mirrors/electron
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages 1 Wiki Activity Actions

Merge pull request #3469 from atom/cleanup-verify-certificate

Browse source 
Emit verify-certificate only when default verifier fails
This commit is contained in:
Cheng Zhao 2015-11-17 21:57:58 +08:00
commit ab54fedc9a
11 changed files with 215 additions and 367 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
atom/browser/api/atom_api_session.cc
View file

@ -241,10 +241,7 @@ void SetProxyInIO(net::URLRequestContextGetter* getter,
void PassVerificationResult(
scoped_refptr<AtomCertVerifier::CertVerifyRequest> request,
bool success) {
int result = net::OK;
if (!success)
result = net::ERR_FAILED;
request->ContinueWithResult(result);
request->ContinueWithResult(success ? net::OK : net::ERR_FAILED);
}
} // namespace
@ -268,12 +265,13 @@ Session::~Session() {
void Session::RequestCertVerification(
const scoped_refptr<AtomCertVerifier::CertVerifyRequest>& request) {
bool prevent_default = Emit(
"verify-certificate",
request->hostname(),
request->certificate(),
"untrusted-certificate",
request->args().hostname,
request->args().cert,
base::Bind(&PassVerificationResult, request));
if (!prevent_default)
// Tell the request to use the result of default verifier.
request->ContinueWithResult(net::ERR_IO_PENDING);
}
@ -297,6 +295,7 @@ bool Session::IsDestroyed() const {
}
void Session::Destroy() {
browser_context_->cert_verifier()->SetDelegate(nullptr);
browser_context_ = nullptr;
}

2
atom/browser/api/atom_api_session.h
View file

@ -8,7 +8,7 @@
#include <string>
#include "atom/browser/api/trackable_object.h"
#include "atom/browser/atom_cert_verifier.h"
#include "atom/browser/net/atom_cert_verifier.h"
#include "content/public/browser/download_manager.h"
#include "native_mate/handle.h"
#include "net/base/completion_callback.h"

4
atom/browser/atom_browser_context.cc
View file

@ -5,10 +5,10 @@
#include "atom/browser/atom_browser_context.h"
#include "atom/browser/atom_browser_main_parts.h"
#include "atom/browser/atom_cert_verifier.h"
#include "atom/browser/atom_download_manager_delegate.h"
#include "atom/browser/atom_ssl_config_service.h"
#include "atom/browser/browser.h"
#include "atom/browser/net/atom_cert_verifier.h"
#include "atom/browser/net/atom_ssl_config_service.h"
#include "atom/browser/net/atom_url_request_job_factory.h"
#include "atom/browser/net/asar/asar_protocol_handler.h"
#include "atom/browser/net/http_protocol_handler.h"

