emit verify-certificate event for handling verification

2015-11-13 01:25:23 +05:30 · 2015-11-13 01:25:23 +05:30 · 37e6e6fab7
commit 37e6e6fab7
parent d072e61282
8 changed files with 313 additions and 93 deletions
--- a/atom/browser/api/atom_api_session.cc
+++ b/atom/browser/api/atom_api_session.cc
@ -239,12 +239,24 @@ void SetProxyInIO(net::URLRequestContextGetter* getter,
  RunCallbackInUI(callback);
 }

+void PassVerificationResult(
+    scoped_refptr<AtomCertVerifier::CertVerifyRequest> request,
+    bool success) {
+  int result = net::OK;
+  if (!success)
+    result = net::ERR_FAILED;
+  request->ContinueWithResult(result);
+}
+
 }  // namespace

 Session::Session(AtomBrowserContext* browser_context)
    : browser_context_(browser_context) {
  AttachAsUserData(browser_context);

+  // Observe Browser to get certificate verification notification.
+  Browser::Get()->AddObserver(this);
+
  // Observe DownloadManger to get download notifications.
  content::BrowserContext::GetDownloadManager(browser_context)->
      AddObserver(this);
@ -253,9 +265,22 @@ Session::Session(AtomBrowserContext* browser_context)
 Session::~Session() {
  content::BrowserContext::GetDownloadManager(browser_context())->
      RemoveObserver(this);
+  Browser::Get()->RemoveObserver(this);
  Destroy();
 }

+void Session::OnCertVerification(
+    const scoped_refptr<AtomCertVerifier::CertVerifyRequest>& request) {
+  bool prevent_default = Emit(
+      "verify-certificate",
+      request->hostname(),
+      request->certificate(),
+      base::Bind(&PassVerificationResult, request));
+
+  if (!prevent_default)
+    request->ContinueWithResult(net::ERR_IO_PENDING);
+}
+
 void Session::OnDownloadCreated(content::DownloadManager* manager,
                                content::DownloadItem* item) {
  auto web_contents = item->GetWebContents();
@ -367,7 +392,6 @@ v8::Local<v8::Value> Session::Cookies(v8::Isolate* isolate) {

 mate::ObjectTemplateBuilder Session::GetObjectTemplateBuilder(
    v8::Isolate* isolate) {
-  auto browser = base::Unretained(Browser::Get());
  return mate::ObjectTemplateBuilder(isolate)
      .SetMethod("resolveProxy", &Session::ResolveProxy)
      .SetMethod("clearCache", &Session::ClearCache)
@ -376,10 +400,6 @@ mate::ObjectTemplateBuilder Session::GetObjectTemplateBuilder(
      .SetMethod("setDownloadPath", &Session::SetDownloadPath)
      .SetMethod("enableNetworkEmulation", &Session::EnableNetworkEmulation)
      .SetMethod("disableNetworkEmulation", &Session::DisableNetworkEmulation)
-      .SetMethod("setCertificateVerifier",
-                 base::Bind(&Browser::SetCertificateVerifier, browser))
-      .SetMethod("removeCertificateVerifier",
-                 base::Bind(&Browser::RemoveCertificateVerifier, browser))
      .SetProperty("cookies", &Session::Cookies);
 }

--- a/atom/browser/api/atom_api_session.h
+++ b/atom/browser/api/atom_api_session.h
@ -8,6 +8,8 @@
 #include <string>

 #include "atom/browser/api/trackable_object.h"
+#include "atom/browser/atom_cert_verifier.h"
+#include "atom/browser/browser_observer.h"
 #include "content/public/browser/download_manager.h"
 #include "native_mate/handle.h"
 #include "net/base/completion_callback.h"
@ -34,6 +36,7 @@ class AtomBrowserContext;
 namespace api {

 class Session: public mate::TrackableObject<Session>,
+               public BrowserObserver,
               public content::DownloadManager::Observer {
 public:
  using ResolveProxyCallback = base::Callback<void(std::string)>;
@ -52,6 +55,10 @@ class Session: public mate::TrackableObject<Session>,
  explicit Session(AtomBrowserContext* browser_context);
  ~Session();

+  // BrowserObserver:
+  void OnCertVerification(
+      const scoped_refptr<AtomCertVerifier::CertVerifyRequest>&) override;
+
  // content::DownloadManager::Observer:
  void OnDownloadCreated(content::DownloadManager* manager,
                         content::DownloadItem* item) override;
--- a/atom/browser/atom_cert_verifier.cc
+++ b/atom/browser/atom_cert_verifier.cc
@ -6,36 +6,108 @@

