web/session/session_certificate_policy_cache_impl.mm - chromium/src/ios - Git at Google

 // Copyright 2017 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 #import "ios/web/session/session_certificate_policy_cache_impl.h"

 #include "base/bind.h"
 #include "base/task/post_task.h"
 #include "ios/web/public/browser_state.h"
 #include "ios/web/public/security/certificate_policy_cache.h"
 #import "ios/web/public/session/crw_session_certificate_policy_cache_storage.h"
 #include "ios/web/public/thread/web_task_traits.h"
 #include "ios/web/public/thread/web_thread.h"
 #include "net/cert/x509_util.h"
 #include "net/cert/x509_util_ios.h"

 #if !defined(__has_feature) || !__has_feature(objc_arc)
 #error "This file requires ARC support."
 #endif

 // Break if CertStatus values changed, as they are persisted on disk and thus
 // must be consistent.
 static_assert(net::CERT_STATUS_ALL_ERRORS == 0xFF00FFFF,
               "The value of CERT_STATUS_ALL_ERRORS changed!");
 static_assert(net::CERT_STATUS_COMMON_NAME_INVALID == 1 << 0,
               "The value of CERT_STATUS_COMMON_NAME_INVALID changed!");
 static_assert(net::CERT_STATUS_DATE_INVALID == 1 << 1,
               "The value of CERT_STATUS_DATE_INVALID changed!");
 static_assert(net::CERT_STATUS_AUTHORITY_INVALID == 1 << 2,
               "The value of CERT_STATUS_AUTHORITY_INVALID changed!");
 static_assert(net::CERT_STATUS_NO_REVOCATION_MECHANISM == 1 << 4,
               "The value of CERT_STATUS_NO_REVOCATION_MECHANISM changed!");
 static_assert(net::CERT_STATUS_UNABLE_TO_CHECK_REVOCATION == 1 << 5,
               "The value of CERT_STATUS_UNABLE_TO_CHECK_REVOCATION changed!");
 static_assert(net::CERT_STATUS_REVOKED == 1 << 6,
               "The value of CERT_STATUS_REVOKED changed!");
 static_assert(net::CERT_STATUS_INVALID == 1 << 7,
               "The value of CERT_STATUS_INVALID changed!");
 static_assert(net::CERT_STATUS_WEAK_SIGNATURE_ALGORITHM == 1 << 8,
               "The value of CERT_STATUS_WEAK_SIGNATURE_ALGORITHM changed!");
 static_assert(net::CERT_STATUS_NON_UNIQUE_NAME == 1 << 10,
               "The value of CERT_STATUS_NON_UNIQUE_NAME changed!");
 static_assert(net::CERT_STATUS_WEAK_KEY == 1 << 11,
               "The value of CERT_STATUS_WEAK_KEY changed!");
 static_assert(net::CERT_STATUS_IS_EV == 1 << 16,
               "The value of CERT_STATUS_IS_EV changed!");
 static_assert(net::CERT_STATUS_REV_CHECKING_ENABLED == 1 << 17,
               "The value of CERT_STATUS_REV_CHECKING_ENABLED changed!");

 namespace web {

 SessionCertificatePolicyCacheImpl::SessionCertificatePolicyCacheImpl(
     BrowserState* browser_state)
     : SessionCertificatePolicyCache(browser_state),
       allowed_certs_([[NSMutableSet alloc] init]) {}

