session: api to allow handling certificate verification

2015-11-05 19:36:36 +05:30 · 2015-11-05 19:36:36 +05:30 · d072e61282
commit d072e61282
parent ce0167756e
14 changed files with 231 additions and 17 deletions
--- a/atom/browser/api/atom_api_app.cc
+++ b/atom/browser/api/atom_api_app.cc
@ -61,21 +61,6 @@ struct Converter<Browser::UserTask> {
 };
 #endif

-template<>
-struct Converter<scoped_refptr<net::X509Certificate>> {
-  static v8::Local<v8::Value> ToV8(
-      v8::Isolate* isolate,
-      const scoped_refptr<net::X509Certificate>& val) {
-    mate::Dictionary dict(isolate, v8::Object::New(isolate));
-    std::string encoded_data;
-    net::X509Certificate::GetPEMEncoded(
-        val->os_cert_handle(), &encoded_data);
-    dict.Set("data", encoded_data);
-    dict.Set("issuerName", val->issuer().GetDisplayName());
-    return dict.GetHandle();
-  }
-};
-
 }  // namespace mate


--- a/atom/browser/api/atom_api_session.cc
+++ b/atom/browser/api/atom_api_session.cc
@ -13,9 +13,11 @@
 #include "atom/browser/api/save_page_handler.h"
 #include "atom/browser/atom_browser_context.h"
 #include "atom/browser/atom_browser_main_parts.h"
+#include "atom/browser/browser.h"
 #include "atom/common/native_mate_converters/callback.h"
 #include "atom/common/native_mate_converters/gurl_converter.h"
 #include "atom/common/native_mate_converters/file_path_converter.h"
+#include "atom/common/native_mate_converters/net_converter.h"
 #include "atom/common/node_includes.h"
 #include "base/files/file_path.h"
 #include "base/prefs/pref_service.h"
@ -365,6 +367,7 @@ v8::Local<v8::Value> Session::Cookies(v8::Isolate* isolate) {

 mate::ObjectTemplateBuilder Session::GetObjectTemplateBuilder(
    v8::Isolate* isolate) {
+  auto browser = base::Unretained(Browser::Get());
  return mate::ObjectTemplateBuilder(isolate)
      .SetMethod("resolveProxy", &Session::ResolveProxy)
      .SetMethod("clearCache", &Session::ClearCache)
@ -373,6 +376,10 @@ mate::ObjectTemplateBuilder Session::GetObjectTemplateBuilder(
      .SetMethod("setDownloadPath", &Session::SetDownloadPath)
      .SetMethod("enableNetworkEmulation", &Session::EnableNetworkEmulation)
      .SetMethod("disableNetworkEmulation", &Session::DisableNetworkEmulation)
+      .SetMethod("setCertificateVerifier",
+                 base::Bind(&Browser::SetCertificateVerifier, browser))
+      .SetMethod("removeCertificateVerifier",
+                 base::Bind(&Browser::RemoveCertificateVerifier, browser))
      .SetProperty("cookies", &Session::Cookies);
 }

--- a/atom/browser/atom_browser_context.cc
+++ b/atom/browser/atom_browser_context.cc
@ -5,6 +5,7 @@
 #include "atom/browser/atom_browser_context.h"

 #include "atom/browser/atom_browser_main_parts.h"
+#include "atom/browser/atom_cert_verifier.h"
 #include "atom/browser/atom_download_manager_delegate.h"
 #include "atom/browser/atom_ssl_config_service.h"
 #include "atom/browser/browser.h"
@ -158,6 +159,10 @@ content::BrowserPluginGuestManager* AtomBrowserContext::GetGuestManager() {
  return guest_manager_.get();
 }

+net::CertVerifier* AtomBrowserContext::CreateCertVerifier() {
+  return new AtomCertVerifier;
+}
+
 net::SSLConfigService* AtomBrowserContext::CreateSSLConfigService() {
  return new AtomSSLConfigService;
 }
--- a/atom/browser/atom_browser_context.h
+++ b/atom/browser/atom_browser_context.h
@ -27,6 +27,7 @@ class AtomBrowserContext : public brightray::BrowserContext {
      content::URLRequestInterceptorScopedVector* interceptors) override;
  net::HttpCache::BackendFactory* CreateHttpCacheBackendFactory(
      const base::FilePath& base_path) override;
+  net::CertVerifier* CreateCertVerifier() override;
  net::SSLConfigService* CreateSSLConfigService() override;
  bool AllowNTLMCredentialsForDomain(const GURL& auth_origin) override;