 #include "atom/browser/browser.h"
 #include "atom/common/native_mate_converters/net_converter.h"
+#include "base/callback_helpers.h"
+#include "base/sha1.h"
+#include "base/stl_util.h"
 #include "content/public/browser/browser_thread.h"
 #include "net/base/net_errors.h"
-#include "net/cert/x509_certificate.h"

 using content::BrowserThread;

 namespace atom {

-namespace {
-
-void RunResult(const net::CompletionCallback& callback, bool success) {
-  DCHECK_CURRENTLY_ON(BrowserThread::UI);
-
-  int result = net::OK;
-  if (!success)
-    result = net::ERR_FAILED;
-
-  BrowserThread::PostTask(BrowserThread::IO, FROM_HERE,
-                          base::Bind(callback, result));
+AtomCertVerifier::RequestParams::RequestParams(
+    const net::SHA1HashValue cert_fingerprint,
+    const net::SHA1HashValue ca_fingerprint,
+    const std::string& hostname_arg,
+    const std::string& ocsp_response_arg,
+    int flags_arg)
+    : hostname(hostname_arg),
+      ocsp_response(ocsp_response_arg),
+      flags(flags_arg) {
+  hash_values.reserve(3);
+  net::SHA1HashValue ocsp_hash;
+  base::SHA1HashBytes(
+      reinterpret_cast<const unsigned char*>(ocsp_response.data()),
+      ocsp_response.size(), ocsp_hash.data);
+  hash_values.push_back(ocsp_hash);
+  hash_values.push_back(cert_fingerprint);
+  hash_values.push_back(ca_fingerprint);
 }

-}  // namespace
+bool AtomCertVerifier::RequestParams::operator<(
+    const RequestParams& other) const {
+  if (flags != other.flags)
+    return flags < other.flags;
+  if (hostname != other.hostname)
+    return hostname < other.hostname;
+  return std::lexicographical_compare(
+      hash_values.begin(),
+      hash_values.end(),
+      other.hash_values.begin(),
+      other.hash_values.end(),
+      net::SHA1HashValueLessThan());
+}
+
+void AtomCertVerifier::CertVerifyRequest::RunResult(int result) {
+  DCHECK_CURRENTLY_ON(BrowserThread::IO);
+
+  for (auto& callback : callbacks_)
+    callback.Run(result);
+  cert_verifier_->RemoveRequest(this);
+  Release();
+}
+
+void AtomCertVerifier::CertVerifyRequest::DelegateToDefaultVerifier() {
+  DCHECK_CURRENTLY_ON(BrowserThread::IO);
+
+  int rv = cert_verifier_->default_cert_verifier()->Verify(
+      certificate_.get(),
+      key_.hostname,
+      key_.ocsp_response,
+      key_.flags,
+      crl_set_.get(),
+      verify_result_,
+      base::Bind(&CertVerifyRequest::RunResult,
+                 weak_ptr_factory_.GetWeakPtr()),
+      &new_out_req_,
+      net_log_);
+
+  if (rv != net::ERR_IO_PENDING && !callbacks_.empty()) {
+    for (auto& callback : callbacks_)
+      callback.Run(rv);
+    cert_verifier_->RemoveRequest(this);
+    Release();
+  }
+}
+
+void AtomCertVerifier::CertVerifyRequest::ContinueWithResult(int result) {
+  DCHECK_CURRENTLY_ON(BrowserThread::UI);
+
+  if (handled_)
+    return;
+
+  handled_ = true;
+
+  if (result != net::ERR_IO_PENDING) {
+    BrowserThread::PostTask(BrowserThread::IO, FROM_HERE,
+                            base::Bind(&CertVerifyRequest::RunResult,
+                                       weak_ptr_factory_.GetWeakPtr(),
+                                       result));
+    return;
+  }
+
+  BrowserThread::PostTask(
+      BrowserThread::IO, FROM_HERE,
+      base::Bind(&CertVerifyRequest::DelegateToDefaultVerifier,
+                 weak_ptr_factory_.GetWeakPtr()));
+}

 AtomCertVerifier::AtomCertVerifier() {
-  Browser::Get()->AddObserver(this);
  default_cert_verifier_.reset(net::CertVerifier::CreateDefault());
 }

