Changeset 243654 in webkit
- Timestamp:
- Mar 29, 2019 12:03:16 PM (5 years ago)
- Location:
- trunk
- Files:
-
- 20 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/LayoutTests/ChangeLog
r243653 r243654 1 2019-03-29 Takashi Komori <Takashi.Komori@sony.com> 2 3 [Curl] Add Server Trust Evaluation Support. 4 https://bugs.webkit.org/show_bug.cgi?id=191646 5 6 Reviewed by Fujii Hironori. 7 8 * platform/wincairo-wk1/TestExpectations: 9 * platform/wincairo/TestExpectations: 10 1 11 2019-03-29 Ryosuke Niwa <rniwa@webkit.org> 2 12 -
trunk/LayoutTests/platform/wincairo-wk1/TestExpectations
r242517 r243654 21 21 http/tests/security/cookies/third-party-cookie-blocking-xslt.xml [ Skip ] 22 22 23 # Server trust evaluation only supported in WK2. 24 http/tests/ssl/iframe-upgrade.https.html [ Skip ] 25 http/tests/ssl/mixedContent/insecure-websocket.html [ Failure ] 26 http/tests/ssl/upgrade-origin-usage.html [ Failure ] 27 23 28 # There is not NetworkProcess in WK1, so it can't crash. 24 29 http/tests/websocket/tests/hybi/network-process-crash-error.html [ Skip ] -
trunk/LayoutTests/platform/wincairo/TestExpectations
r243433 r243654 949 949 http/tests/security/cookies/third-party-cookie-blocking-user-action.html [ Pass ] 950 950 http/tests/security/cookies/third-party-cookie-blocking-xslt.xml [ Pass ] 951 952 http/tests/ssl/iframe-upgrade.https.html [ Skip ]953 http/tests/ssl/mixedContent/insecure-websocket.html [ Failure ]954 http/tests/ssl/upgrade-origin-usage.html [ Failure ]955 951 956 952 http/tests/ssl/media-stream [ Skip ] -
trunk/Source/WebCore/ChangeLog
r243653 r243654 1 2019-03-29 Takashi Komori <Takashi.Komori@sony.com> 2 3 [Curl] Add Server Trust Evaluation Support. 4 https://bugs.webkit.org/show_bug.cgi?id=191646 5 6 Reviewed by Fujii Hironori. 7 8 Tests: http/tests/ssl/iframe-upgrade.https.html 9 http/tests/ssl/mixedContent/insecure-websocket.html 10 http/tests/ssl/upgrade-origin-usage.html 11 12 * platform/network/curl/AuthenticationChallenge.h: 13 * platform/network/curl/AuthenticationChallengeCurl.cpp: 14 (WebCore::AuthenticationChallenge::AuthenticationChallenge): 15 (WebCore::AuthenticationChallenge::protectionSpaceForPasswordBased): 16 (WebCore::AuthenticationChallenge::protectionSpaceForServerTrust): 17 (WebCore::AuthenticationChallenge::protectionSpaceFromHandle): Deleted. 18 * platform/network/curl/CurlContext.cpp: 19 (WebCore::CurlHandle::disableServerTrustEvaluation): 20 * platform/network/curl/CurlContext.h: 21 * platform/network/curl/CurlRequest.cpp: 22 (WebCore::CurlRequest::setupTransfer): 23 * platform/network/curl/CurlRequest.h: 24 (WebCore::CurlRequest::disableServerTrustEvaluation): 25 1 26 2019-03-29 Ryosuke Niwa <rniwa@webkit.org> 2 27 -
trunk/Source/WebCore/platform/network/curl/AuthenticationChallenge.h
r239427 r243654 46 46 47 47 AuthenticationChallenge(const CurlResponse&, unsigned, const ResourceResponse&, AuthenticationClient* = nullptr); 48 AuthenticationChallenge(const URL&, const CertificateInfo&, const ResourceError&, AuthenticationClient* = nullptr); 49 48 50 AuthenticationClient* authenticationClient() const { return m_authenticationClient.get(); } 49 51 50 52 private: 51 53 ProtectionSpaceServerType protectionSpaceServerTypeFromURI(const URL&, bool isForProxy); 52 ProtectionSpace protectionSpaceFromHandle(const CurlResponse&, const ResourceResponse&); 54 ProtectionSpace protectionSpaceForPasswordBased(const CurlResponse&, const ResourceResponse&); 55 ProtectionSpace protectionSpaceForServerTrust(const URL&, const CertificateInfo&); 53 56 Optional<uint16_t> determineProxyPort(const URL&); 54 57 ProtectionSpaceAuthenticationScheme authenticationSchemeFromCurlAuth(long); -
