Make CertificateHandler a proper interface of CertificateImporter.

chromeos/network/onc/onc_certificate_importer_impl.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#include "chromeos/network/onc/onc_certificate_importer.h"
+#include "chromeos/network/onc/onc_certificate_importer_impl.h"
 
 #include <cert.h>
 #include <keyhi.h>
 #include <pk11pub.h>
 
 #include "base/base64.h"
 #include "base/logging.h"
 #include "base/values.h"
 #include "chromeos/network/network_event_log.h"
 #include "chromeos/network/onc/onc_constants.h"
 #include "chromeos/network/onc/onc_utils.h"
 #include "net/base/crypto_module.h"
 #include "net/base/net_errors.h"
 #include "net/cert/nss_cert_database.h"
 #include "net/cert/x509_certificate.h"
 
 #define ONC_LOG_WARNING(message)                                \
   NET_LOG_DEBUG("ONC Certificate Import Warning", message)
 #define ONC_LOG_ERROR(message)                                  \
   NET_LOG_ERROR("ONC Certificate Import Error", message)
 
 namespace chromeos {
 namespace onc {
 
-CertificateImporter::CertificateImporter(bool allow_trust_imports)
-    : allow_trust_imports_(allow_trust_imports) {
+CertificateImporterImpl::CertificateImporterImpl() {
 }
 
-CertificateImporter::ParseResult CertificateImporter::ParseAndStoreCertificates(
+bool CertificateImporterImpl::ImportCertificates(
+    const base::ListValue& certificates,
+    onc::ONCSource source,
+    net::CertificateList* onc_trusted_certificates) {
+  VLOG(2) << "ONC file has " << certificates.GetSize() << " certificates";
+
+  // Web trust is only granted to certificates imported by the user.
+  bool allow_trust_imports = source == onc::ONC_SOURCE_USER_IMPORT;
+  if (!ParseAndStoreCertificates(
+          allow_trust_imports, certificates, onc_trusted_certificates, NULL)) {
+    LOG(ERROR) << "Cannot parse some of the certificates in the ONC from "
+               << onc::GetSourceAsString(source);
+    return false;
+  }
+  return true;
+}
+
+bool CertificateImporterImpl::ParseAndStoreCertificates(
+    bool allow_trust_imports,
     const base::ListValue& certificates,
     net::CertificateList* onc_trusted_certificates,
     CertsByGUID* imported_server_and_ca_certs) {
-  size_t successful_imports = 0;
+  bool success = true;
   for (size_t i = 0; i < certificates.GetSize(); ++i) {
     const base::DictionaryValue* certificate = NULL;
     certificates.GetDictionary(i, &certificate);
     DCHECK(certificate != NULL);
 
     VLOG(2) << "Parsing certificate at index " << i << ": " << *certificate;
 
-    if (!ParseAndStoreCertificate(*certificate, onc_trusted_certificates,
+    if (!ParseAndStoreCertificate(allow_trust_imports,
+                                  *certificate,
+                                  onc_trusted_certificates,
                                   imported_server_and_ca_certs)) {
+      success = false;
       ONC_LOG_ERROR(
           base::StringPrintf("Cannot parse certificate at index %zu", i));
     } else {
       VLOG(2) << "Successfully imported certificate at index " << i;
-      ++successful_imports;
     }
   }
-
-  if (successful_imports == certificates.GetSize()) {
-    return IMPORT_OK;
-  } else if (successful_imports == 0) {
-    return IMPORT_FAILED;
-  } else {
-    return IMPORT_INCOMPLETE;
-  }
+  return success;
 }
 
 // static
-void CertificateImporter::ListCertsWithNickname(const std::string& label,
+void CertificateImporterImpl::ListCertsWithNickname(const std::string& label,
                                                 net::CertificateList* result) {
   net::CertificateList all_certs;
   net::NSSCertDatabase::GetInstance()->ListCerts(&all_certs);
   result->clear();
   for (net::CertificateList::iterator iter = all_certs.begin();
        iter != all_certs.end(); ++iter) {
     if (iter->get()->os_cert_handle()->nickname) {
       // Separate the nickname stored in the certificate at the colon, since
       // NSS likes to store it as token:nickname.
       const char* delimiter =
@@ skipping 17 matching lines @@
       char* private_key_nickname = PK11_GetPrivateKeyNickname(private_key);
       if (private_key_nickname && std::string(label) == private_key_nickname)
         result->push_back(*iter);
       PORT_Free(private_key_nickname);
       SECKEY_DestroyPrivateKey(private_key);
     }
   }
 }
 
