Merge pull request #3344 from deepak1556/certificate_verifier_api_patch

session: api to allow handling certificate verification
2015-11-17 18:53:35 +08:00 · 2015-11-17 18:53:35 +08:00 · 24f573eceb
commit 24f573eceb
parent 855c1ead00 92c3ee8e16
12 changed files with 436 additions and 17 deletions
--- a/atom/browser/api/atom_api_app.cc
+++ b/atom/browser/api/atom_api_app.cc
@ -62,21 +62,6 @@ struct Converter<Browser::UserTask> {
 };
 #endif
 template<>
 struct Converter<scoped_refptr<net::X509Certificate>> {
  static v8::Local<v8::Value> ToV8(
      v8::Isolate* isolate,
      const scoped_refptr<net::X509Certificate>& val) {
    mate::Dictionary dict(isolate, v8::Object::New(isolate));
    std::string encoded_data;
    net::X509Certificate::GetPEMEncoded(
        val->os_cert_handle(), &encoded_data);
    dict.Set("data", encoded_data);
    dict.Set("issuerName", val->issuer().GetDisplayName());
    return dict.GetHandle();
  }
 };
 }  // namespace mate
--- a/atom/browser/api/atom_api_session.cc
+++ b/atom/browser/api/atom_api_session.cc
@ -16,6 +16,7 @@
 #include "atom/common/native_mate_converters/callback.h"
 #include "atom/common/native_mate_converters/gurl_converter.h"
 #include "atom/common/native_mate_converters/file_path_converter.h"
 #include "atom/common/native_mate_converters/net_converter.h"
 #include "atom/common/node_includes.h"
 #include "base/files/file_path.h"
 #include "base/prefs/pref_service.h"
@ -237,11 +238,21 @@ void SetProxyInIO(net::URLRequestContextGetter* getter,
  RunCallbackInUI(callback);
 }
 void PassVerificationResult(
    scoped_refptr<AtomCertVerifier::CertVerifyRequest> request,
    bool success) {
  int result = net::OK;
  if (!success)
    result = net::ERR_FAILED;
  request->ContinueWithResult(result);
 }
 }  // namespace
 Session::Session(AtomBrowserContext* browser_context)
    : browser_context_(browser_context) {
  AttachAsUserData(browser_context);
  browser_context->cert_verifier()->SetDelegate(this);
  // Observe DownloadManger to get download notifications.
  content::BrowserContext::GetDownloadManager(browser_context)->
@ -254,6 +265,18 @@ Session::~Session() {
  Destroy();
 }
 void Session::RequestCertVerification(
    const scoped_refptr<AtomCertVerifier::CertVerifyRequest>& request) {
  bool prevent_default = Emit(
      "verify-certificate",
      request->hostname(),
      request->certificate(),
      base::Bind(&PassVerificationResult, request));
  if (!prevent_default)
    request->ContinueWithResult(net::ERR_IO_PENDING);
 }
 void Session::OnDownloadCreated(content::DownloadManager* manager,
                                content::DownloadItem* item) {
  auto web_contents = item->GetWebContents();
--- a/atom/browser/api/atom_api_session.h
+++ b/atom/browser/api/atom_api_session.h
@ -8,6 +8,7 @@
 #include <string>
 #include "atom/browser/api/trackable_object.h"
 #include "atom/browser/atom_cert_verifier.h"
 #include "content/public/browser/download_manager.h"
 #include "native_mate/handle.h"
 #include "net/base/completion_callback.h"
@ -34,6 +35,7 @@ class AtomBrowserContext;
 namespace api {
 class Session: public mate::TrackableObject<Session>,
               public AtomCertVerifier::Delegate,
               public content::DownloadManager::Observer {
 public:
  using ResolveProxyCallback = base::Callback<void(std::string)>;
@ -52,6 +54,10 @@ class Session: public mate::TrackableObject<Session>,
  explicit Session(AtomBrowserContext* browser_context);
  ~Session();
  // AtomCertVerifier::Delegate:
  void RequestCertVerification(
      const scoped_refptr<AtomCertVerifier::CertVerifyRequest>&) override;
  // content::DownloadManager::Observer:
  void OnDownloadCreated(content::DownloadManager* manager,
                         content::DownloadItem* item) override;
--- a/atom/browser/atom_browser_context.cc
+++ b/atom/browser/atom_browser_context.cc
@ -5,6 +5,7 @@
 #include "atom/browser/atom_browser_context.h"
