ios/web/net/crw_cert_verification_controller.h - Issue 1357773002: WKWebView: Implemented recoverable SSL interstitials.

Side by Side Diff: ios/web/net/crw_cert_verification_controller.h

Issue 1357773002: WKWebView: Implemented recoverable SSL interstitials. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@lock_coloring

Patch Set: Resolved Stuart's review comments Created 5 years, 2 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
1 // Copyright 2015 The Chromium Authors. All rights reserved.	1 // Copyright 2015 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #ifndef IOS_WEB_NET_CRW_CERT_VERIFICATION_CONTROLLER_H_	5 #ifndef IOS_WEB_NET_CRW_CERT_VERIFICATION_CONTROLLER_H_

6 #define IOS_WEB_NET_CRW_CERT_VERIFICATION_CONTROLLER_H_	6 #define IOS_WEB_NET_CRW_CERT_VERIFICATION_CONTROLLER_H_

7	7

8 #import <Foundation/Foundation.h>	8 #import <Foundation/Foundation.h>

9	9

10 #import "base/memory/ref_counted.h"	10 #import "base/memory/ref_counted.h"

11 #include "ios/web/public/security_style.h"	11 #include "ios/web/public/security_style.h"

12 #include "net/cert/cert_status_flags.h"	12 #include "net/cert/cert_status_flags.h"

13	13

14 namespace net {	14 namespace net {

15 class X509Certificate;	15 class X509Certificate;

16 }	16 }

17	17

18 namespace web {	18 namespace web {

19	19

20 class BrowserState;	20 class BrowserState;

21	21

22 // Accept policy for valid or invalid SSL cert.	22 // Accept policy for valid or invalid SSL cert.

23 typedef NS_ENUM(NSInteger, CertAcceptPolicy) {	23 typedef NS_ENUM(NSInteger, CertAcceptPolicy) {

24 // Cert status can't be determined due to an error. Caller should not proceed	24 // Cert status can't be determined due to an error. Caller should not proceed

25 // with the load, but show net error page instead.	25 // with the load, but show net error page instead.

26 CERT_ACCEPT_POLICY_NON_RECOVERABLE_ERROR = 0,	26 CERT_ACCEPT_POLICY_NON_RECOVERABLE_ERROR = 0,

27 // Cert is not valid. Caller may present SSL warning and ask user if they	27 // Cert is not valid. Caller may present SSL warning and ask user if they

28 // want to proceed with the load.	28 // want to proceed with the load.

29 CERT_ACCEPT_POLICY_RECOVERABLE_ERROR,	29 CERT_ACCEPT_POLICY_RECOVERABLE_ERROR_NOT_ACCEPTED_BY_USER,

	30 // Cert is not valid. However caller should proceed with the load, because

	31 // user has decided to proceed with this invalid cert.
	Ryan Sleevi 2015/09/24 22:48:39 // Cert is not valid. However, caller should proce // Cert is not valid. However, caller should proceed with the load, because ... (extra ,) Eugene But (OOO till 7-30) 2015/09/25 21:24:23 Done. Show quoted text On 2015/09/24 22:48:39, Ryan Sleevi wrote: > // Cert is not valid. However, caller should proceed with the load, because ... > > (extra ,) Done.
	32 CERT_ACCEPT_POLICY_RECOVERABLE_ERROR_ACCEPTED_BY_USER,

30 // Cert is valid. Caller should proceed with the load.	33 // Cert is valid. Caller should proceed with the load.

31 CERT_ACCEPT_POLICY_ALLOW,	34 CERT_ACCEPT_POLICY_ALLOW,

32 };	35 };

33	36

34 // Completion handler called by decidePolicyForCert:host:completionHandler:.	37 // Completion handler called by decideLoadPolicyForTrust:host:completionHandler.

35 typedef void (^PolicyDecisionHandler)(web::CertAcceptPolicy, net::CertStatus);	38 typedef void (^PolicyDecisionHandler)(web::CertAcceptPolicy, net::CertStatus);

36 // Completion handler called by decidePolicyForCert:host:completionHandler:.	39 // Completion handler called by decidePolicyForCert:host:completionHandler:.

37 typedef void (^StatusQueryHandler)(web::SecurityStyle, net::CertStatus);	40 typedef void (^StatusQueryHandler)(web::SecurityStyle, net::CertStatus);

38	41

39 } // namespace web	42 } // namespace web

40	43

41 // Provides various cert verification API that can be used for blocking requests	44 // Provides various cert verification API that can be used for blocking requests

42 // with bad SSL cert, presenting SSL interstitials and determining SSL status	45 // with bad SSL cert, presenting SSL interstitials and determining SSL status

43 // for Navigation Items. Must be used on UI thread.	46 // for Navigation Items. Must be used on UI thread.

