Chromium Code Reviews Chromium Code Reviews
Issue 20087002:
Add migration from CaCert NSS nicknames to PEM. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| OLD | NEW |
|---|---|
| (Empty) | |
| 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include "chromeos/network/network_cert_migrator.h" | |
| 6 | |
| 7 #include <cert.h> | |
| 8 #include <string> | |
| 9 | |
| 10 #include "base/location.h" | |
| 11 #include "base/metrics/histogram.h" | |
| 12 #include "chromeos/dbus/dbus_thread_manager.h" | |
| 13 #include "chromeos/dbus/shill_service_client.h" | |
| 14 #include "chromeos/network/network_handler_callbacks.h" | |
| 15 #include "chromeos/network/network_state.h" | |
| 16 #include "chromeos/network/network_state_handler.h" | |
| 17 #include "dbus/object_path.h" | |
| 18 #include "third_party/cros_system_api/dbus/service_constants.h" | |
| 19 | |
| 20 namespace chromeos { | |
| 21 | |
| 22 namespace { | |
| 23 | |
| 24 enum UMANetworkType { | |
| 25 UMA_NETWORK_TYPE_EAP, | |
| 26 UMA_NETWORK_TYPE_OPENVPN, | |
| 27 UMA_NETWORK_TYPE_IPSEC, | |
| 28 UMA_NETWORK_TYPE_SIZE, | |
| 29 }; | |
| 30 | |
| 31 // Copied from x509_certificate_model_nss.cc | |
| 32 std::string GetNickname(const net::X509Certificate& cert) { | |
| 33 if (!cert.os_cert_handle()->nickname) | |
| 34 return std::string(); | |
| 35 std::string name = cert.os_cert_handle()->nickname; | |
| 36 // Hack copied from mozilla: Cut off text before first :, which seems to | |
| 37 // just be the token name. | |
| 38 size_t colon_pos = name.find(':'); | |
| 39 if (colon_pos != std::string::npos) | |
| 40 name = name.substr(colon_pos + 1); | |
| 41 return name; | |
| 42 } | |
| 43 | |
| 44 } // namespace | |
| 45 | |
| 46 // Checks which of the given |networks| has one of the deprecated | |
| 47 // CaCertNssProperties set. If such a network already has a CaCertPEM property, | |
| 48 // then the NssProperty is cleared. Otherwise, the NssProperty is compared with | |
| 49 // the nickname of each certificate of |certs|. If a match is found, then the | |
| 50 // CaCertPemProperty is set and the NssProperty is cleared. Otherwise, the | |
| 51 // network is not modified. | |
| 52 class NetworkCertMigrator::MigrationTask | |
| 53 : public base::RefCounted<MigrationTask> { | |
| 54 public: | |
| 55 MigrationTask(const net::CertificateList& certs, | |
| 56 const base::WeakPtr<NetworkCertMigrator>& cert_handler) | |
|
stevenjb
2013/07/29 17:53:03
Calling a NetworkCertMigrator 'cert_handler' (when
pneubeck (no reviews)
2013/08/05 08:51:22
Done. Missed it during the renaming.
| |
| 57 : certs_(certs), cert_handler_(cert_handler) {} | |
|
stevenjb
2013/07/29 17:53:03
one member per line
pneubeck (no reviews)
2013/08/05 08:51:22
Done.
| |
| 58 | |
| 59 void Run(const NetworkStateHandler::NetworkStateList& networks) { | |
| 60 // Request properties for each network that has a CaCertNssProperty set | |
| 61 // according to the NetworkStateHandler. | |
| 62 for (NetworkStateHandler::NetworkStateList::const_iterator it = | |
| 63 networks.begin(); | |
| 64 it != networks.end(); | |
| 65 ++it) { | |
|
stevenjb
2013/07/29 17:53:03
nit: last 2 or 3 lines can be combined.
pneubeck (no reviews)
2013/08/05 08:51:22
Done.