 #include "atom/browser/atom_browser_main_parts.h"
 #include "atom/browser/atom_cert_verifier.h"
 #include "atom/browser/atom_download_manager_delegate.h"
 #include "atom/browser/atom_ssl_config_service.h"
 #include "atom/browser/browser.h"
@ -60,6 +61,7 @@ std::string RemoveWhitespace(const std::string& str) {
 AtomBrowserContext::AtomBrowserContext(const std::string& partition,
                                       bool in_memory)
    : brightray::BrowserContext(partition, in_memory),
      cert_verifier_(new AtomCertVerifier),
      job_factory_(new AtomURLRequestJobFactory),
      allow_ntlm_everywhere_(false) {
 }
@ -158,6 +160,10 @@ content::BrowserPluginGuestManager* AtomBrowserContext::GetGuestManager() {
  return guest_manager_.get();
 }
 net::CertVerifier* AtomBrowserContext::CreateCertVerifier() {
  return cert_verifier_;
 }
 net::SSLConfigService* AtomBrowserContext::CreateSSLConfigService() {
  return new AtomSSLConfigService;
 }
--- a/atom/browser/atom_browser_context.h
+++ b/atom/browser/atom_browser_context.h
@ -12,6 +12,7 @@
 namespace atom {
 class AtomDownloadManagerDelegate;
 class AtomCertVerifier;
 class AtomURLRequestJobFactory;
 class WebViewManager;
@ -27,6 +28,7 @@ class AtomBrowserContext : public brightray::BrowserContext {
      content::URLRequestInterceptorScopedVector* interceptors) override;
  net::HttpCache::BackendFactory* CreateHttpCacheBackendFactory(
      const base::FilePath& base_path) override;
  net::CertVerifier* CreateCertVerifier() override;
  net::SSLConfigService* CreateSSLConfigService() override;
  bool AllowNTLMCredentialsForDomain(const GURL& auth_origin) override;
@ -39,6 +41,8 @@ class AtomBrowserContext : public brightray::BrowserContext {
  void AllowNTLMCredentialsForAllDomains(bool should_allow);
  AtomCertVerifier* cert_verifier() const { return cert_verifier_; }
  AtomURLRequestJobFactory* job_factory() const { return job_factory_; }
 private:
@ -46,6 +50,7 @@ class AtomBrowserContext : public brightray::BrowserContext {
  scoped_ptr<WebViewManager> guest_manager_;
  // Managed by brightray::BrowserContext.
  AtomCertVerifier* cert_verifier_;
  AtomURLRequestJobFactory* job_factory_;
  bool allow_ntlm_everywhere_;
--- a/atom/browser/atom_cert_verifier.cc
+++ b/atom/browser/atom_cert_verifier.cc
@ -0,0 +1,176 @@
 // Copyright (c) 2015 GitHub, Inc.
 // Use of this source code is governed by the MIT license that can be
 // found in the LICENSE file.
 #include "atom/browser/atom_cert_verifier.h"
 #include "atom/browser/browser.h"
 #include "atom/common/native_mate_converters/net_converter.h"
 #include "base/sha1.h"
 #include "base/stl_util.h"
 #include "content/public/browser/browser_thread.h"
 #include "net/base/net_errors.h"
 using content::BrowserThread;
 namespace atom {
 AtomCertVerifier::RequestParams::RequestParams(
    const net::SHA1HashValue cert_fingerprint,
    const net::SHA1HashValue ca_fingerprint,
    const std::string& hostname_arg,
    const std::string& ocsp_response_arg,
    int flags_arg)
    : hostname(hostname_arg),
      ocsp_response(ocsp_response_arg),
      flags(flags_arg) {
  hash_values.reserve(3);
  net::SHA1HashValue ocsp_hash;
  base::SHA1HashBytes(
      reinterpret_cast<const unsigned char*>(ocsp_response.data()),
      ocsp_response.size(), ocsp_hash.data);
  hash_values.push_back(ocsp_hash);
  hash_values.push_back(cert_fingerprint);
  hash_values.push_back(ca_fingerprint);
 }
 bool AtomCertVerifier::RequestParams::operator<(
    const RequestParams& other) const {
  if (flags != other.flags)
    return flags < other.flags;
  if (hostname != other.hostname)
    return hostname < other.hostname;
  return std::lexicographical_compare(
      hash_values.begin(),
      hash_values.end(),
      other.hash_values.begin(),
      other.hash_values.end(),
      net::SHA1HashValueLessThan());
 }
 void AtomCertVerifier::CertVerifyRequest::RunResult(int result) {
