Merge pull request #3344 from deepak1556/certificate_verifier_api_patch
session: api to allow handling certificate verification
This commit is contained in:
commit
24f573eceb
12 changed files with 436 additions and 17 deletions
|
@ -62,21 +62,6 @@ struct Converter<Browser::UserTask> {
|
|||
};
|
||||
#endif
|
||||
|
||||
template<>
|
||||
struct Converter<scoped_refptr<net::X509Certificate>> {
|
||||
static v8::Local<v8::Value> ToV8(
|
||||
v8::Isolate* isolate,
|
||||
const scoped_refptr<net::X509Certificate>& val) {
|
||||
mate::Dictionary dict(isolate, v8::Object::New(isolate));
|
||||
std::string encoded_data;
|
||||
net::X509Certificate::GetPEMEncoded(
|
||||
val->os_cert_handle(), &encoded_data);
|
||||
dict.Set("data", encoded_data);
|
||||
dict.Set("issuerName", val->issuer().GetDisplayName());
|
||||
return dict.GetHandle();
|
||||
}
|
||||
};
|
||||
|
||||
} // namespace mate
|
||||
|
||||
|
||||
|
|
|
@ -16,6 +16,7 @@
|
|||
#include "atom/common/native_mate_converters/callback.h"
|
||||
#include "atom/common/native_mate_converters/gurl_converter.h"
|
||||
#include "atom/common/native_mate_converters/file_path_converter.h"
|
||||
#include "atom/common/native_mate_converters/net_converter.h"
|
||||
#include "atom/common/node_includes.h"
|
||||
#include "base/files/file_path.h"
|
||||
#include "base/prefs/pref_service.h"
|
||||
|
@ -237,11 +238,21 @@ void SetProxyInIO(net::URLRequestContextGetter* getter,
|
|||
RunCallbackInUI(callback);
|
||||
}
|
||||
|
||||
void PassVerificationResult(
|
||||
scoped_refptr<AtomCertVerifier::CertVerifyRequest> request,
|
||||
bool success) {
|
||||
int result = net::OK;
|
||||
if (!success)
|
||||
result = net::ERR_FAILED;
|
||||
request->ContinueWithResult(result);
|
||||
}
|
||||
|
||||
} // namespace
|
||||
|
||||
Session::Session(AtomBrowserContext* browser_context)
|
||||
: browser_context_(browser_context) {
|
||||
AttachAsUserData(browser_context);
|
||||
browser_context->cert_verifier()->SetDelegate(this);
|
||||
|
||||
// Observe DownloadManger to get download notifications.
|
||||
content::BrowserContext::GetDownloadManager(browser_context)->
|
||||
|
@ -254,6 +265,18 @@ Session::~Session() {
|
|||
Destroy();
|
||||
}
|
||||
|
||||
void Session::RequestCertVerification(
|
||||
const scoped_refptr<AtomCertVerifier::CertVerifyRequest>& request) {
|
||||
bool prevent_default = Emit(
|
||||
"verify-certificate",
|
||||
request->hostname(),
|
||||
request->certificate(),
|
||||
base::Bind(&PassVerificationResult, request));
|
||||
|
||||
if (!prevent_default)
|
||||
request->ContinueWithResult(net::ERR_IO_PENDING);
|
||||
}
|
||||
|
||||
void Session::OnDownloadCreated(content::DownloadManager* manager,
|
||||
content::DownloadItem* item) {
|
||||
auto web_contents = item->GetWebContents();
|
||||
|
|
|
@ -8,6 +8,7 @@
|
|||
#include <string>
|
||||
|
||||
#include "atom/browser/api/trackable_object.h"
|
||||
#include "atom/browser/atom_cert_verifier.h"
|
||||
#include "content/public/browser/download_manager.h"
|
||||
#include "native_mate/handle.h"
|
||||
#include "net/base/completion_callback.h"
|
||||
|
@ -34,6 +35,7 @@ class AtomBrowserContext;
|
|||
namespace api {
|
||||
|
||||
class Session: public mate::TrackableObject<Session>,
|
||||
public AtomCertVerifier::Delegate,
|
||||
public content::DownloadManager::Observer {
|
||||
public:
