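--- a/ios/web/web_state/wk_web_view_security_util.mm
+++ b/ios/web/web_state/wk_web_view_security_util.mm
@@ -1,22 +1,26 @@
 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #import "ios/web/web_state/wk_web_view_security_util.h"
 
 #include "base/mac/scoped_cftyperef.h"
 #include "base/strings/sys_string_conversions.h"
 #include "net/cert/x509_certificate.h"
 #include "net/cert/x509_util_ios.h"
 #include "net/ssl/ssl_info.h"
 
+#if !defined(__has_feature) || !__has_feature(objc_arc)
+#error "This file requires ARC support."
+#endif
+
 namespace web {
 
 // These keys were determined by inspecting userInfo dict of an SSL error.
 NSString* const kNSErrorPeerCertificateChainKey =
 @"NSErrorPeerCertificateChainKey";
 NSString* const kNSErrorFailingURLKey = @"NSErrorFailingURLKey";
 }
 
 namespace {
 
@@ -43,54 +47,57 @@
 } // namespace
 
 
 namespace web {
 
 scoped_refptr<net::X509Certificate> CreateCertFromChain(NSArray* certs) {
 if (certs.count == 0)
 return nullptr;
 std::vector<SecCertificateRef> intermediates;
 for (NSUInteger i = 1; i < certs.count; i++) {
-intermediates.push_back(reinterpret_cast<SecCertificateRef>(certs[i]));
+SecCertificateRef cert = (__bridge SecCertificateRef)certs[i];
+intermediates.push_back(cert);
 }
+SecCertificateRef initialCert = (__bridge SecCertificateRef)certs[0];
 return net::x509_util::CreateX509CertificateFromSecCertificate(
-reinterpret_cast<SecCertificateRef>(certs[0]), intermediates);
+reinterpret_cast<SecCertificateRef>(initialCert), intermediates);
 }
 
 scoped_refptr<net::X509Certificate> CreateCertFromTrust(SecTrustRef trust) {
 if (!trust)
 return nullptr;
 
 CFIndex cert_count = SecTrustGetCertificateCount(trust);
 if (cert_count == 0) {
 // At the moment there is no API which allows trust creation w/o certs.
 return nullptr;
 }
 
 std::vector<SecCertificateRef> intermediates;
 for (CFIndex i = 1; i < cert_count; i++) {
 intermediates.push_back(SecTrustGetCertificateAtIndex(trust, i));
 }
 return net::x509_util::CreateX509CertificateFromSecCertificate(
 SecTrustGetCertificateAtIndex(trust, 0), intermediates);
 }
 
 base::ScopedCFTypeRef<SecTrustRef> CreateServerTrustFromChain(NSArray* certs,
 NSString* host) {
 base::ScopedCFTypeRef<SecTrustRef> scoped_result;
 if (certs.count == 0)
 return scoped_result;
 
 base::ScopedCFTypeRef<SecPolicyRef> policy(
 SecPolicyCreateSSL(TRUE, static_cast<CFStringRef>(host)));
 SecTrustRef ref_result = nullptr;
-if (SecTrustCreateWithCertificates(certs, policy, &ref_result) ==
+CFArrayRef certificatesArray = (__bridge CFArrayRef)certs;
+if (SecTrustCreateWithCertificates(certificatesArray, policy, &ref_result) ==
 errSecSuccess) {
 scoped_result.reset(ref_result);
 }
 return scoped_result;
 }
 
 void EnsureFutureTrustEvaluationSucceeds(SecTrustRef trust) {
 base::ScopedCFTypeRef<CFDataRef> exceptions(SecTrustCopyExceptions(trust));
 SecTrustSetExceptions(trust, exceptions);
 }
@@ -145,10 +152,10 @@
 // kSecTrustResultConfirm was deprecated in iOS7, but leads to a compile
 // error if used with newer SDKs. Remove the default clause once this
 // switch statement successfully compiles without kSecTrustResultConfirm.
 default:
 NOTREACHED();
 return SECURITY_STYLE_UNKNOWN;
 }
 }
 
 } // namespace web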
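Review bot: The `reinterpret_cast<SecCertificateRef>(initialCert)` at new line 62 of CreateCertFromChain is a no-op now that `initialCert` is already typed `SecCertificateRef` by the `__bridge` cast on line 60; pass it directly: `return net::x509_util::CreateX509CertificateFromSecCertificate(initialCert, intermediates);`. For consistency with the new bridged casts, the `static_cast<CFStringRef>(host)` in CreateServerTrustFromChain (a context line in the same hunk) could become `(__bridge CFStringRef)host`, assuming the existing form still compiles under the ARC requirement this commit introduces. The elements of `certs` are bridged to `SecCertificateRef` without any type check, which is pre-existing behavior, but a comment on CreateCertFromChain stating the precondition would help readers, e.g. `// |certs| is expected to contain only SecCertificateRef objects (e.g. the chain stored under kNSErrorPeerCertificateChainKey).`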