176
atom/browser/atom_cert_verifier.cc
View file

@ -1,176 +0,0 @@
// Copyright (c) 2015 GitHub, Inc.
// Use of this source code is governed by the MIT license that can be
// found in the LICENSE file.
#include "atom/browser/atom_cert_verifier.h"
#include "atom/browser/browser.h"
#include "atom/common/native_mate_converters/net_converter.h"
#include "base/sha1.h"
#include "base/stl_util.h"
#include "content/public/browser/browser_thread.h"
#include "net/base/net_errors.h"
using content::BrowserThread;
namespace atom {
AtomCertVerifier::RequestParams::RequestParams(
const net::SHA1HashValue cert_fingerprint,
const net::SHA1HashValue ca_fingerprint,
const std::string& hostname_arg,
const std::string& ocsp_response_arg,
int flags_arg)
: hostname(hostname_arg),
ocsp_response(ocsp_response_arg),
flags(flags_arg) {
hash_values.reserve(3);
net::SHA1HashValue ocsp_hash;
base::SHA1HashBytes(
reinterpret_cast<const unsigned char*>(ocsp_response.data()),
ocsp_response.size(), ocsp_hash.data);
hash_values.push_back(ocsp_hash);
hash_values.push_back(cert_fingerprint);
hash_values.push_back(ca_fingerprint);
}
bool AtomCertVerifier::RequestParams::operator<(
const RequestParams& other) const {
if (flags != other.flags)
return flags < other.flags;
if (hostname != other.hostname)
return hostname < other.hostname;
return std::lexicographical_compare(
hash_values.begin(),
hash_values.end(),
other.hash_values.begin(),
other.hash_values.end(),
net::SHA1HashValueLessThan());
}
void AtomCertVerifier::CertVerifyRequest::RunResult(int result) {
DCHECK_CURRENTLY_ON(BrowserThread::IO);
for (auto& callback : callbacks_)
callback.Run(result);
cert_verifier_->RemoveRequest(this);
}
void AtomCertVerifier::CertVerifyRequest::DelegateToDefaultVerifier() {
DCHECK_CURRENTLY_ON(BrowserThread::IO);
int rv = cert_verifier_->default_cert_verifier()->Verify(
certificate_.get(),
key_.hostname,
key_.ocsp_response,
key_.flags,
crl_set_.get(),
verify_result_,
base::Bind(&CertVerifyRequest::RunResult,
weak_ptr_factory_.GetWeakPtr()),
out_req_,
net_log_);
if (rv != net::ERR_IO_PENDING)
RunResult(rv);
}
void AtomCertVerifier::CertVerifyRequest::ContinueWithResult(int result) {
DCHECK_CURRENTLY_ON(BrowserThread::UI);
if (handled_)
return;
handled_ = true;
if (result != net::ERR_IO_PENDING) {
BrowserThread::PostTask(BrowserThread::IO, FROM_HERE,
base::Bind(&CertVerifyRequest::RunResult,
weak_ptr_factory_.GetWeakPtr(),
result));
return;
}
BrowserThread::PostTask(
BrowserThread::IO, FROM_HERE,
base::Bind(&CertVerifyRequest::DelegateToDefaultVerifier,
weak_ptr_factory_.GetWeakPtr()));
}
AtomCertVerifier::AtomCertVerifier()
: delegate_(nullptr) {
default_cert_verifier_.reset(net::CertVerifier::CreateDefault());
}
AtomCertVerifier::~AtomCertVerifier() {
}
int AtomCertVerifier::Verify(
net::X509Certificate* cert,
const std::string& hostname,
const std::string& ocsp_response,
int flags,
net::CRLSet* crl_set,
net::CertVerifyResult* verify_result,
const net::CompletionCallback& callback,
scoped_ptr<Request>* out_req,
const net::BoundNetLog& net_log) {
DCHECK_CURRENTLY_ON(BrowserThread::IO);
if (callback.is_null() || !verify_result || hostname.empty() || !delegate_)
return net::ERR_INVALID_ARGUMENT;
const RequestParams key(cert->fingerprint(),
cert->ca_fingerprint(),
hostname,
ocsp_response,
flags);
CertVerifyRequest* request = FindRequest(key);
if (!request) {
request = new CertVerifyRequest(this,
key,
cert,
crl_set,
verify_result,
out_req,
net_log);
requests_.insert(make_scoped_refptr(request));
BrowserThread::PostTask(BrowserThread::UI, FROM_HERE,
base::Bind(&Delegate::RequestCertVerification,
base::Unretained(delegate_),
make_scoped_refptr(request)));
}
request->AddCompletionCallback(callback);
return net::ERR_IO_PENDING;
}
bool AtomCertVerifier::SupportsOCSPStapling() {
return true;
}
AtomCertVerifier::CertVerifyRequest* AtomCertVerifier::FindRequest(
const RequestParams& key) {
DCHECK_CURRENTLY_ON(BrowserThread::IO);
auto it = std::lower_bound(requests_.begin(),
requests_.end(),
key,
CertVerifyRequestToRequestParamsComparator());
if (it != requests_.end() && !(key < (*it)->key()))
return (*it).get();
return nullptr;
}
void AtomCertVerifier::RemoveRequest(CertVerifyRequest* request) {
DCHECK_CURRENTLY_ON(BrowserThread::IO);
bool erased = requests_.erase(request) == 1;
DCHECK(erased);
}
} // namespace atom

