chromeos/network/onc/onc_certificate_importer_impl.cc - Issue 2859123003: Don't reject server and CA certs during device ONC validation

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: chromeos/network/onc/onc_certificate_importer_impl.cc

Issue 2859123003: Don't reject server and CA certs during device ONC validation (Closed)

Patch Set: Created 3 years, 7 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: chromeos/network/onc/onc_certificate_importer_impl.cc

diff --git a/chromeos/network/onc/onc_certificate_importer_impl.cc b/chromeos/network/onc/onc_certificate_importer_impl.cc

index d36a4e5f60847eadc70f23b065791588f138cb43..ef37f4cffc3a8733a31a2d0923d2f9feedfc7509 100644

--- a/chromeos/network/onc/onc_certificate_importer_impl.cc

+++ b/chromeos/network/onc/onc_certificate_importer_impl.cc

@@ -102,10 +102,8 @@ void CertificateImporterImpl::ParseAndStoreCertificates(

VLOG(2) << "Parsing certificate at index " << i << ": " << *certificate;

- if (!ParseAndStoreCertificate(allow_trust_imports,

- *certificate,

- nssdb,

- &onc_trusted_certificates)) {

+ if (!ParseAndStoreCertificate(source, allow_trust_imports, *certificate,

+ nssdb, &onc_trusted_certificates)) {

success = false;

LOG(ERROR) << "Cannot parse certificate at index " << i;

} else {

@@ -126,6 +124,7 @@ void CertificateImporterImpl::RunDoneCallback(

}

bool CertificateImporterImpl::ParseAndStoreCertificate(

+ ::onc::ONCSource source,

bool allow_trust_imports,

const base::DictionaryValue& certificate,

net::NSSCertDatabase* nssdb,

@@ -139,11 +138,8 @@ bool CertificateImporterImpl::ParseAndStoreCertificate(

&cert_type);

if (cert_type == ::onc::certificate::kServer ||

cert_type == ::onc::certificate::kAuthority) {

- return ParseServerOrCaCertificate(allow_trust_imports,

- cert_type,

- guid,

- certificate,

- nssdb,

+ return ParseServerOrCaCertificate(source, allow_trust_imports, cert_type,

+ guid, certificate, nssdb,

onc_trusted_certificates);

} else if (cert_type == ::onc::certificate::kClient) {

return ParseClientCertificate(guid, certificate, nssdb);

@@ -154,12 +150,20 @@ bool CertificateImporterImpl::ParseAndStoreCertificate(

}

bool CertificateImporterImpl::ParseServerOrCaCertificate(

+ ::onc::ONCSource source,

bool allow_trust_imports,

const std::string& cert_type,

const std::string& guid,

const base::DictionaryValue& certificate,

net::NSSCertDatabase* nssdb,

net::CertificateList* onc_trusted_certificates) {

+ // Device policy can't import certificates.

+ if (source == ::onc::ONC_SOURCE_DEVICE_POLICY) {

+ // This isn't a parsing error.

+ LOG(WARNING) << "Refusing to import certificate from device policy.";

stevenjb 2017/05/17 16:18:20 nit: include the guid here.

pmarko 2017/05/18 12:21:41 Done.

+ return true;

+ }

bool web_trust_flag = false;

const base::ListValue* trust_list = NULL;

if (certificate.GetListWithoutPathExpansion(::onc::certificate::kTrustBits,

« no previous file with comments | « chromeos/network/onc/onc_certificate_importer_impl.h ('k') | chromeos/network/onc/onc_validator.cc » ('j') | no next file with comments »