--- a/atom/browser/atom_cert_verifier.cc
+++ b/atom/browser/atom_cert_verifier.cc
@ -0,0 +1,84 @@
+// Copyright (c) 2015 GitHub, Inc.
+// Use of this source code is governed by the MIT license that can be
+// found in the LICENSE file.
+
+#include "atom/browser/atom_cert_verifier.h"
+
+#include "atom/browser/browser.h"
+#include "atom/common/native_mate_converters/net_converter.h"
+#include "content/public/browser/browser_thread.h"
+#include "net/base/net_errors.h"
+#include "net/cert/x509_certificate.h"
+
+using content::BrowserThread;
+
+namespace atom {
+
+namespace {
+
+void RunResult(const net::CompletionCallback& callback, bool success) {
+  DCHECK_CURRENTLY_ON(BrowserThread::UI);
+
+  int result = net::OK;
+  if (!success)
+    result = net::ERR_FAILED;
+
+  BrowserThread::PostTask(BrowserThread::IO, FROM_HERE,
+                          base::Bind(callback, result));
+}
+
+}  // namespace
+
+AtomCertVerifier::AtomCertVerifier() {
+  Browser::Get()->AddObserver(this);
+  default_cert_verifier_.reset(net::CertVerifier::CreateDefault());
+}
+
+AtomCertVerifier::~AtomCertVerifier() {
+  Browser::Get()->RemoveObserver(this);
+}
+
+int AtomCertVerifier::Verify(
+    net::X509Certificate* cert,
+    const std::string& hostname,
+    const std::string& ocsp_response,
+    int flags,
+    net::CRLSet* crl_set,
+    net::CertVerifyResult* verify_result,
+    const net::CompletionCallback& callback,
+    scoped_ptr<Request>* out_req,
+    const net::BoundNetLog& net_log) {
+  DCHECK_CURRENTLY_ON(BrowserThread::IO);
+
+  if (callback.is_null() || !verify_result || hostname.empty())
+    return net::ERR_INVALID_ARGUMENT;
+
+  if (!handler_.is_null()) {
+    BrowserThread::PostTask(BrowserThread::UI, FROM_HERE,
+                            base::Bind(handler_, hostname,
+                                       make_scoped_refptr(cert),
+                                       base::Bind(&RunResult, callback)));
+    return net::ERR_IO_PENDING;
+  }
+
+  return default_cert_verifier_->Verify(cert, hostname, ocsp_response,
+                                        flags, crl_set, verify_result,
+                                        callback, out_req, net_log);
+}
+
+bool AtomCertVerifier::SupportsOCSPStapling() {
+  if (handler_.is_null())
+    return default_cert_verifier_->SupportsOCSPStapling();
+  return false;
+}
+
+void AtomCertVerifier::OnSetCertificateVerifier(
+    const CertificateVerifier& handler) {
+  handler_ = handler;
+}
+
+void AtomCertVerifier::OnRemoveCertificateVerifier() {
+  handler_.Reset();
+}
+
+}  // namespace atom
--- a/atom/browser/atom_cert_verifier.h
+++ b/atom/browser/atom_cert_verifier.h
@ -0,0 +1,47 @@
+// Copyright (c) 2015 GitHub, Inc.
+// Use of this source code is governed by the MIT license that can be
+// found in the LICENSE file.
+
+#ifndef ATOM_BROWSER_ATOM_CERT_VERIFIER_H_
+#define ATOM_BROWSER_ATOM_CERT_VERIFIER_H_
+
+#include <string>
+
+#include "atom/browser/browser_observer.h"
+#include "net/cert/cert_verifier.h"
+
+namespace atom {
+
+class AtomCertVerifier : public net::CertVerifier,
+                         public BrowserObserver {
+ public:
+  AtomCertVerifier();
+  ~AtomCertVerifier() override;
+
+  // net::CertVerifier:
+  int Verify(net::X509Certificate* cert,
+             const std::string& hostname,
+             const std::string& ocsp_response,
+             int flags,
+             net::CRLSet* crl_set,
+             net::CertVerifyResult* verify_result,
+             const net::CompletionCallback& callback,
+             scoped_ptr<Request>* out_req,
+             const net::BoundNetLog& net_log) override;
+  bool SupportsOCSPStapling() override;
+
+ protected:
+  void OnSetCertificateVerifier(const CertificateVerifier& handler) override;
+  void OnRemoveCertificateVerifier() override;
+
+ private:
+  scoped_ptr<net::CertVerifier> default_cert_verifier_;
+
+  CertificateVerifier handler_;
+
+  DISALLOW_COPY_AND_ASSIGN(AtomCertVerifier);
+};
+
+}   // namespace atom
+
+#endif  // ATOM_BROWSER_ATOM_CERT_VERIFIER_H_
--- a/atom/browser/browser.cc
+++ b/atom/browser/browser.cc
@ -156,6 +156,16 @@ void Browser::RequestLogin(LoginHandler* login_handler) {
  FOR_EACH_OBSERVER(BrowserObserver, observers_, OnLogin(login_handler));
 }