| |
| 66 if (!(*it)->HasCACertNSS()) | |
| 67 continue; | |
| 68 const std::string& service_path = (*it)->path(); | |
| 69 DBusThreadManager::Get()->GetShillServiceClient()->GetProperties( | |
| 70 dbus::ObjectPath(service_path), | |
| 71 base::Bind(&network_handler::GetPropertiesCallback, | |
| 72 base::Bind(&MigrationTask::MigrateNetwork, this), | |
| 73 network_handler::ErrorCallback(), | |
| 74 service_path)); | |
| 75 } | |
| 76 } | |
| 77 | |
| 78 void MigrateNetwork(const std::string& service_path, | |
| 79 const base::DictionaryValue& properties) { | |
| 80 if (!cert_handler_) { | |
| 81 VLOG(2) << "NetworkCertMigrator already destroyed. Aborting migration."; | |
| 82 return; | |
| 83 } | |
| 84 | |
| 85 std::string nss_key, pem_key, nickname; | |
| 86 const base::ListValue* pem_property = NULL; | |
| 87 UMANetworkType uma_type = UMA_NETWORK_TYPE_SIZE; | |
| 88 | |
| 89 GetNssAndPemProperties( | |
| 90 properties, &nss_key, &pem_key, &pem_property, &nickname, &uma_type); | |
| 91 if (nickname.empty()) | |
| 92 return; // Didn't find any nickname. | |
| 93 | |
| 94 VLOG(2) << "Found NSS nickname to migrate. Property: " << nss_key | |
| 95 << ", network: " << service_path; | |
| 96 UMA_HISTOGRAM_ENUMERATION( | |
| 97 "Network.MigrationNssToPem", uma_type, UMA_NETWORK_TYPE_SIZE); | |
| 98 | |
| 99 if (pem_property && !pem_property->empty()) { | |
| 100 VLOG(2) << "PEM already exists, clearing NSS property."; | |
| 101 ClearNssProperty(service_path, nss_key); | |
| 102 return; | |
| 103 } | |
| 104 | |
| 105 scoped_refptr<net::X509Certificate> cert = | |
| 106 FindCertificateWithNickname(nickname); | |
| 107 if (!cert) { | |
| 108 VLOG(2) << "No matching cert found."; | |
| 109 return; | |
| 110 } | |
| 111 | |
| 112 std::string pem_encoded; | |
| 113 if (!net::X509Certificate::GetPEMEncoded(cert->os_cert_handle(), | |
| 114 &pem_encoded)) { | |
| 115 LOG(ERROR) << "PEM encoding failed."; | |
| 116 return; | |
| 117 } | |
| 118 | |
| 119 SetNssAndPemProperties(service_path, nss_key, pem_key, pem_encoded); | |
| 120 } | |
| 121 | |
| 122 void GetNssAndPemProperties(const base::DictionaryValue& shill_properties, | |
| 123 std::string* nss_key, | |
| 124 std::string* pem_key, | |
| 125 const base::ListValue** pem_property, | |
| 126 std::string* nickname, | |
| 127 UMANetworkType* uma_type) { | |
| 128 struct NssPem { | |
| 129 const char* read_prefix; | |
| 130 const char* nss_key; | |
| 131 const char* pem_key; | |
| 132 UMANetworkType uma_type; | |
| 133 } const kNssPemMap[] = { | |
| 134 {NULL, flimflam::kEapCaCertNssProperty, shill::kEapCaCertPemProperty, | |
| 135 UMA_NETWORK_TYPE_EAP}, | |
|
stevenjb
2013/07/29 17:53:03
' ' after { and before }
pneubeck (no reviews)
2013/08/05 08:51:22
Optional according to the style guide. Done.
| |
| 136 {flimflam::kProviderProperty, flimflam::kL2tpIpsecCaCertNssProperty, | |
| 137 shill::kL2tpIpsecCaCertPemProperty, UMA_NETWORK_TYPE_IPSEC}, | |
| 138 {flimflam::kProviderProperty, flimflam::kOpenVPNCaCertNSSProperty, | |
| 139 shill::kOpenVPNCaCertPemProperty, UMA_NETWORK_TYPE_OPENVPN}, }; | |
|
stevenjb
2013/07/29 17:53:03
last } on separate line
pneubeck (no reviews)
2013/08/05 08:51:22
Done.
| |
| 140 | |
| 141 for (size_t i = 0; i < ARRAYSIZE_UNSAFE(kNssPemMap); ++i) { | |
| 142 const base::DictionaryValue* dict = &shill_properties; | |
| 143 if (kNssPemMap[i].read_prefix) { | |
| 144 shill_properties.GetDictionaryWithoutPathExpansion( | |
| 145 kNssPemMap[i].read_prefix, &dict); | |
| 146 if (!dict) | |
| 147 continue; | |
| 148 } | |
| 149 dict->GetStringWithoutPathExpansion(kNssPemMap[i].nss_key, nickname); | |
| 150 if (!nickname->empty()) { | |
| 151 *nss_key = kNssPemMap[i].nss_key; | |
| 152 *pem_key = kNssPemMap[i].pem_key; | |
| 153 *uma_type = kNssPemMap[i].uma_type; | |
| 154 dict->GetListWithoutPathExpansion(kNssPemMap[i].pem_key, pem_property); | |
| 155 return; | |
| 156 } | |
| 157 } | |
| 158 } | |
| 159 | |
| 160 void ClearNssProperty(const std::string& service_path, | |
| 161 const std::string& nss_key) { | |
| 162 DBusThreadManager::Get()->GetShillServiceClient() | |
| 163 ->SetProperty(dbus::ObjectPath(service_path), | |