 AtomCertVerifier::~AtomCertVerifier() {
-  Browser::Get()->RemoveObserver(this);
 }

 int AtomCertVerifier::Verify(
@ -53,32 +125,57 @@ int AtomCertVerifier::Verify(
  if (callback.is_null() || !verify_result || hostname.empty())
    return net::ERR_INVALID_ARGUMENT;

-  if (!handler_.is_null()) {
+  const RequestParams key(cert->fingerprint(),
+                          cert->ca_fingerprint(),
+                          hostname,
+                          ocsp_response,
+                          flags);
+
+  CertVerifyRequest* request = FindRequest(key);
+
+  if (!request) {
+    request = new CertVerifyRequest(this,
+                                    key,
+                                    cert,
+                                    crl_set,
+                                    verify_result,
+                                    out_req,
+                                    net_log);
+    requests_.insert(make_scoped_refptr(request));
+
    BrowserThread::PostTask(BrowserThread::UI, FROM_HERE,
-                            base::Bind(handler_, hostname,
-                                       make_scoped_refptr(cert),
-                                       base::Bind(&RunResult, callback)));
-    return net::ERR_IO_PENDING;
+                            base::Bind(&Browser::RequestCertVerification,
+                                       base::Unretained(Browser::Get()),
+                                       make_scoped_refptr(request)));
  }

-  return default_cert_verifier_->Verify(cert, hostname, ocsp_response,
-                                        flags, crl_set, verify_result,
-                                        callback, out_req, net_log);
+  request->AddCompletionCallback(callback);
+
+  return net::ERR_IO_PENDING;
 }

 bool AtomCertVerifier::SupportsOCSPStapling() {
-  if (handler_.is_null())
-    return default_cert_verifier_->SupportsOCSPStapling();
-  return false;
+  return true;
 }

-void AtomCertVerifier::OnSetCertificateVerifier(
-    const CertificateVerifier& handler) {
-  handler_ = handler;
+AtomCertVerifier::CertVerifyRequest* AtomCertVerifier::FindRequest(
+    const RequestParams& key) {
+  DCHECK_CURRENTLY_ON(BrowserThread::IO);
+
+  auto it = std::lower_bound(requests_.begin(),
+                             requests_.end(),
+                             key,
+                             CertVerifyRequestToRequestParamsComparator());
+  if (it != requests_.end() && !(key < (*it)->key()))
+    return (*it).get();
+  return nullptr;
 }

-void AtomCertVerifier::OnRemoveCertificateVerifier() {
-  handler_.Reset();
+void AtomCertVerifier::RemoveRequest(CertVerifyRequest* request) {
+  DCHECK_CURRENTLY_ON(BrowserThread::IO);
+
+  bool erased = requests_.erase(request) == 1;
+  DCHECK(erased);
 }

 }  // namespace atom
--- a/atom/browser/atom_cert_verifier.h
+++ b/atom/browser/atom_cert_verifier.h
@ -5,19 +5,108 @@
 #ifndef ATOM_BROWSER_ATOM_CERT_VERIFIER_H_
 #define ATOM_BROWSER_ATOM_CERT_VERIFIER_H_

+#include <set>
 #include <string>
+#include <vector>

-#include "atom/browser/browser_observer.h"
+#include "base/memory/ref_counted.h"
+#include "net/base/hash_value.h"
 #include "net/cert/cert_verifier.h"
+#include "net/cert/crl_set.h"
+#include "net/cert/x509_certificate.h"
+#include "net/log/net_log.h"

