1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #import "ios/web/web_state/wk_web_view_security_util.h" | 5 #import "ios/web/web_state/wk_web_view_security_util.h" |
6 | 6 |
7 #include "base/mac/scoped_cftyperef.h" | 7 #include "base/mac/scoped_cftyperef.h" |
8 #include "base/strings/sys_string_conversions.h" | 8 #include "base/strings/sys_string_conversions.h" |
9 #include "net/cert/x509_certificate.h" | 9 #include "net/cert/x509_certificate.h" |
10 #include "net/cert/x509_util_ios.h" | 10 #include "net/cert/x509_util_ios.h" |
11 #include "net/ssl/ssl_info.h" | 11 #include "net/ssl/ssl_info.h" |
12 | 12 |
13 #if !defined(__has_feature) || !__has_feature(objc_arc) | |
14 #error "This file requires ARC support." | |
15 #endif | |
16 | |
17 namespace web { | 13 namespace web { |
18 | 14 |
19 // These keys were determined by inspecting userInfo dict of an SSL error. | 15 // These keys were determined by inspecting userInfo dict of an SSL error. |
20 NSString* const kNSErrorPeerCertificateChainKey = | 16 NSString* const kNSErrorPeerCertificateChainKey = |
21 @"NSErrorPeerCertificateChainKey"; | 17 @"NSErrorPeerCertificateChainKey"; |
22 NSString* const kNSErrorFailingURLKey = @"NSErrorFailingURLKey"; | 18 NSString* const kNSErrorFailingURLKey = @"NSErrorFailingURLKey"; |
23 } | 19 } |
24 | 20 |
25 namespace { | 21 namespace { |
26 | 22 |
47 } // namespace | 43 } // namespace |
48 | 44 |
49 | 45 |
50 namespace web { | 46 namespace web { |
51 | 47 |
52 scoped_refptr<net::X509Certificate> CreateCertFromChain(NSArray* certs) { | 48 scoped_refptr<net::X509Certificate> CreateCertFromChain(NSArray* certs) { |
53 if (certs.count == 0) | 49 if (certs.count == 0) |
54 return nullptr; | 50 return nullptr; |
55 std::vector<SecCertificateRef> intermediates; | 51 std::vector<SecCertificateRef> intermediates; |
56 for (NSUInteger i = 1; i < certs.count; i++) { | 52 for (NSUInteger i = 1; i < certs.count; i++) { |
57 SecCertificateRef cert = (__bridge SecCertificateRef)certs[i]; | 53 intermediates.push_back(reinterpret_cast<SecCertificateRef>(certs[i])); |
58 intermediates.push_back(cert); | |
59 } | 54 } |
60 SecCertificateRef root_cert = (__bridge SecCertificateRef)certs[0]; | |
61 return net::x509_util::CreateX509CertificateFromSecCertificate( | 55 return net::x509_util::CreateX509CertificateFromSecCertificate( |
62 reinterpret_cast<SecCertificateRef>(root_cert), intermediates); | 56 reinterpret_cast<SecCertificateRef>(certs[0]), intermediates); |
63 } | 57 } |
64 | 58 |
65 scoped_refptr<net::X509Certificate> CreateCertFromTrust(SecTrustRef trust) { | 59 scoped_refptr<net::X509Certificate> CreateCertFromTrust(SecTrustRef trust) { |
66 if (!trust) | 60 if (!trust) |
67 return nullptr; | 61 return nullptr; |
68 | 62 |
69 CFIndex cert_count = SecTrustGetCertificateCount(trust); | 63 CFIndex cert_count = SecTrustGetCertificateCount(trust); |
70 if (cert_count == 0) { | 64 if (cert_count == 0) { |
71 // At the moment there is no API which allows trust creation w/o certs. | 65 // At the moment there is no API which allows trust creation w/o certs. |
72 return nullptr; | 66 return nullptr; |
73 } | 67 } |
74 | 68 |
75 std::vector<SecCertificateRef> intermediates; | 69 std::vector<SecCertificateRef> intermediates; |
76 for (CFIndex i = 1; i < cert_count; i++) { | 70 for (CFIndex i = 1; i < cert_count; i++) { |
77 intermediates.push_back(SecTrustGetCertificateAtIndex(trust, i)); | 71 intermediates.push_back(SecTrustGetCertificateAtIndex(trust, i)); |
78 } | 72 } |
79 return net::x509_util::CreateX509CertificateFromSecCertificate( | 73 return net::x509_util::CreateX509CertificateFromSecCertificate( |
80 SecTrustGetCertificateAtIndex(trust, 0), intermediates); | 74 SecTrustGetCertificateAtIndex(trust, 0), intermediates); |
81 } | 75 } |
82 | 76 |
83 base::ScopedCFTypeRef<SecTrustRef> CreateServerTrustFromChain(NSArray* certs, | 77 base::ScopedCFTypeRef<SecTrustRef> CreateServerTrustFromChain(NSArray* certs, |
84 NSString* host) { | 78 NSString* host) { |
85 base::ScopedCFTypeRef<SecTrustRef> scoped_result; | 79 base::ScopedCFTypeRef<SecTrustRef> scoped_result; |
86 if (certs.count == 0) | 80 if (certs.count == 0) |
87 return scoped_result; | 81 return scoped_result; |
88 | 82 |
89 base::ScopedCFTypeRef<SecPolicyRef> policy( | 83 base::ScopedCFTypeRef<SecPolicyRef> policy( |
90 SecPolicyCreateSSL(TRUE, static_cast<CFStringRef>(host))); | 84 SecPolicyCreateSSL(TRUE, static_cast<CFStringRef>(host))); |
91 SecTrustRef ref_result = nullptr; | 85 SecTrustRef ref_result = nullptr; |
92 if (SecTrustCreateWithCertificates((__bridge CFArrayRef)certs, policy, | 86 if (SecTrustCreateWithCertificates(certs, policy, &ref_result) == |
93 &ref_result) == errSecSuccess) { | 87 errSecSuccess) { |
94 scoped_result.reset(ref_result); | 88 scoped_result.reset(ref_result); |
95 } | 89 } |
96 return scoped_result; | 90 return scoped_result; |
97 } | 91 } |
98 | 92 |
99 void EnsureFutureTrustEvaluationSucceeds(SecTrustRef trust) { | 93 void EnsureFutureTrustEvaluationSucceeds(SecTrustRef trust) { |
100 base::ScopedCFTypeRef<CFDataRef> exceptions(SecTrustCopyExceptions(trust)); | 94 base::ScopedCFTypeRef<CFDataRef> exceptions(SecTrustCopyExceptions(trust)); |
101 SecTrustSetExceptions(trust, exceptions); | 95 SecTrustSetExceptions(trust, exceptions); |
102 } | 96 } |
103 | 97 |
151 // kSecTrustResultConfirm was deprecated in iOS7, but leads to a compile | 145 // kSecTrustResultConfirm was deprecated in iOS7, but leads to a compile |
152 // error if used with newer SDKs. Remove the default clause once this | 146 // error if used with newer SDKs. Remove the default clause once this |
153 // switch statement successfully compiles without kSecTrustResultConfirm. | 147 // switch statement successfully compiles without kSecTrustResultConfirm. |
154 default: | 148 default: |
155 NOTREACHED(); | 149 NOTREACHED(); |
156 return SECURITY_STYLE_UNKNOWN; | 150 return SECURITY_STYLE_UNKNOWN; |
157 } | 151 } |
158 } | 152 } |
159 | 153 |
160 } // namespace web | 154 } // namespace web |
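Review bot: The `reinterpret_cast<SecCertificateRef>(certs[i])` casts in CreateCertFromChain (new lines 53 and 56) drop the bridging information the old `__bridge` casts carried and still do not verify that each element is actually a certificate, even though `certs` originates from an NSError userInfo array (kNSErrorPeerCertificateChainKey, new line 16) rather than from code this file controls. A `DCHECK_EQ(CFGetTypeID(certs[i]), SecCertificateGetTypeID());` at the top of the loop body, with the equivalent check on `certs[0]` before new line 55, would catch a malformed chain before it is handed to the Security framework; the same unchecked array is passed straight to SecTrustCreateWithCertificates at new line 86. Because the ARC `#error` guard (old lines 13-15) is removed in the same change and a `reinterpret_cast` from `id` to a CF type does not compile under ARC, the file now depends on being built without ARC, so a comment above the loop such as `// Plain casts: this file is compiled without ARC, so no __bridge is needed.` would stop a future reader from restoring one half of that pairing without the other.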