+void Browser::SetCertificateVerifier(const CertificateVerifier& handler) {
+  FOR_EACH_OBSERVER(BrowserObserver,
+                    observers_,
+                    OnSetCertificateVerifier(handler));
+}
+
+void Browser::RemoveCertificateVerifier() {
+  FOR_EACH_OBSERVER(BrowserObserver, observers_, OnRemoveCertificateVerifier());
+}
+
 void Browser::NotifyAndShutdown() {
  if (is_shutdown_)
    return;
--- a/atom/browser/browser.h
+++ b/atom/browser/browser.h
@ -135,6 +135,10 @@ class Browser : public WindowListObserver {
  // Request basic auth login.
  void RequestLogin(LoginHandler* login_handler);

+  // Set.remove the ceritificate verifier provided by the user.
+  void SetCertificateVerifier(const CertificateVerifier& handler);
+  void RemoveCertificateVerifier();
+
  void AddObserver(BrowserObserver* obs) {
    observers_.AddObserver(obs);
  }
--- a/atom/browser/browser_observer.h
+++ b/atom/browser/browser_observer.h
@ -7,6 +7,7 @@

 #include <string>

+#include "base/callback.h"
 #include "base/memory/scoped_ptr.h"
 #include "content/public/browser/client_certificate_delegate.h"

@ -16,12 +17,19 @@ class WebContents;

 namespace net {
 class SSLCertRequestInfo;
+class X509Certificate;
 }

 namespace atom {

 class LoginHandler;

+// A callback specialisation used by AtomCertVerifier during verification.
+using CertificateVerifier =
+    base::Callback<void(const std::string&,
+                        scoped_refptr<net::X509Certificate>,
+                        const base::Callback<void(bool)>&)>;
+
 class BrowserObserver {
 public:
  // The browser is about to close all windows.
@ -62,6 +70,9 @@ class BrowserObserver {
  // The browser requests HTTP login.
  virtual void OnLogin(LoginHandler* login_handler) {}

+  virtual void OnSetCertificateVerifier(const CertificateVerifier& handler) {}
+  virtual void OnRemoveCertificateVerifier() {}
+
 protected:
  virtual ~BrowserObserver() {}
 };
--- a/atom/common/native_mate_converters/net_converter.cc
+++ b/atom/common/native_mate_converters/net_converter.cc
@ -4,7 +4,11 @@

 #include "atom/common/native_mate_converters/net_converter.h"

+#include <string>
+
+#include "atom/common/node_includes.h"
 #include "native_mate/dictionary.h"
+#include "net/cert/x509_certificate.h"
 #include "net/url_request/url_request.h"

 namespace mate {
@ -31,4 +35,19 @@ v8::Local<v8::Value> Converter<const net::AuthChallengeInfo*>::ToV8(
  return mate::ConvertToV8(isolate, dict);
 }