165
atom/browser/atom_cert_verifier.h
View file

@ -1,165 +0,0 @@
// Copyright (c) 2015 GitHub, Inc.
// Use of this source code is governed by the MIT license that can be
// found in the LICENSE file.
#ifndef ATOM_BROWSER_ATOM_CERT_VERIFIER_H_
#define ATOM_BROWSER_ATOM_CERT_VERIFIER_H_
#include <set>
#include <string>
#include <vector>
#include "base/memory/ref_counted.h"
#include "net/base/hash_value.h"
#include "net/cert/cert_verifier.h"
#include "net/cert/crl_set.h"
#include "net/cert/x509_certificate.h"
#include "net/log/net_log.h"
namespace atom {
class AtomCertVerifier : public net::CertVerifier {
public:
struct RequestParams {
RequestParams(
const net::SHA1HashValue cert_fingerprint,
const net::SHA1HashValue ca_fingerprint,
const std::string& hostname_arg,
const std::string& ocsp_response,
int flags);
~RequestParams() {}
bool operator<(const RequestParams& other) const;
std::string hostname;
std::string ocsp_response;
int flags;
std::vector<net::SHA1HashValue> hash_values;
};
class CertVerifyRequest
: public base::RefCountedThreadSafe<CertVerifyRequest> {
public:
CertVerifyRequest(
AtomCertVerifier* cert_verifier,
const RequestParams& key,
scoped_refptr<net::X509Certificate> cert,
scoped_refptr<net::CRLSet> crl_set,
net::CertVerifyResult* verify_result,
scoped_ptr<Request>* out_req,
const net::BoundNetLog& net_log)
: cert_verifier_(cert_verifier),
key_(key),
certificate_(cert),
crl_set_(crl_set),
verify_result_(verify_result),
out_req_(out_req),
net_log_(net_log),
handled_(false),
weak_ptr_factory_(this) {
}
void RunResult(int result);
void DelegateToDefaultVerifier();
void ContinueWithResult(int result);
void AddCompletionCallback(net::CompletionCallback callback) {
callbacks_.push_back(callback);
}
const RequestParams key() const { return key_; }
std::string hostname() const { return key_.hostname; }
scoped_refptr<net::X509Certificate> certificate() const {
return certificate_;
}
private:
friend class base::RefCountedThreadSafe<CertVerifyRequest>;
~CertVerifyRequest() {}
AtomCertVerifier* cert_verifier_;
const RequestParams key_;
scoped_refptr<net::X509Certificate> certificate_;
scoped_refptr<net::CRLSet> crl_set_;
net::CertVerifyResult* verify_result_;
scoped_ptr<Request>* out_req_;
const net::BoundNetLog net_log_;
std::vector<net::CompletionCallback> callbacks_;
bool handled_;
base::WeakPtrFactory<CertVerifyRequest> weak_ptr_factory_;
DISALLOW_COPY_AND_ASSIGN(CertVerifyRequest);
};
class Delegate {
public:
Delegate() {}
virtual ~Delegate() {}
// Called on UI thread.
virtual void RequestCertVerification(
const scoped_refptr<CertVerifyRequest>& request) {}
};
AtomCertVerifier();
virtual ~AtomCertVerifier();
void SetDelegate(Delegate* delegate) {
delegate_ = delegate;
}
protected:
// net::CertVerifier:
int Verify(net::X509Certificate* cert,
const std::string& hostname,
const std::string& ocsp_response,
int flags,
net::CRLSet* crl_set,
net::CertVerifyResult* verify_result,
const net::CompletionCallback& callback,
scoped_ptr<Request>* out_req,
const net::BoundNetLog& net_log) override;
bool SupportsOCSPStapling() override;
net::CertVerifier* default_cert_verifier() const {
return default_cert_verifier_.get();
}
private:
CertVerifyRequest* FindRequest(const RequestParams& key);
void RemoveRequest(CertVerifyRequest* request);
struct CertVerifyRequestToRequestParamsComparator {
bool operator()(const scoped_refptr<CertVerifyRequest> request,
const RequestParams& key) const {
return request->key() < key;
}
};
struct CertVerifyRequestComparator {
bool operator()(const scoped_refptr<CertVerifyRequest> req1,
const scoped_refptr<CertVerifyRequest> req2) const {
return req1->key() < req2->key();
}
};
using ActiveRequestSet =
std::set<scoped_refptr<CertVerifyRequest>,
CertVerifyRequestComparator>;
ActiveRequestSet requests_;
Delegate* delegate_;
scoped_ptr<net::CertVerifier> default_cert_verifier_;
DISALLOW_COPY_AND_ASSIGN(AtomCertVerifier);
};
} // namespace atom
#endif // ATOM_BROWSER_ATOM_CERT_VERIFIER_H_

