session: api to allow handling certificate verification

2015-11-05 19:36:36 +05:30 · 2015-11-05 19:36:36 +05:30 · d072e61282
commit d072e61282
parent ce0167756e
14 changed files with 231 additions and 17 deletions
--- a/atom/browser/api/atom_api_app.cc
+++ b/atom/browser/api/atom_api_app.cc
@ -61,21 +61,6 @@ struct Converter<Browser::UserTask> {
 };
 #endif

-template<>
-struct Converter<scoped_refptr<net::X509Certificate>> {
-  static v8::Local<v8::Value> ToV8(
-      v8::Isolate* isolate,
-      const scoped_refptr<net::X509Certificate>& val) {
-    mate::Dictionary dict(isolate, v8::Object::New(isolate));
-    std::string encoded_data;
-    net::X509Certificate::GetPEMEncoded(
-        val->os_cert_handle(), &encoded_data);
-    dict.Set("data", encoded_data);
-    dict.Set("issuerName", val->issuer().GetDisplayName());
-    return dict.GetHandle();
-  }
-};
-
 }  // namespace mate


--- a/atom/browser/api/atom_api_session.cc
+++ b/atom/browser/api/atom_api_session.cc
@ -13,9 +13,11 @@
 #include "atom/browser/api/save_page_handler.h"
 #include "atom/browser/atom_browser_context.h"
 #include "atom/browser/atom_browser_main_parts.h"
+#include "atom/browser/browser.h"
 #include "atom/common/native_mate_converters/callback.h"
 #include "atom/common/native_mate_converters/gurl_converter.h"
 #include "atom/common/native_mate_converters/file_path_converter.h"
+#include "atom/common/native_mate_converters/net_converter.h"
 #include "atom/common/node_includes.h"
 #include "base/files/file_path.h"
 #include "base/prefs/pref_service.h"
@ -365,6 +367,7 @@ v8::Local<v8::Value> Session::Cookies(v8::Isolate* isolate) {

 mate::ObjectTemplateBuilder Session::GetObjectTemplateBuilder(
    v8::Isolate* isolate) {
+  auto browser = base::Unretained(Browser::Get());
  return mate::ObjectTemplateBuilder(isolate)
      .SetMethod("resolveProxy", &Session::ResolveProxy)
      .SetMethod("clearCache", &Session::ClearCache)
@ -373,6 +376,10 @@ mate::ObjectTemplateBuilder Session::GetObjectTemplateBuilder(
      .SetMethod("setDownloadPath", &Session::SetDownloadPath)
      .SetMethod("enableNetworkEmulation", &Session::EnableNetworkEmulation)
      .SetMethod("disableNetworkEmulation", &Session::DisableNetworkEmulation)
+      .SetMethod("setCertificateVerifier",
+                 base::Bind(&Browser::SetCertificateVerifier, browser))
+      .SetMethod("removeCertificateVerifier",
+                 base::Bind(&Browser::RemoveCertificateVerifier, browser))
      .SetProperty("cookies", &Session::Cookies);
 }

--- a/atom/browser/atom_browser_context.cc
+++ b/atom/browser/atom_browser_context.cc
@ -5,6 +5,7 @@
 #include "atom/browser/atom_browser_context.h"

 #include "atom/browser/atom_browser_main_parts.h"
+#include "atom/browser/atom_cert_verifier.h"
 #include "atom/browser/atom_download_manager_delegate.h"
 #include "atom/browser/atom_ssl_config_service.h"
 #include "atom/browser/browser.h"
@ -158,6 +159,10 @@ content::BrowserPluginGuestManager* AtomBrowserContext::GetGuestManager() {
  return guest_manager_.get();
 }

