<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[200463] trunk/Source</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/200463">200463</a></dd>
<dt>Author</dt> <dd>weinig@apple.com</dd>
<dt>Date</dt> <dd>2016-05-05 11:23:47 -0700 (Thu, 05 May 2016)</dd>
</dl>
<h3>Log Message</h3>
<pre>On platforms that support it, use a SecTrustRef as the basis of CertificateInfo instead of a chain of SecCertificateRefs.
https://bugs.webkit.org/show_bug.cgi?id=157220
Reviewed by Darin Adler.
Source/WebCore:
* platform/network/cf/CertificateInfo.h:
(WebCore::CertificateInfo::CertificateInfo):
(WebCore::CertificateInfo::trust):
(WebCore::CertificateInfo::isEmpty):
(WebCore::CertificateInfo::setCertificateChain): Deleted.
(WebCore::CertificateInfo::certificateChain): Deleted.
* platform/network/mac/CertificateInfoMac.mm:
(WebCore::CertificateInfo::type):
(WebCore::CertificateInfo::certificateChain):
(WebCore::CertificateInfo::containsNonRootSHA1SignedCertificate):
(WebCore::CertificateInfo::dump):
When supported, allow CertificateInfo to contain a SecTrustRef instead of a certificate chain. We keep
support for holding on to a certificate chain as well, since there is API that depends on this.
* platform/network/cocoa/ResourceResponseCocoa.mm:
(WebCore::ResourceResponse::platformCertificateInfo):
When supported, use the SecTrustRef from the error instead of extracting it's certificate chain.
Source/WebKit2:
* Shared/Authentication/mac/AuthenticationManager.mac.mm:
(WebKit::leafCertificate):
(WebKit::chain):
(WebKit::AuthenticationManager::tryUseCertificateInfoForChallenge):
When supported, get the SecCertificateRef from the SecTrustRef rather than the
stored certificate chain.
* Shared/cf/ArgumentCodersCF.cpp:
(IPC::typeFromCFTypeRef):
(IPC::encode):
(IPC::decode):
* Shared/cf/ArgumentCodersCF.h:
Add support for encoding/decoding SecTrustRef objects.
* Shared/mac/WebCoreArgumentCodersMac.mm:
(IPC::ArgumentCoder<CertificateInfo>::encode):
(IPC::ArgumentCoder<CertificateInfo>::decode):
Add support for encoding/decoding CertificateInfo's that contain SecTrustRef objects.
(IPC::encodeNSError):
(IPC::decodeNSError):
Simplify error encoding/decoding by not using an addition CertificateInfo object for encoding
the peerCertificateChain. Also, add the peerTrust to the userInfo that get's encoded/decoded.
* UIProcess/API/Cocoa/WKWebView.h:
* UIProcess/API/Cocoa/WKWebView.mm:
(-[WKWebView serverTrust]):
(-[WKWebView certificateChain]):
Add new serverTrust API and deprecate certificateChain.
* UIProcess/Cocoa/NavigationState.mm:
(WebKit::NavigationState::willChangeCertificateInfo):
(WebKit::NavigationState::didChangeCertificateInfo):
Add support for KVO of -[WKWebView serverTrust].
Source/WTF:
* wtf/Platform.h:
Add support for HAVE(SEC_TRUST_SERIALIZATION).
* wtf/spi/cocoa/SecuritySPI.h:
Add SPI access to SecTrustSerialize and SecTrustDeserialize.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceWTFChangeLog">trunk/Source/WTF/ChangeLog</a></li>
<li><a href="#trunkSourceWTFwtfPlatformh">trunk/Source/WTF/wtf/Platform.h</a></li>
<li><a href="#trunkSourceWTFwtfspicocoaSecuritySPIh">trunk/Source/WTF/wtf/spi/cocoa/SecuritySPI.h</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoreplatformnetworkcfCertificateInfoh">trunk/Source/WebCore/platform/network/cf/CertificateInfo.h</a></li>
<li><a href="#trunkSourceWebCoreplatformnetworkcocoaResourceResponseCocoamm">trunk/Source/WebCore/platform/network/cocoa/ResourceResponseCocoa.mm</a></li>
<li><a href="#trunkSourceWebCoreplatformnetworkmacCertificateInfoMacmm">trunk/Source/WebCore/platform/network/mac/CertificateInfoMac.mm</a></li>
<li><a href="#trunkSourceWebKit2ChangeLog">trunk/Source/WebKit2/ChangeLog</a></li>
<li><a href="#trunkSourceWebKit2SharedAPIcmacWKCertificateInfoMach">trunk/Source/WebKit2/Shared/API/c/mac/WKCertificateInfoMac.h</a></li>
<li><a href="#trunkSourceWebKit2SharedAPIcmacWKCertificateInfoMacmm">trunk/Source/WebKit2/Shared/API/c/mac/WKCertificateInfoMac.mm</a></li>
<li><a href="#trunkSourceWebKit2SharedAuthenticationmacAuthenticationManagermacmm">trunk/Source/WebKit2/Shared/Authentication/mac/AuthenticationManager.mac.mm</a></li>
<li><a href="#trunkSourceWebKit2SharedcfArgumentCodersCFcpp">trunk/Source/WebKit2/Shared/cf/ArgumentCodersCF.cpp</a></li>
<li><a href="#trunkSourceWebKit2SharedcfArgumentCodersCFh">trunk/Source/WebKit2/Shared/cf/ArgumentCodersCF.h</a></li>
<li><a href="#trunkSourceWebKit2SharedmacWebCoreArgumentCodersMacmm">trunk/Source/WebKit2/Shared/mac/WebCoreArgumentCodersMac.mm</a></li>
<li><a href="#trunkSourceWebKit2UIProcessAPICocoaWKWebViewh">trunk/Source/WebKit2/UIProcess/API/Cocoa/WKWebView.h</a></li>
<li><a href="#trunkSourceWebKit2UIProcessAPICocoaWKWebViewmm">trunk/Source/WebKit2/UIProcess/API/Cocoa/WKWebView.mm</a></li>
<li><a href="#trunkSourceWebKit2UIProcessCocoaNavigationStatemm">trunk/Source/WebKit2/UIProcess/Cocoa/NavigationState.mm</a></li>
<li><a href="#trunkSourceWebKit2WebProcessInjectedBundleAPICocoaWKWebProcessPlugInFramemm">trunk/Source/WebKit2/WebProcess/InjectedBundle/API/Cocoa/WKWebProcessPlugInFrame.mm</a></li>
<li><a href="#trunkSourceWebKit2WebProcessInjectedBundleAPICocoaWKWebProcessPlugInFramePrivateh">trunk/Source/WebKit2/WebProcess/InjectedBundle/API/Cocoa/WKWebProcessPlugInFramePrivate.h</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceWTFChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WTF/ChangeLog (200462 => 200463)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WTF/ChangeLog 2016-05-05 18:14:48 UTC (rev 200462)
+++ trunk/Source/WTF/ChangeLog 2016-05-05 18:23:47 UTC (rev 200463)
</span><span class="lines">@@ -1,3 +1,16 @@
</span><ins>+2016-05-02 Sam Weinig <sam@webkit.org>
+
+ On platforms that support it, use a SecTrustRef as the basis of CertificateInfo instead of a chain of SecCertificateRefs.