  DCHECK_CURRENTLY_ON(BrowserThread::IO);
  for (auto& callback : callbacks_)
    callback.Run(result);
  cert_verifier_->RemoveRequest(this);
 }
 void AtomCertVerifier::CertVerifyRequest::DelegateToDefaultVerifier() {
  DCHECK_CURRENTLY_ON(BrowserThread::IO);
  int rv = cert_verifier_->default_cert_verifier()->Verify(
      certificate_.get(),
      key_.hostname,
      key_.ocsp_response,
      key_.flags,
      crl_set_.get(),
      verify_result_,
      base::Bind(&CertVerifyRequest::RunResult,
                 weak_ptr_factory_.GetWeakPtr()),
      out_req_,
      net_log_);
  if (rv != net::ERR_IO_PENDING)
    RunResult(rv);
 }
 void AtomCertVerifier::CertVerifyRequest::ContinueWithResult(int result) {
  DCHECK_CURRENTLY_ON(BrowserThread::UI);
  if (handled_)
    return;
  handled_ = true;
  if (result != net::ERR_IO_PENDING) {
    BrowserThread::PostTask(BrowserThread::IO, FROM_HERE,
                            base::Bind(&CertVerifyRequest::RunResult,
                                       weak_ptr_factory_.GetWeakPtr(),
                                       result));
    return;
  }
  BrowserThread::PostTask(
      BrowserThread::IO, FROM_HERE,
      base::Bind(&CertVerifyRequest::DelegateToDefaultVerifier,
                 weak_ptr_factory_.GetWeakPtr()));
 }
 AtomCertVerifier::AtomCertVerifier()
    : delegate_(nullptr) {
  default_cert_verifier_.reset(net::CertVerifier::CreateDefault());
 }
 AtomCertVerifier::~AtomCertVerifier() {
 }
 int AtomCertVerifier::Verify(
    net::X509Certificate* cert,
    const std::string& hostname,
    const std::string& ocsp_response,
    int flags,
    net::CRLSet* crl_set,
    net::CertVerifyResult* verify_result,
    const net::CompletionCallback& callback,
    scoped_ptr<Request>* out_req,
    const net::BoundNetLog& net_log) {
  DCHECK_CURRENTLY_ON(BrowserThread::IO);
  if (callback.is_null() || !verify_result || hostname.empty() || !delegate_)
    return net::ERR_INVALID_ARGUMENT;
  const RequestParams key(cert->fingerprint(),
                          cert->ca_fingerprint(),
                          hostname,
                          ocsp_response,
                          flags);
  CertVerifyRequest* request = FindRequest(key);
  if (!request) {
    request = new CertVerifyRequest(this,
                                    key,
                                    cert,
                                    crl_set,
                                    verify_result,
                                    out_req,
                                    net_log);
    requests_.insert(make_scoped_refptr(request));
    BrowserThread::PostTask(BrowserThread::UI, FROM_HERE,
                            base::Bind(&Delegate::RequestCertVerification,
                                       base::Unretained(delegate_),
                                       make_scoped_refptr(request)));
  }
  request->AddCompletionCallback(callback);
  return net::ERR_IO_PENDING;
 }
 bool AtomCertVerifier::SupportsOCSPStapling() {
  return true;
 }
 AtomCertVerifier::CertVerifyRequest* AtomCertVerifier::FindRequest(
    const RequestParams& key) {
  DCHECK_CURRENTLY_ON(BrowserThread::IO);
  auto it = std::lower_bound(requests_.begin(),
                             requests_.end(),
                             key,
                             CertVerifyRequestToRequestParamsComparator());
  if (it != requests_.end() && !(key < (*it)->key()))
    return (*it).get();
  return nullptr;
 }
 void AtomCertVerifier::RemoveRequest(CertVerifyRequest* request) {
  DCHECK_CURRENTLY_ON(BrowserThread::IO);
  bool erased = requests_.erase(request) == 1;
  DCHECK(erased);
 }
 }  // namespace atom
--- a/atom/browser/atom_cert_verifier.h
+++ b/atom/browser/atom_cert_verifier.h
@ -0,0 +1,165 @@
 // Copyright (c) 2015 GitHub, Inc.
 // Use of this source code is governed by the MIT license that can be
 // found in the LICENSE file.
