Resolve certificate references in ONC by PEM.

chrome/browser/chromeos/cros/native_network_parser.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/cros/native_network_parser.h"
 
 #include <string>
 
+#include "base/logging.h"
 #include "base/strings/string_util.h"
 #include "base/strings/stringprintf.h"
 #include "base/values.h"
 #include "chrome/browser/chromeos/cros/native_network_constants.h"
 #include "chrome/browser/chromeos/cros/network_library.h"
 #include "chrome/browser/chromeos/login/user_manager.h"
+#include "chromeos/network/onc/onc_utils.h"
+#include "net/cert/x509_certificate.h"
 #include "third_party/cros_system_api/dbus/service_constants.h"
 
 namespace chromeos {
 
 // Local constants.
 namespace {
 
 const char kPostMethod[] = "post";
 
 EnumMapper<PropertyIndex>::Pair property_index_table[] = {
@@ skipping 16 matching lines @@
   { flimflam::kCheckPortalListProperty, PROPERTY_INDEX_CHECK_PORTAL_LIST },
   { flimflam::kConnectableProperty, PROPERTY_INDEX_CONNECTABLE },
   { flimflam::kConnectedTechnologiesProperty,
     PROPERTY_INDEX_CONNECTED_TECHNOLOGIES },
   { flimflam::kDefaultTechnologyProperty, PROPERTY_INDEX_DEFAULT_TECHNOLOGY },
   { flimflam::kDeviceProperty, PROPERTY_INDEX_DEVICE },
   { flimflam::kDevicesProperty, PROPERTY_INDEX_DEVICES },
   { flimflam::kEapAnonymousIdentityProperty,
     PROPERTY_INDEX_EAP_ANONYMOUS_IDENTITY },
   { flimflam::kEapCaCertIdProperty, PROPERTY_INDEX_EAP_CA_CERT_ID },
-  { flimflam::kEapCaCertNssProperty, PROPERTY_INDEX_EAP_CA_CERT_NSS },
-  { flimflam::kEapCaCertProperty, PROPERTY_INDEX_EAP_CA_CERT },
+  { shill::kEapCaCertPemProperty, PROPERTY_INDEX_EAP_CA_CERT_PEM },
   { flimflam::kEapCertIdProperty, PROPERTY_INDEX_EAP_CERT_ID },
   { flimflam::kEapClientCertNssProperty, PROPERTY_INDEX_EAP_CLIENT_CERT_NSS },
   { flimflam::kEapClientCertProperty, PROPERTY_INDEX_EAP_CLIENT_CERT },
   { flimflam::kEapIdentityProperty, PROPERTY_INDEX_EAP_IDENTITY },
   { flimflam::kEapKeyIdProperty, PROPERTY_INDEX_EAP_KEY_ID },
   { flimflam::kEapKeyMgmtProperty, PROPERTY_INDEX_EAP_KEY_MGMT },
   { flimflam::kEapMethodProperty, PROPERTY_INDEX_EAP_METHOD },
   { flimflam::kEapPasswordProperty, PROPERTY_INDEX_EAP_PASSWORD },
   { flimflam::kEapPhase2AuthProperty, PROPERTY_INDEX_EAP_PHASE_2_AUTH },
   { flimflam::kEapPinProperty, PROPERTY_INDEX_EAP_PIN },
@@ skipping 12 matching lines @@
   { flimflam::kHardwareRevisionProperty, PROPERTY_INDEX_HARDWARE_REVISION },
   { flimflam::kHomeProviderProperty, PROPERTY_INDEX_HOME_PROVIDER },
   { flimflam::kHostProperty, PROPERTY_INDEX_HOST },
   { flimflam::kIccidProperty, PROPERTY_INDEX_ICCID },
   { flimflam::kIdentityProperty, PROPERTY_INDEX_IDENTITY },
   { flimflam::kImeiProperty, PROPERTY_INDEX_IMEI },
   { flimflam::kImsiProperty, PROPERTY_INDEX_IMSI },
   { flimflam::kIsActiveProperty, PROPERTY_INDEX_IS_ACTIVE },
   { flimflam::kL2tpIpsecAuthenticationType,
     PROPERTY_INDEX_IPSEC_AUTHENTICATIONTYPE },
-  { flimflam::kL2tpIpsecCaCertNssProperty,
-    PROPERTY_INDEX_L2TPIPSEC_CA_CERT_NSS },
