Chromium Code Reviews Chromium Code Reviews
Issue 22588002:
Refactor the client certificate code in chromeos/network/. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| Index: chromeos/network/network_connection_handler.cc |
| diff --git a/chromeos/network/network_connection_handler.cc b/chromeos/network/network_connection_handler.cc |
| index f7ec8932948ed9095cd386605c78fb1966af94ef..b4f5b39ee2e6f7f8ea6a0d82dcbbd984adfcf126 100644 |
| --- a/chromeos/network/network_connection_handler.cc |
| +++ b/chromeos/network/network_connection_handler.cc |
| @@ -11,7 +11,7 @@ |
| #include "chromeos/dbus/dbus_thread_manager.h" |
| #include "chromeos/dbus/shill_manager_client.h" |
| #include "chromeos/dbus/shill_service_client.h" |
| -#include "chromeos/network/certificate_pattern_matcher.h" |
| +#include "chromeos/network/client_cert_util.h" |
| #include "chromeos/network/managed_network_configuration_handler.h" |
| #include "chromeos/network/network_configuration_handler.h" |
| #include "chromeos/network/network_event_log.h" |
| @@ -401,82 +401,62 @@ void NetworkConnectionHandler::VerifyConfiguredAndConnect( |
| } |
| } |
| - // These will be set if they need to be configured, otherwise they will |
| - // be left empty and the properties will not be set. |
| - std::string pkcs11_id, tpm_slot, tpm_pin; |
| - |
| - // Check certificate properties in kUIDataProperty if configured. |
| - // Note: Wifi/VPNConfigView set these properties explicitly. |
| - scoped_ptr<NetworkUIData> ui_data = |
| - ManagedNetworkConfigurationHandler::GetUIData(service_properties); |
| - if (ui_data && ui_data->certificate_type() == CLIENT_CERT_TYPE_PATTERN) { |
| - // User must be logged in to connect to a network requiring a certificate. |
| - if (!logged_in_ || !cert_loader_) { |
| - ErrorCallbackForPendingRequest(service_path, kErrorCertificateRequired); |
| - return; |
| - } |
| - |
| - // If certificates have not been loaded yet, queue the connect request. |
| - if (!certificates_loaded_) { |
| - ConnectRequest* request = pending_request(service_path); |
| - DCHECK(request); |
| - NET_LOG_EVENT("Connect Request Queued", service_path); |
| - queued_connect_.reset(new ConnectRequest( |
| - service_path, request->success_callback, request->error_callback)); |
| - pending_requests_.erase(service_path); |
| - return; |
| - } |
| - |
| - // Ensure the certificate is available and configured. |
| - if (!CertificateIsConfigured(ui_data.get(), &pkcs11_id)) { |
| - ErrorCallbackForPendingRequest(service_path, kErrorCertificateRequired); |
| - return; |
| - } |
| - } |
| - |
| - // The network may not be 'Connectable' because the TPM properties are |
| - // not set up, so configure tpm slot/pin before connecting. |
| - if (cert_loader_) { |
| - tpm_slot = cert_loader_->tpm_token_slot(); |
| - tpm_pin = cert_loader_->tpm_user_pin(); |
| + client_cert::ConfigType client_cert_type = client_cert::CONFIG_TYPE_NONE; |
| + if (type == flimflam::kTypeVPN) { |
| + if (vpn_provider_type == flimflam::kProviderOpenVpn) |
| + client_cert_type = client_cert::CONFIG_TYPE_OPENVPN; |
| + else |
| + client_cert_type = client_cert::CONFIG_TYPE_IPSEC; |
| + } else if (type == flimflam::kTypeWifi) { |
| + client_cert_type = client_cert::CONFIG_TYPE_EAP; |
| } |
|
stevenjb
2013/08/09 17:03:29
nit: It might be nice to make this a helper in cli
pneubeck (no reviews)
2013/08/09 22:40:21
It's not used anywhere else currently. I'll leave
|
| base::DictionaryValue config_properties; |
| - |
| - if (type == flimflam::kTypeVPN) { |
| - if (vpn_provider_type == flimflam::kProviderOpenVpn) { |
| - if (!pkcs11_id.empty()) { |
| - config_properties.SetStringWithoutPathExpansion( |
| - flimflam::kOpenVPNClientCertIdProperty, pkcs11_id); |
| - } |
| - if (!tpm_pin.empty()) { |
| - config_properties.SetStringWithoutPathExpansion( |
| - flimflam::kOpenVPNPinProperty, tpm_pin); |
| - } |
| - } else { |
| - if (!pkcs11_id.empty()) { |
| - config_properties.SetStringWithoutPathExpansion( |
| - flimflam::kL2tpIpsecClientCertIdProperty, pkcs11_id); |
| + if (client_cert_type != client_cert::CONFIG_TYPE_NONE) { |
| + // If the client certificate must be configured, this will be reset to a |
|
stevenjb
2013/08/09 17:03:29
nit: even though the call is 'reset', 'set' would
pneubeck (no reviews)
2013/08/09 22:40:21
Done.
