Bug 208806 - [Curl] WKCertificateInfoGetVerificationError function doesn't return an error code when the browser accesses https://wrong.host.badssl.com
Summary: [Curl] WKCertificateInfoGetVerificationError function doesn't return an error...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Platform (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Takashi Komori
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2020-03-09 06:40 PDT by Takashi Komori
Modified: 2022-11-18 02:00 PST (History)
11 users (show)

See Also:

Attachments
Fix the return code WKCertificateInfoGetVerificationError function returns. (10.32 KB, patch)
2020-03-09 06:48 PDT, Takashi Komori 		no flags Details | Formatted Diff | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Takashi Komori 2020-03-09 06:40:19 PDT 
wrong.host.badssl.com is test site which provides wrong cert.
When curl port accesses the site, browser warns the cert is wrong but when the browser calls WKCertificateInfoGetVerificationError, it doesn't return error code.

This is because the process of TLS verification has two stages below, and curl port checks only the result of the first stage.
stage 1) OpenSSL checks the validity of the certification itself and the certification chain.
stage 2) curl checks the content of the cert against common name.

wrong.host.badssl.com provides wildcard cert for *.badssl.com and the invalidity is checked on stage 2.
Now curl port doesn't use the result of stage 2, so WKCertificateInfoGetVerificationError function doesn't return error code.
Comment 1 Takashi Komori 2020-03-09 06:48:38 PDT 
Created attachment 393025 [details]
Fix the return code WKCertificateInfoGetVerificationError function returns.
Comment 2 Takashi Komori 2020-03-09 07:09:35 PDT 
(In reply to Takashi Komori from comment #1)
> Created attachment 393025 [details]
> Fix the return code WKCertificateInfoGetVerificationError function returns.

This patch fixes the bug by checking the result of the result of validation on curl layer using curl_easy_getinfo.

Unfortunately we couldn't make tests for this change.
We think tests for the patch should be added to API tests (TestWebKitAPI/Tests/WebKit/curl/Certificates.cpp), but the reproduction of this bug is difficult in API tests because it only occurs accessing sites which have wrong certs.

We added some code which shows return code of WKCertificateInfoGetVerificationError function on Server Trust Evaluation Request Dialog.
For now, checking non-zero return code on the dialog is the only way to check the patch is working.

If there is some good way to test the patch, please teach us.
Comment 3 Darin Adler 2020-03-09 09:55:09 PDT 
We could and probably should configure some erroneous certificates locally in the web server we use to run tests. Not sure the whole range of options we have to map DNS all to that single server with different certificates; I think it makes sense for WebKit testing to include that and it’s worth some effort.
Comment 4 Takashi Komori 2020-03-09 20:32:15 PDT 
(In reply to Darin Adler from comment #3)
> We could and probably should configure some erroneous certificates locally
> in the web server we use to run tests. Not sure the whole range of options
> we have to map DNS all to that single server with different certificates; I
> think it makes sense for WebKit testing to include that and it’s worth some
> effort.

We will try to find how to test bad certs. Thank you for your comment.
Comment 5 Kenji Shukuwa 2022-11-17 19:50:31 PST 
Pull request: https://github.com/WebKit/WebKit/pull/6618
Comment 6 EWS 2022-11-18 01:59:09 PST 
Committed 256827@main (58dd451692d4): <https://commits.webkit.org/256827@main>

Reviewed commits have been landed. Closing PR #6618 and removing active labels.
Comment 7 Radar WebKit Bug Importer 2022-11-18 02:00:17 PST 
<rdar://problem/102506886>