+ https://bugs.webkit.org/show_bug.cgi?id=157220
+
+ Reviewed by Darin Adler.
+
+ * wtf/Platform.h:
+ Add support for HAVE(SEC_TRUST_SERIALIZATION).
+
+ * wtf/spi/cocoa/SecuritySPI.h:
+ Add SPI access to SecTrustSerialize and SecTrustDeserialize.
+
</ins><span class="cx"> 2016-05-04 Filip Pizlo <fpizlo@apple.com>
</span><span class="cx">
</span><span class="cx"> Add HLE locks and synchronic TTAS locks to the ToyLocks benchmark suite
</span></span></pre></div>
<a id="trunkSourceWTFwtfPlatformh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WTF/wtf/Platform.h (200462 => 200463)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WTF/wtf/Platform.h 2016-05-05 18:14:48 UTC (rev 200462)
+++ trunk/Source/WTF/wtf/Platform.h 2016-05-05 18:23:47 UTC (rev 200463)
</span><span class="lines">@@ -1146,6 +1146,9 @@
</span><span class="cx"> #endif
</span><span class="cx"> #endif
</span><span class="cx">
</span><ins>+#if (PLATFORM(MAC) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 101200) || (PLATFORM(IOS) && __IPHONE_OS_VERSION_MIN_REQUIRED >= 100000)
+#define HAVE_SEC_TRUST_SERIALIZATION 1
+#endif
</ins><span class="cx">
</span><span class="cx"> #if !defined(WTF_DEFAULT_EVENT_LOOP)
</span><span class="cx"> #define WTF_DEFAULT_EVENT_LOOP 1
</span></span></pre></div>
<a id="trunkSourceWTFwtfspicocoaSecuritySPIh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WTF/wtf/spi/cocoa/SecuritySPI.h (200462 => 200463)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WTF/wtf/spi/cocoa/SecuritySPI.h 2016-05-05 18:14:48 UTC (rev 200462)
+++ trunk/Source/WTF/wtf/spi/cocoa/SecuritySPI.h 2016-05-05 18:23:47 UTC (rev 200463)
</span><span class="lines">@@ -30,6 +30,7 @@
</span><span class="cx">
</span><span class="cx"> #include <Security/SecCertificatePriv.h>
</span><span class="cx"> #include <Security/SecTask.h>
</span><ins>+#include <Security/SecTrustPriv.h>
</ins><span class="cx">
</span><span class="cx"> #else
</span><span class="cx">
</span><span class="lines">@@ -57,4 +58,9 @@
</span><span class="cx"> EXTERN_C SecTaskRef SecTaskCreateFromSelf(CFAllocatorRef);
</span><span class="cx"> EXTERN_C CFTypeRef SecTaskCopyValueForEntitlement(SecTaskRef, CFStringRef entitlement, CFErrorRef *);
</span><span class="cx">
</span><ins>+#if HAVE(SEC_TRUST_SERIALIZATION)
+EXTERN_C CF_RETURNS_RETAINED CFDataRef SecTrustSerialize(SecTrustRef, CFErrorRef *);
+EXTERN_C CF_RETURNS_RETAINED SecTrustRef SecTrustDeserialize(CFDataRef serializedTrust, CFErrorRef *);
+#endif
+
</ins><span class="cx"> #endif // SecuritySPI_h
</span></span></pre></div>
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (200462 => 200463)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog 2016-05-05 18:14:48 UTC (rev 200462)
+++ trunk/Source/WebCore/ChangeLog 2016-05-05 18:23:47 UTC (rev 200463)
</span><span class="lines">@@ -1,3 +1,28 @@
</span><ins>+2016-05-02 Sam Weinig <sam@webkit.org>
+
+ On platforms that support it, use a SecTrustRef as the basis of CertificateInfo instead of a chain of SecCertificateRefs.
+ https://bugs.webkit.org/show_bug.cgi?id=157220
+
+ Reviewed by Darin Adler.
+
+ * platform/network/cf/CertificateInfo.h:
+ (WebCore::CertificateInfo::CertificateInfo):
+ (WebCore::CertificateInfo::trust):
+ (WebCore::CertificateInfo::isEmpty):
+ (WebCore::CertificateInfo::setCertificateChain): Deleted.
+ (WebCore::CertificateInfo::certificateChain): Deleted.
+ * platform/network/mac/CertificateInfoMac.mm:
+ (WebCore::CertificateInfo::type):
+ (WebCore::CertificateInfo::certificateChain):
+ (WebCore::CertificateInfo::containsNonRootSHA1SignedCertificate):
+ (WebCore::CertificateInfo::dump):
+ When supported, allow CertificateInfo to contain a SecTrustRef instead of a certificate chain. We keep
+ support for holding on to a certificate chain as well, since there is API that depends on this.
+
+ * platform/network/cocoa/ResourceResponseCocoa.mm:
+ (WebCore::ResourceResponse::platformCertificateInfo):
+ When supported, use the SecTrustRef from the error instead of extracting it's certificate chain.
