Changeset 181317 in webkit


Ignore:
Timestamp:
Mar 10, 2015 12:34:06 AM (9 years ago)
Author:
mitz@apple.com
Message:

Source/WebCore:
WebCore part of <rdar://problem/20086546> [Cocoa] Add an option to treat certificate chains with SHA1-signed certificates as insecure
https://bugs.webkit.org/show_bug.cgi?id=142461

Reviewed by Sam Weinig.

  • WebCore.xcodeproj/project.pbxproj: Added reference to SecuritySPI.h and sorted the

spi/cocoa group.

  • platform/network/cf/CertificateInfo.h: Declared new member function

containsNonRootSHA1SignedCertificate.

  • platform/network/mac/CertificateInfoMac.mm:

(WebCore::CertificateInfo::containsNonRootSHA1SignedCertificate): Added. Checks if any but
the last certificate in the chain uses SHA-1 as its signature hash algorithm.

  • platform/network/curl/CertificateInfo.h:

(WebCore::CertificateInfo::containsNonRootSHA1SignedCertificate): Added notImplemented
implementation.

  • platform/network/soup/CertificateInfo.h:

(WebCore::CertificateInfo::containsNonRootSHA1SignedCertificate): Ditto.

  • platform/spi/cocoa/SecuritySPI.h: Added.

Source/WebKit2:
WebKit2 part of <rdar://problem/20086546> [Cocoa] Add an option to treat certificate chains with SHA1-signed certificates as insecure
https://bugs.webkit.org/show_bug.cgi?id=142461

Reviewed by Sam Weinig.

  • UIProcess/API/Cocoa/WKWebView.mm:

(-[WKWebView initWithFrame:configuration:]): Initialize
webPageConfiguration.treatsSHA1SignedCertificatesAsInsecure from the WKWebViewConfiguration.

  • UIProcess/API/Cocoa/WKWebViewConfiguration.mm:

Added _treatsSHA1SignedCertificatesAsInsecure ivar.
(-[WKWebViewConfiguration copyWithZone:]): Copy _treatsSHA1SignedCertificatesAsInsecure.
(-[WKWebViewConfiguration _treatsSHA1SignedCertificatesAsInsecure]): Added this getter.
(-[WKWebViewConfiguration _setTreatsSHA1SignedCertificatesAsInsecure:]): Added this setter.

  • UIProcess/API/Cocoa/WKWebViewConfigurationPrivate.h: Declared new

_treatsSHA1SignedCertificatesAsInsecure property.

  • UIProcess/PageLoadState.cpp:

(WebKit::PageLoadState::didCommitLoad): Use new hasInsecureContent parameter to initialize
hasInsecureContent parameter in the uncommitted state.

  • UIProcess/PageLoadState.h:
  • UIProcess/WebPageProxy.cpp:

(WebKit::WebPageProxy::WebPageProxy): Initialize new m_treatsSHA1CertificatesAsInsecure
member variable from the WebPageConfiguration.
(WebKit::WebPageProxy::didCommitLoadForFrame): Pass true for the new hasInsecureContent to
PageLoadState::didCommitLoad if we are treating SHA1-signed certificates as insecure and
the certificate info contains a non-root SHA1-signed certificate.

  • UIProcess/WebPageProxy.h: Added m_treatsSHA1CertificatesAsInsecure member variable.
Location:
trunk/Source
Files:
1 added
14 edited

Legend:

