Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(155)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: chromeos/network/onc/onc_certificate_importer.cc

Issue 11970012: Add a check for server and CA certificates in device policies to the ONC validator. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Changed the wording in the spec. Created 7 years, 11 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « chromeos/network/onc/onc_certificate_importer.h ('k') | chromeos/network/onc/onc_certificate_importer_unittest.cc » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: chromeos/network/onc/onc_certificate_importer.cc
diff --git a/chromeos/network/onc/onc_certificate_importer.cc b/chromeos/network/onc/onc_certificate_importer.cc
index 451c6d950c422e2113688ec2722b0878178f879d..430be018a434df28afba000582723e96bbebf05d 100644
--- a/chromeos/network/onc/onc_certificate_importer.cc
+++ b/chromeos/network/onc/onc_certificate_importer.cc
@@ -34,11 +34,8 @@ const char kX509CertificateHeader[] = "X509 CERTIFICATE";
namespace chromeos {
namespace onc {
-CertificateImporter::CertificateImporter(
- ONCSource onc_source,
- bool allow_web_trust_from_policy)
- : onc_source_(onc_source),
- allow_web_trust_from_policy_(allow_web_trust_from_policy) {
+CertificateImporter::CertificateImporter(bool allow_web_trust)
+ : allow_web_trust_(allow_web_trust) {
}
CertificateImporter::ParseResult CertificateImporter::ParseAndStoreCertificates(
@@ -46,10 +43,8 @@ CertificateImporter::ParseResult CertificateImporter::ParseAndStoreCertificates(
size_t successful_imports = 0;
for (size_t i = 0; i < certificates.GetSize(); ++i) {
const base::DictionaryValue* certificate = NULL;
- if (!certificates.GetDictionary(i, &certificate)) {
- ONC_LOG_ERROR("Certificate data malformed");
- continue;
- }
+ certificates.GetDictionary(i, &certificate);
+ DCHECK(certificate != NULL);
VLOG(2) << "Parsing certificate at index " << i << ": " << *certificate;
@@ -74,10 +69,8 @@ bool CertificateImporter::ParseAndStoreCertificate(
const base::DictionaryValue& certificate) {
// Get out the attributes of the given certificate.
std::string guid;
- if (!certificate.GetString(kGUID, &guid) || guid.empty()) {
- ONC_LOG_ERROR("Certificate missing GUID identifier");
- return false;
- }
+ certificate.GetString(kGUID, &guid);
+ DCHECK(!guid.empty());
bool remove = false;
if (certificate.GetBoolean(kRemove, &remove) && remove) {
@@ -94,11 +87,10 @@ bool CertificateImporter::ParseAndStoreCertificate(
certificate.GetString(certificate::kType, &cert_type);
if (cert_type == certificate::kServer || cert_type == certificate::kAuthority)
return ParseServerOrCaCertificate(cert_type, guid, certificate);
-
- if (cert_type == certificate::kClient)
+ else if (cert_type == certificate::kClient)
Greg Spencer (Chromium) 2013/01/18 17:39:36 Entire if clause should have braces.. if (...) {
pneubeck (no reviews) 2013/01/24 19:36:11 Done.
return ParseClientCertificate(guid, certificate);
- ONC_LOG_ERROR("Certificate of unknown type: " + cert_type);
+ NOTREACHED();
return false;
}
@@ -164,22 +156,14 @@ bool CertificateImporter::ParseServerOrCaCertificate(
const std::string& cert_type,
const std::string& guid,
const base::DictionaryValue& certificate) {
- // Device policy can't import certificates.
- if (onc_source_ == ONC_SOURCE_DEVICE_POLICY) {
- // This isn't a parsing error.
- ONC_LOG_WARNING("Refusing to import certificate from device policy.");
- return true;
- }
-
bool web_trust = false;
const base::ListValue* trust_list = NULL;
if (certificate.GetList(certificate::kTrust, &trust_list)) {
for (size_t i = 0; i < trust_list->GetSize(); ++i) {
std::string trust_type;
- if (!trust_list->GetString(i, &trust_type)) {
- ONC_LOG_ERROR("Certificate trust is invalid");
- return false;
- }
+ if (!trust_list->GetString(i, &trust_type))
+ NOTREACHED();
+
if (trust_type == certificate::kWeb) {
// "Web" implies that the certificate is to be trusted for SSL
// identification.
@@ -191,10 +175,7 @@ bool CertificateImporter::ParseServerOrCaCertificate(
}
}
- // Web trust is only granted to certificates imported for a managed user
- // on a managed device.
- if (onc_source_ == ONC_SOURCE_USER_POLICY &&
- web_trust && !allow_web_trust_from_policy_) {
+ if (web_trust && !allow_web_trust_) {
LOG(WARNING) << "Web trust not granted for certificate: " << guid;
web_trust = false;
}
« no previous file with comments | « chromeos/network/onc/onc_certificate_importer.h ('k') | chromeos/network/onc/onc_certificate_importer_unittest.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698