+net::CertVerifier* AtomBrowserContext::CreateCertVerifier() {
+  return new AtomCertVerifier;
+}
+
 net::SSLConfigService* AtomBrowserContext::CreateSSLConfigService() {
  return new AtomSSLConfigService;
 }
--- a/atom/browser/atom_browser_context.h
+++ b/atom/browser/atom_browser_context.h
@ -27,6 +27,7 @@ class AtomBrowserContext : public brightray::BrowserContext {
      content::URLRequestInterceptorScopedVector* interceptors) override;
  net::HttpCache::BackendFactory* CreateHttpCacheBackendFactory(
      const base::FilePath& base_path) override;
+  net::CertVerifier* CreateCertVerifier() override;
  net::SSLConfigService* CreateSSLConfigService() override;
  bool AllowNTLMCredentialsForDomain(const GURL& auth_origin) override;

--- a/atom/browser/atom_cert_verifier.cc
+++ b/atom/browser/atom_cert_verifier.cc
@ -0,0 +1,84 @@
+// Copyright (c) 2015 GitHub, Inc.
+// Use of this source code is governed by the MIT license that can be
+// found in the LICENSE file.
+
+#include "atom/browser/atom_cert_verifier.h"
+
+#include "atom/browser/browser.h"
+#include "atom/common/native_mate_converters/net_converter.h"
+#include "content/public/browser/browser_thread.h"
+#include "net/base/net_errors.h"
+#include "net/cert/x509_certificate.h"
+
+using content::BrowserThread;
+
+namespace atom {
+
+namespace {
+
+void RunResult(const net::CompletionCallback& callback, bool success) {
+  DCHECK_CURRENTLY_ON(BrowserThread::UI);
+
+  int result = net::OK;
+  if (!success)
+    result = net::ERR_FAILED;
+
+  BrowserThread::PostTask(BrowserThread::IO, FROM_HERE,
+                          base::Bind(callback, result));
+}
+
+}  // namespace
+
+AtomCertVerifier::AtomCertVerifier() {
+  Browser::Get()->AddObserver(this);
+  default_cert_verifier_.reset(net::CertVerifier::CreateDefault());
+}
+
+AtomCertVerifier::~AtomCertVerifier() {
+  Browser::Get()->RemoveObserver(this);
+}
+
+int AtomCertVerifier::Verify(
+    net::X509Certificate* cert,
+    const std::string& hostname,
+    const std::string& ocsp_response,
+    int flags,
+    net::CRLSet* crl_set,
+    net::CertVerifyResult* verify_result,
+    const net::CompletionCallback& callback,
+    scoped_ptr<Request>* out_req,
+    const net::BoundNetLog& net_log) {
+  DCHECK_CURRENTLY_ON(BrowserThread::IO);
+
+  if (callback.is_null() || !verify_result || hostname.empty())
+    return net::ERR_INVALID_ARGUMENT;
+
+  if (!handler_.is_null()) {
+    BrowserThread::PostTask(BrowserThread::UI, FROM_HERE,
+                            base::Bind(handler_, hostname,
+                                       make_scoped_refptr(cert),
+                                       base::Bind(&RunResult, callback)));
+    return net::ERR_IO_PENDING;
+  }
+
+  return default_cert_verifier_->Verify(cert, hostname, ocsp_response,
+                                        flags, crl_set, verify_result,
+                                        callback, out_req, net_log);
+}
+
+bool AtomCertVerifier::SupportsOCSPStapling() {
+  if (handler_.is_null())
+    return default_cert_verifier_->SupportsOCSPStapling();
+  return false;
+}
+
+void AtomCertVerifier::OnSetCertificateVerifier(
+    const CertificateVerifier& handler) {
+  handler_ = handler;
+}
+
+void AtomCertVerifier::OnRemoveCertificateVerifier() {
+  handler_.Reset();
+}
+
+}  // namespace atom
--- a/atom/browser/atom_cert_verifier.h
+++ b/atom/browser/atom_cert_verifier.h
@ -0,0 +1,47 @@
+// Copyright (c) 2015 GitHub, Inc.
+// Use of this source code is governed by the MIT license that can be
+// found in the LICENSE file.
+
+#ifndef ATOM_BROWSER_ATOM_CERT_VERIFIER_H_
+#define ATOM_BROWSER_ATOM_CERT_VERIFIER_H_
+
+#include <string>
+
+#include "atom/browser/browser_observer.h"
+#include "net/cert/cert_verifier.h"
+
+namespace atom {
+
+class AtomCertVerifier : public net::CertVerifier,
+                         public BrowserObserver {
+ public:
+  AtomCertVerifier();
+  ~AtomCertVerifier() override;
+
+  // net::CertVerifier:
+  int Verify(net::X509Certificate* cert,
+             const std::string& hostname,
+             const std::string& ocsp_response,
+             int flags,
+             net::CRLSet* crl_set,
+             net::CertVerifyResult* verify_result,
+             const net::CompletionCallback& callback,
+             scoped_ptr<Request>* out_req,
+             const net::BoundNetLog& net_log) override;
+  bool SupportsOCSPStapling() override;
+
+ protected:
+  void OnSetCertificateVerifier(const CertificateVerifier& handler) override;
+  void OnRemoveCertificateVerifier() override;
+
+ private:
+  scoped_ptr<net::CertVerifier> default_cert_verifier_;
+
+  CertificateVerifier handler_;
+
+  DISALLOW_COPY_AND_ASSIGN(AtomCertVerifier);
+};
+
+}   // namespace atom
+
+#endif  // ATOM_BROWSER_ATOM_CERT_VERIFIER_H_
--- a/atom/browser/browser.cc
+++ b/atom/browser/browser.cc
@ -156,6 +156,16 @@ void Browser::RequestLogin(LoginHandler* login_handler) {
  FOR_EACH_OBSERVER(BrowserObserver, observers_, OnLogin(login_handler));
 }