|
||||
using ResolveProxyCallback = base::Callback<void(std::string)>;
|
||||
|
@ -52,6 +54,10 @@ class Session: public mate::TrackableObject<Session>,
|
|||
explicit Session(AtomBrowserContext* browser_context);
|
||||
~Session();
|
||||
|
||||
// AtomCertVerifier::Delegate:
|
||||
void RequestCertVerification(
|
||||
const scoped_refptr<AtomCertVerifier::CertVerifyRequest>&) override;
|
||||
|
||||
// content::DownloadManager::Observer:
|
||||
void OnDownloadCreated(content::DownloadManager* manager,
|
||||
content::DownloadItem* item) override;
|
||||
|
|
|
@ -5,6 +5,7 @@
|
|||
#include "atom/browser/atom_browser_context.h"
|
||||
|
||||
#include "atom/browser/atom_browser_main_parts.h"
|
||||
#include "atom/browser/atom_cert_verifier.h"
|
||||
#include "atom/browser/atom_download_manager_delegate.h"
|
||||
#include "atom/browser/atom_ssl_config_service.h"
|
||||
#include "atom/browser/browser.h"
|
||||
|
@ -60,6 +61,7 @@ std::string RemoveWhitespace(const std::string& str) {
|
|||
AtomBrowserContext::AtomBrowserContext(const std::string& partition,
|
||||
bool in_memory)
|
||||
: brightray::BrowserContext(partition, in_memory),
|
||||
cert_verifier_(new AtomCertVerifier),
|
||||
job_factory_(new AtomURLRequestJobFactory),
|
||||
allow_ntlm_everywhere_(false) {
|
||||
}
|
||||
|
@ -158,6 +160,10 @@ content::BrowserPluginGuestManager* AtomBrowserContext::GetGuestManager() {
|
|||
return guest_manager_.get();
|
||||
}
|
||||
|
||||
net::CertVerifier* AtomBrowserContext::CreateCertVerifier() {
|
||||
return cert_verifier_;
|
||||
}
|
||||
|
||||
net::SSLConfigService* AtomBrowserContext::CreateSSLConfigService() {
|
||||
return new AtomSSLConfigService;
|
||||
}
|
||||
|
|
|
@ -12,6 +12,7 @@
|
|||
namespace atom {
|
||||
|
||||
class AtomDownloadManagerDelegate;
|
||||
class AtomCertVerifier;
|
||||
class AtomURLRequestJobFactory;
|
||||
class WebViewManager;
|
||||
|
||||
|
@ -27,6 +28,7 @@ class AtomBrowserContext : public brightray::BrowserContext {
|
|||
content::URLRequestInterceptorScopedVector* interceptors) override;
|
||||
net::HttpCache::BackendFactory* CreateHttpCacheBackendFactory(
|
||||
const base::FilePath& base_path) override;
|
||||
net::CertVerifier* CreateCertVerifier() override;
|
||||
net::SSLConfigService* CreateSSLConfigService() override;
|
||||
bool AllowNTLMCredentialsForDomain(const GURL& auth_origin) override;
|
||||
|
||||
|
@ -39,6 +41,8 @@ class AtomBrowserContext : public brightray::BrowserContext {
|
|||
|
||||
void AllowNTLMCredentialsForAllDomains(bool should_allow);
|
||||
|
||||
AtomCertVerifier* cert_verifier() const { return cert_verifier_; }
|
||||
|
||||
AtomURLRequestJobFactory* job_factory() const { return job_factory_; }
|
||||
|
||||
private:
|
||||
|
@ -46,6 +50,7 @@ class AtomBrowserContext : public brightray::BrowserContext {
|
|||
scoped_ptr<WebViewManager> guest_manager_;
|
||||
|
||||
// Managed by brightray::BrowserContext.
|
||||
AtomCertVerifier* cert_verifier_;
|
||||
AtomURLRequestJobFactory* job_factory_;
|
||||
|
||||
bool allow_ntlm_everywhere_;
|
||||
|
|
176
atom/browser/atom_cert_verifier.cc
Normal file
176
atom/browser/atom_cert_verifier.cc
Normal file
|
@ -0,0 +1,176 @@
|
|||
// Copyright (c) 2015 GitHub, Inc.
|
||||
// Use of this source code is governed by the MIT license that can be
|
||||
// found in the LICENSE file.