| 164 nss_key, | |
| 165 base::StringValue(std::string()), | |
| 166 base::Bind(&base::DoNothing), | |
| 167 base::Bind(&network_handler::ShillErrorCallbackFunction, | |
| 168 "MigrationTask.SetProperty failed", | |
| 169 service_path, | |
| 170 network_handler::ErrorCallback())); | |
| 171 cert_handler_->network_state_handler_ | |
| 172 ->RequestUpdateForNetwork(service_path); | |
| 173 } | |
| 174 | |
| 175 scoped_refptr<net::X509Certificate> FindCertificateWithNickname( | |
| 176 const std::string& nickname) { | |
| 177 for (net::CertificateList::iterator it = certs_.begin(); it != certs_.end(); | |
| 178 ++it) { | |
| 179 if (nickname == GetNickname(**it)) | |
| 180 return *it; | |
| 181 } | |
| 182 return NULL; | |
| 183 } | |
| 184 | |
| 185 void SetNssAndPemProperties(const std::string& service_path, | |
| 186 const std::string& nss_key, | |
| 187 const std::string& pem_key, | |
| 188 const std::string& pem_encoded_cert) { | |
| 189 base::DictionaryValue new_properties; | |
| 190 new_properties.SetStringWithoutPathExpansion(nss_key, std::string()); | |
| 191 scoped_ptr<base::ListValue> ca_cert_pems(new base::ListValue); | |
| 192 ca_cert_pems->AppendString(pem_encoded_cert); | |
| 193 new_properties.SetWithoutPathExpansion(pem_key, ca_cert_pems.release()); | |
| 194 | |
| 195 DBusThreadManager::Get()->GetShillServiceClient() | |
| 196 ->SetProperties(dbus::ObjectPath(service_path), | |
| 197 new_properties, | |
| 198 base::Bind(&base::DoNothing), | |
| 199 base::Bind(&network_handler::ShillErrorCallbackFunction, | |
| 200 "MigrationTask.SetProperties failed", | |
| 201 service_path, | |
| 202 network_handler::ErrorCallback())); | |
| 203 cert_handler_->network_state_handler_ | |
| 204 ->RequestUpdateForNetwork(service_path); | |
| 205 } | |
| 206 | |
| 207 private: | |
| 208 friend class base::RefCounted<MigrationTask>; | |
| 209 virtual ~MigrationTask() { | |
| 210 } | |
| 211 | |
| 212 net::CertificateList certs_; | |
| 213 base::WeakPtr<NetworkCertMigrator> cert_handler_; | |
| 214 }; | |
| 215 | |
| 216 NetworkCertMigrator::NetworkCertMigrator() | |
| 217 : network_state_handler_(NULL), weak_ptr_factory_(this) {} | |
|
stevenjb
2013/07/29 17:53:03
one member per line
pneubeck (no reviews)
2013/08/05 08:51:22
Done.
| |
| 218 | |
| 219 NetworkCertMigrator::~NetworkCertMigrator() { | |
| 220 if (network_state_handler_) | |
| 221 network_state_handler_->RemoveObserver(this, FROM_HERE); | |
| 222 if (CertLoader::IsInitialized()) | |
| 223 CertLoader::Get()->RemoveObserver(this); | |
| 224 } | |
| 225 | |
| 226 void NetworkCertMigrator::Init(NetworkStateHandler* network_state_handler) { | |
| 227 DCHECK(network_state_handler); | |
| 228 network_state_handler_ = network_state_handler; | |
| 229 network_state_handler_->AddObserver(this, FROM_HERE); | |
| 230 | |
| 231 DCHECK(CertLoader::IsInitialized()); | |
| 232 CertLoader::Get()->AddObserver(this); | |
| 233 } | |
| 234 | |
| 235 void NetworkCertMigrator::NetworkListChanged() { | |
| 236 if (!CertLoader::Get()->certificates_loaded()) { | |
| 237 VLOG(2) << "Certs not loaded yet."; | |
| 238 return; | |
| 239 } | |
| 240 // Run the migration process from deprecated CaCertNssProperties to CaCertPem. | |
| 241 VLOG(2) << "Start NSS nickname to PEM migration."; | |
| 242 scoped_refptr<MigrationTask> helper(new MigrationTask( | |
| 243 CertLoader::Get()->cert_list(), weak_ptr_factory_.GetWeakPtr())); | |
| 244 NetworkStateHandler::NetworkStateList networks; | |
| 245 network_state_handler_->GetNetworkList(&networks); | |
|
stevenjb
2013/07/29 17:53:03
This is going to happen a lot with the way Shill a
pneubeck (no reviews)
2013/08/05 08:51:22
As discussed, we can change this to FavoriteState/
| |
| 246 helper->Run(networks); | |
| 247 } | |
| 248 | |
| 249 void NetworkCertMigrator::OnCertificatesLoaded( | |
| 250 const net::CertificateList& cert_list, | |
| 251 bool initial_load) { | |
| 252 // Maybe there are networks referring to certs (by NSS nickname) that were not | |
| 253 // loaded before but are now. | |
| 254 NetworkListChanged(); | |
| 255 } | |
| 256 | |
| 257 } // namespace chromeos | |
| OLD | NEW |
