chromeos/network/client_cert_resolver.cc - Issue 2828713002: Enable client certificate patterns in device ONC policy

Unified Diff: chromeos/network/client_cert_resolver.cc

Issue 2828713002: Enable client certificate patterns in device ONC policy (Closed)

Patch Set: Addressed comments. Created 3 years, 8 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Index: chromeos/network/client_cert_resolver.cc

diff --git a/chromeos/network/client_cert_resolver.cc b/chromeos/network/client_cert_resolver.cc

index 788e5ee9a5ea503119ed1f308210ebad9cd9c0f8..1d99f14c60564158f20279a740745a8e20c90552 100644

--- a/chromeos/network/client_cert_resolver.cc

+++ b/chromeos/network/client_cert_resolver.cc

@@ -191,25 +191,32 @@ std::vector<CertAndIssuer> CreateSortedCertAndIssuerList(

// Searches for matches between |networks| and |certs| and writes matches to

// |matches|. Because this calls NSS functions and is potentially slow, it must

// be run on a worker thread.

-void FindCertificateMatches(const net::CertificateList& certs,

+void FindCertificateMatches(const net::CertificateList& all_certs,

+ const net::CertificateList& system_certs,

std::vector<NetworkAndCertPattern>* networks,

base::Time now,

NetworkCertMatches* matches) {

- std::vector<CertAndIssuer> client_certs(

- CreateSortedCertAndIssuerList(certs, now));

+ std::vector<CertAndIssuer> all_client_certs(

+ CreateSortedCertAndIssuerList(all_certs, now));

+ std::vector<CertAndIssuer> system_client_certs(

+ CreateSortedCertAndIssuerList(system_certs, now));

for (std::vector<NetworkAndCertPattern>::const_iterator it =

networks->begin();

it != networks->end(); ++it) {

- std::vector<CertAndIssuer>::iterator cert_it =

- std::find_if(client_certs.begin(),

- client_certs.end(),

- MatchCertWithPattern(it->cert_config.pattern));

+ // Use only certs from the system token if the source of the client cert

+ // pattern is device policy.

+ std::vector<CertAndIssuer>* client_certs =

+ it->cert_config.onc_source == ::onc::ONC_SOURCE_DEVICE_POLICY

+ ? &system_client_certs

+ : &all_client_certs;

+ auto cert_it = std::find_if(client_certs->begin(), client_certs->end(),

+ MatchCertWithPattern(it->cert_config.pattern));

std::string pkcs11_id;

int slot_id = -1;

std::string identity;

- if (cert_it == client_certs.end()) {

+ if (cert_it == client_certs->end()) {

VLOG(1) << "Couldn't find a matching client cert for network "

<< it->service_path;

// Leave |pkcs11_id| empty to indicate that no cert was found for this

@@ -325,15 +332,23 @@ bool ClientCertResolver::IsAnyResolveTaskRunning() const {

// static

bool ClientCertResolver::ResolveCertificatePatternSync(

const client_cert::ConfigType client_cert_type,

- const CertificatePattern& pattern,

+ const client_cert::ClientCertConfig& client_cert_config,

base::DictionaryValue* shill_properties) {

- // Prepare and sort the list of known client certs.

- std::vector<CertAndIssuer> client_certs(CreateSortedCertAndIssuerList(

- CertLoader::Get()->cert_list(), base::Time::Now()));

+ // Prepare and sort the list of known client certs. Use only certs from the

+ // system token if the source of the client cert pattern is device policy.

+ std::vector<CertAndIssuer> client_certs;

+ if (client_cert_config.onc_source == ::onc::ONC_SOURCE_DEVICE_POLICY) {

+ client_certs = CreateSortedCertAndIssuerList(

+ CertLoader::Get()->system_certs(), base::Time::Now());

+ } else {

+ client_certs = CreateSortedCertAndIssuerList(CertLoader::Get()->all_certs(),

+ base::Time::Now());

+ }

// Search for a certificate matching the pattern.

- std::vector<CertAndIssuer>::iterator cert_it = std::find_if(

- client_certs.begin(), client_certs.end(), MatchCertWithPattern(pattern));

+ std::vector<CertAndIssuer>::iterator cert_it =

+ std::find_if(client_certs.begin(), client_certs.end(),

+ MatchCertWithPattern(client_cert_config.pattern));

if (cert_it == client_certs.end()) {

VLOG(1) << "Couldn't find a matching client cert";

@@ -452,9 +467,10 @@ void ClientCertResolver::ResolveNetworks(

if (network->profile_path().empty())

continue;

+ onc::ONCSource onc_source = onc::ONC_SOURCE_NONE;

const base::DictionaryValue* policy =

managed_network_config_handler_->FindPolicyByGuidAndProfile(

- network->guid(), network->profile_path());

+ network->guid(), network->profile_path(), &onc_source);

if (!policy) {

VLOG(1) << "The policy for network " << network->path() << " with GUID "

@@ -466,7 +482,7 @@ void ClientCertResolver::ResolveNetworks(

VLOG(2) << "Inspecting network " << network->path();

client_cert::ClientCertConfig cert_config;

- OncToClientCertConfig(*policy, &cert_config);

+ OncToClientCertConfig(onc_source, *policy, &cert_config);

// Skip networks that don't have a ClientCertPattern.

if (cert_config.client_cert_type != ::onc::client_cert::kPattern)

@@ -495,11 +511,13 @@ void ClientCertResolver::ResolveNetworks(

resolve_task_running_ = true;

NetworkCertMatches* matches = new NetworkCertMatches;

base::PostTaskWithTraitsAndReply(

- FROM_HERE, base::TaskTraits()

- .WithShutdownBehavior(

- base::TaskShutdownBehavior::CONTINUE_ON_SHUTDOWN)

- .MayBlock(),

- base::Bind(&FindCertificateMatches, CertLoader::Get()->cert_list(),

+ FROM_HERE,

+ base::TaskTraits()

+ .WithShutdownBehavior(

+ base::TaskShutdownBehavior::CONTINUE_ON_SHUTDOWN)

+ .MayBlock(),

+ base::Bind(&FindCertificateMatches, CertLoader::Get()->all_certs(),

+ CertLoader::Get()->system_certs(),

base::Owned(networks_to_resolve.release()), Now(), matches),

base::Bind(&ClientCertResolver::ConfigureCertificates,

weak_ptr_factory_.GetWeakPtr(), base::Owned(matches)));

« chromeos/cert_loader.cc ('K') | « chromeos/network/client_cert_resolver.h ('k') | chromeos/network/client_cert_resolver_unittest.cc » ('j') | no next file with comments »