| OLD | NEW |
|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "remoting/host/token_validator_base.h" | 5 #include "remoting/host/token_validator_base.h" |
| 6 | 6 |
| 7 #include <stddef.h> | 7 #include <stddef.h> |
| 8 | 8 |
| 9 #include "base/base64.h" | 9 #include "base/base64.h" |
| 10 #include "base/bind.h" | 10 #include "base/bind.h" |
| (...skipping 25 matching lines...) Expand all Loading... |
| 36 #include "net/url_request/url_request.h" | 36 #include "net/url_request/url_request.h" |
| 37 #include "net/url_request/url_request_context.h" | 37 #include "net/url_request/url_request_context.h" |
| 38 #include "net/url_request/url_request_status.h" | 38 #include "net/url_request/url_request_status.h" |
| 39 #include "url/gurl.h" | 39 #include "url/gurl.h" |
| 40 | 40 |
| 41 namespace { | 41 namespace { |
| 42 | 42 |
| 43 const int kBufferSize = 4096; | 43 const int kBufferSize = 4096; |
| 44 const char kCertIssuerWildCard[] = "*"; | 44 const char kCertIssuerWildCard[] = "*"; |
| 45 | 45 |
| 46 // The certificate is valid if: |
| 47 // * The certificate issuer matches exactly |issuer| or the |issuer| is a |
| 48 // wildcard. And |
| 49 // * |now| is within [valid_start, valid_expiry]. |
| 50 bool IsCertificateValid(const std::string& issuer, |
| 51 const base::Time& now, |
| 52 const scoped_refptr<net::X509Certificate>& cert) { |
| 53 return (issuer == kCertIssuerWildCard || |
| 54 issuer == cert->issuer().common_name) && |
| 55 cert->valid_start() <= now && cert->valid_expiry() > now; |
| 56 } |
| 57 |
| 58 // Returns true if the certificate |c1| is worse than |c2|. |
| 59 // |
| 60 // Criteria: |
| 61 // 1. An invalid certificate is always worse than a valid certificate. |
| 62 // 2. Invalid certificates are equally bad, in which case false will be |
| 63 // returned. |
| 64 // 3. A certificate with earlier |valid_start| time is worse. |
| 65 // 4. When |valid_start| are the same, the certificate with earlier |
| 66 // |valid_expiry| is worse. |
| 67 bool WorseThan(const std::string& issuer, |
| 68 const base::Time& now, |
| 69 const scoped_refptr<net::X509Certificate>& c1, |
| 70 const scoped_refptr<net::X509Certificate>& c2) { |
| 71 if (!IsCertificateValid(issuer, now, c2)) |
| 72 return false; |
| 73 |
| 74 if (!IsCertificateValid(issuer, now, c1)) |
| 75 return true; |
| 76 |
| 77 if (c1->valid_start() != c2->valid_start()) |
| 78 return c1->valid_start() < c2->valid_start(); |
| 79 |
| 80 return c1->valid_expiry() < c2->valid_expiry(); |
| 81 } |
| 82 |
| 46 } // namespace | 83 } // namespace |
| 47 | 84 |
| 48 namespace remoting { | 85 namespace remoting { |
| 49 | 86 |
| 50 TokenValidatorBase::TokenValidatorBase( | 87 TokenValidatorBase::TokenValidatorBase( |
| 51 const ThirdPartyAuthConfig& third_party_auth_config, | 88 const ThirdPartyAuthConfig& third_party_auth_config, |
| 52 const std::string& token_scope, | 89 const std::string& token_scope, |
| 53 scoped_refptr<net::URLRequestContextGetter> request_context_getter) | 90 scoped_refptr<net::URLRequestContextGetter> request_context_getter) |
| 54 : third_party_auth_config_(third_party_auth_config), | 91 : third_party_auth_config_(third_party_auth_config), |
| 55 token_scope_(token_scope), | 92 token_scope_(token_scope), |
| (...skipping 111 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 167 base::Bind(&TokenValidatorBase::OnCertificatesSelected, | 204 base::Bind(&TokenValidatorBase::OnCertificatesSelected, |
| 168 weak_factory_.GetWeakPtr(), base::Owned(selected_certs), | 205 weak_factory_.GetWeakPtr(), base::Owned(selected_certs), |
| 169 base::Owned(client_cert_store))); | 206 base::Owned(client_cert_store))); |
