From 217311ef213ba1347506cd165b30447fd789f130 Mon Sep 17 00:00:00 2001 From: Cheng Zhao Date: Tue, 17 Nov 2015 19:00:33 +0800 Subject: [PATCH 1/6] No need to use weak reference Ref-counting manages everything. --- atom/browser/api/atom_api_session.cc | 5 +---- atom/browser/atom_cert_verifier.cc | 8 +++----- atom/browser/atom_cert_verifier.h | 5 +---- 3 files changed, 5 insertions(+), 13 deletions(-) diff --git a/atom/browser/api/atom_api_session.cc b/atom/browser/api/atom_api_session.cc index 07b9b68a94d..579b64bf4a7 100644 --- a/atom/browser/api/atom_api_session.cc +++ b/atom/browser/api/atom_api_session.cc @@ -241,10 +241,7 @@ void SetProxyInIO(net::URLRequestContextGetter* getter, void PassVerificationResult( scoped_refptr request, bool success) { - int result = net::OK; - if (!success) - result = net::ERR_FAILED; - request->ContinueWithResult(result); + request->ContinueWithResult(success ? net::OK : net::ERR_FAILED); } } // namespace diff --git a/atom/browser/atom_cert_verifier.cc b/atom/browser/atom_cert_verifier.cc index e56e611faa8..0ff0d1e4a54 100644 --- a/atom/browser/atom_cert_verifier.cc +++ b/atom/browser/atom_cert_verifier.cc @@ -66,8 +66,7 @@ void AtomCertVerifier::CertVerifyRequest::DelegateToDefaultVerifier() { key_.flags, crl_set_.get(), verify_result_, - base::Bind(&CertVerifyRequest::RunResult, - weak_ptr_factory_.GetWeakPtr()), + base::Bind(&CertVerifyRequest::RunResult, this), out_req_, net_log_); @@ -86,15 +85,14 @@ void AtomCertVerifier::CertVerifyRequest::ContinueWithResult(int result) { if (result != net::ERR_IO_PENDING) { BrowserThread::PostTask(BrowserThread::IO, FROM_HERE, base::Bind(&CertVerifyRequest::RunResult, - weak_ptr_factory_.GetWeakPtr(), + this, result)); return; } BrowserThread::PostTask( BrowserThread::IO, FROM_HERE, - base::Bind(&CertVerifyRequest::DelegateToDefaultVerifier, - weak_ptr_factory_.GetWeakPtr())); + base::Bind(&CertVerifyRequest::DelegateToDefaultVerifier, this)); } AtomCertVerifier::AtomCertVerifier() diff --git a/atom/browser/atom_cert_verifier.h b/atom/browser/atom_cert_verifier.h index e5560ff82fe..50446dd38bd 100644 --- a/atom/browser/atom_cert_verifier.h +++ b/atom/browser/atom_cert_verifier.h @@ -55,8 +55,7 @@ class AtomCertVerifier : public net::CertVerifier { verify_result_(verify_result), out_req_(out_req), net_log_(net_log), - handled_(false), - weak_ptr_factory_(this) { + handled_(false) { } void RunResult(int result); @@ -91,8 +90,6 @@ class AtomCertVerifier : public net::CertVerifier { std::vector callbacks_; bool handled_; - base::WeakPtrFactory weak_ptr_factory_; - DISALLOW_COPY_AND_ASSIGN(CertVerifyRequest); }; From 37f355724a4557e8af4e3d9e62ff5633b16dedfb Mon Sep 17 00:00:00 2001 From: Cheng Zhao Date: Tue, 17 Nov 2015 19:03:09 +0800 Subject: [PATCH 2/6] Move AtomCertVerifier to atom/browser/net --- atom/browser/api/atom_api_session.h | 2 +- atom/browser/atom_browser_context.cc | 2 +- atom/browser/{ => net}/atom_cert_verifier.cc | 2 +- atom/browser/{ => net}/atom_cert_verifier.h | 6 +++--- filenames.gypi | 4 ++-- 5 files changed, 8 insertions(+), 8 deletions(-) rename atom/browser/{ => net}/atom_cert_verifier.cc (99%) rename atom/browser/{ => net}/atom_cert_verifier.h (96%) diff --git a/atom/browser/api/atom_api_session.h b/atom/browser/api/atom_api_session.h index 05d67b8842e..db72558db47 100644 --- a/atom/browser/api/atom_api_session.h +++ b/atom/browser/api/atom_api_session.h @@ -8,7 +8,7 @@ #include #include "atom/browser/api/trackable_object.h" -#include "atom/browser/atom_cert_verifier.h" +#include "atom/browser/net/atom_cert_verifier.h" #include "content/public/browser/download_manager.h" #include "native_mate/handle.h" #include "net/base/completion_callback.h" diff --git a/atom/browser/atom_browser_context.cc b/atom/browser/atom_browser_context.cc index b1092757ae4..ab3ab1bd139 100644 --- a/atom/browser/atom_browser_context.cc +++ b/atom/browser/atom_browser_context.cc @@ -5,10 +5,10 @@ #include "atom/browser/atom_browser_context.h" #include "atom/browser/atom_browser_main_parts.h" -#include "atom/browser/atom_cert_verifier.h" #include "atom/browser/atom_download_manager_delegate.h" #include "atom/browser/atom_ssl_config_service.h" #include "atom/browser/browser.h" +#include "atom/browser/net/atom_cert_verifier.h" #include "atom/browser/net/atom_url_request_job_factory.h" #include "atom/browser/net/asar/asar_protocol_handler.h" #include "atom/browser/net/http_protocol_handler.h" diff --git a/atom/browser/atom_cert_verifier.cc b/atom/browser/net/atom_cert_verifier.cc similarity index 99% rename from atom/browser/atom_cert_verifier.cc rename to atom/browser/net/atom_cert_verifier.cc index 0ff0d1e4a54..65e55828082 100644 --- a/atom/browser/atom_cert_verifier.cc +++ b/atom/browser/net/atom_cert_verifier.cc @@ -2,7 +2,7 @@ // Use of this source code is governed by the MIT license that can be // found in the LICENSE file. -#include "atom/browser/atom_cert_verifier.h" +#include "atom/browser/net/atom_cert_verifier.h" #include "atom/browser/browser.h" #include "atom/common/native_mate_converters/net_converter.h" diff --git a/atom/browser/atom_cert_verifier.h b/atom/browser/net/atom_cert_verifier.h similarity index 96% rename from atom/browser/atom_cert_verifier.h rename to atom/browser/net/atom_cert_verifier.h index 50446dd38bd..52b6fb5303e 100644 --- a/atom/browser/atom_cert_verifier.h +++ b/atom/browser/net/atom_cert_verifier.h @@ -2,8 +2,8 @@ // Use of this source code is governed by the MIT license that can be // found in the LICENSE file. -#ifndef ATOM_BROWSER_ATOM_CERT_VERIFIER_H_ -#define ATOM_BROWSER_ATOM_CERT_VERIFIER_H_ +#ifndef ATOM_BROWSER_NET_ATOM_CERT_VERIFIER_H_ +#define ATOM_BROWSER_NET_ATOM_CERT_VERIFIER_H_ #include #include @@ -159,4 +159,4 @@ class AtomCertVerifier : public net::CertVerifier { } // namespace atom -#endif // ATOM_BROWSER_ATOM_CERT_VERIFIER_H_ +#endif // ATOM_BROWSER_NET_ATOM_CERT_VERIFIER_H_ diff --git a/filenames.gypi b/filenames.gypi index fd8856abd4d..92e0a2c204f 100644 --- a/filenames.gypi +++ b/filenames.gypi @@ -131,8 +131,6 @@ 'atom/browser/atom_download_manager_delegate.h', 'atom/browser/atom_browser_main_parts.cc', 'atom/browser/atom_browser_main_parts.h', - 'atom/browser/atom_cert_verifier.cc', - 'atom/browser/atom_cert_verifier.h', 'atom/browser/atom_browser_main_parts_mac.mm', 'atom/browser/atom_browser_main_parts_posix.cc', 'atom/browser/atom_javascript_dialog_manager.cc', @@ -175,6 +173,8 @@ 'atom/browser/net/asar/asar_protocol_handler.h', 'atom/browser/net/asar/url_request_asar_job.cc', 'atom/browser/net/asar/url_request_asar_job.h', + 'atom/browser/net/atom_cert_verifier.cc', + 'atom/browser/net/atom_cert_verifier.h', 'atom/browser/net/atom_url_request_job_factory.cc', 'atom/browser/net/atom_url_request_job_factory.h', 'atom/browser/net/http_protocol_handler.cc', From ea1e4160eace08e8fb216af6a6413baaa7577520 Mon Sep 17 00:00:00 2001 From: Cheng Zhao Date: Tue, 17 Nov 2015 19:05:38 +0800 Subject: [PATCH 3/6] Move AtomSSLConfigService to atom/browser/net --- atom/browser/atom_browser_context.cc | 2 +- atom/browser/{ => net}/atom_ssl_config_service.cc | 2 +- atom/browser/{ => net}/atom_ssl_config_service.h | 6 +++--- filenames.gypi | 4 ++-- 4 files changed, 7 insertions(+), 7 deletions(-) rename atom/browser/{ => net}/atom_ssl_config_service.cc (97%) rename atom/browser/{ => net}/atom_ssl_config_service.h (76%) diff --git