| OLD | NEW |
|---|
| (Empty) | |
| 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #include "chromeos/network/client_cert_resolver.h" |
| 6 |
| 7 #include <cert.h> |
| 8 #include <certt.h> // for (SECCertUsageEnum) certUsageAnyCA |
| 9 #include <pk11pub.h> |
| 10 |
| 11 #include <algorithm> |
| 12 #include <string> |
| 13 |
| 14 #include "base/stl_util.h" |
| 15 #include "base/task_runner.h" |
| 16 #include "base/threading/worker_pool.h" |
| 17 #include "base/time/time.h" |
| 18 #include "chromeos/cert_loader.h" |
| 19 #include "chromeos/dbus/dbus_thread_manager.h" |
| 20 #include "chromeos/dbus/shill_service_client.h" |
| 21 #include "chromeos/network/certificate_pattern.h" |
| 22 #include "chromeos/network/client_cert_util.h" |
| 23 #include "chromeos/network/managed_network_configuration_handler.h" |
| 24 #include "chromeos/network/network_state.h" |
| 25 #include "chromeos/network/network_state_handler.h" |
| 26 #include "chromeos/network/network_ui_data.h" |
| 27 #include "chromeos/network/onc/onc_constants.h" |
| 28 #include "dbus/object_path.h" |
| 29 #include "net/cert/x509_certificate.h" |
| 30 |
| 31 namespace chromeos { |
| 32 |
| 33 // Describes a network |network_path| for which a matching certificate |cert_id| |
| 34 // was found. |
| 35 struct ClientCertResolver::NetworkAndMatchingCert { |
| 36 NetworkAndMatchingCert(const std::string& network_path, |
| 37 client_cert::ConfigType config_type, |
| 38 const std::string& cert_id) |
| 39 : service_path(network_path), |
| 40 cert_config_type(config_type), |
| 41 pkcs11_id(cert_id) {} |
| 42 |
| 43 std::string service_path; |
| 44 client_cert::ConfigType cert_config_type; |
| 45 // The id of the matching certificate. |
| 46 std::string pkcs11_id; |
| 47 }; |
| 48 |
| 49 typedef std::vector<ClientCertResolver::NetworkAndMatchingCert> |
| 50 NetworkCertMatches; |
| 51 |
| 52 namespace { |
| 53 |
| 54 // Returns true if |vector| contains |value|. |
| 55 template <class T> |
| 56 bool ContainsValue(const std::vector<T>& vector, const T& value) { |
| 57 return find(vector.begin(), vector.end(), value) != vector.end(); |
| 58 } |
| 59 |
| 60 // Returns true if a private key for certificate |cert| is installed. |
| 61 bool HasPrivateKey(const net::X509Certificate& cert) { |
| 62 PK11SlotInfo* slot = PK11_KeyForCertExists(cert.os_cert_handle(), NULL, NULL); |
| 63 if (!slot) |
| 64 return false; |
| 65 |
| 66 PK11_FreeSlot(slot); |
| 67 return true; |
| 68 } |
| 69 |
| 70 // Describes a certificate which is issued by |issuer| (encoded as PEM). |
| 71 struct CertAndIssuer { |
| 72 CertAndIssuer(const scoped_refptr<net::X509Certificate>& certificate, |
| 73 const std::string& issuer) |
| 74 : cert(certificate), |
| 75 pem_encoded_issuer(issuer) {} |
| 76 |
| 77 scoped_refptr<net::X509Certificate> cert; |
| 78 std::string pem_encoded_issuer; |
| 79 }; |
| 80 |
| 81 bool CompareCertExpiration(const CertAndIssuer& a, |
| 82 const CertAndIssuer& b) { |
| 83 return (a.cert->valid_expiry() < b.cert->valid_expiry()); |
| 84 } |
| 85 |
| 86 // Describes a network that is configured with the certificate pattern |
| 87 // |client_cert_pattern|. |
| 88 struct NetworkAndCertPattern { |
| 89 NetworkAndCertPattern(const std::string& network_path, |
| 90 client_cert::ConfigType config_type, |
| 91 const CertificatePattern& pattern) |
| 92 : service_path(network_path), |
| 93 cert_config_type(config_type), |
| 94 client_cert_pattern(pattern) {} |
| 95 std::string service_path; |
| 96 client_cert::ConfigType cert_config_type; |