95
atom/browser/net/atom_cert_verifier.cc Normal file
View file

@ -0,0 +1,95 @@
// Copyright (c) 2015 GitHub, Inc.
// Use of this source code is governed by the MIT license that can be
// found in the LICENSE file.
#include "atom/browser/net/atom_cert_verifier.h"
#include "atom/browser/browser.h"
#include "atom/common/native_mate_converters/net_converter.h"
#include "content/public/browser/browser_thread.h"
#include "net/base/net_errors.h"
#include "net/cert/crl_set.h"
#include "net/cert/x509_certificate.h"
using content::BrowserThread;
namespace atom {
AtomCertVerifier::CertVerifyRequest::~CertVerifyRequest() {
}
void AtomCertVerifier::CertVerifyRequest::ContinueWithResult(int result) {
DCHECK_CURRENTLY_ON(BrowserThread::UI);
if (handled_)
return;
handled_ = true;
BrowserThread::PostTask(
BrowserThread::IO, FROM_HERE,
base::Bind(args_.callback,
result == net::ERR_IO_PENDING ? result_ : result));
}
AtomCertVerifier::AtomCertVerifier()
: delegate_(nullptr) {
default_cert_verifier_.reset(net::CertVerifier::CreateDefault());
}
AtomCertVerifier::~AtomCertVerifier() {
}
int AtomCertVerifier::Verify(
net::X509Certificate* cert,
const std::string& hostname,
const std::string& ocsp_response,
int flags,
net::CRLSet* crl_set,
net::CertVerifyResult* verify_result,
const net::CompletionCallback& callback,
scoped_ptr<Request>* out_req,
const net::BoundNetLog& net_log) {
DCHECK_CURRENTLY_ON(BrowserThread::IO);
if (callback.is_null() || !verify_result || hostname.empty() || !delegate_)
return net::ERR_INVALID_ARGUMENT;
VerifyArgs args = { cert, hostname, callback };
int result = default_cert_verifier_->Verify(
cert, hostname, ocsp_response, flags, crl_set, verify_result,
base::Bind(&AtomCertVerifier::OnDefaultVerificationResult,
base::Unretained(this), args),
out_req, net_log);
if (result != net::OK && result != net::ERR_IO_PENDING) {
// The default verifier fails immediately.
VerifyCertificateFromDelegate(args, result);
return net::ERR_IO_PENDING;
}
return result;
}
bool AtomCertVerifier::SupportsOCSPStapling() {
return true;
}
void AtomCertVerifier::VerifyCertificateFromDelegate(
const VerifyArgs& args, int result) {
CertVerifyRequest* request = new CertVerifyRequest(this, result, args);
BrowserThread::PostTask(BrowserThread::UI, FROM_HERE,
base::Bind(&Delegate::RequestCertVerification,
base::Unretained(delegate_),
make_scoped_refptr(request)));
}
void AtomCertVerifier::OnDefaultVerificationResult(
const VerifyArgs& args, int result) {
if (result == net::OK) {
args.callback.Run(result);
return;
}
VerifyCertificateFromDelegate(args, result);
}
} // namespace atom

94
atom/browser/net/atom_cert_verifier.h Normal file
View file

@ -0,0 +1,94 @@
// Copyright (c) 2015 GitHub, Inc.
// Use of this source code is governed by the MIT license that can be
// found in the LICENSE file.
#ifndef ATOM_BROWSER_NET_ATOM_CERT_VERIFIER_H_
#define ATOM_BROWSER_NET_ATOM_CERT_VERIFIER_H_
#include <string>
#include "base/memory/ref_counted.h"
#include "net/cert/cert_verifier.h"
namespace atom {
class AtomCertVerifier : public net::CertVerifier {
public:
struct VerifyArgs {
scoped_refptr<net::X509Certificate> cert;
const std::string& hostname;
net::CompletionCallback callback;
};
class CertVerifyRequest
: public base::RefCountedThreadSafe<CertVerifyRequest> {
public:
CertVerifyRequest(AtomCertVerifier* cert_verifier,
int result,
const VerifyArgs& args)
: cert_verifier_(cert_verifier),
result_(result),
args_(args),
handled_(false) {
}
void ContinueWithResult(int result);
const VerifyArgs& args() const { return args_; }
private:
friend class base::RefCountedThreadSafe<CertVerifyRequest>;
~CertVerifyRequest();
AtomCertVerifier* cert_verifier_;
int result_;
VerifyArgs args_;
bool handled_;
DISALLOW_COPY_AND_ASSIGN(CertVerifyRequest);
};
class Delegate {
public:
virtual ~Delegate() {}
// Called on UI thread.
virtual void RequestCertVerification(
const scoped_refptr<CertVerifyRequest>& request) {}
};
AtomCertVerifier();
virtual ~AtomCertVerifier();
void SetDelegate(Delegate* delegate) {
delegate_ = delegate;
}
protected:
// net::CertVerifier:
int Verify(net::X509Certificate* cert,
const std::string& hostname,
const std::string& ocsp_response,
int flags,
net::CRLSet* crl_set,
net::CertVerifyResult* verify_result,
const net::CompletionCallback& callback,
scoped_ptr<Request>* out_req,
const net::BoundNetLog& net_log) override;
bool SupportsOCSPStapling() override;
private:
friend class CertVerifyRequest;
void VerifyCertificateFromDelegate(const VerifyArgs& args, int result);
void OnDefaultVerificationResult(const VerifyArgs& args, int result);
Delegate* delegate_;
scoped_ptr<net::CertVerifier> default_cert_verifier_;
DISALLOW_COPY_AND_ASSIGN(AtomCertVerifier);
};
} // namespace atom
#endif // ATOM_BROWSER_NET_ATOM_CERT_VERIFIER_H_