+// static
+v8::Local<v8::Value> Converter<scoped_refptr<net::X509Certificate>>::ToV8(
+    v8::Isolate* isolate, const scoped_refptr<net::X509Certificate>& val) {
+  mate::Dictionary dict(isolate, v8::Object::New(isolate));
+  std::string encoded_data;
+  net::X509Certificate::GetPEMEncoded(
+      val->os_cert_handle(), &encoded_data);
+  auto buffer = node::Buffer::Copy(isolate,
+                                   encoded_data.data(),
+                                   encoded_data.size()).ToLocalChecked();
+  dict.Set("data", buffer);
+  dict.Set("issuerName", val->issuer().GetDisplayName());
+  return dict.GetHandle();
+}
+
 }  // namespace mate
--- a/atom/common/native_mate_converters/net_converter.h
+++ b/atom/common/native_mate_converters/net_converter.h
@ -5,11 +5,13 @@
 #ifndef ATOM_COMMON_NATIVE_MATE_CONVERTERS_NET_CONVERTER_H_
 #define ATOM_COMMON_NATIVE_MATE_CONVERTERS_NET_CONVERTER_H_

+#include "base/memory/ref_counted.h"
 #include "native_mate/converter.h"

 namespace net {
 class AuthChallengeInfo;
 class URLRequest;
+class X509Certificate;
 }

 namespace mate {
@ -26,6 +28,12 @@ struct Converter<const net::AuthChallengeInfo*> {
                                   const net::AuthChallengeInfo* val);
 };

+template<>
+struct Converter<scoped_refptr<net::X509Certificate>> {
+  static v8::Local<v8::Value> ToV8(v8::Isolate* isolate,
+      const scoped_refptr<net::X509Certificate>& val);
+};
+
 }  // namespace mate

 #endif  // ATOM_COMMON_NATIVE_MATE_CONVERTERS_NET_CONVERTER_H_
--- a/docs/api/app.md
+++ b/docs/api/app.md
@ -139,8 +139,8 @@ Returns:
 * `webContents` [WebContents](web-contents.md)
 * `url` URL
 * `certificateList` [Objects]
-  * `data` PEM encoded data
-  * `issuerName` Issuer's Common Name
+  * `data` Buffer - PEM encoded data
+  * `issuerName` String - Issuer's Common Name
 * `callback` Function

 Emitted when a client certificate is requested.
--- a/docs/api/session.md
+++ b/docs/api/session.md
@ -220,3 +220,34 @@ window.webContents.session.enableNetworkEmulation({offline: true});

 Disables any network emulation already active for the `session`. Resets to
 the original network configuration.
+
+### `session.setCertificateVerifier(handler)`
+
+* `handler` Function
+  * `hostname` String
+  * `certificate` Object
+    * `data` Buffer - PEM encoded data
+    * `issuerName` String
+  * `callback` Function
+
+Sets the certificate verifier for the `session`, will be called
+whenever a server certificate verification is requested by the
+network layer with `hostname`, `certificate` and `callback`.
+`callback` should be called with a boolean response to
+indicate continuation or cancellation of the request.
+
+```js
+var handler = function(hostname, certificate, callback) {
+  if (hostname == "github.com") {
+    // verification logic
+    callback(true)
+  }
+  callback(false)
+}
+
+window.webContents.session.setCertificateVerifier(handler)
+```
+
+### `session.removeCertificateVerifier()`
+
+Removes the certificate verifier provided for the `session`.
--- a/filenames.gypi
+++ b/filenames.gypi
@ -128,6 +128,8 @@
      'atom/browser/atom_download_manager_delegate.h',
      'atom/browser/atom_browser_main_parts.cc',
      'atom/browser/atom_browser_main_parts.h',
+      'atom/browser/atom_cert_verifier.cc',
+      'atom/browser/atom_cert_verifier.h',
      'atom/browser/atom_browser_main_parts_mac.mm',
      'atom/browser/atom_browser_main_parts_posix.cc',
      'atom/browser/atom_javascript_dialog_manager.cc',