+2018-10-23 Claudio Saavedra <csaavedra@igalia.com>
+
+ [WPE][GTK] Pass full certificate chain in CertificateInfo coder
+ https://bugs.webkit.org/show_bug.cgi?id=190789
+
+ Reviewed by Michael Catanzaro.
+
+ When the network process serializes certificate data to other
+ processes through the argument coders, the certificate chain, if
+ present, is lost. In practice this means that applications using
+ the public API to process certificate info have no details on the
+ certificate chain, other than the very basics included in the
+ certificate. Serialize the entire chain if available in the
+ certificate.
+
+ * Shared/soup/WebCoreArgumentCodersSoup.cpp:
+ (IPC::ArgumentCoder<CertificateInfo>::encode): Encode the
+ certificate chain if present.
+ (IPC::ArgumentCoder<CertificateInfo>::decode): Decode the
+ entire certificate chain and rebuild it.
+
2018-10-22 Keith Rollin <krollin@apple.com>
Use Location = "Relative to Build Products" rather than "Relative to Group"
void ArgumentCoder<CertificateInfo>::encode(Encoder& encoder, const CertificateInfo& certificateInfo)
{
if (!certificateInfo.certificate()) {
- encoder << false;
+ encoder << 0;
return;
}
+ uint32_t chainLength = 0;
+ GTlsCertificate* certificate = certificateInfo.certificate();
GByteArray* certificateData = 0;
- g_object_get(G_OBJECT(certificateInfo.certificate()), "certificate", &certificateData, NULL);
- if (!certificateData) {
- encoder << false;
+ Vector<GByteArray*> certificatesDataList;
+
+ do {
+ g_object_get(G_OBJECT(certificate), "certificate", &certificateData, NULL);
+
+ if (!certificateData)
+ break;
+
+ certificatesDataList.append(certificateData);
+ chainLength++;
+
+ certificate = g_tls_certificate_get_issuer(certificate);
+ } while (certificate);
+
+ encoder << chainLength;
+
+ if (!chainLength)
return;
+
+ // Encode starting from the root certificate.
+ for (uint32_t i = chainLength; i > 0; i--) {
+ GRefPtr<GByteArray> certificate = adoptGRef(certificatesDataList[i - 1]);
+ encoder.encodeVariableLengthByteArray(IPC::DataReference(certificate->data, certificate->len));
}
- encoder << true;
- GRefPtr<GByteArray> certificate = adoptGRef(certificateData);
- encoder.encodeVariableLengthByteArray(IPC::DataReference(certificate->data, certificate->len));
encoder << static_cast<uint32_t>(certificateInfo.tlsErrors());
}
bool ArgumentCoder<CertificateInfo>::decode(Decoder& decoder, CertificateInfo& certificateInfo)
{
- bool hasCertificate;
- if (!decoder.decode(hasCertificate))
+ uint32_t chainLength;
+ if (!decoder.decode(chainLength))
return false;
- if (!hasCertificate)
+ if (!chainLength)
return true;
- IPC::DataReference certificateDataReference;
- if (!decoder.decodeVariableLengthByteArray(certificateDataReference))
- return false;
+ GTlsCertificate* issuer = nullptr;
+ GTlsBackend* backend = g_tls_backend_get_default();
+ GRefPtr<GTlsCertificate> certificate;
+ for (uint32_t i = 0; i < chainLength; i++) {
+ IPC::DataReference certificateDataReference;
+ if (!decoder.decodeVariableLengthByteArray(certificateDataReference))
+ return false;
- GByteArray* certificateData = g_byte_array_sized_new(certificateDataReference.size());
- certificateData = g_byte_array_append(certificateData, certificateDataReference.data(), certificateDataReference.size());
- GRefPtr<GByteArray> certificateBytes = adoptGRef(certificateData);
+ GByteArray* certificateData = g_byte_array_sized_new(certificateDataReference.size());
+ certificateData = g_byte_array_append(certificateData, certificateDataReference.data(), certificateDataReference.size());
+ GRefPtr<GByteArray> certificateBytes = adoptGRef(certificateData);
- GTlsBackend* backend = g_tls_backend_get_default();
- GRefPtr<GTlsCertificate> certificate = adoptGRef(G_TLS_CERTIFICATE(g_initable_new(
- g_tls_backend_get_certificate_type(backend), 0, 0, "certificate", certificateBytes.get(), nullptr)));
- certificateInfo.setCertificate(certificate.get());
+ certificate = adoptGRef(G_TLS_CERTIFICATE(g_initable_new(
+ g_tls_backend_get_certificate_type(backend), 0, 0, "certificate", certificateBytes.get(), "issuer", issuer, nullptr)));
+
+ issuer = certificate.get();
+ }
uint32_t tlsErrors;
if (!decoder.decode(tlsErrors))
return false;
+
+ certificateInfo.setCertificate(certificate.get());
certificateInfo.setTLSErrors(static_cast<GTlsCertificateFlags>(tlsErrors));
return true;
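Review bot: The certificate produced by `g_initable_new` in decode is never checked for null; that call can return nullptr when the backend rejects the bytes (the error argument is nullptr, so the failure is silent), after which `issuer = certificate.get()` becomes nullptr, the following element is built with no issuer, and decode returns true carrying a truncated or empty chain rather than failing. Add `if (!certificate) return false;` before `issuer = certificate.get();`. The pre-existing single-certificate code had the same gap, but now a malformed element in the middle of the chain silently detaches everything after it, which matters more when the chain is exactly what callers will inspect. Separately, the no-certificate path in encode writes `encoder << 0` (an int) while decode reads a `uint32_t`; `encoder << static_cast<uint32_t>(0);` keeps the wire type explicit and consistent with the `chainLength` path. The closing brace of decode lies outside the hunk.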
+2018-10-23 Claudio Saavedra <csaavedra@igalia.com>
+
+ [WPE][GTK] Pass full certificate chain in CertificateInfo coder
+ https://bugs.webkit.org/show_bug.cgi?id=190789
+
+ Reviewed by Michael Catanzaro.
+
+ When the network process serializes certificate data to other
+ processes through the argument coders, the certificate chain, if
+ present, is lost. In practice this means that applications using
+ the public API to process certificate info have no details on the
+ certificate chain, other than the very basics included in the
+ certificate. Serialize the entire chain if available in the
+ certificate.
+
+ * TestWebKitAPI/Tests/WebKitGLib/TestSSL.cpp:
+ (testSSL): Test that the self-signed certificate has no bogus
+ issuer certificate.
+
2018-10-22 Tim Horton <timothy_horton@apple.com>
REGRESSION (r237331): InteractionDeadlockAfterCrash API test fails