emit verify-certificate event for handling verification

2015-11-13 01:25:23 +05:30 · 2015-11-13 01:25:23 +05:30 · 37e6e6fab7
commit 37e6e6fab7
parent d072e61282
8 changed files with 313 additions and 93 deletions
--- a/atom/browser/api/atom_api_session.cc
+++ b/atom/browser/api/atom_api_session.cc
@ -239,12 +239,24 @@ void SetProxyInIO(net::URLRequestContextGetter* getter,
  RunCallbackInUI(callback);
 }
 void PassVerificationResult(
    scoped_refptr<AtomCertVerifier::CertVerifyRequest> request,
    bool success) {
  int result = net::OK;
  if (!success)
    result = net::ERR_FAILED;
  request->ContinueWithResult(result);
 }
 }  // namespace
 Session::Session(AtomBrowserContext* browser_context)
    : browser_context_(browser_context) {
  AttachAsUserData(browser_context);
  // Observe Browser to get certificate verification notification.
  Browser::Get()->AddObserver(this);
  // Observe DownloadManger to get download notifications.
  content::BrowserContext::GetDownloadManager(browser_context)->
      AddObserver(this);
@ -253,9 +265,22 @@ Session::Session(AtomBrowserContext* browser_context)
 Session::~Session() {
  content::BrowserContext::GetDownloadManager(browser_context())->
      RemoveObserver(this);
  Browser::Get()->RemoveObserver(this);
  Destroy();
 }
 void Session::OnCertVerification(
    const scoped_refptr<AtomCertVerifier::CertVerifyRequest>& request) {
  bool prevent_default = Emit(
      "verify-certificate",
      request->hostname(),
      request->certificate(),
      base::Bind(&PassVerificationResult, request));
  if (!prevent_default)
    request->ContinueWithResult(net::ERR_IO_PENDING);
 }
 void Session::OnDownloadCreated(content::DownloadManager* manager,
                                content::DownloadItem* item) {
  auto web_contents = item->GetWebContents();
@ -367,7 +392,6 @@ v8::Local<v8::Value> Session::Cookies(v8::Isolate* isolate) {
 mate::ObjectTemplateBuilder Session::GetObjectTemplateBuilder(
    v8::Isolate* isolate) {
  auto browser = base::Unretained(Browser::Get());
  return mate::ObjectTemplateBuilder(isolate)
      .SetMethod("resolveProxy", &Session::ResolveProxy)
      .SetMethod("clearCache", &Session::ClearCache)
@ -376,10 +400,6 @@ mate::ObjectTemplateBuilder Session::GetObjectTemplateBuilder(
      .SetMethod("setDownloadPath", &Session::SetDownloadPath)
      .SetMethod("enableNetworkEmulation", &Session::EnableNetworkEmulation)
      .SetMethod("disableNetworkEmulation", &Session::DisableNetworkEmulation)
      .SetMethod("setCertificateVerifier",
                 base::Bind(&Browser::SetCertificateVerifier, browser))
      .SetMethod("removeCertificateVerifier",
                 base::Bind(&Browser::RemoveCertificateVerifier, browser))
      .SetProperty("cookies", &Session::Cookies);
 }
--- a/atom/browser/api/atom_api_session.h
+++ b/atom/browser/api/atom_api_session.h
@ -8,6 +8,8 @@
 #include <string>
 #include "atom/browser/api/trackable_object.h"
 #include "atom/browser/atom_cert_verifier.h"
 #include "atom/browser/browser_observer.h"
 #include "content/public/browser/download_manager.h"
 #include "native_mate/handle.h"
 #include "net/base/completion_callback.h"
@ -34,6 +36,7 @@ class AtomBrowserContext;
 namespace api {
 class Session: public mate::TrackableObject<Session>,
               public BrowserObserver,
               public content::DownloadManager::Observer {
 public:
  using ResolveProxyCallback = base::Callback<void(std::string)>;
@ -52,6 +55,10 @@ class Session: public mate::TrackableObject<Session>,
  explicit Session(AtomBrowserContext* browser_context);
  ~Session();
  // BrowserObserver:
  void OnCertVerification(
      const scoped_refptr<AtomCertVerifier::CertVerifyRequest>&) override;
  // content::DownloadManager::Observer:
  void OnDownloadCreated(content::DownloadManager* manager,
                         content::DownloadItem* item) override;
--- a/atom/browser/atom_cert_verifier.cc
+++ b/atom/browser/atom_cert_verifier.cc