| 97 CertificatePattern client_cert_pattern; |
| 98 }; |
| 99 |
| 100 // A unary predicate that returns true if the given CertAndIssuer matches the |
| 101 // certificate pattern of the NetworkAndCertPattern. |
| 102 struct MatchCertWithPattern { |
| 103 MatchCertWithPattern(const NetworkAndCertPattern& pattern) |
| 104 : net_and_pattern(pattern) {} |
| 105 |
| 106 bool operator()(const CertAndIssuer& cert_and_issuer) { |
| 107 const CertificatePattern& pattern = net_and_pattern.client_cert_pattern; |
| 108 if (!pattern.issuer().Empty() && |
| 109 !client_cert::CertPrincipalMatches(pattern.issuer(), |
| 110 cert_and_issuer.cert->issuer())) { |
| 111 return false; |
| 112 } |
| 113 if (!pattern.subject().Empty() && |
| 114 !client_cert::CertPrincipalMatches(pattern.subject(), |
| 115 cert_and_issuer.cert->subject())) { |
| 116 return false; |
| 117 } |
| 118 |
| 119 const std::vector<std::string>& issuer_ca_pems = pattern.issuer_ca_pems(); |
| 120 if (!issuer_ca_pems.empty() && |
| 121 !ContainsValue(issuer_ca_pems, cert_and_issuer.pem_encoded_issuer)) { |
| 122 return false; |
| 123 } |
| 124 return true; |
| 125 } |
| 126 |
| 127 NetworkAndCertPattern net_and_pattern; |
| 128 }; |
| 129 |
| 130 // Searches for matches between |networks| and |certs| and writes matches to |
| 131 // |matches|. Because this calls NSS functions and is potentially slow, it must |
| 132 // be run on a worker thread. |
| 133 void FindCertificateMatches(const net::CertificateList& certs, |
| 134 std::vector<NetworkAndCertPattern>* networks, |
| 135 NetworkCertMatches* matches) { |
| 136 // Filter all client certs and determines each certificate's issuer, which is |
| 137 // required for the pattern matching. |
| 138 std::vector<CertAndIssuer> client_certs; |
| 139 for (net::CertificateList::const_iterator it = certs.begin(); |
| 140 it != certs.end(); ++it) { |
| 141 const net::X509Certificate& cert = **it; |
| 142 if (cert.valid_expiry().is_null() || cert.HasExpired() || |
| 143 !HasPrivateKey(cert)) { |
| 144 continue; |
| 145 } |
| 146 scoped_refptr<net::X509Certificate> issuer = |
| 147 net::X509Certificate::CreateFromHandle( |
| 148 CERT_FindCertIssuer( |
| 149 cert.os_cert_handle(), PR_Now(), certUsageAnyCA), |
| 150 net::X509Certificate::OSCertHandles()); |
| 151 if (!issuer) { |
| 152 LOG(ERROR) << "Couldn't find cert issuer."; |
| 153 continue; |
| 154 } |
| 155 std::string pem_encoded_issuer; |
| 156 if (!net::X509Certificate::GetPEMEncoded(issuer->os_cert_handle(), |
| 157 &pem_encoded_issuer)) { |
| 158 LOG(ERROR) << "Couldn't PEM-encode certificate."; |
| 159 continue; |
| 160 } |
| 161 client_certs.push_back(CertAndIssuer(*it, pem_encoded_issuer)); |
| 162 } |
| 163 |
| 164 std::sort(client_certs.begin(), client_certs.end(), &CompareCertExpiration); |
| 165 |
| 166 for (std::vector<NetworkAndCertPattern>::const_iterator it = |
| 167 networks->begin(); |
| 168 it != networks->end(); ++it) { |
| 169 std::vector<CertAndIssuer>::iterator cert_it = std::find_if( |
| 170 client_certs.begin(), client_certs.end(), MatchCertWithPattern(*it)); |
| 171 if (cert_it == client_certs.end()) { |
| 172 LOG(WARNING) << "Couldn't find a matching client cert for network " |
| 173 << it->service_path; |
| 174 continue; |
| 175 } |
| 176 std::string pkcs11_id = CertLoader::GetPkcs11IdForCert(*cert_it->cert); |
| 177 if (pkcs11_id.empty()) { |
| 178 LOG(ERROR) << "Couldn't determine PKCS#11 ID."; |
| 179 continue; |
| 180 } |
| 181 matches->push_back(ClientCertResolver::NetworkAndMatchingCert( |
