Don't reject server and CA certs during device ONC validation

Don't reject server and CA certs during device ONC validation

Server and CA certs are not rejected during device ONC validation
anymore. They are still not imported into the NSS database because:
- no OncCertificateImporter instance exists for device policy
- OncCertificateImporter has an additional check to prevent importing
  server or ca certs from device policy.
Still, these certs should pass ONC validation so they can be used to
verify the radius server certificate when connecting to EAP-TLS networks on the sign-in screen.

Detail: http://go/chromeos-devicewide-eaptls-radiuscert

BUG=655266
TEST=Manual test, chromeos_unittests --gtest_filter=ONCValidatorTest*

Review-Url: https://codereview.chromium.org/2859123003
Cr-Commit-Position: refs/heads/master@{#472790}
Committed: https://chromium.googlesource.com/chromium/src/+/4cc64c6cdb93dcded1e43a51792a2bf7f89714d8

[pmarko, 2017-05-17 09:39:03]

Description was changed from

==========
Don't reject server and CA certs during device ONC validation

Server and CA certs are not rejected during device ONC validation
anymore. They are still not imported into the NSS database because:
- no OncCertificateImporter instance exists for device policy
- OncCertificateImporter has an additional check to prevent importing
  server or ca certs from device policy.
Still, these certs should pass ONC validation so they can be used to
verify the radius server certificate when connecting to EAP-TLS networks
on the sign-in screen.

BUG=655266
==========

to

==========
Don't reject server and CA certs during device ONC validation

Server and CA certs are not rejected during device ONC validation
anymore. They are still not imported into the NSS database because:
- no OncCertificateImporter instance exists for device policy
- OncCertificateImporter has an additional check to prevent importing
  server or ca certs from device policy.
Still, these certs should pass ONC validation so they can be used to
verify the radius server certificate when connecting to EAP-TLS networks on the
sign-in screen.

Detail: http://go/chromeos-devicewide-eaptls-radiuscert

BUG=655266
TEST=Manual test, chromeos_unittests --gtest_filter=ONCValidatorTest*
==========

[pmarko, 2017-05-17 09:40:20]

pmarko@chromium.org changed reviewers:
+ emaxx@chromium.org, stevenjb@chromium.org

[pmarko, 2017-05-17 09:40:21]

Hi Maksim and Steven,

please take a look at this change. It allows device policy to specify
certificates passed to shill for verifying that the EAP-TLS network we're
connecting to is legitimate.

[stevenjb, 2017-05-17 16:18:20]

https://codereview.chromium.org/2859123003/diff/1/chromeos/network/onc/onc_ce...
File chromeos/network/onc/onc_certificate_importer_impl.cc (right):

https://codereview.chromium.org/2859123003/diff/1/chromeos/network/onc/onc_ce...
chromeos/network/onc/onc_certificate_importer_impl.cc:163: LOG(WARNING) <<
"Refusing to import certificate from device policy.";
nit: include the guid here.

[stevenjb, 2017-05-17 16:18:29]

lgtm

[emaxx, 2017-05-17 20:31:21]

lgtm

[pmarko, 2017-05-18 12:21:42]

Thanks!

https://codereview.chromium.org/2859123003/diff/1/chromeos/network/onc/onc_ce...
File chromeos/network/onc/onc_certificate_importer_impl.cc (right):

https://codereview.chromium.org/2859123003/diff/1/chromeos/network/onc/onc_ce...
chromeos/network/onc/onc_certificate_importer_impl.cc:163: LOG(WARNING) <<
"Refusing to import certificate from device policy.";
On 2017/05/17 16:18:20, stevenjb wrote:
> nit: include the guid here.

Done.

[pmarko, 2017-05-18 12:21:47]

The CQ bit was checked by pmarko@chromium.org

[pmarko, 2017-05-18 12:21:48]

The patchset sent to the CQ was uploaded after l-g-t-m from
stevenjb@chromium.org, emaxx@chromium.org
Link to the patchset: https://codereview.chromium.org/2859123003/#ps20001
(title: "Addressed comments.")

[commit-bot: I haz the power, 2017-05-18 12:22:37]

CQ is trying da patch.

Follow status at:
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-05-18 13:28:25]

CQ is committing da patch.

Bot data: {"patchset_id": 20001, "attempt_start_ts": 1495110107954300,
"parent_rev": "f5de69bdf1d350ce1bc8b4500b542ef3bc1ebe5e", "commit_rev":
"4cc64c6cdb93dcded1e43a51792a2bf7f89714d8"}

[commit-bot: I haz the power, 2017-05-18 13:28:42]

Description was changed from

==========
Don't reject server and CA certs during device ONC validation

Server and CA certs are not rejected during device ONC validation
anymore. They are still not imported into the NSS database because:
- no OncCertificateImporter instance exists for device policy
- OncCertificateImporter has an additional check to prevent importing
  server or ca certs from device policy.
Still, these certs should pass ONC validation so they can be used to
verify the radius server certificate when connecting to EAP-TLS networks on the
sign-in screen.

Detail: http://go/chromeos-devicewide-eaptls-radiuscert

BUG=655266
TEST=Manual test, chromeos_unittests --gtest_filter=ONCValidatorTest*
==========

to

==========
Don't reject server and CA certs during device ONC validation

Server and CA certs are not rejected during device ONC validation
anymore. They are still not imported into the NSS database because:
- no OncCertificateImporter instance exists for device policy
- OncCertificateImporter has an additional check to prevent importing
  server or ca certs from device policy.
Still, these certs should pass ONC validation so they can be used to
verify the radius server certificate when connecting to EAP-TLS networks on the
sign-in screen.

Detail: http://go/chromeos-devicewide-eaptls-radiuscert

BUG=655266
TEST=Manual test, chromeos_unittests --gtest_filter=ONCValidatorTest*

Review-Url: https://codereview.chromium.org/2859123003
Cr-Commit-Position: refs/heads/master@{#472790}
Committed:
https://chromium.googlesource.com/chromium/src/+/4cc64c6cdb93dcded1e43a51792a...
==========

[commit-bot: I haz the power, 2017-05-18 13:28:43]

Committed patchset #2 (id:20001) as
https://chromium.googlesource.com/chromium/src/+/4cc64c6cdb93dcded1e43a51792a...