android_webview/browser/aw_ssl_host_state_delegate.cc - Issue 794023002: Remember user's decisions on SSL errors.

Side by Side Diff: android_webview/browser/aw_ssl_host_state_delegate.cc

Issue 794023002: Remember user's decisions on SSL errors. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Implement with SSLHostStateDelegate Created 6 years ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

« android_webview/browser/aw_ssl_host_state_delegate.h ('K') | « android_webview/browser/aw_ssl_host_state_delegate.h ('k') | android_webview/javatests/src/org/chromium/android_webview/test/AwContentsTest.java » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

OLD	NEW
(Empty)
	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
	jww 2014/12/12 01:48:41 See comment on Copyright in aw_ssl_host_state_dele See comment on Copyright in aw_ssl_host_state_delegate.h. hush (inactive) 2014/12/12 02:42:37 Done. Show quoted text On 2014/12/12 01:48:41, jww wrote: > See comment on Copyright in aw_ssl_host_state_delegate.h. Done.
	2 // Use of this source code is governed by a BSD-style license that can be

	3 // found in the LICENSE file.

	4

	5 #include "android_webview/browser/aw_ssl_host_state_delegate.h"

	6

	7 #include "net/base/hash_value.h"

	8

	9 using content::SSLHostStateDelegate;

	10

	11 namespace android_webview {

	12 namespace {

	13 CertPolicy::CertPolicy() {

	14 }

	15

	16 CertPolicy::~CertPolicy() {

	17 }

	18

	19 // For an allowance, we consider a given \|cert\| to be a match to a saved

	20 // allowed cert if the \|error\| is an exact match to or subset of the errors

	21 // in the saved CertStatus.

	22 bool CertPolicy::Check(const net::X509Certificate& cert,

	23 net::CertStatus error) const {

	24 std::map<net::SHA1HashValue, net::CertStatus,

	25 net::SHA1HashValueLessThan>::const_iterator allowed_iter =

	26 allowed_.find(cert.fingerprint());

	27 if ((allowed_iter != allowed_.end()) && (allowed_iter->second & error) &&

	28 !(~(allowed_iter->second & error) ^ ~error)) {

	29 return true;

	30 }

	31

	32 return false;

	33 }

	34

	35 void CertPolicy::Allow(const net::X509Certificate& cert,

	36 net::CertStatus error) {

	37 // If this same cert had already been saved with a different error status,

	38 // this will replace it with the new error status.

	39 allowed_[cert.fingerprint()] = error;
	jww 2014/12/12 01:48:41 This should store the entire chain, not just the e This should store the entire chain, not just the end cert fingerprint. You can use net::X509Certificate::CalculateChainFingerprint256 as shown in https://code.google.com/p/chromium/codesearch#chromium/src/chrome/browser/ssl..., to do this. Actually, you might consider making "GetKey()" from that file into a general utility function somewhere to share the code. hush (inactive) 2014/12/12 02:42:37 I just used "CalculateChainFingerprint256" to get Show quoted text On 2014/12/12 01:48:41, jww wrote: > This should store the entire chain, not just the end cert fingerprint. You can > use net::X509Certificate::CalculateChainFingerprint256 as shown in > https://code.google.com/p/chromium/codesearch#chromium/src/chrome/browser/ssl..., > to do this. Actually, you might consider making "GetKey()" from that file into a > general utility function somewhere to share the code. I just used "CalculateChainFingerprint256" to get the chain fingerprint, then use it as the hashmap key without mixing the error code with it, because in our case here, the error code is the "value" in the \|allowed_\| hashmap. As a result, I don't really have to extract the getKey() from chrome/ to somewhere else. Does this sound good? jww 2014/12/12 02:56:47 Yup, sounds great (And I misspoke in my original c Show quoted text On 2014/12/12 02:42:37, hush wrote: > On 2014/12/12 01:48:41, jww wrote: > > This should store the entire chain, not just the end cert fingerprint. You can > > use net::X509Certificate::CalculateChainFingerprint256 as shown in > > > https://code.google.com/p/chromium/codesearch#chromium/src/chrome/browser/ssl..., > > to do this. Actually, you might consider making "GetKey()" from that file into > a > > general utility function somewhere to share the code. > > I just used "CalculateChainFingerprint256" to get the chain fingerprint, then > use it as the hashmap key without mixing the error code with it, because in our > case here, the error code is the "value" in the \|allowed_\| hashmap. > As a result, I don't really have to extract the getKey() from chrome/ to > somewhere else. > Does this sound good? Yup, sounds great (And I misspoke in my original comment. You clearly don't need to store the entire chain; you just need the hash of the entire chain, which you did).
	40 }

	41 } // namespace

	42

	43 AwSSLHostStateDelegate::AwSSLHostStateDelegate() {
	jww 2014/12/12 01:48:41 Nit: This constructor and destructor be inline in Nit: This constructor and destructor be inline in the header hush (inactive) 2014/12/12 02:42:37 Sorry, I tried to do this. But I got a compiler er Show quoted text On 2014/12/12 01:48:41, jww wrote: > Nit: This constructor and destructor be inline in the header Sorry, I tried to do this. But I got a compiler error: "[chromium-style] Complex constructor has an inlined body." Looking at tools/clang/plugins/FindBadConstructsConsumer.cpp, I guess people just don't want us to inline constructors. jww 2014/12/12 02:56:47 Okay, my bad. Show quoted text On 2014/12/12 02:42:37, hush wrote: > On 2014/12/12 01:48:41, jww wrote: > > Nit: This constructor and destructor be inline in the header > > Sorry, I tried to do this. But I got a compiler error: "[chromium-style] Complex > constructor has an inlined body." > Looking at tools/clang/plugins/FindBadConstructsConsumer.cpp, I guess people > just don't want us to inline constructors. Okay, my bad.
	44 }

	45

	46 AwSSLHostStateDelegate::~AwSSLHostStateDelegate() {

	47 }

	48

	49 void AwSSLHostStateDelegate::HostRanInsecureContent(const std::string& host,

	50 int pid) {

	51 ran_insecure_content_hosts_.insert(BrokenHostEntry(host, pid));

	52 }

	53

	54 bool AwSSLHostStateDelegate::DidHostRunInsecureContent(const std::string& host,

	55 int pid) const {

	56 return !!ran_insecure_content_hosts_.count(BrokenHostEntry(host, pid));

	57 }

	58

	59 void AwSSLHostStateDelegate::AllowCert(const std::string& host,

	60 const net::X509Certificate& cert,

	61 net::CertStatus error) {

	62 cert_policy_for_host_[host].Allow(cert, error);

	63 }

	64

	65 void AwSSLHostStateDelegate::Clear() {

	66 cert_policy_for_host_.clear();

	67 }

	68

	69 SSLHostStateDelegate::CertJudgment AwSSLHostStateDelegate::QueryPolicy(

	70 const std::string& host,

	71 const net::X509Certificate& cert,

	72 net::CertStatus error,

	73 bool* expired_previous_decision) {

	74 return cert_policy_for_host_[host].Check(cert, error)

	75 ? SSLHostStateDelegate::ALLOWED

	76 : SSLHostStateDelegate::DENIED;

	77 }

	78

	79 } // namespace android_webview

OLD	NEW