a/atom/browser/atom_browser_context.cc b/atom/browser/atom_browser_context.cc index ab3ab1bd139..08c79996272 100644 --- a/atom/browser/atom_browser_context.cc +++ b/atom/browser/atom_browser_context.cc @@ -6,9 +6,9 @@ #include "atom/browser/atom_browser_main_parts.h" #include "atom/browser/atom_download_manager_delegate.h" -#include "atom/browser/atom_ssl_config_service.h" #include "atom/browser/browser.h" #include "atom/browser/net/atom_cert_verifier.h" +#include "atom/browser/net/atom_ssl_config_service.h" #include "atom/browser/net/atom_url_request_job_factory.h" #include "atom/browser/net/asar/asar_protocol_handler.h" #include "atom/browser/net/http_protocol_handler.h" diff --git a/atom/browser/atom_ssl_config_service.cc b/atom/browser/net/atom_ssl_config_service.cc similarity index 97% rename from atom/browser/atom_ssl_config_service.cc rename to atom/browser/net/atom_ssl_config_service.cc index 0a47067b0a6..2b3143e93cb 100644 --- a/atom/browser/atom_ssl_config_service.cc +++ b/atom/browser/net/atom_ssl_config_service.cc @@ -2,7 +2,7 @@ // Use of this source code is governed by the MIT license that can be // found in the LICENSE file. -#include "atom/browser/atom_ssl_config_service.h" +#include "atom/browser/net/atom_ssl_config_service.h" #include #include diff --git a/atom/browser/atom_ssl_config_service.h b/atom/browser/net/atom_ssl_config_service.h similarity index 76% rename from atom/browser/atom_ssl_config_service.h rename to atom/browser/net/atom_ssl_config_service.h index 3fa91c62c43..2e3ac4f6c59 100644 --- a/atom/browser/atom_ssl_config_service.h +++ b/atom/browser/net/atom_ssl_config_service.h @@ -2,8 +2,8 @@ // Use of this source code is governed by the MIT license that can be // found in the LICENSE file. -#ifndef ATOM_BROWSER_ATOM_SSL_CONFIG_SERVICE_H_ -#define ATOM_BROWSER_ATOM_SSL_CONFIG_SERVICE_H_ +#ifndef ATOM_BROWSER_NET_ATOM_SSL_CONFIG_SERVICE_H_ +#define ATOM_BROWSER_NET_ATOM_SSL_CONFIG_SERVICE_H_ #include "net/ssl/ssl_config_service.h" @@ -25,4 +25,4 @@ class AtomSSLConfigService : public net::SSLConfigService { } // namespace atom -#endif // ATOM_BROWSER_ATOM_SSL_CONFIG_SERVICE_H_ +#endif // ATOM_BROWSER_NET_ATOM_SSL_CONFIG_SERVICE_H_ diff --git a/filenames.gypi b/filenames.gypi index 92e0a2c204f..7e1f3e1827e 100644 --- a/filenames.gypi +++ b/filenames.gypi @@ -141,8 +141,6 @@ 'atom/browser/atom_resource_dispatcher_host_delegate.h', 'atom/browser/atom_speech_recognition_manager_delegate.cc', 'atom/browser/atom_speech_recognition_manager_delegate.h', - 'atom/browser/atom_ssl_config_service.cc', - 'atom/browser/atom_ssl_config_service.h', 'atom/browser/bridge_task_runner.cc', 'atom/browser/bridge_task_runner.h', 'atom/browser/browser.cc', @@ -175,6 +173,8 @@ 'atom/browser/net/asar/url_request_asar_job.h', 'atom/browser/net/atom_cert_verifier.cc', 'atom/browser/net/atom_cert_verifier.h', + 'atom/browser/net/atom_ssl_config_service.cc', + 'atom/browser/net/atom_ssl_config_service.h', 'atom/browser/net/atom_url_request_job_factory.cc', 'atom/browser/net/atom_url_request_job_factory.h', 'atom/browser/net/http_protocol_handler.cc', From e3517b701e0f1d18a965cb8f67888baddb8645ce Mon Sep 17 00:00:00 2001 From: Cheng Zhao Date: Tue, 17 Nov 2015 19:44:55 +0800 Subject: [PATCH 4/6] Create a new CertVerifierRequest for each request It greatly simplifies the code. --- atom/browser/api/atom_api_session.cc | 3 +- atom/browser/net/atom_cert_verifier.cc | 129 ++++--------------------- atom/browser/net/atom_cert_verifier.h | 105 ++++++-------------- 3 files changed, 48 insertions(+), 189 deletions(-) diff --git a/atom/browser/api/atom_api_session.cc b/atom/browser/api/atom_api_session.cc index 579b64bf4a7..3ac36abf531 100644 --- a/atom/browser/api/atom_api_session.cc +++ b/atom/browser/api/atom_api_session.cc @@ -267,7 +267,7 @@ void Session::RequestCertVerification( bool prevent_default = Emit( "verify-certificate", request->hostname(), - request->certificate(), + make_scoped_refptr(request->cert()), base::Bind(&PassVerificationResult, request)); if (!prevent_default) @@ -294,6 +294,7 @@ bool Session::IsDestroyed() const { } void Session::Destroy() { + browser_context_->cert_verifier()->SetDelegate(nullptr); browser_context_ = nullptr; } diff --git a/atom/browser/net/atom_cert_verifier.cc b/atom/browser/net/atom_cert_verifier.cc index 65e55828082..dcfe29afdda 100644 --- a/atom/browser/net/atom_cert_verifier.cc +++ b/atom/browser/net/atom_cert_verifier.cc @@ -6,74 +6,15 @@ #include "atom/browser/browser.h" #include "atom/common/native_mate_converters/net_converter.h" -#include "base/sha1.h" -#include "base/stl_util.h" #include "content/public/browser/browser_thread.h" #include "net/base/net_errors.h" +#include "net/cert/crl_set.h" +#include "net/cert/x509_certificate.h" using content::BrowserThread; namespace atom { -AtomCertVerifier::RequestParams::RequestParams( - const net::SHA1HashValue cert_fingerprint, - const net::SHA1HashValue ca_fingerprint, - const std::string& hostname_arg, - const std::string& ocsp_response_arg, - int flags_arg) - : hostname(hostname_arg), - ocsp_response(ocsp_response_arg), - flags(flags_arg) { - hash_values.reserve(3); - net::SHA1HashValue ocsp_hash; - base::SHA1HashBytes( - reinterpret_cast(ocsp_response.data()), - ocsp_response.size(), ocsp_hash.data); - hash_values.push_back(ocsp_hash); - hash_values.push_back(cert_fingerprint); - hash_values.push_back(ca_fingerprint); -} - -bool AtomCertVerifier::RequestParams::operator<( - const RequestParams& other) const { - if (flags != other.flags) - return flags < other.flags; - if (hostname != other.hostname) - return hostname < other.hostname; - return std::lexicographical_compare( - hash_values.begin(), - hash_values.end(), - other.hash_values.begin(), - other.hash_values.end(), - net::SHA1HashValueLessThan()); -} - -void AtomCertVerifier::CertVerifyRequest::RunResult(int result) { - DCHECK_CURRENTLY_ON(BrowserThread::IO); - - for (auto& callback : callbacks_) - callback.Run(result); - cert_verifier_->RemoveRequest(this); -} - -void AtomCertVerifier::CertVerifyRequest::DelegateToDefaultVerifier() { - DCHECK_CURRENTLY_ON(BrowserThread::IO); - - int rv = cert_verifier_->default_cert_verifier()->Verify( - certificate_.get(), - key_.hostname, - key_.ocsp_response, - key_.flags, - crl_set_.get(), - verify_result_, - base::Bind(&CertVerifyRequest::RunResult, this), - out_req_, - net_log_); - - if (rv != net::ERR_IO_PENDING) - RunResult(rv); -} - void AtomCertVerifier::CertVerifyRequest::ContinueWithResult(int result) { DCHECK_CURRENTLY_ON(BrowserThread::UI); @@ -84,9 +25,7 @@ void AtomCertVerifier::CertVerifyRequest::ContinueWithResult(int result) { if (result != net::ERR_IO_PENDING) { BrowserThread::PostTask(BrowserThread::IO, FROM_HERE, - base::Bind(&CertVerifyRequest::RunResult, - this, - result)); + base::Bind(callback_, result)); return; } @@ -95,6 +34,15 @@ void AtomCertVerifier::CertVerifyRequest::ContinueWithResult(int result) { base::Bind(&CertVerifyRequest::DelegateToDefaultVerifier, this)); } +void AtomCertVerifier::CertVerifyRequest::DelegateToDefaultVerifier() { + DCHECK_CURRENTLY_ON(BrowserThread::IO); + int result = cert_verifier_->default_cert_verifier_->Verify( + cert_.get(), hostname_, ocsp_response_, flags_, crl_set_.get(), + verify_result_, callback_, out_req_, net_log_); + if (result != net::ERR_IO_PENDING) + callback_.Run(result); +} + AtomCertVerifier::AtomCertVerifier() : delegate_(nullptr) { default_cert_verifier_.reset(net::CertVerifier::CreateDefault()); @@ -118,32 +66,13 @@ int AtomCertVerifier::Verify( if (callback.is_null() || !verify_result || hostname.empty() || !delegate_) return net::ERR_INVALID_ARGUMENT; - const RequestParams key(cert->fingerprint(), - cert->ca_fingerprint(), - hostname, - ocsp_response, - flags); - - CertVerifyRequest* request = FindRequest(key); - - if (!request) { - request = new CertVerifyRequest(this, - key, - cert, - crl_set, - verify_result, - out_req, - net_log); - requests_.insert(make_scoped_refptr(request)); - - BrowserThread::PostTask(BrowserThread::UI, FROM_HERE, - base::Bind(&Delegate::RequestCertVerification, - base::Unretained(delegate_), - make_scoped_refptr(request))); - } - - request->AddCompletionCallback(callback); - + CertVerifyRequest* request = new CertVerifyRequest( + this, cert, hostname, ocsp_response, flags, crl_set, verify_result, + callback, out_req, net_log); + BrowserThread::PostTask(BrowserThread::UI, FROM_HERE, + base::Bind(&Delegate::RequestCertVerification, + base::Unretained(delegate_), + make_scoped_refptr(request))); return net::ERR_IO_PENDING; } @@ -151,24 +80,4 @@ bool AtomCertVerifier::SupportsOCSPStapling() { return true; } -AtomCertVerifier::CertVerifyRequest* AtomCertVerifier::FindRequest( - const RequestParams& key) { - DCHECK_CURRENTLY_ON(BrowserThread::IO); - - auto it = std::lower_bound(requests_.begin(), - requests_.end(), - key, - CertVerifyRequestToRequestParamsComparator()); - if (it != requests_.end() && !(key < (*it)->key())) - return (*it).get(); - return nullptr; -} - -void AtomCertVerifier::RemoveRequest(CertVerifyRequest* request) { - DCHECK_CURRENTLY_ON(BrowserThread::IO); - - bool erased = requests_.erase(request) == 1; - DCHECK(erased); -} - } // namespace atom diff --git a/atom/browser/net/atom_cert_verifier.h b/atom/browser/net/atom_cert_verifier.h index 52b6fb5303e..02c2444cd7a 100644 --- a/atom/browser/net/atom_cert_verifier.h +++ b/atom/browser/net/atom_cert_verifier.h @@ -5,89 +5,64 @@ #ifndef ATOM_BROWSER_NET_ATOM_CERT_VERIFIER_H_ #define ATOM_BROWSER_NET_ATOM_CERT_VERIFIER_H_ -#include #include -#include #include "base/memory/ref_counted.h" -#include "net/base/hash_value.h" #include "net/cert/cert_verifier.h" -#include "net/cert/crl_set.h" -#include "net/cert/x509_certificate.h" -#include "net/log/net_log.h" namespace atom { class AtomCertVerifier : public net::CertVerifier { public: - struct RequestParams { - RequestParams( - const net::SHA1HashValue cert_fingerprint, - const net::SHA1HashValue ca_fingerprint, - const std::string& hostname_arg, - const std::string& ocsp_response, - int flags); - ~RequestParams() {} - - bool operator<(const RequestParams& other) const; - - std::string hostname; - std::string ocsp_response; - int flags; - std::vector hash_values; - }; - class CertVerifyRequest : public base::RefCountedThreadSafe { public: - CertVerifyRequest( - AtomCertVerifier* cert_verifier, - const RequestParams& key, - scoped_refptr cert, - scoped_refptr crl_set, - net::CertVerifyResult* verify_result, - scoped_ptr* out_req, - const net::BoundNetLog& net_log) + CertVerifyRequest(AtomCertVerifier* cert_verifier, + net::X509Certificate* cert, + const std::string& hostname, + const std::string& ocsp_response, + int flags, + net::CRLSet* crl_set, + net::CertVerifyResult* verify_result, + const net::CompletionCallback& callback, + scoped_ptr* out_req, + const net::BoundNetLog& net_log) : cert_verifier_(cert_verifier), - key_(key), - certificate_(cert), + cert_(cert), + hostname_(hostname), + ocsp_response_(ocsp_response), + flags_(flags), crl_set_(crl_set), verify_result_(verify_result), + callback_(callback), out_req_(out_req), net_log_(net_log), handled_(false) { } - void