 #ifndef ATOM_BROWSER_ATOM_CERT_VERIFIER_H_
 #define ATOM_BROWSER_ATOM_CERT_VERIFIER_H_
 #include <set>
 #include <string>
 #include <vector>
 #include "base/memory/ref_counted.h"
 #include "net/base/hash_value.h"
 #include "net/cert/cert_verifier.h"
 #include "net/cert/crl_set.h"
 #include "net/cert/x509_certificate.h"
 #include "net/log/net_log.h"
 namespace atom {
 class AtomCertVerifier : public net::CertVerifier {
 public:
  struct RequestParams {
    RequestParams(
        const net::SHA1HashValue cert_fingerprint,
        const net::SHA1HashValue ca_fingerprint,
        const std::string& hostname_arg,
        const std::string& ocsp_response,
        int flags);
    ~RequestParams() {}
    bool operator<(const RequestParams& other) const;
    std::string hostname;
    std::string ocsp_response;
    int flags;
    std::vector<net::SHA1HashValue> hash_values;
  };
  class CertVerifyRequest
      : public base::RefCountedThreadSafe<CertVerifyRequest> {
   public:
    CertVerifyRequest(
        AtomCertVerifier* cert_verifier,
        const RequestParams& key,
        scoped_refptr<net::X509Certificate> cert,
        scoped_refptr<net::CRLSet> crl_set,
        net::CertVerifyResult* verify_result,
        scoped_ptr<Request>* out_req,
        const net::BoundNetLog& net_log)
        : cert_verifier_(cert_verifier),
          key_(key),
          certificate_(cert),
          crl_set_(crl_set),
          verify_result_(verify_result),
          out_req_(out_req),
          net_log_(net_log),
          handled_(false),
          weak_ptr_factory_(this) {
    }
    void RunResult(int result);
    void DelegateToDefaultVerifier();
    void ContinueWithResult(int result);
    void AddCompletionCallback(net::CompletionCallback callback) {
      callbacks_.push_back(callback);
    }
    const RequestParams key() const { return key_; }
    std::string hostname() const { return key_.hostname; }
    scoped_refptr<net::X509Certificate> certificate() const {
      return certificate_;
    }
   private:
    friend class base::RefCountedThreadSafe<CertVerifyRequest>;
    ~CertVerifyRequest() {}
    AtomCertVerifier* cert_verifier_;
    const RequestParams key_;
    scoped_refptr<net::X509Certificate> certificate_;
    scoped_refptr<net::CRLSet> crl_set_;
    net::CertVerifyResult* verify_result_;
    scoped_ptr<Request>* out_req_;
    const net::BoundNetLog net_log_;
    std::vector<net::CompletionCallback> callbacks_;
    bool handled_;
    base::WeakPtrFactory<CertVerifyRequest> weak_ptr_factory_;
    DISALLOW_COPY_AND_ASSIGN(CertVerifyRequest);
  };
  class Delegate {
   public:
    Delegate() {}
    virtual ~Delegate() {}
    // Called on UI thread.
    virtual void RequestCertVerification(
        const scoped_refptr<CertVerifyRequest>& request) {}
  };
  AtomCertVerifier();
  virtual ~AtomCertVerifier();
  void SetDelegate(Delegate* delegate) {
    delegate_ = delegate;
  }
 protected:
  // net::CertVerifier:
  int Verify(net::X509Certificate* cert,
             const std::string& hostname,
             const std::string& ocsp_response,
             int flags,
             net::CRLSet* crl_set,
             net::CertVerifyResult* verify_result,
             const net::CompletionCallback& callback,
             scoped_ptr<Request>* out_req,
             const net::BoundNetLog& net_log) override;
  bool SupportsOCSPStapling() override;
  net::CertVerifier* default_cert_verifier() const {
    return default_cert_verifier_.get();
  }
 private:
  CertVerifyRequest* FindRequest(const RequestParams& key);
  void RemoveRequest(CertVerifyRequest* request);
  struct CertVerifyRequestToRequestParamsComparator {
    bool operator()(const scoped_refptr<CertVerifyRequest> request,
                    const RequestParams& key) const {
      return request->key() < key;
    }
  };
  struct CertVerifyRequestComparator {
    bool operator()(const scoped_refptr<CertVerifyRequest> req1,
                    const scoped_refptr<CertVerifyRequest> req2) const {
      return req1->key() < req2->key();
    }