+
</ins><span class="cx"> 2016-05-04 Ada Chan <adachan@apple.com>
</span><span class="cx">
</span><span class="cx"> When exiting fullscreen, call a JS method immediately to implement the style changes for the presentation mode change right away
</span></span></pre></div>
<a id="trunkSourceWebCoreplatformnetworkcfCertificateInfoh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/platform/network/cf/CertificateInfo.h (200462 => 200463)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/platform/network/cf/CertificateInfo.h 2016-05-05 18:14:48 UTC (rev 200462)
+++ trunk/Source/WebCore/platform/network/cf/CertificateInfo.h 2016-05-05 18:23:47 UTC (rev 200463)
</span><span class="lines">@@ -29,28 +29,59 @@
</span><span class="cx"> #include "PlatformExportMacros.h"
</span><span class="cx"> #include <wtf/RetainPtr.h>
</span><span class="cx">
</span><ins>+#if HAVE(SEC_TRUST_SERIALIZATION)
+#include <Security/SecTrust.h>
+#endif
+
</ins><span class="cx"> namespace WebCore {
</span><span class="cx">
</span><span class="cx"> class CertificateInfo {
</span><span class="cx"> public:
</span><del>- CertificateInfo() { }
- CertificateInfo(RetainPtr<CFArrayRef> certificateChain)
- : m_certificateChain(certificateChain)
- { }
</del><ins>+ CertificateInfo() = default;
+
+ enum class Type {
+ None,
+ CertificateChain,
+#if HAVE(SEC_TRUST_SERIALIZATION)
+ Trust,
+#endif
+ };
</ins><span class="cx">
</span><del>- void setCertificateChain(CFArrayRef certificateChain) { m_certificateChain = certificateChain; }
- CFArrayRef certificateChain() const { return m_certificateChain.get(); }
</del><ins>+#if HAVE(SEC_TRUST_SERIALIZATION)
+ explicit CertificateInfo(RetainPtr<SecTrustRef>&& trust)
+ : m_trust(WTFMove(trust))
+ {
+ }
+
+ SecTrustRef trust() const { return m_trust.get(); }
+#endif
</ins><span class="cx">
</span><ins>+ CertificateInfo(RetainPtr<CFArrayRef>&& certificateChain)
+ : m_certificateChain(WTFMove(certificateChain))
+ {
+ }
+
+ WEBCORE_EXPORT CFArrayRef certificateChain() const;
+
+ WEBCORE_EXPORT Type type() const;
</ins><span class="cx"> WEBCORE_EXPORT bool containsNonRootSHA1SignedCertificate() const;
</span><span class="cx">
</span><ins>+ bool isEmpty() const { return type() == Type::None; }
+
+#if PLATFORM(COCOA)
+ static RetainPtr<CFArrayRef> certificateChainFromSecTrust(SecTrustRef);
+#endif
+
</ins><span class="cx"> #ifndef NDEBUG
</span><span class="cx"> void dump() const;
</span><span class="cx"> #endif
</span><span class="cx">
</span><span class="cx"> private:
</span><del>- RetainPtr<CFArrayRef> m_certificateChain;
</del><ins>+#if HAVE(SEC_TRUST_SERIALIZATION)
+ RetainPtr<SecTrustRef> m_trust;
+#endif
+ mutable RetainPtr<CFArrayRef> m_certificateChain;
</ins><span class="cx"> };
</span><span class="cx">
</span><span class="cx"> }
</span><del>-
</del><span class="cx"> #endif
</span></span></pre></div>
<a id="trunkSourceWebCoreplatformnetworkcocoaResourceResponseCocoamm"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/platform/network/cocoa/ResourceResponseCocoa.mm (200462 => 200463)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/platform/network/cocoa/ResourceResponseCocoa.mm 2016-05-05 18:14:48 UTC (rev 200462)
+++ trunk/Source/WebCore/platform/network/cocoa/ResourceResponseCocoa.mm 2016-05-05 18:23:47 UTC (rev 200463)
</span><span class="lines">@@ -99,12 +99,11 @@
</span><span class="cx"> return { };
</span><span class="cx"> }
</span><span class="cx">
</span><del>- CFIndex count = SecTrustGetCertificateCount(trust);
- auto certificateChain = CFArrayCreateMutable(0, count, &kCFTypeArrayCallBacks);
- for (CFIndex i = 0; i < count; i++)
- CFArrayAppendValue(certificateChain, SecTrustGetCertificateAtIndex(trust, i));
-
- return CertificateInfo(adoptCF(certificateChain));
</del><ins>+#if HAVE(SEC_TRUST_SERIALIZATION)
+ return CertificateInfo(trust);
+#else
+ return CertificateInfo(CertificateInfo::certificateChainFromSecTrust(trust));
+#endif
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> #if USE(CFNETWORK)
</span></span></pre></div>
<a id="trunkSourceWebCoreplatformnetworkmacCertificateInfoMacmm"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/platform/network/mac/CertificateInfoMac.mm (200462 => 200463)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/platform/network/mac/CertificateInfoMac.mm 2016-05-05 18:14:48 UTC (rev 200462)
+++ trunk/Source/WebCore/platform/network/mac/CertificateInfoMac.mm 2016-05-05 18:23:47 UTC (rev 200463)
</span><span class="lines">@@ -31,35 +31,104 @@
</span><span class="cx">
</span><span class="cx"> namespace WebCore {
</span><span class="cx">
</span><ins>+#if PLATFORM(COCOA)
+RetainPtr<CFArrayRef> CertificateInfo::certificateChainFromSecTrust(SecTrustRef trust)
+{
+ auto count = SecTrustGetCertificateCount(trust);
+ auto certificateChain = CFArrayCreateMutable(0, count, &kCFTypeArrayCallBacks);
+ for (CFIndex i = 0; i < count; i++)
+ CFArrayAppendValue(certificateChain, SecTrustGetCertificateAtIndex(trust, i));
+ return adoptCF((CFArrayRef)certificateChain);
+}
+#endif
+
+CertificateInfo::Type CertificateInfo::type() const
+{
+#if HAVE(SEC_TRUST_SERIALIZATION)
+ if (m_trust)
+ return Type::Trust;
+#endif
+ if (m_certificateChain)
+ return Type::CertificateChain;
+ return Type::None;
+}
+
+CFArrayRef CertificateInfo::certificateChain() const
+{
+#if HAVE(SEC_TRUST_SERIALIZATION)
+ if (m_certificateChain)
+ return m_certificateChain.get();
+
+ if (m_trust)
+ m_certificateChain = CertificateInfo::certificateChainFromSecTrust(m_trust.get());
+#endif
+
+ return m_certificateChain.get();
+}
+
</ins><span class="cx"> bool CertificateInfo::containsNonRootSHA1SignedCertificate() const
</span><span class="cx"> {
</span><ins>+#if HAVE(SEC_TRUST_SERIALIZATION)
+ if (m_trust) {
+ // Allow only the root certificate (the last in the chain) to be SHA1.
+ for (CFIndex i = 0, size = SecTrustGetCertificateCount(trust()) - 1; i < size; ++i) {
+ auto certificate = SecTrustGetCertificateAtIndex(trust(), i);
+ if (SecCertificateGetSignatureHashAlgorithm(certificate) == kSecSignatureHashAlgorithmSHA1)
+ return true;
+ }
+
+ return false;
+ }
+#endif
+
</ins><span class="cx"> #if (PLATFORM(MAC) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 101100) || PLATFORM(IOS)
</span><del>- if (!m_certificateChain)
</del><ins>+ if (m_certificateChain) {
+ // Allow only the root certificate (the last in the chain) to be SHA1.
