WebKit Bugzilla
Attachment 360503 Details for
Bug 193355
: Adopt new SPI to evaluate server certificate trust
[patch]
Patch for landing
bug-193355-20190129145425.patch (text/plain), 26.45 KB, created by
youenn fablet
on 2019-01-29 14:54:26 PST
Description:
Patch for landing
Filename:
MIME Type:
Creator:
youenn fablet
Created:
2019-01-29 14:54:26 PST
Size:
26.45 KB
>Subversion Revision: 240583
>diff --git a/Source/WebKit/ChangeLog b/Source/WebKit/ChangeLog
>index 30a40ff4d0cdae8612a11d2b357fb746ca41af7a..9ad5b6b3bef22f550a8e0af6e44b1fe97b17e963 100644
>--- a/Source/WebKit/ChangeLog
>+++ b/Source/WebKit/ChangeLog
>@@ -1,3 +1,20 @@
>+2019-01-29 Youenn Fablet <youenn@apple.com>
>+
>+ Adopt new SPI to evaluate server certificate trust
>+ https://bugs.webkit.org/show_bug.cgi?id=193355
>+
>+ Reviewed by Alex Christensen.
>+
>+ Use new SPI provided in NSURLSession to evaluate server certificates.
>+ If successful, let loading proceed as usual.
>+ Otherwise, go to the UIProcess to ask for a decision on continuing the load or not.
>+
>+ * NetworkProcess/cocoa/NetworkSessionCocoa.h:
>+ * NetworkProcess/cocoa/NetworkSessionCocoa.mm:
>+ (canNSURLSessionTrustEvaluate):
>+ (-[WKNetworkSessionDelegate URLSession:task:didReceiveChallenge:completionHandler:]):
>+ (WebKit::NetworkSessionCocoa::continueDidReceiveChallenge):
>+
> 2019-01-28 Antoine Quint <graouts@apple.com>
>
> Limit user-agent interactions based on the touch-action property on iOS
>diff --git a/Source/WTF/wtf/Platform.h b/Source/WTF/wtf/Platform.h
>index aa21c5f2a8c4a119b352d75a68f0fe1f650911db..50ea2135f48909e9fa9281ed459dd11725bcd5da 100644
>--- a/Source/WTF/wtf/Platform.h
>+++ b/Source/WTF/wtf/Platform.h
>@@ -1480,6 +1480,10 @@
> #define HAVE_CFNETWORK_OVERRIDE_SESSION_COOKIE_ACCEPT_POLICY 1
> #endif
>
>+#if (PLATFORM(MAC) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 101500) || (PLATFORM(IOS_FAMILY) && __IPHONE_OS_VERSION_MIN_REQUIRED >= 130000)
>+#define HAVE_CFNETWORK_NSURLSESSION_STRICTRUSTEVALUATE 1
>+#endif
>+
> #if (PLATFORM(MAC) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 101500) || (PLATFORM(IOS_FAMILY) && __IPHONE_OS_VERSION_MIN_REQUIRED >= 130000)
> #define HAVE_CFNETWORK_NEGOTIATED_SSL_PROTOCOL_CIPHER 1
> #endif
>diff --git a/Source/WebCore/PAL/pal/spi/cf/CFNetworkSPI.h b/Source/WebCore/PAL/pal/spi/cf/CFNetworkSPI.h
>index 9e211a660f3e996cf626fa2893539c9a0cb87864..2fd482d8f482fd7a17f8a3ff5bc6e90ee46af99d 100644
>--- a/Source/WebCore/PAL/pal/spi/cf/CFNetworkSPI.h
>+++ b/Source/WebCore/PAL/pal/spi/cf/CFNetworkSPI.h
>@@ -231,6 +231,12 @@ typedef NS_ENUM(NSInteger, NSURLSessionCompanionProxyPreference) {
> @end
> #endif
>
>+#if HAVE(CFNETWORK_NSURLSESSION_STRICTRUSTEVALUATE)
>+@interface NSURLSession (SPI)
>++ (void)_strictTrustEvaluate:(NSURLAuthenticationChallenge *)challenge queue:(dispatch_queue_t)queue completionHandler:(void (^)(NSURLAuthenticationChallenge *challenge, OSStatus trustResult))cb;
>+@end
>+#endif
>+
> extern NSString * const NSURLAuthenticationMethodOAuth;
>
> #endif // defined(__OBJC__)
>diff --git a/Source/WebKit/NetworkProcess/cocoa/NetworkSessionCocoa.h b/Source/WebKit/NetworkProcess/cocoa/NetworkSessionCocoa.h
>index 0d671c29ca0977995aab49ecfd622819f610cd6b..18621a48e334ee3e48b3fd30470e578ba864aeff 100644
>--- a/Source/WebKit/NetworkProcess/cocoa/NetworkSessionCocoa.h
>+++ b/Source/WebKit/NetworkProcess/cocoa/NetworkSessionCocoa.h
>@@ -62,6 +62,8 @@ public:
>
> static bool allowsSpecificHTTPSCertificateForHost(const WebCore::AuthenticationChallenge&);
>
>+ void continueDidReceiveChallenge(const WebCore::AuthenticationChallenge&, NetworkDataTaskCocoa::TaskIdentifier, NetworkDataTaskCocoa*, CompletionHandler<void(WebKit::AuthenticationChallengeDisposition, const WebCore::Credential&)>&&);
>+
> private:
> NetworkSessionCocoa(NetworkProcess&, NetworkSessionCreationParameters&&);
>
>diff --git a/Source/WebKit/NetworkProcess/cocoa/NetworkSessionCocoa.mm b/Source/WebKit/NetworkProcess/cocoa/NetworkSessionCocoa.mm
>index 4a1d79210afa596e4b0fafce818ff4f682b38b4a..ec523b6b188f0cd52944ad7bf53367fae06306c9 100644
>--- a/Source/WebKit/NetworkProcess/cocoa/NetworkSessionCocoa.mm
>+++ b/Source/WebKit/NetworkProcess/cocoa/NetworkSessionCocoa.mm
>@@ -521,6 +521,30 @@ - (void)URLSession:(NSURLSession *)session dataTask:(NSURLSessionDataTask *)data
> completionHandler(proposedResponse);
> }
>
>+#if HAVE(CFNETWORK_NSURLSESSION_STRICTRUSTEVALUATE)
>+static bool canNSURLSessionTrustEvaluate()
>+{
>+ return [NSURLSession respondsToSelector:@selector(_strictTrustEvaluate: queue: completionHandler:)];
>+}
>+
>+static inline void processServerTrustEvaluation(NetworkSessionCocoa *session, NSURLAuthenticationChallenge *challenge, OSStatus trustResult, NetworkDataTaskCocoa::TaskIdentifier taskIdentifier, NetworkDataTaskCocoa* networkDataTask, CompletionHandler<void(NSURLSessionAuthChallengeDisposition disposition, NSURLCredential *credential)>&& completionHandler)
>+{
>+ if (trustResult == noErr) {
>+ completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
>+ return;
>+ }
>+
>+ session->continueDidReceiveChallenge(challenge, taskIdentifier, networkDataTask, [completionHandler = WTFMove(completionHandler), secTrust = retainPtr(challenge.protectionSpace.serverTrust)] (WebKit::AuthenticationChallengeDisposition disposition, const WebCore::Credential& credential) mutable {
>+ // FIXME: UIProcess should send us back non nil credentials but the credential IPC encoder currently only serializes ns credentials for username/password.
>+ if (disposition == WebKit::AuthenticationChallengeDisposition::UseCredential && !credential.nsCredential()) {
>+ completionHandler(NSURLSessionAuthChallengeUseCredential, [NSURLCredential credentialForTrust: secTrust.get()]);
>+ return;
>+ }
>+ completionHandler(toNSURLSessionAuthChallengeDisposition(disposition), credential.nsCredential());
>+ });
>+}
>+#endif
>+
> - (void)URLSession:(NSURLSession *)session task:(NSURLSessionTask *)task didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition disposition, NSURLCredential *credential))completionHandler
> {
> if (!_session) {
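Review bot: In `processServerTrustEvaluation`, the `UseCredential` branch turns a missing `nsCredential()` into `[NSURLCredential credentialForTrust: secTrust.get()]` without checking that `secTrust` is non-null, and that branch is what accepts a chain the strict evaluation has just rejected. The call site in the next hunk appears to sit inside the server-trust branch, but that branch opens outside the visible lines, so a local guard would keep the invariant where it is used: `if (!secTrust) return completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);`. The function also has no comment saying that a non-`noErr` result is not a rejection; something like `// Strict evaluation failed: defer to the UIProcess, whose UseCredential reply overrides the failure.` above the `continueDidReceiveChallenge` call would make that explicit for the next reader.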
>@@ -543,61 +567,23 @@ - (void)URLSession:(NSURLSession *)session task:(NSURLSessionTask *)task didRece
> return completionHandler(NSURLSessionAuthChallengeUseCredential, [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]);
>
> // Handle server trust evaluation at platform-level if requested, for performance reasons and to use ATS defaults.
>- if (!_session->networkProcess().canHandleHTTPSServerTrustEvaluation())
>- return completionHandler(NSURLSessionAuthChallengeRejectProtectionSpace, nil);
>- }
>-
>- if (auto* networkDataTask = [self existingTask:task]) {
>- WebCore::AuthenticationChallenge authenticationChallenge(challenge);
>- auto completionHandlerCopy = Block_copy(completionHandler);
>- auto sessionID = _session->sessionID();
>- auto challengeCompletionHandler = [networkProcess = makeRef(_session->networkProcess()), completionHandlerCopy, sessionID, authenticationChallenge, taskIdentifier, partition = networkDataTask->partition()](WebKit::AuthenticationChallengeDisposition disposition, const WebCore::Credential& credential)
>- {
>-#if !LOG_DISABLED
>- LOG(NetworkSession, "%llu didReceiveChallenge completionHandler %d", taskIdentifier, disposition);
>-#else
>- UNUSED_PARAM(taskIdentifier);
>-#endif
>-#if !USE(CREDENTIAL_STORAGE_WITH_NETWORK_SESSION)
>- UNUSED_PARAM(sessionID);
>- UNUSED_PARAM(authenticationChallenge);
>-#else
>- if (credential.persistence() == WebCore::CredentialPersistenceForSession && authenticationChallenge.protectionSpace().isPasswordBased()) {
>-
>- WebCore::Credential nonPersistentCredential(credential.user(), credential.password(), WebCore::CredentialPersistenceNone);
>- URL urlToStore;
>- if (authenticationChallenge.failureResponse().httpStatusCode() == 401)
>- urlToStore = authenticationChallenge.failureResponse().url();
>- if (auto storageSession = networkProcess->storageSession(sessionID))
>- storageSession->credentialStorage().set(partition, nonPersistentCredential, authenticationChallenge.protectionSpace(), urlToStore);
>- else
>- ASSERT_NOT_REACHED();
>-
>- completionHandlerCopy(toNSURLSessionAuthChallengeDisposition(disposition), nonPersistentCredential.nsCredential());
>- } else
>-#endif
>- completionHandlerCopy(toNSURLSessionAuthChallengeDisposition(disposition), credential.nsCredential());
>- Block_release(completionHandlerCopy);
>- };
>- networkDataTask->didReceiveChallenge(challenge, WTFMove(challengeCompletionHandler));
>- } else {
>- auto downloadID = _session->downloadID(taskIdentifier);
>- if (downloadID.downloadID()) {
>- if (auto* download = _session->networkProcess().downloadManager().download(downloadID)) {
>- // Received an authentication challenge for a download being resumed.
>- WebCore::AuthenticationChallenge authenticationChallenge { challenge };
>- auto completionHandlerCopy = Block_copy(completionHandler);
>- auto challengeCompletionHandler = [completionHandlerCopy, authenticationChallenge](WebKit::AuthenticationChallengeDisposition disposition, const WebCore::Credential& credential) {
>- completionHandlerCopy(toNSURLSessionAuthChallengeDisposition(disposition), credential.nsCredential());
>- Block_release(completionHandlerCopy);
>- };
>- download->didReceiveChallenge(challenge, WTFMove(challengeCompletionHandler));
>+ if (!_session->networkProcess().canHandleHTTPSServerTrustEvaluation()) {
>+#if HAVE(CFNETWORK_NSURLSESSION_STRICTRUSTEVALUATE)
>+ if (canNSURLSessionTrustEvaluate()) {
>+ auto* networkDataTask = [self existingTask:task];
>+ auto decisionHandler = makeBlockPtr([_session = _session.copyRef(), completionHandler = makeBlockPtr(completionHandler), taskIdentifier, networkDataTask = RefPtr<NetworkDataTaskCocoa>(networkDataTask)](NSURLAuthenticationChallenge *challenge, OSStatus trustResult) mutable {
>+ processServerTrustEvaluation(_session.get(), challenge, trustResult, taskIdentifier, networkDataTask.get(), WTFMove(completionHandler));
>+ });
>+ [NSURLSession _strictTrustEvaluate:challenge queue:[NSOperationQueue mainQueue].underlyingQueue completionHandler:decisionHandler.get()];
> return;
> }
>+#endif
>+ return completionHandler(NSURLSessionAuthChallengeRejectProtectionSpace, nil);
> }
>- LOG(NetworkSession, "%llu didReceiveChallenge completionHandler (cancel)", taskIdentifier);
>- completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
> }
>+ _session->continueDidReceiveChallenge(challenge, taskIdentifier, [self existingTask:task], [completionHandler = makeBlockPtr(completionHandler)] (WebKit::AuthenticationChallengeDisposition disposition, const WebCore::Credential& credential) mutable {
>+ completionHandler(toNSURLSessionAuthChallengeDisposition(disposition), credential.nsCredential());
>+ });
> }
>
> - (void)URLSession:(NSURLSession *)session task:(NSURLSessionTask *)task didCompleteWithError:(NSError *)error
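Review bot: The `OSStatus trustResult` handed to `decisionHandler` in `URLSession:task:didReceiveChallenge:completionHandler:` is never logged, so when strict evaluation fails and the load is escalated to the UIProcess there is no record of which status caused it. A line inside the block before the `processServerTrustEvaluation` call, using the channel this file already logs to, would cover it: `LOG(NetworkSession, "%llu strict trust evaluation result %d", taskIdentifier, static_cast<int>(trustResult));`. As a style point, if `[NSOperationQueue mainQueue].underlyingQueue` is only meant to name the main dispatch queue, `dispatch_get_main_queue()` says so directly. The method body starts and ends outside this hunk.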
>@@ -1053,4 +1039,52 @@ bool NetworkSessionCocoa::allowsSpecificHTTPSCertificateForHost(const WebCore::A
> return certificatesMatch(trust.get(), challenge.nsURLAuthenticationChallenge().protectionSpace.serverTrust);
> }
>
>+void NetworkSessionCocoa::continueDidReceiveChallenge(const WebCore::AuthenticationChallenge& challenge, NetworkDataTaskCocoa::TaskIdentifier taskIdentifier, NetworkDataTaskCocoa* networkDataTask, CompletionHandler<void(WebKit::AuthenticationChallengeDisposition, const WebCore::Credential&)>&& completionHandler)
>+{
>+ if (!networkDataTask) {
>+ auto downloadID = this->downloadID(taskIdentifier);
>+ if (downloadID.downloadID()) {
>+ if (auto* download = networkProcess().downloadManager().download(downloadID)) {
>+ WebCore::AuthenticationChallenge authenticationChallenge { challenge };
>+ // Received an authentication challenge for a download being resumed.
>+ download->didReceiveChallenge(authenticationChallenge, WTFMove(completionHandler));
>+ return;
>+ }
>+ }
>+ LOG(NetworkSession, "%llu didReceiveChallenge completionHandler (cancel)", taskIdentifier);
>+ completionHandler(AuthenticationChallengeDisposition::Cancel, { });
>+ return;
>+ }
>+
>+ auto sessionID = this->sessionID();
>+ WebCore::AuthenticationChallenge authenticationChallenge { challenge };
>+ auto challengeCompletionHandler = [completionHandler = WTFMove(completionHandler), networkProcess = makeRef(networkProcess()), sessionID, authenticationChallenge, taskIdentifier, partition = networkDataTask->partition()](WebKit::AuthenticationChallengeDisposition disposition, const WebCore::Credential& credential) mutable {
>+#if !LOG_DISABLED
>+ LOG(NetworkSession, "%llu didReceiveChallenge completionHandler %d", taskIdentifier, disposition);
>+#else
>+ UNUSED_PARAM(taskIdentifier);
>+#endif
>+#if !USE(CREDENTIAL_STORAGE_WITH_NETWORK_SESSION)
>+ UNUSED_PARAM(sessionID);
>+ UNUSED_PARAM(authenticationChallenge);
>+#else
>+ if (credential.persistence() == WebCore::CredentialPersistenceForSession && authenticationChallenge.protectionSpace().isPasswordBased()) {
>+ WebCore::Credential nonPersistentCredential(credential.user(), credential.password(), WebCore::CredentialPersistenceNone);
>+ URL urlToStore;
>+ if (authenticationChallenge.failureResponse().httpStatusCode() == 401)
>+ urlToStore = authenticationChallenge.failureResponse().url();
>+ if (auto storageSession = networkProcess->storageSession(sessionID))
>+ storageSession->credentialStorage().set(partition, nonPersistentCredential, authenticationChallenge.protectionSpace(), urlToStore);
>+ else
>+ ASSERT_NOT_REACHED();
>+
>+ completionHandler(disposition, nonPersistentCredential);
>+ return;
>+ }
>+#endif
>+ completionHandler(disposition, credential);
>+ };
>+ networkDataTask->didReceiveChallenge(WTFMove(authenticationChallenge), WTFMove(challengeCompletionHandler));
>+}
>+
> }
>diff --git a/Tools/ChangeLog b/Tools/ChangeLog
>index e40de57fdf38c64eb85e7a33acc03a4da1ad17a9..480117236662f81e731caba479c165af65f03a5d 100644
>--- a/Tools/ChangeLog
>+++ b/Tools/ChangeLog
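Review bot: `NetworkSessionCocoa::continueDidReceiveChallenge` is declared public in NetworkSessionCocoa.h by this patch, yet its handling of a null `networkDataTask` is documented nowhere and has to be read out of the body: it looks for a download registered under `taskIdentifier` and otherwise completes with `AuthenticationChallengeDisposition::Cancel`. A comment on the definition would state that contract, for example `// networkDataTask may be null: the challenge then goes to the download registered for taskIdentifier, or is cancelled.` In the download branch the local copy `authenticationChallenge { challenge }` is only forwarded, so passing `challenge` directly would save a copy if `didReceiveChallenge` takes a const reference; its signature is not visible here.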
>@@ -1,3 +1,29 @@
>+2019-01-29 Youenn Fablet <youenn@apple.com>
>+
>+ Adopt new SPI to evaluate server certificate trust
>+ https://bugs.webkit.org/show_bug.cgi?id=193355
>+
>+ Reviewed by Alex Christensen.
>+
>+ Add infrastructure to handle HTTPS server trust evaluation testing.
>+
>+ * WebKitTestRunner/InjectedBundle/Bindings/TestRunner.idl:
>+ * WebKitTestRunner/InjectedBundle/TestRunner.cpp:
>+ (WTR::TestRunner::setCanHandleHTTPSServerTrustEvaluation):
>+ (WTR::TestRunner::canDoServerTrustEvaluationInNetworkProcess):
>+ (WTR::TestRunner::serverTrustEvaluationCallbackCallsCount):
>+ * WebKitTestRunner/InjectedBundle/TestRunner.h:
>+ * WebKitTestRunner/TestController.cpp:
>+ (WTR::TestController::resetPreferencesToConsistentValues):
>+ (WTR::TestController::didReceiveAuthenticationChallenge):
>+ (WTR::TestController::canDoServerTrustEvaluationInNetworkProcess const):
>+ * WebKitTestRunner/TestController.h:
>+ (WTR::TestController::serverTrustEvaluationCallbackCallsCount const):
>+ * WebKitTestRunner/TestInvocation.cpp:
>+ (WTR::TestInvocation::didReceiveSynchronousMessageFromInjectedBundle):
>+ * WebKitTestRunner/cocoa/TestControllerCocoa.mm:
>+ (WTR::TestController::canDoServerTrustEvaluationInNetworkProcess const):
>+
> 2019-01-28 Zalan Bujtas <zalan@apple.com>
>
> [LFC][MarginCollapsing][Quirks] Quirk margin values get propagated through margin collapsing
>diff --git a/Tools/WebKitTestRunner/InjectedBundle/Bindings/TestRunner.idl b/Tools/WebKitTestRunner/InjectedBundle/Bindings/TestRunner.idl
>index f15550f530ed0f3d519478022695201e902cbab3..f671a0abe7e65bd71542df20fd77818a697eed1f 100644
>--- a/Tools/WebKitTestRunner/InjectedBundle/Bindings/TestRunner.idl
>+++ b/Tools/WebKitTestRunner/InjectedBundle/Bindings/TestRunner.idl
>@@ -338,6 +338,10 @@ interface TestRunner {
> void terminateNetworkProcess();
> void terminateServiceWorkerProcess();
>
>+ void setCanHandleHTTPSServerTrustEvaluation(boolean canHandle);
>+ readonly attribute boolean canDoServerTrustEvaluationInNetworkProcess;
>+ readonly attribute unsigned long serverTrustEvaluationCallbackCallsCount;
>+
> readonly attribute boolean didCancelClientRedirect;
>
> void removeAllSessionCredentials(object callback);
>diff --git a/Tools/WebKitTestRunner/InjectedBundle/TestRunner.cpp b/Tools/WebKitTestRunner/InjectedBundle/TestRunner.cpp
>index 100ab7c40f738929d926ce8469f106732d207d68..a659d169aef2ff0f6fd2dd7806137e2631a4e526 100644
>--- a/Tools/WebKitTestRunner/InjectedBundle/TestRunner.cpp
>+++ b/Tools/WebKitTestRunner/InjectedBundle/TestRunner.cpp
>@@ -2690,4 +2690,29 @@ bool TestRunner::keyExistsInKeychain(JSStringRef attrLabel, JSStringRef applicat
> return WKBooleanGetValue(adoptWK(static_cast<WKBooleanRef>(returnData)).get());
> }
>
>+void TestRunner::setCanHandleHTTPSServerTrustEvaluation(bool canHandle)
>+{
>+ WKRetainPtr<WKStringRef> messageName(AdoptWK, WKStringCreateWithUTF8CString("SetCanHandleHTTPSServerTrustEvaluation"));
>+ WKRetainPtr<WKBooleanRef> messageBody(AdoptWK, WKBooleanCreate(canHandle));
>+ WKBundlePostSynchronousMessage(InjectedBundle::singleton().bundle(), messageName.get(), messageBody.get(), nullptr);
>+}
>+
>+bool TestRunner::canDoServerTrustEvaluationInNetworkProcess()
>+{
>+ WKRetainPtr<WKStringRef> messageName(AdoptWK, WKStringCreateWithUTF8CString("CanDoServerTrustEvaluationInNetworkProcess"));
>+ WKTypeRef returnData = nullptr;
>+ WKBundlePagePostSynchronousMessageForTesting(InjectedBundle::singleton().page()->page(), messageName.get(), nullptr, &returnData);
>+ ASSERT(WKGetTypeID(returnData) == WKBooleanGetTypeID());
>+ return WKBooleanGetValue(adoptWK(static_cast<WKBooleanRef>(returnData)).get());
>+}
>+
>+unsigned long TestRunner::serverTrustEvaluationCallbackCallsCount()
>+{
>+ WKRetainPtr<WKStringRef> messageName(AdoptWK, WKStringCreateWithUTF8CString("ServerTrustEvaluationCallbackCallsCount"));
>+ WKTypeRef returnData = nullptr;
>+ WKBundlePagePostSynchronousMessageForTesting(InjectedBundle::singleton().page()->page(), messageName.get(), nullptr, &returnData);
>+ ASSERT(WKGetTypeID(returnData) == WKUInt64GetTypeID());
>+ return WKUInt64GetValue(adoptWK(static_cast<WKUInt64Ref>(returnData)).get());
>+}
>+
> } // namespace WTR
>diff --git a/Tools/WebKitTestRunner/InjectedBundle/TestRunner.h b/Tools/WebKitTestRunner/InjectedBundle/TestRunner.h
>index a401999f412e9bd3932ab81c84b7773d5df073f3..94a9a153fdef7c6c10ac744ad267f5c67c526792 100644
>--- a/Tools/WebKitTestRunner/InjectedBundle/TestRunner.h
>+++ b/Tools/WebKitTestRunner/InjectedBundle/TestRunner.h
>@@ -481,6 +481,10 @@ public:
> void cleanUpKeychain(JSStringRef attrLabel);
> bool keyExistsInKeychain(JSStringRef attrLabel, JSStringRef applicationTagBase64);
>
>+ void setCanHandleHTTPSServerTrustEvaluation(bool canHandle);
>+ bool canDoServerTrustEvaluationInNetworkProcess();
>+ unsigned long serverTrustEvaluationCallbackCallsCount();
>+
> private:
> TestRunner();
>
>diff --git a/Tools/WebKitTestRunner/TestController.cpp b/Tools/WebKitTestRunner/TestController.cpp
>index 0cff71956db9c428bb517b4d6cd3accb941be4d8..92e160a615890d336924c560f433ab0ed255a944 100644
>--- a/Tools/WebKitTestRunner/TestController.cpp
>+++ b/Tools/WebKitTestRunner/TestController.cpp
>@@ -824,6 +824,8 @@ void TestController::resetPreferencesToConsistentValues(const TestOptions& optio
>
> WKPreferencesSetWebSQLDisabled(preferences, false);
>
>+ m_serverTrustEvaluationCallbackCallsCount = 0;
>+
> platformResetPreferencesToConsistentValues();
> }
>
>@@ -2060,6 +2062,8 @@ void TestController::didReceiveAuthenticationChallenge(WKPageRef page, WKAuthent
> // Any non-empty credential signals to accept the server trust. Since the cross-platform API
> // doesn't expose a way to create a credential from server trust, we use a password credential.
>
>+ m_serverTrustEvaluationCallbackCallsCount++;
>+
> WKRetainPtr<WKCredentialRef> credential = adoptWK(WKCredentialCreate(toWK("accept server trust").get(), toWK("").get(), kWKCredentialPersistenceNone));
> WKAuthenticationDecisionListenerUseCredential(decisionListener, credential.get());
> return;
>@@ -3223,6 +3227,12 @@ bool TestController::keyExistsInKeychain(const String&, const String&)
> {
> return false;
> }
>+
>+bool TestController::canDoServerTrustEvaluationInNetworkProcess() const
>+{
>+ return false;
>+}
>+
> #endif
>
> void TestController::sendDisplayConfigurationChangedMessageForTesting()
>diff --git a/Tools/WebKitTestRunner/TestController.h b/Tools/WebKitTestRunner/TestController.h
>index 2058c79ecfaa5dce314fa62850f7dcbd0ba3fa27..25ec904be42b2cdc3094e1ebeab3d7f97d4a95e2 100644
>--- a/Tools/WebKitTestRunner/TestController.h
>+++ b/Tools/WebKitTestRunner/TestController.h
>@@ -281,6 +281,9 @@ public:
> UIKeyboardInputMode *overriddenKeyboardInputMode() const { return m_overriddenKeyboardInputMode.get(); }
> #endif
>
>+ bool canDoServerTrustEvaluationInNetworkProcess() const;
>+ uint64_t serverTrustEvaluationCallbackCallsCount() const { return m_serverTrustEvaluationCallbackCallsCount; }
>+
> private:
> WKRetainPtr<WKPageConfigurationRef> generatePageConfiguration(WKContextConfigurationRef);
> WKRetainPtr<WKContextConfigurationRef> generateContextConfiguration() const;
>@@ -534,6 +537,8 @@ private:
> { }
> };
> HashMap<uint64_t, AbandonedDocumentInfo> m_abandonedDocumentInfo;
>+
>+ uint64_t m_serverTrustEvaluationCallbackCallsCount { 0 };
> };
>
> struct TestCommand {
>diff --git a/Tools/WebKitTestRunner/TestInvocation.cpp b/Tools/WebKitTestRunner/TestInvocation.cpp
>index 1fedd8b1f1efd56973a4e3c1377c2f16b3a832c1..429ce29b520118df248a031af7e45382b3587474 100644
>--- a/Tools/WebKitTestRunner/TestInvocation.cpp
>+++ b/Tools/WebKitTestRunner/TestInvocation.cpp
>@@ -1522,6 +1522,23 @@ WKRetainPtr<WKTypeRef> TestInvocation::didReceiveSynchronousMessageFromInjectedB
> return result;
> }
>
>+ if (WKStringIsEqualToUTF8CString(messageName, "SetCanHandleHTTPSServerTrustEvaluation")) {
>+ ASSERT(WKGetTypeID(messageBody) == WKBooleanGetTypeID());
>+ auto canHandle = WKBooleanGetValue(static_cast<WKBooleanRef>(messageBody));
>+ WKContextSetCanHandleHTTPSServerTrustEvaluation(TestController::singleton().context(), canHandle);
>+ return nullptr;
>+ }
>+
>+ if (WKStringIsEqualToUTF8CString(messageName, "CanDoServerTrustEvaluationInNetworkProcess")) {
>+ WKRetainPtr<WKTypeRef> result(AdoptWK, WKBooleanCreate(TestController::singleton().canDoServerTrustEvaluationInNetworkProcess()));
>+ return result;
>+ }
>+
>+ if (WKStringIsEqualToUTF8CString(messageName, "ServerTrustEvaluationCallbackCallsCount")) {
>+ WKRetainPtr<WKTypeRef> result(AdoptWK, WKUInt64Create(TestController::singleton().serverTrustEvaluationCallbackCallsCount()));
>+ return result;
>+ }
>+
> ASSERT_NOT_REACHED();
> return nullptr;
> }
>diff --git a/Tools/WebKitTestRunner/cocoa/TestControllerCocoa.mm b/Tools/WebKitTestRunner/cocoa/TestControllerCocoa.mm
>index 363a2c6e114d57d8baf1781df61a1364c520c209..08b46b113f4c18ca04b7caa2a49258fbd4f2f535 100644
>--- a/Tools/WebKitTestRunner/cocoa/TestControllerCocoa.mm
>+++ b/Tools/WebKitTestRunner/cocoa/TestControllerCocoa.mm
>@@ -405,4 +405,13 @@ void TestController::allowCacheStorageQuotaIncrease()
> #endif
> }
>
>+bool TestController::canDoServerTrustEvaluationInNetworkProcess() const
>+{
>+#if HAVE(CFNETWORK_NSURLSESSION_STRICTRUSTEVALUATE)
>+ return true;
>+#else
>+ return false;
>+#endif
>+}
>+
> } // namespace WTR
>diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
>index 4dc94e86f7a6b197487fef703807dfcee2eac20d..bc59b9798fc3846c80577aa653234ef68ac46218 100644
>--- a/LayoutTests/ChangeLog
>+++ b/LayoutTests/ChangeLog
>@@ -1,3 +1,13 @@
>+2019-01-29 Youenn Fablet <youenn@apple.com>
>+
>+ Adopt new SPI to evaluate server certificate trust
>+ https://bugs.webkit.org/show_bug.cgi?id=193355
>+
>+ Reviewed by Alex Christensen.
>+
>+ * http/tests/ssl/certificate-validation-expected.txt: Added.
>+ * http/tests/ssl/certificate-validation.html: Added.
>+
> 2019-01-28 Antoine Quint <graouts@apple.com>
>
> Limit user-agent interactions based on the touch-action property on iOS
>diff --git a/LayoutTests/http/tests/ssl/certificate-validation-expected.txt b/LayoutTests/http/tests/ssl/certificate-validation-expected.txt
>new file mode 100644
>index 0000000000000000000000000000000000000000..da84a0577eef9a2c50ea497d2dfc570f27f63d24
>--- /dev/null
>+++ b/LayoutTests/http/tests/ssl/certificate-validation-expected.txt
>@@ -0,0 +1,3 @@
>+
>+PASS Certificate validation in Network Process
>+
>diff --git a/LayoutTests/http/tests/ssl/certificate-validation.html b/LayoutTests/http/tests/ssl/certificate-validation.html
>new file mode 100644
>index 0000000000000000000000000000000000000000..30e63d2765ef27ba11e688b0b5542601074662ff
>--- /dev/null
>+++ b/LayoutTests/http/tests/ssl/certificate-validation.html
>@@ -0,0 +1,46 @@
>+<!DOCTYPE html>
>+<html>
>+<head>
>+<title>Certificate validation in Network Process</title>
>+<script src="/resources/testharness.js"></script>
>+<script src="/resources/testharnessreport.js"></script>
>+</head>
>+<body>
>+<script>
>+function with_iframe(url) {
>+ return new Promise(function(resolve) {
>+ var frame = document.createElement('iframe');
>+ frame.className = 'test-iframe';
>+ frame.src = url;
>+ frame.onload = function() { resolve(frame); };
>+ document.body.appendChild(frame);
>+ });
>+}
>+
>+async function doTest()
>+{
>+ assert_true(!!window.testRunner, "Test requires testRunner");
>+
>+ if (!window.testRunner.canDoServerTrustEvaluationInNetworkProcess)
>+ return;
>+
>+ window.testRunner.setAllowsAnySSLCertificate(false);
>+ // This should trigger network process server trust evaluation.
>+ window.testRunner.setCanHandleHTTPSServerTrustEvaluation(false);
>+
>+ // Crash network process to make sure we create new HTTPS connections.
>+ window.testRunner.terminateNetworkProcess();
>+
>+ const currentCallbackCounts = window.testRunner.serverTrustEvaluationCallbackCallsCount;
>+
>+ const iframe = await with_iframe("https://localhost:8443");
>+ iframe.remove();
>+
>+ assert_equals(window.testRunner.serverTrustEvaluationCallbackCallsCount - currentCallbackCounts, 1);
>+}
>+
>+doTest().then(done, (e) => { assert_unreached("test failed: " + e); done(); });
>+
>+</script>
>+</body>
>+</html>
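Review bot: `doTest()` switches off `setAllowsAnySSLCertificate` and `setCanHandleHTTPSServerTrustEvaluation` and never restores them, and the only reset this patch adds to `resetPreferencesToConsistentValues` is for the call counter, so unless the context setting is reset somewhere not shown here, later tests in the same runner inherit network-process trust evaluation. Restoring at the end of `doTest()` would contain it, e.g. `window.testRunner.setCanHandleHTTPSServerTrustEvaluation(true);`, assuming `true` is the runner's default. The test also checks only that the UIProcess callback fired once, not whether the iframe load was then allowed. Finally, the early `return` on `canDoServerTrustEvaluationInNetworkProcess` is a compile-time answer from TestControllerCocoa.mm, while the network process decides with `respondsToSelector:` at run time, so the two can disagree on an SDK/OS mismatch.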