Resolve certificate references in ONC by PEM.

chromeos/network/onc/onc_utils.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chromeos/network/onc/onc_utils.h"
 
 #include "base/base64.h"
 #include "base/json/json_reader.h"
 #include "base/logging.h"
 #include "base/metrics/histogram.h"
+#include "base/strings/string_number_conversions.h"
 #include "base/strings/string_util.h"
 #include "base/values.h"
 #include "chromeos/network/network_event_log.h"
 #include "chromeos/network/onc/onc_mapper.h"
 #include "chromeos/network/onc/onc_signature.h"
 #include "chromeos/network/onc/onc_utils.h"
 #include "chromeos/network/onc/onc_validator.h"
 #include "crypto/encryptor.h"
 #include "crypto/hmac.h"
 #include "crypto/symmetric_key.h"
+#include "net/base/hash_value.h"
 #include "net/cert/pem_tokenizer.h"
+#include "net/cert/x509_certificate.h"
 
 #define ONC_LOG_WARNING(message) NET_LOG_WARNING("ONC", message)
 #define ONC_LOG_ERROR(message) NET_LOG_ERROR("ONC", message)
 
 namespace chromeos {
 namespace onc {
 
 namespace {
 
 const char kUnableToDecrypt[] = "Unable to decrypt encrypted ONC";
@@ skipping 308 matching lines @@
 
   base::ListValue* validated_networks = NULL;
   if (toplevel_onc->GetListWithoutPathExpansion(
           toplevel_config::kNetworkConfigurations, &validated_networks)) {
     network_configs->Swap(validated_networks);
   }
 
   return success;
 }
 
+std::string GetHexFingerprintOfCert(const net::X509Certificate& cert) {
+  net::SHA1HashValue fingerprint = cert.fingerprint();
+  return base::HexEncode(fingerprint.data, sizeof(fingerprint.data));
+}
+
+net::X509Certificate* FindCertByFingerprint(
+    const net::CertificateList& cert_list, const std::string& fingerprint) {
+  net::X509Certificate* found = NULL;
+  for (net::CertificateList::const_iterator it = cert_list.begin();
+       it != cert_list.end(); ++it) {
+    if (GetHexFingerprintOfCert(**it) != fingerprint)
+      continue;
+    if (found != NULL) {
+      LOG(ERROR) << "Fingerprint not unique in list.";
+      return NULL;
+    }
+    found = it->get();
+  }
+  return found;
+}
+
+std::string GetPEMEncodedCertFromFingerprint(
+    const net::CertificateList& cert_list,
+    const std::string& fingerprint) {
+  net::X509Certificate* cert = FindCertByFingerprint(cert_list, fingerprint);
+  if (!cert) {
+    LOG(ERROR) << "Couldn't find a certificate with fingerprint "
+               << fingerprint;
+    return std::string();
+  }
+
+  std::string pem_encoded_cert;
+  if (!net::X509Certificate::GetPEMEncoded(cert->os_cert_handle(),
+                                           &pem_encoded_cert)) {
+    LOG(ERROR) << "Couldn't PEM-encode certificate with fingerprint "
+               << fingerprint;
+    return std::string();
+  }
+
+  return pem_encoded_cert;
+}
+
 scoped_refptr<net::X509Certificate> DecodePEMCertificate(
-    const std::string& pem_encoded,
-    const std::string& nickname) {
+    const std::string& pem_encoded) {
   // The PEM block header used for DER certificates
   static const char kCertificateHeader[] = "CERTIFICATE";
   // This is an older PEM marker for DER certificates.
   static const char kX509CertificateHeader[] = "X509 CERTIFICATE";
 
   std::vector<std::string> pem_headers;
   pem_headers.push_back(kCertificateHeader);
   pem_headers.push_back(kX509CertificateHeader);
 
   net::PEMTokenizer pem_tokenizer(pem_encoded, pem_headers);
   std::string decoded;
   if (pem_tokenizer.GetNext()) {
     decoded = pem_tokenizer.data();
   } else {
     // If we failed to read the data as a PEM file, then try plain base64 decode
     // in case the PEM marker strings are missing. For this to work, there has
     // to be no white space, and it has to only contain the base64-encoded data.
     if (!base::Base64Decode(pem_encoded, &decoded)) {
       LOG(ERROR) << "Unable to base64 decode X509 data: " << pem_encoded;
       return scoped_refptr<net::X509Certificate>();
     }
   }
 
   scoped_refptr<net::X509Certificate> cert =
-      net::X509Certificate::CreateFromBytesWithNickname(decoded.data(),
-                                                        decoded.size(),
-                                                        nickname.c_str());
+      net::X509Certificate::CreateFromBytes(decoded.data(), decoded.size());
   LOG_IF(ERROR, !cert) << "Couldn't create certificate from X509 data: "
                        << decoded;
   return cert;
 }
 