| 182 it->service_path, it->cert_config_type, pkcs11_id)); |
| 183 } |
| 184 } |
| 185 |
| 186 // Determines the type of the CertificatePattern configuration, i.e. is it a |
| 187 // pattern within an EAP, IPsec or OpenVPN configuration. |
| 188 client_cert::ConfigType OncToClientCertConfigurationType( |
| 189 const base::DictionaryValue& network_config) { |
| 190 using namespace ::chromeos::onc; |
| 191 |
| 192 const base::DictionaryValue* wifi = NULL; |
| 193 network_config.GetDictionaryWithoutPathExpansion(network_config::kWiFi, |
| 194 &wifi); |
| 195 if (wifi) { |
| 196 const base::DictionaryValue* eap = NULL; |
| 197 wifi->GetDictionaryWithoutPathExpansion(wifi::kEAP, &eap); |
| 198 if (!eap) |
| 199 return client_cert::CONFIG_TYPE_NONE; |
| 200 return client_cert::CONFIG_TYPE_EAP; |
| 201 } |
| 202 |
| 203 const base::DictionaryValue* vpn = NULL; |
| 204 network_config.GetDictionaryWithoutPathExpansion(network_config::kVPN, &vpn); |
| 205 if (vpn) { |
| 206 const base::DictionaryValue* openvpn = NULL; |
| 207 vpn->GetDictionaryWithoutPathExpansion(vpn::kOpenVPN, &openvpn); |
| 208 if (openvpn) |
| 209 return client_cert::CONFIG_TYPE_OPENVPN; |
| 210 |
| 211 const base::DictionaryValue* ipsec = NULL; |
| 212 vpn->GetDictionaryWithoutPathExpansion(vpn::kIPsec, &ipsec); |
| 213 if (ipsec) |
| 214 return client_cert::CONFIG_TYPE_IPSEC; |
| 215 |
| 216 return client_cert::CONFIG_TYPE_NONE; |
| 217 } |
| 218 |
| 219 const base::DictionaryValue* ethernet = NULL; |
| 220 network_config.GetDictionaryWithoutPathExpansion(network_config::kEthernet, |
| 221 ðernet); |
| 222 if (ethernet) { |
| 223 const base::DictionaryValue* eap = NULL; |
| 224 ethernet->GetDictionaryWithoutPathExpansion(wifi::kEAP, &eap); |
| 225 if (eap) |
| 226 return client_cert::CONFIG_TYPE_EAP; |
| 227 return client_cert::CONFIG_TYPE_NONE; |
| 228 } |
| 229 |
| 230 return client_cert::CONFIG_TYPE_NONE; |
| 231 } |
| 232 |
| 233 void LogError(const std::string& service_path, |
| 234 const std::string& dbus_error_name, |
| 235 const std::string& dbus_error_message) { |
| 236 network_handler::ShillErrorCallbackFunction( |
| 237 "ClientCertResolver.SetProperties failed", |
| 238 service_path, |
| 239 network_handler::ErrorCallback(), |
| 240 dbus_error_name, |
| 241 dbus_error_message); |
| 242 } |
| 243 |
| 244 bool ClientCertificatesLoaded() { |
| 245 if(!CertLoader::Get()->certificates_loaded()) { |
| 246 VLOG(1) << "Certificates not loaded yet."; |
| 247 return false; |
| 248 } |
| 249 if (!CertLoader::Get()->IsHardwareBacked()) { |
| 250 VLOG(1) << "TPM is not available."; |
| 251 return false; |
| 252 } |
| 253 return true; |
| 254 } |
| 255 |
| 256 } // namespace |
| 257 |
| 258 ClientCertResolver::ClientCertResolver() |
| 259 : network_state_handler_(NULL), |
| 260 managed_network_config_handler_(NULL), |
| 261 weak_ptr_factory_(this) { |
| 262 } |
| 263 |
| 264 ClientCertResolver::~ClientCertResolver() { |
| 265 if (network_state_handler_) |
| 266 network_state_handler_->RemoveObserver(this, FROM_HERE); |
| 267 if (CertLoader::IsInitialized()) |
| 268 CertLoader::Get()->RemoveObserver(this); |
| 269 if (managed_network_config_handler_) |
| 270 managed_network_config_handler_->RemoveObserver(this); |
| 271 } |
| 272 |
| 273 void ClientCertResolver::Init( |
| 274 NetworkStateHandler* network_state_handler, |
| 275 ManagedNetworkConfigurationHandler* managed_network_config_handler) { |
| 276 DCHECK(network_state_handler); |
| 277 network_state_handler_ = network_state_handler; |
| 278 network_state_handler_->AddObserver(this, FROM_HERE); |