trunk/Source/WebCore/platform/network/curl/AuthenticationChallengeCurl.cpp
r239427 r243654 36 36 37 37 AuthenticationChallenge::AuthenticationChallenge(const CurlResponse& curlResponse, unsigned previousFailureCount, const ResourceResponse& response, AuthenticationClient* client) 38 : AuthenticationChallengeBase(protectionSpaceFromHandle(curlResponse, response), Credential(), previousFailureCount, response, ResourceError()) 38 : AuthenticationChallengeBase(protectionSpaceForPasswordBased(curlResponse, response), Credential(), previousFailureCount, response, ResourceError()) 39 , m_authenticationClient(client) 40 { 41 } 42 43 AuthenticationChallenge::AuthenticationChallenge(const URL& url, const CertificateInfo& certificateInfo, const ResourceError& resourceError, AuthenticationClient* client) 44 : AuthenticationChallengeBase(protectionSpaceForServerTrust(url, certificateInfo), Credential(), 0, ResourceResponse(), resourceError) 39 45 , m_authenticationClient(client) 40 46 { … … 52 58 } 53 59 54 ProtectionSpace AuthenticationChallenge::protectionSpaceF romHandle(const CurlResponse& curlResponse, const ResourceResponse& response)60 ProtectionSpace AuthenticationChallenge::protectionSpaceForPasswordBased(const CurlResponse& curlResponse, const ResourceResponse& response) 55 61 { 56 62 if (!response.isUnauthorized() && !response.isProxyAuthenticationRequired()) … … 63 69 auto authenticationScheme = authenticationSchemeFromCurlAuth(isProxyAuth ? curlResponse.availableProxyAuth : curlResponse.availableHttpAuth); 64 70 65 return ProtectionSpace(url.host().toString(), static_cast<int>(port ? *port : 0), serverType, parseRealm(response), authenticationScheme); 71 return ProtectionSpace(url.host().toString(), static_cast<int>(port.valueOr(0)), serverType, parseRealm(response), authenticationScheme); 72 } 73 74 ProtectionSpace AuthenticationChallenge::protectionSpaceForServerTrust(const URL& url, const CertificateInfo& certificateInfo) 75 { 76 auto port = determineProxyPort(url); 77 auto serverType = protectionSpaceServerTypeFromURI(url, false); 78 auto authenticationScheme = ProtectionSpaceAuthenticationSchemeServerTrustEvaluationRequested; 79 80 return ProtectionSpace(url.host().toString(), static_cast<int>(port.valueOr(0)), serverType, String(), authenticationScheme, certificateInfo); 66 81 } 67 82 -
trunk/Source/WebCore/platform/network/curl/CurlContext.cpp
r242842 r243654 325 325 } 326 326 327 void CurlHandle::disableServerTrustEvaluation() 328 { 329 setSslVerifyPeer(CurlHandle::VerifyPeer::Disable); 330 setSslVerifyHost(CurlHandle::VerifyHost::LooseNameCheck); 331 } 332 327 333 CURLcode CurlHandle::willSetupSslCtx(void* sslCtx) 328 334 { -
trunk/Source/WebCore/platform/network/curl/CurlContext.h
r239427 r243654 254 254 void setHttpAuthUserPass(const String&, const String&, long authType = CURLAUTH_ANY); 255 255 256 void disableServerTrustEvaluation(); 256 257 void setCACertPath(const char*); 257 258 void setSslVerifyPeer(VerifyPeer); -