 namespace atom {

-class AtomCertVerifier : public net::CertVerifier,
-                         public BrowserObserver {
+class AtomCertVerifier : public net::CertVerifier {
 public:
+  struct RequestParams {
+    RequestParams(
+        const net::SHA1HashValue cert_fingerprint,
+        const net::SHA1HashValue ca_fingerprint,
+        const std::string& hostname_arg,
+        const std::string& ocsp_response,
+        int flags);
+    ~RequestParams() {}
+
+    bool operator<(const RequestParams& other) const;
+
+    std::string hostname;
+    std::string ocsp_response;
+    int flags;
+    std::vector<net::SHA1HashValue> hash_values;
+  };
+
+  class CertVerifyRequest
+      : public net::CertVerifier::Request,
+        public base::RefCountedThreadSafe<CertVerifyRequest> {
+   public:
+    CertVerifyRequest(
+        AtomCertVerifier* cert_verifier,
+        const RequestParams& key,
+        scoped_refptr<net::X509Certificate> cert,
+        scoped_refptr<net::CRLSet> crl_set,
+        net::CertVerifyResult* verify_result,
+        scoped_ptr<Request>* out_req,
+        const net::BoundNetLog& net_log)
+        : cert_verifier_(cert_verifier),
+          key_(key),
+          certificate_(cert),
+          crl_set_(crl_set),
+          verify_result_(verify_result),
+          out_req_(out_req),
+          net_log_(net_log),
+          handled_(false),
+          weak_ptr_factory_(this) {
+      out_req_->reset(this);
+      new_out_req_.reset(new net::CertVerifier::Request());
+    }
+
+    ~CertVerifyRequest() {
+      out_req_->reset();
+    }
+
+    void RunResult(int result);
+    void DelegateToDefaultVerifier();
+    void ContinueWithResult(int result);
+
+    void AddCompletionCallback(net::CompletionCallback callback) {
+      callbacks_.push_back(callback);
+    }
+
+    const RequestParams key() const { return key_; }
+
+    std::string hostname() const { return key_.hostname; }
+
+    scoped_refptr<net::X509Certificate> certificate() const {
+      return certificate_;
+    }
+
+   private:
+    friend class base::RefCountedThreadSafe<CertVerifyRequest>;
+
+    AtomCertVerifier* cert_verifier_;
+    const RequestParams key_;
+
+    scoped_refptr<net::X509Certificate> certificate_;
+    scoped_refptr<net::CRLSet> crl_set_;
+    net::CertVerifyResult* verify_result_;
+    scoped_ptr<Request>* out_req_;
+    scoped_ptr<Request> new_out_req_;
+    const net::BoundNetLog net_log_;
+
+    std::vector<net::CompletionCallback> callbacks_;
+    bool handled_;
+
+    base::WeakPtrFactory<CertVerifyRequest> weak_ptr_factory_;
+
+    DISALLOW_COPY_AND_ASSIGN(CertVerifyRequest);
+  };
+
  AtomCertVerifier();
  ~AtomCertVerifier() override;

+ protected:
  // net::CertVerifier:
  int Verify(net::X509Certificate* cert,
             const std::string& hostname,
@ -30,14 +119,34 @@ class AtomCertVerifier : public net::CertVerifier,
             const net::BoundNetLog& net_log) override;
  bool SupportsOCSPStapling() override;

- protected:
-  void OnSetCertificateVerifier(const CertificateVerifier& handler) override;
-  void OnRemoveCertificateVerifier() override;
+  net::CertVerifier* default_cert_verifier() const {
+    return default_cert_verifier_.get();
+  }

 private:
-  scoped_ptr<net::CertVerifier> default_cert_verifier_;
+  CertVerifyRequest* FindRequest(const RequestParams& key);
+  void RemoveRequest(CertVerifyRequest* request);

-  CertificateVerifier handler_;
+  struct CertVerifyRequestToRequestParamsComparator {
+    bool operator()(const scoped_refptr<CertVerifyRequest> request,
+                    const RequestParams& key) const {
+      return request->key() < key;
+    }
+  };
+
+  struct CertVerifyRequestComparator {
+    bool operator()(const scoped_refptr<CertVerifyRequest> req1,
+                    const scoped_refptr<CertVerifyRequest> req2) const {
+      return req1->key() < req2->key();
+    }
+  };
+
+  using ActiveRequestSet =
+      std::set<scoped_refptr<CertVerifyRequest>,
+               CertVerifyRequestComparator>;
+  ActiveRequestSet requests_;
+
+  scoped_ptr<net::CertVerifier> default_cert_verifier_;

  DISALLOW_COPY_AND_ASSIGN(AtomCertVerifier);
 };
--- a/atom/browser/browser.cc
+++ b/atom/browser/browser.cc
@ -7,6 +7,7 @@
 #include <string>

 #include "atom/browser/atom_browser_main_parts.h"
+#include "atom/browser/atom_cert_verifier.h"
 #include "atom/browser/native_window.h"
 #include "atom/browser/window_list.h"
 #include "base/message_loop/message_loop.h"
@ -156,14 +157,11 @@ void Browser::RequestLogin(LoginHandler* login_handler) {
  FOR_EACH_OBSERVER(BrowserObserver, observers_, OnLogin(login_handler));
 }