| 279 |
| 280 DCHECK(managed_network_config_handler); |
| 281 managed_network_config_handler_ = managed_network_config_handler; |
| 282 managed_network_config_handler_->AddObserver(this); |
| 283 |
| 284 CertLoader::Get()->AddObserver(this); |
| 285 } |
| 286 |
| 287 void ClientCertResolver::SetSlowTaskRunnerForTest( |
| 288 const scoped_refptr<base::TaskRunner>& task_runner) { |
| 289 slow_task_runner_for_test_ = task_runner; |
| 290 } |
| 291 |
| 292 void ClientCertResolver::NetworkListChanged() { |
| 293 VLOG(2) << "NetworkListChanged."; |
| 294 if (!ClientCertificatesLoaded()) |
| 295 return; |
| 296 // Configure only networks that were not configured before. |
| 297 |
| 298 // We'll drop networks from |resolved_networks_|, which are not known anymore. |
| 299 std::set<std::string> old_resolved_networks; |
| 300 old_resolved_networks.swap(resolved_networks_); |
| 301 |
| 302 NetworkStateList networks; |
| 303 network_state_handler_->GetNetworkList(&networks); |
| 304 |
| 305 NetworkStateList networks_to_check; |
| 306 for (NetworkStateList::const_iterator it = networks.begin(); |
| 307 it != networks.end(); ++it) { |
| 308 // If this network is not managed, it cannot have a ClientCertPattern. |
| 309 // We do this check here additionally to ResolveNetworks because it's cheap |
| 310 // and prevents |resolved_networks_| from becoming too large. |
| 311 if ((*it)->guid().empty()) |
| 312 continue; |
| 313 |
| 314 const std::string& service_path = (*it)->path(); |
| 315 if (ContainsKey(old_resolved_networks, service_path)) { |
| 316 resolved_networks_.insert(service_path); |
| 317 continue; |
| 318 } |
| 319 networks_to_check.push_back(*it); |
| 320 } |
| 321 |
| 322 ResolveNetworks(networks_to_check); |
| 323 } |
| 324 |
| 325 void ClientCertResolver::OnCertificatesLoaded( |
| 326 const net::CertificateList& cert_list, |
| 327 bool initial_load) { |
| 328 VLOG(2) << "OnCertificatesLoaded."; |
| 329 if (!ClientCertificatesLoaded()) |
| 330 return; |
| 331 // Compare all networks with all certificates. |
| 332 NetworkStateList networks; |
| 333 network_state_handler_->GetNetworkList(&networks); |
| 334 ResolveNetworks(networks); |
| 335 } |
| 336 |
| 337 void ClientCertResolver::PolicyApplied(const std::string& service_path) { |
| 338 VLOG(2) << "PolicyApplied " << service_path; |
| 339 if (!ClientCertificatesLoaded()) |
| 340 return; |
| 341 // Compare this network with all certificates. |
| 342 const NetworkState* network = |
| 343 network_state_handler_->GetNetworkState(service_path); |
| 344 if (!network) { |
| 345 LOG(ERROR) << "service path '" << service_path << "' unknown."; |
| 346 return; |
| 347 } |
| 348 NetworkStateList networks; |
| 349 networks.push_back(network); |
| 350 ResolveNetworks(networks); |
| 351 } |
| 352 |
| 353 void ClientCertResolver::ResolveNetworks( |
| 354 const NetworkStateList& networks) { |
| 355 scoped_ptr<std::vector<NetworkAndCertPattern> > networks_with_pattern( |
| 356 new std::vector<NetworkAndCertPattern>); |
| 357 |
| 358 // Filter networks with ClientCertPattern. As ClientCertPatterns can only be |
| 359 // set by policy, we check there. |
| 360 for (NetworkStateList::const_iterator it = networks.begin(); |
| 361 it != networks.end(); ++it) { |
| 362 const NetworkState* network = *it; |
| 363 |
| 364 // In any case, don't check this network again in NetworkListChanged. |
| 365 resolved_networks_.insert(network->path()); |
| 366 |
| 367 // If this network is not managed, it cannot have a ClientCertPattern. |
| 368 if (network->guid().empty()) |