trunk/Source/WebCore/platform/network/curl/CurlRequest.cpp
r242842 r243654 214 214 } 215 215 216 if (m_shouldDisableServerTrustEvaluation) 217 m_curlHandle->disableServerTrustEvaluation(); 218 216 219 m_curlHandle->setHeaderCallbackFunction(didReceiveHeaderCallback, this); 217 220 m_curlHandle->setWriteCallbackFunction(didReceiveDataCallback, this); -
trunk/Source/WebCore/platform/network/curl/CurlRequest.h
r240958 r243654 32 32 #include "CurlRequestSchedulerClient.h" 33 33 #include "CurlResponse.h" 34 #include "CurlSSLVerifier.h"35 34 #include "NetworkLoadMetrics.h" 36 35 #include "ProtectionSpace.h" … … 76 75 WEBCORE_EXPORT void setAuthenticationScheme(ProtectionSpaceAuthenticationScheme); 77 76 WEBCORE_EXPORT void setUserPass(const String&, const String&); 77 void disableServerTrustEvaluation() { m_shouldDisableServerTrustEvaluation = true; } 78 78 void setStartTime(const MonotonicTime& startTime) { m_requestStartTime = startTime; } 79 79 … … 174 174 String m_password; 175 175 unsigned long m_authType { CURLAUTH_ANY }; 176 bool m_shouldDisableServerTrustEvaluation { false }; 176 177 bool m_shouldSuspend { false }; 177 178 bool m_enableMultipart { false }; -
trunk/Source/WebKit/ChangeLog
r243643 r243654 1 2019-03-29 Takashi Komori <Takashi.Komori@sony.com> 2 3 [Curl] Add Server Trust Evaluation Support. 4 https://bugs.webkit.org/show_bug.cgi?id=191646 5 6 Reviewed by Fujii Hironori. 7 8 Tests: http/tests/ssl/iframe-upgrade.https.html 9 http/tests/ssl/mixedContent/insecure-websocket.html 10 http/tests/ssl/upgrade-origin-usage.html 11 12 * NetworkProcess/curl/NetworkDataTaskCurl.cpp: 13 (WebKit::NetworkDataTaskCurl::curlDidFailWithError): 14 (WebKit::NetworkDataTaskCurl::tryServerTrustEvaluation): 15 (WebKit::NetworkDataTaskCurl::restartWithCredential): 16 * NetworkProcess/curl/NetworkDataTaskCurl.h: 17 1 18 2019-03-29 Cathie Chen <cathiechen@igalia.com> 2 19 -
trunk/Source/WebKit/NetworkProcess/curl/NetworkDataTaskCurl.cpp
r242842 r243654 190 190 } 191 191 192 void NetworkDataTaskCurl::curlDidFailWithError(CurlRequest& , const ResourceError& resourceError)192 void NetworkDataTaskCurl::curlDidFailWithError(CurlRequest& request, const ResourceError& resourceError) 193 193 { 194 194 if (state() == State::Canceling || state() == State::Completed || (!m_client && !isDownload())) 195 195 return; 196 197 if (resourceError.isSSLCertVerificationError()) { 198 tryServerTrustEvaluation(AuthenticationChallenge(request.resourceRequest().url(), request.certificateInfo(), resourceError)); 199 return; 200 } 196 201 197 202 m_client->didCompleteWithError(resourceError); … … 399 404 } 400 405 406 void NetworkDataTaskCurl::tryServerTrustEvaluation(AuthenticationChallenge&& challenge) 407 { 408 m_client->didReceiveChallenge(AuthenticationChallenge(challenge), [this, protectedThis = makeRef(*this), challenge](AuthenticationChallengeDisposition disposition, const Credential& credential) { 409 if (m_state == State::Canceling || m_state == State::Completed) 410 return; 411 412 if (disposition == AuthenticationChallengeDisposition::UseCredential && !credential.isEmpty()) { 413 auto requestCredential = m_curlRequest ? Credential(m_curlRequest->user(), m_curlRequest->password(), CredentialPersistenceNone) : Credential(); 