    Issue 1465513002:
  [ios] Removed CRLSets usage for WKWebView.  (Closed) 
  Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW | 
|---|---|
| 1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. | 
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be | 
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. | 
| 4 | 4 | 
| 5 #import "ios/web/net/crw_cert_verification_controller.h" | 5 #import "ios/web/net/crw_cert_verification_controller.h" | 
| 6 | 6 | 
| 7 #include "base/logging.h" | 7 #include "base/logging.h" | 
| 8 #include "base/mac/bind_objc_block.h" | 8 #include "base/mac/bind_objc_block.h" | 
| 9 #import "base/memory/ref_counted.h" | 9 #import "base/memory/ref_counted.h" | 
| 10 #import "base/memory/scoped_ptr.h" | 10 #import "base/memory/scoped_ptr.h" | 
| 11 #include "base/metrics/histogram_macros.h" | 11 #include "base/metrics/histogram_macros.h" | 
| 12 #include "base/rand_util.h" | 12 #include "base/rand_util.h" | 
| 13 #include "base/strings/sys_string_conversions.h" | 13 #include "base/strings/sys_string_conversions.h" | 
| 14 #include "base/threading/worker_pool.h" | 14 #include "base/threading/worker_pool.h" | 
| 15 #include "ios/web/net/cert_verifier_block_adapter.h" | 15 #include "ios/web/net/cert_verifier_block_adapter.h" | 
| 16 #include "ios/web/public/browser_state.h" | 16 #include "ios/web/public/browser_state.h" | 
| 17 #include "ios/web/public/certificate_policy_cache.h" | 17 #include "ios/web/public/certificate_policy_cache.h" | 
| 18 #include "ios/web/public/web_thread.h" | 18 #include "ios/web/public/web_thread.h" | 
| 19 #import "ios/web/web_state/wk_web_view_security_util.h" | 19 #import "ios/web/web_state/wk_web_view_security_util.h" | 
| 20 #include "net/cert/cert_verify_result.h" | 20 #include "net/cert/cert_verify_result.h" | 
| 21 #include "net/ssl/ssl_config_service.h" | |
| 22 #include "net/url_request/url_request_context.h" | 21 #include "net/url_request/url_request_context.h" | 
| 23 #include "net/url_request/url_request_context_getter.h" | 22 #include "net/url_request/url_request_context_getter.h" | 
| 24 | 23 | 
| 25 namespace { | 24 namespace { | 
| 26 | 25 | 
| 27 // Enum for Web.CertVerifyAgreement UMA metric to report certificate | 26 // Enum for Web.CertVerifyAgreement UMA metric to report certificate | 
| 28 // verification mismatch between SecTrust API and CertVerifier. SecTrust API is | 27 // verification mismatch between SecTrust API and CertVerifier. SecTrust API is | 
| 29 // used for making load/no-load decision and CertVerifier is used for getting | 28 // used for making load/no-load decision and CertVerifier is used for getting | 
| 30 // the reason of verification failure. It is expected that mismatches will | 29 // the reason of verification failure. It is expected that mismatches will | 
| 31 // happen for those 2 approaches (e.g. SecTrust API accepts the cert but | 30 // happen for those 2 approaches (e.g. SecTrust API accepts the cert but | 
| (...skipping 391 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 423 // WeakNSObject does not work across different threads, hence this block | 422 // WeakNSObject does not work across different threads, hence this block | 
| 424 // retains self. | 423 // retains self. | 
| 425 if (!_certVerifier) { | 424 if (!_certVerifier) { | 
| 426 completionHandler(net::CertVerifyResult(), net::ERR_FAILED); | 425 completionHandler(net::CertVerifyResult(), net::ERR_FAILED); | 
| 427 return; | 426 return; | 
| 428 } | 427 } | 
| 429 | 428 | 
| 430 web::CertVerifierBlockAdapter::Params params( | 429 web::CertVerifierBlockAdapter::Params params( | 
| 431 blockCert.Pass(), base::SysNSStringToUTF8(host)); | 430 blockCert.Pass(), base::SysNSStringToUTF8(host)); | 
| 432 params.flags = self.certVerifyFlags; | 431 params.flags = self.certVerifyFlags; | 
| 433 params.crl_set = net::SSLConfigService::GetCRLSet(); | |
| 434 // OCSP response is not provided by iOS API. | 432 // OCSP response is not provided by iOS API. | 
| 433 // CRLSets are not used for getting the reason of rejection, because | |
| 434 // of low benefits and high cost of storing CRLSet on the disk. | |
| 
Ryan Sleevi
2015/11/23 22:26:12
Reword:
// CRLSets are not used, as the OS is used
 
Eugene But (OOO till 7-30)
2015/11/23 22:36:00
Done.
 | |
| 435 _certVerifier->Verify(params, ^(net::CertVerifyResult result, int) { | 435 _certVerifier->Verify(params, ^(net::CertVerifyResult result, int) { | 
| 436 completionHandler(result, YES); | 436 completionHandler(result, YES); | 
| 437 }); | 437 }); | 
| 438 })); | 438 })); | 
| 439 | 439 | 
| 440 if (!dispatched) { | 440 if (!dispatched) { | 
| 441 completionHandler(net::CertVerifyResult(), NO); | 441 completionHandler(net::CertVerifyResult(), NO); | 
| 442 } | 442 } | 
| 443 } | 443 } | 
| 444 | 444 | 
| (...skipping 39 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 484 web::CertPolicy::Judgment judgment = _certPolicyCache->QueryPolicy( | 484 web::CertPolicy::Judgment judgment = _certPolicyCache->QueryPolicy( | 
| 485 leafCert.get(), base::SysNSStringToUTF8(host), | 485 leafCert.get(), base::SysNSStringToUTF8(host), | 
| 486 certVerifierResult.cert_status); | 486 certVerifierResult.cert_status); | 
| 487 | 487 | 
| 488 return (judgment == web::CertPolicy::ALLOWED) | 488 return (judgment == web::CertPolicy::ALLOWED) | 
| 489 ? web::CERT_ACCEPT_POLICY_RECOVERABLE_ERROR_ACCEPTED_BY_USER | 489 ? web::CERT_ACCEPT_POLICY_RECOVERABLE_ERROR_ACCEPTED_BY_USER | 
| 490 : web::CERT_ACCEPT_POLICY_RECOVERABLE_ERROR_UNDECIDED_BY_USER; | 490 : web::CERT_ACCEPT_POLICY_RECOVERABLE_ERROR_UNDECIDED_BY_USER; | 
| 491 } | 491 } | 
| 492 | 492 | 
| 493 @end | 493 @end | 
| OLD | NEW |
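Review bot: The early-return path at new line 425 calls `completionHandler(net::CertVerifyResult(), net::ERR_FAILED)`, while the other two call sites in the same method pass `YES` (line 436) and `NO` (line 441) as the second argument. If that parameter is a boolean, as those call sites suggest, the non-zero `net::ERR_FAILED` converts to true, so a missing `_certVerifier` would be reported like a completed verification carrying a default-constructed result. Passing `completionHandler(net::CertVerifyResult(), NO);` there would match the `!dispatched` branch. The handler's declaration and the start of the method are outside the visible lines, so this should be confirmed against the signature; the line is context that this commit does not touch.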