| Index: chromeos/network/onc/onc_certificate_importer.cc
|
| diff --git a/chrome/browser/chromeos/network_settings/onc_certificate_importer.cc b/chromeos/network/onc/onc_certificate_importer.cc
|
| similarity index 71%
|
| rename from chrome/browser/chromeos/network_settings/onc_certificate_importer.cc
|
| rename to chromeos/network/onc/onc_certificate_importer.cc
|
| index 4c5f1986e1b0c68ebef8b657700c352dc73dd024..b8d47111ed4832e560b40f3d3ffeedc80ba9abf9 100644
|
| --- a/chrome/browser/chromeos/network_settings/onc_certificate_importer.cc
|
| +++ b/chromeos/network/onc/onc_certificate_importer.cc
|
| @@ -2,7 +2,7 @@
|
| // Use of this source code is governed by a BSD-style license that can be
|
| // found in the LICENSE file.
|
|
|
| -#include "chrome/browser/chromeos/network_settings/onc_certificate_importer.h"
|
| +#include "chromeos/network/onc/onc_certificate_importer.h"
|
|
|
| #include <cert.h>
|
| #include <keyhi.h>
|
| @@ -10,14 +10,17 @@
|
|
|
| #include "base/base64.h"
|
| #include "base/logging.h"
|
| -#include "chrome/browser/chromeos/cros/onc_constants.h"
|
| -#include "grit/generated_resources.h"
|
| +#include "base/values.h"
|
| +#include "chromeos/network/network_event_log.h"
|
| +#include "chromeos/network/onc/onc_constants.h"
|
| #include "net/base/crypto_module.h"
|
| #include "net/base/net_errors.h"
|
| #include "net/base/nss_cert_database.h"
|
| #include "net/base/pem_tokenizer.h"
|
| #include "net/base/x509_certificate.h"
|
| -#include "ui/base/l10n/l10n_util.h"
|
| +
|
| +#define ONC_LOG_WARNING(message) NET_LOG_WARNING("ONC", message)
|
| +#define ONC_LOG_ERROR(message) NET_LOG_ERROR("ONC", message)
|
|
|
| namespace {
|
|
|
| @@ -32,57 +35,48 @@ namespace chromeos {
|
| namespace onc {
|
|
|
| CertificateImporter::CertificateImporter(
|
| - NetworkUIData::ONCSource onc_source,
|
| + ONCSource onc_source,
|
| bool allow_web_trust_from_policy)
|
| : onc_source_(onc_source),
|
| allow_web_trust_from_policy_(allow_web_trust_from_policy) {
|
| }
|
|
|
| -bool CertificateImporter::ParseAndStoreCertificates(
|
| - const base::ListValue& certificates, std::string* error) {
|
| - error_.clear();
|
| +CertificateImporter::ParseResult CertificateImporter::ParseAndStoreCertificates(
|
| + const base::ListValue& certificates) {
|
| for (size_t i = 0; i < certificates.GetSize(); ++i) {
|
| const base::DictionaryValue* certificate = NULL;
|
| if (!certificates.GetDictionary(i, &certificate)) {
|
| - if (error) {
|
| - *error = l10n_util::GetStringUTF8(
|
| - IDS_NETWORK_CONFIG_ERROR_CERT_DATA_MALFORMED);
|
| - }
|
| - return false;
|
| + ONC_LOG_ERROR("Certificate data malformed");
|
| + return i > 0 ? IMPORT_INCOMPLETE : IMPORT_FAILED;
|
| }
|
|
|
| if (VLOG_IS_ON(2))
|
| VLOG(2) << "Parsing certificate at index " << i << ": " << *certificate;
|
|
|
| - if (ParseAndStoreCertificate(*certificate)) {
|
| - VLOG(2) << "Successfully imported certificate at index " << i;
|
| - continue;
|
| + if (!ParseAndStoreCertificate(*certificate)) {
|
| + ONC_LOG_ERROR(
|
| + base::StringPrintf("Cannot parse certificate at index %zu", i));
|
| + return i > 0 ? IMPORT_INCOMPLETE : IMPORT_FAILED;
|
| }
|
|
|
| - LOG(WARNING) << "Cannot parse certificate at index " << i << ": " << error_;
|
| - if (error)
|
| - *error = error_;
|
| - return false;
|
| + VLOG(2) << "Successfully imported certificate at index " << i;
|
| }
|
| - return true;
|
| + return IMPORT_OK;
|
| }
|
|
|
| bool CertificateImporter::ParseAndStoreCertificate(
|
| const base::DictionaryValue& certificate) {
|
| -
|
| // Get out the attributes of the given certificate.
