session: api to allow handling certificate verification

atom/browser/api/atom_api_app.cc

@@ -61,21 +61,6 @@ struct Converter<Browser::UserTask> {
 };
 #endif
 
-template<>
-struct Converter<scoped_refptr<net::X509Certificate>> {
-  static v8::Local<v8::Value> ToV8(
-      v8::Isolate* isolate,
-      const scoped_refptr<net::X509Certificate>& val) {
-    mate::Dictionary dict(isolate, v8::Object::New(isolate));
-    std::string encoded_data;
-    net::X509Certificate::GetPEMEncoded(
-        val->os_cert_handle(), &encoded_data);
-    dict.Set("data", encoded_data);
-    dict.Set("issuerName", val->issuer().GetDisplayName());
-    return dict.GetHandle();
-  }
-};
-
 }  // namespace mate
 
 

atom/browser/api/atom_api_session.cc

@@ -13,9 +13,11 @@
 #include "atom/browser/api/save_page_handler.h"
 #include "atom/browser/atom_browser_context.h"
 #include "atom/browser/atom_browser_main_parts.h"
+#include "atom/browser/browser.h"
 #include "atom/common/native_mate_converters/callback.h"
 #include "atom/common/native_mate_converters/gurl_converter.h"
 #include "atom/common/native_mate_converters/file_path_converter.h"
+#include "atom/common/native_mate_converters/net_converter.h"
 #include "atom/common/node_includes.h"
 #include "base/files/file_path.h"
 #include "base/prefs/pref_service.h"
@@ -365,6 +367,7 @@ v8::Local<v8::Value> Session::Cookies(v8::Isolate* isolate) {
 
 mate::ObjectTemplateBuilder Session::GetObjectTemplateBuilder(
     v8::Isolate* isolate) {
+  auto browser = base::Unretained(Browser::Get());
   return mate::ObjectTemplateBuilder(isolate)
       .SetMethod("resolveProxy", &Session::ResolveProxy)
       .SetMethod("clearCache", &Session::ClearCache)
@@ -373,6 +376,10 @@ mate::ObjectTemplateBuilder Session::GetObjectTemplateBuilder(
       .SetMethod("setDownloadPath", &Session::SetDownloadPath)
       .SetMethod("enableNetworkEmulation", &Session::EnableNetworkEmulation)
       .SetMethod("disableNetworkEmulation", &Session::DisableNetworkEmulation)
+      .SetMethod("setCertificateVerifier",
+                 base::Bind(&Browser::SetCertificateVerifier, browser))
+      .SetMethod("removeCertificateVerifier",
+                 base::Bind(&Browser::RemoveCertificateVerifier, browser))
       .SetProperty("cookies", &Session::Cookies);
 }
 

atom/browser/atom_browser_context.cc

@@ -5,6 +5,7 @@
 #include "atom/browser/atom_browser_context.h"
 
 #include "atom/browser/atom_browser_main_parts.h"
+#include "atom/browser/atom_cert_verifier.h"
 #include "atom/browser/atom_download_manager_delegate.h"
 #include "atom/browser/atom_ssl_config_service.h"
 #include "atom/browser/browser.h"
@@ -158,6 +159,10 @@ content::BrowserPluginGuestManager* AtomBrowserContext::GetGuestManager() {
   return guest_manager_.get();
 }
 
+net::CertVerifier* AtomBrowserContext::CreateCertVerifier() {
+  return new AtomCertVerifier;
+}
+
 net::SSLConfigService* AtomBrowserContext::CreateSSLConfigService() {
   return new AtomSSLConfigService;
 }

atom/browser/atom_browser_context.h

@@ -27,6 +27,7 @@ class AtomBrowserContext : public brightray::BrowserContext {
       content::URLRequestInterceptorScopedVector* interceptors) override;
   net::HttpCache::BackendFactory* CreateHttpCacheBackendFactory(
       const base::FilePath& base_path) override;
+  net::CertVerifier* CreateCertVerifier() override;
   net::SSLConfigService* CreateSSLConfigService() override;
   bool AllowNTLMCredentialsForDomain(const GURL& auth_origin) override;
 

