Changeset 169655 in webkit

Timestamp:

Jun 6, 2014 12:04:10 PM (10 years ago)

Author:

mitz@apple.com

Message:

Source/WebCore: WebCore part of <rdar://problem/17095692> [iOS] Client-certificate authentication isn’t working
​https://bugs.webkit.org/show_bug.cgi?id=133527

Reviewed by Darin Adler.

• WebCore.exp.in: Exported some Credential member functions.

Source/WebKit2: <rdar://problem/17095692> [iOS] Client-certificate authentication isn’t working
​https://bugs.webkit.org/show_bug.cgi?id=133527

Reviewed by Darin Adler.

• Configurations/Network-iOS.entitlements: Enabled the Network process to access the keys

needed to create identities to authenticate with.

• Shared/WebCoreArgumentCoders.cpp:

(IPC::ArgumentCoder<Credential>::encode): Encode the credential type, and if it is a client
certificate, encode the identity and the certificates.
(IPC::ArgumentCoder<Credential>::decode): Decode the credential type. If it is a client
certificate, decode the identity and the certificates and use the proper Credential
constructor.

• Shared/cf/ArgumentCodersCF.cpp:

(IPC::typeFromCFTypeRef): Handle SecIdentityRef.
(IPC::encode): Encode an identity by encoding its certificate and a persistent reference to
its key.
(IPC::decode): Decode a certificate and a persistent reference to a key, find the key, and
create an identity.

• Shared/cf/ArgumentCodersCF.h:

Location:

trunk/Source

Files:

• WebCore/ChangeLog (modified) (1 diff)
• WebCore/WebCore.exp.in (modified) (2 diffs)
• WebKit2/ChangeLog (modified) (1 diff)
• WebKit2/Configurations/Network-iOS.entitlements (modified) (1 diff)
• WebKit2/Shared/WebCoreArgumentCoders.cpp (modified) (3 diffs)
• WebKit2/Shared/cf/ArgumentCodersCF.cpp (modified) (6 diffs)
• WebKit2/Shared/cf/ArgumentCodersCF.h (modified) (1 diff)

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2014-06-06  Dan Bernstein  <mitz@apple.com>
+
+        WebCore part of <rdar://problem/17095692> [iOS] Client-certificate authentication isn’t working
+        https://bugs.webkit.org/show_bug.cgi?id=133527
+
+        Reviewed by Darin Adler.
+
+        * WebCore.exp.in: Exported some Credential member functions.
+
 2014-06-06  Dean Jackson  <dino@apple.com>
 

trunk/Source/WebCore/WebCore.exp.in

@@ -72 +72 @@
 __ZN7WebCore10ClientRectC1ERKNS_9FloatRectE
 __ZN7WebCore10ClientRectC1Ev
+__ZN7WebCore10CredentialC1EP13__SecIdentityPK9__CFArrayNS_21CredentialPersistenceE
 __ZN7WebCore10CredentialC1ERKN3WTF6StringES4_NS_21CredentialPersistenceE
 __ZN7WebCore10CredentialC1Ev
@@ -1506 +1507 @@
 __ZNK7WebCore10Credential11hasPasswordEv
 __ZNK7WebCore10Credential11persistenceEv
+__ZNK7WebCore10Credential12certificatesEv
+__ZNK7WebCore10Credential4typeEv
 __ZNK7WebCore10Credential4userEv
 __ZNK7WebCore10Credential7isEmptyEv
+__ZNK7WebCore10Credential8identityEv
 __ZNK7WebCore10Credential8passwordEv
 __ZNK7WebCore10FloatPointcv7CGPointEv

trunk/Source/WebKit2/ChangeLog

@@ +1 @@
+2014-06-06  Dan Bernstein  <mitz@apple.com>
+
+        <rdar://problem/17095692> [iOS] Client-certificate authentication isn’t working
+        https://bugs.webkit.org/show_bug.cgi?id=133527
+
+        Reviewed by Darin Adler.
+
+        * Configurations/Network-iOS.entitlements: Enabled the Network process to access the keys
+        needed to create identities to authenticate with.
+
+        * Shared/WebCoreArgumentCoders.cpp:
+        (IPC::ArgumentCoder<Credential>::encode): Encode the credential type, and if it is a client
+        certificate, encode the identity and the certificates.
+        (IPC::ArgumentCoder<Credential>::decode): Decode the credential type. If it is a client
+        certificate, decode the identity and the certificates and use the proper Credential
+        constructor.
+
+        * Shared/cf/ArgumentCodersCF.cpp:
+        (IPC::typeFromCFTypeRef): Handle SecIdentityRef.
+        (IPC::encode): Encode an identity by encoding its certificate and a persistent reference to
+        its key.
+        (IPC::decode): Decode a certificate and a persistent reference to a key, find the key, and
+        create an identity.
+        * Shared/cf/ArgumentCodersCF.h:
+
 2014-06-05  Benjamin Poulain  <bpoulain@apple.com>
 

trunk/Source/WebKit2/Configurations/Network-iOS.entitlements

@@ -5 +5 @@
         <key>com.apple.private.network.socket-delegate</key>
         <true/>
+        <key>keychain-access-groups</key>
+        <array>
+                <string>com.apple.identities</string>
+        </array>
 </dict>
 </plist>