|
||||
|
||||
#include "atom/browser/atom_cert_verifier.h"
|
||||
|
||||
#include "atom/browser/browser.h"
|
||||
#include "atom/common/native_mate_converters/net_converter.h"
|
||||
#include "base/sha1.h"
|
||||
#include "base/stl_util.h"
|
||||
#include "content/public/browser/browser_thread.h"
|
||||
#include "net/base/net_errors.h"
|
||||
|
||||
using content::BrowserThread;
|
||||
|
||||
namespace atom {
|
||||
|
||||
AtomCertVerifier::RequestParams::RequestParams(
|
||||
const net::SHA1HashValue cert_fingerprint,
|
||||
const net::SHA1HashValue ca_fingerprint,
|
||||
const std::string& hostname_arg,
|
||||
const std::string& ocsp_response_arg,
|
||||
int flags_arg)
|
||||
: hostname(hostname_arg),
|
||||
ocsp_response(ocsp_response_arg),
|
||||
flags(flags_arg) {
|
||||
hash_values.reserve(3);
|
||||
net::SHA1HashValue ocsp_hash;
|
||||
base::SHA1HashBytes(
|
||||
reinterpret_cast<const unsigned char*>(ocsp_response.data()),
|
||||
ocsp_response.size(), ocsp_hash.data);
|
||||
hash_values.push_back(ocsp_hash);
|
||||
hash_values.push_back(cert_fingerprint);
|
||||
hash_values.push_back(ca_fingerprint);
|
||||
}
|
||||
|
||||
bool AtomCertVerifier::RequestParams::operator<(
|
||||
const RequestParams& other) const {
|
||||
if (flags != other.flags)
|
||||
return flags < other.flags;
|
||||
if (hostname != other.hostname)
|
||||
return hostname < other.hostname;
|
||||
return std::lexicographical_compare(
|
||||
hash_values.begin(),
|
||||
hash_values.end(),
|
||||
other.hash_values.begin(),
|
||||
other.hash_values.end(),
|
||||
net::SHA1HashValueLessThan());
|
||||
}
|
||||
|
||||
void AtomCertVerifier::CertVerifyRequest::RunResult(int result) {
|
||||
DCHECK_CURRENTLY_ON(BrowserThread::IO);
|
||||
|
||||
for (auto& callback : callbacks_)
|
||||
callback.Run(result);
|
||||
cert_verifier_->RemoveRequest(this);
|
||||
}
|
||||
|
||||
void AtomCertVerifier::CertVerifyRequest::DelegateToDefaultVerifier() {
|
||||
DCHECK_CURRENTLY_ON(BrowserThread::IO);
|
||||
|
||||
int rv = cert_verifier_->default_cert_verifier()->Verify(
|
||||
certificate_.get(),
|
||||
key_.hostname,
|
||||
key_.ocsp_response,
|
||||
key_.flags,
|
||||
crl_set_.get(),
|
||||
verify_result_,
|
||||
base::Bind(&CertVerifyRequest::RunResult,
|
||||
weak_ptr_factory_.GetWeakPtr()),
|
||||
out_req_,
|
||||
net_log_);
|
||||
|
||||
if (rv != net::ERR_IO_PENDING)
|
||||
RunResult(rv);
|
||||
}
|
||||
|
||||
void AtomCertVerifier::CertVerifyRequest::ContinueWithResult(int result) {
|
||||
DCHECK_CURRENTLY_ON(BrowserThread::UI);
|
||||
|
||||
if (handled_)
|
||||
return;
|
||||
|
||||
handled_ = true;
|
||||
|
||||
if (result != net::ERR_IO_PENDING) {
|
||||
BrowserThread::PostTask(BrowserThread::IO, FROM_HERE,
|
||||
base::Bind(&CertVerifyRequest::RunResult,
|
||||
weak_ptr_factory_.GetWeakPtr(),
|
||||
result));
|
||||
return;
|
||||
}
|
||||
|
||||
BrowserThread::PostTask(
|
||||
BrowserThread::IO, FROM_HERE,
|
||||
base::Bind(&CertVerifyRequest::DelegateToDefaultVerifier,
|
||||
weak_ptr_factory_.GetWeakPtr()));
|
||||
}
|
||||
|
||||
AtomCertVerifier::AtomCertVerifier()
|
||||
: delegate_(nullptr) {
|
||||
default_cert_verifier_.reset(net::CertVerifier::CreateDefault());
|
||||
}
|
||||
|
||||
AtomCertVerifier::~AtomCertVerifier() {
|
||||
}
|
||||
|
||||
int AtomCertVerifier::Verify(
|
||||
net::X509Certificate* cert,
|
||||
const std::string& hostname,
|
||||
const std::string& ocsp_response,
|
||||
int flags,
|
||||
net::CRLSet* crl_set,
|
||||
net::CertVerifyResult* verify_result,
|
||||
