diff --git a/atom/browser/api/atom_api_session.cc b/atom/browser/api/atom_api_session.cc index 07b9b68a94d..6527f67ab3f 100644 --- a/atom/browser/api/atom_api_session.cc +++ b/atom/browser/api/atom_api_session.cc @@ -241,10 +241,7 @@ void SetProxyInIO(net::URLRequestContextGetter* getter, void PassVerificationResult( scoped_refptr request, bool success) { - int result = net::OK; - if (!success) - result = net::ERR_FAILED; - request->ContinueWithResult(result); + request->ContinueWithResult(success ? net::OK : net::ERR_FAILED); } } // namespace @@ -268,12 +265,13 @@ Session::~Session() { void Session::RequestCertVerification( const scoped_refptr& request) { bool prevent_default = Emit( - "verify-certificate", - request->hostname(), - request->certificate(), + "untrusted-certificate", + request->args().hostname, + request->args().cert, base::Bind(&PassVerificationResult, request)); if (!prevent_default) + // Tell the request to use the result of default verifier. request->ContinueWithResult(net::ERR_IO_PENDING); } @@ -297,6 +295,7 @@ bool Session::IsDestroyed() const { } void Session::Destroy() { + browser_context_->cert_verifier()->SetDelegate(nullptr); browser_context_ = nullptr; } diff --git a/atom/browser/api/atom_api_session.h b/atom/browser/api/atom_api_session.h index 05d67b8842e..db72558db47 100644 --- a/atom/browser/api/atom_api_session.h +++ b/atom/browser/api/atom_api_session.h @@ -8,7 +8,7 @@ #include #include "atom/browser/api/trackable_object.h" -#include "atom/browser/atom_cert_verifier.h" +#include "atom/browser/net/atom_cert_verifier.h" #include "content/public/browser/download_manager.h" #include "native_mate/handle.h" #include "net/base/completion_callback.h" diff --git a/atom/browser/atom_browser_context.cc b/atom/browser/atom_browser_context.cc index b1092757ae4..08c79996272 100644 --- a/atom/browser/atom_browser_context.cc +++ b/atom/browser/atom_browser_context.cc @@ -5,10 +5,10 @@ #include "atom/browser/atom_browser_context.h" #include "atom/browser/atom_browser_main_parts.h" -#include "atom/browser/atom_cert_verifier.h" #include "atom/browser/atom_download_manager_delegate.h" -#include "atom/browser/atom_ssl_config_service.h" #include "atom/browser/browser.h" +#include "atom/browser/net/atom_cert_verifier.h" +#include "atom/browser/net/atom_ssl_config_service.h" #include "atom/browser/net/atom_url_request_job_factory.h" #include "atom/browser/net/asar/asar_protocol_handler.h" #include "atom/browser/net/http_protocol_handler.h" diff --git a/atom/browser/atom_cert_verifier.cc b/atom/browser/atom_cert_verifier.cc deleted file mode 100644 index e56e611faa8..00000000000 --- a/atom/browser/atom_cert_verifier.cc +++ /dev/null @@ -1,176 +0,0 @@ -// Copyright (c) 2015 GitHub, Inc. -// Use of this source code is governed by the MIT license that can be -// found in the LICENSE file. - -#include "atom/browser/atom_cert_verifier.h" - -#include "atom/browser/browser.h" -#include "atom/common/native_mate_converters/net_converter.h" -#include "base/sha1.h" -#include "base/stl_util.h" -#include "content/public/browser/browser_thread.h" -#include "net/base/net_errors.h" - -using content::BrowserThread; - -namespace atom { - -AtomCertVerifier::RequestParams::RequestParams( - const net::SHA1HashValue cert_fingerprint, - const net::SHA1HashValue ca_fingerprint, - const std::string& hostname_arg, - const std::string& ocsp_response_arg, - int flags_arg) - : hostname(hostname_arg), - ocsp_response(ocsp_response_arg), - flags(flags_arg) { - hash_values.reserve(3); - net::SHA1HashValue