+ for (CFIndex i = 0, size = CFArrayGetCount(m_certificateChain.get()) - 1; i < size; ++i) {
+ auto certificate = (SecCertificateRef)CFArrayGetValueAtIndex(m_certificateChain.get(), i);
+ if (SecCertificateGetSignatureHashAlgorithm(certificate) == kSecSignatureHashAlgorithmSHA1)
+ return true;
+ }
</ins><span class="cx"> return false;
</span><del>-
- for (CFIndex i = 0, size = CFArrayGetCount(m_certificateChain.get()) - 1; i < size; ++i) {
- SecCertificateRef certificate = (SecCertificateRef)CFArrayGetValueAtIndex(m_certificateChain.get(), i);
- if (SecCertificateGetSignatureHashAlgorithm(certificate) == kSecSignatureHashAlgorithmSHA1)
- return true;
</del><span class="cx"> }
</span><del>- return false;
</del><span class="cx"> #else
</span><span class="cx"> notImplemented();
</span><ins>+#endif
+
</ins><span class="cx"> return false;
</span><del>-#endif
</del><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> #ifndef NDEBUG
</span><span class="cx"> void CertificateInfo::dump() const
</span><span class="cx"> {
</span><del>- unsigned entries = m_certificateChain ? CFArrayGetCount(m_certificateChain.get()) : 0;
</del><ins>+#if HAVE(SEC_TRUST_SERIALIZATION)
+ if (m_trust) {
+ CFIndex entries = SecTrustGetCertificateCount(trust());
</ins><span class="cx">
</span><del>- NSLog(@"CertificateInfo\n");
- NSLog(@" Entries: %d\n", entries);
- for (unsigned i = 0; i < entries; ++i) {
- RetainPtr<CFStringRef> summary = adoptCF(SecCertificateCopySubjectSummary((SecCertificateRef)CFArrayGetValueAtIndex(m_certificateChain.get(), i)));
- NSLog(@" %@", (NSString *)summary.get());
</del><ins>+ NSLog(@"CertificateInfo SecTrust\n");
+ NSLog(@" Entries: %ld\n", entries);
+ for (CFIndex i = 0; i < entries; ++i) {
+ RetainPtr<CFStringRef> summary = adoptCF(SecCertificateCopySubjectSummary(SecTrustGetCertificateAtIndex(trust(), i)));
+ NSLog(@" %@", (NSString *)summary.get());
+ }
+
+ return;
</ins><span class="cx"> }
</span><ins>+#endif
+ if (m_certificateChain) {
+ CFIndex entries = CFArrayGetCount(m_certificateChain.get());
+
+ NSLog(@"CertificateInfo (Certificate Chain)\n");
+ NSLog(@" Entries: %ld\n", entries);
+ for (CFIndex i = 0; i < entries; ++i) {
+ RetainPtr<CFStringRef> summary = adoptCF(SecCertificateCopySubjectSummary((SecCertificateRef)CFArrayGetValueAtIndex(m_certificateChain.get(), i)));
+ NSLog(@" %@", (NSString *)summary.get());
+ }
+
+ return;
+ }
+
+ NSLog(@"CertificateInfo (Empty)\n");
</ins><span class="cx"> }
</span><span class="cx"> #endif
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceWebKit2ChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/ChangeLog (200462 => 200463)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/ChangeLog 2016-05-05 18:14:48 UTC (rev 200462)
+++ trunk/Source/WebKit2/ChangeLog 2016-05-05 18:23:47 UTC (rev 200463)
</span><span class="lines">@@ -1,3 +1,45 @@
</span><ins>+2016-05-02 Sam Weinig <sam@webkit.org>
+
+ On platforms that support it, use a SecTrustRef as the basis of CertificateInfo instead of a chain of SecCertificateRefs.
+ https://bugs.webkit.org/show_bug.cgi?id=157220
+
+ Reviewed by Darin Adler.
+
+ * Shared/Authentication/mac/AuthenticationManager.mac.mm:
+ (WebKit::leafCertificate):
+ (WebKit::chain):
+ (WebKit::AuthenticationManager::tryUseCertificateInfoForChallenge):
+ When supported, get the SecCertificateRef from the SecTrustRef rather than the
+ stored certificate chain.
+
+ * Shared/cf/ArgumentCodersCF.cpp:
+ (IPC::typeFromCFTypeRef):
+ (IPC::encode):
+ (IPC::decode):
+ * Shared/cf/ArgumentCodersCF.h:
+ Add support for encoding/decoding SecTrustRef objects.
+
+ * Shared/mac/WebCoreArgumentCodersMac.mm:
+ (IPC::ArgumentCoder<CertificateInfo>::encode):
+ (IPC::ArgumentCoder<CertificateInfo>::decode):
+ Add support for encoding/decoding CertificateInfo's that contain SecTrustRef objects.
+
+ (IPC::encodeNSError):
+ (IPC::decodeNSError):
+ Simplify error encoding/decoding by not using an addition CertificateInfo object for encoding
+ the peerCertificateChain. Also, add the peerTrust to the userInfo that get's encoded/decoded.
+
+ * UIProcess/API/Cocoa/WKWebView.h:
+ * UIProcess/API/Cocoa/WKWebView.mm:
+ (-[WKWebView serverTrust]):
+ (-[WKWebView certificateChain]):
+ Add new serverTrust API and deprecate certificateChain.
+
+ * UIProcess/Cocoa/NavigationState.mm:
+ (WebKit::NavigationState::willChangeCertificateInfo):
+ (WebKit::NavigationState::didChangeCertificateInfo):
+ Add support for KVO of -[WKWebView serverTrust].