-void Browser::SetCertificateVerifier(const CertificateVerifier& handler) {
+void Browser::RequestCertVerification(
+    const scoped_refptr<AtomCertVerifier::CertVerifyRequest>& request) {
  FOR_EACH_OBSERVER(BrowserObserver,
                    observers_,
-                    OnSetCertificateVerifier(handler));
-}
-
-void Browser::RemoveCertificateVerifier() {
-  FOR_EACH_OBSERVER(BrowserObserver, observers_, OnRemoveCertificateVerifier());
+                    OnCertVerification(request));
 }

 void Browser::NotifyAndShutdown() {
--- a/atom/browser/browser.h
+++ b/atom/browser/browser.h
@ -29,6 +29,7 @@ class MenuModel;

 namespace atom {

+class AtomCertVerifier;
 class LoginHandler;

 // This class is used for control application-wide operations.
@ -135,9 +136,9 @@ class Browser : public WindowListObserver {
  // Request basic auth login.
  void RequestLogin(LoginHandler* login_handler);

-  // Set.remove the ceritificate verifier provided by the user.
-  void SetCertificateVerifier(const CertificateVerifier& handler);
-  void RemoveCertificateVerifier();
+  // Request Server Certificate Verification.
+  void RequestCertVerification(
+      const scoped_refptr<AtomCertVerifier::CertVerifyRequest>& request);

  void AddObserver(BrowserObserver* obs) {
    observers_.AddObserver(obs);
--- a/atom/browser/browser_observer.h
+++ b/atom/browser/browser_observer.h
@ -7,7 +7,7 @@

 #include <string>

-#include "base/callback.h"
+#include "atom/browser/atom_cert_verifier.h"
 #include "base/memory/scoped_ptr.h"
 #include "content/public/browser/client_certificate_delegate.h"

@ -24,12 +24,6 @@ namespace atom {

 class LoginHandler;

-// A callback specialisation used by AtomCertVerifier during verification.
-using CertificateVerifier =
-    base::Callback<void(const std::string&,
-                        scoped_refptr<net::X509Certificate>,
-                        const base::Callback<void(bool)>&)>;
-
 class BrowserObserver {
 public:
  // The browser is about to close all windows.
@ -70,8 +64,9 @@ class BrowserObserver {
  // The browser requests HTTP login.
  virtual void OnLogin(LoginHandler* login_handler) {}

-  virtual void OnSetCertificateVerifier(const CertificateVerifier& handler) {}
-  virtual void OnRemoveCertificateVerifier() {}
+  // The browser requests Server Certificate Verification.
+  virtual void OnCertVerification(
+      const scoped_refptr<AtomCertVerifier::CertVerifyRequest>& request) {}

 protected:
  virtual ~BrowserObserver() {}
--- a/docs/api/session.md
+++ b/docs/api/session.md
@ -34,6 +34,30 @@ session.on('will-download', function(event, item, webContents) {
 });
 ```

+### Event: 'verify-certificate'
+
+* `event` Event
+* `hostname` String
+* `certificate` Object
+  * `data` Buffer - PEM encoded data
+  * `issuerName` String
+* `callback` Function
+
+Fired whenever a server certificate verification is requested by the
+network layer with `hostname`, `certificate` and `callback`.
+`callback` should be called with a boolean response to
+indicate continuation or cancellation of the request.
+
+```js
+session.on('verify-certificate', function(event, hostname, certificate, callback) {
+  if (hostname == "github.com") {
+    // verification logic
+    callback(true);
+  }
+  callback(false);
+});
+```
+
 ## Methods

 The `session` object has the following methods:
@ -220,34 +244,3 @@ window.webContents.session.enableNetworkEmulation({offline: true});

 Disables any network emulation already active for the `session`. Resets to
 the original network configuration.
-
-### `session.setCertificateVerifier(handler)`
-
-* `handler` Function
-  * `hostname` String
-  * `certificate` Object
-    * `data` Buffer - PEM encoded data
-    * `issuerName` String
-  * `callback` Function
-
-Sets the certificate verifier for the `session`, will be called
-whenever a server certificate verification is requested by the
-network layer with `hostname`, `certificate` and `callback`.
-`callback` should be called with a boolean response to
-indicate continuation or cancellation of the request.
-
-```js
-var handler = function(hostname, certificate, callback) {
-  if (hostname == "github.com") {
-    // verification logic
-    callback(true)
-  }
-  callback(false)
-}
-
-window.webContents.session.setCertificateVerifier(handler)
-```
-
-### `session.removeCertificateVerifier()`
-
-Removes the certificate verifier provided for the `session`.