Unmodified
Added
Removed
  • trunk/Source/WebCore/ChangeLog

    r181310 r181317  
     12015-03-10  Dan Bernstein  <mitz@apple.com>
     2
     3        WebCore part of <rdar://problem/20086546> [Cocoa] Add an option to treat certificate chains with SHA1-signed certificates as insecure
     4        https://bugs.webkit.org/show_bug.cgi?id=142461
     5
     6        Reviewed by Sam Weinig.
     7
     8        * WebCore.xcodeproj/project.pbxproj: Added reference to SecuritySPI.h and sorted the
     9        spi/cocoa group.
     10
     11        * platform/network/cf/CertificateInfo.h: Declared new member function
     12        containsNonRootSHA1SignedCertificate.
     13
     14        * platform/network/mac/CertificateInfoMac.mm:
     15        (WebCore::CertificateInfo::containsNonRootSHA1SignedCertificate): Added. Checks if any but
     16        the last certificate in the chain uses SHA-1 as its signature hash algorithm.
     17
     18        * platform/network/curl/CertificateInfo.h:
     19        (WebCore::CertificateInfo::containsNonRootSHA1SignedCertificate): Added notImplemented
     20        implementation.
     21
     22        * platform/network/soup/CertificateInfo.h:
     23        (WebCore::CertificateInfo::containsNonRootSHA1SignedCertificate): Ditto.
     24
     25        * platform/spi/cocoa/SecuritySPI.h: Added.
     26
    1272015-03-09  Chris Dumez  <cdumez@apple.com>
    228
  • trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj

    r181291 r181317  
    13261326                33D0212D131DB37B004091A8 /* CookieStorage.h in Headers */ = {isa = PBXBuildFile; fileRef = E13F01EA1270E10D00DFBA71 /* CookieStorage.h */; settings = {ATTRIBUTES = (Private, ); }; };
    13271327                3571883EEF618793751E4089 /* RenderMathMLMenclose.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 3662F984047CEDBE5DDDAFAA /* RenderMathMLMenclose.cpp */; };
     1328                3717833A1AACDCF7000910E3 /* SecuritySPI.h in Headers */ = {isa = PBXBuildFile; fileRef = 371783391AACDCF7000910E3 /* SecuritySPI.h */; };
    13281329                3717D7E817ECC591003C276D /* extract-localizable-strings.pl in Copy Scripts */ = {isa = PBXBuildFile; fileRef = 3717D7E517ECC3A6003C276D /* extract-localizable-strings.pl */; };
    13291330                371A67CB11C6C7DB00047B8B /* HyphenationCF.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 371A67CA11C6C7DB00047B8B /* HyphenationCF.cpp */; };
     
    84268427                339B5B62131DAA3200F48D02 /* CookiesStrategy.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = CookiesStrategy.h; sourceTree = "<group>"; };
    84278428                3662F984047CEDBE5DDDAFAA /* RenderMathMLMenclose.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = RenderMathMLMenclose.cpp; path = rendering/mathml/RenderMathMLMenclose.cpp; sourceTree = SOURCE_ROOT; };
     8429                371783391AACDCF7000910E3 /* SecuritySPI.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecuritySPI.h; sourceTree = "<group>"; };
    84288430                3717D7E517ECC3A6003C276D /* extract-localizable-strings.pl */ = {isa = PBXFileReference; lastKnownFileType = text.script.perl; path = "extract-localizable-strings.pl"; sourceTree = "<group>"; };
    84298431                371A67CA11C6C7DB00047B8B /* HyphenationCF.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = HyphenationCF.cpp; sourceTree = "<group>"; };
     
    1638816390                        isa = PBXGroup;
    1638916391                        children = (
     16392                                CD4097FF1A8C855F004C65E9 /* CFNSURLConnectionSPI.h */,
    1639016393                                1C5E980F1A02CEFA002DB55F /* CoreTextSPI.h */,
    1639116394                                CE12524A1A16C79B00864480 /* DispatchSPI.h */,
     
    1640316406                                CE1252521A1BEC0600864480 /* NSStringSPI.h */,
    1640416407                                CE1252541A1BEC0E00864480 /* NSURLDownloadSPI.h */,
    16405                                 CD4097FF1A8C855F004C65E9 /* CFNSURLConnectionSPI.h */,
    1640616408                                653EF83819A043AE0052202C /* NSURLFileTypeMappingsSPI.h */,
    1640716409                                CE12523C1A1676CD00864480 /* QuartzCoreSPI.h */,
     16410                                371783391AACDCF7000910E3 /* SecuritySPI.h */,
    1640816411                                CEC337AC1A46071F009B8523 /* ServersSPI.h */,
    1640916412                                A19D93451A9FEC7200B46C24 /* WebFilterEvaluatorSPI.h */,
     