| 369 continue; |
| 370 |
| 371 if (network->profile_path().empty()) { |
| 372 LOG(ERROR) << "Network " << network->path() |
| 373 << " has a GUID but not profile path"; |
| 374 continue; |
| 375 } |
| 376 const base::DictionaryValue* policy = |
| 377 managed_network_config_handler_->FindPolicyByGuidAndProfile( |
| 378 network->guid(), network->profile_path()); |
| 379 |
| 380 if (!policy) { |
| 381 VLOG(1) << "The policy for network " << network->path() << " with GUID " |
| 382 << network->guid() << " is not available yet."; |
| 383 // Skip this network for now. Once the policy is loaded, PolicyApplied() |
| 384 // will retry. |
| 385 continue; |
| 386 } |
| 387 |
| 388 VLOG(2) << "Inspecting network " << network->path(); |
| 389 // TODO(pneubeck): Access the ClientCertPattern without relying on |
| 390 // NetworkUIData, which also parses other things that we don't need here. |
| 391 // The ONCSource is irrelevant here. |
| 392 scoped_ptr<NetworkUIData> ui_data( |
| 393 NetworkUIData::CreateFromONC(onc::ONC_SOURCE_NONE, *policy)); |
| 394 |
| 395 // Skip networks that don't have a ClientCertPattern. |
| 396 if (ui_data->certificate_type() != CLIENT_CERT_TYPE_PATTERN) |
| 397 continue; |
| 398 |
| 399 client_cert::ConfigType config_type = |
| 400 OncToClientCertConfigurationType(*policy); |
| 401 if (config_type == client_cert::CONFIG_TYPE_NONE) { |
| 402 LOG(ERROR) << "UIData contains a CertificatePattern, but the policy " |
| 403 << "doesn't. Network: " << network->path(); |
| 404 continue; |
| 405 } |
| 406 |
| 407 networks_with_pattern->push_back(NetworkAndCertPattern( |
| 408 network->path(), config_type, ui_data->certificate_pattern())); |
| 409 } |
| 410 if (networks_with_pattern->empty()) |
| 411 return; |
| 412 |
| 413 VLOG(2) << "Start task for resolving client cert patterns."; |
| 414 base::TaskRunner* task_runner = slow_task_runner_for_test_.get(); |
| 415 if (!task_runner) |
| 416 task_runner = base::WorkerPool::GetTaskRunner(true /* task is slow */); |
| 417 |
| 418 NetworkCertMatches* matches = new NetworkCertMatches; |
| 419 task_runner->PostTaskAndReply( |
| 420 FROM_HERE, |
| 421 base::Bind(&FindCertificateMatches, |
| 422 CertLoader::Get()->cert_list(), |
| 423 base::Owned(networks_with_pattern.release()), |
| 424 matches), |
| 425 base::Bind(&ClientCertResolver::ConfigureCertificates, |
| 426 weak_ptr_factory_.GetWeakPtr(), |
| 427 base::Owned(matches))); |
| 428 } |
| 429 |
| 430 void ClientCertResolver::ConfigureCertificates(NetworkCertMatches* matches) { |
| 431 for (NetworkCertMatches::const_iterator it = matches->begin(); |
| 432 it != matches->end(); ++it) { |
| 433 VLOG(1) << "Configuring certificate of network " << it->service_path; |
| 434 CertLoader* cert_loader = CertLoader::Get(); |
| 435 base::DictionaryValue shill_properties; |
| 436 client_cert::SetShillProperties(it->cert_config_type, |
| 437 cert_loader->tpm_token_slot(), |
| 438 cert_loader->tpm_user_pin(), |
| 439 &it->pkcs11_id, |
| 440 &shill_properties); |
| 441 DBusThreadManager::Get()->GetShillServiceClient()-> |
| 442 SetProperties(dbus::ObjectPath(it->service_path), |
| 443 shill_properties, |
| 444 base::Bind(&base::DoNothing), |
| 445 base::Bind(&LogError, it->service_path)); |
| 446 network_state_handler_->RequestUpdateForNetwork(it->service_path); |
| 447 } |
| 448 } |
| 449 |
| 450 } // namespace chromeos |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 22327005:
Automatically resolve ClientCertificatePatterns. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src