+
</ins><span class="cx"> 2016-05-05 Daniel Bates <dabates@apple.com>
</span><span class="cx">
</span><span class="cx"> Remove workaround added in r200391 (rdar://problem/25992976)
</span></span></pre></div>
<a id="trunkSourceWebKit2SharedAPIcmacWKCertificateInfoMach"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/Shared/API/c/mac/WKCertificateInfoMac.h (200462 => 200463)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/Shared/API/c/mac/WKCertificateInfoMac.h 2016-05-05 18:14:48 UTC (rev 200462)
+++ trunk/Source/WebKit2/Shared/API/c/mac/WKCertificateInfoMac.h 2016-05-05 18:23:47 UTC (rev 200463)
</span><span class="lines">@@ -27,6 +27,7 @@
</span><span class="cx"> #define WKCertificateInfoMac_h
</span><span class="cx">
</span><span class="cx"> #include <CoreFoundation/CoreFoundation.h>
</span><ins>+#include <Security/SecTrust.h>
</ins><span class="cx"> #include <WebKit/WKBase.h>
</span><span class="cx">
</span><span class="cx"> #ifdef __cplusplus
</span><span class="lines">@@ -34,6 +35,9 @@
</span><span class="cx"> #endif
</span><span class="cx">
</span><span class="cx"> WK_EXPORT WKCertificateInfoRef WKCertificateInfoCreateWithCertficateChain(CFArrayRef certificateChain);
</span><ins>+WK_EXPORT SecTrustRef WKCertificateInfoGetServerTrust(WKCertificateInfoRef certificateInfo);
+
+// Deprecated
</ins><span class="cx"> WK_EXPORT CFArrayRef WKCertificateInfoGetCertificateChain(WKCertificateInfoRef certificateInfo);
</span><span class="cx">
</span><span class="cx"> #ifdef __cplusplus
</span></span></pre></div>
<a id="trunkSourceWebKit2SharedAPIcmacWKCertificateInfoMacmm"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/Shared/API/c/mac/WKCertificateInfoMac.mm (200462 => 200463)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/Shared/API/c/mac/WKCertificateInfoMac.mm 2016-05-05 18:14:48 UTC (rev 200462)
+++ trunk/Source/WebKit2/Shared/API/c/mac/WKCertificateInfoMac.mm 2016-05-05 18:23:47 UTC (rev 200463)
</span><span class="lines">@@ -42,3 +42,12 @@
</span><span class="cx"> {
</span><span class="cx"> return toImpl(certificateInfoRef)->certificateInfo().certificateChain();
</span><span class="cx"> }
</span><ins>+
+SecTrustRef WKCertificateInfoGetServerTrust(WKCertificateInfoRef certificateInfoRef)
+{
+#if HAVE(SEC_TRUST_SERIALIZATION)
+ return toImpl(certificateInfoRef)->certificateInfo().trust();
+#else
+ return nullptr;
+#endif
+}
</ins></span></pre></div>
<a id="trunkSourceWebKit2SharedAuthenticationmacAuthenticationManagermacmm"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/Shared/Authentication/mac/AuthenticationManager.mac.mm (200462 => 200463)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/Shared/Authentication/mac/AuthenticationManager.mac.mm 2016-05-05 18:14:48 UTC (rev 200462)
+++ trunk/Source/WebKit2/Shared/Authentication/mac/AuthenticationManager.mac.mm 2016-05-05 18:23:47 UTC (rev 200463)
</span><span class="lines">@@ -36,18 +36,44 @@
</span><span class="cx">
</span><span class="cx"> namespace WebKit {
</span><span class="cx">
</span><ins>+static SecCertificateRef leafCertificate(const CertificateInfo& certificateInfo)
+{
+#if HAVE(SEC_TRUST_SERIALIZATION)
+ return SecTrustGetCertificateAtIndex(certificateInfo.trust(), 0);
+#else
+ ASSERT(CFArrayGetCount(certificateInfo.certificateChain()));
+ return (SecCertificateRef)CFArrayGetValueAtIndex(certificateInfo.certificateChain(), 0);
+#endif
+}
+
+static NSArray *chain(const CertificateInfo& certificateInfo)
+{
+#if HAVE(SEC_TRUST_SERIALIZATION)
+ CFIndex count = SecTrustGetCertificateCount(certificateInfo.trust());
+ if (count < 2)
+ return nil;
+
+ NSMutableArray *array = [NSMutableArray array];
+ for (CFIndex i = 1; i < count; ++i)
+ [array addObject:(id)SecTrustGetCertificateAtIndex(certificateInfo.trust(), i)];
+
+ return array;
+#else
+ CFIndex chainCount = CFArrayGetCount(certificateInfo.certificateChain());
+ return chainCount > 1 ? [(NSArray *)certificateInfo.certificateChain() subarrayWithRange:NSMakeRange(1, chainCount - 1)] : nil;
+#endif
+}
+
+
</ins><span class="cx"> // FIXME: This function creates an identity from a certificate, which should not be needed. We should pass an identity over IPC (as we do on iOS).
</span><span class="cx"> bool AuthenticationManager::tryUseCertificateInfoForChallenge(const AuthenticationChallenge& challenge, const CertificateInfo& certificateInfo, ChallengeCompletionHandler completionHandler)
</span><span class="cx"> {
</span><del>- CFArrayRef chain = certificateInfo.certificateChain();
- if (!chain)
</del><ins>+ if (certificateInfo.isEmpty())
</ins><span class="cx"> return false;
</span><del>-
- ASSERT(CFArrayGetCount(chain));
</del><span class="cx">
</span><span class="cx"> // The passed-in certificate chain includes the identity certificate at index 0, and additional certificates starting at index 1.
