Added a PolicyCertVerifier that uses the trust anchors from the ONC policies.

chromeos/network/onc/onc_certificate_importer.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chromeos/network/onc/onc_certificate_importer.h"
 
 #include <cert.h>
 #include <keyhi.h>
 #include <pk11pub.h>
 
@@ skipping 16 matching lines @@
 // The PEM block header used for DER certificates
 const char kCertificateHeader[] = "CERTIFICATE";
 // This is an older PEM marker for DER certificates.
 const char kX509CertificateHeader[] = "X509 CERTIFICATE";
 
 }  // namespace
 
 namespace chromeos {
 namespace onc {
 
-CertificateImporter::CertificateImporter(bool allow_web_trust)
-    : allow_web_trust_(allow_web_trust) {
+CertificateImporter::CertificateImporter(bool allow_trust_imports)
+    : allow_trust_imports_(allow_trust_imports) {
 }
 
 CertificateImporter::ParseResult CertificateImporter::ParseAndStoreCertificates(
-    const base::ListValue& certificates) {
+    const base::ListValue& certificates,
+    net::CertificateList* onc_trusted_certificates) {
   size_t successful_imports = 0;
   for (size_t i = 0; i < certificates.GetSize(); ++i) {
     const base::DictionaryValue* certificate = NULL;
     certificates.GetDictionary(i, &certificate);
     DCHECK(certificate != NULL);
 
     VLOG(2) << "Parsing certificate at index " << i << ": " << *certificate;
 
-    if (!ParseAndStoreCertificate(*certificate)) {
+    if (!ParseAndStoreCertificate(*certificate, onc_trusted_certificates)) {
       ONC_LOG_ERROR(
           base::StringPrintf("Cannot parse certificate at index %zu", i));
     } else {
       VLOG(2) << "Successfully imported certificate at index " << i;
       ++successful_imports;
     }
   }
 
   if (successful_imports == certificates.GetSize()) {
     return IMPORT_OK;
   } else if (successful_imports == 0) {
     return IMPORT_FAILED;
   } else {
     return IMPORT_INCOMPLETE;
   }
 }
 
-bool CertificateImporter::ParseAndStoreCertificate(
-    const base::DictionaryValue& certificate) {
-  // Get out the attributes of the given certificate.
-  std::string guid;
-  certificate.GetString(certificate::kGUID, &guid);
-  DCHECK(!guid.empty());
-
-  bool remove = false;
-  if (certificate.GetBoolean(kRemove, &remove) && remove) {
-    if (!DeleteCertAndKeyByNickname(guid)) {
-      ONC_LOG_ERROR("Unable to delete certificate");
-      return false;
-    } else {
-      return true;
-    }
-  }
-
-  // Not removing, so let's get the data we need to add this certificate.
-  std::string cert_type;
-  certificate.GetString(certificate::kType, &cert_type);
-  if (cert_type == certificate::kServer ||
-      cert_type == certificate::kAuthority) {
-    return ParseServerOrCaCertificate(cert_type, guid, certificate);
-  } else if (cert_type == certificate::kClient) {
-    return ParseClientCertificate(guid, certificate);
-  }
-
-  NOTREACHED();
-  return false;
-}
-
 // static
 void CertificateImporter::ListCertsWithNickname(const std::string& label,
                                                 net::CertificateList* result) {
   net::CertificateList all_certs;
   net::NSSCertDatabase::GetInstance()->ListCerts(&all_certs);
   result->clear();
   for (net::CertificateList::iterator iter = all_certs.begin();
        iter != all_certs.end(); ++iter) {
     if (iter->get()->os_cert_handle()->nickname) {
       // Separate the nickname stored in the certificate at the colon, since
@@ skipping 38 matching lines @@
     // Luckily there should only be one cert with a particular
     // label, and the cert not being found is one of the few reasons the
     // delete could fail, but still...  The other choice is to return
     // failure immediately, but that doesn't seem to do what is intended.
     if (!net::NSSCertDatabase::GetInstance()->DeleteCertAndKey(iter->get()))
       result = false;
   }
   return result;
 }
 