ocsp_hash; - base::SHA1HashBytes( - reinterpret_cast(ocsp_response.data()), - ocsp_response.size(), ocsp_hash.data); - hash_values.push_back(ocsp_hash); - hash_values.push_back(cert_fingerprint); - hash_values.push_back(ca_fingerprint); -} - -bool AtomCertVerifier::RequestParams::operator<( - const RequestParams& other) const { - if (flags != other.flags) - return flags < other.flags; - if (hostname != other.hostname) - return hostname < other.hostname; - return std::lexicographical_compare( - hash_values.begin(), - hash_values.end(), - other.hash_values.begin(), - other.hash_values.end(), - net::SHA1HashValueLessThan()); -} - -void AtomCertVerifier::CertVerifyRequest::RunResult(int result) { - DCHECK_CURRENTLY_ON(BrowserThread::IO); - - for (auto& callback : callbacks_) - callback.Run(result); - cert_verifier_->RemoveRequest(this); -} - -void AtomCertVerifier::CertVerifyRequest::DelegateToDefaultVerifier() { - DCHECK_CURRENTLY_ON(BrowserThread::IO); - - int rv = cert_verifier_->default_cert_verifier()->Verify( - certificate_.get(), - key_.hostname, - key_.ocsp_response, - key_.flags, - crl_set_.get(), - verify_result_, - base::Bind(&CertVerifyRequest::RunResult, - weak_ptr_factory_.GetWeakPtr()), - out_req_, - net_log_); - - if (rv != net::ERR_IO_PENDING) - RunResult(rv); -} - -void AtomCertVerifier::CertVerifyRequest::ContinueWithResult(int result) { - DCHECK_CURRENTLY_ON(BrowserThread::UI); - - if (handled_) - return; - - handled_ = true; - - if (result != net::ERR_IO_PENDING) { - BrowserThread::PostTask(BrowserThread::IO, FROM_HERE, - base::Bind(&CertVerifyRequest::RunResult, - weak_ptr_factory_.GetWeakPtr(), - result)); - return; - } - - BrowserThread::PostTask( - BrowserThread::IO, FROM_HERE, - base::Bind(&CertVerifyRequest::DelegateToDefaultVerifier, - weak_ptr_factory_.GetWeakPtr())); -} - -AtomCertVerifier::AtomCertVerifier() - : delegate_(nullptr) { - default_cert_verifier_.reset(net::CertVerifier::CreateDefault()); -} - -AtomCertVerifier::~AtomCertVerifier() { -} - -int AtomCertVerifier::Verify( - net::X509Certificate* cert, - const std::string& hostname, - const std::string& ocsp_response, - int flags, - net::CRLSet* crl_set, - net::CertVerifyResult* verify_result, - const net::CompletionCallback& callback, - scoped_ptr* out_req, - const net::BoundNetLog& net_log) { - DCHECK_CURRENTLY_ON(BrowserThread::IO); - - if (callback.is_null() || !verify_result || hostname.empty() || !delegate_) - return net::ERR_INVALID_ARGUMENT; - - const RequestParams key(cert->fingerprint(), - cert->ca_fingerprint(), - hostname, - ocsp_response, - flags); - - CertVerifyRequest* request = FindRequest(key); - - if (!request) { - request = new CertVerifyRequest(this, - key, - cert, - crl_set, - verify_result, - out_req, - net_log); - requests_.insert(make_scoped_refptr(request)); - - BrowserThread::PostTask(BrowserThread::UI, FROM_HERE, - base::Bind(&Delegate::RequestCertVerification, - base::Unretained(delegate_), - make_scoped_refptr(request))); - } - - request->AddCompletionCallback(callback); - - return net::ERR_IO_PENDING; -} - -bool AtomCertVerifier::SupportsOCSPStapling() { - return true; -} - -AtomCertVerifier::CertVerifyRequest* AtomCertVerifier::FindRequest( - const RequestParams& key) { - DCHECK_CURRENTLY_ON(BrowserThread::IO); - - auto it = std::lower_bound(requests_.begin(), - requests_.end(), - key, - CertVerifyRequestToRequestParamsComparator()); - if (it != requests_.end() && !