</span><span class="cx"> SecIdentityRef identity;
</span><del>- OSStatus result = SecIdentityCreateWithCertificate(NULL, (SecCertificateRef)CFArrayGetValueAtIndex(chain, 0), &identity);
</del><ins>+ OSStatus result = SecIdentityCreateWithCertificate(NULL, leafCertificate(certificateInfo), &identity);
</ins><span class="cx"> if (result != errSecSuccess) {
</span><span class="cx"> LOG_ERROR("Unable to create SecIdentityRef with certificate - %i", result);
</span><span class="cx"> if (completionHandler)
</span><span class="lines">@@ -57,13 +83,7 @@
</span><span class="cx"> return true;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- CFIndex chainCount = CFArrayGetCount(chain);
- NSArray *nsChain = chainCount > 1 ? [(NSArray *)chain subarrayWithRange:NSMakeRange(1, chainCount - 1)] : nil;
-
- NSURLCredential *credential = [NSURLCredential credentialWithIdentity:identity
- certificates:nsChain
- persistence:NSURLCredentialPersistenceNone];
-
</del><ins>+ NSURLCredential *credential = [NSURLCredential credentialWithIdentity:identity certificates:chain(certificateInfo) persistence:NSURLCredentialPersistenceNone];
</ins><span class="cx"> if (completionHandler)
</span><span class="cx"> completionHandler(AuthenticationChallengeDisposition::UseCredential, Credential(credential));
</span><span class="cx"> else
</span></span></pre></div>
<a id="trunkSourceWebKit2SharedcfArgumentCodersCFcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/Shared/cf/ArgumentCodersCF.cpp (200462 => 200463)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/Shared/cf/ArgumentCodersCF.cpp 2016-05-05 18:14:48 UTC (rev 200462)
+++ trunk/Source/WebKit2/Shared/cf/ArgumentCodersCF.cpp 2016-05-05 18:23:47 UTC (rev 200463)
</span><span class="lines">@@ -31,6 +31,7 @@
</span><span class="cx"> #include "DataReference.h"
</span><span class="cx"> #include <WebCore/CFURLExtras.h>
</span><span class="cx"> #include <wtf/Vector.h>
</span><ins>+#include <wtf/spi/cocoa/SecuritySPI.h>
</ins><span class="cx">
</span><span class="cx"> #if USE(FOUNDATION)
</span><span class="cx"> #import <Foundation/Foundation.h>
</span><span class="lines">@@ -87,6 +88,9 @@
</span><span class="cx"> #if HAVE(SEC_ACCESS_CONTROL)
</span><span class="cx"> SecAccessControl,
</span><span class="cx"> #endif
</span><ins>+#if HAVE(SEC_TRUST_SERIALIZATION)
+ SecTrust,
+#endif
</ins><span class="cx"> Null,
</span><span class="cx"> Unknown,
</span><span class="cx"> };
</span><span class="lines">@@ -129,6 +133,10 @@
</span><span class="cx"> if (typeID == SecAccessControlGetTypeID())
</span><span class="cx"> return SecAccessControl;
</span><span class="cx"> #endif
</span><ins>+#if HAVE(SEC_TRUST_SERIALIZATION)
+ if (typeID == SecTrustGetTypeID())
+ return SecTrust;
+#endif
</ins><span class="cx">
</span><span class="cx"> ASSERT_NOT_REACHED();
</span><span class="cx"> return Unknown;
</span><span class="lines">@@ -182,6 +190,11 @@
</span><span class="cx"> encode(encoder, (SecAccessControlRef)typeRef);
</span><span class="cx"> return;
</span><span class="cx"> #endif
</span><ins>+#if HAVE(SEC_TRUST_SERIALIZATION)
+ case SecTrust:
+ encode(encoder, (SecTrustRef)typeRef);
+ return;
+#endif
</ins><span class="cx"> case Null:
</span><span class="cx"> return;
</span><span class="cx"> case Unknown:
</span><span class="lines">@@ -289,6 +302,15 @@
</span><span class="cx"> return true;
</span><span class="cx"> }
</span><span class="cx"> #endif
</span><ins>+#if HAVE(SEC_TRUST_SERIALIZATION)
+ case SecTrust: {
+ RetainPtr<SecTrustRef> trust;
+ if (!decode(decoder, trust))
+ return false;
+ result = adoptCF(trust.leakRef());
+ return true;
+ }
+#endif
</ins><span class="cx"> case Null:
</span><span class="cx"> result = tokenNullTypeRef();
</span><span class="cx"> return true;
</span><span class="lines">@@ -741,7 +763,41 @@
</span><span class="cx">
</span><span class="cx"> return true;
</span><span class="cx"> }
</span><ins>+#endif
</ins><span class="cx">
</span><ins>+#if HAVE(SEC_TRUST_SERIALIZATION)
+void encode(ArgumentEncoder& encoder, SecTrustRef trust)
+{
+ auto data = adoptCF(SecTrustSerialize(trust, nullptr));
+ if (!data) {
+ encoder << false;
+ return;
+ }
+
+ encoder << true;
+ IPC::encode(encoder, data.get());
+}
+
+bool decode(ArgumentDecoder& decoder, RetainPtr<SecTrustRef>& result)
+{
+ bool hasTrust;
+ if (!decoder.decode(hasTrust))
+ return false;
+
+ if (!hasTrust)
+ return true;
+
+ RetainPtr<CFDataRef> trustData;
+ if (!IPC::decode(decoder, trustData))
+ return false;
+
+ auto trust = adoptCF(SecTrustDeserialize(trustData.get(), nullptr));
+ if (!trust)
+ return false;
+
+ result = WTFMove(trust);
+ return true;
+}
</ins><span class="cx"> #endif
</span><span class="cx">
</span><span class="cx"> } // namespace IPC
</span></span></pre></div>
<a id="trunkSourceWebKit2SharedcfArgumentCodersCFh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/Shared/cf/ArgumentCodersCF.h (200462 => 200463)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/Shared/cf/ArgumentCodersCF.h 2016-05-05 18:14:48 UTC (rev 200462)
+++ trunk/Source/WebKit2/Shared/cf/ArgumentCodersCF.h 2016-05-05 18:23:47 UTC (rev 200463)
</span><span class="lines">@@ -27,6 +27,7 @@
</span><span class="cx"> #define ArgumentCodersCF_h
</span><span class="cx">
</span><span class="cx"> #include <Security/SecCertificate.h>
</span><ins>+#include <Security/SecTrust.h>
</ins><span class="cx"> #include <wtf/RetainPtr.h>
</span><span class="cx">
</span><span class="cx"> #if HAVE(SEC_KEYCHAIN)
</span><span class="lines">@@ -94,6 +95,12 @@
</span><span class="cx"> bool decode(ArgumentDecoder&, RetainPtr<SecAccessControlRef>& result);
</span><span class="cx"> #endif
</span><span class="cx">
</span><ins>+#if HAVE(SEC_TRUST_SERIALIZATION)
+// SecTrustRef
+void encode(ArgumentEncoder&, SecTrustRef);
+bool decode(ArgumentDecoder&, RetainPtr<SecTrustRef>&);
+#endif
+
</ins><span class="cx"> #if PLATFORM(IOS)
</span><span class="cx"> void setAllowsDecodingSecKeyRef(bool);
</span><span class="cx"> #endif
</span></span></pre></div>
<a id="trunkSourceWebKit2SharedmacWebCoreArgumentCodersMacmm"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/Shared/mac/WebCoreArgumentCodersMac.mm (200462 => 200463)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/Shared/mac/WebCoreArgumentCodersMac.mm 2016-05-05 18:14:48 UTC (rev 200462)
+++ trunk/Source/WebKit2/Shared/mac/WebCoreArgumentCodersMac.mm 2016-05-05 18:23:47 UTC (rev 200463)
</span><span class="lines">@@ -163,31 +163,53 @@
</span><span class="cx">
</span><span class="cx"> void ArgumentCoder<CertificateInfo>::encode(ArgumentEncoder& encoder, const CertificateInfo& certificateInfo)
</span><span class="cx"> {
</span><del>- CFArrayRef certificateChain = certificateInfo.certificateChain();
- if (!certificateChain) {
- encoder << false;
- return;
</del><ins>+ encoder.encodeEnum(certificateInfo.type());
+
+ switch (certificateInfo.type()) {
+#if HAVE(SEC_TRUST_SERIALIZATION)
+ case CertificateInfo::Type::Trust:
+ IPC::encode(encoder, certificateInfo.trust());
+ break;
+#endif
+ case CertificateInfo::Type::CertificateChain:
+ IPC::encode(encoder, certificateInfo.certificateChain());
+ break;
+ case CertificateInfo::Type::None:
+ // Do nothing.