44 @interface CRWCertVerificationController : NSObject	47 @interface CRWCertVerificationController : NSObject

45	48

46 - (instancetype)init NS_UNAVAILABLE;	49 - (instancetype)init NS_UNAVAILABLE;

47	50

48 // Initializes CRWCertVerificationController with the given \|browserState\| which	51 // Initializes CRWCertVerificationController with the given \|browserState\| which

49 // cannot be null and must outlive CRWCertVerificationController.	52 // cannot be null and must outlive CRWCertVerificationController.

50 - (instancetype)initWithBrowserState:(web::BrowserState*)browserState	53 - (instancetype)initWithBrowserState:(web::BrowserState*)browserState

51 NS_DESIGNATED_INITIALIZER;	54 NS_DESIGNATED_INITIALIZER;

52	55

53 // TODO(eugenebut): add API for:	56 // Decides the policy for the given \|serverTrust\| and the given \|host\| and calls

54 // - accepting bad SSL cert using CertPolicyCache	57 // \|completionHandler\| on completion. \|host\| should be in DNS form

55

56 // Decides the policy for the given \|cert\| for the given \|host\| and calls

57 // \|completionHandler\| on completion. \|host\| should be in DNS form

58 // (f.e. for "http://名がドメイン.com", it should be "xn--v8jxj3d1dzdz08w.com").	58 // (f.e. for "http://名がドメイン.com", it should be "xn--v8jxj3d1dzdz08w.com").

59 // \|completionHandler\| cannot be null and will be called synchronously or	59 // \|completionHandler\| cannot be null and will be called synchronously or

60 // asynchronously on the UI thread.	60 // asynchronously on the UI thread.

61 - (void)decidePolicyForCert:(const scoped_refptr<net::X509Certificate>&)cert	61 - (void)decideLoadPolicyForTrust:(SecTrustRef)serverTrust

62 host:(NSString*)host	62 host:(NSString*)host

63 completionHandler:(web::PolicyDecisionHandler)completionHandler;	63 completionHandler:(web::PolicyDecisionHandler)completionHandler;

64	64

65 // Asynchronously returns web::SecurityStyle and net::CertStatus for the given	65 // Asynchronously returns web::SecurityStyle and net::CertStatus for the given

66 // \|certificateChain\| (an NSArray of SecSertificateRef objects) and \|host\|.	66 // \|certificateChain\| (an NSArray of SecSertificateRef objects) and \|host\|.

67 // \|certificateChain\| cannot be null or empty. \|host\| should be in DNS form.	67 // \|certificateChain\| cannot be null or empty. \|host\| should be in DNS form.

68 - (void)querySSLStatusForCertChain:(NSArray*)certChain	68 - (void)querySSLStatusForCertChain:(NSArray*)certChain

69 host:(NSString*)host	69 host:(NSString*)host

70 completionHandler:(web::StatusQueryHandler)completionHandler;	70 completionHandler:(web::StatusQueryHandler)completionHandler;

71	71

	72 // Records that \|leafCert\| is permitted to be used for \|host\| in the future.