atom/browser/atom_cert_verifier.cc

@@ -0,0 +1,84 @@
+// Copyright (c) 2015 GitHub, Inc.
+// Use of this source code is governed by the MIT license that can be
+// found in the LICENSE file.
+
+#include "atom/browser/atom_cert_verifier.h"
+
+#include "atom/browser/browser.h"
+#include "atom/common/native_mate_converters/net_converter.h"
+#include "content/public/browser/browser_thread.h"
+#include "net/base/net_errors.h"
+#include "net/cert/x509_certificate.h"
+
+using content::BrowserThread;
+
+namespace atom {
+
+namespace {
+
+void RunResult(const net::CompletionCallback& callback, bool success) {
+  DCHECK_CURRENTLY_ON(BrowserThread::UI);
+
+  int result = net::OK;
+  if (!success)
+    result = net::ERR_FAILED;
+
+  BrowserThread::PostTask(BrowserThread::IO, FROM_HERE,
+                          base::Bind(callback, result));
+}
+
+}  // namespace
+
+AtomCertVerifier::AtomCertVerifier() {
+  Browser::Get()->AddObserver(this);
+  default_cert_verifier_.reset(net::CertVerifier::CreateDefault());
+}
+
+AtomCertVerifier::~AtomCertVerifier() {
+  Browser::Get()->RemoveObserver(this);
+}
+
+int AtomCertVerifier::Verify(
+    net::X509Certificate* cert,
+    const std::string& hostname,
+    const std::string& ocsp_response,
+    int flags,
+    net::CRLSet* crl_set,
+    net::CertVerifyResult* verify_result,
+    const net::CompletionCallback& callback,
+    scoped_ptr<Request>* out_req,
+    const net::BoundNetLog& net_log) {
+  DCHECK_CURRENTLY_ON(BrowserThread::IO);
+
+  if (callback.is_null() || !verify_result || hostname.empty())
+    return net::ERR_INVALID_ARGUMENT;
+
+  if (!handler_.is_null()) {
+    BrowserThread::PostTask(BrowserThread::UI, FROM_HERE,
+                            base::Bind(handler_, hostname,
+                                       make_scoped_refptr(cert),
+                                       base::Bind(&RunResult, callback)));
+    return net::ERR_IO_PENDING;
+  }
+
+  return default_cert_verifier_->Verify(cert, hostname, ocsp_response,
+                                        flags, crl_set, verify_result,
+                                        callback, out_req, net_log);
+}
+
+bool AtomCertVerifier::SupportsOCSPStapling() {
+  if (handler_.is_null())
+    return default_cert_verifier_->SupportsOCSPStapling();
+  return false;
+}
+
+void AtomCertVerifier::OnSetCertificateVerifier(
+    const CertificateVerifier& handler) {
+  handler_ = handler;
+}
+
+void AtomCertVerifier::OnRemoveCertificateVerifier() {
+  handler_.Reset();
+}
+
+}  // namespace atom