(key < (*it)->key())) - return (*it).get(); - return nullptr; -} - -void AtomCertVerifier::RemoveRequest(CertVerifyRequest* request) { - DCHECK_CURRENTLY_ON(BrowserThread::IO); - - bool erased = requests_.erase(request) == 1; - DCHECK(erased); -} - -} // namespace atom diff --git a/atom/browser/atom_cert_verifier.h b/atom/browser/atom_cert_verifier.h deleted file mode 100644 index e5560ff82fe..00000000000 --- a/atom/browser/atom_cert_verifier.h +++ /dev/null @@ -1,165 +0,0 @@ -// Copyright (c) 2015 GitHub, Inc. -// Use of this source code is governed by the MIT license that can be -// found in the LICENSE file. - -#ifndef ATOM_BROWSER_ATOM_CERT_VERIFIER_H_ -#define ATOM_BROWSER_ATOM_CERT_VERIFIER_H_ - -#include -#include -#include - -#include "base/memory/ref_counted.h" -#include "net/base/hash_value.h" -#include "net/cert/cert_verifier.h" -#include "net/cert/crl_set.h" -#include "net/cert/x509_certificate.h" -#include "net/log/net_log.h" - -namespace atom { - -class AtomCertVerifier : public net::CertVerifier { - public: - struct RequestParams { - RequestParams( - const net::SHA1HashValue cert_fingerprint, - const net::SHA1HashValue ca_fingerprint, - const std::string& hostname_arg, - const std::string& ocsp_response, - int flags); - ~RequestParams() {} - - bool operator<(const RequestParams& other) const; - - std::string hostname; - std::string ocsp_response; - int flags; - std::vector hash_values; - }; - - class CertVerifyRequest - : public base::RefCountedThreadSafe { - public: - CertVerifyRequest( - AtomCertVerifier* cert_verifier, - const RequestParams& key, - scoped_refptr cert, - scoped_refptr crl_set, - net::CertVerifyResult* verify_result, - scoped_ptr* out_req, - const net::BoundNetLog& net_log) - : cert_verifier_(cert_verifier), - key_(key), - certificate_(cert), - crl_set_(crl_set), - verify_result_(verify_result), - out_req_(out_req), - net_log_(net_log), - handled_(false), - weak_ptr_factory_(this) { - } - - void RunResult(int result); - void DelegateToDefaultVerifier(); - void ContinueWithResult(int result); - - void AddCompletionCallback(net::CompletionCallback callback) { - callbacks_.push_back(callback); - } - - const RequestParams key() const { return key_; } - - std::string hostname() const { return key_.hostname; } - - scoped_refptr certificate() const { - return certificate_; - } - - private: - friend class base::RefCountedThreadSafe; - ~CertVerifyRequest() {} - - AtomCertVerifier* cert_verifier_; - const RequestParams key_; - - scoped_refptr certificate_; - scoped_refptr crl_set_; - net::CertVerifyResult* verify_result_; - scoped_ptr* out_req_; - const net::BoundNetLog net_log_; - - std::vector callbacks_; - bool handled_; - - base::WeakPtrFactory weak_ptr_factory_; - - DISALLOW_COPY_AND_ASSIGN(CertVerifyRequest); - }; - - class Delegate { - public: - Delegate() {} - virtual ~Delegate() {} - - // Called on UI thread. - virtual void RequestCertVerification( - const scoped_refptr& request) {} - }; - - AtomCertVerifier(); - virtual ~AtomCertVerifier(); - - void SetDelegate(Delegate* delegate) { - delegate_ = delegate; - } - - protected: - // net::CertVerifier: - int Verify(net::X509Certificate* cert, - const std::string& hostname, - const std::string& ocsp_response, - int flags, - net::CRLSet* crl_set, - net::CertVerifyResult* verify_result, - const net::CompletionCallback& callback, - scoped_ptr* out_req, - const net::BoundNetLog& net_log) override; - bool SupportsOCSPStapling() override; - - net::CertVerifier* default_cert_verifier() const { - return default_cert_verifier_.get(); - } - - private: - CertVerifyRequest* FindRequest(const RequestParams& key); - void RemoveRequest(CertVerifyRequest* request); - - struct CertVerifyRequestToRequestParamsComparator { - bool operator()(const scoped_refptr request, - const RequestParams& key) const { - return request->key() < key; - } - }; - - struct CertVerifyRequestComparator { - bool operator()(const scoped_refptr req1, - const scoped_refptr req2) const { - return req1->key() < req2->key(); - } - }; - - using ActiveRequestSet = - std::set, - CertVerifyRequestComparator>; - ActiveRequestSet requests_; - - Delegate* delegate_; - - scoped_ptr default_cert_verifier_; - - DISALLOW_COPY_AND_ASSIGN(AtomCertVerifier); -}; - -} // namespace atom - -#endif // ATOM_BROWSER_ATOM_CERT_VERIFIER_H_ diff --git a/atom/browser/net/atom_cert_verifier.cc b/atom/browser/net/atom_cert_verifier.cc new file mode 100644 index 00000000000..0f94e4fe2ad --- /dev/null +++ b/atom/browser/net/atom_cert_verifier.cc @@ -0,0 +1,95 @@ +// Copyright (c) 2015 GitHub, Inc. +// Use of this source code is governed by the MIT license that can be +// found in the LICENSE file. + +#include "atom/browser/net/atom_cert_verifier.h" + +#include "atom/browser/browser.h" +#include "atom/common/native_mate_converters/net_converter.h" +#include "content/public/browser/browser_thread.h" +#include "net/base/net_errors.h" +#include "net/cert/crl_set.h" +#include "net/cert/x509_certificate.h" + +using content::BrowserThread; + +namespace atom { + +AtomCertVerifier::CertVerifyRequest::~CertVerifyRequest() { +} + +void AtomCertVerifier::CertVerifyRequest::ContinueWithResult(int result) { + DCHECK_CURRENTLY_ON(BrowserThread::UI); + + if (handled_) + return; + + handled_ = true; + BrowserThread::PostTask( + BrowserThread::IO, FROM_HERE, + base::Bind(args_.callback, + result == net::ERR_IO_PENDING ? result_ : result)); +} + +AtomCertVerifier::AtomCertVerifier() + : delegate_(nullptr) { + default_cert_verifier_.reset(net::CertVerifier::CreateDefault()); +} + +AtomCertVerifier::~AtomCertVerifier() { +} + +int AtomCertVerifier::Verify( + net::X509Certificate* cert, + const std::string& hostname, + const std::string& ocsp_response, + int flags, + net::CRLSet* crl_set, + net::CertVerifyResult* verify_result, + const net::CompletionCallback& callback, + scoped_ptr* out_req, + const net::BoundNetLog& net_log) { + DCHECK_CURRENTLY_ON(BrowserThread::IO); + + if (callback.is_null() || !verify_result || hostname.empty() || !delegate_) + return net::ERR_INVALID_ARGUMENT; + + VerifyArgs args = { cert, hostname, callback }; + int result = default_cert_verifier_->Verify( + cert, hostname, ocsp_response, flags, crl_set, verify_result, + base::Bind(&AtomCertVerifier::OnDefaultVerificationResult, + base::Unretained(this), args), + out_req, net_log); + if (result != net::OK && result != net::ERR_IO_PENDING) { + // The default verifier fails immediately. + VerifyCertificateFromDelegate(args, result); + return net::ERR_IO_PENDING; + } + + return result; +} + +bool AtomCertVerifier::SupportsOCSPStapling() { + return true; +} + +void AtomCertVerifier::VerifyCertificateFromDelegate( + const VerifyArgs& args, int result) { + CertVerifyRequest* request = new CertVerifyRequest(this, result, args); + BrowserThread::PostTask(BrowserThread::UI, FROM_HERE, + base::Bind(&Delegate::RequestCertVerification, + base::Unretained(delegate_), + make_scoped_refptr(request))); +} + +void