include "base/ios/weak_nsobject.h"
 #include "base/json/json_reader.h"
 #import "base/mac/scoped_nsobject.h"
 #include "base/macros.h"
 #include "base/metrics/histogram_macros.h"
 #include "base/strings/sys_string_conversions.h"
 #include "base/values.h"
 #import "ios/net/http_response_headers_util.h"
 #import "ios/web/crw_network_activity_indicator_manager.h"
 #import "ios/web/navigation/crw_session_controller.h"
 #import "ios/web/navigation/crw_session_entry.h"
 #include "ios/web/navigation/navigation_item_impl.h"
 #include "ios/web/navigation/web_load_params.h"
+#include "ios/web/net/cert_host_pair.h"
 #import "ios/web/net/crw_cert_verification_controller.h"
 #include "ios/web/public/cert_store.h"
 #include "ios/web/public/navigation_item.h"
 #include "ios/web/public/ssl_status.h"
 #include "ios/web/public/web_client.h"
 #import "ios/web/public/web_state/js/crw_js_injection_manager.h"
 #import "ios/web/public/web_state/ui/crw_native_content_provider.h"
 #import "ios/web/public/web_state/ui/crw_web_view_content_view.h"
 #import "ios/web/ui_web_view_util.h"
 #include "ios/web/web_state/blocked_popup_info.h"
 #import "ios/web/web_state/error_translation_util.h"
 #include "ios/web/web_state/frame_info.h"
 #import "ios/web/web_state/js/crw_js_window_id_manager.h"
 #import "ios/web/web_state/ui/crw_web_controller+protected.h"
 #import "ios/web/web_state/ui/crw_wk_script_message_router.h"
 #import "ios/web/web_state/ui/crw_wk_web_view_crash_detector.h"
 #import "ios/web/web_state/ui/web_view_js_utils.h"
 #import "ios/web/web_state/ui/wk_back_forward_list_item_holder.h"
 #import "ios/web/web_state/ui/wk_web_view_configuration_provider.h"
 #import "ios/web/web_state/web_state_impl.h"
 #import "ios/web/web_state/web_view_internal_creation_util.h"
 #import "ios/web/web_state/wk_web_view_security_util.h"
 #import "ios/web/webui/crw_web_ui_manager.h"
+#import "net/base/mac/url_conversions.h"
 #include "net/cert/x509_certificate.h"
-#import "net/base/mac/url_conversions.h"
 #include "net/ssl/ssl_info.h"
 #include "url/url_constants.h"
 
 namespace {
+
+// Represents cert verification error, which happened inside
+// |webView:didReceiveAuthenticationChallenge:completionHandler:| and should
+// be checked inside |webView:didFailProvisionalNavigation:withError:|.
+struct CertVerificationError {
+  CertVerificationError(BOOL is_recoverable, net::CertStatus status)
+      : is_recoverable(is_recoverable), status(status) {}
+
+  BOOL is_recoverable;
+  net::CertStatus status;
+};
+
+// Type of Cache object for storing cert verification errors.
+typedef base::MRUCache<web::CertHostPair, CertVerificationError>
+    CertVerificationErrorsCacheType;
+
+// Maximum number of errors to store in cert verification errors cache.
+// Cache holds errors only for pending navigations, so the actual number of
+// stored errors is not expected to be high.
+const CertVerificationErrorsCacheType::size_type kMaxCertErrorsCount = 100;
+
 // Extracts Referer value from WKNavigationAction request header.
 NSString* GetRefererFromNavigationAction(WKNavigationAction* action) {
   return [action.request valueForHTTPHeaderField:@"Referer"];
 }
 
 NSString* const kScriptMessageName = @"crwebinvoke";
 NSString* const kScriptImmediateName = @"crwebinvokeimmediate";
 
 // Utility functions for storing the source of NSErrors received by WKWebViews:
 // - Errors received by |-webView:didFailProvisionalNavigation:withError:| are
@@ skipping 75 matching lines @@
   // bad SSL cert, presenting SSL interstitials and determining SSL status for
   // Navigation Items.
   base::scoped_nsobject<CRWCertVerificationController>
       _certVerificationController;
 
   // Whether the pending navigation has been directly cancelled in
   // |decidePolicyForNavigationAction| or |decidePolicyForNavigationResponse|.
   // Cancelled navigations should be simply discarded without handling any
   // specific error.
   BOOL _pendingNavigationCancelled;
+
+  // CertVerification errors which happened inside
+  // |webView:didReceiveAuthenticationChallenge:completionHandler:|.
+  // Key is leaf-cert/host pair. This storage is used to carry calculated
+  // cert status from |didReceiveAuthenticationChallenge:| to
+  // |didFailProvisionalNavigation:| delegate method.
+  scoped_ptr<CertVerificationErrorsCacheType> _certVerificationErrors;
 }
 
