[Curl] Allow passing contents of Root CA data directly.
authorBasuke.Suzuki@sony.com <Basuke.Suzuki@sony.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 20 Jun 2018 02:58:26 +0000 (02:58 +0000)
committerBasuke.Suzuki@sony.com <Basuke.Suzuki@sony.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 20 Jun 2018 02:58:26 +0000 (02:58 +0000)
https://bugs.webkit.org/show_bug.cgi?id=185782

Currently the data must be in a file and set by its path. This patch
allow application to set root CA data by passing binary data directly.

Reviewed by Yusuke Suzuki.

No new tests. Tested internally.

* platform/network/curl/CurlRequest.cpp:
(WebCore::CurlRequest::setupTransfer):
* platform/network/curl/CurlSSLHandle.cpp:
(WebCore::CurlSSLHandle::CurlSSLHandle):
(WebCore::CurlSSLHandle::getCACertPathEnv):
(WebCore::CurlSSLHandle::setCACertPath):
(WebCore::CurlSSLHandle::setCACertData):
(WebCore::CurlSSLHandle::clearCACertInfo):
* platform/network/curl/CurlSSLHandle.h:
(WebCore::CurlSSLHandle::getCipherList const):
(WebCore::CurlSSLHandle::getSignatureAlgorithmsList const):
(WebCore::CurlSSLHandle::getCurvesList const):
(WebCore::CurlSSLHandle::setCipherList):
(WebCore::CurlSSLHandle::setSignatureAlgorithmsList):
(WebCore::CurlSSLHandle::setCurvesList):
(WebCore::CurlSSLHandle::setIgnoreSSLErrors):
(WebCore::CurlSSLHandle::getCACertInfo const):
(WebCore::CurlSSLHandle::getCACertPath const): Deleted.
(WebCore::CurlSSLHandle::setCACertPath): Deleted.
* platform/network/curl/CurlSSLVerifier.cpp:
(WebCore::CurlSSLVerifier::CurlSSLVerifier):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@233002 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebCore/ChangeLog
Source/WebCore/platform/network/curl/CurlRequest.cpp
Source/WebCore/platform/network/curl/CurlSSLHandle.cpp
Source/WebCore/platform/network/curl/CurlSSLHandle.h
Source/WebCore/platform/network/curl/CurlSSLVerifier.cpp

index 1e5a7e3..b576465 100644 (file)
@@ -1,3 +1,37 @@
+2018-06-19  Basuke Suzuki  <Basuke.Suzuki@sony.com>
+
+        [Curl] Allow passing contents of Root CA data directly.
+        https://bugs.webkit.org/show_bug.cgi?id=185782
+
+        Currently the data must be in a file and set by its path. This patch
+        allow application to set root CA data by passing binary data directly.
+
+        Reviewed by Yusuke Suzuki.
+
+        No new tests. Tested internally.
+
+        * platform/network/curl/CurlRequest.cpp:
+        (WebCore::CurlRequest::setupTransfer):
+        * platform/network/curl/CurlSSLHandle.cpp:
+        (WebCore::CurlSSLHandle::CurlSSLHandle):
+        (WebCore::CurlSSLHandle::getCACertPathEnv):
+        (WebCore::CurlSSLHandle::setCACertPath):
+        (WebCore::CurlSSLHandle::setCACertData):
+        (WebCore::CurlSSLHandle::clearCACertInfo):
+        * platform/network/curl/CurlSSLHandle.h:
+        (WebCore::CurlSSLHandle::getCipherList const):
+        (WebCore::CurlSSLHandle::getSignatureAlgorithmsList const):
+        (WebCore::CurlSSLHandle::getCurvesList const):
+        (WebCore::CurlSSLHandle::setCipherList):
+        (WebCore::CurlSSLHandle::setSignatureAlgorithmsList):
+        (WebCore::CurlSSLHandle::setCurvesList):
+        (WebCore::CurlSSLHandle::setIgnoreSSLErrors):
+        (WebCore::CurlSSLHandle::getCACertInfo const):
+        (WebCore::CurlSSLHandle::getCACertPath const): Deleted.
+        (WebCore::CurlSSLHandle::setCACertPath): Deleted.
+        * platform/network/curl/CurlSSLVerifier.cpp:
+        (WebCore::CurlSSLVerifier::CurlSSLVerifier):
+
 2018-06-19  Dean Jackson  <dino@apple.com>
 