AtomCertVerifier::OnDefaultVerificationResult( + const VerifyArgs& args, int result) { + if (result == net::OK) { + args.callback.Run(result); + return; + } + + VerifyCertificateFromDelegate(args, result); +} + +} // namespace atom diff --git a/atom/browser/net/atom_cert_verifier.h b/atom/browser/net/atom_cert_verifier.h new file mode 100644 index 00000000000..8736db0f872 --- /dev/null +++ b/atom/browser/net/atom_cert_verifier.h @@ -0,0 +1,94 @@ +// Copyright (c) 2015 GitHub, Inc. +// Use of this source code is governed by the MIT license that can be +// found in the LICENSE file. + +#ifndef ATOM_BROWSER_NET_ATOM_CERT_VERIFIER_H_ +#define ATOM_BROWSER_NET_ATOM_CERT_VERIFIER_H_ + +#include + +#include "base/memory/ref_counted.h" +#include "net/cert/cert_verifier.h" + +namespace atom { + +class AtomCertVerifier : public net::CertVerifier { + public: + struct VerifyArgs { + scoped_refptr cert; + const std::string& hostname; + net::CompletionCallback callback; + }; + + class CertVerifyRequest + : public base::RefCountedThreadSafe { + public: + CertVerifyRequest(AtomCertVerifier* cert_verifier, + int result, + const VerifyArgs& args) + : cert_verifier_(cert_verifier), + result_(result), + args_(args), + handled_(false) { + } + + void ContinueWithResult(int result); + + const VerifyArgs& args() const { return args_; } + + private: + friend class base::RefCountedThreadSafe; + ~CertVerifyRequest(); + + AtomCertVerifier* cert_verifier_; + int result_; + VerifyArgs args_; + bool handled_; + + DISALLOW_COPY_AND_ASSIGN(CertVerifyRequest); + }; + + class Delegate { + public: + virtual ~Delegate() {} + + // Called on UI thread. + virtual void RequestCertVerification( + const scoped_refptr& request) {} + }; + + AtomCertVerifier(); + virtual ~AtomCertVerifier(); + + void SetDelegate(Delegate* delegate) { + delegate_ = delegate; + } + + protected: + // net::CertVerifier: + int Verify(net::X509Certificate* cert, + const std::string& hostname, + const std::string& ocsp_response, + int flags, + net::CRLSet* crl_set, + net::CertVerifyResult* verify_result, + const net::CompletionCallback& callback, + scoped_ptr* out_req, + const net::BoundNetLog& net_log) override; + bool SupportsOCSPStapling() override; + + private: + friend class CertVerifyRequest; + + void VerifyCertificateFromDelegate(const VerifyArgs& args, int result); + void OnDefaultVerificationResult(const VerifyArgs& args, int result); + + Delegate* delegate_; + scoped_ptr default_cert_verifier_; + + DISALLOW_COPY_AND_ASSIGN(AtomCertVerifier); +}; + +} // namespace atom + +#endif // ATOM_BROWSER_NET_ATOM_CERT_VERIFIER_H_ diff --git a/atom/browser/atom_ssl_config_service.cc b/atom/browser/net/atom_ssl_config_service.cc similarity index 97% rename from atom/browser/atom_ssl_config_service.cc rename to atom/browser/net/atom_ssl_config_service.cc index 0a47067b0a6..2b3143e93cb 100644 --- a/atom/browser/atom_ssl_config_service.cc +++ b/atom/browser/net/atom_ssl_config_service.cc @@ -2,7 +2,7 @@ // Use of this source code is governed by the MIT license that can be // found in the LICENSE file. -#include "atom/browser/atom_ssl_config_service.h" +#include "atom/browser/net/atom_ssl_config_service.h" #include #include diff --git a/atom/browser/atom_ssl_config_service.h b/atom/browser/net/atom_ssl_config_service.h similarity index 76% rename from atom/browser/atom_ssl_config_service.h rename to atom/browser/net/atom_ssl_config_service.h index 3fa91c62c43..2e3ac4f6c59 100644 --- a/atom/browser/atom_ssl_config_service.h +++ b/atom/browser/net/atom_ssl_config_service.h @@ -2,8 +2,8 @@ // Use of this source code is governed by the MIT license that can be // found in the LICENSE file. -#ifndef ATOM_BROWSER_ATOM_SSL_CONFIG_SERVICE_H_ -#define ATOM_BROWSER_ATOM_SSL_CONFIG_SERVICE_H_ +#ifndef ATOM_BROWSER_NET_ATOM_SSL_CONFIG_SERVICE_H_ +#define ATOM_BROWSER_NET_ATOM_SSL_CONFIG_SERVICE_H_ #include "net/ssl/ssl_config_service.h" @@ -25,4 +25,4 @@ class AtomSSLConfigService : public net::SSLConfigService { } // namespace atom -#endif // ATOM_BROWSER_ATOM_SSL_CONFIG_SERVICE_H_ +#endif // ATOM_BROWSER_NET_ATOM_SSL_CONFIG_SERVICE_H_ diff --git a/docs/api/session.md b/docs/api/session.md index 210d5875351..e385e222d52 100644 --- a/docs/api/session.md +++ b/docs/api/session.md @@ -21,7 +21,7 @@ var session = win.webContents.session * `item` [DownloadItem](download-item.md) * `webContents` [WebContents](web-contents.md) -Fired when Electron is about to download `item` in `webContents`. +Emitted when Electron is about to download `item` in `webContents`. Calling `event.preventDefault()` will cancel the download. @@ -34,7 +34,7 @@ session.on('will-download', function(event, item, webContents) { }); ``` -### Event: 'verify-certificate' +### Event: 'untrusted-certificate' * `event` Event * `hostname` String @@ -43,18 +43,19 @@ session.on('will-download', function(event, item, webContents) { * `issuerName` String * `callback` Function -Fired whenever a server certificate verification is requested by the -network layer with `hostname`, `certificate` and `callback`. -`callback` should be called with a boolean response to -indicate continuation or cancellation of the request. +Emitted when failed to verify the `certificate` for `hostname`, to trust the +certificate you should prevent the default behavior with +`event.preventDefault()` and call `callback(true)`. ```js session.on('verify-certificate', function(event, hostname, certificate, callback) { if (hostname == "github.com") { - // verification logic + // Verification logic. + event.preventDefault(); callback(true); + } else { + callback(false); } - callback(false); }); ``` diff --git a/filenames.gypi b/filenames.gypi index fd8856abd4d..7e1f3e1827e 100644 --- a/filenames.gypi +++ b/filenames.gypi @@ -131,8 +131,6 @@ 'atom/browser/atom_download_manager_delegate.h', 'atom/browser/atom_browser_main_parts.cc', 'atom/browser/atom_browser_main_parts.h', - 'atom/browser/atom_cert_verifier.cc', - 'atom/browser/atom_cert_verifier.h', 'atom/browser/atom_browser_main_parts_mac.mm', 'atom/browser/atom_browser_main_parts_posix.cc', 'atom/browser/atom_javascript_dialog_manager.cc', @@ -143,8 +141,6 @@ 'atom/browser/atom_resource_dispatcher_host_delegate.h', 'atom/browser/atom_speech_recognition_manager_delegate.cc', 'atom/browser/atom_speech_recognition_manager_delegate.h', - 'atom/browser/atom_ssl_config_service.cc', - 'atom/browser/atom_ssl_config_service.h', 'atom/browser/bridge_task_runner.cc', 'atom/browser/bridge_task_runner.h', 'atom/browser/browser.cc', @@ -175,6 +171,10 @@ 'atom/browser/net/asar/asar_protocol_handler.h', 'atom/browser/net/asar/url_request_asar_job.cc', 'atom/browser/net/asar/url_request_asar_job.h', + 'atom/browser/net/atom_cert_verifier.cc', + 'atom/browser/net/atom_cert_verifier.h', + 'atom/browser/net/atom_ssl_config_service.cc', + 'atom/browser/net/atom_ssl_config_service.h', 'atom/browser/net/atom_url_request_job_factory.cc', 'atom/browser/net/atom_url_request_job_factory.h', 'atom/browser/net/http_protocol_handler.cc',