    2380223805                                E1FE137518402A6700892F13 /* CommonCryptoUtilities.h in Headers */,
    2380323806                                37C236111097EE7700EF9F72 /* ComplexTextController.h in Headers */,
     23807                                3717833A1AACDCF7000910E3 /* SecuritySPI.h in Headers */,
    2380423808                                316FE1160E6E1DA700BF6088 /* CompositeAnimation.h in Headers */,
    2380523809                                93309DDD099E64920056E581 /* CompositeEditCommand.h in Headers */,
  • trunk/Source/WebCore/platform/network/cf/CertificateInfo.h

    r173423 r181317  
    4141    CFArrayRef certificateChain() const { return m_certificateChain.get(); }
    4242
     43    WEBCORE_EXPORT bool containsNonRootSHA1SignedCertificate() const;
     44
    4345#ifndef NDEBUG
    4446    void dump() const;
  • trunk/Source/WebCore/platform/network/curl/CertificateInfo.h

    r173465 r181317  
    2727#define CertificateInfo_h
    2828
     29#include "NotImplemented.h"
     30
    2931namespace WebCore {
    3032
     
    3335    CertificateInfo() { }
    3436
     37    bool containsNonRootSHA1SignedCertificate() const { notImplemented(); return false; }
    3538};
    3639
  • trunk/Source/WebCore/platform/network/mac/CertificateInfoMac.mm

    r173423 r181317  
    11/*
    2  * Copyright (C) 2010 Apple Inc. All rights reserved.
     2 * Copyright (C) 2010, 2015 Apple Inc. All rights reserved.
    33 *
    44 * Redistribution and use in source and binary forms, with or without
     
    2727#import "CertificateInfo.h"
    2828
     29#import "NotImplemented.h"
     30#import "SecuritySPI.h"
     31
    2932namespace WebCore {
     33
     34bool CertificateInfo::containsNonRootSHA1SignedCertificate() const
     35{
     36#if PLATFORM(IOS) && __IPHONE_OS_VERSION_MIN_REQUIRED >= 90000
     37    for (CFIndex i = 0, size = CFArrayGetCount(m_certificateChain.get()) - 1; i < size; ++i) {
     38        SecCertificateRef certificate = (SecCertificateRef)CFArrayGetValueAtIndex(m_certificateChain.get(), i);
     39        if (SecCertificateGetSignatureHashAlgorithm(certificate) == kSecSignatureHashAlgorithmSHA1)
     40            return true;
     41    }
     42    return false;
     43#else
     44    notImplemented();
     45    return false;
     46#endif
     47}
    3048
    3149#ifndef NDEBUG
  • trunk/Source/WebCore/platform/network/soup/CertificateInfo.h

    r160487 r181317  
    2828#define CertificateInfo_h
    2929
     30#include "NotImplemented.h"
    3031#include <libsoup/soup.h>
    3132#include <wtf/gobject/GRefPtr.h>
     
    4950    void setTLSErrors(GTlsCertificateFlags tlsErrors) { m_tlsErrors = tlsErrors; }
    5051
     52    bool containsNonRootSHA1SignedCertificate() const { notImplemented(); return false; }
     53
    5154private:
    5255    GRefPtr<GTlsCertificate> m_certificate;
  • trunk/Source/WebKit2/ChangeLog