	73 // \|host\| should be in DNS form. \|leafCert\| must not contain any intermidiate
	Ryan Sleevi 2015/09/24 22:48:39 It's unclear why "\|leafCert\| must not contain any It's unclear why "\|leafCert\| must not contain any intermediate certs" - seems like an unnecessary API constraint? Ryan Sleevi 2015/09/24 22:48:39 same remarks re: DNS form same remarks re: DNS form Ryan Sleevi 2015/09/24 22:48:39 spelling: intermediate spelling: intermediate Eugene But (OOO till 7-30) 2015/09/25 21:24:23 Done. Show quoted text On 2015/09/24 22:48:39, Ryan Sleevi wrote: > spelling: intermediate Done. Eugene But (OOO till 7-30) 2015/09/25 21:24:23 didFailProvisionalNavigation: callback, where deci Show quoted text On 2015/09/24 22:48:39, Ryan Sleevi wrote: > It's unclear why "\|leafCert\| must not contain any intermediate certs" - seems > like an unnecessary API constraint? didFailProvisionalNavigation: callback, where decision is stored may not provide complete/valid cert chain. So per you suggestion CertPolicy::Judgment decision will be stored and read for leaf cert and hostname. This very API constraint is necessary. Otherwise reading CertPolicy::Judgment decision will not work: https://codereview.chromium.org/1357773002/diff/40001/ios/web/net/crw_cert_ve... Does it make sense? Eugene But (OOO till 7-30) 2015/09/25 21:24:23 Done. Show quoted text On 2015/09/24 22:48:39, Ryan Sleevi wrote: > same remarks re: DNS form Done. Ryan Sleevi 2015/09/28 22:46:52 No. It's not clear to me why you impose this const Show quoted text On 2015/09/25 21:24:23, eugenebut wrote: > On 2015/09/24 22:48:39, Ryan Sleevi wrote: > > It's unclear why "\|leafCert\| must not contain any intermediate certs" - seems > > like an unnecessary API constraint? > didFailProvisionalNavigation: callback, where decision is stored may not provide > complete/valid cert chain. So per you suggestion CertPolicy::Judgment decision > will be stored and read for leaf cert and hostname. > > This very API constraint is necessary. Otherwise reading CertPolicy::Judgment > decision will not work: > https://codereview.chromium.org/1357773002/diff/40001/ios/web/net/crw_cert_ve... > > Does it make sense? No. It's not clear to me why you impose this constraint on your callers, rather than 'fixing up' incoming certs to normalize the CertPolicy::Judgement (e.g. stripping off intermediate certificates yourself) That is, I find it weird to force callers to be aware of these semantics, a result of the inconsistency between the two APIs you mentioned (didFailProvisionalNavigation vs interstitials), rather than just fixing it yourself and leaving it as an implementation detail as to why. My understanding is that this method (allowCert) is tightly-coupled to the implementation of decideLoadPolicyForTrust (which I assume is what didFail is calling), but you're forcing callers to be aware of that coupling rather than handling it yourself (e.g. having both allowCert and decideLoadPolicy only consider/store the leaf). By handling it yourself, you provide a strong API contract to callers (these two methods are complementary), without making them worry about the details. Eugene But (OOO till 7-30) 2015/09/29 18:29:07 I see your point. Changed allowCert: to strip inte Show quoted text On 2015/09/28 22:46:52, Ryan Sleevi wrote: > On 2015/09/25 21:24:23, eugenebut wrote: > > On 2015/09/24 22:48:39, Ryan Sleevi wrote: > > > It's unclear why "\|leafCert\| must not contain any intermediate certs" - > seems > > > like an unnecessary API constraint? > > didFailProvisionalNavigation: callback, where decision is stored may not > provide > > complete/valid cert chain. So per you suggestion CertPolicy::Judgment decision > > will be stored and read for leaf cert and hostname. > > > > This very API constraint is necessary. Otherwise reading CertPolicy::Judgment > > decision will not work: > > > https://codereview.chromium.org/1357773002/diff/40001/ios/web/net/crw_cert_ve... > > > > Does it make sense? > > No. It's not clear to me why you impose this constraint on your callers, rather > than 'fixing up' incoming certs to normalize the CertPolicy::Judgement (e.g. > stripping off intermediate certificates yourself) > > That is, I find it weird to force callers to be aware of these semantics, a > result of the inconsistency between the two APIs you mentioned > (didFailProvisionalNavigation vs interstitials), rather than just fixing it > yourself and leaving it as an implementation detail as to why. My understanding > is that this method (allowCert) is tightly-coupled to the implementation of > decideLoadPolicyForTrust (which I assume is what didFail is calling), but you're > forcing callers to be aware of that coupling rather than handling it yourself > (e.g. having both allowCert and decideLoadPolicy only consider/store the leaf). > By handling it yourself, you provide a strong API contract to callers (these two > methods are complementary), without making them worry about the details. I see your point. Changed allowCert: to strip intermediate certs.
	74 // certs.

	75 - (void)allowCert:(scoped_refptr<net::X509Certificate>)leafCert

	76 forHost:(NSString*)host

	77 status:(net::CertStatus)status;

	78

72 // Cancels all pending verification requests. Completion handlers will not be	79 // Cancels all pending verification requests. Completion handlers will not be

73 // called after \|shutDown\| call. Must always be called before object's	80 // called after \|shutDown\| call. Must always be called before object's

74 // deallocation.	81 // deallocation.

75 - (void)shutDown;	82 - (void)shutDown;

76	83

77 @end	84 @end

78	85

79 #endif // IOS_WEB_NET_CRW_CERT_VERIFICATION_CONTROLLER_H_	86 #endif // IOS_WEB_NET_CRW_CERT_VERIFICATION_CONTROLLER_H_

OLD	NEW