 SessionCertificatePolicyCacheImpl::~SessionCertificatePolicyCacheImpl() {}

 void SessionCertificatePolicyCacheImpl::UpdateCertificatePolicyCache(
     const scoped_refptr<web::CertificatePolicyCache>& cache) const {
   DCHECK_CURRENTLY_ON(WebThread::UI);
   DCHECK(cache.get());
   NSSet* allowed_certs = [NSSet setWithSet:allowed_certs_];
   const scoped_refptr<CertificatePolicyCache> cache_copy = cache;
   base::PostTask(FROM_HERE, {WebThread::IO}, base::BindOnce(^{
                    for (CRWSessionCertificateStorage* cert in allowed_certs) {
                      cache_copy->AllowCertForHost(cert.certificate, cert.host,
                                                   cert.status);
                    }
                  }));
 }

 void SessionCertificatePolicyCacheImpl::RegisterAllowedCertificate(
     scoped_refptr<net::X509Certificate> certificate,
     const std::string& host,
     net::CertStatus status) {
   DCHECK_CURRENTLY_ON(WebThread::UI);
   // Store user decisions with the leaf cert, ignoring any intermediates.
   // This is because WKWebView returns the verified certificate chain in
   // |webView:didReceiveAuthenticationChallenge:completionHandler:|,
   // but the server-supplied chain in
   // |webView:didFailProvisionalNavigation:withError:|.
   if (!certificate->intermediate_buffers().empty()) {
     certificate = net::X509Certificate::CreateFromBuffer(
         bssl::UpRef(certificate->cert_buffer()), {});
     DCHECK(certificate);
   }
   DCHECK(certificate->intermediate_buffers().empty());

   [allowed_certs_ addObject:[[CRWSessionCertificateStorage alloc]
                                 initWithCertificate:certificate
                                                host:host
                                              status:status]];
   const scoped_refptr<CertificatePolicyCache> cache =
       GetCertificatePolicyCache();
   base::PostTask(
       FROM_HERE, {WebThread::IO},
       base::BindOnce(&CertificatePolicyCache::AllowCertForHost, cache,
                      base::RetainedRef(certificate.get()), host, status));
 }

 void SessionCertificatePolicyCacheImpl::SetAllowedCerts(NSSet* allowed_certs) {
   allowed_certs_ = [allowed_certs mutableCopy];
 }

 NSSet* SessionCertificatePolicyCacheImpl::GetAllowedCerts() const {
   return allowed_certs_;
 }

 }  // namespace web
	// Copyright 2017 The Chromium Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	#import "ios/web/session/session_certificate_policy_cache_impl.h"

	#include "base/bind.h"
	#include "base/task/post_task.h"
	#include "ios/web/public/browser_state.h"
	#include "ios/web/public/security/certificate_policy_cache.h"
	#import "ios/web/public/session/crw_session_certificate_policy_cache_storage.h"
	#include "ios/web/public/thread/web_task_traits.h"
	#include "ios/web/public/thread/web_thread.h"
	#include "net/cert/x509_util.h"
	#include "net/cert/x509_util_ios.h"

	#if !defined(__has_feature) \|\| !__has_feature(objc_arc)
	#error "This file requires ARC support."
	#endif

	// Break if CertStatus values changed, as they are persisted on disk and thus
	// must be consistent.
	static_assert(net::CERT_STATUS_ALL_ERRORS == 0xFF00FFFF,
	"The value of CERT_STATUS_ALL_ERRORS changed!");
	static_assert(net::CERT_STATUS_COMMON_NAME_INVALID == 1 << 0,
	"The value of CERT_STATUS_COMMON_NAME_INVALID changed!");
	static_assert(net::CERT_STATUS_DATE_INVALID == 1 << 1,
	"The value of CERT_STATUS_DATE_INVALID changed!");
	static_assert(net::CERT_STATUS_AUTHORITY_INVALID == 1 << 2,
	"The value of CERT_STATUS_AUTHORITY_INVALID changed!");
	static_assert(net::CERT_STATUS_NO_REVOCATION_MECHANISM == 1 << 4,
	"The value of CERT_STATUS_NO_REVOCATION_MECHANISM changed!");
	static_assert(net::CERT_STATUS_UNABLE_TO_CHECK_REVOCATION == 1 << 5,
	"The value of CERT_STATUS_UNABLE_TO_CHECK_REVOCATION changed!");
	static_assert(net::CERT_STATUS_REVOKED == 1 << 6,
	"The value of CERT_STATUS_REVOKED changed!");
	static_assert(net::CERT_STATUS_INVALID == 1 << 7,
	"The value of CERT_STATUS_INVALID changed!");
	static_assert(net::CERT_STATUS_WEAK_SIGNATURE_ALGORITHM == 1 << 8,
	"The value of CERT_STATUS_WEAK_SIGNATURE_ALGORITHM changed!");
	static_assert(net::CERT_STATUS_NON_UNIQUE_NAME == 1 << 10,
	"The value of CERT_STATUS_NON_UNIQUE_NAME changed!");
	static_assert(net::CERT_STATUS_WEAK_KEY == 1 << 11,
	"The value of CERT_STATUS_WEAK_KEY changed!");
	static_assert(net::CERT_STATUS_IS_EV == 1 << 16,
	"The value of CERT_STATUS_IS_EV changed!");
	static_assert(net::CERT_STATUS_REV_CHECKING_ENABLED == 1 << 17,
	"The value of CERT_STATUS_REV_CHECKING_ENABLED changed!");