+bool CertificateImporter::ParseAndStoreCertificate(
+    const base::DictionaryValue& certificate,
+    net::CertificateList* onc_trusted_certificates) {
+  // Get out the attributes of the given certificate.
+  std::string guid;
+  certificate.GetString(certificate::kGUID, &guid);
+  DCHECK(!guid.empty());
+
+  bool remove = false;
+  if (certificate.GetBoolean(kRemove, &remove) && remove) {
+    if (!DeleteCertAndKeyByNickname(guid)) {
+      ONC_LOG_ERROR("Unable to delete certificate");
+      return false;
+    } else {
+      return true;
+    }
+  }
+
+  // Not removing, so let's get the data we need to add this certificate.
+  std::string cert_type;
+  certificate.GetString(certificate::kType, &cert_type);
+  if (cert_type == certificate::kServer ||
+      cert_type == certificate::kAuthority) {
+    return ParseServerOrCaCertificate(
+        cert_type, guid, certificate, onc_trusted_certificates);
+  } else if (cert_type == certificate::kClient) {
+    return ParseClientCertificate(guid, certificate);
+  }
+
+  NOTREACHED();
+  return false;
+}
+
 bool CertificateImporter::ParseServerOrCaCertificate(
     const std::string& cert_type,
     const std::string& guid,
-    const base::DictionaryValue& certificate) {
-  bool web_trust = false;
+    const base::DictionaryValue& certificate,
+    net::CertificateList* onc_trusted_certificates) {
+  bool web_trust_flag = false;
   const base::ListValue* trust_list = NULL;
   if (certificate.GetList(certificate::kTrust, &trust_list)) {
     for (size_t i = 0; i < trust_list->GetSize(); ++i) {
       std::string trust_type;
       if (!trust_list->GetString(i, &trust_type))
         NOTREACHED();
 
       if (trust_type == certificate::kWeb) {
         // "Web" implies that the certificate is to be trusted for SSL
         // identification.
-        web_trust = true;
+        web_trust_flag = true;
       } else {
         ONC_LOG_ERROR("Certificate contains unknown trust type " + trust_type);
         return false;
       }
     }
   }
 
-  if (web_trust && !allow_web_trust_) {
-    LOG(WARNING) << "Web trust not granted for certificate: " << guid;
-    web_trust = false;
+  bool import_with_ssl_trust = false;
+  if (web_trust_flag) {
+    if (!allow_trust_imports_)
+      LOG(WARNING) << "Web trust not granted for certificate: " << guid;
+    else
+      import_with_ssl_trust = true;
   }
 
   std::string x509_data;
   if (!certificate.GetString(certificate::kX509, &x509_data) ||
       x509_data.empty()) {
     ONC_LOG_ERROR(
         "Certificate missing appropriate certificate data for type: " +
         cert_type);
     return false;
   }
@@ skipping 75 matching lines @@
   ListCertsWithNickname(guid, &certs);
   if (!certs.empty()) {
     ONC_LOG_ERROR("Certificate GUID is already in use: " + guid);
     return false;
   }
 
   net::CertificateList cert_list;
   cert_list.push_back(x509_cert);
   net::NSSCertDatabase::ImportCertFailureList failures;
   bool success = false;
-  net::NSSCertDatabase::TrustBits trust = web_trust ?
+  net::NSSCertDatabase::TrustBits trust = import_with_ssl_trust ?
                                           net::NSSCertDatabase::TRUSTED_SSL :
                                           net::NSSCertDatabase::TRUST_DEFAULT;
   if (cert_type == certificate::kServer) {
     success = cert_database->ImportServerCert(cert_list, trust, &failures);
   } else {  // Authority cert
     success = cert_database->ImportCACerts(cert_list, trust, &failures);
   }
 
   if (!failures.empty()) {
     ONC_LOG_ERROR("Error (" + net::ErrorToString(failures[0].net_error) +
             ") importing " + cert_type + " certificate");
     return false;
   }
   if (!success) {
     ONC_LOG_ERROR("Unknown error importing " + cert_type + " certificate.");
     return false;
   }
 
+  if (web_trust_flag && onc_trusted_certificates)
+    onc_trusted_certificates->push_back(x509_cert);
+
   return true;
 }
 
 bool CertificateImporter::ParseClientCertificate(
     const std::string& guid,
     const base::DictionaryValue& certificate) {
   std::string pkcs12_data;
   if (!certificate.GetString(certificate::kPKCS12, &pkcs12_data) ||
       pkcs12_data.empty()) {
     ONC_LOG_ERROR("PKCS12 data is missing for client certificate.");
@@ skipping 42 matching lines @@
     PK11_SetPrivateKeyNickname(private_key, const_cast<char*>(guid.c_str()));
     SECKEY_DestroyPrivateKey(private_key);
   } else {
     ONC_LOG_WARNING("Unable to find private key for certificate.");
   }
   return true;
 }
 
 }  // namespace onc
 }  // namespace chromeos