+namespace {
+
+bool ResolveCertRef(
+    const std::map<std::string,
+                   scoped_refptr<net::X509Certificate> >& certs_by_guid,
+    const std::string& key_guid_ref,
+    const std::string& key_fingerprint,
+    base::DictionaryValue* dict) {
+  std::string guid_ref;
+  if (!dict->GetStringWithoutPathExpansion(key_guid_ref, &guid_ref))
+    return true;
+  std::map<std::string, scoped_refptr<net::X509Certificate> >::const_iterator
+      it = certs_by_guid.find(guid_ref);
+  if (it == certs_by_guid.end()) {
+    LOG(ERROR) << "Couldn't resolve certificate reference " << guid_ref;
+    return false;
+  }
+
+  dict->SetStringWithoutPathExpansion(
+      key_fingerprint,
+      GetHexFingerprintOfCert(*it->second));
+  return true;
+}
+
+bool ResolveServerCertRefsInObject(
+    const std::map<std::string,
+                   scoped_refptr<net::X509Certificate> >& certs_by_guid,
+    const OncValueSignature& signature,
+    base::DictionaryValue* onc_object) {
+  if (&signature == &kEAPSignature) {
+    if (!ResolveCertRef(certs_by_guid, eap::kServerCARef,
+                        eap::kServerCAFingerprint, onc_object)) {
+      return false;
+    }
+  } else if (&signature == &kL2TPSignature ||
+             &signature == &kOpenVPNSignature) {
+    if (!ResolveCertRef(certs_by_guid, vpn::kServerCARef,
+                        vpn::kServerCAFingerprint, onc_object) ||
+        !ResolveCertRef(certs_by_guid, vpn::kServerCertRef,
+                        vpn::kServerCertFingerprint, onc_object)) {
+      return false;;
+    }
+  }
+
+  // Recurse into nested objects.
+  for (base::DictionaryValue::Iterator it(*onc_object); !it.IsAtEnd();
+       it.Advance()) {
+    base::DictionaryValue* inner_object = NULL;
+    if (!onc_object->GetDictionaryWithoutPathExpansion(it.key(), &inner_object))
+      continue;
+
+    const OncFieldSignature* field_signature =
+        GetFieldSignature(signature, it.key());
+    if (!field_signature)
+      continue;
+
+    if (!ResolveServerCertRefsInObject(certs_by_guid,
+                                       *field_signature->value_signature,
+                                       inner_object)) {
+      return false;
+    }
+  }
+  return true;
+}
+
+}  // namespace
+
+bool ResolveServerCertRefsInNetworks(
+    const std::map<std::string,
+                   scoped_refptr<net::X509Certificate> >& certs_by_guid,
+    base::ListValue* network_configs) {
+  bool success = true;
+  for (base::ListValue::iterator it = network_configs->begin();
+       it != network_configs->end(); ) {
+    base::DictionaryValue* network = NULL;
+    (*it)->GetAsDictionary(&network);
+    if (!ResolveServerCertRefsInNetwork(certs_by_guid, network)) {
+      std::string guid;
+      network->GetStringWithoutPathExpansion(network_config::kGUID, &guid);
+      // This might happen even with correct validation, if the referenced
+      // certificate couldn't be imported.
+      LOG(ERROR) << "Couldn't resolve some certificate reference of network "
+                 << guid;
+      it = network_configs->Erase(it, NULL);
+      success = false;
+      continue;
+    }
+    ++it;
+  }
+  return success;
+}
+
+bool ResolveServerCertRefsInNetwork(
+    const std::map<std::string,
+                   scoped_refptr<net::X509Certificate> >& certs_by_guid,
+    base::DictionaryValue* network_config) {
+  return ResolveServerCertRefsInObject(certs_by_guid,
+                                       kNetworkConfigurationSignature,
+                                       network_config);
+}
+
 }  // namespace onc
 }  // namespace chromeos