Merge pull request nwjs#2561 from fancycode/additional_trust_anchors

rogerwang · rogerwang · commit eb174f11dfd6 · 2014-11-13T14:47:48.000+08:00
Support setting additional root certificates on supported platforms.
diff --git a/src/net/shell_url_request_context_getter.cc b/src/net/shell_url_request_context_getter.cc
@@ -37,6 +37,8 @@
 #include "content/nw/src/nw_shell.h"
 #include "content/nw/src/shell_content_browser_client.h"
 #include "net/cert/cert_verifier.h"
+#include "net/cert/cert_verify_proc.h"
+#include "net/cert/multi_threaded_cert_verifier.h"
 #include "net/dns/host_resolver.h"
 #include "net/dns/mapped_host_resolver.h"
 #include "net/ssl/ssl_config_service_defaults.h"
@@ -205,7 +207,14 @@ net::URLRequestContext* ShellURLRequestContextGetter::GetURLRequestContext() {
     scoped_ptr<net::HostResolver> host_resolver(
         net::HostResolver::CreateDefaultResolver(NULL));
 
-    storage_->set_cert_verifier(net::CertVerifier::CreateDefault());
+    net::CertVerifyProc *verify_proc = net::CertVerifyProc::CreateDefault();
+    if (!verify_proc->SupportsAdditionalTrustAnchors()) {
+      LOG(WARNING)
+        << "Additional trust anchors not supported on the current platform!";
+    }
+    net::MultiThreadedCertVerifier *verifier = new net::MultiThreadedCertVerifier(verify_proc);
+    verifier->SetCertTrustAnchorProvider(this);
+    storage_->set_cert_verifier(verifier);
     storage_->set_transport_security_state(new net::TransportSecurityState);
 
     net::ProxyService* proxy_service;
@@ -296,6 +305,17 @@ net::HostResolver* ShellURLRequestContextGetter::host_resolver() {
   return url_request_context_->host_resolver();
 }
 
+void ShellURLRequestContextGetter::SetAdditionalTrustAnchors(const net::CertificateList& trust_anchors)
+{
+  DCHECK(content::BrowserThread::CurrentlyOn(content::BrowserThread::IO));
+  trust_anchors_ = trust_anchors;
+}
+
+const net::CertificateList& ShellURLRequestContextGetter::GetAdditionalTrustAnchors() {
+  DCHECK(content::BrowserThread::CurrentlyOn(content::BrowserThread::IO));
+  return trust_anchors_;
+}
+
 net::HttpAuthHandlerFactory* ShellURLRequestContextGetter::CreateDefaultAuthHandlerFactory(
     net::HostResolver* resolver) {
   net::HttpAuthFilterWhitelist* auth_filter_default_credentials = NULL;
diff --git a/src/net/shell_url_request_context_getter.h b/src/net/shell_url_request_context_getter.h
@@ -26,6 +26,7 @@
 #include "base/memory/ref_counted.h"
 #include "base/memory/scoped_ptr.h"
 #include "content/public/browser/content_browser_client.h"
+#include "net/cert/cert_trust_anchor_provider.h"
 #include "net/url_request/url_request_context_getter.h"
 #include "net/url_request/url_request_job_factory.h"
 
@@ -47,7 +48,7 @@ namespace content {
 
 class ShellBrowserContext;
 
- class ShellURLRequestContextGetter : public net::URLRequestContextGetter {
+ class ShellURLRequestContextGetter : public net::URLRequestContextGetter, public net::CertTrustAnchorProvider {
  public:
   ShellURLRequestContextGetter(
       bool ignore_certificate_errors,
@@ -69,6 +70,11 @@ class ShellBrowserContext;
 
   net::HostResolver* host_resolver();
 
+  void SetAdditionalTrustAnchors(const net::CertificateList& trust_anchors);
+
+  // net::CertTrustAnchorProvider implementation.
+  virtual const net::CertificateList& GetAdditionalTrustAnchors() OVERRIDE;
+
  protected:
   virtual ~ShellURLRequestContextGetter();
   net::HttpAuthHandlerFactory* CreateDefaultAuthHandlerFactory(net::HostResolver* resolver);
@@ -85,6 +91,7 @@ class ShellBrowserContext;
   std::string auth_delegate_whitelist_;
   std::string gssapi_library_name_;
   // std::vector<GURL> spdyproxy_auth_origins_;
+  net::CertificateList trust_anchors_;
 
   base::MessageLoop* io_loop_;
   base::MessageLoop* file_loop_;
diff --git a/src/shell_browser_context.cc b/src/shell_browser_context.cc
@@ -35,6 +35,7 @@
 #include "content/nw/src/common/shell_switches.h"
 #include "content/nw/src/net/shell_url_request_context_getter.h"
 #include "content/nw/src/nw_package.h"
+#include "net/cert/x509_certificate.h"
 
 #if defined(OS_WIN)
 #include "base/base_paths_win.h"
@@ -190,6 +191,36 @@ net::URLRequestContextGetter* ShellBrowserContext::CreateRequestContext(
       auth_schemes, auth_server_whitelist, auth_delegate_whitelist,
       gssapi_library_name);
 
+  const base::ListValue *additional_trust_anchors = NULL;
+  if (package_->root()->GetList("additional_trust_anchors", &additional_trust_anchors)) {
+    net::CertificateList trust_anchors;
+    for (size_t i=0; i<additional_trust_anchors->GetSize(); i++) {
+      std::string certificate_string;
+      if (!additional_trust_anchors->GetString(i, &certificate_string)) {
+        LOG(WARNING)
+          << "Could not get string from entry " << i;
+        continue;
+      }
+
+      net::CertificateList loaded =
+          net::X509Certificate::CreateCertificateListFromBytes(
+              certificate_string.c_str(), certificate_string.size(),
+              net::X509Certificate::FORMAT_AUTO);
+      if (loaded.empty() && !certificate_string.empty()) {
+        LOG(WARNING)
+          << "Could not load certificate from entry " << i;
+        continue;
+      }
+
+      trust_anchors.insert(trust_anchors.end(), loaded.begin(), loaded.end());
+    }
+    if (!trust_anchors.empty()) {
+      LOG(INFO)
+        << "Added " << trust_anchors.size() << " certificates to trust anchors.";
+      url_request_getter_->SetAdditionalTrustAnchors(trust_anchors);
+    }
+  }
+
   resource_context_->set_url_request_context_getter(url_request_getter_.get());
   return url_request_getter_.get();
 }