414 restartWithCredential(challenge.protectionSpace(), requestCredential); 415 return; 416 } 417 418 cancel(); 419 m_client->didCompleteWithError(challenge.error()); 420 }); 421 } 422 401 423 void NetworkDataTaskCurl::restartWithCredential(const ProtectionSpace& protectionSpace, const Credential& credential) 402 424 { … … 409 431 m_curlRequest->setAuthenticationScheme(protectionSpace.authenticationScheme()); 410 432 m_curlRequest->setUserPass(credential.user(), credential.password()); 433 if (protectionSpace.authenticationScheme() == ProtectionSpaceAuthenticationSchemeServerTrustEvaluationRequested) 434 m_curlRequest->disableServerTrustEvaluation(); 411 435 m_curlRequest->setStartTime(m_startTime); 412 436 m_curlRequest->start(); -
trunk/Source/WebKit/NetworkProcess/curl/NetworkDataTaskCurl.h
r242517 r243654 79 79 void restartWithCredential(const WebCore::ProtectionSpace&, const WebCore::Credential&); 80 80 81 void tryServerTrustEvaluation(WebCore::AuthenticationChallenge&&); 82 81 83 void appendCookieHeader(WebCore::ResourceRequest&); 82 84 void handleCookieHeaders(const WebCore::ResourceRequest&, const WebCore::CurlResponse&); -
trunk/Tools/ChangeLog
r243643 r243654 1 2019-03-29 Takashi Komori <Takashi.Komori@sony.com> 2 3 [Curl] Add Server Trust Evaluation Support. 4 https://bugs.webkit.org/show_bug.cgi?id=191646 5 6 Reviewed by Fujii Hironori. 7 8 Implemented MiniBrowser UI for asking if user trusts the server. 9 10 * MiniBrowser/win/Common.cpp: 11 (askServerTrustEvaluation): 12 (replaceString): 13 * MiniBrowser/win/Common.h: 14 * MiniBrowser/win/MiniBrowserLib.rc: 15 * MiniBrowser/win/MiniBrowserLibResource.h: 16 * MiniBrowser/win/WebKitBrowserWindow.cpp: 17 (createPEMString): 18 (WebKitBrowserWindow::didReceiveAuthenticationChallenge): 19 (WebKitBrowserWindow::canTrustServerCertificate): 20 * MiniBrowser/win/WebKitBrowserWindow.h: 21 1 22 2019-03-29 Cathie Chen <cathiechen@igalia.com> 2 23 -
trunk/Tools/MiniBrowser/win/Common.cpp
r242984 r243654 232 232 } 233 233 234 bool askServerTrustEvaluation(HWND hwnd, const std::wstring& pems) 235 { 236 class ServerTrustEvaluationDialog : public Dialog { 237 public: 238 ServerTrustEvaluationDialog(const std::wstring& pems) 239 : m_pems { pems } 240 { 241 SendMessage(GetDlgItem(this->hDlg(), IDC_SERVER_TRUST_TEXT), WM_SETFONT, (WPARAM)GetStockObject(ANSI_FIXED_FONT), TRUE); 242 } 243 244 protected: 245 std::wstring m_pems; 246 247 void setup() 248 { 249 setText(IDC_SERVER_TRUST_TEXT, m_pems); 250 } 251 252 void ok() final 253 { 254 255 } 256 }; 257 258 ServerTrustEvaluationDialog dialog { pems }; 259 return dialog.run(hInst, hwnd, IDD_SERVER_TRUST); 260 } 261 234 262 CommandLineOptions parseCommandLine() 235 263 { … … 257 285 return options; 258 286 } 287 288 std::wstring replaceString(std::wstring src, const std::wstring& oldValue, const std::wstring& newValue) 289 { 290 if (src.empty() || oldValue.empty()) 291 return src; 292 293 size_t pos = 0; 294 while ((pos = src.find(oldValue, pos)) != src.npos) { 295 src.replace(pos, oldValue.length(), newValue); 296 pos += newValue.length(); 297 } 298 299 return src; 300 } -
trunk/Tools/MiniBrowser/win/Common.h
