electron/patches/chromium/network_service_allow_remote_certificate_verification_logic.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Jeremy Apthorp <[email protected]>
Date: Wed, 8 May 2019 17:25:55 -0700
Subject: network_service_allow_remote_certificate_verification_logic.patch

This adds a callback from the network service that's used to implement
session.setCertificateVerifyCallback.

diff --git a/services/network/network_context.cc b/services/network/network_context.cc
index f29891cb543999a5ed83ceb8130661ddbde5f1a6..a07176cf0fd3c7160922e7f9919e775cb3b6fe71 100644
--- a/services/network/network_context.cc
+++ b/services/network/network_context.cc
@@ -114,6 +114,11 @@
 #include "services/network/url_loader.h"
 #include "services/network/url_request_context_builder_mojo.h"
 
+// Electron
+#include "net/cert/caching_cert_verifier.h"
+#include "net/cert/cert_verify_proc.h"
+#include "net/cert/multi_threaded_cert_verifier.h"
+
 #if BUILDFLAG(IS_CT_SUPPORTED)
 #include "components/certificate_transparency/chrome_ct_policy_enforcer.h"
 #include "components/certificate_transparency/chrome_require_ct_delegate.h"
@@ -325,6 +330,79 @@ std::string HashesToBase64String(const net::HashValueVector& hashes) {
 
 }  // namespace
 
+class RemoteCertVerifier : public net::CertVerifier {
+ public:
+  RemoteCertVerifier(std::unique_ptr<net::CertVerifier> upstream): upstream_(std::move(upstream)) {
+  }
+  ~RemoteCertVerifier() override = default;
+
+  void Bind(
+      mojo::PendingRemote<mojom::CertVerifierClient> client_info) {
+    client_.reset();
+    if (client_info.is_valid()) {
+      client_.Bind(std::move(client_info));
+    }
+  }
+
+  // CertVerifier implementation
+  int Verify(const RequestParams& params,
+             net::CertVerifyResult* verify_result,
+             net::CompletionOnceCallback callback,
+             std::unique_ptr<Request>* out_req,
+             const net::NetLogWithSource& net_log) override {
+    out_req->reset();
+
+    net::CompletionOnceCallback callback2 = base::BindOnce(
+        &RemoteCertVerifier::OnRequestFinished, base::Unretained(this),
+        params, std::move(callback), verify_result);
+    int result = upstream_->Verify(params, verify_result,
+                                   std::move(callback2), out_req, net_log);
+    if (result != net::ERR_IO_PENDING) {
+      // Synchronous completion
+    }
+
+    return result;
+  }
+
+
+  void SetConfig(const Config& config) override {
+    upstream_->SetConfig(config);
+  }
+
+  void OnRequestFinished(const RequestParams& params, net::CompletionOnceCallback callback, net::CertVerifyResult* verify_result, int error) {
+    if (client_.is_bound()) {
+      client_->Verify(error, *verify_result, params.certificate(),
+          params.hostname(), params.flags(), params.ocsp_response(),
+          base::BindOnce(&RemoteCertVerifier::OnRemoteResponse,
+            base::Unretained(this), params, verify_result, error,
+            std::move(callback)));
+    } else {
+      std::move(callback).Run(error);
+    }
+  }
+
+  void OnRemoteResponse(
+      const RequestParams& params,
+      net::CertVerifyResult* verify_result,
+      int error,
+      net::CompletionOnceCallback callback,
+      int error2,
+      const net::CertVerifyResult& verify_result2) {
+    if (error2 == net::ERR_ABORTED) {
+      // use the default
+      std::move(callback).Run(error);
+    } else {
+      // use the override
+      verify_result->Reset();
+      verify_result->verified_cert = verify_result2.verified_cert;
+      std::move(callback).Run(error2);
+    }
+  }
+ private:
+  std::unique_ptr<net::CertVerifier> upstream_;
+  mojo::Remote<mojom::CertVerifierClient> client_;
+};
+
 constexpr uint32_t NetworkContext::kMaxOutstandingRequestsPerProcess;
 
 NetworkContext::PendingCertVerify::PendingCertVerify() = default;
@@ -519,6 +597,13 @@ void NetworkContext::SetClient(
   client_.Bind(std::move(client));
 }
 
+void NetworkContext::SetCertVerifierClient(
+    mojo::PendingRemote<mojom::CertVerifierClient> client) {
+  if (remote_cert_verifier_) {
+    remote_cert_verifier_->Bind(std::move(client));
+  }
+}
+
 void NetworkContext::CreateURLLoaderFactory(
     mojo::PendingReceiver<mojom::URLLoaderFactory> receiver,
     mojom::URLLoaderFactoryParamsPtr params) {
@@ -1729,8 +1814,9 @@ URLRequestContextOwner NetworkContext::MakeURLRequestContext(
          "NetworkContext should pass CertVerifierServiceRemoteParams.";
 
   std::unique_ptr<net::CertVerifier> cert_verifier;
+  std::unique_ptr<net::CertVerifier> temp_verifier;
   if (g_cert_verifier_for_testing) {
-    cert_verifier = std::make_unique<WrappedTestingCertVerifier>();
+    temp_verifier = std::make_unique<WrappedTestingCertVerifier>();
   } else {
     if (params_->cert_verifier_params &&
         params_->cert_verifier_params->is_remote_params()) {
@@ -1763,14 +1849,14 @@ URLRequestContextOwner NetworkContext::MakeURLRequestContext(
         cert_net_fetcher_ =
             base::MakeRefCounted<net::CertNetFetcherURLRequest>();
 