RunResult(int result); - void DelegateToDefaultVerifier(); void ContinueWithResult(int result); - void AddCompletionCallback(net::CompletionCallback callback) { - callbacks_.push_back(callback); - } - - const RequestParams key() const { return key_; } - - std::string hostname() const { return key_.hostname; } - - scoped_refptr certificate() const { - return certificate_; - } + const std::string& hostname() const { return hostname_; } + net::X509Certificate* cert() const { return cert_.get(); } private: friend class base::RefCountedThreadSafe; ~CertVerifyRequest() {} - AtomCertVerifier* cert_verifier_; - const RequestParams key_; + void DelegateToDefaultVerifier(); - scoped_refptr certificate_; + AtomCertVerifier* cert_verifier_; + + scoped_refptr cert_; + std::string hostname_; + std::string ocsp_response_; + int flags_; scoped_refptr crl_set_; net::CertVerifyResult* verify_result_; + net::CompletionCallback callback_; scoped_ptr* out_req_; - const net::BoundNetLog net_log_; + const net::BoundNetLog& net_log_; - std::vector callbacks_; bool handled_; DISALLOW_COPY_AND_ASSIGN(CertVerifyRequest); @@ -95,7 +70,6 @@ class AtomCertVerifier : public net::CertVerifier { class Delegate { public: - Delegate() {} virtual ~Delegate() {} // Called on UI thread. @@ -123,35 +97,10 @@ class AtomCertVerifier : public net::CertVerifier { const net::BoundNetLog& net_log) override; bool SupportsOCSPStapling() override; - net::CertVerifier* default_cert_verifier() const { - return default_cert_verifier_.get(); - } - private: - CertVerifyRequest* FindRequest(const RequestParams& key); - void RemoveRequest(CertVerifyRequest* request); - - struct CertVerifyRequestToRequestParamsComparator { - bool operator()(const scoped_refptr request, - const RequestParams& key) const { - return request->key() < key; - } - }; - - struct CertVerifyRequestComparator { - bool operator()(const scoped_refptr req1, - const scoped_refptr req2) const { - return req1->key() < req2->key(); - } - }; - - using ActiveRequestSet = - std::set, - CertVerifyRequestComparator>; - ActiveRequestSet requests_; + friend class CertVerifyRequest; Delegate* delegate_; - scoped_ptr default_cert_verifier_; DISALLOW_COPY_AND_ASSIGN(AtomCertVerifier); From ebe66daa56c0926d004aa1769ad77e18fd044394 Mon Sep 17 00:00:00 2001 From: Cheng Zhao Date: Tue, 17 Nov 2015 21:36:36 +0800 Subject: [PATCH 5/6] Emit verify-certificate only when default verifier fails --- atom/browser/api/atom_api_session.cc | 5 ++- atom/browser/net/atom_cert_verifier.cc | 62 +++++++++++++++----------- atom/browser/net/atom_cert_verifier.h | 51 +++++++-------------- docs/api/session.md | 15 ++++--- 4 files changed, 65 insertions(+), 68 deletions(-) diff --git a/atom/browser/api/atom_api_session.cc b/atom/browser/api/atom_api_session.cc index 3ac36abf531..c75bf9dd0bc 100644 --- a/atom/browser/api/atom_api_session.cc +++ b/atom/browser/api/atom_api_session.cc @@ -266,11 +266,12 @@ void Session::RequestCertVerification( const scoped_refptr& request) { bool prevent_default = Emit( "verify-certificate", - request->hostname(), - make_scoped_refptr(request->cert()), + request->args().hostname, + request->args().cert, base::Bind(&PassVerificationResult, request)); if (!prevent_default) + // Tell the request to use the result of default verifier. request->ContinueWithResult(net::ERR_IO_PENDING); } diff --git a/atom/browser/net/atom_cert_verifier.cc b/atom/browser/net/atom_cert_verifier.cc index dcfe29afdda..0f94e4fe2ad 100644 --- a/atom/browser/net/atom_cert_verifier.cc +++ b/atom/browser/net/atom_cert_verifier.cc @@ -15,6 +15,9 @@ using content::BrowserThread; namespace