+void Browser::SetCertificateVerifier(const CertificateVerifier& handler) {
+  FOR_EACH_OBSERVER(BrowserObserver,
+                    observers_,
+                    OnSetCertificateVerifier(handler));
+}
+
+void Browser::RemoveCertificateVerifier() {
+  FOR_EACH_OBSERVER(BrowserObserver, observers_, OnRemoveCertificateVerifier());
+}
+
 void Browser::NotifyAndShutdown() {
  if (is_shutdown_)
    return;
--- a/atom/browser/browser.h
+++ b/atom/browser/browser.h
@ -135,6 +135,10 @@ class Browser : public WindowListObserver {
  // Request basic auth login.
  void RequestLogin(LoginHandler* login_handler);

+  // Set.remove the ceritificate verifier provided by the user.
+  void SetCertificateVerifier(const CertificateVerifier& handler);
+  void RemoveCertificateVerifier();
+
  void AddObserver(BrowserObserver* obs) {
    observers_.AddObserver(obs);
  }
--- a/atom/browser/browser_observer.h
+++ b/atom/browser/browser_observer.h
@ -7,6 +7,7 @@

 #include <string>

+#include "base/callback.h"
 #include "base/memory/scoped_ptr.h"
 #include "content/public/browser/client_certificate_delegate.h"

@ -16,12 +17,19 @@ class WebContents;

 namespace net {
 class SSLCertRequestInfo;
+class X509Certificate;
 }

 namespace atom {

 class LoginHandler;

+// A callback specialisation used by AtomCertVerifier during verification.
+using CertificateVerifier =
+    base::Callback<void(const std::string&,
+                        scoped_refptr<net::X509Certificate>,
+                        const base::Callback<void(bool)>&)>;
+
 class BrowserObserver {
 public:
  // The browser is about to close all windows.
@ -62,6 +70,9 @@ class BrowserObserver {
  // The browser requests HTTP login.
  virtual void OnLogin(LoginHandler* login_handler) {}

+  virtual void OnSetCertificateVerifier(const CertificateVerifier& handler) {}
+  virtual void OnRemoveCertificateVerifier() {}
+
 protected:
  virtual ~BrowserObserver() {}
 };