	namespace web {

	SessionCertificatePolicyCacheImpl::SessionCertificatePolicyCacheImpl(
	BrowserState* browser_state)
	: SessionCertificatePolicyCache(browser_state),
	allowed_certs_([[NSMutableSet alloc] init]) {}

	SessionCertificatePolicyCacheImpl::~SessionCertificatePolicyCacheImpl() {}

	void SessionCertificatePolicyCacheImpl::UpdateCertificatePolicyCache(
	const scoped_refptr<web::CertificatePolicyCache>& cache) const {
	DCHECK_CURRENTLY_ON(WebThread::UI);
	DCHECK(cache.get());
	NSSet* allowed_certs = [NSSet setWithSet:allowed_certs_];
	const scoped_refptr<CertificatePolicyCache> cache_copy = cache;
	base::PostTask(FROM_HERE, {WebThread::IO}, base::BindOnce(^{
	for (CRWSessionCertificateStorage* cert in allowed_certs) {
	cache_copy->AllowCertForHost(cert.certificate, cert.host,
	cert.status);
	}
	}));
	}

	void SessionCertificatePolicyCacheImpl::RegisterAllowedCertificate(
	scoped_refptr<net::X509Certificate> certificate,
	const std::string& host,
	net::CertStatus status) {
	DCHECK_CURRENTLY_ON(WebThread::UI);
	// Store user decisions with the leaf cert, ignoring any intermediates.
	// This is because WKWebView returns the verified certificate chain in
	// \|webView:didReceiveAuthenticationChallenge:completionHandler:\|,
	// but the server-supplied chain in
	// \|webView:didFailProvisionalNavigation:withError:\|.
	if (!certificate->intermediate_buffers().empty()) {
	certificate = net::X509Certificate::CreateFromBuffer(
	bssl::UpRef(certificate->cert_buffer()), {});
	DCHECK(certificate);
	}
	DCHECK(certificate->intermediate_buffers().empty());

	[allowed_certs_ addObject:[[CRWSessionCertificateStorage alloc]
	initWithCertificate:certificate
	host:host
	status:status]];
	const scoped_refptr<CertificatePolicyCache> cache =
	GetCertificatePolicyCache();
	base::PostTask(
	FROM_HERE, {WebThread::IO},
	base::BindOnce(&CertificatePolicyCache::AllowCertForHost, cache,
	base::RetainedRef(certificate.get()), host, status));
	}

	void SessionCertificatePolicyCacheImpl::SetAllowedCerts(NSSet* allowed_certs) {
	allowed_certs_ = [allowed_certs mutableCopy];
	}

	NSSet* SessionCertificatePolicyCacheImpl::GetAllowedCerts() const {
	return allowed_certs_;
	}

	} // namespace web