r242984 r243654 71 71 bool askProxySettings(HWND, ProxySettings&); 72 72 73 bool askServerTrustEvaluation(HWND, const std::wstring& pems); 74 std::wstring replaceString(std::wstring src, const std::wstring& oldValue, const std::wstring& newValue); 75 73 76 extern HINSTANCE hInst; 74 77 extern POINT s_windowPosition; -
trunk/Tools/MiniBrowser/win/MiniBrowserLib.rc
r238051 r243654 281 281 END 282 282 283 IDD_SERVER_TRUST DIALOGEX 0, 0, 319, 184 284 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU 285 CAPTION "Server Trust Evaluation Request" 286 FONT 8, "MS Shell Dlg", 400, 0, 0x1 287 BEGIN 288 DEFPUSHBUTTON "Yes",IDOK,197,163,50,14 289 PUSHBUTTON "No",IDCANCEL,262,163,50,14 290 LTEXT "Certificate information",IDC_STATIC,7,7,294,17 291 EDITTEXT IDC_SERVER_TRUST_TEXT,7,24,305,130,ES_MULTILINE | ES_READONLY | WS_VSCROLL | WS_HSCROLL | NOT WS_TABSTOP 292 END 293 283 294 284 295 #ifdef APSTUDIO_INVOKED … … 358 369 BOTTOMMARGIN, 169 359 370 END 371 372 IDD_SERVER_TRUST, DIALOG 373 BEGIN 374 LEFTMARGIN, 7 375 RIGHTMARGIN, 312 376 TOPMARGIN, 7 377 BOTTOMMARGIN, 177 378 END 360 379 END 361 380 #endif // APSTUDIO_INVOKED -
trunk/Tools/MiniBrowser/win/MiniBrowserLibResource.h
r238051 r243654 58 58 #define IDM_DEBUG_INFO_LAYER 177 59 59 #define IDD_PROXY 178 60 #define IDD_SERVER_TRUST 179 60 61 #define IDC_EMPTY_URL_CACHE 1000 61 62 #define IDC_RETURN_FREE_MEMORY 1001 … … 119 120 #define IDC_PROXY_EXCLUDE 1060 120 121 #define IDC_PROXY_DISABLE 1061 122 #define IDC_SERVER_TRUST_TEXT 1062 121 123 #define IDM_NEW_WEBKIT_WINDOW 32776 122 124 #define IDM_NEW_WEBKITLEGACY_WINDOW 32777 … … 125 127 126 128 // Next default values for new objects 127 // 129 // 128 130 #ifdef APSTUDIO_INVOKED 129 131 #ifndef APSTUDIO_READONLY_SYMBOLS 130 132 #define _APS_NO_MFC 1 131 #define _APS_NEXT_RESOURCE_VALUE 1 79133 #define _APS_NEXT_RESOURCE_VALUE 180 132 134 #define _APS_NEXT_COMMAND_VALUE 32779 133 #define _APS_NEXT_CONTROL_VALUE 106 2135 #define _APS_NEXT_CONTROL_VALUE 1063 134 136 #define _APS_NEXT_SYMED_VALUE 110 135 137 #endif -
trunk/Tools/MiniBrowser/win/WebKitBrowserWindow.cpp
r242984 r243654 30 30 #include <WebKit/WKAuthenticationChallenge.h> 31 31 #include <WebKit/WKAuthenticationDecisionListener.h> 32 #include <WebKit/WKCertificateInfoCurl.h> 32 33 #include <WebKit/WKCredential.h> 33 34 #include <WebKit/WKInspector.h> 34 35 #include <WebKit/WKProtectionSpace.h> 36 #include <WebKit/WKProtectionSpaceCurl.h> 35 37 #include <WebKit/WKWebsiteDataStoreRefCurl.h> 36 38 #include <vector> … … 57 59 size_t actualLength = WideCharToMultiByte(CP_UTF8, 0, src, srcLength, buffer.data(), length, nullptr, nullptr); 58 60 return { buffer.data(), actualLength }; 61 } 62 63 std::wstring createPEMString(WKProtectionSpaceRef protectionSpace) 64 { 65 auto certificateInfo = WKProtectionSpaceCopyCertificateInfo(protectionSpace); 66 auto chainSize = WKCertificateInfoGetCertificateChainSize(certificateInfo); 67 68 std::wstring pems; 69 70 for (auto i = 0; i < chainSize; i++) { 71 auto certificate = adoptWK(WKCertificateInfoCopyCertificateAtIndex(certificateInfo, i)); 72 auto size = WKDataGetSize(certificate.get()); 73 auto data = WKDataGetBytes(certificate.get()); 74 75 for (size_t i = 0; i < size; i++) 76 pems.push_back(data[i]); 77 } 78 79 return replaceString(pems, L"\n", L"\r\n"); 59 80 } 60 81 … … 287 308 auto protectionSpace = WKAuthenticationChallengeGetProtectionSpace(challenge); 288 309 auto