Resolve certificate references in ONC by PEM.

chrome/browser/chromeos/cros/network_library.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/cros/network_library.h"
 
 #include "base/i18n/icu_encoding_detection.h"
 #include "base/i18n/icu_string_conversions.h"
 #include "base/i18n/time_formatting.h"
 #include "base/json/json_writer.h"  // for debug output only.
 #include "base/strings/string_number_conversions.h"
 #include "base/strings/utf_string_conversion_utils.h"
 #include "chrome/browser/chromeos/cros/cros_library.h"
 #include "chrome/browser/chromeos/cros/native_network_constants.h"
 #include "chrome/browser/chromeos/cros/native_network_parser.h"
 #include "chrome/browser/chromeos/cros/network_library_impl_cros.h"
 #include "chrome/browser/chromeos/cros/network_library_impl_stub.h"
 #include "chrome/common/net/x509_certificate_model.h"
+#include "chromeos/network/cert_loader.h"
 #include "chromeos/network/certificate_pattern.h"
 #include "chromeos/network/certificate_pattern_matcher.h"
 #include "chromeos/network/cros_network_functions.h"
 #include "chromeos/network/network_state_handler.h"
+#include "chromeos/network/onc/onc_utils.h"
 #include "content/public/browser/browser_thread.h"
 #include "grit/ash_strings.h"
 #include "grit/generated_resources.h"
 #include "net/base/url_util.h"
 #include "third_party/cros_system_api/dbus/service_constants.h"
 #include "ui/base/l10n/l10n_util.h"
 
 using content::BrowserThread;
 
 ////////////////////////////////////////////////////////////////////////////////
@@ skipping 551 matching lines @@
       provider_type_(PROVIDER_TYPE_L2TP_IPSEC_PSK),
       // Assume PSK and user passphrase are not available initially
       psk_passphrase_required_(true),
       user_passphrase_required_(true),
       weak_pointer_factory_(this) {
 }
 
 VirtualNetwork::~VirtualNetwork() {}
 
 void VirtualNetwork::EraseCredentials() {
-  WipeString(&ca_cert_nss_);
+  WipeString(&ca_cert_fingerprint_);
   WipeString(&psk_passphrase_);
   WipeString(&client_cert_id_);
   WipeString(&user_passphrase_);
 }
 
 void VirtualNetwork::CalculateUniqueId() {
   std::string provider_type(ProviderTypeToString(provider_type_));
   set_unique_id(provider_type + "|" + server_hostname_);
 }
 
 bool VirtualNetwork::RequiresUserProfile() const {
   return true;
 }
 
 void VirtualNetwork::AttemptConnection(const base::Closure& connect) {
   if (client_cert_type() == CLIENT_CERT_TYPE_PATTERN) {
     MatchCertificatePattern(true, connect);
   } else {
     connect.Run();
   }
 }
 
 void VirtualNetwork::CopyCredentialsFromRemembered(Network* remembered) {
   CHECK_EQ(remembered->type(), TYPE_VPN);
   VirtualNetwork* remembered_vpn = static_cast<VirtualNetwork*>(remembered);
   VLOG(1) << "Copy VPN credentials: " << name()
           << " username: " << remembered_vpn->username();
-  if (ca_cert_nss_.empty())
-    ca_cert_nss_ = remembered_vpn->ca_cert_nss();
+  if (ca_cert_fingerprint_.empty())
+    ca_cert_fingerprint_ = remembered_vpn->ca_cert_fingerprint();
   if (psk_passphrase_.empty())
     psk_passphrase_ = remembered_vpn->psk_passphrase();
   if (client_cert_id_.empty())
     client_cert_id_ = remembered_vpn->client_cert_id();
   if (username_.empty())
     username_ = remembered_vpn->username();
   if (user_passphrase_.empty())
     user_passphrase_ = remembered_vpn->user_passphrase();
 }
 
@@ skipping 70 matching lines @@
 }
 
 bool VirtualNetwork::IsPSKPassphraseRequired() const {
   return psk_passphrase_required_ && psk_passphrase_.empty();
 }
 
 bool VirtualNetwork::IsUserPassphraseRequired() const {
   return user_passphrase_required_ && user_passphrase_.empty();
 }
 
-void VirtualNetwork::SetCACertNSS(const std::string& ca_cert_nss) {
-  if (provider_type_ == PROVIDER_TYPE_OPEN_VPN) {
-    SetStringProperty(
-        flimflam::kOpenVPNCaCertNSSProperty, ca_cert_nss, &ca_cert_nss_);
-  } else {
-    SetStringProperty(
-        flimflam::kL2tpIpsecCaCertNssProperty, ca_cert_nss, &ca_cert_nss_);
-  }
+void VirtualNetwork::SetCACertFingerprint(
+    const std::string& ca_cert_fingerprint) {
+  VLOG(1) << "SetCACertFingerprint " << ca_cert_fingerprint;
+  std::string pem_encoded_cert = onc::GetPEMEncodedCertFromFingerprint(
+      NetworkHandler::Get()->cert_loader()->cert_list(), ca_cert_fingerprint);
+  if (pem_encoded_cert.empty())

[stevenjb, 2013/06/27 16:50:04]

warning or error?

