diff options
author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2018-08-01 12:57:44 +0200 |
---|---|---|
committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2018-10-17 10:44:07 +0000 |
commit | 0b1025b8aea4aa0336671f7e908287d65490d120 (patch) | |
tree | 77c201fee93d3c184ce5b6b28d55fc01dc4a6d9e /src/core/profile_io_data_qt.cpp | |
parent | 7b886ab2cdfc94cc70477f51bd28961de52e989c (diff) |
Make it possible to enable OCSP on Linux
The code follows Chromium and also set a CertNetFetcher on both Linux
and macOS, but it appears to be currently unused.
[ChangeLog][QWebEngineProfile] A profile can now be designated to
download OCSP records and thus enable OCSP verification on Linux.
Task-number: QTBUG-58059
Task-number: QTBUG-71164
Change-Id: I84fd34d4351cb7aa4417ce4058f97bad4b8d0cd4
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
Diffstat (limited to 'src/core/profile_io_data_qt.cpp')
-rw-r--r-- | src/core/profile_io_data_qt.cpp | 69 |
1 files changed, 68 insertions, 1 deletions
diff --git a/src/core/profile_io_data_qt.cpp b/src/core/profile_io_data_qt.cpp index fdd9a881c..ad8c2a110 100644 --- a/src/core/profile_io_data_qt.cpp +++ b/src/core/profile_io_data_qt.cpp @@ -85,6 +85,15 @@ #include "resource_context_qt.h" #include "type_conversion.h" +#if defined(USE_NSS_CERTS) +#include "net/cert_net/nss_ocsp.h" +#endif + +#if defined(OS_LINUX) || defined(OS_MACOSX) +#include "net/cert/cert_net_fetcher.h" +#include "net/cert_net/cert_net_fetcher_impl.h" +#endif + namespace QtWebEngineCore { static const char* const kDefaultAuthSchemes[] = { net::kBasicAuthScheme, @@ -170,6 +179,16 @@ ProfileIODataQt::~ProfileIODataQt() { if (content::BrowserThread::IsThreadInitialized(content::BrowserThread::IO)) DCHECK_CURRENTLY_ON(content::BrowserThread::IO); + + if (m_useForGlobalCertificateVerification) { +#if defined(USE_NSS_CERTS) + net::SetURLRequestContextForNSSHttpIO(nullptr); +#endif +#if defined(OS_LINUX) ||defined(OS_MACOSX) + net::ShutdownGlobalCertNetFetcher(); +#endif + } + m_resourceContext.reset(); if (m_cookieDelegate) m_cookieDelegate->setCookieMonster(0); // this will let CookieMonsterDelegateQt be deleted @@ -212,6 +231,7 @@ void ProfileIODataQt::initializeOnIOThread() m_initialized = true; generateAllStorage(); generateJobFactory(); + setGlobalCertificateVerification(); } void ProfileIODataQt::initializeOnUIThread() @@ -254,6 +274,26 @@ void ProfileIODataQt::generateAllStorage() m_updateAllStorage = false; } +class SSLConfigServiceQt : public net::SSLConfigService { +public: + SSLConfigServiceQt() + { + // Enable revocation checking: + m_defaultConfig.rev_checking_enabled = true; + // Mirroring Android WebView (we have no beef with Symantec, and our users might use them): + m_defaultConfig.symantec_enforcement_disabled = true; + } + ~SSLConfigServiceQt() override = default; + + void GetSSLConfig(net::SSLConfig* config) override + { + *config = m_defaultConfig; + } + +private: + net::SSLConfig m_defaultConfig; +}; + void ProfileIODataQt::generateStorage() { Q_ASSERT(content::BrowserThread::CurrentlyOn(content::BrowserThread::IO)); @@ -297,7 +337,7 @@ void ProfileIODataQt::generateStorage() nullptr /* NetLog */, m_networkDelegate.get())); - m_storage->set_ssl_config_service(std::make_unique<net::SSLConfigServiceDefaults>()); + m_storage->set_ssl_config_service(std::make_unique<SSLConfigServiceQt>()); m_storage->set_transport_security_state(std::unique_ptr<net::TransportSecurityState>( new net::TransportSecurityState())); @@ -543,6 +583,21 @@ void ProfileIODataQt::regenerateJobFactory() } } +void ProfileIODataQt::setGlobalCertificateVerification() +{ + Q_ASSERT(content::BrowserThread::CurrentlyOn(content::BrowserThread::IO)); + QMutexLocker lock(&m_mutex); + if (m_useForGlobalCertificateVerification) { +#if defined(USE_NSS_CERTS) + // Set request context used by NSS for OCSP requests. + net::SetURLRequestContextForNSSHttpIO(m_urlRequestContext.get()); +#endif +#if defined(OS_LINUX) || defined(OS_MACOSX) + net::SetGlobalCertNetFetcher(net::CreateCertNetFetcher(m_urlRequestContext.get())); +#endif + } +} + void ProfileIODataQt::setRequestContextData(content::ProtocolHandlerMap *protocolHandlers, content::URLRequestInterceptorScopedVector request_interceptors) { @@ -565,6 +620,7 @@ void ProfileIODataQt::setFullConfiguration() m_httpCachePath = m_profileAdapter->httpCachePath(); m_httpCacheMaxSize = m_profileAdapter->httpCacheMaxSize(); m_customUrlSchemes = m_profileAdapter->customUrlSchemes(); + m_useForGlobalCertificateVerification = m_profileAdapter->isUsedForGlobalCertificateVerification(); } void ProfileIODataQt::updateStorageSettings() @@ -692,4 +748,15 @@ bool ProfileIODataQt::canGetCookies(const QUrl &firstPartyUrl, const QUrl &url) return m_cookieDelegate->canGetCookies(firstPartyUrl, url); } +void ProfileIODataQt::updateUsedForGlobalCertificateVerification() +{ + Q_ASSERT(content::BrowserThread::CurrentlyOn(content::BrowserThread::UI)); + QMutexLocker lock(&m_mutex); + m_useForGlobalCertificateVerification = m_profileAdapter->isUsedForGlobalCertificateVerification(); + + if (m_useForGlobalCertificateVerification) + content::BrowserThread::PostTask(content::BrowserThread::IO, FROM_HERE, + base::Bind(&ProfileIODataQt::setGlobalCertificateVerification, m_weakPtr)); +} + } // namespace QtWebEngineCore |