+ break;
</ins><span class="cx"> }
</span><del>-
- encoder << true;
- IPC::encode(encoder, certificateChain);
</del><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> bool ArgumentCoder<CertificateInfo>::decode(ArgumentDecoder& decoder, CertificateInfo& certificateInfo)
</span><span class="cx"> {
</span><del>- bool hasCertificateChain;
- if (!decoder.decode(hasCertificateChain))
</del><ins>+ CertificateInfo::Type certificateInfoType;
+ if (!decoder.decodeEnum(certificateInfoType))
</ins><span class="cx"> return false;
</span><span class="cx">
</span><del>- if (!hasCertificateChain)
</del><ins>+ switch (certificateInfoType) {
+#if HAVE(SEC_TRUST_SERIALIZATION)
+ case CertificateInfo::Type::Trust: {
+ RetainPtr<SecTrustRef> trust;
+ if (!IPC::decode(decoder, trust))
+ return false;
+
+ certificateInfo = CertificateInfo(WTFMove(trust));
</ins><span class="cx"> return true;
</span><ins>+ }
+#endif
+ case CertificateInfo::Type::CertificateChain: {
+ RetainPtr<CFArrayRef> certificateChain;
+ if (!IPC::decode(decoder, certificateChain))
+ return false;
</ins><span class="cx">
</span><del>- RetainPtr<CFArrayRef> certificateChain;
- if (!IPC::decode(decoder, certificateChain))
- return false;
</del><ins>+ certificateInfo = CertificateInfo(WTFMove(certificateChain));
+ return true;
+ }
+ case CertificateInfo::Type::None:
+ // Do nothing.
+ break;
+ }
</ins><span class="cx">
</span><del>- certificateInfo.setCertificateChain(certificateChain.get());
-
</del><span class="cx"> return true;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -219,10 +241,8 @@
</span><span class="cx"> }());
</span><span class="cx">
</span><span class="cx"> CFDictionarySetValue(filteredUserInfo.get(), @"NSErrorClientCertificateChainKey", clientIdentityAndCertificates);
</span><del>- };
</del><ins>+ }
</ins><span class="cx">
</span><del>- IPC::encode(encoder, filteredUserInfo.get());
-
</del><span class="cx"> id peerCertificateChain = [userInfo objectForKey:@"NSErrorPeerCertificateChainKey"];
</span><span class="cx"> if (!peerCertificateChain) {
</span><span class="cx"> if (SecTrustRef peerTrust = (SecTrustRef)[userInfo objectForKey:NSURLErrorFailingURLPeerTrustErrorKey]) {
</span><span class="lines">@@ -233,8 +253,16 @@
</span><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx"> ASSERT(!peerCertificateChain || [peerCertificateChain isKindOfClass:[NSArray class]]);
</span><del>- encoder << CertificateInfo((CFArrayRef)peerCertificateChain);
</del><ins>+ if (peerCertificateChain)
+ CFDictionarySetValue(filteredUserInfo.get(), @"NSErrorPeerCertificateChainKey", peerCertificateChain);
</ins><span class="cx">
</span><ins>+#if HAVE(SEC_TRUST_SERIALIZATION)
+ if (SecTrustRef peerTrust = (SecTrustRef)[userInfo objectForKey:NSURLErrorFailingURLPeerTrustErrorKey])
+ CFDictionarySetValue(filteredUserInfo.get(), NSURLErrorFailingURLPeerTrustErrorKey, peerTrust);
+#endif
+
+ IPC::encode(encoder, filteredUserInfo.get());
+
</ins><span class="cx"> if (id underlyingError = [userInfo objectForKey:NSUnderlyingErrorKey]) {
</span><span class="cx"> ASSERT([underlyingError isKindOfClass:[NSError class]]);
</span><span class="cx"> encoder << true;
</span><span class="lines">@@ -269,15 +297,6 @@
</span><span class="cx"> if (!IPC::decode(decoder, userInfo))
</span><span class="cx"> return false;
</span><span class="cx">
</span><del>- CertificateInfo certificate;
- if (!decoder.decode(certificate))
- return false;
-
- if (certificate.certificateChain()) {
- userInfo = adoptCF(CFDictionaryCreateMutableCopy(kCFAllocatorDefault, CFDictionaryGetCount(userInfo.get()) + 1, userInfo.get()));
- CFDictionarySetValue((CFMutableDictionaryRef)userInfo.get(), CFSTR("NSErrorPeerCertificateChainKey"), (CFArrayRef)certificate.certificateChain());
- }
-
</del><span class="cx"> bool hasUnderlyingError = false;
</span><span class="cx"> if (!decoder.decode(hasUnderlyingError))
</span><span class="cx"> return false;
</span></span></pre></div>
<a id="trunkSourceWebKit2UIProcessAPICocoaWKWebViewh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/UIProcess/API/Cocoa/WKWebView.h (200462 => 200463)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/UIProcess/API/Cocoa/WKWebView.h 2016-05-05 18:14:48 UTC (rev 200462)
+++ trunk/Source/WebKit2/UIProcess/API/Cocoa/WKWebView.h 2016-05-05 18:23:47 UTC (rev 200463)
</span><span class="lines">@@ -164,12 +164,11 @@
</span><span class="cx"> */
</span><span class="cx"> @property (nonatomic, readonly) BOOL hasOnlySecureContent;
</span><span class="cx">
</span><del>-/*! @abstract An array of SecCertificateRef objects forming the certificate
- chain for the currently committed navigation.
- @discussion The certificates are ordered from leaf (at index 0) to anchor.
- @link WKWebView @/link is key-value observing (KVO) compliant for this property.
</del><ins>+/*! @abstract A SecTrustRef for the currently committed navigation.
+ @discussion @link WKWebView @/link is key-value observing (KVO) compliant
+ for this property.
</ins><span class="cx"> */
</span><del>-@property (nonatomic, readonly, copy) NSArray *certificateChain WK_AVAILABLE(10_11, 9_0);
</del><ins>+@property (nonatomic, readonly, nullable) SecTrustRef serverTrust WK_AVAILABLE(WK_MAC_TBA, WK_IOS_TBA);
</ins><span class="cx">
</span><span class="cx"> /*! @abstract A Boolean value indicating whether there is a back item in
</span><span class="cx"> the back-forward list that can be navigated to.