atom/browser/atom_cert_verifier.h

@@ -0,0 +1,47 @@
+// Copyright (c) 2015 GitHub, Inc.
+// Use of this source code is governed by the MIT license that can be
+// found in the LICENSE file.
+
+#ifndef ATOM_BROWSER_ATOM_CERT_VERIFIER_H_
+#define ATOM_BROWSER_ATOM_CERT_VERIFIER_H_
+
+#include <string>
+
+#include "atom/browser/browser_observer.h"
+#include "net/cert/cert_verifier.h"
+
+namespace atom {
+
+class AtomCertVerifier : public net::CertVerifier,
+                         public BrowserObserver {
+ public:
+  AtomCertVerifier();
+  ~AtomCertVerifier() override;
+
+  // net::CertVerifier:
+  int Verify(net::X509Certificate* cert,
+             const std::string& hostname,
+             const std::string& ocsp_response,
+             int flags,
+             net::CRLSet* crl_set,
+             net::CertVerifyResult* verify_result,
+             const net::CompletionCallback& callback,
+             scoped_ptr<Request>* out_req,
+             const net::BoundNetLog& net_log) override;
+  bool SupportsOCSPStapling() override;
+
+ protected:
+  void OnSetCertificateVerifier(const CertificateVerifier& handler) override;
+  void OnRemoveCertificateVerifier() override;
+
+ private:
+  scoped_ptr<net::CertVerifier> default_cert_verifier_;
+
+  CertificateVerifier handler_;
+
+  DISALLOW_COPY_AND_ASSIGN(AtomCertVerifier);
+};
+
+}   // namespace atom
+
+#endif  // ATOM_BROWSER_ATOM_CERT_VERIFIER_H_

atom/browser/browser.cc

@@ -156,6 +156,16 @@ void Browser::RequestLogin(LoginHandler* login_handler) {
   FOR_EACH_OBSERVER(BrowserObserver, observers_, OnLogin(login_handler));
 }
 
+void Browser::SetCertificateVerifier(const CertificateVerifier& handler) {
+  FOR_EACH_OBSERVER(BrowserObserver,
+                    observers_,
+                    OnSetCertificateVerifier(handler));
+}
+
+void Browser::RemoveCertificateVerifier() {
+  FOR_EACH_OBSERVER(BrowserObserver, observers_, OnRemoveCertificateVerifier());
+}
+
 void Browser::NotifyAndShutdown() {
   if (is_shutdown_)
     return;

atom/browser/browser.h

@@ -135,6 +135,10 @@ class Browser : public WindowListObserver {
   // Request basic auth login.
   void RequestLogin(LoginHandler* login_handler);
 
+  // Set.remove the ceritificate verifier provided by the user.
+  void SetCertificateVerifier(const CertificateVerifier& handler);
+  void RemoveCertificateVerifier();
+
   void AddObserver(BrowserObserver* obs) {
     observers_.AddObserver(obs);
   }

atom/browser/browser_observer.h

@@ -7,6 +7,7 @@
 
 #include <string>
 
+#include "base/callback.h"
 #include "base/memory/scoped_ptr.h"
 #include "content/public/browser/client_certificate_delegate.h"
 
@@ -16,12 +17,19 @@ class WebContents;
 
 namespace net {
 class SSLCertRequestInfo;
+class X509Certificate;
 }
 
 namespace atom {
 
 class LoginHandler;
 
+// A callback specialisation used by AtomCertVerifier during verification.
+using CertificateVerifier =
+    base::Callback<void(const std::string&,
+                        scoped_refptr<net::X509Certificate>,
+                        const base::Callback<void(bool)>&)>;
+
 class BrowserObserver {
  public:
   // The browser is about to close all windows.
@@ -62,6 +70,9 @@ class BrowserObserver {
   // The browser requests HTTP login.
   virtual void OnLogin(LoginHandler* login_handler) {}
 
+  virtual void OnSetCertificateVerifier(const CertificateVerifier& handler) {}
+  virtual void OnRemoveCertificateVerifier() {}
+
  protected:
   virtual ~BrowserObserver() {}
 };

atom/common/native_mate_converters/net_converter.cc

@@ -4,7 +4,11 @@
 
 #include "atom/common/native_mate_converters/net_converter.h"
 
+#include <string>
+
+#include "atom/common/node_includes.h"
 #include "native_mate/dictionary.h"
+#include "net/cert/x509_certificate.h"
 #include "net/url_request/url_request.h"
 
 namespace mate {
@@ -31,4 +35,19 @@ v8::Local<v8::Value> Converter<const net::AuthChallengeInfo*>::ToV8(
   return mate::ConvertToV8(isolate, dict);
 }
 