@ -6,36 +6,108 @@
 #include "atom/browser/browser.h"
 #include "atom/common/native_mate_converters/net_converter.h"
 #include "base/callback_helpers.h"
 #include "base/sha1.h"
 #include "base/stl_util.h"
 #include "content/public/browser/browser_thread.h"
 #include "net/base/net_errors.h"
 #include "net/cert/x509_certificate.h"
 using content::BrowserThread;
 namespace atom {
-namespace {
+AtomCertVerifier::RequestParams::RequestParams(
-
+    const net::SHA1HashValue cert_fingerprint,
-void RunResult(const net::CompletionCallback& callback, bool success) {
+    const net::SHA1HashValue ca_fingerprint,
-  DCHECK_CURRENTLY_ON(BrowserThread::UI);
+    const std::string& hostname_arg,
-
+    const std::string& ocsp_response_arg,
-  int result = net::OK;
+    int flags_arg)
-  if (!success)
+    : hostname(hostname_arg),
-    result = net::ERR_FAILED;
+      ocsp_response(ocsp_response_arg),
-
+      flags(flags_arg) {
-  BrowserThread::PostTask(BrowserThread::IO, FROM_HERE,
+  hash_values.reserve(3);
-                          base::Bind(callback, result));
+  net::SHA1HashValue ocsp_hash;
  base::SHA1HashBytes(
      reinterpret_cast<const unsigned char*>(ocsp_response.data()),
      ocsp_response.size(), ocsp_hash.data);
  hash_values.push_back(ocsp_hash);
  hash_values.push_back(cert_fingerprint);
  hash_values.push_back(ca_fingerprint);
 }
-}  // namespace
+bool AtomCertVerifier::RequestParams::operator<(
    const RequestParams& other) const {
  if (flags != other.flags)
    return flags < other.flags;
  if (hostname != other.hostname)
    return hostname < other.hostname;
  return std::lexicographical_compare(
      hash_values.begin(),
      hash_values.end(),
      other.hash_values.begin(),
      other.hash_values.end(),
      net::SHA1HashValueLessThan());
 }
 void AtomCertVerifier::CertVerifyRequest::RunResult(int result) {
  DCHECK_CURRENTLY_ON(BrowserThread::IO);
  for (auto& callback : callbacks_)
    callback.Run(result);
  cert_verifier_->RemoveRequest(this);
  Release();
 }
 void AtomCertVerifier::CertVerifyRequest::DelegateToDefaultVerifier() {
  DCHECK_CURRENTLY_ON(BrowserThread::IO);
  int rv = cert_verifier_->default_cert_verifier()->Verify(
      certificate_.get(),
      key_.hostname,
      key_.ocsp_response,
      key_.flags,
      crl_set_.get(),
      verify_result_,
      base::Bind(&CertVerifyRequest::RunResult,
                 weak_ptr_factory_.GetWeakPtr()),
      &new_out_req_,
      net_log_);
  if (rv != net::ERR_IO_PENDING && !callbacks_.empty()) {
    for (auto& callback : callbacks_)
      callback.Run(rv);
    cert_verifier_->RemoveRequest(this);
    Release();
  }
 }
 void AtomCertVerifier::CertVerifyRequest::ContinueWithResult(int result) {
  DCHECK_CURRENTLY_ON(BrowserThread::UI);
  if (handled_)
    return;
  handled_ = true;
  if (result != net::ERR_IO_PENDING) {
    BrowserThread::PostTask(BrowserThread::IO, FROM_HERE,
                            base::Bind(&CertVerifyRequest::RunResult,
                                       weak_ptr_factory_.GetWeakPtr(),
                                       result));
    return;
  }
  BrowserThread::PostTask(
      BrowserThread::IO, FROM_HERE,
      base::Bind(&CertVerifyRequest::DelegateToDefaultVerifier,
                 weak_ptr_factory_.GetWeakPtr()));
 }
 AtomCertVerifier::AtomCertVerifier() {
  Browser::Get()->AddObserver(this);
  default_cert_verifier_.reset(net::CertVerifier::CreateDefault());
 }
 AtomCertVerifier::~AtomCertVerifier() {
  Browser::Get()->RemoveObserver(this);
 }
 int AtomCertVerifier::Verify(
@ -53,32 +125,57 @@ int AtomCertVerifier::Verify(
  if (callback.is_null() || !verify_result || hostname.empty())
    return net::ERR_INVALID_ARGUMENT;
-  if (!handler_.is_null()) {
+  const RequestParams key(cert->fingerprint(),
                          cert->ca_fingerprint(),
                          hostname,
                          ocsp_response,
                          flags);
  CertVerifyRequest* request = FindRequest(key);
