<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[181317] trunk/Source</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/181317">181317</a></dd>
<dt>Author</dt> <dd>mitz@apple.com</dd>
<dt>Date</dt> <dd>2015-03-10 00:34:06 -0700 (Tue, 10 Mar 2015)</dd>
</dl>

<h3>Log Message</h3>
<pre>
Source/WebCore:
WebCore part of &lt;rdar://problem/20086546&gt; [Cocoa] Add an option to treat certificate chains with SHA1-signed certificates as insecure
https://bugs.webkit.org/show_bug.cgi?id=142461

Reviewed by Sam Weinig.

* WebCore.xcodeproj/project.pbxproj: Added reference to SecuritySPI.h and sorted the
spi/cocoa group.

* platform/network/cf/CertificateInfo.h: Declared new member function
containsNonRootSHA1SignedCertificate.

* platform/network/mac/CertificateInfoMac.mm:
(WebCore::CertificateInfo::containsNonRootSHA1SignedCertificate): Added. Checks if any but
the last certificate in the chain uses SHA-1 as its signature hash algorithm.

* platform/network/curl/CertificateInfo.h:
(WebCore::CertificateInfo::containsNonRootSHA1SignedCertificate): Added notImplemented
implementation.

* platform/network/soup/CertificateInfo.h:
(WebCore::CertificateInfo::containsNonRootSHA1SignedCertificate): Ditto.

* platform/spi/cocoa/SecuritySPI.h: Added.

Source/WebKit2:
WebKit2 part of &lt;rdar://problem/20086546&gt; [Cocoa] Add an option to treat certificate chains with SHA1-signed certificates as insecure
https://bugs.webkit.org/show_bug.cgi?id=142461

Reviewed by Sam Weinig.

* UIProcess/API/Cocoa/WKWebView.mm:
(-[WKWebView initWithFrame:configuration:]): Initialize
webPageConfiguration.treatsSHA1SignedCertificatesAsInsecure from the WKWebViewConfiguration.

* UIProcess/API/Cocoa/WKWebViewConfiguration.mm:
Added _treatsSHA1SignedCertificatesAsInsecure ivar.
(-[WKWebViewConfiguration copyWithZone:]): Copy _treatsSHA1SignedCertificatesAsInsecure.
(-[WKWebViewConfiguration _treatsSHA1SignedCertificatesAsInsecure]): Added this getter.
(-[WKWebViewConfiguration _setTreatsSHA1SignedCertificatesAsInsecure:]): Added this setter.

* UIProcess/API/Cocoa/WKWebViewConfigurationPrivate.h: Declared new
_treatsSHA1SignedCertificatesAsInsecure property.

* UIProcess/PageLoadState.cpp:
(WebKit::PageLoadState::didCommitLoad): Use new hasInsecureContent parameter to initialize
hasInsecureContent parameter in the uncommitted state.
* UIProcess/PageLoadState.h:

* UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::WebPageProxy): Initialize new m_treatsSHA1CertificatesAsInsecure
member variable from the WebPageConfiguration.
(WebKit::WebPageProxy::didCommitLoadForFrame): Pass true for the new hasInsecureContent to
PageLoadState::didCommitLoad if we are treating SHA1-signed certificates as insecure and
the certificate info contains a non-root SHA1-signed certificate.
* UIProcess/WebPageProxy.h: Added m_treatsSHA1CertificatesAsInsecure member variable.</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoreWebCorexcodeprojprojectpbxproj">trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj</a></li>
<li><a href="#trunkSourceWebCoreplatformnetworkcfCertificateInfoh">trunk/Source/WebCore/platform/network/cf/CertificateInfo.h</a></li>
<li><a href="#trunkSourceWebCoreplatformnetworkcurlCertificateInfoh">trunk/Source/WebCore/platform/network/curl/CertificateInfo.h</a></li>
<li><a href="#trunkSourceWebCoreplatformnetworkmacCertificateInfoMacmm">trunk/Source/WebCore/platform/network/mac/CertificateInfoMac.mm</a></li>
<li><a href="#trunkSourceWebCoreplatformnetworksoupCertificateInfoh">trunk/Source/WebCore/platform/network/soup/CertificateInfo.h</a></li>
<li><a href="#trunkSourceWebKit2ChangeLog">trunk/Source/WebKit2/ChangeLog</a></li>
<li><a href="#trunkSourceWebKit2UIProcessAPICocoaWKWebViewmm">trunk/Source/WebKit2/UIProcess/API/Cocoa/WKWebView.mm</a></li>
<li><a href="#trunkSourceWebKit2UIProcessAPICocoaWKWebViewConfigurationmm">trunk/Source/WebKit2/UIProcess/API/Cocoa/WKWebViewConfiguration.mm</a></li>
<li><a href="#trunkSourceWebKit2UIProcessAPICocoaWKWebViewConfigurationPrivateh">trunk/Source/WebKit2/UIProcess/API/Cocoa/WKWebViewConfigurationPrivate.h</a></li>
<li><a href="#trunkSourceWebKit2UIProcessPageLoadStatecpp">trunk/Source/WebKit2/UIProcess/PageLoadState.cpp</a></li>
<li><a href="#trunkSourceWebKit2UIProcessPageLoadStateh">trunk/Source/WebKit2/UIProcess/PageLoadState.h</a></li>
<li><a href="#trunkSourceWebKit2UIProcessWebPageProxycpp">trunk/Source/WebKit2/UIProcess/WebPageProxy.cpp</a></li>
<li><a href="#trunkSourceWebKit2UIProcessWebPageProxyh">trunk/Source/WebKit2/UIProcess/WebPageProxy.h</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#trunkSourceWebCoreplatformspicocoaSecuritySPIh">trunk/Source/WebCore/platform/spi/cocoa/SecuritySPI.h</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (181316 => 181317)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog        2015-03-10 07:15:52 UTC (rev 181316)
+++ trunk/Source/WebCore/ChangeLog        2015-03-10 07:34:06 UTC (rev 181317)
</span><span class="lines">@@ -1,3 +1,29 @@
</span><ins>+2015-03-10  Dan Bernstein  &lt;mitz@apple.com&gt;
+
+        WebCore part of &lt;rdar://problem/20086546&gt; [Cocoa] Add an option to treat certificate chains with SHA1-signed certificates as insecure
+        https://bugs.webkit.org/show_bug.cgi?id=142461
+
+        Reviewed by Sam Weinig.
+
+        * WebCore.xcodeproj/project.pbxproj: Added reference to SecuritySPI.h and sorted the
+        spi/cocoa group.
+
+        * platform/network/cf/CertificateInfo.h: Declared new member function
+        containsNonRootSHA1SignedCertificate.
+
+        * platform/network/mac/CertificateInfoMac.mm:
+        (WebCore::CertificateInfo::containsNonRootSHA1SignedCertificate): Added. Checks if any but
+        the last certificate in the chain uses SHA-1 as its signature hash algorithm.
+
+        * platform/network/curl/CertificateInfo.h:
+        (WebCore::CertificateInfo::containsNonRootSHA1SignedCertificate): Added notImplemented
+        implementation.
+
+        * platform/network/soup/CertificateInfo.h:
+        (WebCore::CertificateInfo::containsNonRootSHA1SignedCertificate): Ditto.
+
+        * platform/spi/cocoa/SecuritySPI.h: Added.
+
</ins><span class="cx"> 2015-03-09  Chris Dumez  &lt;cdumez@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         [iOS] Sweep all collected objects on critical memory pressure
</span></span></pre></div>
<a id="trunkSourceWebCoreWebCorexcodeprojprojectpbxproj"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj (181316 => 181317)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj        2015-03-10 07:15:52 UTC (rev 181316)
+++ trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj        2015-03-10 07:34:06 UTC (rev 181317)
</span><span class="lines">@@ -1325,6 +1325,7 @@
</span><span class="cx">                 339B5B63131DAA3200F48D02 /* CookiesStrategy.h in Headers */ = {isa = PBXBuildFile; fileRef = 339B5B62131DAA3200F48D02 /* CookiesStrategy.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx">                 33D0212D131DB37B004091A8 /* CookieStorage.h in Headers */ = {isa = PBXBuildFile; fileRef = E13F01EA1270E10D00DFBA71 /* CookieStorage.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx">                 3571883EEF618793751E4089 /* RenderMathMLMenclose.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 3662F984047CEDBE5DDDAFAA /* RenderMathMLMenclose.cpp */; };
</span><ins>+                3717833A1AACDCF7000910E3 /* SecuritySPI.h in Headers */ = {isa = PBXBuildFile; fileRef = 371783391AACDCF7000910E3 /* SecuritySPI.h */; };
</ins><span class="cx">                 3717D7E817ECC591003C276D /* extract-localizable-strings.pl in Copy Scripts */ = {isa = PBXBuildFile; fileRef = 3717D7E517ECC3A6003C276D /* extract-localizable-strings.pl */; };
</span><span class="cx">                 371A67CB11C6C7DB00047B8B /* HyphenationCF.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 371A67CA11C6C7DB00047B8B /* HyphenationCF.cpp */; };
</span><span class="cx">                 371E65CC13661EDC00BEEDB0 /* PageSerializer.h in Headers */ = {isa = PBXBuildFile; fileRef = 371E65CB13661EDC00BEEDB0 /* PageSerializer.h */; };
</span><span class="lines">@@ -8425,6 +8426,7 @@
</span><span class="cx">                 3390CA530FFC157B00921962 /* NotificationCenter.idl */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = NotificationCenter.idl; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="cx">                 339B5B62131DAA3200F48D02 /* CookiesStrategy.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = CookiesStrategy.h; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="cx">                 3662F984047CEDBE5DDDAFAA /* RenderMathMLMenclose.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = RenderMathMLMenclose.cpp; path = rendering/mathml/RenderMathMLMenclose.cpp; sourceTree = SOURCE_ROOT; };
</span><ins>+                371783391AACDCF7000910E3 /* SecuritySPI.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecuritySPI.h; sourceTree = &quot;&lt;group&gt;&quot;; };
</ins><span class="cx">                 3717D7E517ECC3A6003C276D /* extract-localizable-strings.pl */ = {isa = PBXFileReference; lastKnownFileType = text.script.perl; path = &quot;extract-localizable-strings.pl&quot;; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="cx">                 371A67CA11C6C7DB00047B8B /* HyphenationCF.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = HyphenationCF.cpp; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="cx">                 371E65CB13661EDC00BEEDB0 /* PageSerializer.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = PageSerializer.h; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="lines">@@ -16387,6 +16389,7 @@
</span><span class="cx">                 653EF83719A043AE0052202C /* cocoa */ = {
</span><span class="cx">                         isa = PBXGroup;
</span><span class="cx">                         children = (
</span><ins>+                                CD4097FF1A8C855F004C65E9 /* CFNSURLConnectionSPI.h */,
</ins><span class="cx">                                 1C5E980F1A02CEFA002DB55F /* CoreTextSPI.h */,
</span><span class="cx">                                 CE12524A1A16C79B00864480 /* DispatchSPI.h */,
</span><span class="cx">                                 CE1252441A16C22500864480 /* DynamicLinkerSPI.h */,
</span><span class="lines">@@ -16402,9 +16405,9 @@
</span><span class="cx">                                 CE1252461A16C2C200864480 /* NSPointerFunctionsSPI.h */,
</span><span class="cx">                                 CE1252521A1BEC0600864480 /* NSStringSPI.h */,
</span><span class="cx">                                 CE1252541A1BEC0E00864480 /* NSURLDownloadSPI.h */,
</span><del>-                                CD4097FF1A8C855F004C65E9 /* CFNSURLConnectionSPI.h */,
</del><span class="cx">                                 653EF83819A043AE0052202C /* NSURLFileTypeMappingsSPI.h */,
</span><span class="cx">                                 CE12523C1A1676CD00864480 /* QuartzCoreSPI.h */,
</span><ins>+                                371783391AACDCF7000910E3 /* SecuritySPI.h */,
</ins><span class="cx">                                 CEC337AC1A46071F009B8523 /* ServersSPI.h */,
</span><span class="cx">                                 A19D93451A9FEC7200B46C24 /* WebFilterEvaluatorSPI.h */,
</span><span class="cx">                         );
</span><span class="lines">@@ -23801,6 +23804,7 @@
</span><span class="cx">                                 6550B6A2099DF0270090D781 /* Comment.h in Headers */,
</span><span class="cx">                                 E1FE137518402A6700892F13 /* CommonCryptoUtilities.h in Headers */,
</span><span class="cx">                                 37C236111097EE7700EF9F72 /* ComplexTextController.h in Headers */,
</span><ins>+                                3717833A1AACDCF7000910E3 /* SecuritySPI.h in Headers */,
</ins><span class="cx">                                 316FE1160E6E1DA700BF6088 /* CompositeAnimation.h in Headers */,
</span><span class="cx">                                 93309DDD099E64920056E581 /* CompositeEditCommand.h in Headers */,
</span><span class="cx">                                 79F2F5A21091939A000D87CB /* CompositionEvent.h in Headers */,
</span></span></pre></div>
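Review bot: in the last project.pbxproj hunk, the "SecuritySPI.h in Headers" entry is inserted between ComplexTextController.h and CompositeAnimation.h, which breaks the alphabetical order the neighbouring entries follow. Place it with the other entries starting with S so the Headers list stays sorted, in the same way the spi/cocoa group was sorted in this change.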
<a id="trunkSourceWebCoreplatformnetworkcfCertificateInfoh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/platform/network/cf/CertificateInfo.h (181316 => 181317)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/platform/network/cf/CertificateInfo.h        2015-03-10 07:15:52 UTC (rev 181316)
+++ trunk/Source/WebCore/platform/network/cf/CertificateInfo.h        2015-03-10 07:34:06 UTC (rev 181317)
</span><span class="lines">@@ -40,6 +40,8 @@
</span><span class="cx">     void setCertificateChain(CFArrayRef certificateChain) { m_certificateChain = certificateChain; }
</span><span class="cx">     CFArrayRef certificateChain() const { return m_certificateChain.get(); }
</span><span class="cx"> 
</span><ins>+    WEBCORE_EXPORT bool containsNonRootSHA1SignedCertificate() const;
+
</ins><span class="cx"> #ifndef NDEBUG
</span><span class="cx">     void dump() const;
</span><span class="cx"> #endif
</span></span></pre></div>
<a id="trunkSourceWebCoreplatformnetworkcurlCertificateInfoh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/platform/network/curl/CertificateInfo.h (181316 => 181317)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/platform/network/curl/CertificateInfo.h        2015-03-10 07:15:52 UTC (rev 181316)
+++ trunk/Source/WebCore/platform/network/curl/CertificateInfo.h        2015-03-10 07:34:06 UTC (rev 181317)
</span><span class="lines">@@ -26,12 +26,15 @@
</span><span class="cx"> #ifndef CertificateInfo_h
</span><span class="cx"> #define CertificateInfo_h
</span><span class="cx"> 
</span><ins>+#include &quot;NotImplemented.h&quot;
+
</ins><span class="cx"> namespace WebCore {
</span><span class="cx"> 
</span><span class="cx"> class CertificateInfo {
</span><span class="cx"> public:
</span><span class="cx">     CertificateInfo() { }
</span><span class="cx"> 
</span><ins>+    bool containsNonRootSHA1SignedCertificate() const { notImplemented(); return false; }
</ins><span class="cx"> };
</span><span class="cx"> 
</span><span class="cx"> }
</span></span></pre></div>
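Review bot: the stub containsNonRootSHA1SignedCertificate() returns false, which a caller cannot tell apart from a chain that was inspected and found free of SHA-1 signatures, so a port that turned the option on would silently never flag anything. Add a comment stating that false here means "not checked", or give the ports that cannot inspect the chain a way to report that to the caller.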
<a id="trunkSourceWebCoreplatformnetworkmacCertificateInfoMacmm"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/platform/network/mac/CertificateInfoMac.mm (181316 => 181317)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/platform/network/mac/CertificateInfoMac.mm        2015-03-10 07:15:52 UTC (rev 181316)
+++ trunk/Source/WebCore/platform/network/mac/CertificateInfoMac.mm        2015-03-10 07:34:06 UTC (rev 181317)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2010 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2010, 2015 Apple Inc. All rights reserved.
</ins><span class="cx">  *
</span><span class="cx">  * Redistribution and use in source and binary forms, with or without
</span><span class="cx">  * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -26,8 +26,26 @@
</span><span class="cx"> #import &quot;config.h&quot;
</span><span class="cx"> #import &quot;CertificateInfo.h&quot;
</span><span class="cx"> 
</span><ins>+#import &quot;NotImplemented.h&quot;
+#import &quot;SecuritySPI.h&quot;
+
</ins><span class="cx"> namespace WebCore {
</span><span class="cx"> 
</span><ins>+bool CertificateInfo::containsNonRootSHA1SignedCertificate() const
+{
+#if PLATFORM(IOS) &amp;&amp; __IPHONE_OS_VERSION_MIN_REQUIRED &gt;= 90000
+    for (CFIndex i = 0, size = CFArrayGetCount(m_certificateChain.get()) - 1; i &lt; size; ++i) {
+        SecCertificateRef certificate = (SecCertificateRef)CFArrayGetValueAtIndex(m_certificateChain.get(), i);
+        if (SecCertificateGetSignatureHashAlgorithm(certificate) == kSecSignatureHashAlgorithmSHA1)
+            return true;
+    }
+    return false;
+#else
+    notImplemented();
+    return false;
+#endif
+}
+
</ins><span class="cx"> #ifndef NDEBUG
</span><span class="cx"> void CertificateInfo::dump() const
</span><span class="cx"> {
</span></span></pre></div>
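Review bot: containsNonRootSHA1SignedCertificate() passes m_certificateChain.get() straight to CFArrayGetCount() with no null check, so a CertificateInfo whose chain was never set would call CFArrayGetCount(NULL) in the iOS branch; return false early when m_certificateChain is null. The loop bound of count minus one also assumes the last element is always the root, which deserves a comment, because a chain that ends at an intermediate would have that certificate skipped. The guard here is iOS-only while SecuritySPI.h also declares SecCertificateGetSignatureHashAlgorithm for the PLATFORM(MAC) 101100 case, so on Mac this function always falls through to notImplemented() and reports false.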
<a id="trunkSourceWebCoreplatformnetworksoupCertificateInfoh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/platform/network/soup/CertificateInfo.h (181316 => 181317)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/platform/network/soup/CertificateInfo.h        2015-03-10 07:15:52 UTC (rev 181316)
+++ trunk/Source/WebCore/platform/network/soup/CertificateInfo.h        2015-03-10 07:34:06 UTC (rev 181317)
</span><span class="lines">@@ -27,6 +27,7 @@
</span><span class="cx"> #ifndef CertificateInfo_h
</span><span class="cx"> #define CertificateInfo_h
</span><span class="cx"> 
</span><ins>+#include &quot;NotImplemented.h&quot;
</ins><span class="cx"> #include &lt;libsoup/soup.h&gt;
</span><span class="cx"> #include &lt;wtf/gobject/GRefPtr.h&gt;
</span><span class="cx"> 
</span><span class="lines">@@ -48,6 +49,8 @@
</span><span class="cx">     GTlsCertificateFlags tlsErrors() const { return m_tlsErrors; }
</span><span class="cx">     void setTLSErrors(GTlsCertificateFlags tlsErrors) { m_tlsErrors = tlsErrors; }
</span><span class="cx"> 
</span><ins>+    bool containsNonRootSHA1SignedCertificate() const { notImplemented(); return false; }
+
</ins><span class="cx"> private:
</span><span class="cx">     GRefPtr&lt;GTlsCertificate&gt; m_certificate;
</span><span class="cx">     GTlsCertificateFlags m_tlsErrors;
</span></span></pre></div>
<a id="trunkSourceWebCoreplatformspicocoaSecuritySPIh"></a>
<div class="addfile"><h4>Added: trunk/Source/WebCore/platform/spi/cocoa/SecuritySPI.h (0 => 181317)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/platform/spi/cocoa/SecuritySPI.h                                (rev 0)
+++ trunk/Source/WebCore/platform/spi/cocoa/SecuritySPI.h        2015-03-10 07:34:06 UTC (rev 181317)
</span><span class="lines">@@ -0,0 +1,52 @@
</span><ins>+/*
+ * Copyright (C) 2015 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+ * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ * THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef SecuritySPI_h
+#define SecuritySPI_h
+
+#if USE(APPLE_INTERNAL_SDK)
+#include &lt;Security/SecCertificatePriv.h&gt;
+#else
+
+typedef uint32_t SecSignatureHashAlgorithm;
+enum {
+    kSecSignatureHashAlgorithmUnknown = 0,
+    kSecSignatureHashAlgorithmMD2 = 1,
+    kSecSignatureHashAlgorithmMD4 = 2,
+    kSecSignatureHashAlgorithmMD5 = 3,
+    kSecSignatureHashAlgorithmSHA1 = 4,
+    kSecSignatureHashAlgorithmSHA224 = 5,
+    kSecSignatureHashAlgorithmSHA256 = 6,
+    kSecSignatureHashAlgorithmSHA384 = 7,
+    kSecSignatureHashAlgorithmSHA512 = 8
+};
+
+#endif
+
+#if (PLATFORM(MAC) &amp;&amp; __MAC_OS_X_VERSION_MIN_REQUIRED &gt;= 101100) || (PLATFORM(IOS) &amp;&amp; __IPHONE_OS_VERSION_MIN_REQUIRED &gt;= 90000)
+EXTERN_C SecSignatureHashAlgorithm SecCertificateGetSignatureHashAlgorithm(SecCertificateRef certificate);
+#endif
+
+#endif // SecuritySPI_h
</ins></span></pre></div>
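Review bot: SecuritySPI.h is not self-contained: the fallback branch uses uint32_t and the declaration at the bottom uses SecCertificateRef, but nothing is included outside the USE(APPLE_INTERNAL_SDK) branch, so the header compiles only if every includer has already pulled in the Security types. Include the Security header that defines SecCertificateRef at the top of the file. The availability condition on the declaration (Mac 101100 or iOS 90000) should also match the one used at the call site in CertificateInfoMac.mm, which tests iOS only.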
<a id="trunkSourceWebKit2ChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/ChangeLog (181316 => 181317)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/ChangeLog        2015-03-10 07:15:52 UTC (rev 181316)
+++ trunk/Source/WebKit2/ChangeLog        2015-03-10 07:34:06 UTC (rev 181317)
</span><span class="lines">@@ -1,3 +1,36 @@
</span><ins>+2015-03-10  Dan Bernstein  &lt;mitz@apple.com&gt;
+
+        WebKit2 part of &lt;rdar://problem/20086546&gt; [Cocoa] Add an option to treat certificate chains with SHA1-signed certificates as insecure
+        https://bugs.webkit.org/show_bug.cgi?id=142461
+
+        Reviewed by Sam Weinig.
+
+        * UIProcess/API/Cocoa/WKWebView.mm:
+        (-[WKWebView initWithFrame:configuration:]): Initialize
+        webPageConfiguration.treatsSHA1SignedCertificatesAsInsecure from the WKWebViewConfiguration.
+
+        * UIProcess/API/Cocoa/WKWebViewConfiguration.mm:
+        Added _treatsSHA1SignedCertificatesAsInsecure ivar.
+        (-[WKWebViewConfiguration copyWithZone:]): Copy _treatsSHA1SignedCertificatesAsInsecure.
+        (-[WKWebViewConfiguration _treatsSHA1SignedCertificatesAsInsecure]): Added this getter.
+        (-[WKWebViewConfiguration _setTreatsSHA1SignedCertificatesAsInsecure:]): Added this setter.
+
+        * UIProcess/API/Cocoa/WKWebViewConfigurationPrivate.h: Declared new
+        _treatsSHA1SignedCertificatesAsInsecure property.
+
+        * UIProcess/PageLoadState.cpp:
+        (WebKit::PageLoadState::didCommitLoad): Use new hasInsecureContent parameter to initialize
+        hasInsecureContent parameter in the uncommitted state.
+        * UIProcess/PageLoadState.h:
+
+        * UIProcess/WebPageProxy.cpp:
+        (WebKit::WebPageProxy::WebPageProxy): Initialize new m_treatsSHA1CertificatesAsInsecure
+        member variable from the WebPageConfiguration.
+        (WebKit::WebPageProxy::didCommitLoadForFrame): Pass true for the new hasInsecureContent to
+        PageLoadState::didCommitLoad if we are treating SHA1-signed certificates as insecure and
+        the certificate info contains a non-root SHA1-signed certificate.
+        * UIProcess/WebPageProxy.h: Added m_treatsSHA1CertificatesAsInsecure member variable.
+
</ins><span class="cx"> 2015-03-09  Geoffrey Garen  &lt;ggaren@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         bmalloc: tryFastMalloc shouldn't crash
</span></span></pre></div>
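Review bot: the option's name drifts between layers: the configuration and the property use treatsSHA1SignedCertificatesAsInsecure, while the WebPageProxy member is m_treatsSHA1CertificatesAsInsecure, without "Signed". Use one spelling so a search finds every use of the option. The PageLoadState::didCommitLoad entry also says the hasInsecureContent parameter initializes the hasInsecureContent parameter, where the second one is presumably the field of the uncommitted state.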
<a id="trunkSourceWebKit2UIProcessAPICocoaWKWebViewmm"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/UIProcess/API/Cocoa/WKWebView.mm (181316 => 181317)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/UIProcess/API/Cocoa/WKWebView.mm        2015-03-10 07:15:52 UTC (rev 181316)
+++ trunk/Source/WebKit2/UIProcess/API/Cocoa/WKWebView.mm        2015-03-10 07:34:06 UTC (rev 181317)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2014 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2014, 2015 Apple Inc. All rights reserved.
</ins><span class="cx">  *
</span><span class="cx">  * Redistribution and use in source and binary forms, with or without
</span><span class="cx">  * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -291,6 +291,7 @@
</span><span class="cx">     webPageConfiguration.visitedLinkProvider = [_configuration _visitedLinkProvider]-&gt;_visitedLinkProvider.get();
</span><span class="cx">     webPageConfiguration.websiteDataStore = &amp;[_configuration _websiteDataStore]-&gt;_websiteDataStore-&gt;websiteDataStore();
</span><span class="cx">     webPageConfiguration.sessionID = webPageConfiguration.websiteDataStore-&gt;sessionID();
</span><ins>+    webPageConfiguration.treatsSHA1SignedCertificatesAsInsecure = [_configuration _treatsSHA1SignedCertificatesAsInsecure];
</ins><span class="cx"> 
</span><span class="cx">     RefPtr&lt;WebKit::WebPageGroup&gt; pageGroup;
</span><span class="cx">     NSString *groupIdentifier = configuration._groupIdentifier;
</span></span></pre></div>
<a id="trunkSourceWebKit2UIProcessAPICocoaWKWebViewConfigurationmm"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/UIProcess/API/Cocoa/WKWebViewConfiguration.mm (181316 => 181317)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/UIProcess/API/Cocoa/WKWebViewConfiguration.mm        2015-03-10 07:15:52 UTC (rev 181316)
+++ trunk/Source/WebKit2/UIProcess/API/Cocoa/WKWebViewConfiguration.mm        2015-03-10 07:34:06 UTC (rev 181317)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2014 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2014, 2015 Apple Inc. All rights reserved.
</ins><span class="cx">  *
</span><span class="cx">  * Redistribution and use in source and binary forms, with or without
</span><span class="cx">  * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -87,6 +87,7 @@
</span><span class="cx">     LazyInitialized&lt;RetainPtr&lt;_WKWebsiteDataStore&gt;&gt; _websiteDataStore;
</span><span class="cx">     WebKit::WeakObjCPtr&lt;WKWebView&gt; _relatedWebView;
</span><span class="cx">     WebKit::WeakObjCPtr&lt;WKWebView&gt; _alternateWebViewForNavigationGestures;
</span><ins>+    BOOL _treatsSHA1SignedCertificatesAsInsecure;
</ins><span class="cx">     RetainPtr&lt;NSString&gt; _groupIdentifier;
</span><span class="cx">     LazyInitialized&lt;RetainPtr&lt;NSString&gt;&gt; _applicationNameForUserAgent;
</span><span class="cx"> 
</span><span class="lines">@@ -126,6 +127,7 @@
</span><span class="cx">     configuration._websiteDataStore = self._websiteDataStore;
</span><span class="cx">     configuration._relatedWebView = _relatedWebView.get().get();
</span><span class="cx">     configuration._alternateWebViewForNavigationGestures = _alternateWebViewForNavigationGestures.get().get();
</span><ins>+    configuration-&gt;_treatsSHA1SignedCertificatesAsInsecure = _treatsSHA1SignedCertificatesAsInsecure;
</ins><span class="cx"> #if PLATFORM(IOS)
</span><span class="cx">     configuration._contentProviderRegistry = self._contentProviderRegistry;
</span><span class="cx"> #endif
</span><span class="lines">@@ -282,6 +284,16 @@
</span><span class="cx">     _groupIdentifier = groupIdentifier;
</span><span class="cx"> }
</span><span class="cx"> 
</span><ins>+- (BOOL)_treatsSHA1SignedCertificatesAsInsecure
+{
+    return _treatsSHA1SignedCertificatesAsInsecure;
+}
+
+- (void)_setTreatsSHA1SignedCertificatesAsInsecure:(BOOL)insecure
+{
+    _treatsSHA1SignedCertificatesAsInsecure = insecure;
+}
+
</ins><span class="cx"> #if PLATFORM(IOS)
</span><span class="cx"> - (BOOL)_allowsAlternateFullscreen
</span><span class="cx"> {
</span></span></pre></div>
<a id="trunkSourceWebKit2UIProcessAPICocoaWKWebViewConfigurationPrivateh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/UIProcess/API/Cocoa/WKWebViewConfigurationPrivate.h (181316 => 181317)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/UIProcess/API/Cocoa/WKWebViewConfigurationPrivate.h        2015-03-10 07:15:52 UTC (rev 181316)
+++ trunk/Source/WebKit2/UIProcess/API/Cocoa/WKWebViewConfigurationPrivate.h        2015-03-10 07:34:06 UTC (rev 181317)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2014 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2014, 2015 Apple Inc. All rights reserved.
</ins><span class="cx">  *
</span><span class="cx">  * Redistribution and use in source and binary forms, with or without
</span><span class="cx">  * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -42,6 +42,8 @@
</span><span class="cx"> 
</span><span class="cx"> @property (nonatomic, weak, setter=_setAlternateWebViewForNavigationGestures:) WKWebView *_alternateWebViewForNavigationGestures;
</span><span class="cx"> 
</span><ins>+@property (nonatomic, setter=_setTreatsSHA1SignedCertificatesAsInsecure:) BOOL _treatsSHA1SignedCertificatesAsInsecure WK_AVAILABLE(NA, WK_IOS_TBA);
+
</ins><span class="cx"> #if TARGET_OS_IPHONE
</span><span class="cx"> @property (nonatomic, setter=_setAllowsAlternateFullscreen:) BOOL _allowsAlternateFullscreen WK_AVAILABLE(NA, WK_IOS_TBA);
</span><span class="cx"> #endif
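Review bot: the new property is declared above the #if TARGET_OS_IPHONE block, so it is compiled for both platforms, yet it carries
the same WK_AVAILABLE(NA, WK_IOS_TBA) annotation as the iOS-only _allowsAlternateFullscreen below it. If the setting is meant to work on OS X,
give the first argument a real OS X availability; if it is iOS-only, move it inside the #if. A one-line comment stating what "insecure" changes for the client would also help, since the header is the only documentation of this SPI.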
</span></span></pre></div>
<a id="trunkSourceWebKit2UIProcessPageLoadStatecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/UIProcess/PageLoadState.cpp (181316 => 181317)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/UIProcess/PageLoadState.cpp        2015-03-10 07:15:52 UTC (rev 181316)
+++ trunk/Source/WebKit2/UIProcess/PageLoadState.cpp        2015-03-10 07:34:06 UTC (rev 181317)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2013 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2013-2015 Apple Inc. All rights reserved.
</ins><span class="cx">  *
</span><span class="cx">  * Redistribution and use in source and binary forms, with or without
</span><span class="cx">  * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -267,13 +267,13 @@
</span><span class="cx">     m_uncommittedState.unreachableURL = m_lastUnreachableURL;
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-void PageLoadState::didCommitLoad(const Transaction::Token&amp; token)
</del><ins>+void PageLoadState::didCommitLoad(const Transaction::Token&amp; token, bool hasInsecureContent)
</ins><span class="cx"> {
</span><span class="cx">     ASSERT_UNUSED(token, &amp;token.m_pageLoadState == this);
</span><span class="cx">     ASSERT(m_uncommittedState.state == State::Provisional);
</span><span class="cx"> 
</span><span class="cx">     m_uncommittedState.state = State::Committed;
</span><del>-    m_uncommittedState.hasInsecureContent = false;
</del><ins>+    m_uncommittedState.hasInsecureContent = hasInsecureContent;
</ins><span class="cx"> 
</span><span class="cx">     m_uncommittedState.url = m_uncommittedState.provisionalURL;
</span><span class="cx">     m_uncommittedState.provisionalURL = String();
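Review bot: in didCommitLoad, hasInsecureContent used to be reset to false on every commit and now takes whatever the caller passes,
which in this change is the result of a certificate chain check rather than anything about page content. Rename the parameter, or add a comment
on the assignment stating that a SHA-1 signed chain is reported through the same flag, so readers of hasInsecureContent know what a true value can mean.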
</span></span></pre></div>
<a id="trunkSourceWebKit2UIProcessPageLoadStateh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/UIProcess/PageLoadState.h (181316 => 181317)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/UIProcess/PageLoadState.h        2015-03-10 07:15:52 UTC (rev 181316)
+++ trunk/Source/WebKit2/UIProcess/PageLoadState.h        2015-03-10 07:34:06 UTC (rev 181317)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2013 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2013-2015 Apple Inc. All rights reserved.
</ins><span class="cx">  *
</span><span class="cx">  * Redistribution and use in source and binary forms, with or without
</span><span class="cx">  * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -131,7 +131,7 @@
</span><span class="cx">     void didReceiveServerRedirectForProvisionalLoad(const Transaction::Token&amp;, const String&amp; url);
</span><span class="cx">     void didFailProvisionalLoad(const Transaction::Token&amp;);
</span><span class="cx"> 
</span><del>-    void didCommitLoad(const Transaction::Token&amp;);
</del><ins>+    void didCommitLoad(const Transaction::Token&amp;, bool hasInsecureContent);
</ins><span class="cx">     void didFinishLoad(const Transaction::Token&amp;);
</span><span class="cx">     void didFailLoad(const Transaction::Token&amp;);
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceWebKit2UIProcessWebPageProxycpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/UIProcess/WebPageProxy.cpp (181316 => 181317)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/UIProcess/WebPageProxy.cpp        2015-03-10 07:15:52 UTC (rev 181316)
+++ trunk/Source/WebKit2/UIProcess/WebPageProxy.cpp        2015-03-10 07:34:06 UTC (rev 181317)
</span><span class="lines">@@ -285,6 +285,7 @@
</span><span class="cx">     , m_websiteDataStore(*configuration.websiteDataStore)
</span><span class="cx">     , m_mainFrame(nullptr)
</span><span class="cx">     , m_userAgent(standardUserAgent())
</span><ins>+    , m_treatsSHA1CertificatesAsInsecure(configuration.treatsSHA1SignedCertificatesAsInsecure)
</ins><span class="cx"> #if PLATFORM(IOS)
</span><span class="cx">     , m_hasReceivedLayerTreeTransactionAfterDidCommitLoad(true)
</span><span class="cx">     , m_firstLayerTreeTransactionIdAfterDidCommitLoad(0)
</span><span class="lines">@@ -2818,8 +2819,10 @@
</span><span class="cx"> 
</span><span class="cx">     auto transaction = m_pageLoadState.transaction();
</span><span class="cx"> 
</span><del>-    if (frame-&gt;isMainFrame())
-        m_pageLoadState.didCommitLoad(transaction);
</del><ins>+    if (frame-&gt;isMainFrame()) {
+        bool hasInsecureCertificateChain = m_treatsSHA1CertificatesAsInsecure &amp;&amp; certificateInfo.containsNonRootSHA1SignedCertificate();
+        m_pageLoadState.didCommitLoad(transaction, hasInsecureCertificateChain);
+    }
</ins><span class="cx"> 
</span><span class="cx"> #if USE(APPKIT)
</span><span class="cx">     // FIXME (bug 59111): didCommitLoadForFrame comes too late when restoring a page from b/f cache, making us disable secure event mode in password fields.
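Review bot: the SHA-1 check sits inside the frame-&gt;isMainFrame() branch, so a subframe that commits over a chain containing a non-root
SHA-1 signed certificate never raises the flag. If the page-level state is meant to describe only the main document's chain, say so in a comment
at this call; otherwise subframe commits need a way to set hasInsecureContent as well.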
</span></span></pre></div>
<a id="trunkSourceWebKit2UIProcessWebPageProxyh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/UIProcess/WebPageProxy.h (181316 => 181317)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/UIProcess/WebPageProxy.h        2015-03-10 07:15:52 UTC (rev 181316)
+++ trunk/Source/WebKit2/UIProcess/WebPageProxy.h        2015-03-10 07:34:06 UTC (rev 181317)
</span><span class="lines">@@ -249,6 +249,8 @@
</span><span class="cx"> 
</span><span class="cx">     WebPageProxy* relatedPage = nullptr;
</span><span class="cx"> 
</span><ins>+    bool treatsSHA1SignedCertificatesAsInsecure = false;
+
</ins><span class="cx">     WebPreferencesStore::ValueMap preferenceValues;
</span><span class="cx"> };
</span><span class="cx"> 
</span><span class="lines">@@ -1425,6 +1427,8 @@
</span><span class="cx">     String m_customUserAgent;
</span><span class="cx">     String m_customTextEncodingName;
</span><span class="cx"> 
</span><ins>+    bool m_treatsSHA1CertificatesAsInsecure;
+
</ins><span class="cx">     RefPtr&lt;WebInspectorProxy&gt; m_inspector;
</span><span class="cx"> 
</span><span class="cx"> #if ENABLE(FULLSCREEN_API)
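Review bot: the member is spelled m_treatsSHA1CertificatesAsInsecure, while the Configuration field added earlier in this header and the
Cocoa property are both treatsSHA1SignedCertificatesAsInsecure. Keep "Signed" in the member name so one search finds every use of the setting.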
</span></span></pre>
</div>
</div>

</body>
</html>