| Index: chrome/browser/chromeos/cros/onc_network_parser.cc
|
| diff --git a/chrome/browser/chromeos/cros/onc_network_parser.cc b/chrome/browser/chromeos/cros/onc_network_parser.cc
|
| index d7b1889bbf58b75877976d587d847a61f43c33f1..5d146aa38e93548b4cd3bf8605956f43a67b55c0 100644
|
| --- a/chrome/browser/chromeos/cros/onc_network_parser.cc
|
| +++ b/chrome/browser/chromeos/cros/onc_network_parser.cc
|
| @@ -108,7 +108,8 @@ int OncNetworkParser::GetCertificatesSize() const {
|
| return certificates_ ? certificates_->GetSize() : 0;
|
| }
|
|
|
| -bool OncNetworkParser::ParseCertificate(int cert_index) {
|
| +scoped_refptr<net::X509Certificate> OncNetworkParser::ParseCertificate(
|
| + int cert_index) {
|
| CHECK(certificates_);
|
| CHECK(static_cast<size_t>(cert_index) < certificates_->GetSize());
|
| CHECK(cert_index >= 0);
|
| @@ -116,35 +117,39 @@ bool OncNetworkParser::ParseCertificate(int cert_index) {
|
| certificates_->GetDictionary(cert_index, &certificate);
|
| CHECK(certificate);
|
|
|
| - // Get out the attributes of the given cert.
|
| + // Get out the attributes of the given certificate.
|
| std::string guid;
|
| bool remove = false;
|
| if (!certificate->GetString("GUID", &guid) || guid.empty()) {
|
| LOG(WARNING) << "ONC File: certificate missing identifier at index"
|
| << cert_index;
|
| - return false;
|
| + return NULL;
|
| }
|
|
|
| if (!certificate->GetBoolean("Remove", &remove))
|
| remove = false;
|
|
|
| net::CertDatabase cert_database;
|
| - if (remove)
|
| - return cert_database.DeleteCertAndKeyByLabel(guid);
|
| + if (remove) {
|
| + bool success = cert_database.DeleteCertAndKeyByLabel(guid);
|
| + DCHECK(success);
|
| + // TODO(gspencer): return removed certificate?
|
| + return NULL;
|
| + }
|
|
|
| - // Not removing, so let's get the data we need to add this cert.
|
| + // Not removing, so let's get the data we need to add this certificate.
|
| std::string cert_type;
|
| certificate->GetString("Type", &cert_type);
|
| if (cert_type == "Server" || cert_type == "Authority") {
|
| - return ParseServerOrCaCertificate(cert_index, cert_type, certificate);
|
| + return ParseServerOrCaCertificate(cert_index, cert_type, guid, certificate);
|
| }
|
| if (cert_type == "Client") {
|
| - return ParseClientCertificate(cert_index, certificate);
|
| + return ParseClientCertificate(cert_index, guid, certificate);
|
| }
|
|
|
| LOG(WARNING) << "ONC File: certificate of unknown type: " << cert_type
|
| << " at index " << cert_index;
|
| - return false;
|
| + return NULL;
|
| }
|
|
|
| Network* OncNetworkParser::ParseNetwork(int n) {
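Review bot: The new `if (remove)` block ignores a failed `DeleteCertAndKeyByLabel` in release builds, where `DCHECK(success)` compiles to nothing, so a certificate the ONC file asked to remove can stay in the database with no trace in the log, and the caller receives the same `NULL` that every parse-failure path returns (the TODO acknowledges only the second half). A warning on the failure path would at least be visible: `if (!cert_database.DeleteCertAndKeyByLabel(guid)) LOG(WARNING) << "ONC File: unable to remove certificate " << guid << " at index " << cert_index;`. ParseCertificate's signature and its leading CHECKs are in the previous hunk.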
|
| @@ -207,9 +212,11 @@ std::string OncNetworkParser::GetTypeFromDictionary(
|
| return type_string;
|
| }
|
|
|
| -bool OncNetworkParser::ParseServerOrCaCertificate(
|
| +scoped_refptr<net::X509Certificate>
|
| +OncNetworkParser::ParseServerOrCaCertificate(
|
| int cert_index,
|
| const std::string& cert_type,
|
| + const std::string& guid,
|
| base::DictionaryValue* certificate) {
|
| net::CertDatabase cert_database;
|
| bool web_trust = false;
|
| @@ -220,7 +227,7 @@ bool OncNetworkParser::ParseServerOrCaCertificate(
|
| if (!trust_list->GetString(i, &trust_type)) {
|
| LOG(WARNING) << "ONC File: certificate trust is invalid at index "
|
| << cert_index;
|
| - return false;
|
| + return NULL;
|
| }
|
| if (trust_type == "Web") {
|
| web_trust = true;
|
| @@ -228,7 +235,7 @@ bool OncNetworkParser::ParseServerOrCaCertificate(
|
| LOG(WARNING) << "ONC File: certificate contains unknown "
|
| << "trust type: " << trust_type
|
| << " at index " << cert_index;
|
| - return false;
|
| + return NULL;
|
| }
|
| }
|
| }
|
| @@ -238,23 +245,29 @@ bool OncNetworkParser::ParseServerOrCaCertificate(
|
| LOG(WARNING) << "ONC File: certificate missing appropriate "
|
| << "certificate data for type: " << cert_type
|
| << " at index " << cert_index;
|
| - return false;
|
| + return NULL;
|
| }
|
|
|
| std::string decoded_x509;
|
| if (!base::Base64Decode(x509_data, &decoded_x509)) {
|
| LOG(WARNING) << "Unable to base64 decode X509 data: \""
|
| << x509_data << "\".";
|
| - return false;
|
| + return NULL;
|
| }
|
|
|
| - scoped_refptr<net::X509Certificate> x509_cert(
|
| - net::X509Certificate::CreateFromBytes(decoded_x509.c_str(),
|
| - decoded_x509.size()));
|
| + scoped_refptr<net::X509Certificate> x509_cert =
|
| + net::X509Certificate::CreateFromBytesWithNickname(
|
| + decoded_x509.c_str(),
|
| + decoded_x509.size(),
|
| + guid.c_str());
|
| if (!x509_cert.get()) {
|
| LOG(WARNING) << "Unable to create X509 certificate from bytes.";
|
| - return false;
|
| + return NULL;
|
| }
|
| +
|
| + if (!x509_cert->SetLabel(guid))
|
| + return NULL;
|
| +
|
| net::CertificateList cert_list;
|
| cert_list.push_back(x509_cert);
|
| net::CertDatabase::ImportCertFailureList failures;
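Review bot: The added `if (!x509_cert->SetLabel(guid)) return NULL;` before `cert_list.push_back` is the only failure path in ParseServerOrCaCertificate that returns without a `LOG(WARNING)`, so a label failure leaves nothing in the log; the second `SetLabel` in the next hunk has the same gap. Suggest `LOG(WARNING) << "ONC File: unable to set label \"" << guid << "\" on certificate at index " << cert_index;` ahead of the return. Echoing the GUID is useful because the label is taken verbatim from the file's `GUID` string and `DeleteCertAndKeyByLabel` later keys on it, so two entries sharing a GUID would otherwise be hard to diagnose. The function begins in an earlier hunk and ends in the next.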
|
| @@ -272,18 +285,27 @@ bool OncNetworkParser::ParseServerOrCaCertificate(
|
| << net::ErrorToString(failures[0].net_error)
|
| << ") importing " << cert_type << " certificate at index "
|
| << cert_index;
|
| - return false;
|
| + return NULL;
|
| }
|
| if (!success) {
|
| LOG(WARNING) << "ONC File: Unknown error importing " << cert_type
|
| << " certificate at index " << cert_index;
|
| - return false;
|
| + return NULL;
|
| }
|
| - return true;
|
| +
|
| + // Have to set the label again, because PKCS#11 seems to want to set
|
| + // it to token:nickname. We have to set it the first time so that
|
| + // it gets properly imported into the low-level token inside of
|
| + // ImportCACerts or ImportServerCert.
|
| + if (!x509_cert->SetLabel(guid))
|
| + return NULL;
|
| +
|
| + return x509_cert;
|
| }
|
|
|
| -bool OncNetworkParser::ParseClientCertificate(
|
| +scoped_refptr<net::X509Certificate> OncNetworkParser::ParseClientCertificate(
|
| int cert_index,
|
| + const std::string& guid,
|
| base::DictionaryValue* certificate) {
|
| net::CertDatabase cert_database;
|
| std::string pkcs12_data;
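Review bot: The second `SetLabel` runs after `ImportCACerts`/`ImportServerCert` has succeeded, so returning `NULL` there leaves the certificate, with whatever trust was requested, in the database while the caller gets the same `NULL` as every pre-import failure and has no handle to undo the import with. The comment above it should state that, e.g. `// NOTE: the certificate is already imported at this point; a NULL return here means "imported but unlabeled", not "not imported".`, and the failure should be logged like the other paths. Whether the import should be rolled back instead depends on CertDatabase semantics not visible here; worth confirming against the caller's expectations. ParseServerOrCaCertificate starts in an earlier hunk.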
|
| @@ -291,27 +313,45 @@ bool OncNetworkParser::ParseClientCertificate(
|
| pkcs12_data.empty()) {
|
| LOG(WARNING) << "ONC File: PKCS12 data is missing for Client "
|
| << "certificate at index " << cert_index;
|
| - return false;
|
| + return NULL;
|
| }
|
|
|
| std::string decoded_pkcs12;
|
| if (!base::Base64Decode(pkcs12_data, &decoded_pkcs12)) {
|
| LOG(WARNING) << "Unable to base64 decode PKCS#12 data: \""
|
| << pkcs12_data << "\".";
|
| - return false;
|
| + return NULL;
|
| }
|
|
|
| // Since this has a private key, always use the private module.
|
| scoped_refptr<net::CryptoModule> module(cert_database.GetPrivateModule());
|
| + net::CertificateList imported_certs;
|
| int result = cert_database.ImportFromPKCS12(
|
| - module.get(), decoded_pkcs12, string16(), false);
|
| + module.get(), decoded_pkcs12, string16(), false, &imported_certs);
|
| if (result != net::OK) {
|
| LOG(WARNING) << "ONC File: Unable to import Client certificate at index "
|
| << cert_index
|
| << " (error " << net::ErrorToString(result) << ").";
|
| - return false;
|
| + return NULL;
|
| }
|
| - return true;
|
| +
|
| + if (imported_certs.size() == 0ul) {
|
| + LOG(WARNING) << "ONC File: PKCS12 data contains no importable certificates"
|
| + << " at index " << cert_index;
|
| + return NULL;
|
| + }
|
| +
|
| + if (imported_certs.size() != 1ul) {
|
| + LOG(WARNING) << "ONC File: PKCS12 data at index " << cert_index
|
| + << " contains more than one certificate. Only the first one will"
|
| + << " be imported.";
|
| + }
|
| +
|
| + scoped_refptr<net::X509Certificate> cert_result = imported_certs[0];
|
| + if (!cert_result->SetLabel(guid))
|
| + return NULL;
|
| +
|
| + return cert_result;
|
| }
|
|
|
| // -------------------- OncWirelessNetworkParser --------------------
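Review bot: The warning text `Only the first one will be imported.` appears inaccurate: by the time it runs, `ImportFromPKCS12` has presumably already placed every certificate from the bundle into the private module (that is what `imported_certs` reports back), and only the first one receives the `guid` label and is returned. The practical consequence is that the extra certificates remain in the database without a label, so a later ONC entry with `Remove` for this GUID, which goes through `DeleteCertAndKeyByLabel`, will not touch them. Suggest `<< " contains more than one certificate. Only the first one will" << " be labeled; the others were imported without a label.";` and consider whether the remaining entries should be labeled too or the bundle rejected. Minor: `imported_certs.size() == 0ul` reads better as `imported_certs.empty()`. ParseClientCertificate starts in the previous hunk.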
|
|
|