  if (!request) {
    request = new CertVerifyRequest(this,
                                    key,
                                    cert,
                                    crl_set,
                                    verify_result,
                                    out_req,
                                    net_log);
    requests_.insert(make_scoped_refptr(request));
    BrowserThread::PostTask(BrowserThread::UI, FROM_HERE,
-                            base::Bind(handler_, hostname,
+                            base::Bind(&Browser::RequestCertVerification,
-                                       make_scoped_refptr(cert),
+                                       base::Unretained(Browser::Get()),
-                                       base::Bind(&RunResult, callback)));
+                                       make_scoped_refptr(request)));
    return net::ERR_IO_PENDING;
  }
-  return default_cert_verifier_->Verify(cert, hostname, ocsp_response,
+  request->AddCompletionCallback(callback);
-                                        flags, crl_set, verify_result,
+
-                                        callback, out_req, net_log);
+  return net::ERR_IO_PENDING;
 }
 bool AtomCertVerifier::SupportsOCSPStapling() {
-  if (handler_.is_null())
+  return true;
    return default_cert_verifier_->SupportsOCSPStapling();
  return false;
 }
-void AtomCertVerifier::OnSetCertificateVerifier(
+AtomCertVerifier::CertVerifyRequest* AtomCertVerifier::FindRequest(
-    const CertificateVerifier& handler) {
+    const RequestParams& key) {
-  handler_ = handler;
+  DCHECK_CURRENTLY_ON(BrowserThread::IO);
  auto it = std::lower_bound(requests_.begin(),
                             requests_.end(),
                             key,
                             CertVerifyRequestToRequestParamsComparator());
  if (it != requests_.end() && !(key < (*it)->key()))
    return (*it).get();
  return nullptr;
 }
-void AtomCertVerifier::OnRemoveCertificateVerifier() {
+void AtomCertVerifier::RemoveRequest(CertVerifyRequest* request) {
-  handler_.Reset();
+  DCHECK_CURRENTLY_ON(BrowserThread::IO);
  bool erased = requests_.erase(request) == 1;
  DCHECK(erased);
 }
 }  // namespace atom
--- a/atom/browser/atom_cert_verifier.h
+++ b/atom/browser/atom_cert_verifier.h
@ -5,19 +5,108 @@
 #ifndef ATOM_BROWSER_ATOM_CERT_VERIFIER_H_
 #define ATOM_BROWSER_ATOM_CERT_VERIFIER_H_
 #include <set>
 #include <string>
 #include <vector>
-#include "atom/browser/browser_observer.h"
+#include "base/memory/ref_counted.h"
 #include "net/base/hash_value.h"
 #include "net/cert/cert_verifier.h"
 #include "net/cert/crl_set.h"
 #include "net/cert/x509_certificate.h"
 #include "net/log/net_log.h"
 namespace atom {
-class AtomCertVerifier : public net::CertVerifier,
+class AtomCertVerifier : public net::CertVerifier {
                         public BrowserObserver {
 public:
  struct RequestParams {
    RequestParams(
        const net::SHA1HashValue cert_fingerprint,
        const net::SHA1HashValue ca_fingerprint,
        const std::string& hostname_arg,
        const std::string& ocsp_response,
        int flags);
    ~RequestParams() {}
    bool operator<(const RequestParams& other) const;
    std::string hostname;
    std::string ocsp_response;
    int flags;
    std::vector<net::SHA1HashValue> hash_values;
  };
  class CertVerifyRequest
      : public net::CertVerifier::Request,
        public base::RefCountedThreadSafe<CertVerifyRequest> {
   public:
    CertVerifyRequest(
        AtomCertVerifier* cert_verifier,
        const RequestParams& key,
        scoped_refptr<net::X509Certificate> cert,
        scoped_refptr<net::CRLSet> crl_set,
        net::CertVerifyResult* verify_result,
        scoped_ptr<Request>* out_req,
        const net::BoundNetLog& net_log)
        : cert_verifier_(cert_verifier),
          key_(key),
          certificate_(cert),
          crl_set_(crl_set),
          verify_result_(verify_result),
          out_req_(out_req),
