Chromium Code Reviews Chromium Code Reviews
Issue 2859123003:
Don't reject server and CA certs during device ONC validation (Closed)
| OLD | NEW |
|---|---|
| 1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chromeos/network/onc/onc_certificate_importer_impl.h" | 5 #include "chromeos/network/onc/onc_certificate_importer_impl.h" |
| 6 | 6 |
| 7 #include <cert.h> | 7 #include <cert.h> |
| 8 #include <keyhi.h> | 8 #include <keyhi.h> |
| 9 #include <pk11pub.h> | 9 #include <pk11pub.h> |
| 10 #include <stddef.h> | 10 #include <stddef.h> |
| (...skipping 84 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 95 bool allow_trust_imports = source == ::onc::ONC_SOURCE_USER_IMPORT; | 95 bool allow_trust_imports = source == ::onc::ONC_SOURCE_USER_IMPORT; |
| 96 net::CertificateList onc_trusted_certificates; | 96 net::CertificateList onc_trusted_certificates; |
| 97 bool success = true; | 97 bool success = true; |
| 98 for (size_t i = 0; i < certificates->GetSize(); ++i) { | 98 for (size_t i = 0; i < certificates->GetSize(); ++i) { |
| 99 const base::DictionaryValue* certificate = NULL; | 99 const base::DictionaryValue* certificate = NULL; |
| 100 certificates->GetDictionary(i, &certificate); | 100 certificates->GetDictionary(i, &certificate); |
| 101 DCHECK(certificate != NULL); | 101 DCHECK(certificate != NULL); |
| 102 | 102 |
| 103 VLOG(2) << "Parsing certificate at index " << i << ": " << *certificate; | 103 VLOG(2) << "Parsing certificate at index " << i << ": " << *certificate; |
| 104 | 104 |
| 105 if (!ParseAndStoreCertificate(allow_trust_imports, | 105 if (!ParseAndStoreCertificate(source, allow_trust_imports, *certificate, |
| 106 *certificate, | 106 nssdb, &onc_trusted_certificates)) { |
| 107 nssdb, | |
| 108 &onc_trusted_certificates)) { | |
| 109 success = false; | 107 success = false; |
| 110 LOG(ERROR) << "Cannot parse certificate at index " << i; | 108 LOG(ERROR) << "Cannot parse certificate at index " << i; |
| 111 } else { | 109 } else { |
| 112 VLOG(2) << "Successfully imported certificate at index " << i; | 110 VLOG(2) << "Successfully imported certificate at index " << i; |
| 113 } | 111 } |
| 114 } | 112 } |
| 115 | 113 |
| 116 done_callback.Run(success, onc_trusted_certificates); | 114 done_callback.Run(success, onc_trusted_certificates); |
| 117 } | 115 } |
| 118 | 116 |
| 119 void CertificateImporterImpl::RunDoneCallback( | 117 void CertificateImporterImpl::RunDoneCallback( |
| 120 const CertificateImporter::DoneCallback& callback, | 118 const CertificateImporter::DoneCallback& callback, |
| 121 bool success, | 119 bool success, |
| 122 const net::CertificateList& onc_trusted_certificates) { | 120 const net::CertificateList& onc_trusted_certificates) { |
| 123 if (!success) | 121 if (!success) |
| 124 NET_LOG_ERROR("ONC Certificate Import Error", ""); | 122 NET_LOG_ERROR("ONC Certificate Import Error", ""); |
| 125 callback.Run(success, onc_trusted_certificates); | 123 callback.Run(success, onc_trusted_certificates); |
| 126 } | 124 } |
| 127 | 125 |
| 128 bool CertificateImporterImpl::ParseAndStoreCertificate( | 126 bool CertificateImporterImpl::ParseAndStoreCertificate( |
| 127 ::onc::ONCSource source, | |
| 129 bool allow_trust_imports, | 128 bool allow_trust_imports, |
| 130 const base::DictionaryValue& certificate, | 129 const base::DictionaryValue& certificate, |
| 131 net::NSSCertDatabase* nssdb, | 130 net::NSSCertDatabase* nssdb, |
| 132 net::CertificateList* onc_trusted_certificates) { | 131 net::CertificateList* onc_trusted_certificates) { |
| 133 std::string guid; | 132 std::string guid; |
| 134 certificate.GetStringWithoutPathExpansion(::onc::certificate::kGUID, &guid); | 133 certificate.GetStringWithoutPathExpansion(::onc::certificate::kGUID, &guid); |