atom { +AtomCertVerifier::CertVerifyRequest::~CertVerifyRequest() { +} + void AtomCertVerifier::CertVerifyRequest::ContinueWithResult(int result) { DCHECK_CURRENTLY_ON(BrowserThread::UI); @@ -22,25 +25,10 @@ void AtomCertVerifier::CertVerifyRequest::ContinueWithResult(int result) { return; handled_ = true; - - if (result != net::ERR_IO_PENDING) { - BrowserThread::PostTask(BrowserThread::IO, FROM_HERE, - base::Bind(callback_, result)); - return; - } - BrowserThread::PostTask( BrowserThread::IO, FROM_HERE, - base::Bind(&CertVerifyRequest::DelegateToDefaultVerifier, this)); -} - -void AtomCertVerifier::CertVerifyRequest::DelegateToDefaultVerifier() { - DCHECK_CURRENTLY_ON(BrowserThread::IO); - int result = cert_verifier_->default_cert_verifier_->Verify( - cert_.get(), hostname_, ocsp_response_, flags_, crl_set_.get(), - verify_result_, callback_, out_req_, net_log_); - if (result != net::ERR_IO_PENDING) - callback_.Run(result); + base::Bind(args_.callback, + result == net::ERR_IO_PENDING ? result_ : result)); } AtomCertVerifier::AtomCertVerifier() @@ -66,18 +54,42 @@ int AtomCertVerifier::Verify( if (callback.is_null() || !verify_result || hostname.empty() || !delegate_) return net::ERR_INVALID_ARGUMENT; - CertVerifyRequest* request = new CertVerifyRequest( - this, cert, hostname, ocsp_response, flags, crl_set, verify_result, - callback, out_req, net_log); - BrowserThread::PostTask(BrowserThread::UI, FROM_HERE, - base::Bind(&Delegate::RequestCertVerification, - base::Unretained(delegate_), - make_scoped_refptr(request))); - return net::ERR_IO_PENDING; + VerifyArgs args = { cert, hostname, callback }; + int result = default_cert_verifier_->Verify( + cert, hostname, ocsp_response, flags, crl_set, verify_result, + base::Bind(&AtomCertVerifier::OnDefaultVerificationResult, + base::Unretained(this), args), + out_req, net_log); + if (result != net::OK && result != net::ERR_IO_PENDING) { + // The default verifier fails immediately. + VerifyCertificateFromDelegate(args, result); + return net::ERR_IO_PENDING; + } + + return result; } bool AtomCertVerifier::SupportsOCSPStapling() { return true; } +void AtomCertVerifier::VerifyCertificateFromDelegate( + const VerifyArgs& args, int result) { + CertVerifyRequest* request = new CertVerifyRequest(this, result, args); + BrowserThread::PostTask(BrowserThread::UI, FROM_HERE, + base::Bind(&Delegate::RequestCertVerification, + base::Unretained(delegate_), + make_scoped_refptr(request))); +} + +void AtomCertVerifier::OnDefaultVerificationResult( + const VerifyArgs& args, int result) { + if (result == net::OK) { + args.callback.Run(result); + return; + } + + VerifyCertificateFromDelegate(args, result); +} + } // namespace atom diff --git a/atom/browser/net/atom_cert_verifier.h b/atom/browser/net/atom_cert_verifier.h index 02c2444cd7a..8736db0f872 100644 --- a/atom/browser/net/atom_cert_verifier.h +++ b/atom/browser/net/atom_cert_verifier.h @@ -14,55 +14,35 @@ namespace atom { class AtomCertVerifier : public net::CertVerifier { public: + struct VerifyArgs { + scoped_refptr cert; + const std::string& hostname; + net::CompletionCallback callback; + }; + class CertVerifyRequest : public base::RefCountedThreadSafe { public: CertVerifyRequest(AtomCertVerifier* cert_verifier, - net::X509Certificate* cert, - const std::string& hostname, - const std::string& ocsp_response, - int flags, - net::CRLSet* crl_set, - net::CertVerifyResult* verify_result, - const net::CompletionCallback& callback, - scoped_ptr* out_req, - const net::BoundNetLog& net_log) + int result, + const