-      cert_verifier = CreateCertVerifier(creation_params, cert_net_fetcher_);
+      temp_verifier = CreateCertVerifier(creation_params, cert_net_fetcher_);
     }
 
     // Whether the cert verifier is remote or in-process, we should wrap it in
     // caching and coalescing layers to avoid extra verifications and IPCs.
-    cert_verifier = std::make_unique<net::CachingCertVerifier>(
+    temp_verifier = std::make_unique<net::CachingCertVerifier>(
         std::make_unique<net::CoalescingCertVerifier>(
-            std::move(cert_verifier)));
+            std::move(temp_verifier)));
 
 #if defined(OS_CHROMEOS)
     cert_verifier_with_trust_anchors_ =
@@ -1779,13 +1865,27 @@ URLRequestContextOwner NetworkContext::MakeURLRequestContext(
     UpdateAdditionalCertificates(
         std::move(params_->initial_additional_certificates));
     cert_verifier_with_trust_anchors_->InitializeOnIOThread(
-        std::move(cert_verifier));
-    cert_verifier = base::WrapUnique(cert_verifier_with_trust_anchors_);
+        std::move(temp_verifier));
+    temp_verifier = base::WrapUnique(cert_verifier_with_trust_anchors_);
 #endif  // defined(OS_CHROMEOS)
+    if (!temp_verifier) {
+#if !defined(OS_LINUX)
+      temp_verifier = std::make_unique<net::MultiThreadedCertVerifier>(
+          net::CertVerifyProc::CreateSystemVerifyProc(std::move(cert_net_fetcher_)));
+#else
+      temp_verifier = std::make_unique<net::MultiThreadedCertVerifier>(
+          net::CertVerifyProc::CreateBuiltinVerifyProc(std::move(cert_net_fetcher_)));
+#endif
+    }
+    auto remote_cert_verifier = std::make_unique<RemoteCertVerifier>(std::move(temp_verifier));
+    remote_cert_verifier_ = remote_cert_verifier.get();
+    cert_verifier = std::make_unique<net::CachingCertVerifier>(std::move(remote_cert_verifier));
   }
 
-  builder.SetCertVerifier(IgnoreErrorsCertVerifier::MaybeWrapCertVerifier(
-      *command_line, nullptr, std::move(cert_verifier)));
+  cert_verifier = IgnoreErrorsCertVerifier::MaybeWrapCertVerifier(
+      *command_line, nullptr, std::move(cert_verifier));
+
+  builder.SetCertVerifier(std::move(cert_verifier));
 
   std::unique_ptr<NetworkServiceNetworkDelegate> network_delegate =
       std::make_unique<NetworkServiceNetworkDelegate>(
diff --git a/services/network/network_context.h b/services/network/network_context.h
index 6989b0367ea1abcd46a110b738adc18227ab6846..dd65d1560daa8fde7d76e0dec8e1cdcb6c76b318 100644
--- a/services/network/network_context.h
+++ b/services/network/network_context.h
@@ -86,6 +86,7 @@ class DomainReliabilityMonitor;
 
 namespace network {
 class CertVerifierWithTrustAnchors;
+class RemoteCertVerifier;
 class CookieManager;
 class ExpectCTReporter;
 class HostResolver;
@@ -190,6 +191,8 @@ class COMPONENT_EXPORT(NETWORK_SERVICE) NetworkContext
   void CreateURLLoaderFactory(
       mojo::PendingReceiver<mojom::URLLoaderFactory> receiver,
       mojom::URLLoaderFactoryParamsPtr params) override;
+  void SetCertVerifierClient(
+      mojo::PendingRemote<mojom::CertVerifierClient> client) override;
   void ResetURLLoaderFactories() override;
   void GetCookieManager(
       mojo::PendingReceiver<mojom::CookieManager> receiver) override;
@@ -657,6 +660,8 @@ class COMPONENT_EXPORT(NETWORK_SERVICE) NetworkContext
   std::unique_ptr<network::NSSTempCertsCacheChromeOS> nss_temp_certs_cache_;
 #endif
 
+  RemoteCertVerifier* remote_cert_verifier_ = nullptr;
+
   // CertNetFetcher used by the context's CertVerifier. May be nullptr if
   // CertNetFetcher is not used by the current platform, or if the actual
   // net::CertVerifier is instantiated outside of the network service.
diff --git a/services/network/public/mojom/network_context.mojom b/services/network/public/mojom/network_context.mojom
index 6d5110add0e37fee81337a79f33c7b9266a2a9b0..577c2b431ae8026b34fa1d881b0b29db478dc213 100644
--- a/services/network/public/mojom/network_context.mojom
+++ b/services/network/public/mojom/network_context.mojom
@@ -214,6 +214,17 @@ struct CTPolicy {
   array<string> excluded_legacy_spkis;
 };
 
+interface CertVerifierClient {
+  Verify(
+    int32 default_error,
+    CertVerifyResult default_result,
+    X509Certificate certificate,
+    string hostname,
+    int32 flags,
+    string? ocsp_response
+  ) => (int32 error_code, CertVerifyResult result);
+};
+
 // Parameters for constructing a network context.
 struct NetworkContextParams {
   // Name used by memory tools to identify the context.
@@ -856,6 +867,9 @@ interface NetworkContext {
   // Sets a client for this network context.
   SetClient(pending_remote<NetworkContextClient> client);
 
+  // Sets a certificate verifier client for this network context.
+  SetCertVerifierClient(pending_remote<CertVerifierClient>? client);
+
   // Creates a new URLLoaderFactory with the given |params|.
   CreateURLLoaderFactory(pending_receiver<URLLoaderFactory> url_loader_factory,
                          URLLoaderFactoryParams params);