diff options
author | Allan Sandfeld Jensen <allan.jensen@theqtcompany.com> | 2016-02-23 15:24:46 +0100 |
---|---|---|
committer | Allan Sandfeld Jensen <allan.jensen@theqtcompany.com> | 2016-02-23 15:59:06 +0000 |
commit | 53944320a5e82943c3dfe11e74890f4928a15a47 (patch) | |
tree | 95e295c2cfe4d4de1990848e113236517216d1ca /src | |
parent | f0ae944eaed5e551fd680bd0126f0f500faab432 (diff) |
Implement SSLHostStateDelegate
This class was introduced to track accepted certificate errors.
Our lack of implementation caused a regression in certificate error
handling.
Task-number: QTBUG-51319
Change-Id: Idf3314fd17a5f9cb13a4513a3ccdb40954519c0d
Reviewed-by: Michael BrĂ¼ning <michael.bruning@theqtcompany.com>
Diffstat (limited to 'src')
-rw-r--r-- | src/core/browser_context_qt.cpp | 5 | ||||
-rw-r--r-- | src/core/browser_context_qt.h | 2 | ||||
-rw-r--r-- | src/core/core_gyp_generator.pro | 2 | ||||
-rw-r--r-- | src/core/ssl_host_state_delegate_qt.cpp | 135 | ||||
-rw-r--r-- | src/core/ssl_host_state_delegate_qt.h | 80 |
5 files changed, 223 insertions, 1 deletions
diff --git a/src/core/browser_context_qt.cpp b/src/core/browser_context_qt.cpp index d21f963a9..902af8af9 100644 --- a/src/core/browser_context_qt.cpp +++ b/src/core/browser_context_qt.cpp @@ -41,6 +41,7 @@ #include "permission_manager_qt.h" #include "qtwebenginecoreglobal_p.h" #include "resource_context_qt.h" +#include "ssl_host_state_delegate_qt.h" #include "type_conversion.h" #include "url_request_context_getter_qt.h" @@ -132,7 +133,9 @@ content::PushMessagingService *BrowserContextQt::GetPushMessagingService() content::SSLHostStateDelegate* BrowserContextQt::GetSSLHostStateDelegate() { - return 0; + if (!sslHostStateDelegate) + sslHostStateDelegate.reset(new SSLHostStateDelegateQt(m_adapter)); + return sslHostStateDelegate.get(); } scoped_ptr<content::ZoomLevelDelegate> BrowserContextQt::CreateZoomLevelDelegate(const base::FilePath&) diff --git a/src/core/browser_context_qt.h b/src/core/browser_context_qt.h index 9deb42b56..ba6e1dce1 100644 --- a/src/core/browser_context_qt.h +++ b/src/core/browser_context_qt.h @@ -48,6 +48,7 @@ namespace QtWebEngineCore { class BrowserContextAdapter; class PermissionManagerQt; +class SSLHostStateDelegateQt; class URLRequestContextGetterQt; class BrowserContextQt : public content::BrowserContext @@ -84,6 +85,7 @@ private: scoped_ptr<content::ResourceContext> resourceContext; scoped_refptr<URLRequestContextGetterQt> url_request_getter_; scoped_ptr<PermissionManagerQt> permissionManager; + scoped_ptr<SSLHostStateDelegateQt> sslHostStateDelegate; BrowserContextAdapter *m_adapter; friend class BrowserContextAdapter; diff --git a/src/core/core_gyp_generator.pro b/src/core/core_gyp_generator.pro index 0685abd7e..e018c010f 100644 --- a/src/core/core_gyp_generator.pro +++ b/src/core/core_gyp_generator.pro @@ -77,6 +77,7 @@ SOURCES = \ resource_bundle_qt.cpp \ resource_context_qt.cpp \ resource_dispatcher_host_delegate_qt.cpp \ + ssl_host_state_delegate_qt.cpp \ stream_video_node.cpp \ surface_factory_qt.cpp \ url_request_context_getter_qt.cpp \ @@ -149,6 +150,7 @@ HEADERS = \ renderer/web_channel_ipc_transport.h \ resource_context_qt.h \ resource_dispatcher_host_delegate_qt.h \ + ssl_host_state_delegate_qt.h \ stream_video_node.h \ surface_factory_qt.h \ type_conversion.h \ diff --git a/src/core/ssl_host_state_delegate_qt.cpp b/src/core/ssl_host_state_delegate_qt.cpp new file mode 100644 index 000000000..cf17b944c --- /dev/null +++ b/src/core/ssl_host_state_delegate_qt.cpp @@ -0,0 +1,135 @@ +/**************************************************************************** +** +** Copyright (C) 2016 The Qt Company Ltd. +** Contact: http://www.qt.io/licensing/ +** +** This file is part of the QtWebEngine module of the Qt Toolkit. +** +** $QT_BEGIN_LICENSE:LGPL$ +** Commercial License Usage +** Licensees holding valid commercial Qt licenses may use this file in +** accordance with the commercial license agreement provided with the +** Software or, alternatively, in accordance with