Chromium Code Reviews| OLD | NEW |
|---|---|
| 1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chrome/browser/chromeos/options/cert_library.h" | 5 #include "chrome/browser/chromeos/options/cert_library.h" |
| 6 | 6 |
| 7 #include <algorithm> | 7 #include <algorithm> |
| 8 #include <memory> | |
| 8 | 9 |
| 9 #include "base/command_line.h" | 10 #include "base/command_line.h" |
| 10 #include "base/i18n/string_compare.h" | 11 #include "base/i18n/string_compare.h" |
| 11 #include "base/memory/weak_ptr.h" | 12 #include "base/memory/weak_ptr.h" |
| 12 #include "base/observer_list_threadsafe.h" | 13 #include "base/observer_list_threadsafe.h" |
| 13 #include "base/strings/string_number_conversions.h" | 14 #include "base/strings/string_number_conversions.h" |
| 14 #include "base/strings/string_util.h" | 15 #include "base/strings/string_util.h" |
| 15 #include "base/strings/utf_string_conversions.h" | 16 #include "base/strings/utf_string_conversions.h" |
| 16 #include "chrome/browser/browser_process.h" // g_browser_process | 17 #include "chrome/browser/browser_process.h" // g_browser_process |
| 17 #include "chrome/common/chrome_switches.h" | 18 #include "chrome/common/chrome_switches.h" |
| (...skipping 128 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 146 } | 147 } |
| 147 | 148 |
| 148 int CertLibrary::NumCertificates(CertType type) const { | 149 int CertLibrary::NumCertificates(CertType type) const { |
| 149 const net::CertificateList& cert_list = GetCertificateListForType(type); | 150 const net::CertificateList& cert_list = GetCertificateListForType(type); |
| 150 return static_cast<int>(cert_list.size()); | 151 return static_cast<int>(cert_list.size()); |
| 151 } | 152 } |
| 152 | 153 |
| 153 base::string16 CertLibrary::GetCertDisplayStringAt(CertType type, | 154 base::string16 CertLibrary::GetCertDisplayStringAt(CertType type, |
| 154 int index) const { | 155 int index) const { |
| 155 net::X509Certificate* cert = GetCertificateAt(type, index); | 156 net::X509Certificate* cert = GetCertificateAt(type, index); |
| 156 bool hardware_backed = IsCertHardwareBackedAt(type, index); | 157 bool hardware_backed = CertLoader::IsCertificateHardwareBacked(cert); |
| 157 return GetDisplayString(cert, hardware_backed); | 158 return GetDisplayString(cert, hardware_backed); |
| 158 } | 159 } |
| 159 | 160 |
| 160 std::string CertLibrary::GetServerCACertPEMAt(int index) const { | 161 std::string CertLibrary::GetServerCACertPEMAt(int index) const { |
| 161 return CertToPEM(*GetCertificateAt(CERT_TYPE_SERVER_CA, index)); | 162 return CertToPEM(*GetCertificateAt(CERT_TYPE_SERVER_CA, index)); |
| 162 } | 163 } |
| 163 | 164 |
| 164 std::string CertLibrary::GetUserCertPkcs11IdAt(int index, int* slot_id) const { | 165 std::string CertLibrary::GetUserCertPkcs11IdAt(int index, int* slot_id) const { |
| 165 net::X509Certificate* cert = GetCertificateAt(CERT_TYPE_USER, index); | 166 net::X509Certificate* cert = GetCertificateAt(CERT_TYPE_USER, index); |
| 166 return CertLoader::GetPkcs11IdAndSlotForCert(*cert, slot_id); | 167 return CertLoader::GetPkcs11IdAndSlotForCert(*cert, slot_id); |
| 167 } | 168 } |
| 168 | 169 |
| 169 bool CertLibrary::IsCertHardwareBackedAt(CertType type, int index) const { | 170 bool CertLibrary::IsCertSecureAt(CertType type, int index) const { |
|
August Huber
2016/11/28 18:29:39
What is the point of the name change?
Why are you
Kevin Cernekee
2016/11/28 20:09:06
They are as secure as possible, given the hardware
| |
| 170 net::X509Certificate* cert = GetCertificateAt(type, index); | 171 net::X509Certificate* cert = GetCertificateAt(type, index); |
| 171 return CertLoader::IsCertificateHardwareBacked(cert); | 172 bool hardware_backed = CertLoader::IsCertificateHardwareBacked(cert); |
| 173 if (hardware_backed) | |
| 174 return true; | |
| 175 | |
| 176 // An RSA private key is considered secure only if it is bound to the TPM, | |
| 177 // because all Chromebooks support this. | |
| 178 // Other key types such as ECSDA are not supported by all TPM hardware, so | |
| 179 // it doesn't make sense to force users to bind them to the device in | |
| 180 // order to use them for WiFi or VPN. | |
| 181 net::X509Certificate::PublicKeyType actual_key_type = | |
| 182 net::X509Certificate::kPublicKeyTypeUnknown; | |
| 183 size_t unused_key_size = 0; | |
| 184 net::X509Certificate::GetPublicKeyInfo(cert->os_cert_handle(), | |
| 185 &unused_key_size, &actual_key_type); | |
| 186 return actual_key_type != net::X509Certificate::kPublicKeyTypeRSA; | |
| 172 } | 187 } |
| 173 | 188 |
| 174 int CertLibrary::GetServerCACertIndexByPEM( | 189 int CertLibrary::GetServerCACertIndexByPEM( |
| 175 const std::string& pem_encoded) const { | 190 const std::string& pem_encoded) const { |
| 176 int num_certs = NumCertificates(CERT_TYPE_SERVER_CA); | 191 int num_certs = NumCertificates(CERT_TYPE_SERVER_CA); |
| 177 for (int index = 0; index < num_certs; ++index) { | 192 for (int index = 0; index < num_certs; ++index) { |
| 178 net::X509Certificate* cert = GetCertificateAt(CERT_TYPE_SERVER_CA, index); | 193 net::X509Certificate* cert = GetCertificateAt(CERT_TYPE_SERVER_CA, index); |
| 179 if (CertToPEM(*cert) != pem_encoded) | 194 if (CertToPEM(*cert) != pem_encoded) |
| 180 continue; | 195 continue; |
| 181 return index; | 196 return index; |
| (...skipping 86 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 268 return user_certs_; | 283 return user_certs_; |
| 269 if (type == CERT_TYPE_SERVER) | 284 if (type == CERT_TYPE_SERVER) |
| 270 return server_certs_; | 285 return server_certs_; |
| 271 if (type == CERT_TYPE_SERVER_CA) | 286 if (type == CERT_TYPE_SERVER_CA) |
| 272 return server_ca_certs_; | 287 return server_ca_certs_; |
| 273 DCHECK(type == CERT_TYPE_DEFAULT); | 288 DCHECK(type == CERT_TYPE_DEFAULT); |
| 274 return certs_; | 289 return certs_; |
| 275 } | 290 } |
| 276 | 291 |
| 277 } // namespace chromeos | 292 } // namespace chromeos |
| OLD | NEW |