    r181272 r181317  
     12015-03-10  Dan Bernstein  <mitz@apple.com>
     2
     3        WebKit2 part of <rdar://problem/20086546> [Cocoa] Add an option to treat certificate chains with SHA1-signed certificates as insecure
     4        https://bugs.webkit.org/show_bug.cgi?id=142461
     5
     6        Reviewed by Sam Weinig.
     7
     8        * UIProcess/API/Cocoa/WKWebView.mm:
     9        (-[WKWebView initWithFrame:configuration:]): Initialize
     10        webPageConfiguration.treatsSHA1SignedCertificatesAsInsecure from the WKWebViewConfiguration.
     11
     12        * UIProcess/API/Cocoa/WKWebViewConfiguration.mm:
     13        Added _treatsSHA1SignedCertificatesAsInsecure ivar.
     14        (-[WKWebViewConfiguration copyWithZone:]): Copy _treatsSHA1SignedCertificatesAsInsecure.
     15        (-[WKWebViewConfiguration _treatsSHA1SignedCertificatesAsInsecure]): Added this getter.
     16        (-[WKWebViewConfiguration _setTreatsSHA1SignedCertificatesAsInsecure:]): Added this setter.
     17
     18        * UIProcess/API/Cocoa/WKWebViewConfigurationPrivate.h: Declared new
     19        _treatsSHA1SignedCertificatesAsInsecure property.
     20
     21        * UIProcess/PageLoadState.cpp:
     22        (WebKit::PageLoadState::didCommitLoad): Use new hasInsecureContent parameter to initialize
     23        hasInsecureContent parameter in the uncommitted state.
     24        * UIProcess/PageLoadState.h:
     25
     26        * UIProcess/WebPageProxy.cpp:
     27        (WebKit::WebPageProxy::WebPageProxy): Initialize new m_treatsSHA1CertificatesAsInsecure
     28        member variable from the WebPageConfiguration.
     29        (WebKit::WebPageProxy::didCommitLoadForFrame): Pass true for the new hasInsecureContent to
     30        PageLoadState::didCommitLoad if we are treating SHA1-signed certificates as insecure and
     31        the certificate info contains a non-root SHA1-signed certificate.
     32        * UIProcess/WebPageProxy.h: Added m_treatsSHA1CertificatesAsInsecure member variable.
     33
    1342015-03-09  Geoffrey Garen  <ggaren@apple.com>
    235
  • trunk/Source/WebKit2/UIProcess/API/Cocoa/WKWebView.mm

    r180539 r181317  
    11/*
    2  * Copyright (C) 2014 Apple Inc. All rights reserved.
     2 * Copyright (C) 2014, 2015 Apple Inc. All rights reserved.
    33 *
    44 * Redistribution and use in source and binary forms, with or without
     
    292292    webPageConfiguration.websiteDataStore = &[_configuration _websiteDataStore]->_websiteDataStore->websiteDataStore();
    293293    webPageConfiguration.sessionID = webPageConfiguration.websiteDataStore->sessionID();
     294    webPageConfiguration.treatsSHA1SignedCertificatesAsInsecure = [_configuration _treatsSHA1SignedCertificatesAsInsecure];
    294295
    295296    RefPtr<WebKit::WebPageGroup> pageGroup;
  • trunk/Source/WebKit2/UIProcess/API/Cocoa/WKWebViewConfiguration.mm

    r178975 r181317  
    11/*
    2  * Copyright (C) 2014 Apple Inc. All rights reserved.
     2 * Copyright (C) 2014, 2015 Apple Inc. All rights reserved.
    33 *
    44 * Redistribution and use in source and binary forms, with or without
     
    8888    WebKit::WeakObjCPtr<WKWebView> _relatedWebView;
    8989    WebKit::WeakObjCPtr<WKWebView> _alternateWebViewForNavigationGestures;
     90    BOOL _treatsSHA1SignedCertificatesAsInsecure;
    9091    RetainPtr<NSString> _groupIdentifier;
    9192    LazyInitialized<RetainPtr<NSString>> _applicationNameForUserAgent;
     
    127128    configuration._relatedWebView = _relatedWebView.get().get();
    128129    configuration._alternateWebViewForNavigationGestures = _alternateWebViewForNavigationGestures.get().get();
     130    configuration->_treatsSHA1SignedCertificatesAsInsecure = _treatsSHA1SignedCertificatesAsInsecure;
    129131#if PLATFORM(IOS)
    130132    configuration._contentProviderRegistry = self._contentProviderRegistry;
     
    283285}
    284286
     287- (BOOL)_treatsSHA1SignedCertificatesAsInsecure
     288{
     289    return _treatsSHA1SignedCertificatesAsInsecure;
     290}
     291
     292- (void)_setTreatsSHA1SignedCertificatesAsInsecure:(BOOL)insecure
     293{
     294    _treatsSHA1SignedCertificatesAsInsecure = insecure;
     295}
     296
    285297#if PLATFORM(IOS)
    286298- (BOOL)_allowsAlternateFullscreen
  • trunk/Source/WebKit2/UIProcess/API/Cocoa/WKWebViewConfigurationPrivate.h

    r178975 r181317  
    11/*
    2  * Copyright (C) 2014 Apple Inc. All rights reserved.
     2 * Copyright (C) 2014, 2015 Apple Inc. All rights reserved.
    33 *
    44 * Redistribution and use in source and binary forms, with or without
     