+// static
+v8::Local<v8::Value> Converter<scoped_refptr<net::X509Certificate>>::ToV8(
+    v8::Isolate* isolate, const scoped_refptr<net::X509Certificate>& val) {
+  mate::Dictionary dict(isolate, v8::Object::New(isolate));
+  std::string encoded_data;
+  net::X509Certificate::GetPEMEncoded(
+      val->os_cert_handle(), &encoded_data);
+  auto buffer = node::Buffer::Copy(isolate,
+                                   encoded_data.data(),
+                                   encoded_data.size()).ToLocalChecked();
+  dict.Set("data", buffer);
+  dict.Set("issuerName", val->issuer().GetDisplayName());
+  return dict.GetHandle();
+}
+
 }  // namespace mate

atom/common/native_mate_converters/net_converter.h

@@ -5,11 +5,13 @@
 #ifndef ATOM_COMMON_NATIVE_MATE_CONVERTERS_NET_CONVERTER_H_
 #define ATOM_COMMON_NATIVE_MATE_CONVERTERS_NET_CONVERTER_H_
 
+#include "base/memory/ref_counted.h"
 #include "native_mate/converter.h"
 
 namespace net {
 class AuthChallengeInfo;
 class URLRequest;
+class X509Certificate;
 }
 
 namespace mate {
@@ -26,6 +28,12 @@ struct Converter<const net::AuthChallengeInfo*> {
                                    const net::AuthChallengeInfo* val);
 };
 
+template<>
+struct Converter<scoped_refptr<net::X509Certificate>> {
+  static v8::Local<v8::Value> ToV8(v8::Isolate* isolate,
+      const scoped_refptr<net::X509Certificate>& val);
+};
+
 }  // namespace mate
 
 #endif  // ATOM_COMMON_NATIVE_MATE_CONVERTERS_NET_CONVERTER_H_

docs/api/app.md

@@ -139,8 +139,8 @@ Returns:
 * `webContents` [WebContents](web-contents.md)
 * `url` URL
 * `certificateList` [Objects]
-  * `data` PEM encoded data
+  * `data` Buffer - PEM encoded data
-  * `issuerName` Issuer's Common Name
+  * `issuerName` String - Issuer's Common Name
 * `callback` Function
 
 Emitted when a client certificate is requested.

docs/api/session.md

@@ -220,3 +220,34 @@ window.webContents.session.enableNetworkEmulation({offline: true});
 
 Disables any network emulation already active for the `session`. Resets to
 the original network configuration.
+
+### `session.setCertificateVerifier(handler)`
+
+* `handler` Function
+  * `hostname` String
+  * `certificate` Object
+    * `data` Buffer - PEM encoded data
+    * `issuerName` String
+  * `callback` Function
+
+Sets the certificate verifier for the `session`, will be called
+whenever a server certificate verification is requested by the
+network layer with `hostname`, `certificate` and `callback`.
+`callback` should be called with a boolean response to
+indicate continuation or cancellation of the request.
+
+```js
+var handler = function(hostname, certificate, callback) {
+  if (hostname == "github.com") {
+    // verification logic
+    callback(true)
+  }
+  callback(false)
+}
+
+window.webContents.session.setCertificateVerifier(handler)
+```
+
+### `session.removeCertificateVerifier()`
+
+Removes the certificate verifier provided for the `session`.

filenames.gypi

@@ -128,6 +128,8 @@
       'atom/browser/atom_download_manager_delegate.h',
       'atom/browser/atom_browser_main_parts.cc',
       'atom/browser/atom_browser_main_parts.h',
+      'atom/browser/atom_cert_verifier.cc',
+      'atom/browser/atom_cert_verifier.h',
       'atom/browser/atom_browser_main_parts_mac.mm',
       'atom/browser/atom_browser_main_parts_posix.cc',
       'atom/browser/atom_javascript_dialog_manager.cc',