Merge pull request #3344 from deepak1556/certificate_verifier_api_patch

session: api to allow handling certificate verification

atom/browser/api/atom_api_app.cc

@@ -62,21 +62,6 @@ struct Converter<Browser::UserTask> {
 };
 #endif
 
-template<>
-struct Converter<scoped_refptr<net::X509Certificate>> {
-  static v8::Local<v8::Value> ToV8(
-      v8::Isolate* isolate,
-      const scoped_refptr<net::X509Certificate>& val) {
-    mate::Dictionary dict(isolate, v8::Object::New(isolate));
-    std::string encoded_data;
-    net::X509Certificate::GetPEMEncoded(
-        val->os_cert_handle(), &encoded_data);
-    dict.Set("data", encoded_data);
-    dict.Set("issuerName", val->issuer().GetDisplayName());
-    return dict.GetHandle();
-  }
-};
-
 }  // namespace mate
 
 

atom/browser/api/atom_api_session.cc

@@ -16,6 +16,7 @@
 #include "atom/common/native_mate_converters/callback.h"
 #include "atom/common/native_mate_converters/gurl_converter.h"
 #include "atom/common/native_mate_converters/file_path_converter.h"
+#include "atom/common/native_mate_converters/net_converter.h"
 #include "atom/common/node_includes.h"
 #include "base/files/file_path.h"
 #include "base/prefs/pref_service.h"
@@ -237,11 +238,21 @@ void SetProxyInIO(net::URLRequestContextGetter* getter,
   RunCallbackInUI(callback);
 }
 
+void PassVerificationResult(
+    scoped_refptr<AtomCertVerifier::CertVerifyRequest> request,
+    bool success) {
+  int result = net::OK;
+  if (!success)
+    result = net::ERR_FAILED;
+  request->ContinueWithResult(result);
+}
+
 }  // namespace
 
 Session::Session(AtomBrowserContext* browser_context)
     : browser_context_(browser_context) {
   AttachAsUserData(browser_context);
+  browser_context->cert_verifier()->SetDelegate(this);
 
   // Observe DownloadManger to get download notifications.
   content::BrowserContext::GetDownloadManager(browser_context)->
@@ -254,6 +265,18 @@ Session::~Session() {
   Destroy();
 }
 
+void Session::RequestCertVerification(
+    const scoped_refptr<AtomCertVerifier::CertVerifyRequest>& request) {
+  bool prevent_default = Emit(
+      "verify-certificate",
+      request->hostname(),
+      request->certificate(),
+      base::Bind(&PassVerificationResult, request));
+
+  if (!prevent_default)
+    request->ContinueWithResult(net::ERR_IO_PENDING);
+}
+
 void Session::OnDownloadCreated(content::DownloadManager* manager,
                                 content::DownloadItem* item) {
   auto web_contents = item->GetWebContents();

atom/browser/api/atom_api_session.h

@@ -8,6 +8,7 @@
 #include <string>
 
 #include "atom/browser/api/trackable_object.h"
+#include "atom/browser/atom_cert_verifier.h"
 #include "content/public/browser/download_manager.h"
 #include "native_mate/handle.h"
 #include "net/base/completion_callback.h"
@@ -34,6 +35,7 @@ class AtomBrowserContext;
 namespace api {
 
 class Session: public mate::TrackableObject<Session>,
+               public AtomCertVerifier::Delegate,
                public content::DownloadManager::Observer {
  public:
   using ResolveProxyCallback = base::Callback<void(std::string)>;
@@ -52,6 +54,10 @@ class Session: public mate::TrackableObject<Session>,
   explicit Session(AtomBrowserContext* browser_context);
   ~Session();
 
+  // AtomCertVerifier::Delegate:
+  void RequestCertVerification(
+      const scoped_refptr<AtomCertVerifier::CertVerifyRequest>&) override;
+
   // content::DownloadManager::Observer:
   void OnDownloadCreated(content::DownloadManager* manager,
                          content::DownloadItem* item) override;

atom/browser/atom_browser_context.cc

@@ -5,6 +5,7 @@
 #include "atom/browser/atom_browser_context.h"
 
 #include "atom/browser/atom_browser_main_parts.h"
+#include "atom/browser/atom_cert_verifier.h"
 #include "atom/browser/atom_download_manager_delegate.h"
 #include "atom/browser/atom_ssl_config_service.h"
 #include "atom/browser/browser.h"
@@ -60,6 +61,7 @@ std::string RemoveWhitespace(const std::string& str) {
 AtomBrowserContext::AtomBrowserContext(const std::string& partition,
                                        bool in_memory)
     : brightray::BrowserContext(partition, in_memory),
+      cert_verifier_(new AtomCertVerifier),
       job_factory_(new AtomURLRequestJobFactory),
       allow_ntlm_everywhere_(false) {
 }
@@ -158,6 +160,10 @@ content::BrowserPluginGuestManager* AtomBrowserContext::GetGuestManager() {
   return guest_manager_.get();
 }
 