         ARKit badge drop shadow updates its blur radius based on page zoom
index 6e07060..b6b5dfd 100644 (file)
@@ -233,7 +233,8 @@ CURL* CurlRequest::setupTransfer()
         m_curlHandle->setSslKeyPassword(sslClientCertificate->second.utf8().data());
     }
 
-    m_curlHandle->setCACertPath(sslHandle.getCACertPath().utf8().data());
+    if (auto path = WTF::get_if<String>(sslHandle.getCACertInfo()))
+        m_curlHandle->setCACertPath(path->utf8().data());
 
     if (m_shouldSuspend)
         setRequestPaused(true);
index e84f776..4c5c0e8 100644 (file)
 namespace WebCore {
 
 CurlSSLHandle::CurlSSLHandle()
-    : m_caCertPath(getCACertPathEnv())
 {
-    char* ignoreSSLErrors = getenv("WEBKIT_IGNORE_SSL_ERRORS");
-    if (ignoreSSLErrors)
-        m_ignoreSSLErrors = true;
+    auto caCertPath = getCACertPathEnv();
+    if (!caCertPath.isEmpty())
+        setCACertPath(WTFMove(caCertPath));
 
 #if NEED_OPENSSL_THREAD_SUPPORT
     ThreadSupport::setup();
@@ -67,8 +66,8 @@ String CurlSSLHandle::getCACertPathEnv()
         RetainPtr<CFURLRef> certURLRef = adoptCF(CFBundleCopyResourceURL(webKitBundleRef, CFSTR("cacert"), CFSTR("pem"), CFSTR("certificates")));
         if (certURLRef) {
             char path[MAX_PATH];
-            CFURLGetFileSystemRepresentation(certURLRef.get(), false, reinterpret_cast<UInt8*>(path), MAX_PATH);
-            return String(path);
+            if (CFURLGetFileSystemRepresentation(certURLRef.get(), false, reinterpret_cast<UInt8*>(path), MAX_PATH) && *path)
+                return String(path);
         }
     }
 #endif
@@ -76,6 +75,23 @@ String CurlSSLHandle::getCACertPathEnv()
     return String();
 }
 
+void CurlSSLHandle::setCACertPath(String&& caCertPath)
+{
+    RELEASE_ASSERT(!caCertPath.isEmpty());
+    m_caCertInfo = WTFMove(caCertPath);
+}
+
+void CurlSSLHandle::setCACertData(Vector<char>&& caCertData)
+{
+    RELEASE_ASSERT(!caCertData.isEmpty());
+    m_caCertInfo = WTFMove(caCertData);
+}
+
+void CurlSSLHandle::clearCACertInfo()
+{
+    m_caCertInfo = WTF::Monostate { };
+}
+
 void CurlSSLHandle::setHostAllowsAnyHTTPSCertificate(const String& hostName)
 {
     LockHolder mutex(m_mutex);
index 1ff8457..6d57f53 100644 (file)
@@ -31,6 +31,7 @@
 #include <wtf/ListHashSet.h>
 #include <wtf/NeverDestroyed.h>
 #include <wtf/Noncopyable.h>
+#include <wtf/Variant.h>
 #include <wtf/text/StringHash.h>
 
 // all version of LibreSSL and OpenSSL prior to 1.1.0 need thread support
@@ -48,26 +49,31 @@ class CurlSSLHandle {
     using ClientCertificate = std::pair<String, String>;
 
 public:
+    using CACertInfo = Variant<Monostate, String, Vector<char>>;
+
     CurlSSLHandle();
 
