- Revision
- 199501
- Author
- [email protected]
- Date
- 2016-04-13 10:37:51 -0700 (Wed, 13 Apr 2016)
Log Message
Fix client certificate authentication with NetworkSession
https://bugs.webkit.org/show_bug.cgi?id=156527
<rdar://problem/25489156>
Patch by Alex Christensen <[email protected]> on 2016-04-13
Reviewed by Darin Adler.
* NetworkProcess/NetworkLoad.cpp:
(WebKit::NetworkLoad::continueCanAuthenticateAgainstProtectionSpace):
We only want to use serverTrustCredential for ServerTrustEvaluation authentication challenges, not
* Shared/Authentication/AuthenticationManager.cpp:
(WebKit::AuthenticationManager::tryUseCertificateInfoForChallenge):
(WebKit::AuthenticationManager::useCredentialForSingleChallenge):
* Shared/Authentication/AuthenticationManager.h:
* Shared/Authentication/mac/AuthenticationManager.mac.mm:
(WebKit::AuthenticationManager::tryUseCertificateInfoForChallenge):
Don't use challenge.sender with NSURLSession, which requires callbacks instead.
Diff
Modified: trunk/Source/WebKit2/ChangeLog (199500 => 199501)
--- trunk/Source/WebKit2/ChangeLog 2016-04-13 17:13:13 UTC (rev 199500)
+++ trunk/Source/WebKit2/ChangeLog 2016-04-13 17:37:51 UTC (rev 199501)
@@ -1,3 +1,22 @@
+2016-04-13 Alex Christensen <[email protected]>
+
+ Fix client certificate authentication with NetworkSession
+ https://bugs.webkit.org/show_bug.cgi?id=156527
+ <rdar://problem/25489156>
+
+ Reviewed by Darin Adler.
+
+ * NetworkProcess/NetworkLoad.cpp:
+ (WebKit::NetworkLoad::continueCanAuthenticateAgainstProtectionSpace):
+ We only want to use serverTrustCredential for ServerTrustEvaluation authentication challenges, not
+ * Shared/Authentication/AuthenticationManager.cpp:
+ (WebKit::AuthenticationManager::tryUseCertificateInfoForChallenge):
+ (WebKit::AuthenticationManager::useCredentialForSingleChallenge):
+ * Shared/Authentication/AuthenticationManager.h:
+ * Shared/Authentication/mac/AuthenticationManager.mac.mm:
+ (WebKit::AuthenticationManager::tryUseCertificateInfoForChallenge):
+ Don't use challenge.sender with NSURLSession, which requires callbacks instead.
+
2016-04-12 Daniel Bates <[email protected]>
REGRESSION (r198933): Unable to login to Google account from Internet Accounts preference pane
Modified: trunk/Source/WebKit2/NetworkProcess/NetworkLoad.cpp (199500 => 199501)
--- trunk/Source/WebKit2/NetworkProcess/NetworkLoad.cpp 2016-04-13 17:13:13 UTC (rev 199500)
+++ trunk/Source/WebKit2/NetworkProcess/NetworkLoad.cpp 2016-04-13 17:37:51 UTC (rev 199501)
@@ -360,7 +360,7 @@
return;
}
- if (!m_challenge.protectionSpace().isPasswordBased()) {
+ if (m_challenge.protectionSpace().authenticationScheme() == ProtectionSpaceAuthenticationSchemeServerTrustEvaluationRequested) {
completionHandler(AuthenticationChallengeDisposition::UseCredential, serverTrustCredential(m_challenge));
return;
}
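Review bot: The branch on `authenticationScheme() == ProtectionSpaceAuthenticationSchemeServerTrustEvaluationRequested` answers every server-trust challenge that reaches it with `UseCredential` and `serverTrustCredential(m_challenge)`, and nothing visible in the hunk shows where the server's trust was evaluated. If an earlier step in this function or its caller has already accepted the trust, a comment should say so, for example `// Server trust was already vetted by <earlier check>; only client-certificate and password challenges continue below.`, with the placeholder replaced by the real location. Without that, a reader cannot tell an intentional accept from a bypass of certificate validation. The enclosing function starts and ends outside the hunk.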
Modified: trunk/Source/WebKit2/Shared/Authentication/AuthenticationManager.cpp (199500 => 199501)
--- trunk/Source/WebKit2/Shared/Authentication/AuthenticationManager.cpp 2016-04-13 17:13:13 UTC (rev 199500)
+++ trunk/Source/WebKit2/Shared/Authentication/AuthenticationManager.cpp 2016-04-13 17:37:51 UTC (rev 199501)
@@ -188,7 +188,7 @@
// Currently, only Mac knows how to respond to authentication challenges with certificate info.
#if !HAVE(SEC_IDENTITY)
-bool AuthenticationManager::tryUseCertificateInfoForChallenge(const WebCore::AuthenticationChallenge&, const CertificateInfo&)
+bool AuthenticationManager::tryUseCertificateInfoForChallenge(const WebCore::AuthenticationChallenge&, const CertificateInfo&, ChallengeCompletionHandler)
{
return false;
}
@@ -207,14 +207,20 @@
auto challenge = m_challenges.take(challengeID);
ASSERT(!challenge.challenge.isNull());
- if (tryUseCertificateInfoForChallenge(challenge.challenge, certificateInfo))
+#if USE(NETWORK_SESSION)
+ auto completionHandler = challenge.completionHandler;
+#else
+ ChallengeCompletionHandler completionHandler = nullptr;
+#endif
+
+ if (tryUseCertificateInfoForChallenge(challenge.challenge, certificateInfo, completionHandler))
return;
AuthenticationClient* coreClient = challenge.challenge.authenticationClient();
#if USE(NETWORK_SESSION)
// If there is a completion handler, then there is no AuthenticationClient.
// FIXME: Remove the use of AuthenticationClient in WebKit2 once NETWORK_SESSION is used for all loads.
- if (challenge.completionHandler) {
+ if (completionHandler) {
ASSERT(!coreClient);
challenge.completionHandler(AuthenticationChallengeDisposition::UseCredential, credential);
return;
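Review bot: The guard now tests the local `completionHandler`, but the call two lines later still invokes `challenge.completionHandler(AuthenticationChallengeDisposition::UseCredential, credential);`. Under `USE(NETWORK_SESSION)` the two are the same object, so behaviour is unchanged, but mixing the names makes it harder to check that the handler runs exactly once per challenge. I would call the local instead: `completionHandler(AuthenticationChallengeDisposition::UseCredential, credential);`. The function continues past the end of the hunk.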
Modified: trunk/Source/WebKit2/Shared/Authentication/AuthenticationManager.h (199500 => 199501)
--- trunk/Source/WebKit2/Shared/Authentication/AuthenticationManager.h 2016-04-13 17:13:13 UTC (rev 199500)
+++ trunk/Source/WebKit2/Shared/Authentication/AuthenticationManager.h 2016-04-13 17:37:51 UTC (rev 199501)
@@ -94,7 +94,7 @@
// IPC::MessageReceiver
void didReceiveMessage(IPC::Connection&, IPC::MessageDecoder&) override;
- bool tryUseCertificateInfoForChallenge(const WebCore::AuthenticationChallenge&, const WebCore::CertificateInfo&);
+ bool tryUseCertificateInfoForChallenge(const WebCore::AuthenticationChallenge&, const WebCore::CertificateInfo&, ChallengeCompletionHandler);
uint64_t addChallengeToChallengeMap(const Challenge&);
bool shouldCoalesceChallenge(uint64_t pageID, uint64_t challengeID, const WebCore::AuthenticationChallenge&) const;
Modified: trunk/Source/WebKit2/Shared/Authentication/mac/AuthenticationManager.mac.mm (199500 => 199501)
--- trunk/Source/WebKit2/Shared/Authentication/mac/AuthenticationManager.mac.mm 2016-04-13 17:13:13 UTC (rev 199500)
+++ trunk/Source/WebKit2/Shared/Authentication/mac/AuthenticationManager.mac.mm 2016-04-13 17:37:51 UTC (rev 199501)
@@ -37,7 +37,7 @@
namespace WebKit {
// FIXME: This function creates an identity from a certificate, which should not be needed. We should pass an identity over IPC (as we do on iOS).
-bool AuthenticationManager::tryUseCertificateInfoForChallenge(const AuthenticationChallenge& challenge, const CertificateInfo& certificateInfo)
+bool AuthenticationManager::tryUseCertificateInfoForChallenge(const AuthenticationChallenge& challenge, const CertificateInfo& certificateInfo, ChallengeCompletionHandler completionHandler)
{
CFArrayRef chain = certificateInfo.certificateChain();
if (!chain)
@@ -50,7 +50,10 @@
OSStatus result = SecIdentityCreateWithCertificate(NULL, (SecCertificateRef)CFArrayGetValueAtIndex(chain, 0), &identity);
if (result != errSecSuccess) {
LOG_ERROR("Unable to create SecIdentityRef with certificate - %i", result);
- [challenge.sender() cancelAuthenticationChallenge:challenge.nsURLAuthenticationChallenge()];
+ if (completionHandler)
+ completionHandler(AuthenticationChallengeDisposition::Cancel, { });
+ else
+ [challenge.sender() cancelAuthenticationChallenge:challenge.nsURLAuthenticationChallenge()];
return true;
}
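Review bot: The `if (completionHandler) … else [challenge.sender() …]` dispatch here, and again in the following hunk for the `useCredential` case, relies on a contract stated only in the caller: the handler is null unless the load uses NetworkSession. A one-line comment above the first branch would record it, for example `// completionHandler is null for loads that do not use NetworkSession; those still answer through challenge.sender().`. It would also help to document on the function that a `true` return means the challenge has been fully answered, including the cancel path, so callers must not invoke the handler again. The function body starts before this hunk and continues after it.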
@@ -61,7 +64,10 @@
certificates:nsChain
persistence:NSURLCredentialPersistenceNone];
- [challenge.sender() useCredential:credential forAuthenticationChallenge:challenge.nsURLAuthenticationChallenge()];
+ if (completionHandler)
+ completionHandler(AuthenticationChallengeDisposition::UseCredential, Credential(credential));
+ else
+ [challenge.sender() useCredential:credential forAuthenticationChallenge:challenge.nsURLAuthenticationChallenge()];
return true;
}