+net::CertVerifier* AtomBrowserContext::CreateCertVerifier() {
+  return cert_verifier_;
+}
+
 net::SSLConfigService* AtomBrowserContext::CreateSSLConfigService() {
   return new AtomSSLConfigService;
 }

atom/browser/atom_browser_context.h

@@ -12,6 +12,7 @@
 namespace atom {
 
 class AtomDownloadManagerDelegate;
+class AtomCertVerifier;
 class AtomURLRequestJobFactory;
 class WebViewManager;
 
@@ -27,6 +28,7 @@ class AtomBrowserContext : public brightray::BrowserContext {
       content::URLRequestInterceptorScopedVector* interceptors) override;
   net::HttpCache::BackendFactory* CreateHttpCacheBackendFactory(
       const base::FilePath& base_path) override;
+  net::CertVerifier* CreateCertVerifier() override;
   net::SSLConfigService* CreateSSLConfigService() override;
   bool AllowNTLMCredentialsForDomain(const GURL& auth_origin) override;
 
@@ -39,6 +41,8 @@ class AtomBrowserContext : public brightray::BrowserContext {
 
   void AllowNTLMCredentialsForAllDomains(bool should_allow);
 
+  AtomCertVerifier* cert_verifier() const { return cert_verifier_; }
+
   AtomURLRequestJobFactory* job_factory() const { return job_factory_; }
 
  private:
@@ -46,6 +50,7 @@ class AtomBrowserContext : public brightray::BrowserContext {
   scoped_ptr<WebViewManager> guest_manager_;
 
   // Managed by brightray::BrowserContext.
+  AtomCertVerifier* cert_verifier_;
   AtomURLRequestJobFactory* job_factory_;
 
   bool allow_ntlm_everywhere_;