          net_log_(net_log),
          handled_(false),
          weak_ptr_factory_(this) {
      out_req_->reset(this);
      new_out_req_.reset(new net::CertVerifier::Request());
    }
    ~CertVerifyRequest() {
      out_req_->reset();
    }
    void RunResult(int result);
    void DelegateToDefaultVerifier();
    void ContinueWithResult(int result);
    void AddCompletionCallback(net::CompletionCallback callback) {
      callbacks_.push_back(callback);
    }
    const RequestParams key() const { return key_; }
    std::string hostname() const { return key_.hostname; }
    scoped_refptr<net::X509Certificate> certificate() const {
      return certificate_;
    }
   private:
    friend class base::RefCountedThreadSafe<CertVerifyRequest>;
    AtomCertVerifier* cert_verifier_;
    const RequestParams key_;
    scoped_refptr<net::X509Certificate> certificate_;
    scoped_refptr<net::CRLSet> crl_set_;
    net::CertVerifyResult* verify_result_;
    scoped_ptr<Request>* out_req_;
    scoped_ptr<Request> new_out_req_;
    const net::BoundNetLog net_log_;
    std::vector<net::CompletionCallback> callbacks_;
    bool handled_;
    base::WeakPtrFactory<CertVerifyRequest> weak_ptr_factory_;
    DISALLOW_COPY_AND_ASSIGN(CertVerifyRequest);
  };
  AtomCertVerifier();
  ~AtomCertVerifier() override;
 protected:
  // net::CertVerifier:
  int Verify(net::X509Certificate* cert,
             const std::string& hostname,
@ -30,14 +119,34 @@ class AtomCertVerifier : public net::CertVerifier,
             const net::BoundNetLog& net_log) override;
  bool SupportsOCSPStapling() override;
- protected:
+  net::CertVerifier* default_cert_verifier() const {
-  void OnSetCertificateVerifier(const CertificateVerifier& handler) override;
+    return default_cert_verifier_.get();
-  void OnRemoveCertificateVerifier() override;
+  }
 private:
-  scoped_ptr<net::CertVerifier> default_cert_verifier_;
+  CertVerifyRequest* FindRequest(const RequestParams& key);
  void RemoveRequest(CertVerifyRequest* request);
-  CertificateVerifier handler_;
+  struct CertVerifyRequestToRequestParamsComparator {
    bool operator()(const scoped_refptr<CertVerifyRequest> request,
                    const RequestParams& key) const {
      return request->key() < key;
    }
  };
  struct CertVerifyRequestComparator {
    bool operator()(const scoped_refptr<CertVerifyRequest> req1,
                    const scoped_refptr<CertVerifyRequest> req2) const {
      return req1->key() < req2->key();
    }
  };
  using ActiveRequestSet =
      std::set<scoped_refptr<CertVerifyRequest>,
               CertVerifyRequestComparator>;
  ActiveRequestSet requests_;
  scoped_ptr<net::CertVerifier> default_cert_verifier_;
  DISALLOW_COPY_AND_ASSIGN(AtomCertVerifier);
 };
--- a/atom/browser/browser.cc
+++ b/atom/browser/browser.cc
@ -7,6 +7,7 @@
 #include <string>
 #include "atom/browser/atom_browser_main_parts.h"
 #include "atom/browser/atom_cert_verifier.h"
 #include "atom/browser/native_window.h"
 #include "atom/browser/window_list.h"
 #include "base/message_loop/message_loop.h"
@ -156,14 +157,11 @@ void Browser::RequestLogin(LoginHandler* login_handler) {
  FOR_EACH_OBSERVER(BrowserObserver, observers_, OnLogin(login_handler));
 }
-void Browser::SetCertificateVerifier(const CertificateVerifier& handler) {
+void Browser::RequestCertVerification(
    const scoped_refptr<AtomCertVerifier::CertVerifyRequest>& request) {
  FOR_EACH_OBSERVER(BrowserObserver,
                    observers_,
-                    OnSetCertificateVerifier(handler));
+                    OnCertVerification(request));
 }
 void Browser::RemoveCertificateVerifier() {
  FOR_EACH_OBSERVER(BrowserObserver, observers_, OnRemoveCertificateVerifier());
 }
 void Browser::NotifyAndShutdown() {
--- a/atom/browser/browser.h
+++ b/atom/browser/browser.h
@ -29,6 +29,7 @@ class MenuModel;
 namespace atom {
 class AtomCertVerifier;
 class LoginHandler;
 // This class is used for control application-wide operations.