 // static
-bool CertificateImporter::DeleteCertAndKeyByNickname(const std::string& label) {
+bool CertificateImporterImpl::DeleteCertAndKeyByNickname(
+    const std::string& label) {
   net::CertificateList cert_list;
   ListCertsWithNickname(label, &cert_list);
   bool result = true;
   for (net::CertificateList::iterator iter = cert_list.begin();
        iter != cert_list.end(); ++iter) {
     // If we fail, we try and delete the rest still.
     // TODO(gspencer): this isn't very "transactional".  If we fail on some, but
     // not all, then it's possible to leave things in a weird state.
     // Luckily there should only be one cert with a particular
     // label, and the cert not being found is one of the few reasons the
     // delete could fail, but still...  The other choice is to return
     // failure immediately, but that doesn't seem to do what is intended.
     if (!net::NSSCertDatabase::GetInstance()->DeleteCertAndKey(iter->get()))
       result = false;
   }
   return result;
 }
 
-bool CertificateImporter::ParseAndStoreCertificate(
+bool CertificateImporterImpl::ParseAndStoreCertificate(
+    bool allow_trust_imports,
     const base::DictionaryValue& certificate,
     net::CertificateList* onc_trusted_certificates,
     CertsByGUID* imported_server_and_ca_certs) {
   // Get out the attributes of the given certificate.
   std::string guid;
   certificate.GetStringWithoutPathExpansion(certificate::kGUID, &guid);
   DCHECK(!guid.empty());
 
   bool remove = false;
   if (certificate.GetBooleanWithoutPathExpansion(kRemove, &remove) && remove) {
     if (!DeleteCertAndKeyByNickname(guid)) {
       ONC_LOG_ERROR("Unable to delete certificate");
       return false;
     } else {
       return true;
     }
   }
 
   // Not removing, so let's get the data we need to add this certificate.
   std::string cert_type;
   certificate.GetStringWithoutPathExpansion(certificate::kType, &cert_type);
   if (cert_type == certificate::kServer ||
       cert_type == certificate::kAuthority) {
-    return ParseServerOrCaCertificate(cert_type, guid, certificate,
+    return ParseServerOrCaCertificate(allow_trust_imports,
+                                      cert_type,
+                                      guid,
+                                      certificate,
                                       onc_trusted_certificates,
                                       imported_server_and_ca_certs);
   } else if (cert_type == certificate::kClient) {
     return ParseClientCertificate(guid, certificate);
   }
 
   NOTREACHED();
   return false;
 }
 
-bool CertificateImporter::ParseServerOrCaCertificate(
+bool CertificateImporterImpl::ParseServerOrCaCertificate(
+    bool allow_trust_imports,
     const std::string& cert_type,
     const std::string& guid,
     const base::DictionaryValue& certificate,
     net::CertificateList* onc_trusted_certificates,
     CertsByGUID* imported_server_and_ca_certs) {
   bool web_trust_flag = false;
   const base::ListValue* trust_list = NULL;
   if (certificate.GetListWithoutPathExpansion(certificate::kTrustBits,
                                               &trust_list)) {
     for (base::ListValue::const_iterator it = trust_list->begin();
@@ skipping 10 matching lines @@
         // Trust bits should only increase trust and never restrict. Thus,
         // ignoring unknown bits should be safe.
         ONC_LOG_WARNING("Certificate contains unknown trust type " +
                         trust_type);
       }
     }
   }
 
   bool import_with_ssl_trust = false;
   if (web_trust_flag) {
-    if (!allow_trust_imports_)
+    if (!allow_trust_imports)
       ONC_LOG_WARNING("Web trust not granted for certificate: " + guid);
     else
       import_with_ssl_trust = true;
   }
 
   std::string x509_data;
   if (!certificate.GetStringWithoutPathExpansion(certificate::kX509,
                                                  &x509_data) ||
       x509_data.empty()) {
     ONC_LOG_ERROR(
@@ skipping 63 matching lines @@
 
   if (web_trust_flag && onc_trusted_certificates)
     onc_trusted_certificates->push_back(x509_cert);
 
   if (imported_server_and_ca_certs)
     (*imported_server_and_ca_certs)[guid] = x509_cert;
 
   return true;
 }
 
-bool CertificateImporter::ParseClientCertificate(
+bool CertificateImporterImpl::ParseClientCertificate(
     const std::string& guid,
     const base::DictionaryValue& certificate) {
   std::string pkcs12_data;
   if (!certificate.GetStringWithoutPathExpansion(certificate::kPKCS12,
                                                  &pkcs12_data) ||
       pkcs12_data.empty()) {
     ONC_LOG_ERROR("PKCS12 data is missing for client certificate.");
     return false;
   }
 
@@ skipping 40 matching lines @@
     PK11_SetPrivateKeyNickname(private_key, const_cast<char*>(guid.c_str()));
     SECKEY_DestroyPrivateKey(private_key);
   } else {
     ONC_LOG_WARNING("Unable to find private key for certificate.");
   }
   return true;
 }
 
 }  // namespace onc
 }  // namespace chromeos