const net::CompletionCallback& callback,
|
||||
scoped_ptr<Request>* out_req,
|
||||
const net::BoundNetLog& net_log) {
|
||||
DCHECK_CURRENTLY_ON(BrowserThread::IO);
|
||||
|
||||
if (callback.is_null() || !verify_result || hostname.empty() || !delegate_)
|
||||
return net::ERR_INVALID_ARGUMENT;
|
||||
|
||||
const RequestParams key(cert->fingerprint(),
|
||||
cert->ca_fingerprint(),
|
||||
hostname,
|
||||
ocsp_response,
|
||||
flags);
|
||||
|
||||
CertVerifyRequest* request = FindRequest(key);
|
||||
|
||||
if (!request) {
|
||||
request = new CertVerifyRequest(this,
|
||||
key,
|
||||
cert,
|
||||
crl_set,
|
||||
verify_result,
|
||||
out_req,
|
||||
net_log);
|
||||
requests_.insert(make_scoped_refptr(request));
|
||||
|
||||
BrowserThread::PostTask(BrowserThread::UI, FROM_HERE,
|
||||
base::Bind(&Delegate::RequestCertVerification,
|
||||
base::Unretained(delegate_),
|
||||
make_scoped_refptr(request)));
|
||||
}
|
||||
|
||||
request->AddCompletionCallback(callback);
|
||||
|
||||
return net::ERR_IO_PENDING;
|
||||
}
|
||||
|
||||
bool AtomCertVerifier::SupportsOCSPStapling() {
|
||||
return true;
|
||||
}
|
||||
|
||||
AtomCertVerifier::CertVerifyRequest* AtomCertVerifier::FindRequest(
|
||||
const RequestParams& key) {
|
||||
DCHECK_CURRENTLY_ON(BrowserThread::IO);
|
||||
|
||||
auto it = std::lower_bound(requests_.begin(),
|
||||
requests_.end(),
|
||||
key,
|
||||
CertVerifyRequestToRequestParamsComparator());
|
||||
if (it != requests_.end() && !(key < (*it)->key()))
|
||||
return (*it).get();
|
||||
return nullptr;
|
||||
}
|
||||
|
||||
void AtomCertVerifier::RemoveRequest(CertVerifyRequest* request) {
|
||||
DCHECK_CURRENTLY_ON(BrowserThread::IO);
|
||||
|
||||
bool erased = requests_.erase(request) == 1;
|
||||
DCHECK(erased);
|
||||
}
|
||||
|
||||
} // namespace atom
|
165
atom/browser/atom_cert_verifier.h
Normal file
165
atom/browser/atom_cert_verifier.h
Normal file
|
@ -0,0 +1,165 @@
|
|||
// Copyright (c) 2015 GitHub, Inc.
|
||||
// Use of this source code is governed by the MIT license that can be
|
||||
// found in the LICENSE file.
|
||||
|
||||
#ifndef ATOM_BROWSER_ATOM_CERT_VERIFIER_H_
|
||||
#define ATOM_BROWSER_ATOM_CERT_VERIFIER_H_
|
||||
|
||||
#include <set>
|
||||
#include <string>
|
||||
#include <vector>
|
||||
|
||||
#include "base/memory/ref_counted.h"
|
||||
#include "net/base/hash_value.h"
|
||||
#include "net/cert/cert_verifier.h"
|
||||
#include "net/cert/crl_set.h"
|
||||
#include "net/cert/x509_certificate.h"
|
||||
#include "net/log/net_log.h"
|
||||
|
||||
namespace atom {
|
||||
|
||||
class AtomCertVerifier : public net::CertVerifier {
|
||||
public:
|
||||
struct RequestParams {
|
||||
RequestParams(
|
||||
const net::SHA1HashValue cert_fingerprint,
|
||||
const net::SHA1HashValue ca_fingerprint,
|
||||
const std::string& hostname_arg,
|
||||
const std::string& ocsp_response,
|
||||
int flags);
|
||||
~RequestParams() {}
|
||||
|
||||
bool operator<(const RequestParams& other) const;
|
||||
|
||||
std::string hostname;
|
||||
std::string ocsp_response;
|
||||
int flags;
|
||||
std::vector<net::SHA1HashValue> hash_values;
|
||||
};
|
||||
|
||||
class CertVerifyRequest
|
||||
: public base::RefCountedThreadSafe<CertVerifyRequest> {
|
||||
public:
|
||||
CertVerifyRequest(
|
||||
AtomCertVerifier* cert_verifier,
|
||||
const RequestParams& key,
|
||||
scoped_refptr<net::X509Certificate> cert,
|
||||
scoped_refptr<net::CRLSet> crl_set,
|
||||
net::CertVerifyResult* verify_result,
|
||||
scoped_ptr<Request>* out_req,
|
||||