@ -135,9 +136,9 @@ class Browser : public WindowListObserver {
  // Request basic auth login.
  void RequestLogin(LoginHandler* login_handler);
-  // Set.remove the ceritificate verifier provided by the user.
+  // Request Server Certificate Verification.
-  void SetCertificateVerifier(const CertificateVerifier& handler);
+  void RequestCertVerification(
-  void RemoveCertificateVerifier();
+      const scoped_refptr<AtomCertVerifier::CertVerifyRequest>& request);
  void AddObserver(BrowserObserver* obs) {
    observers_.AddObserver(obs);
--- a/atom/browser/browser_observer.h
+++ b/atom/browser/browser_observer.h
@ -7,7 +7,7 @@
 #include <string>
-#include "base/callback.h"
+#include "atom/browser/atom_cert_verifier.h"
 #include "base/memory/scoped_ptr.h"
 #include "content/public/browser/client_certificate_delegate.h"
@ -24,12 +24,6 @@ namespace atom {
 class LoginHandler;
 // A callback specialisation used by AtomCertVerifier during verification.
 using CertificateVerifier =
    base::Callback<void(const std::string&,
                        scoped_refptr<net::X509Certificate>,
                        const base::Callback<void(bool)>&)>;
 class BrowserObserver {
 public:
  // The browser is about to close all windows.
@ -70,8 +64,9 @@ class BrowserObserver {
  // The browser requests HTTP login.
  virtual void OnLogin(LoginHandler* login_handler) {}
-  virtual void OnSetCertificateVerifier(const CertificateVerifier& handler) {}
+  // The browser requests Server Certificate Verification.
-  virtual void OnRemoveCertificateVerifier() {}
+  virtual void OnCertVerification(
      const scoped_refptr<AtomCertVerifier::CertVerifyRequest>& request) {}
 protected:
  virtual ~BrowserObserver() {}
--- a/docs/api/session.md
+++ b/docs/api/session.md
@ -34,6 +34,30 @@ session.on('will-download', function(event, item, webContents) {
 });
 ```
 ### Event: 'verify-certificate'
 * `event` Event
 * `hostname` String
 * `certificate` Object
  * `data` Buffer - PEM encoded data
  * `issuerName` String
 * `callback` Function
 Fired whenever a server certificate verification is requested by the
 network layer with `hostname`, `certificate` and `callback`.
 `callback` should be called with a boolean response to
 indicate continuation or cancellation of the request.
 ```js
 session.on('verify-certificate', function(event, hostname, certificate, callback) {
  if (hostname == "github.com") {
    // verification logic
    callback(true);
  }
  callback(false);
 });
 ```
 ## Methods
 The `session` object has the following methods:
@ -220,34 +244,3 @@ window.webContents.session.enableNetworkEmulation({offline: true});
 Disables any network emulation already active for the `session`. Resets to
 the original network configuration.
 ### `session.setCertificateVerifier(handler)`
 * `handler` Function
  * `hostname` String
  * `certificate` Object
    * `data` Buffer - PEM encoded data
    * `issuerName` String
  * `callback` Function
 Sets the certificate verifier for the `session`, will be called
 whenever a server certificate verification is requested by the
 network layer with `hostname`, `certificate` and `callback`.
 `callback` should be called with a boolean response to
 indicate continuation or cancellation of the request.
 ```js
 var handler = function(hostname, certificate, callback) {
  if (hostname == "github.com") {
    // verification logic
    callback(true)
  }
  callback(false)
 }
 window.webContents.session.setCertificateVerifier(handler)
 ```
 ### `session.removeCertificateVerifier()`
 Removes the certificate verifier provided for the `session`.