|
| std::string guid;
|
| if (!certificate.GetString(kGUID, &guid) || guid.empty()) {
|
| - LOG(WARNING) << "Certificate missing GUID identifier";
|
| - error_ = l10n_util::GetStringUTF8(
|
| - IDS_NETWORK_CONFIG_ERROR_CERT_GUID_MISSING);
|
| + ONC_LOG_ERROR("Certificate missing GUID identifier");
|
| return false;
|
| }
|
|
|
| bool remove = false;
|
| if (certificate.GetBoolean(kRemove, &remove) && remove) {
|
| if (!DeleteCertAndKeyByNickname(guid)) {
|
| - error_ = l10n_util::GetStringUTF8(IDS_NETWORK_CONFIG_ERROR_CERT_DELETE);
|
| + ONC_LOG_WARNING("Unable to delete certificate");
|
| return false;
|
| } else {
|
| return true;
|
| @@ -98,8 +92,7 @@ bool CertificateImporter::ParseAndStoreCertificate(
|
| if (cert_type == certificate::kClient)
|
| return ParseClientCertificate(guid, certificate);
|
|
|
| - LOG(WARNING) << "ONC File: certificate of unknown type: " << cert_type;
|
| - error_ = l10n_util::GetStringUTF8(IDS_NETWORK_CONFIG_ERROR_CERT_TYPE_MISSING);
|
| + ONC_LOG_ERROR("Certificate of unknown type: " + cert_type);
|
| return false;
|
| }
|
|
|
| @@ -166,9 +159,9 @@ bool CertificateImporter::ParseServerOrCaCertificate(
|
| const std::string& guid,
|
| const base::DictionaryValue& certificate) {
|
| // Device policy can't import certificates.
|
| - if (onc_source_ == NetworkUIData::ONC_SOURCE_DEVICE_POLICY) {
|
| - LOG(WARNING) << "Refusing to import certificate from device policy";
|
| - // This isn't a parsing error, so just return NULL here.
|
| + if (onc_source_ == ONC_SOURCE_DEVICE_POLICY) {
|
| + // This isn't a parsing error.
|
| + ONC_LOG_WARNING("Refusing to import certificate from device policy.");
|
| return true;
|
| }
|
|
|
| @@ -178,9 +171,7 @@ bool CertificateImporter::ParseServerOrCaCertificate(
|
| for (size_t i = 0; i < trust_list->GetSize(); ++i) {
|
| std::string trust_type;
|
| if (!trust_list->GetString(i, &trust_type)) {
|
| - LOG(WARNING) << "ONC File: certificate trust is invalid";
|
| - error_ = l10n_util::GetStringUTF8(
|
| - IDS_NETWORK_CONFIG_ERROR_CERT_TRUST_INVALID);
|
| + ONC_LOG_ERROR("Certificate trust is invalid");
|
| return false;
|
| }
|
| if (trust_type == certificate::kWeb) {
|
| @@ -188,10 +179,7 @@ bool CertificateImporter::ParseServerOrCaCertificate(
|
| // identification.
|
| web_trust = true;
|
| } else {
|
| - LOG(WARNING) << "ONC File: certificate contains unknown "
|
| - << "trust type: " << trust_type;
|
| - error_ = l10n_util::GetStringUTF8(
|
| - IDS_NETWORK_CONFIG_ERROR_CERT_TRUST_UNKNOWN);
|
| + ONC_LOG_ERROR("Certificate contains unknown trust type " + trust_type);
|
| return false;
|
| }
|
| }
|
| @@ -199,7 +187,7 @@ bool CertificateImporter::ParseServerOrCaCertificate(
|
|
|
| // Web trust is only granted to certificates imported for a managed user
|
| // on a managed device.