const net::BoundNetLog& net_log)
|
||||
: cert_verifier_(cert_verifier),
|
||||
key_(key),
|
||||
certificate_(cert),
|
||||
crl_set_(crl_set),
|
||||
verify_result_(verify_result),
|
||||
out_req_(out_req),
|
||||
net_log_(net_log),
|
||||
handled_(false),
|
||||
weak_ptr_factory_(this) {
|
||||
}
|
||||
|
||||
void RunResult(int result);
|
||||
void DelegateToDefaultVerifier();
|
||||
void ContinueWithResult(int result);
|
||||
|
||||
void AddCompletionCallback(net::CompletionCallback callback) {
|
||||
callbacks_.push_back(callback);
|
||||
}
|
||||
|
||||
const RequestParams key() const { return key_; }
|
||||
|
||||
std::string hostname() const { return key_.hostname; }
|
||||
|
||||
scoped_refptr<net::X509Certificate> certificate() const {
|
||||
return certificate_;
|
||||
}
|
||||
|
||||
private:
|
||||
friend class base::RefCountedThreadSafe<CertVerifyRequest>;
|
||||
~CertVerifyRequest() {}
|
||||
|
||||
AtomCertVerifier* cert_verifier_;
|
||||
const RequestParams key_;
|
||||
|
||||
scoped_refptr<net::X509Certificate> certificate_;
|
||||
scoped_refptr<net::CRLSet> crl_set_;
|
||||
net::CertVerifyResult* verify_result_;
|
||||
scoped_ptr<Request>* out_req_;
|
||||
const net::BoundNetLog net_log_;
|
||||
|
||||
std::vector<net::CompletionCallback> callbacks_;
|
||||
bool handled_;
|
||||
|
||||
base::WeakPtrFactory<CertVerifyRequest> weak_ptr_factory_;
|
||||
|
||||
DISALLOW_COPY_AND_ASSIGN(CertVerifyRequest);
|
||||
};
|
||||
|
||||
class Delegate {
|
||||
public:
|
||||
Delegate() {}
|
||||
virtual ~Delegate() {}
|
||||
|
||||
// Called on UI thread.
|
||||
virtual void RequestCertVerification(
|
||||
const scoped_refptr<CertVerifyRequest>& request) {}
|
||||
};
|
||||
|
||||
AtomCertVerifier();
|
||||
virtual ~AtomCertVerifier();
|
||||
|
||||
void SetDelegate(Delegate* delegate) {
|
||||
delegate_ = delegate;
|
||||
}
|
||||
|
||||
protected:
|
||||
// net::CertVerifier:
|
||||
int Verify(net::X509Certificate* cert,
|
||||
const std::string& hostname,
|
||||
const std::string& ocsp_response,
|
||||
int flags,
|
||||
net::CRLSet* crl_set,
|
||||
net::CertVerifyResult* verify_result,
|
||||
const net::CompletionCallback& callback,
|
||||
scoped_ptr<Request>* out_req,
|
||||
const net::BoundNetLog& net_log) override;
|
||||
bool SupportsOCSPStapling() override;
|
||||
|
||||
net::CertVerifier* default_cert_verifier() const {
|
||||
return default_cert_verifier_.get();
|
||||
}
|
||||
|
||||
private:
|
||||
CertVerifyRequest* FindRequest(const RequestParams& key);
|
||||
void RemoveRequest(CertVerifyRequest* request);
|
||||
|
||||
struct CertVerifyRequestToRequestParamsComparator {
|
||||
bool operator()(const scoped_refptr<CertVerifyRequest> request,
|
||||
const RequestParams& key) const {
|
||||
return request->key() < key;
|
||||
}
|
||||
};
|
||||
|
||||
struct CertVerifyRequestComparator {
|
||||
bool operator()(const scoped_refptr<CertVerifyRequest> req1,
|
||||
const scoped_refptr<CertVerifyRequest> req2) const {
|
||||
return req1->key() < req2->key();
|
||||
}
|
||||
};
|
||||
|
||||
using ActiveRequestSet =
|
||||
std::set<scoped_refptr<CertVerifyRequest>,
|
||||
CertVerifyRequestComparator>;
|
||||
ActiveRequestSet requests_;
|
||||
|
||||
Delegate* delegate_;
|
||||
|
||||
scoped_ptr<net::CertVerifier> default_cert_verifier_;
|
||||
|
||||
DISALLOW_COPY_AND_ASSIGN(AtomCertVerifier);
|
||||
};
|
||||
|
||||
} // namespace atom
|
||||
|
||||
#endif // ATOM_BROWSER_ATOM_CERT_VERIFIER_H_
|
Loading…
Add table
Add a link
Reference in a new issue