[pneubeck (no reviews), 2013/06/28 17:40:06]

Done.

+    return;
+
+  ca_cert_fingerprint_ = ca_cert_fingerprint;
+
+  base::ListValue pem_list;
+  pem_list.AppendString(pem_encoded_cert);
+
+  const char* shill_property;
+  if (provider_type_ == PROVIDER_TYPE_OPEN_VPN)
+    shill_property = shill::kOpenVPNCaCertPemProperty;
+  else
+    shill_property = shill::kL2tpIpsecCaCertPemProperty;
+  SetValueProperty(shill_property, pem_list);
 }
 
 void VirtualNetwork::SetL2TPIPsecPSKCredentials(
     const std::string& psk_passphrase,
     const std::string& username,
     const std::string& user_passphrase,
     const std::string& group_name) {
   if (!psk_passphrase.empty()) {
     SetStringProperty(flimflam::kL2tpIpsecPskProperty,
                       psk_passphrase, &psk_passphrase_);
@@ skipping 370 matching lines @@
   // Send the change to shill. If the format is valid, it will propagate to
   // passphrase_ with a service update.
   SetOrClearStringProperty(flimflam::kPassphraseProperty, passphrase, NULL);
 }
 
 // See src/third_party/shill/doc/service-api.txt for properties that
 // shill will forget when SaveCredentials is false.
 void WifiNetwork::EraseCredentials() {
   WipeString(&passphrase_);
   WipeString(&user_passphrase_);
+  WipeString(&eap_server_ca_cert_fingerprint_);
   WipeString(&eap_client_cert_pkcs11_id_);
   WipeString(&eap_identity_);
   WipeString(&eap_anonymous_identity_);
   WipeString(&eap_passphrase_);
 }
 
 void WifiNetwork::SetIdentity(const std::string& identity) {
   SetStringProperty(flimflam::kIdentityProperty, identity, &identity_);
 }
 
@@ skipping 53 matching lines @@
       SetStringProperty(flimflam::kEapPhase2AuthProperty,
                         flimflam::kEapPhase2AuthTTLSPAP, NULL);
       break;
     case EAP_PHASE_2_AUTH_CHAP:
       SetStringProperty(flimflam::kEapPhase2AuthProperty,
                         flimflam::kEapPhase2AuthTTLSCHAP, NULL);
       break;
   }
 }
 
-void WifiNetwork::SetEAPServerCaCertNssNickname(
-    const std::string& nss_nickname) {
-  VLOG(1) << "SetEAPServerCaCertNssNickname " << nss_nickname;
-  SetOrClearStringProperty(flimflam::kEapCaCertNssProperty,
-                           nss_nickname, &eap_server_ca_cert_nss_nickname_);
+void WifiNetwork::SetEAPServerCaCertFingerprint(
+    const std::string& ca_cert_fingerprint) {
+  VLOG(1) << "SetEAPServerCaCertFingerprint " << ca_cert_fingerprint;
+  std::string pem_encoded_cert = onc::GetPEMEncodedCertFromFingerprint(
+      NetworkHandler::Get()->cert_loader()->cert_list(), ca_cert_fingerprint);
+  if (pem_encoded_cert.empty())

[stevenjb, 2013/06/27 16:50:04]

warning or error?

[pneubeck (no reviews), 2013/06/28 17:40:06]

Done.

+    return;
+
+  eap_server_ca_cert_fingerprint_ = ca_cert_fingerprint;
+  SetStringProperty(shill::kEapCaCertPemProperty, pem_encoded_cert, NULL);
 }
 
 void WifiNetwork::SetEAPClientCertPkcs11Id(const std::string& pkcs11_id) {
   VLOG(1) << "SetEAPClientCertPkcs11Id " << pkcs11_id;
   SetOrClearStringProperty(
       flimflam::kEapCertIdProperty, pkcs11_id, &eap_client_cert_pkcs11_id_);
   // shill requires both CertID and KeyID for TLS connections, despite
   // the fact that by convention they are the same ID.
   SetOrClearStringProperty(flimflam::kEapKeyIdProperty, pkcs11_id, NULL);
 }
@@ skipping 198 matching lines @@
   NetworkLibrary* impl;
   if (stub)
     impl = new NetworkLibraryImplStub();
   else
     impl = new NetworkLibraryImplCros();
   impl->Init();
   return impl;
 }
 
 }  // namespace chromeos