|
| + // string. |
| + scoped_ptr<std::string> pkcs11_id; |
| + |
| + // Check certificate properties in kUIDataProperty if configured. |
| + // Note: Wifi/VPNConfigView set these properties explicitly, in which case |
| + // only the TPM must be configured. |
| + scoped_ptr<NetworkUIData> ui_data = |
| + ManagedNetworkConfigurationHandler::GetUIData(service_properties); |
| + if (ui_data && ui_data->certificate_type() == CLIENT_CERT_TYPE_PATTERN) { |
| + // User must be logged in to connect to a network requiring a certificate. |
| + if (!logged_in_ || !cert_loader_) { |
| + ErrorCallbackForPendingRequest(service_path, kErrorCertificateRequired); |
| + return; |
| } |
| - if (!tpm_slot.empty()) { |
| - config_properties.SetStringWithoutPathExpansion( |
| - flimflam::kL2tpIpsecClientCertSlotProperty, tpm_slot); |
| + |
| + // If certificates have not been loaded yet, queue the connect request. |
| + if (!certificates_loaded_) { |
| + ConnectRequest* request = pending_request(service_path); |
| + DCHECK(request); |
| + NET_LOG_EVENT("Connect Request Queued", service_path); |
| + queued_connect_.reset(new ConnectRequest( |
| + service_path, request->success_callback, request->error_callback)); |
| + pending_requests_.erase(service_path); |
| + return; |
| } |
| - if (!tpm_pin.empty()) { |
| - config_properties.SetStringWithoutPathExpansion( |
| - flimflam::kL2tpIpsecPinProperty, tpm_pin); |
| + |
| + pkcs11_id.reset(new std::string); |
| + // Ensure the certificate is available and configured. |
| + if (!cert_loader_->IsHardwareBacked() || |
| + !CertificateIsConfigured(ui_data.get(), pkcs11_id.get())) { |
|
stevenjb
2013/08/09 17:03:29
nit: This is kind of a weird way to set a scoped_p
pneubeck (no reviews)
2013/08/09 22:40:21
Done.
|
| + ErrorCallbackForPendingRequest(service_path, kErrorCertificateRequired); |
| + return; |
| } |
| } |
| - } else if (type == flimflam::kTypeWifi) { |
| - if (!pkcs11_id.empty()) { |
| - config_properties.SetStringWithoutPathExpansion( |
| - flimflam::kEapCertIdProperty, pkcs11_id); |
| - config_properties.SetStringWithoutPathExpansion( |
| - flimflam::kEapKeyIdProperty, pkcs11_id); |
| - } |
| - if (!tpm_pin.empty()) { |
| - config_properties.SetStringWithoutPathExpansion( |
| - flimflam::kEapPinProperty, tpm_pin); |
| + |
| + // The network may not be 'Connectable' because the TPM properties are not |
| + // set up, so configure tpm slot/pin before connecting. |
| + if (cert_loader_ && cert_loader_->IsHardwareBacked()) { |
| + client_cert::SetShillProperties(client_cert_type, |
| + cert_loader_->tpm_token_slot(), |
| + cert_loader_->tpm_user_pin(), |
| + pkcs11_id.get(), |
| + &config_properties); |
| } |
| } |
| @@ -630,13 +610,12 @@ bool NetworkConnectionHandler::CertificateIsConfigured(NetworkUIData* ui_data, |
| std::string* pkcs11_id) { |
| if (ui_data->certificate_pattern().Empty()) |
| return false; |
| - |
| // Find the matching certificate. |
| scoped_refptr<net::X509Certificate> matching_cert = |
| - certificate_pattern::GetCertificateMatch(ui_data->certificate_pattern()); |
| + client_cert::GetCertificateMatch(ui_data->certificate_pattern()); |
| if (!matching_cert.get()) |
| return false; |
| - *pkcs11_id = cert_loader_->GetPkcs11IdForCert(*matching_cert.get()); |
| + *pkcs11_id = CertLoader::GetPkcs11IdForCert(*matching_cert.get()); |
| return true; |
| } |
