Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(893)

Side by Side Diff: chrome/browser/chromeos/cros/onc_network_parser.cc

Issue 10868076: Only import certificates with Web trust from ONC if the user is managed and matches the enterprise … (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Fixed upload Created 8 years, 3 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "chrome/browser/chromeos/cros/onc_network_parser.h" 5 #include "chrome/browser/chromeos/cros/onc_network_parser.h"
6 6
7 #include <keyhi.h> 7 #include <keyhi.h>
8 #include <pk11pub.h> 8 #include <pk11pub.h>
9 9
10 #include "base/base64.h" 10 #include "base/base64.h"
(...skipping 264 matching lines...) Expand 10 before | Expand all | Expand 10 after
275 275
276 } // namespace 276 } // namespace
277 277
278 // -------------------- OncNetworkParser -------------------- 278 // -------------------- OncNetworkParser --------------------
279 279
280 OncNetworkParser::OncNetworkParser(const std::string& onc_blob, 280 OncNetworkParser::OncNetworkParser(const std::string& onc_blob,
281 const std::string& passphrase, 281 const std::string& passphrase,
282 NetworkUIData::ONCSource onc_source) 282 NetworkUIData::ONCSource onc_source)
283 : NetworkParser(get_onc_mapper()), 283 : NetworkParser(get_onc_mapper()),
284 onc_source_(onc_source), 284 onc_source_(onc_source),
285 allow_web_trust_from_policy_(false),
285 network_configs_(NULL), 286 network_configs_(NULL),
286 certificates_(NULL) { 287 certificates_(NULL) {
287 VLOG(2) << __func__ << ": OncNetworkParser called on " << onc_blob; 288 VLOG(2) << __func__ << ": OncNetworkParser called on " << onc_blob;
288 JSONStringValueSerializer deserializer(onc_blob); 289 JSONStringValueSerializer deserializer(onc_blob);
289 deserializer.set_allow_trailing_comma(true); 290 deserializer.set_allow_trailing_comma(true);
290 scoped_ptr<base::Value> root(deserializer.Deserialize(NULL, &parse_error_)); 291 scoped_ptr<base::Value> root(deserializer.Deserialize(NULL, &parse_error_));
291 292
292 if (!root.get() || root->GetType() != base::Value::TYPE_DICTIONARY) { 293 if (!root.get() || root->GetType() != base::Value::TYPE_DICTIONARY) {
293 LOG(WARNING) << "OncNetworkParser received bad ONC file: " << parse_error_; 294 LOG(WARNING) << "OncNetworkParser received bad ONC file: " << parse_error_;
294 } else { 295 } else {
(...skipping 647 matching lines...) Expand 10 before | Expand all | Expand 10 after
942 // have removed the existing cert above. 943 // have removed the existing cert above.
943 net::CertificateList certs; 944 net::CertificateList certs;
944 ListCertsWithNickname(guid, &certs); 945 ListCertsWithNickname(guid, &certs);
945 if (!certs.empty()) { 946 if (!certs.empty()) {
946 LOG(WARNING) << "Cert GUID is already in use: " << guid; 947 LOG(WARNING) << "Cert GUID is already in use: " << guid;
947 parse_error_ = l10n_util::GetStringUTF8( 948 parse_error_ = l10n_util::GetStringUTF8(
948 IDS_NETWORK_CONFIG_ERROR_CERT_GUID_COLLISION); 949 IDS_NETWORK_CONFIG_ERROR_CERT_GUID_COLLISION);
949 return NULL; 950 return NULL;
950 } 951 }
951 952
953 // Web trust is only granted to certificates imported for a managed user on
954 // a managed device.
955 if ((onc_source_ == NetworkUIData::ONC_SOURCE_DEVICE_POLICY ||
Mattias Nissler (ping if slow) 2012/09/04 09:57:04 only for onc_source_ == USER_POLICY
Joao da Silva 2012/09/04 12:52:55 Done. For DEVICE_POLICY this is now bailing out wi
956 onc_source_ == NetworkUIData::ONC_SOURCE_USER_POLICY) &&
957 web_trust && !allow_web_trust_from_policy_) {
958 LOG(WARNING) << "Web trust not granted for certificate with guid " << guid;
959 web_trust = false;
960 }
961
952 net::CertificateList cert_list; 962 net::CertificateList cert_list;
953 cert_list.push_back(x509_cert); 963 cert_list.push_back(x509_cert);
954 net::CertDatabase::ImportCertFailureList failures; 964 net::CertDatabase::ImportCertFailureList failures;
955 bool success = false; 965 bool success = false;
956 net::CertDatabase::TrustBits trust = web_trust ? 966 net::CertDatabase::TrustBits trust = web_trust ?
957 net::CertDatabase::TRUSTED_SSL : 967 net::CertDatabase::TRUSTED_SSL :
958 net::CertDatabase::TRUST_DEFAULT; 968 net::CertDatabase::TRUST_DEFAULT;
959 if (cert_type == "Server") { 969 if (cert_type == "Server") {
960 success = cert_database.ImportServerCert(cert_list, trust, &failures); 970 success = cert_database.ImportServerCert(cert_list, trust, &failures);
961 } else { // Authority cert 971 } else { // Authority cert
(...skipping 1049 matching lines...) Expand 10 before | Expand all | Expand 10 after
2011 // on the value of AuthenticationType. 2021 // on the value of AuthenticationType.
2012 { "L2TP-IPsec", PROVIDER_TYPE_L2TP_IPSEC_PSK }, 2022 { "L2TP-IPsec", PROVIDER_TYPE_L2TP_IPSEC_PSK },
2013 { "OpenVPN", PROVIDER_TYPE_OPEN_VPN }, 2023 { "OpenVPN", PROVIDER_TYPE_OPEN_VPN },
2014 }; 2024 };
2015 CR_DEFINE_STATIC_LOCAL(EnumMapper<ProviderType>, parser, 2025 CR_DEFINE_STATIC_LOCAL(EnumMapper<ProviderType>, parser,
2016 (table, arraysize(table), PROVIDER_TYPE_MAX)); 2026 (table, arraysize(table), PROVIDER_TYPE_MAX));
2017 return parser.Get(type); 2027 return parser.Get(type);
2018 } 2028 }
2019 2029
2020 } // namespace chromeos 2030 } // namespace chromeos
OLDNEW

Powered by Google App Engine
This is Rietveld 408576698