|
| - if (onc_source_ == NetworkUIData::ONC_SOURCE_USER_POLICY &&
|
| + if (onc_source_ == ONC_SOURCE_USER_POLICY &&
|
| web_trust && !allow_web_trust_from_policy_) {
|
| LOG(WARNING) << "Web trust not granted for certificate: " << guid;
|
| web_trust = false;
|
| @@ -208,10 +196,9 @@ bool CertificateImporter::ParseServerOrCaCertificate(
|
| std::string x509_data;
|
| if (!certificate.GetString(certificate::kX509, &x509_data) ||
|
| x509_data.empty()) {
|
| - LOG(WARNING) << "ONC File: certificate missing appropriate "
|
| - << "certificate data for type: " << cert_type;
|
| - error_ = l10n_util::GetStringUTF8(
|
| - IDS_NETWORK_CONFIG_ERROR_CERT_DATA_MISSING);
|
| + ONC_LOG_ERROR(
|
| + "Certificate missing appropriate certificate data for type: " +
|
| + cert_type);
|
| return false;
|
| }
|
|
|
| @@ -229,10 +216,7 @@ bool CertificateImporter::ParseServerOrCaCertificate(
|
| // strings. For this to work, there has to be no white space, and it has to
|
| // only contain the base64-encoded data.
|
| if (!base::Base64Decode(x509_data, &decoded_x509)) {
|
| - LOG(WARNING) << "Unable to base64 decode X509 data: \""
|
| - << x509_data << "\".";
|
| - error_ = l10n_util::GetStringUTF8(
|
| - IDS_NETWORK_CONFIG_ERROR_CERT_DATA_MALFORMED);
|
| + ONC_LOG_ERROR("Unable to base64 decode X509 data: " + x509_data);
|
| return false;
|
| }
|
| } else {
|
| @@ -245,9 +229,7 @@ bool CertificateImporter::ParseServerOrCaCertificate(
|
| decoded_x509.size(),
|
| guid.c_str());
|
| if (!x509_cert.get()) {
|
| - LOG(WARNING) << "Unable to create X509 certificate from bytes.";
|
| - error_ = l10n_util::GetStringUTF8(
|
| - IDS_NETWORK_CONFIG_ERROR_CERT_DATA_MALFORMED);
|
| + ONC_LOG_ERROR("Unable to create X509 certificate from bytes.");
|
| return false;
|
| }
|
|
|
| @@ -273,7 +255,7 @@ bool CertificateImporter::ParseServerOrCaCertificate(
|
| net::NSSCertDatabase* cert_database = net::NSSCertDatabase::GetInstance();
|
| if (x509_cert->os_cert_handle()->isperm) {
|
| if (!cert_database->DeleteCertAndKey(x509_cert.get())) {
|
| - error_ = l10n_util::GetStringUTF8(IDS_NETWORK_CONFIG_ERROR_CERT_DELETE);
|
| + ONC_LOG_ERROR("Unable to delete X509 certificate.");
|
| return false;
|
| }
|
|
|
| @@ -284,9 +266,7 @@ bool CertificateImporter::ParseServerOrCaCertificate(
|
| decoded_x509.size(),
|
| guid.c_str());
|
| if (!x509_cert.get()) {
|
| - LOG(WARNING) << "Unable to create X509 certificate from bytes.";
|
| - error_ = l10n_util::GetStringUTF8(
|
| - IDS_NETWORK_CONFIG_ERROR_CERT_DATA_MALFORMED);
|
| + ONC_LOG_ERROR("Unable to create X509 certificate from bytes.");
|
| return false;
|
| }
|
| DCHECK(!x509_cert->os_cert_handle()->isperm);
|
| @@ -298,9 +278,7 @@ bool CertificateImporter::ParseServerOrCaCertificate(
|
| net::CertificateList certs;
|
| ListCertsWithNickname(guid, &certs);
|
| if (!certs.empty()) {
|
| - LOG(WARNING) << "Cert GUID is already in use: " << guid;
|
| - error_ = l10n_util::GetStringUTF8(
|
| - IDS_NETWORK_CONFIG_ERROR_CERT_GUID_COLLISION);
|
| + ONC_LOG_ERROR("Certificate GUID is already in use: " + guid);
|
| return false;
|
| }
|
|
|
| @@ -317,16 +295,12 @@ bool CertificateImporter::ParseServerOrCaCertificate(
|
| success = cert_database->ImportCACerts(cert_list, trust, &failures);
|
|
|
| if (!failures.empty()) {
|
| - LOG(WARNING) << "ONC File: Error ("
|
| - << net::ErrorToString(failures[0].net_error)
|