 // Response's MIME type of the last known navigation.
 @property(nonatomic, copy) NSString* documentMIMEType;
 
 // Dictionary where keys are the names of WKWebView properties and values are
 // selector names which should be called when a corresponding property has
 // changed. e.g. @{ @"URL" : @"webViewURLDidChange" } means that
 // -[self webViewURLDidChange] must be called every time when WKWebView.URL is
 // changed.
@@ skipping 107 matching lines @@
 // updates current navigation item. Before scheduling update changes SSLStatus'
 // cert_status and security_style to default.
 - (void)scheduleSSLStatusUpdateUsingCertChain:(NSArray*)chain
                                          host:(NSString*)host;
 
 // Updates SSL status for the current navigation item based on the information
 // provided by web view.
 - (void)updateSSLStatusForCurrentNavigationItem;
 #endif
 
+// Used in webView:didReceiveAuthenticationChallenge:completionHandler: to reply
+// with NSURLSessionAuthChallengeDisposition and credentials.
+- (void)processAuthChallenge:(NSURLAuthenticationChallenge*)challenge
+         forCertAcceptPolicy:(web::CertAcceptPolicy)policy
+                  certStatus:(net::CertStatus)certStatus
+           completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition,
+                                       NSURLCredential*))completionHandler;
+
 // Registers load request with empty referrer and link or client redirect
 // transition based on user interaction state.
 - (void)registerLoadRequest:(const GURL&)url;
 
 // Called when a non-document-changing URL change occurs. Updates the
 // _documentURL, and informs the superclass of the change.
 - (void)URLDidChangeWithoutDocumentChange:(const GURL&)URL;
 
 // Called when web controller receives a new message from the web page.
 - (void)didReceiveScriptMessage:(WKScriptMessage*)message;
@@ skipping 29 matching lines @@
 
 #pragma mark CRWWebController public methods
 
 - (instancetype)initWithWebState:(scoped_ptr<web::WebStateImpl>)webState {
   DCHECK(webState);
   web::BrowserState* browserState = webState->GetBrowserState();
   self = [super initWithWebState:webState.Pass()];
   if (self) {
     _certVerificationController.reset([[CRWCertVerificationController alloc]
         initWithBrowserState:browserState]);
+    _certVerificationErrors.reset(
+        new CertVerificationErrorsCacheType(kMaxCertErrorsCount));
   }
   return self;
 }
 
 - (BOOL)keyboardDisplayRequiresUserAction {
   // TODO(stuartmorgan): Find out whether YES or NO is correct; see comment
   // in protected header.
   NOTIMPLEMENTED();
   return NO;
 }
@@ skipping 226 matching lines @@
   }
   return [super URLForHistoryNavigationFromItem:fromItem toItem:toItem];
 }
 
 - (void)setPageChangeProbability:(web::PageChangeProbability)probability {
   // Nothing to do; no polling timer.
 }
 
 - (void)abortWebLoad {
   [_wkWebView stopLoading];
+  _certVerificationErrors->Clear();
 }
 
 - (void)resetLoadState {
   // Nothing to do.
 }
 
 - (void)setSuppressDialogsWithHelperScript:(NSString*)script {
   [self evaluateJavaScript:script stringResultHandler:nil];
 }
 
@@ skipping 278 matching lines @@
                                sourceURL:sourceURL
                           referrerPolicy:base::SysNSStringToUTF8(policy)];
       }];
   });
 }
 
 #if !defined(ENABLE_CHROME_NET_STACK_FOR_WKWEBVIEW)
 - (void)handleSSLCertError:(NSError*)error {
   DCHECK(web::IsWKWebViewSSLCertError(error));
 
-  net::SSLInfo sslInfo;
-  web::GetSSLInfoFromWKWebViewSSLCertError(error, &sslInfo);
+  net::SSLInfo info;
+  web::GetSSLInfoFromWKWebViewSSLCertError(error, &info);
 
-  web::SSLStatus sslStatus;
-  sslStatus.security_style = web::SECURITY_STYLE_AUTHENTICATION_BROKEN;
-  sslStatus.cert_status = sslInfo.cert_status;
-  sslStatus.cert_id = web::CertStore::GetInstance()->StoreCert(
-      sslInfo.cert.get(), self.certGroupID);
+  web::SSLStatus status;
+  status.security_style = web::SECURITY_STYLE_AUTHENTICATION_BROKEN;
+  status.cert_status = info.cert_status;
+  status.cert_id = web::CertStore::GetInstance()->StoreCert(
+      info.cert.get(), self.certGroupID);
 