decisionListener = WKAuthenticationChallengeGetDecisionListener(challenge); 289 290 WKRetainPtr<WKStringRef> realm(WKProtectionSpaceCopyRealm(protectionSpace)); 291 if (auto credential = askCredential(thisWindow.hwnd(), createString(realm.get()))) { 292 WKRetainPtr<WKStringRef> username = createWKString(credential->username); 293 WKRetainPtr<WKStringRef> password = createWKString(credential->password); 294 WKRetainPtr<WKCredentialRef> wkCredential(AdoptWK, WKCredentialCreate(username.get(), password.get(), kWKCredentialPersistenceForSession)); 295 WKAuthenticationDecisionListenerUseCredential(decisionListener, wkCredential.get()); 296 return; 310 auto authenticationScheme = WKProtectionSpaceGetAuthenticationScheme(protectionSpace); 311 312 if (authenticationScheme == kWKProtectionSpaceAuthenticationSchemeServerTrustEvaluationRequested) { 313 if (thisWindow.canTrustServerCertificate(protectionSpace)) { 314 WKRetainPtr<WKStringRef> username = createWKString("accept server trust"); 315 WKRetainPtr<WKStringRef> password = createWKString(""); 316 WKRetainPtr<WKCredentialRef> wkCredential(AdoptWK, WKCredentialCreate(username.get(), password.get(), kWKCredentialPersistenceForSession)); 317 WKAuthenticationDecisionListenerUseCredential(decisionListener, wkCredential.get()); 318 return; 319 } 320 } else { 321 WKRetainPtr<WKStringRef> realm(WKProtectionSpaceCopyRealm(protectionSpace)); 322 323 if (auto credential = askCredential(thisWindow.hwnd(), createString(realm.get()))) { 324 WKRetainPtr<WKStringRef> username = createWKString(credential->username); 325 WKRetainPtr<WKStringRef> password = createWKString(credential->password); 326 WKRetainPtr<WKCredentialRef> wkCredential(AdoptWK, WKCredentialCreate(username.get(), password.get(), kWKCredentialPersistenceForSession)); 327 WKAuthenticationDecisionListenerUseCredential(decisionListener, wkCredential.get()); 328 return; 329 } 297 330 } 298 331 299 332 WKAuthenticationDecisionListenerUseCredential(decisionListener, nullptr); 333 } 334 335 bool WebKitBrowserWindow::canTrustServerCertificate(WKProtectionSpaceRef protectionSpace) 336 { 337 auto host = createString(adoptWK(WKProtectionSpaceCopyHost(protectionSpace)).get()); 338 auto pem = createPEMString(protectionSpace); 339 340 auto it = m_acceptedServerTrustCerts.find(host); 341 if (it != m_acceptedServerTrustCerts.end() && it->second == pem) 342 return true; 343 344 if (askServerTrustEvaluation(hwnd(), pem)) { 345 m_acceptedServerTrustCerts.emplace(host, pem); 346 return true; 347 } 348 349 return false; 300 350 } 301 351 -
trunk/Tools/MiniBrowser/win/WebKitBrowserWindow.h
r242984 r243654 29 29 #include <WebKit/WKRetainPtr.h> 30 30 #include <WebKit/WebKit2_C.h> 31 #include <unordered_map> 31 32 32 33 class WebKitBrowserWindow : public BrowserWindow { … … 62 63 void updateProxySettings(); 63 64 65 bool canTrustServerCertificate(WKProtectionSpaceRef); 66 64 67 static void didFinishNavigation(WKPageRef, WKNavigationRef, WKTypeRef, const void*); 65 68 static void didCommitNavigation(WKPageRef, WKNavigationRef, WKTypeRef, const void*); … … 71 74 HWND m_urlBarWnd { nullptr }; 72 75 ProxySettings m_proxy { }; 76 std::unordered_map<std::wstring, std::wstring> m_acceptedServerTrustCerts; 73 77 };
Note: See TracChangeset
for help on using the changeset viewer.