VerifyArgs& args) : cert_verifier_(cert_verifier), - cert_(cert), - hostname_(hostname), - ocsp_response_(ocsp_response), - flags_(flags), - crl_set_(crl_set), - verify_result_(verify_result), - callback_(callback), - out_req_(out_req), - net_log_(net_log), + result_(result), + args_(args), handled_(false) { } void ContinueWithResult(int result); - const std::string& hostname() const { return hostname_; } - net::X509Certificate* cert() const { return cert_.get(); } + const VerifyArgs& args() const { return args_; } private: friend class base::RefCountedThreadSafe; - ~CertVerifyRequest() {} - - void DelegateToDefaultVerifier(); + ~CertVerifyRequest(); AtomCertVerifier* cert_verifier_; - - scoped_refptr cert_; - std::string hostname_; - std::string ocsp_response_; - int flags_; - scoped_refptr crl_set_; - net::CertVerifyResult* verify_result_; - net::CompletionCallback callback_; - scoped_ptr* out_req_; - const net::BoundNetLog& net_log_; - + int result_; + VerifyArgs args_; bool handled_; DISALLOW_COPY_AND_ASSIGN(CertVerifyRequest); @@ -100,6 +80,9 @@ class AtomCertVerifier : public net::CertVerifier { private: friend class CertVerifyRequest; + void VerifyCertificateFromDelegate(const VerifyArgs& args, int result); + void OnDefaultVerificationResult(const VerifyArgs& args, int result); + Delegate* delegate_; scoped_ptr default_cert_verifier_; diff --git a/docs/api/session.md b/docs/api/session.md index 210d5875351..cd802f34b20 100644 --- a/docs/api/session.md +++ b/docs/api/session.md @@ -21,7 +21,7 @@ var session = win.webContents.session * `item` [DownloadItem](download-item.md) * `webContents` [WebContents](web-contents.md) -Fired when Electron is about to download `item` in `webContents`. +Emitted when Electron is about to download `item` in `webContents`. Calling `event.preventDefault()` will cancel the download. @@ -43,18 +43,19 @@ session.on('will-download', function(event, item, webContents) { * `issuerName` String * `callback` Function -Fired whenever a server certificate verification is requested by the -network layer with `hostname`, `certificate` and `callback`. -`callback` should be called with a boolean response to -indicate continuation or cancellation of the request. +Emitted when failed to verify the `certificate` for `hostname`, to trust the +certificate you should prevent the default behavior with +`event.preventDefault()` and call `callback(true)`. ```js session.on('verify-certificate', function(event, hostname, certificate, callback) { if (hostname == "github.com") { - // verification logic + // Verification logic. + event.preventDefault(); callback(true); + } else { + callback(false); } - callback(false); }); ``` From 961ee5a4d914e9195ef731c86d6f3b28295c7590 Mon Sep 17 00:00:00 2001 From: Cheng Zhao Date: Tue, 17 Nov 2015 21:41:36 +0800 Subject: [PATCH 6/6] Rename verify-certificate to untrusted-certificate --- atom/browser/api/atom_api_session.cc | 2 +- docs/api/session.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/atom/browser/api/atom_api_session.cc b/atom/browser/api/atom_api_session.cc index c75bf9dd0bc..6527f67ab3f 100644 --- a/atom/browser/api/atom_api_session.cc +++ b/atom/browser/api/atom_api_session.cc @@ -265,7 +265,7 @@ Session::~Session() { void Session::RequestCertVerification( const scoped_refptr& request) { bool prevent_default = Emit( - "verify-certificate", + "untrusted-certificate", request->args().hostname, request->args().cert, base::Bind(&PassVerificationResult, request)); diff --git a/docs/api/session.md b/docs/api/session.md index cd802f34b20..e385e222d52 100644 --- a/docs/api/session.md +++ b/docs/api/session.md @@ -34,7 +34,7 @@ session.on('will-download', function(event, item, webContents) { }); ``` -### Event: 'verify-certificate' +### Event: 'untrusted-certificate' * `event` Event * `hostname` String