the terms contained in +** a written agreement between you and The Qt Company. For licensing terms +** and conditions see http://www.qt.io/terms-conditions. For further +** information use the contact form at http://www.qt.io/contact-us. +** +** GNU Lesser General Public License Usage +** Alternatively, this file may be used under the terms of the GNU Lesser +** General Public License version 3 as published by the Free Software +** Foundation and appearing in the file LICENSE.LGPLv3 included in the +** packaging of this file. Please review the following information to +** ensure the GNU Lesser General Public License version 3 requirements +** will be met: https://www.gnu.org/licenses/lgpl.html. +** +** GNU General Public License Usage +** Alternatively, this file may be used under the terms of the GNU +** General Public License version 2.0 or later as published by the Free +** Software Foundation and appearing in the file LICENSE.GPL included in +** the packaging of this file. Please review the following information to +** ensure the GNU General Public License version 2.0 requirements will be +** met: http://www.gnu.org/licenses/gpl-2.0.html. +** +** $QT_END_LICENSE$ +** +****************************************************************************/ + +#include "ssl_host_state_delegate_qt.h" + +#include "type_conversion.h" + +namespace QtWebEngineCore { + +// Mirrors implementation in aw_ssl_host_state_delegate.cc + +static net::SHA256HashValue getChainFingerprint256(const net::X509Certificate &cert) +{ + net::SHA256HashValue fingerprint = + net::X509Certificate::CalculateChainFingerprint256(cert.os_cert_handle(), cert.GetIntermediateCertificates()); + return fingerprint; +} + +CertPolicy::CertPolicy() +{ +} + +CertPolicy::~CertPolicy() +{ +} + +bool CertPolicy::Check(const net::X509Certificate& cert, net::CertStatus error) const +{ + net::SHA256HashValue fingerprint = getChainFingerprint256(cert); + auto allowed_iter = m_allowed.find(fingerprint); + if ((allowed_iter != m_allowed.end()) && (allowed_iter->second & error) && ((allowed_iter->second & error) == error)) + return true; + return false; +} + +void CertPolicy::Allow(const net::X509Certificate& cert, net::CertStatus error) +{ + net::SHA256HashValue fingerprint = getChainFingerprint256(cert); + m_allowed[fingerprint] |= error; +} + +SSLHostStateDelegateQt::SSLHostStateDelegateQt(BrowserContextAdapter *contextAdapter) + : m_contextAdapter(contextAdapter) +{ +} + +SSLHostStateDelegateQt::~SSLHostStateDelegateQt() +{ +} + +void SSLHostStateDelegateQt::AllowCert(const std::string &host, const net::X509Certificate &cert, net::CertStatus error) +{ + m_certPolicyforHost[host].Allow(cert, error); +} + +// Clear all allow preferences. +void SSLHostStateDelegateQt::Clear() +{ + m_certPolicyforHost.clear(); +} + +// Queries whether |cert| is allowed for |host| and |error|. Returns true in +// |expired_previous_decision| if a previous user decision expired immediately +// prior to this query, otherwise false. +content::SSLHostStateDelegate::CertJudgment SSLHostStateDelegateQt::QueryPolicy( + const std::string &host, const net::X509Certificate &cert, + net::CertStatus error,bool *expired_previous_decision) +{ + return m_certPolicyforHost[host].Check(cert, error) ? SSLHostStateDelegate::ALLOWED : SSLHostStateDelegate::DENIED; +} + +// Records that a host has run insecure content. +void SSLHostStateDelegateQt::HostRanInsecureContent(const std::string &host, int pid) +{ +} + +// Returns whether the specified host ran insecure content. +bool SSLHostStateDelegateQt::DidHostRunInsecureContent(const std::string &host, int pid) const +{ + return false; +} + +// Revokes all SSL certificate error allow exceptions made by the user for +// |host|. +void SSLHostStateDelegateQt::RevokeUserAllowExceptions(const std::string &host) +{ + m_certPolicyforHost.erase(host); +} + +// Returns whether the user has allowed a certificate error exception for +// |host|. This does not mean that *all* certificate errors are allowed, just +// that there exists an exception. To see if a particular certificate and +// error combination exception is allowed, use QueryPolicy(). +bool SSLHostStateDelegateQt::HasAllowException(const std::string &host) const +{ + auto policy_iterator = m_certPolicyforHost.find(host); + return policy_iterator != m_certPolicyforHost.end() && + policy_iterator->second.HasAllowException(); +} + + +} // namespace QtWebEngineCore diff --git a/src/core/ssl_host_state_delegate_qt.h b/src/core/ssl_host_state_delegate_qt.h new file mode 100644 index 000000000..7c91fcb2d --- /dev/null +++ b/src/core/ssl_host_state_delegate_qt.h @@ -0,0 +1,80 @@ +/**************************************************************************** +** +** Copyright (C) 2016 The Qt Company Ltd. +** Contact: http://www.qt.io/licensing/ +** +** This file is part of the QtWebEngine module of the Qt Toolkit. +** +** $QT_BEGIN_LICENSE:LGPL$ +** Commercial License Usage +** Licensees holding valid commercial Qt licenses may use this file in +** accordance with the commercial license agreement provided with the +** Software or, alternatively, in accordance with the terms contained in +** a written agreement between you and The Qt Company. For licensing terms +** and conditions see http://www.qt.io/terms-conditions. For further +** information use the contact form at http://www.qt.io/contact-us. +** +** GNU Lesser General Public License Usage +** Alternatively, this file may be used under the terms of the GNU Lesser +** General Public License version 3 as published by the Free Software +** Foundation and appearing in the file LICENSE.LGPLv3 included in the +** packaging of this file. Please review the following information to +** ensure the GNU Lesser General Public License version 3 requirements +** will be met: https://www.gnu.org/licenses/lgpl.html. +** +** GNU General Public License Usage +** Alternatively, this file may be used under the terms of the GNU +** General Public License version 2.0 or later as published by the Free +** Software Foundation and appearing in the file LICENSE.GPL included in +** the packaging of this file. Please review the following information to +** ensure the GNU General Public License version 2.0 requirements will be +** met: http://www.gnu.org/licenses/gpl-2.0.html. +** +** $QT_END_LICENSE$ +** +****************************************************************************/ + +#ifndef SSL_HOST_STATE_DELEGATE_QT_H +#define SSL_HOST_STATE_DELEGATE_QT_H + +#include "content/public/browser/ssl_host_state_delegate.h" +#include "browser_context_adapter.h" + +namespace QtWebEngineCore { + +class CertPolicy { +public: + CertPolicy(); + ~CertPolicy(); + bool Check(const net::X509Certificate& cert, net::CertStatus error) const; + void Allow(const net::X509Certificate& cert, net::CertStatus error); + bool HasAllowException() const { return m_allowed.size() > 0; } + +private: + std::map<net::SHA256HashValue, net::CertStatus, net::SHA256HashValueLessThan> m_allowed; +}; + +class SSLHostStateDelegateQt : public content::SSLHostStateDelegate { + +public: + SSLHostStateDelegateQt(BrowserContextAdapter *); + ~SSLHostStateDelegateQt(); + + // content::SSLHostStateDelegate implementation: + virtual void AllowCert(const std::string &, const net::X509Certificate &cert, net::CertStatus error) override; + virtual void Clear() override; + virtual CertJudgment QueryPolicy(const std::string &host, const net::X509Certificate &cert, + net::CertStatus error,bool *expired_previous_decision) override; + virtual void HostRanInsecureContent(const std::string &host, int pid) override; + virtual bool DidHostRunInsecureContent(const std::string &host, int pid) const override; + virtual void RevokeUserAllowExceptions(const std::string &host) override; + virtual bool HasAllowException(const std::string &host) const override; + +private: + BrowserContextAdapter *m_contextAdapter; + std::map<std::string, CertPolicy> m_certPolicyforHost; +}; + +} // namespace QtWebEngineCore + +#endif // SSL_HOST_STATE_DELEGATE_QT_H |