| 135 DCHECK(!guid.empty()); | 134 DCHECK(!guid.empty()); |
| 136 | 135 |
| 137 std::string cert_type; | 136 std::string cert_type; |
| 138 certificate.GetStringWithoutPathExpansion(::onc::certificate::kType, | 137 certificate.GetStringWithoutPathExpansion(::onc::certificate::kType, |
| 139 &cert_type); | 138 &cert_type); |
| 140 if (cert_type == ::onc::certificate::kServer || | 139 if (cert_type == ::onc::certificate::kServer || |
| 141 cert_type == ::onc::certificate::kAuthority) { | 140 cert_type == ::onc::certificate::kAuthority) { |
| 142 return ParseServerOrCaCertificate(allow_trust_imports, | 141 return ParseServerOrCaCertificate(source, allow_trust_imports, cert_type, |
| 143 cert_type, | 142 guid, certificate, nssdb, |
| 144 guid, | |
| 145 certificate, | |
| 146 nssdb, | |
| 147 onc_trusted_certificates); | 143 onc_trusted_certificates); |
| 148 } else if (cert_type == ::onc::certificate::kClient) { | 144 } else if (cert_type == ::onc::certificate::kClient) { |
| 149 return ParseClientCertificate(guid, certificate, nssdb); | 145 return ParseClientCertificate(guid, certificate, nssdb); |
| 150 } | 146 } |
| 151 | 147 |
| 152 NOTREACHED(); | 148 NOTREACHED(); |
| 153 return false; | 149 return false; |
| 154 } | 150 } |
| 155 | 151 |
| 156 bool CertificateImporterImpl::ParseServerOrCaCertificate( | 152 bool CertificateImporterImpl::ParseServerOrCaCertificate( |
| 153 ::onc::ONCSource source, | |
| 157 bool allow_trust_imports, | 154 bool allow_trust_imports, |
| 158 const std::string& cert_type, | 155 const std::string& cert_type, |
| 159 const std::string& guid, | 156 const std::string& guid, |
| 160 const base::DictionaryValue& certificate, | 157 const base::DictionaryValue& certificate, |
| 161 net::NSSCertDatabase* nssdb, | 158 net::NSSCertDatabase* nssdb, |
| 162 net::CertificateList* onc_trusted_certificates) { | 159 net::CertificateList* onc_trusted_certificates) { |
| 160 // Device policy can't import certificates. | |
| 161 if (source == ::onc::ONC_SOURCE_DEVICE_POLICY) { | |
| 162 // This isn't a parsing error. | |
| 163 LOG(WARNING) << "Refusing to import certificate from device policy."; | |
|
stevenjb
2017/05/17 16:18:20
nit: include the guid here.
pmarko
2017/05/18 12:21:41
Done.
| |
| 164 return true; | |
| 165 } | |
| 166 | |
| 163 bool web_trust_flag = false; | 167 bool web_trust_flag = false; |
| 164 const base::ListValue* trust_list = NULL; | 168 const base::ListValue* trust_list = NULL; |
| 165 if (certificate.GetListWithoutPathExpansion(::onc::certificate::kTrustBits, | 169 if (certificate.GetListWithoutPathExpansion(::onc::certificate::kTrustBits, |
| 166 &trust_list)) { | 170 &trust_list)) { |
| 167 for (base::ListValue::const_iterator it = trust_list->begin(); | 171 for (base::ListValue::const_iterator it = trust_list->begin(); |
| 168 it != trust_list->end(); ++it) { | 172 it != trust_list->end(); ++it) { |
| 169 std::string trust_type; | 173 std::string trust_type; |
| 170 if (!it->GetAsString(&trust_type)) | 174 if (!it->GetAsString(&trust_type)) |
| 171 NOTREACHED(); | 175 NOTREACHED(); |
| 172 | 176 |
| (...skipping 147 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 320 PK11_SetPrivateKeyNickname(private_key, const_cast<char*>(guid.c_str())); | 324 PK11_SetPrivateKeyNickname(private_key, const_cast<char*>(guid.c_str())); |
| 321 SECKEY_DestroyPrivateKey(private_key); | 325 SECKEY_DestroyPrivateKey(private_key); |
| 322 } else { | 326 } else { |
| 323 LOG(WARNING) << "Unable to find private key for certificate."; | 327 LOG(WARNING) << "Unable to find private key for certificate."; |
| 324 } | 328 } |
| 325 return true; | 329 return true; |
| 326 } | 330 } |
| 327 | 331 |
| 328 } // namespace onc | 332 } // namespace onc |
| 329 } // namespace chromeos | 333 } // namespace chromeos |
| OLD | NEW |