+  { shill::kL2tpIpsecCaCertPemProperty,
+    PROPERTY_INDEX_L2TPIPSEC_CA_CERT_PEM },
   { flimflam::kL2tpIpsecClientCertIdProperty,
     PROPERTY_INDEX_L2TPIPSEC_CLIENT_CERT_ID },
   { flimflam::kL2tpIpsecClientCertSlotProp,
     PROPERTY_INDEX_L2TPIPSEC_CLIENT_CERT_SLOT },
   { flimflam::kL2tpIpsecIkeVersion, PROPERTY_INDEX_IPSEC_IKEVERSION },
   { flimflam::kL2tpIpsecPinProperty, PROPERTY_INDEX_L2TPIPSEC_PIN },
   { flimflam::kL2tpIpsecPskProperty, PROPERTY_INDEX_L2TPIPSEC_PSK },
   { flimflam::kL2tpIpsecPskRequiredProperty,
     PROPERTY_INDEX_L2TPIPSEC_PSK_REQUIRED },
   { flimflam::kL2tpIpsecPasswordProperty, PROPERTY_INDEX_L2TPIPSEC_PASSWORD },
@@ skipping 49 matching lines @@
     PROPERTY_INDEX_UNINITIALIZED_TECHNOLOGIES },
   { flimflam::kUsageURLProperty, PROPERTY_INDEX_USAGE_URL },
   { flimflam::kOpenVPNClientCertIdProperty,
     PROPERTY_INDEX_OPEN_VPN_CLIENT_CERT_ID },
   { flimflam::kOpenVPNAuthProperty, PROPERTY_INDEX_OPEN_VPN_AUTH },
   { flimflam::kOpenVPNAuthRetryProperty, PROPERTY_INDEX_OPEN_VPN_AUTHRETRY },
   { flimflam::kOpenVPNAuthNoCacheProperty,
     PROPERTY_INDEX_OPEN_VPN_AUTHNOCACHE },
   { flimflam::kOpenVPNAuthUserPassProperty,
     PROPERTY_INDEX_OPEN_VPN_AUTHUSERPASS },
-  { flimflam::kOpenVPNCaCertNSSProperty, PROPERTY_INDEX_OPEN_VPN_CACERT },
+  { shill::kOpenVPNCaCertPemProperty, PROPERTY_INDEX_OPEN_VPN_CA_CERT_PEM },
   { flimflam::kOpenVPNClientCertSlotProperty,
     PROPERTY_INDEX_OPEN_VPN_CLIENT_CERT_SLOT },
   { flimflam::kOpenVPNCipherProperty, PROPERTY_INDEX_OPEN_VPN_CIPHER },
   { flimflam::kOpenVPNCompLZOProperty, PROPERTY_INDEX_OPEN_VPN_COMPLZO },
   { flimflam::kOpenVPNCompNoAdaptProperty,
     PROPERTY_INDEX_OPEN_VPN_COMPNOADAPT },
   { flimflam::kOpenVPNKeyDirectionProperty,
     PROPERTY_INDEX_OPEN_VPN_KEYDIRECTION },
   { flimflam::kOpenVPNMgmtEnableProperty,
     PROPERTY_INDEX_OPEN_VPN_MGMT_ENABLE },
@@ skipping 1063 matching lines @@
       wifi_network->set_eap_anonymous_identity(eap_anonymous_identity);
       return true;
     }
     case PROPERTY_INDEX_EAP_CERT_ID: {
       std::string eap_client_cert_pkcs11_id;
       if (!value.GetAsString(&eap_client_cert_pkcs11_id))
         break;
       wifi_network->set_eap_client_cert_pkcs11_id(eap_client_cert_pkcs11_id);
       return true;
     }
-    case PROPERTY_INDEX_EAP_CA_CERT_NSS: {
-      std::string eap_server_ca_cert_nss_nickname;
-      if (!value.GetAsString(&eap_server_ca_cert_nss_nickname))
+    case PROPERTY_INDEX_EAP_CA_CERT_PEM: {
+      std::string eap_server_ca_cert_pem;
+      if (!value.GetAsString(&eap_server_ca_cert_pem))
         break;
-      wifi_network->set_eap_server_ca_cert_nss_nickname(
-          eap_server_ca_cert_nss_nickname);
+
+      scoped_refptr<net::X509Certificate> cert =
+          onc::DecodePEMCertificate(eap_server_ca_cert_pem);

[stevenjb, 2013/06/21 22:47:13]

How expensive is this? It would be better to defer any parsing, etc, especially
since we're in the process of replacing this code; I'd really prefer not to make
NetworkState dependent on net::X509Certificate.