-  [self.delegate presentSSLError:sslInfo
-                    forSSLStatus:sslStatus
-                     recoverable:NO
-                        callback:nullptr];
+  // Retrieve verification results from _certVerificationErrors cache to avoid
+  // unnecessary recalculations. Verification results are cached for the leaf
+  // cert, because the cert chain in |didReceiveAuthenticationChallenge:| is
+  // the OS constructed chain, while |chain| is the chain from the server.
+  NSArray* chain = error.userInfo[web::kNSErrorPeerCertificateChainKey];
+  NSString* host = [error.userInfo[web::kNSErrorFailingURLKey] host];
+  scoped_refptr<net::X509Certificate> leafCert;
+  BOOL recoverable = NO;
+  if (chain.count && host.length) {
+    // The complete cert chain may not be available, so the leaf cert is used
+    // as a key to retrieve _certVerificationErrors, as well as for storing the
+    // cert decision.
+    leafCert = web::CreateCertFromChain(@[ chain.firstObject ]);
+    if (leafCert) {
+      auto error = _certVerificationErrors->Get(
+          {leafCert, base::SysNSStringToUTF8(host)});
+      if (error != _certVerificationErrors->end()) {
+        status.cert_status = error->second.status;
+        recoverable = error->second.is_recoverable;
+      } else {
+        // TODO(eugenebut): Report UMA with cache size (crbug.com/541736).
+      }
+    }
+  }
+
+  // Present SSL interstitial.
+  [self.delegate presentSSLError:info
+                    forSSLStatus:status
+                     recoverable:recoverable
+                        callback:^(BOOL proceed) {
+                          if (proceed) {
+                            // The interstitial will be removed during reload.
+                            [_certVerificationController
+                                allowCert:leafCert
+                                  forHost:host
+                                   status:status.cert_status];
+                            [self loadCurrentURL];
+                          }
+                        }];
 }
 #endif  // #if !defined(ENABLE_CHROME_NET_STACK_FOR_WKWEBVIEW)
 
 - (void)addActivityIndicatorTask {
   [[CRWNetworkActivityIndicatorManager sharedInstance]
       startNetworkTaskForGroup:[self activityIndicatorGroupID]];
 }
 
 - (void)clearActivityIndicatorTasks {
   [[CRWNetworkActivityIndicatorManager sharedInstance]
@@ skipping 122 matching lines @@
     }
   }
 
   if (!previousSSLStatus.Equals(item->GetSSL())) {
     [self didUpdateSSLStatusForCurrentNavigationItem];
   }
 }
 
 #endif  // !defined(ENABLE_CHROME_NET_STACK_FOR_WKWEBVIEW)
 
+- (void)processAuthChallenge:(NSURLAuthenticationChallenge*)challenge
+         forCertAcceptPolicy:(web::CertAcceptPolicy)policy
+                  certStatus:(net::CertStatus)certStatus
+           completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition,
+                                       NSURLCredential*))completionHandler {
+  SecTrustRef trust = challenge.protectionSpace.serverTrust;
+  if (policy == web::CERT_ACCEPT_POLICY_RECOVERABLE_ERROR_ACCEPTED_BY_USER) {
+    // Cert is invalid, but user agreed to proceed, override default behavior.
+    completionHandler(NSURLSessionAuthChallengeUseCredential,
+                      [NSURLCredential credentialForTrust:trust]);
+    return;
+  }
+
+  if (policy != web::CERT_ACCEPT_POLICY_ALLOW &&
+      SecTrustGetCertificateCount(trust)) {
+    // The cert is invalid and the user has not agreed to proceed. Cache the
+    // cert verification result in |_certVerificationErrors|, so that it can
+    // later be reused inside |didFailProvisionalNavigation:|.
+    // The leaf cert is used as the key, because the chain provided by
+    // |didFailProvisionalNavigation:| will differ (it is the server-supplied
+    // chain), thus if intermediates were considered, the keys would mismatch.
+    scoped_refptr<net::X509Certificate> leafCert =
+        net::X509Certificate::CreateFromHandle(
+            SecTrustGetCertificateAtIndex(trust, 0),
+            net::X509Certificate::OSCertHandles());
+    if (leafCert) {
+      BOOL is_recoverable =
+          policy == web::CERT_ACCEPT_POLICY_RECOVERABLE_ERROR_UNDECIDED_BY_USER;
+      std::string host =
+          base::SysNSStringToUTF8(challenge.protectionSpace.host);
+      _certVerificationErrors->Put(
+          web::CertHostPair(leafCert, host),
+          CertVerificationError(is_recoverable, certStatus));
+    }
+  }
+  completionHandler(NSURLSessionAuthChallengeRejectProtectionSpace, nil);
+}
+
 - (void)registerLoadRequest:(const GURL&)url {
   // If load request is registered via WKWebViewWebController, assume transition
   // is link or client redirect as other transitions will already be registered
   // by web controller or delegates.
   // TODO(stuartmorgan): Remove guesswork and replace with information from
   // decidePolicyForNavigationAction:.
   ui::PageTransition transition = self.userInteractionRegistered
                                       ? ui::PAGE_TRANSITION_LINK
                                       : ui::PAGE_TRANSITION_CLIENT_REDIRECT;
   // The referrer is not known yet, and will be updated later.
@@ skipping 392 matching lines @@
 #endif  // defined(ENABLE_CHROME_NET_STACK_FOR_WKWEBVIEW)
 