</span><span class="lines">@@ -305,6 +304,12 @@
</span><span class="cx">
</span><span class="cx"> #endif
</span><span class="cx">
</span><ins>+@interface WKWebView (WKDeprecated)
+
+@property (nonatomic, readonly, copy) NSArray *certificateChain WK_DEPRECATED(10_11, WK_MAC_TBA, 9_0, WK_IOS_TBA, "Please use serverTrust");
+
+@end
+
</ins><span class="cx"> NS_ASSUME_NONNULL_END
</span><span class="cx">
</span><span class="cx"> #endif
</span></span></pre></div>
<a id="trunkSourceWebKit2UIProcessAPICocoaWKWebViewmm"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/UIProcess/API/Cocoa/WKWebView.mm (200462 => 200463)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/UIProcess/API/Cocoa/WKWebView.mm 2016-05-05 18:14:48 UTC (rev 200462)
+++ trunk/Source/WebKit2/UIProcess/API/Cocoa/WKWebView.mm 2016-05-05 18:23:47 UTC (rev 200463)
</span><span class="lines">@@ -721,13 +721,17 @@
</span><span class="cx"> return _page->pageLoadState().hasOnlySecureContent();
</span><span class="cx"> }
</span><span class="cx">
</span><del>-- (NSArray *)certificateChain
</del><ins>+- (SecTrustRef)serverTrust
</ins><span class="cx"> {
</span><ins>+#if HAVE(SEC_TRUST_SERIALIZATION)
</ins><span class="cx"> auto certificateInfo = _page->pageLoadState().certificateInfo();
</span><span class="cx"> if (!certificateInfo)
</span><del>- return @[ ];
</del><ins>+ return nil;
</ins><span class="cx">
</span><del>- return (NSArray *)certificateInfo->certificateInfo().certificateChain() ?: @[ ];
</del><ins>+ return certificateInfo->certificateInfo().trust();
+#else
+ return nil;
+#endif
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> - (BOOL)canGoBack
</span><span class="lines">@@ -4491,6 +4495,19 @@
</span><span class="cx"> @end
</span><span class="cx"> #endif
</span><span class="cx">
</span><ins>+@implementation WKWebView (WKDeprecated)
+
+- (NSArray *)certificateChain
+{
+ auto certificateInfo = _page->pageLoadState().certificateInfo();
+ if (!certificateInfo)
+ return @[ ];
+
+ return (NSArray *)certificateInfo->certificateInfo().certificateChain() ?: @[ ];
+}
+
+@end
+
</ins><span class="cx"> #if PLATFORM(IOS) && USE(APPLE_INTERNAL_SDK)
</span><span class="cx"> #import <WebKitAdditions/WKWebViewAdditions.mm>
</span><span class="cx"> #endif
</span></span></pre></div>
<a id="trunkSourceWebKit2UIProcessCocoaNavigationStatemm"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/UIProcess/Cocoa/NavigationState.mm (200462 => 200463)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/UIProcess/Cocoa/NavigationState.mm 2016-05-05 18:14:48 UTC (rev 200462)
+++ trunk/Source/WebKit2/UIProcess/Cocoa/NavigationState.mm 2016-05-05 18:23:47 UTC (rev 200463)
</span><span class="lines">@@ -902,12 +902,14 @@
</span><span class="cx">
</span><span class="cx"> void NavigationState::willChangeCertificateInfo()
</span><span class="cx"> {
</span><ins>+ [m_webView willChangeValueForKey:@"serverTrust"];
</ins><span class="cx"> [m_webView willChangeValueForKey:@"certificateChain"];
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void NavigationState::didChangeCertificateInfo()
</span><span class="cx"> {
</span><span class="cx"> [m_webView didChangeValueForKey:@"certificateChain"];
</span><ins>+ [m_webView didChangeValueForKey:@"serverTrust"];
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void NavigationState::willChangeWebProcessIsResponsive()
</span></span></pre></div>
<a id="trunkSourceWebKit2WebProcessInjectedBundleAPICocoaWKWebProcessPlugInFramemm"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/WebProcess/InjectedBundle/API/Cocoa/WKWebProcessPlugInFrame.mm (200462 => 200463)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/WebProcess/InjectedBundle/API/Cocoa/WKWebProcessPlugInFrame.mm 2016-05-05 18:14:48 UTC (rev 200462)
+++ trunk/Source/WebKit2/WebProcess/InjectedBundle/API/Cocoa/WKWebProcessPlugInFrame.mm 2016-05-05 18:23:47 UTC (rev 200463)
</span><span class="lines">@@ -122,6 +122,15 @@
</span><span class="cx"> return (NSArray *)_frame->certificateInfo().certificateChain();
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+- (SecTrustRef)_serverTrust
+{
+#if HAVE(SEC_TRUST_SERIALIZATION)
+ return _frame->certificateInfo().trust();
+#else
+ return nil;
+#endif
+}
+
</ins><span class="cx"> - (NSURL *)_provisionalURL
</span><span class="cx"> {
</span><span class="cx"> return [NSURL _web_URLWithWTFString:_frame->provisionalURL()];
</span></span></pre></div>
<a id="trunkSourceWebKit2WebProcessInjectedBundleAPICocoaWKWebProcessPlugInFramePrivateh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/WebProcess/InjectedBundle/API/Cocoa/WKWebProcessPlugInFramePrivate.h (200462 => 200463)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/WebProcess/InjectedBundle/API/Cocoa/WKWebProcessPlugInFramePrivate.h 2016-05-05 18:14:48 UTC (rev 200462)
+++ trunk/Source/WebKit2/WebProcess/InjectedBundle/API/Cocoa/WKWebProcessPlugInFramePrivate.h 2016-05-05 18:23:47 UTC (rev 200463)
</span><span class="lines">@@ -37,6 +37,7 @@
</span><span class="cx">
</span><span class="cx"> @property (nonatomic, readonly) BOOL _hasCustomContentProvider;
</span><span class="cx"> @property (nonatomic, readonly) NSArray *_certificateChain;
</span><ins>+@property (nonatomic, readonly) SecTrustRef _serverTrust;
</ins><span class="cx"> @property (nonatomic, readonly) NSURL *_provisionalURL;
</span><span class="cx">
</span><span class="cx"> @property (nonatomic, readonly) WKWebProcessPlugInFrame *_parentFrame;
</span></span></pre>
</div>
</div>
</body>
</html>