    4343@property (nonatomic, weak, setter=_setAlternateWebViewForNavigationGestures:) WKWebView *_alternateWebViewForNavigationGestures;
    4444
     45@property (nonatomic, setter=_setTreatsSHA1SignedCertificatesAsInsecure:) BOOL _treatsSHA1SignedCertificatesAsInsecure WK_AVAILABLE(NA, WK_IOS_TBA);
     46
    4547#if TARGET_OS_IPHONE
    4648@property (nonatomic, setter=_setAllowsAlternateFullscreen:) BOOL _allowsAlternateFullscreen WK_AVAILABLE(NA, WK_IOS_TBA);
  • trunk/Source/WebKit2/UIProcess/PageLoadState.cpp

    r179599 r181317  
    11/*
    2  * Copyright (C) 2013 Apple Inc. All rights reserved.
     2 * Copyright (C) 2013-2015 Apple Inc. All rights reserved.
    33 *
    44 * Redistribution and use in source and binary forms, with or without
     
    268268}
    269269
    270 void PageLoadState::didCommitLoad(const Transaction::Token& token)
     270void PageLoadState::didCommitLoad(const Transaction::Token& token, bool hasInsecureContent)
    271271{
    272272    ASSERT_UNUSED(token, &token.m_pageLoadState == this);
     
    274274
    275275    m_uncommittedState.state = State::Committed;
    276     m_uncommittedState.hasInsecureContent = false;
     276    m_uncommittedState.hasInsecureContent = hasInsecureContent;
    277277
    278278    m_uncommittedState.url = m_uncommittedState.provisionalURL;
  • trunk/Source/WebKit2/UIProcess/PageLoadState.h

    r170776 r181317  
    11/*
    2  * Copyright (C) 2013 Apple Inc. All rights reserved.
     2 * Copyright (C) 2013-2015 Apple Inc. All rights reserved.
    33 *
    44 * Redistribution and use in source and binary forms, with or without
     
    132132    void didFailProvisionalLoad(const Transaction::Token&);
    133133
    134     void didCommitLoad(const Transaction::Token&);
     134    void didCommitLoad(const Transaction::Token&, bool hasInsecureContent);
    135135    void didFinishLoad(const Transaction::Token&);
    136136    void didFailLoad(const Transaction::Token&);
  • trunk/Source/WebKit2/UIProcess/WebPageProxy.cpp

    r181023 r181317  
    286286    , m_mainFrame(nullptr)
    287287    , m_userAgent(standardUserAgent())
     288    , m_treatsSHA1CertificatesAsInsecure(configuration.treatsSHA1SignedCertificatesAsInsecure)
    288289#if PLATFORM(IOS)
    289290    , m_hasReceivedLayerTreeTransactionAfterDidCommitLoad(true)
     
    28192820    auto transaction = m_pageLoadState.transaction();
    28202821
    2821     if (frame->isMainFrame())
    2822         m_pageLoadState.didCommitLoad(transaction);
     2822    if (frame->isMainFrame()) {
     2823        bool hasInsecureCertificateChain = m_treatsSHA1CertificatesAsInsecure && certificateInfo.containsNonRootSHA1SignedCertificate();
     2824        m_pageLoadState.didCommitLoad(transaction, hasInsecureCertificateChain);
     2825    }
    28232826
    28242827#if USE(APPKIT)
  • trunk/Source/WebKit2/UIProcess/WebPageProxy.h

    r181023 r181317  
    250250    WebPageProxy* relatedPage = nullptr;
    251251
     252    bool treatsSHA1SignedCertificatesAsInsecure = false;
     253
    252254    WebPreferencesStore::ValueMap preferenceValues;
    253255};
     
    14261428    String m_customTextEncodingName;
    14271429
     1430    bool m_treatsSHA1CertificatesAsInsecure;
     1431
    14281432    RefPtr<WebInspectorProxy> m_inspector;
    14291433
Note: See TracChangeset for help on using the changeset viewer.