  };
  using ActiveRequestSet =
      std::set<scoped_refptr<CertVerifyRequest>,
               CertVerifyRequestComparator>;
  ActiveRequestSet requests_;
  Delegate* delegate_;
  scoped_ptr<net::CertVerifier> default_cert_verifier_;
  DISALLOW_COPY_AND_ASSIGN(AtomCertVerifier);
 };
 }   // namespace atom
 #endif  // ATOM_BROWSER_ATOM_CERT_VERIFIER_H_
--- a/atom/common/native_mate_converters/net_converter.cc
+++ b/atom/common/native_mate_converters/net_converter.cc
@ -4,7 +4,11 @@
 #include "atom/common/native_mate_converters/net_converter.h"
 #include <string>
 #include "atom/common/node_includes.h"
 #include "native_mate/dictionary.h"
 #include "net/cert/x509_certificate.h"
 #include "net/url_request/url_request.h"
 namespace mate {
@ -31,4 +35,19 @@ v8::Local<v8::Value> Converter<const net::AuthChallengeInfo*>::ToV8(
  return mate::ConvertToV8(isolate, dict);
 }
 // static
 v8::Local<v8::Value> Converter<scoped_refptr<net::X509Certificate>>::ToV8(
    v8::Isolate* isolate, const scoped_refptr<net::X509Certificate>& val) {
  mate::Dictionary dict(isolate, v8::Object::New(isolate));
  std::string encoded_data;
  net::X509Certificate::GetPEMEncoded(
      val->os_cert_handle(), &encoded_data);
  auto buffer = node::Buffer::Copy(isolate,
                                   encoded_data.data(),
                                   encoded_data.size()).ToLocalChecked();
  dict.Set("data", buffer);
  dict.Set("issuerName", val->issuer().GetDisplayName());
  return dict.GetHandle();
 }
 }  // namespace mate
--- a/atom/common/native_mate_converters/net_converter.h
+++ b/atom/common/native_mate_converters/net_converter.h
@ -5,11 +5,13 @@
 #ifndef ATOM_COMMON_NATIVE_MATE_CONVERTERS_NET_CONVERTER_H_
 #define ATOM_COMMON_NATIVE_MATE_CONVERTERS_NET_CONVERTER_H_
 #include "base/memory/ref_counted.h"
 #include "native_mate/converter.h"
 namespace net {
 class AuthChallengeInfo;
 class URLRequest;
 class X509Certificate;
 }
 namespace mate {
@ -26,6 +28,12 @@ struct Converter<const net::AuthChallengeInfo*> {
                                   const net::AuthChallengeInfo* val);
 };
 template<>
 struct Converter<scoped_refptr<net::X509Certificate>> {
  static v8::Local<v8::Value> ToV8(v8::Isolate* isolate,
      const scoped_refptr<net::X509Certificate>& val);
 };
 }  // namespace mate
 #endif  // ATOM_COMMON_NATIVE_MATE_CONVERTERS_NET_CONVERTER_H_
--- a/docs/api/app.md
+++ b/docs/api/app.md
@ -139,8 +139,8 @@ Returns:
 * `webContents` [WebContents](web-contents.md)
 * `url` URL
 * `certificateList` [Objects]
-  * `data` PEM encoded data
+  * `data` Buffer - PEM encoded data
-  * `issuerName` Issuer's Common Name
+  * `issuerName` String - Issuer's Common Name
 * `callback` Function
 Emitted when a client certificate is requested.
--- a/docs/api/session.md
+++ b/docs/api/session.md
@ -34,6 +34,30 @@ session.on('will-download', function(event, item, webContents) {
 });
 ```
 ### Event: 'verify-certificate'
 * `event` Event
 * `hostname` String
 * `certificate` Object
  * `data` Buffer - PEM encoded data
  * `issuerName` String
 * `callback` Function
 Fired whenever a server certificate verification is requested by the
 network layer with `hostname`, `certificate` and `callback`.
 `callback` should be called with a boolean response to
 indicate continuation or cancellation of the request.
 ```js
 session.on('verify-certificate', function(event, hostname, certificate, callback) {
  if (hostname == "github.com") {
    // verification logic
    callback(true);
  }
  callback(false);
 });
 ```
 ## Methods
 The `session` object has the following methods:
--- a/filenames.gypi
+++ b/filenames.gypi
@ -131,6 +131,8 @@
      'atom/browser/atom_download_manager_delegate.h',
      'atom/browser/atom_browser_main_parts.cc',
      'atom/browser/atom_browser_main_parts.h',
      'atom/browser/atom_cert_verifier.cc',
      'atom/browser/atom_cert_verifier.h',
      'atom/browser/atom_browser_main_parts_mac.mm',
      'atom/browser/atom_browser_main_parts_posix.cc',
      'atom/browser/atom_javascript_dialog_manager.cc',