Use correct slot id for client certs in network config.

chromeos/network/network_connection_handler.cc

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chromeos/network/network_connection_handler.h"
 
 #include "base/bind.h"
 #include "base/json/json_reader.h"
 #include "base/location.h"
 #include "base/message_loop/message_loop_proxy.h"
 #include "base/strings/string_number_conversions.h"
 #include "chromeos/cert_loader.h"
 #include "chromeos/dbus/dbus_thread_manager.h"
 #include "chromeos/dbus/shill_manager_client.h"
 #include "chromeos/dbus/shill_service_client.h"
 #include "chromeos/network/certificate_pattern.h"
+#include "chromeos/network/client_cert_resolver.h"
 #include "chromeos/network/client_cert_util.h"
 #include "chromeos/network/managed_network_configuration_handler.h"
 #include "chromeos/network/network_configuration_handler.h"
 #include "chromeos/network/network_event_log.h"
 #include "chromeos/network/network_handler_callbacks.h"
 #include "chromeos/network/network_profile_handler.h"
 #include "chromeos/network/network_state.h"
 #include "chromeos/network/network_state_handler.h"
 #include "chromeos/network/shill_property_util.h"
-#include "chromeos/tpm_token_loader.h"
 #include "dbus/object_path.h"
 #include "net/cert/x509_certificate.h"
 #include "third_party/cros_system_api/dbus/service_constants.h"
 
 namespace chromeos {
 
 namespace {
 
 void InvokeErrorCallback(const std::string& service_path,
                          const network_handler::ErrorCallback& error_callback,
@@ skipping 429 matching lines @@
       ErrorCallbackForPendingRequest(service_path, kErrorCertificateRequired);
       return;
     }
     // If certificates have not been loaded yet, queue the connect request.
     if (!certificates_loaded_) {
       NET_LOG_EVENT("Certificates not loaded", "");
       QueueConnectRequest(service_path);
       return;
     }
 
-    // If the client certificate must be configured, this will be set to a
-    // non-empty string.
-    std::string pkcs11_id;
-
     // Check certificate properties from policy.
-    // Note: Wifi/VPNConfigView set the KeyID and CertID properties directly,
-    // in which case only the TPM must be configured.
     if (cert_config_from_policy.client_cert_type ==
         onc::client_cert::kPattern) {
-      pkcs11_id = CertificateIsConfigured(cert_config_from_policy.pattern);
-      // Ensure the certificate is available and configured.
-      if (!cert_loader_->IsHardwareBacked() || pkcs11_id.empty()) {
+      if (!ClientCertResolver::ResolveCertificatePatternSync(
+              client_cert_type,
+              cert_config_from_policy.pattern,
+              &config_properties)) {
         ErrorCallbackForPendingRequest(service_path, kErrorCertificateRequired);
         return;
       }
     } else if (check_error_state &&
                !client_cert::IsCertificateConfigured(client_cert_type,
                                                      service_properties)) {
       // Network may not be configured.
       ErrorCallbackForPendingRequest(service_path, kErrorConfigurationRequired);
       return;
     }
-
-    // The network may not be 'Connectable' because the TPM properties are not
-    // set up, so configure tpm slot/pin before connecting.
-    if (cert_loader_ && cert_loader_->IsHardwareBacked()) {
-      // Pass NULL if pkcs11_id is empty, so that it doesn't clear any
-      // previously configured client cert.
-      client_cert::SetShillProperties(
-          client_cert_type,
-          base::IntToString(cert_loader_->TPMTokenSlotID()),
-          TPMTokenLoader::Get()->tpm_user_pin(),
-          pkcs11_id.empty() ? NULL : &pkcs11_id,
-          &config_properties);
-    }
   }
 
   if (type == shill::kTypeVPN) {
     // VPN may require a username, and/or passphrase to be set. (Check after
     // ensuring that any required certificates are configured).
     DCHECK(provider_properties);
     if (VPNRequiresCredentials(
             service_path, vpn_provider_type, *provider_properties)) {
       NET_LOG_USER("VPN Requires Credentials", service_path);
       ErrorCallbackForPendingRequest(service_path, kErrorConfigurationRequired);
@@ skipping 217 matching lines @@
   InvokeErrorCallback(service_path, error_callback, error_name);
 }
 
 void NetworkConnectionHandler::CheckAllPendingRequests() {
   for (std::map<std::string, ConnectRequest>::iterator iter =
            pending_requests_.begin(); iter != pending_requests_.end(); ++iter) {
     CheckPendingRequest(iter->first);
   }
 }
 
-std::string NetworkConnectionHandler::CertificateIsConfigured(
-    const CertificatePattern& pattern) {
-  if (pattern.Empty())
-    return std::string();
-  // Find the matching certificate.
-  scoped_refptr<net::X509Certificate> matching_cert =
-      client_cert::GetCertificateMatch(pattern, cert_loader_->cert_list());
-  if (!matching_cert.get())
-    return std::string();
-  return CertLoader::GetPkcs11IdForCert(*matching_cert.get());
-}
-
 void NetworkConnectionHandler::ErrorCallbackForPendingRequest(
     const std::string& service_path,
     const std::string& error_name) {
   ConnectRequest* request = GetPendingRequest(service_path);
   if (!request) {
     NET_LOG_ERROR("ErrorCallbackForPendingRequest with no pending request.",
                   service_path);
     return;
   }
   // Remove the entry before invoking the callback in case it triggers a retry.
@@ skipping 82 matching lines @@
 
     NET_LOG_EVENT("Disconnect Forced by Policy", network->path());
     CallShillDisconnect(
         network->path(), base::Closure(), network_handler::ErrorCallback());
   }
 
   ConnectToBestNetworkAfterLogin();
 }
 
 }  // namespace chromeos