atom/browser/atom_cert_verifier.cc

@@ -0,0 +1,176 @@
+// Copyright (c) 2015 GitHub, Inc.
+// Use of this source code is governed by the MIT license that can be
+// found in the LICENSE file.
+
+#include "atom/browser/atom_cert_verifier.h"
+
+#include "atom/browser/browser.h"
+#include "atom/common/native_mate_converters/net_converter.h"
+#include "base/sha1.h"
+#include "base/stl_util.h"
+#include "content/public/browser/browser_thread.h"
+#include "net/base/net_errors.h"
+
+using content::BrowserThread;
+
+namespace atom {
+
+AtomCertVerifier::RequestParams::RequestParams(
+    const net::SHA1HashValue cert_fingerprint,
+    const net::SHA1HashValue ca_fingerprint,
+    const std::string& hostname_arg,
+    const std::string& ocsp_response_arg,
+    int flags_arg)
+    : hostname(hostname_arg),
+      ocsp_response(ocsp_response_arg),
+      flags(flags_arg) {
+  hash_values.reserve(3);
+  net::SHA1HashValue ocsp_hash;
+  base::SHA1HashBytes(
+      reinterpret_cast<const unsigned char*>(ocsp_response.data()),
+      ocsp_response.size(), ocsp_hash.data);
+  hash_values.push_back(ocsp_hash);
+  hash_values.push_back(cert_fingerprint);
+  hash_values.push_back(ca_fingerprint);
+}
+
+bool AtomCertVerifier::RequestParams::operator<(
+    const RequestParams& other) const {
+  if (flags != other.flags)
+    return flags < other.flags;
+  if (hostname != other.hostname)
+    return hostname < other.hostname;
+  return std::lexicographical_compare(
+      hash_values.begin(),
+      hash_values.end(),
+      other.hash_values.begin(),
+      other.hash_values.end(),
+      net::SHA1HashValueLessThan());
+}
+
+void AtomCertVerifier::CertVerifyRequest::RunResult(int result) {
+  DCHECK_CURRENTLY_ON(BrowserThread::IO);
+
+  for (auto& callback : callbacks_)
+    callback.Run(result);
+  cert_verifier_->RemoveRequest(this);
+}
+
+void AtomCertVerifier::CertVerifyRequest::DelegateToDefaultVerifier() {
+  DCHECK_CURRENTLY_ON(BrowserThread::IO);
+
+  int rv = cert_verifier_->default_cert_verifier()->Verify(
+      certificate_.get(),
+      key_.hostname,
+      key_.ocsp_response,
+      key_.flags,
+      crl_set_.get(),
+      verify_result_,
+      base::Bind(&CertVerifyRequest::RunResult,
+                 weak_ptr_factory_.GetWeakPtr()),
+      out_req_,
+      net_log_);
+
+  if (rv != net::ERR_IO_PENDING)
+    RunResult(rv);
+}
+
+void AtomCertVerifier::CertVerifyRequest::ContinueWithResult(int result) {
+  DCHECK_CURRENTLY_ON(BrowserThread::UI);
+
+  if (handled_)
+    return;
+
+  handled_ = true;
+
+  if (result != net::ERR_IO_PENDING) {
+    BrowserThread::PostTask(BrowserThread::IO, FROM_HERE,
+                            base::Bind(&CertVerifyRequest::RunResult,
+                                       weak_ptr_factory_.GetWeakPtr(),
+                                       result));
+    return;
+  }
+
+  BrowserThread::PostTask(
+      BrowserThread::IO, FROM_HERE,
+      base::Bind(&CertVerifyRequest::DelegateToDefaultVerifier,
+                 weak_ptr_factory_.GetWeakPtr()));
+}
+
+AtomCertVerifier::AtomCertVerifier()
+    : delegate_(nullptr) {
+  default_cert_verifier_.reset(net::CertVerifier::CreateDefault());
+}
+
+AtomCertVerifier::~AtomCertVerifier() {
+}
+
+int AtomCertVerifier::Verify(
+    net::X509Certificate* cert,
+    const std::string& hostname,
+    const std::string& ocsp_response,
+    int flags,
+    net::CRLSet* crl_set,
+    net::CertVerifyResult* verify_result,
+    const net::CompletionCallback& callback,
+    scoped_ptr<Request>* out_req,
+    const net::BoundNetLog& net_log) {
+  DCHECK_CURRENTLY_ON(BrowserThread::IO);
+
+  if (callback.is_null() || !verify_result || hostname.empty() || !delegate_)
+    return net::ERR_INVALID_ARGUMENT;
+
+  const RequestParams key(cert->fingerprint(),
+                          cert->ca_fingerprint(),
+                          hostname,
+                          ocsp_response,
+                          flags);
+
+  CertVerifyRequest* request = FindRequest(key);
+
+  if (!request) {
+    request = new CertVerifyRequest(this,
+                                    key,
+                                    cert,
+                                    crl_set,
+                                    verify_result,
+                                    out_req,
+                                    net_log);
+    requests_.insert(make_scoped_refptr(request));
+
+    BrowserThread::PostTask(BrowserThread::UI, FROM_HERE,
+                            base::Bind(&Delegate::RequestCertVerification,
+                                       base::Unretained(delegate_),
+                                       make_scoped_refptr(request)));
+  }
+
+  request->AddCompletionCallback(callback);
+
+  return net::ERR_IO_PENDING;
+}
+
+bool AtomCertVerifier::SupportsOCSPStapling() {
+  return true;
+}
+
+AtomCertVerifier::CertVerifyRequest* AtomCertVerifier::FindRequest(
+    const RequestParams& key) {
+  DCHECK_CURRENTLY_ON(BrowserThread::IO);
+
+  auto it = std::lower_bound(requests_.begin(),
+                             requests_.end(),
+                             key,
+                             CertVerifyRequestToRequestParamsComparator());
+  if (it != requests_.end() && !(key < (*it)->key()))
+    return (*it).get();
+  return nullptr;
+}
+
+void AtomCertVerifier::RemoveRequest(CertVerifyRequest* request) {
+  DCHECK_CURRENTLY_ON(BrowserThread::IO);
+
+  bool erased = requests_.erase(request) == 1;
+  DCHECK(erased);
+}
+
+}  // namespace atom