[pneubeck (no reviews), 2013/06/24 08:12:31]

It is less expensive than the certificate import (happens during policy
application). The PEM decoding and fingerprint calculation shouldn't be
expensive. However, the certificate talks to NSS (e.g. CERT_NewTempCertificate)
and might be a bit slow (not sure).

What alternative would you propose? Storing the PEM also doesn't look ideal by
wasting more memory.

Btw.
I think this issue indicates that it's in general a bad idea to store
configuration in Shill and then read it back.

+      if (!cert.get()) {
+        LOG(ERROR) << "Unable to create certificate from PEM encoding.";
+        return false;
+      }
+
+      wifi_network->set_eap_server_ca_cert_fingerprint(
+          onc::GetHexFingerprintOfCert(*cert));
       return true;
     }
     case PROPERTY_INDEX_EAP_USE_SYSTEM_CAS: {
       bool eap_use_system_cas;
       if (!value.GetAsBoolean(&eap_use_system_cas))
         break;
       wifi_network->set_eap_use_system_cas(eap_use_system_cas);
       return true;
     }
     case PROPERTY_INDEX_EAP_PASSWORD: {
       std::string eap_passphrase;
       if (!value.GetAsString(&eap_passphrase))
         break;
       wifi_network->set_eap_passphrase(eap_passphrase);
       return true;
     }
-    case PROPERTY_INDEX_EAP_CA_CERT: {
-      std::string eap_cert_nickname;
-      if (!value.GetAsString(&eap_cert_nickname))
-        break;
-      wifi_network->set_eap_server_ca_cert_nss_nickname(eap_cert_nickname);
-      return true;
-    }
     case PROPERTY_INDEX_WIFI_AUTH_MODE:
     case PROPERTY_INDEX_WIFI_PHY_MODE:
     case PROPERTY_INDEX_EAP_CLIENT_CERT:
     case PROPERTY_INDEX_EAP_CLIENT_CERT_NSS:
     case PROPERTY_INDEX_EAP_PRIVATE_KEY:
     case PROPERTY_INDEX_EAP_PRIVATE_KEY_PASSWORD:
     case PROPERTY_INDEX_EAP_KEY_ID:
     case PROPERTY_INDEX_EAP_CA_CERT_ID:
     case PROPERTY_INDEX_EAP_PIN:
     case PROPERTY_INDEX_EAP_KEY_MGMT:
@@ skipping 93 matching lines @@
       network->set_name(name);
       return true;
     }
     case PROPERTY_INDEX_TYPE: {
       std::string provider_type_string;
       if (!value.GetAsString(&provider_type_string))
         break;
       network->set_provider_type(ParseProviderType(provider_type_string));
       return true;
     }
-    case PROPERTY_INDEX_L2TPIPSEC_CA_CERT_NSS:
-    case PROPERTY_INDEX_OPEN_VPN_CACERT: {
-      std::string ca_cert_nss;
-      if (!value.GetAsString(&ca_cert_nss))
+    case PROPERTY_INDEX_L2TPIPSEC_CA_CERT_PEM:
+    case PROPERTY_INDEX_OPEN_VPN_CA_CERT_PEM: {
+      std::string ca_cert_pem;
+      if (!value.GetAsString(&ca_cert_pem))
         break;
-      network->set_ca_cert_nss(ca_cert_nss);
+
+      scoped_refptr<net::X509Certificate> cert =
+          onc::DecodePEMCertificate(ca_cert_pem);

[stevenjb, 2013/06/21 22:47:13]

Same comment about decoding here.

+      if (!cert.get()) {
+        LOG(ERROR) << "Unable to create certificate from PEM encoding.";
+        return false;
+      }
+
+      network->set_ca_cert_fingerprint(onc::GetHexFingerprintOfCert(*cert));
       return true;
     }
     case PROPERTY_INDEX_L2TPIPSEC_PSK: {
       std::string psk_passphrase;
       if (!value.GetAsString(&psk_passphrase))
         break;
       network->set_psk_passphrase(psk_passphrase);
       return true;
     }
     case PROPERTY_INDEX_L2TPIPSEC_PSK_REQUIRED: {
@@ skipping 55 matching lines @@
        PROVIDER_TYPE_MAX));
   return &parser;
 }
 
 ProviderType NativeVirtualNetworkParser::ParseProviderType(
     const std::string& type) {
   return provider_type_mapper()->Get(type);
 }
 
 }  // namespace chromeos