trunk/Source/WebKit2/Shared/WebCoreArgumentCoders.cpp

@@ -70 +70 @@
 #include <wtf/text/StringHash.h>
 
+#if PLATFORM(COCOA)
+#include "ArgumentCodersCF.h"
+#endif
+
 #if PLATFORM(IOS)
 #include <WebCore/FloatQuad.h>
@@ -468 +472 @@
 void ArgumentCoder<Credential>::encode(ArgumentEncoder& encoder, const Credential& credential)
 {
+#if CERTIFICATE_CREDENTIALS_SUPPORTED
+    encoder.encodeEnum(credential.type());
+
+    if (credential.type() == CredentialTypeClientCertificate) {
+        IPC::encode(encoder, credential.identity());
+
+        encoder << !!credential.certificates();
+        if (credential.certificates())
+            IPC::encode(encoder, credential.certificates());
+
+        encoder.encodeEnum(credential.persistence());
+        return;
+    }
+#endif
     encoder << credential.user() << credential.password();
+
     encoder.encodeEnum(credential.persistence());
 }
@@ -474 +493 @@
 bool ArgumentCoder<Credential>::decode(ArgumentDecoder& decoder, Credential& credential)
 {
+#if CERTIFICATE_CREDENTIALS_SUPPORTED
+    CredentialType type;
+
+    if (!decoder.decodeEnum(type))
+        return false;
+
+    if (type == CredentialTypeClientCertificate) {
+        RetainPtr<SecIdentityRef> identity;
+        if (!IPC::decode(decoder, identity))
+            return false;
+
+        bool hasCertificates;
+        if (!decoder.decode(hasCertificates))
+            return false;
+
+        RetainPtr<CFArrayRef> certificates;
+        if (hasCertificates) {
+            if (!IPC::decode(decoder, certificates))
+                return false;
+        }
+
+        CredentialPersistence persistence;
+        if (!decoder.decodeEnum(persistence))
+            return false;
+
+        credential = Credential(identity.get(), certificates.get(), persistence);
+        return true;
+    }
+#endif
+
     String user;
     if (!decoder.decode(user))

trunk/Source/WebKit2/Shared/cf/ArgumentCodersCF.cpp

@@ -37 +37 @@
 #endif
 
+#if defined(__has_include) && __has_include(<Security/SecIdentityPriv.h>)
+#include <Security/SecIdentityPriv.h>
+#endif
+
+extern "C" SecIdentityRef SecIdentityCreate(CFAllocatorRef allocator, SecCertificateRef certificate, SecKeyRef privateKey);
+
+#if defined(__has_include) && __has_include(<Security/SecKeyPriv.h>)
+#include <Security/SecKeyPriv.h>
+#endif
+
+extern "C" OSStatus SecKeyCopyPersistentRef(SecKeyRef key, CFDataRef* persistentRef);
+extern "C" OSStatus SecKeyFindWithPersistentRef(CFDataRef persistentRef, SecKeyRef* lookedUpData);
+
 using namespace WebCore;
 
@@ -58 +71 @@
     CFURL,
     SecCertificate,
+    SecIdentity,
 #if HAVE(SEC_KEYCHAIN)
     SecKeychainItem,
@@ -93 +107 @@
     if (typeID == SecCertificateGetTypeID())
         return SecCertificate;
+    if (typeID == SecIdentityGetTypeID())
+        return SecIdentity;
 #if HAVE(SEC_KEYCHAIN)
     if (typeID == SecKeychainItemGetTypeID())
@@ -136 +152 @@
     case SecCertificate:
         encode(encoder, (SecCertificateRef)typeRef);
+        return;
+    case SecIdentity:
+        encode(encoder, (SecIdentityRef)(typeRef));
         return;
 #if HAVE(SEC_KEYCHAIN)
@@ -222 +241 @@
             return false;
         result = adoptCF(certificate.leakRef());
+        return true;
+    }
+    case SecIdentity: {
+        RetainPtr<SecIdentityRef> identity;
+        if (!decode(decoder, identity))
+            return false;
+        result = adoptCF(identity.leakRef());
         return true;
     }
@@ -556 +582 @@
 }
 
+void encode(ArgumentEncoder& encoder, SecIdentityRef identity)
+{
+    SecCertificateRef certificate = nullptr;
+    SecIdentityCopyCertificate(identity, &certificate);
+    encode(encoder, certificate);
+    CFRelease(certificate);
+
+    SecKeyRef key = nullptr;
+    SecIdentityCopyPrivateKey(identity, &key);
+
+    CFDataRef keyData = nullptr;
+    SecKeyCopyPersistentRef(key, &keyData);
+    CFRelease(key);
+
+    encoder << !!keyData;
+    if (keyData) {
+        encode(encoder, keyData);
+        CFRelease(keyData);
+    }
+}
+
+bool decode(ArgumentDecoder& decoder, RetainPtr<SecIdentityRef>& result)
+{
+    RetainPtr<SecCertificateRef> certificate;
+    if (!decode(decoder, certificate))
+        return false;
+
+    bool hasKey;
+    if (!decoder.decode(hasKey))
+        return false;
+
+    if (!hasKey)
+        return true;
+
+    RetainPtr<CFDataRef> keyData;
+    if (!decode(decoder, keyData))
+        return false;
+
+    SecKeyRef key = nullptr;
+    SecKeyFindWithPersistentRef(keyData.get(), &key);
+    if (key) {
+        result = adoptCF(SecIdentityCreate(kCFAllocatorDefault, certificate.get(), key));
+        CFRelease(key);
+    }
+
+    return true;
+}
+
 #if HAVE(SEC_KEYCHAIN)
 void encode(ArgumentEncoder& encoder, SecKeychainItemRef keychainItem)

trunk/Source/WebKit2/Shared/cf/ArgumentCodersCF.h

@@ -79 +79 @@
 bool decode(ArgumentDecoder&, RetainPtr<SecCertificateRef>& result);
 
+// SecIdentityRef
+void encode(ArgumentEncoder&, SecIdentityRef);
+bool decode(ArgumentDecoder&, RetainPtr<SecIdentityRef>& result);
+
 #if HAVE(SEC_KEYCHAIN)
 // SecKeychainItemRef