atom/browser/atom_cert_verifier.h

@@ -0,0 +1,165 @@
+// Copyright (c) 2015 GitHub, Inc.
+// Use of this source code is governed by the MIT license that can be
+// found in the LICENSE file.
+
+#ifndef ATOM_BROWSER_ATOM_CERT_VERIFIER_H_
+#define ATOM_BROWSER_ATOM_CERT_VERIFIER_H_
+
+#include <set>
+#include <string>
+#include <vector>
+
+#include "base/memory/ref_counted.h"
+#include "net/base/hash_value.h"
+#include "net/cert/cert_verifier.h"
+#include "net/cert/crl_set.h"
+#include "net/cert/x509_certificate.h"
+#include "net/log/net_log.h"
+
+namespace atom {
+
+class AtomCertVerifier : public net::CertVerifier {
+ public:
+  struct RequestParams {
+    RequestParams(
+        const net::SHA1HashValue cert_fingerprint,
+        const net::SHA1HashValue ca_fingerprint,
+        const std::string& hostname_arg,
+        const std::string& ocsp_response,
+        int flags);
+    ~RequestParams() {}
+
+    bool operator<(const RequestParams& other) const;
+
+    std::string hostname;
+    std::string ocsp_response;
+    int flags;
+    std::vector<net::SHA1HashValue> hash_values;
+  };
+
+  class CertVerifyRequest
+      : public base::RefCountedThreadSafe<CertVerifyRequest> {
+   public:
+    CertVerifyRequest(
+        AtomCertVerifier* cert_verifier,
+        const RequestParams& key,
+        scoped_refptr<net::X509Certificate> cert,
+        scoped_refptr<net::CRLSet> crl_set,
+        net::CertVerifyResult* verify_result,
+        scoped_ptr<Request>* out_req,
+        const net::BoundNetLog& net_log)
+        : cert_verifier_(cert_verifier),
+          key_(key),
+          certificate_(cert),
+          crl_set_(crl_set),
+          verify_result_(verify_result),
+          out_req_(out_req),
+          net_log_(net_log),
+          handled_(false),
+          weak_ptr_factory_(this) {
+    }
+
+    void RunResult(int result);
+    void DelegateToDefaultVerifier();
+    void ContinueWithResult(int result);
+
+    void AddCompletionCallback(net::CompletionCallback callback) {
+      callbacks_.push_back(callback);
+    }
+
+    const RequestParams key() const { return key_; }
+
+    std::string hostname() const { return key_.hostname; }
+
+    scoped_refptr<net::X509Certificate> certificate() const {
+      return certificate_;
+    }
+
+   private:
+    friend class base::RefCountedThreadSafe<CertVerifyRequest>;
+    ~CertVerifyRequest() {}
+
+    AtomCertVerifier* cert_verifier_;
+    const RequestParams key_;
+
+    scoped_refptr<net::X509Certificate> certificate_;
+    scoped_refptr<net::CRLSet> crl_set_;
+    net::CertVerifyResult* verify_result_;
+    scoped_ptr<Request>* out_req_;
+    const net::BoundNetLog net_log_;
+
+    std::vector<net::CompletionCallback> callbacks_;
+    bool handled_;
+
+    base::WeakPtrFactory<CertVerifyRequest> weak_ptr_factory_;
+
+    DISALLOW_COPY_AND_ASSIGN(CertVerifyRequest);
+  };
+
+  class Delegate {
+   public:
+    Delegate() {}
+    virtual ~Delegate() {}
+
+    // Called on UI thread.
+    virtual void RequestCertVerification(
+        const scoped_refptr<CertVerifyRequest>& request) {}
+  };
+
+  AtomCertVerifier();
+  virtual ~AtomCertVerifier();
+
+  void SetDelegate(Delegate* delegate) {
+    delegate_ = delegate;
+  }
+
+ protected:
+  // net::CertVerifier:
+  int Verify(net::X509Certificate* cert,
+             const std::string& hostname,
+             const std::string& ocsp_response,
+             int flags,
+             net::CRLSet* crl_set,
+             net::CertVerifyResult* verify_result,
+             const net::CompletionCallback& callback,
+             scoped_ptr<Request>* out_req,
+             const net::BoundNetLog& net_log) override;
+  bool SupportsOCSPStapling() override;
+
+  net::CertVerifier* default_cert_verifier() const {
+    return default_cert_verifier_.get();
+  }
+
+ private:
+  CertVerifyRequest* FindRequest(const RequestParams& key);
+  void RemoveRequest(CertVerifyRequest* request);
+
+  struct CertVerifyRequestToRequestParamsComparator {
+    bool operator()(const scoped_refptr<CertVerifyRequest> request,
+                    const RequestParams& key) const {
+      return request->key() < key;
+    }
+  };
+
+  struct CertVerifyRequestComparator {
+    bool operator()(const scoped_refptr<CertVerifyRequest> req1,
+                    const scoped_refptr<CertVerifyRequest> req2) const {
+      return req1->key() < req2->key();
+    }
+  };
+
+  using ActiveRequestSet =
+      std::set<scoped_refptr<CertVerifyRequest>,
+               CertVerifyRequestComparator>;
+  ActiveRequestSet requests_;
+
+  Delegate* delegate_;
+
+  scoped_ptr<net::CertVerifier> default_cert_verifier_;
+
+  DISALLOW_COPY_AND_ASSIGN(AtomCertVerifier);
+};
+
+}   // namespace atom
+
+#endif  // ATOM_BROWSER_ATOM_CERT_VERIFIER_H_