| 170 } | 207 } |
| 171 | 208 |
| 172 void TokenValidatorBase::OnCertificatesSelected( | 209 void TokenValidatorBase::OnCertificatesSelected( |
| 173 net::CertificateList* selected_certs, | 210 net::CertificateList* selected_certs, |
| 174 net::ClientCertStore* unused) { | 211 net::ClientCertStore* unused) { |
| 175 const std::string& issuer = | 212 const std::string& issuer = |
| 176 third_party_auth_config_.token_validation_cert_issuer; | 213 third_party_auth_config_.token_validation_cert_issuer; |
| 177 if (request_) { | 214 |
| 178 for (size_t i = 0; i < selected_certs->size(); ++i) { | 215 base::Time now = base::Time::Now(); |
| 179 net::X509Certificate* cert = (*selected_certs)[i].get(); | 216 |
| 180 if (issuer == kCertIssuerWildCard || | 217 auto best_match_position = |
| 181 issuer == cert->issuer().common_name) { | 218 std::max_element(selected_certs->begin(), selected_certs->end(), |
| 182 request_->ContinueWithCertificate( | 219 std::bind(&WorseThan, issuer, now, std::placeholders::_1, |
| 183 cert, net::FetchClientCertPrivateKey(cert).get()); | 220 std::placeholders::_2)); |
| 184 return; | 221 |
| 185 } | 222 if (best_match_position == selected_certs->end() || |
| 186 } | 223 !IsCertificateValid(issuer, now, *best_match_position)) { |
| 187 request_->ContinueWithCertificate(nullptr, nullptr); | 224 ContinueWithCertificate(nullptr, nullptr); |
| 225 } else { |
| 226 ContinueWithCertificate( |
| 227 best_match_position->get(), |
| 228 net::FetchClientCertPrivateKey(best_match_position->get()).get()); |
| 188 } | 229 } |
| 189 } | 230 } |
| 190 | 231 |
| 232 void TokenValidatorBase::ContinueWithCertificate( |
| 233 net::X509Certificate* client_cert, |
| 234 net::SSLPrivateKey* client_private_key) { |
| 235 if (request_) { |
| 236 request_->ContinueWithCertificate(client_cert, client_private_key); |
| 237 } |
| 238 } |
| 239 |
| 191 bool TokenValidatorBase::IsValidScope(const std::string& token_scope) { | 240 bool TokenValidatorBase::IsValidScope(const std::string& token_scope) { |
| 192 // TODO(rmsousa): Deal with reordering/subsets/supersets/aliases/etc. | 241 // TODO(rmsousa): Deal with reordering/subsets/supersets/aliases/etc. |
| 193 return token_scope == token_scope_; | 242 return token_scope == token_scope_; |
| 194 } | 243 } |
| 195 | 244 |
| 196 std::string TokenValidatorBase::ProcessResponse(int net_result) { | 245 std::string TokenValidatorBase::ProcessResponse(int net_result) { |
| 197 // Verify that we got a successful response. | 246 // Verify that we got a successful response. |
| 198 if (net_result != net::OK) { | 247 if (net_result != net::OK) { |
| 199 LOG(ERROR) << "Error validating token, err=" << net_result; | 248 LOG(ERROR) << "Error validating token, err=" << net_result; |
| 200 return std::string(); | 249 return std::string(); |
| (...skipping 22 matching lines...) Expand all Loading... |
| 223 return std::string(); | 272 return std::string(); |
| 224 } | 273 } |
| 225 | 274 |
| 226 std::string shared_secret; | 275 std::string shared_secret; |
| 227 // Everything is valid, so return the shared secret to the caller. | 276 // Everything is valid, so return the shared secret to the caller. |
| 228 dict->GetStringWithoutPathExpansion("access_token", &shared_secret); | 277 dict->GetStringWithoutPathExpansion("access_token", &shared_secret); |
| 229 return shared_secret; | 278 return shared_secret; |
| 230 } | 279 } |
| 231 | 280 |
| 232 } // namespace remoting | 281 } // namespace remoting |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2369193002:
[Remoting Host] Select Latest Valid Cert (Closed)