2
atom/browser/atom_ssl_config_service.cc → atom/browser/net/atom_ssl_config_service.cc
View file

@ -2,7 +2,7 @@
// Use of this source code is governed by the MIT license that can be
// found in the LICENSE file.
#include "atom/browser/atom_ssl_config_service.h"
#include "atom/browser/net/atom_ssl_config_service.h"
#include <string>
#include <vector>

6
atom/browser/atom_ssl_config_service.h → atom/browser/net/atom_ssl_config_service.h
View file

@ -2,8 +2,8 @@
// Use of this source code is governed by the MIT license that can be
// found in the LICENSE file.
#ifndef ATOM_BROWSER_ATOM_SSL_CONFIG_SERVICE_H_
#define ATOM_BROWSER_ATOM_SSL_CONFIG_SERVICE_H_
#ifndef ATOM_BROWSER_NET_ATOM_SSL_CONFIG_SERVICE_H_
#define ATOM_BROWSER_NET_ATOM_SSL_CONFIG_SERVICE_H_
#include "net/ssl/ssl_config_service.h"
@ -25,4 +25,4 @@ class AtomSSLConfigService : public net::SSLConfigService {
} // namespace atom
#endif // ATOM_BROWSER_ATOM_SSL_CONFIG_SERVICE_H_
#endif // ATOM_BROWSER_NET_ATOM_SSL_CONFIG_SERVICE_H_

17
docs/api/session.md
View file

@ -21,7 +21,7 @@ var session = win.webContents.session
* `item` [DownloadItem](download-item.md)
* `webContents` [WebContents](web-contents.md)
Fired when Electron is about to download `item` in `webContents`.
Emitted when Electron is about to download `item` in `webContents`.
Calling `event.preventDefault()` will cancel the download.
@ -34,7 +34,7 @@ session.on('will-download', function(event, item, webContents) {
});
```
### Event: 'verify-certificate'
### Event: 'untrusted-certificate'
* `event` Event
* `hostname` String
@ -43,18 +43,19 @@ session.on('will-download', function(event, item, webContents) {
* `issuerName` String
* `callback` Function
Fired whenever a server certificate verification is requested by the
network layer with `hostname`, `certificate` and `callback`.
`callback` should be called with a boolean response to
indicate continuation or cancellation of the request.
Emitted when failed to verify the `certificate` for `hostname`, to trust the
certificate you should prevent the default behavior with
`event.preventDefault()` and call `callback(true)`.
```js
session.on('verify-certificate', function(event, hostname, certificate, callback) {
if (hostname == "github.com") {
// verification logic
// Verification logic.
event.preventDefault();
callback(true);
} else {
callback(false);
}
callback(false);
});
```

8
filenames.gypi
View file

@ -131,8 +131,6 @@
'atom/browser/atom_download_manager_delegate.h',
'atom/browser/atom_browser_main_parts.cc',
'atom/browser/atom_browser_main_parts.h',
'atom/browser/atom_cert_verifier.cc',
'atom/browser/atom_cert_verifier.h',
'atom/browser/atom_browser_main_parts_mac.mm',
'atom/browser/atom_browser_main_parts_posix.cc',
'atom/browser/atom_javascript_dialog_manager.cc',
@ -143,8 +141,6 @@
'atom/browser/atom_resource_dispatcher_host_delegate.h',
'atom/browser/atom_speech_recognition_manager_delegate.cc',
'atom/browser/atom_speech_recognition_manager_delegate.h',
'atom/browser/atom_ssl_config_service.cc',
'atom/browser/atom_ssl_config_service.h',
'atom/browser/bridge_task_runner.cc',
'atom/browser/bridge_task_runner.h',
'atom/browser/browser.cc',
@ -175,6 +171,10 @@
'atom/browser/net/asar/asar_protocol_handler.h',
'atom/browser/net/asar/url_request_asar_job.cc',
'atom/browser/net/asar/url_request_asar_job.h',
'atom/browser/net/atom_cert_verifier.cc',
'atom/browser/net/atom_cert_verifier.h',
'atom/browser/net/atom_ssl_config_service.cc',
'atom/browser/net/atom_ssl_config_service.h',
'atom/browser/net/atom_url_request_job_factory.cc',
'atom/browser/net/atom_url_request_job_factory.h',
'atom/browser/net/http_protocol_handler.cc',