-    String getCipherList() const { return m_cipherList; }
-    String getSignatureAlgorithmsList() const { return m_signatureAlgorithmsList; }
-    String getCurvesList() const { return m_curvesList; }
+    const String& getCipherList() const { return m_cipherList; }
+    const String& getSignatureAlgorithmsList() const { return m_signatureAlgorithmsList; }
+    const String& getCurvesList() const { return m_curvesList; }
 
-    void setCipherList(String&& cipherList) { m_cipherList = WTFMove(cipherList); }
-    void setSignatureAlgorithmsList(String&& signatureAlgorithmsList) { m_signatureAlgorithmsList = WTFMove(signatureAlgorithmsList); }
-    void setCurvesList(String&& curvesList) { m_curvesList = WTFMove(curvesList); }
+    WEBCORE_EXPORT void setCipherList(String&& data) { m_cipherList = WTFMove(data); }
+    WEBCORE_EXPORT void setSignatureAlgorithmsList(String&& data) { m_signatureAlgorithmsList = WTFMove(data); }
+    WEBCORE_EXPORT void setCurvesList(String&& data) { m_curvesList = WTFMove(data); }
 
     bool shouldIgnoreSSLErrors() const { return m_ignoreSSLErrors; }
+    WEBCORE_EXPORT void setIgnoreSSLErrors(bool flag) { m_ignoreSSLErrors = flag; }
 
-    String getCACertPath() const { return m_caCertPath; }
-    void setCACertPath(String&& caCertPath) { m_caCertPath = WTFMove(caCertPath); }
+    const CACertInfo& getCACertInfo() const { return m_caCertInfo; }
+    WEBCORE_EXPORT void setCACertPath(String&&);
+    WEBCORE_EXPORT void setCACertData(Vector<char>&&);
+    WEBCORE_EXPORT void clearCACertInfo();
 
     WEBCORE_EXPORT void setHostAllowsAnyHTTPSCertificate(const String&);
     bool isAllowedHTTPSCertificateHost(const String&);
     bool canIgnoredHTTPSCertificate(const String&, const ListHashSet<String>&);
 
-    void setClientCertificateInfo(const String&, const String&, const String&);
+    WEBCORE_EXPORT void setClientCertificateInfo(const String&, const String&, const String&);
     std::optional<ClientCertificate> getSSLClientCertificate(const String&);
 
 private:
@@ -100,13 +106,12 @@ private:
 
     String getCACertPathEnv();
 
-    bool m_ignoreSSLErrors { false };
-
     String m_cipherList;
     String m_signatureAlgorithmsList;
     String m_curvesList;
+    CACertInfo m_caCertInfo;
 
-    String m_caCertPath;
+    bool m_ignoreSSLErrors { false };
 
     Lock m_mutex;
     HashMap<String, ListHashSet<String>, ASCIICaseInsensitiveHash> m_allowedHosts;
index 8475e5c..3209c8b 100644 (file)
@@ -44,6 +44,11 @@ CurlSSLVerifier::CurlSSLVerifier(CurlHandle* curlHandle, const String& hostName,
     SSL_CTX_set_app_data(ctx, this);
     SSL_CTX_set_verify(ctx, SSL_CTX_get_verify_mode(ctx), certVerifyCallback);
 
+#if defined(LIBRESSL_VERSION_NUMBER)
+    if (auto data = WTF::get_if<Vector<char>>(sslHandle.getCACertInfo()))
+        SSL_CTX_load_verify_mem(ctx, static_cast<void*>(const_cast<char*>(data->data())), data->size());
+#endif
+
 #if (!defined(LIBRESSL_VERSION_NUMBER))
     auto signatureAlgorithmsList = sslHandle.getSignatureAlgorithmsList();
     if (!signatureAlgorithmsList.isEmpty())