| - << ") importing " << cert_type << " certificate";
|
| - error_ = l10n_util::GetStringUTF8(IDS_NETWORK_CONFIG_ERROR_CERT_IMPORT);
|
| + ONC_LOG_ERROR("Error (" + net::ErrorToString(failures[0].net_error) +
|
| + ") importing " + cert_type + " certificate");
|
| return false;
|
| }
|
| if (!success) {
|
| - LOG(WARNING) << "ONC File: Unknown error importing " << cert_type
|
| - << " certificate";
|
| - error_ = l10n_util::GetStringUTF8(IDS_NETWORK_CONFIG_ERROR_UNKNOWN);
|
| + ONC_LOG_ERROR("Unknown error importing " + cert_type + " certificate.");
|
| return false;
|
| }
|
|
|
| @@ -339,19 +313,14 @@ bool CertificateImporter::ParseClientCertificate(
|
| std::string pkcs12_data;
|
| if (!certificate.GetString(certificate::kPKCS12, &pkcs12_data) ||
|
| pkcs12_data.empty()) {
|
| - LOG(WARNING) << "ONC File: PKCS12 data is missing for Client "
|
| - << "certificate";
|
| - error_ = l10n_util::GetStringUTF8(
|
| - IDS_NETWORK_CONFIG_ERROR_CERT_DATA_MISSING);
|
| + ONC_LOG_ERROR("PKCS12 data is missing for client certificate.");
|
| return false;
|
| }
|
|
|
| std::string decoded_pkcs12;
|
| if (!base::Base64Decode(pkcs12_data, &decoded_pkcs12)) {
|
| - LOG(WARNING) << "Unable to base64 decode PKCS#12 data: \""
|
| - << pkcs12_data << "\".";
|
| - error_ = l10n_util::GetStringUTF8(
|
| - IDS_NETWORK_CONFIG_ERROR_CERT_DATA_MALFORMED);
|
| + ONC_LOG_ERROR(
|
| + "Unable to base64 decode PKCS#12 data: \"" + pkcs12_data + "\".");
|
| return false;
|
| }
|
|
|
| @@ -360,23 +329,22 @@ bool CertificateImporter::ParseClientCertificate(
|
| scoped_refptr<net::CryptoModule> module(cert_database->GetPrivateModule());
|
| net::CertificateList imported_certs;
|
|
|
| - int result = cert_database->ImportFromPKCS12(
|
| + int import_result = cert_database->ImportFromPKCS12(
|
| module.get(), decoded_pkcs12, string16(), false, &imported_certs);
|
| - if (result != net::OK) {
|
| - LOG(WARNING) << "ONC File: Unable to import Client certificate"
|
| - << " (error " << net::ErrorToString(result) << ").";
|
| - error_ = l10n_util::GetStringUTF8(IDS_NETWORK_CONFIG_ERROR_CERT_IMPORT);
|
| + if (import_result != net::OK) {
|
| + ONC_LOG_ERROR("Unable to import client certificate (error " +
|
| + net::ErrorToString(import_result) + ").");
|
| return false;
|
| }
|
|
|
| if (imported_certs.size() == 0) {
|
| - LOG(WARNING) << "ONC File: PKCS12 data contains no importable certificates";
|
| + ONC_LOG_WARNING("PKCS12 data contains no importable certificates.");
|
| return true;
|
| }
|
|
|
| if (imported_certs.size() != 1) {
|
| - LOG(WARNING) << "ONC File: PKCS12 data contains more than one certificate."
|
| - << "Only the first one will be imported.";
|
| + ONC_LOG_WARNING("ONC File: PKCS12 data contains more than one certificate. "
|
| + "Only the first one will be imported.");
|
| }
|
|
|
| scoped_refptr<net::X509Certificate> cert_result = imported_certs[0];
|
| @@ -391,7 +359,7 @@ bool CertificateImporter::ParseClientCertificate(
|
| PK11_SetPrivateKeyNickname(private_key, const_cast<char*>(guid.c_str()));
|
| SECKEY_DestroyPrivateKey(private_key);
|
| } else {
|
| - LOG(WARNING) << "ONC File: Unable to find private key for cert";
|
| + ONC_LOG_WARNING("Unable to find private key for certificate.");
|
| }
|
| return true;
|
| }
|
|
|
Chromium Code Reviews
Issue 11299236:
This moves the ONC parsing code into chromeos/network/onc (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src