 #if !defined(ENABLE_CHROME_NET_STACK_FOR_WKWEBVIEW)
   if (web::IsWKWebViewSSLCertError(error))
     [self handleSSLCertError:error];
   else
 #endif
     [self handleLoadError:error inMainFrame:YES];
 
   [self discardPendingNavigationTypeForMainFrame];
+  _certVerificationErrors->Clear();
 }
 
 - (void)webView:(WKWebView *)webView
     didCommitNavigation:(WKNavigation *)navigation {
   DCHECK_EQ(_wkWebView, webView);
+  _certVerificationErrors->Clear();
   // This point should closely approximate the document object change, so reset
   // the list of injected scripts to those that are automatically injected.
   _injectedScriptManagers.reset([[NSMutableSet alloc] init]);
   [self injectWindowID];
 
   // The page has changed; commit the pending referrer.
   [self commitPendingReferrerString];
 
   // This is the point where the document's URL has actually changed.
   _documentURL = net::GURLWithNSURL([_wkWebView URL]);
@@ skipping 25 matching lines @@
   web::EvaluateJavaScript(webView,
                           @"__gCrWeb.didFinishNavigation()", nil);
   [self didFinishNavigation];
 }
 
 - (void)webView:(WKWebView *)webView
     didFailNavigation:(WKNavigation *)navigation
             withError:(NSError *)error {
   [self handleLoadError:WKWebViewErrorWithSource(error, NAVIGATION)
             inMainFrame:YES];
+  _certVerificationErrors->Clear();
 }
 
-- (void)webView:(WKWebView *)webView
-    didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
+- (void)webView:(WKWebView*)webView
+    didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge*)challenge
                     completionHandler:
-        (void (^)(NSURLSessionAuthChallengeDisposition disposition,
-                  NSURLCredential *credential))completionHandler {
+                        (void (^)(NSURLSessionAuthChallengeDisposition,
+                                  NSURLCredential*))completionHandler {
   if (![challenge.protectionSpace.authenticationMethod
           isEqual:NSURLAuthenticationMethodServerTrust]) {
     completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
     return;
   }
 
   SecTrustRef trust = challenge.protectionSpace.serverTrust;
-  scoped_refptr<net::X509Certificate> cert = web::CreateCertFromTrust(trust);
-  // TODO(eugenebut): pass SecTrustRef instead of cert.
+  base::ScopedCFTypeRef<SecTrustRef> scopedTrust(trust,
+                                                 base::scoped_policy::RETAIN);
+  base::WeakNSObject<CRWWKWebViewWebController> weakSelf(self);
   [_certVerificationController
-      decidePolicyForCert:cert
-                     host:challenge.protectionSpace.host
-        completionHandler:^(web::CertAcceptPolicy policy,
-                            net::CertStatus status) {
-          completionHandler(NSURLSessionAuthChallengeRejectProtectionSpace,
-                            nil);
-        }];
+      decideLoadPolicyForTrust:scopedTrust
+                          host:challenge.protectionSpace.host
+             completionHandler:^(web::CertAcceptPolicy policy,
+                                 net::CertStatus status) {
+               base::scoped_nsobject<CRWWKWebViewWebController> strongSelf(
+                   [weakSelf retain]);
+               [strongSelf processAuthChallenge:challenge
+                            forCertAcceptPolicy:policy
+                                     certStatus:status
+                              completionHandler:completionHandler];
+             }];
 }
 
 - (void)webViewWebContentProcessDidTerminate:(WKWebView*)webView {
+  _certVerificationErrors->Clear();
   [self webViewWebProcessDidCrash];
 }
 
 #pragma mark WKUIDelegate Methods
 
 - (WKWebView*)webView:(WKWebView*)webView
     createWebViewWithConfiguration:(WKWebViewConfiguration*)configuration
                forNavigationAction:(WKNavigationAction*)navigationAction
                     windowFeatures:(WKWindowFeatures*)windowFeatures {
   GURL requestURL = net::GURLWithNSURL(navigationAction.request.URL);
@@ skipping 75 matching lines @@
                               placeholderText:defaultText
                                    requestURL:
             net::GURLWithNSURL(frame.request.URL)
                             completionHandler:completionHandler];
   } else if (completionHandler) {
     completionHandler(nil);
   }
 }
 
 @end