chromeos/network/client_cert_util.cc - Issue 471183002: Migrate Slot ID of client certs in network configuration.

Side by Side Diff: chromeos/network/client_cert_util.cc

Issue 471183002: Migrate Slot ID of client certs in network configuration. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: Created 6 years, 4 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

OLD	NEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "chromeos/network/client_cert_util.h"	5 #include "chromeos/network/client_cert_util.h"

6	6

7 #include <cert.h>	7 #include <cert.h>

8 #include <pk11pub.h>	8 #include <pk11pub.h>

9	9

10 #include <list>	10 #include <list>

(...skipping 79 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
90 principal.organization_unit_names.end(),	90 principal.organization_unit_names.end(),

91 pattern.organizational_unit()) ==	91 pattern.organizational_unit()) ==

92 principal.organization_unit_names.end()) {	92 principal.organization_unit_names.end()) {

93 return false;	93 return false;

94 }	94 }

95 }	95 }

96	96

97 return true;	97 return true;

98 }	98 }

99	99

100 std::string GetPkcs11IdFromEapCertId(const std::string& cert_id) {	100 std::string GetPkcs11AndSlotIdFromEapCertId(const std::string& cert_id,

	101 int* slot_id) {

	102 *slot_id = -1;

101 if (cert_id.empty())	103 if (cert_id.empty())

102 return std::string();	104 return std::string();

103	105

104 size_t delimiter_pos = cert_id.find(':');	106 size_t delimiter_pos = cert_id.find(':');

105 if (delimiter_pos == std::string::npos) {	107 if (delimiter_pos == std::string::npos) {

106 // No delimiter found, so \|cert_id\| only contains the PKCS11 id.	108 // No delimiter found, so \|cert_id\| only contains the PKCS11 id.

107 return cert_id;	109 return cert_id;

108 }	110 }

109 if (delimiter_pos + 1 >= cert_id.size()) {	111 if (delimiter_pos + 1 >= cert_id.size()) {

110 LOG(ERROR) << "Empty PKCS11 id in cert id.";	112 LOG(ERROR) << "Empty PKCS11 id in cert id.";

111 return std::string();	113 return std::string();

112 }	114 }

	115 int parsed_slot_id;

	116 if (base::StringToInt(cert_id.substr(0, delimiter_pos), &parsed_slot_id))

	117 *slot_id = parsed_slot_id;

	118 else

	119 LOG(ERROR) << "Slot ID is not an integer. Cert ID is: " << cert_id << ".";

113 return cert_id.substr(delimiter_pos + 1);	120 return cert_id.substr(delimiter_pos + 1);

114 }	121 }

115	122

	123 void GetShillProperties(const base::DictionaryValue& properties,

	124 ConfigType* cert_config_type,

	125 int* tpm_slot,

	126 std::string* pkcs11_id) {

	127 *cert_config_type = CONFIG_TYPE_NONE;

	128 *tpm_slot = -1;

	129 pkcs11_id->clear();

	130

	131 std::string type;

	132 properties.GetStringWithoutPathExpansion(shill::kTypeProperty, &type);

	133 std::string security;

	134 properties.GetStringWithoutPathExpansion(shill::kSecurityProperty, &security);

	135 if (type == shill::kTypeVPN) {

	136 // VPN Provider values are read from the "Provider" dictionary, not the

	137 // "Provider.Type", etc keys (which are used only to set the values).

	138 const base::DictionaryValue* provider_properties = NULL;

	139 std::string vpn_provider_type;

	140 if (!properties.GetDictionaryWithoutPathExpansion(shill::kProviderProperty,

	141 &provider_properties)) {

	142 LOG(ERROR) << "Missing provider properties.";

	143 return;

	144 }

	145 provider_properties->GetStringWithoutPathExpansion(shill::kTypeProperty,

	146 &vpn_provider_type);

	147 if (vpn_provider_type == shill::kProviderOpenVpn) {

	148 provider_properties->GetStringWithoutPathExpansion(

	149 shill::kOpenVPNClientCertIdProperty, pkcs11_id);

	150 *cert_config_type = CONFIG_TYPE_OPENVPN;

	151 } else if (vpn_provider_type == shill::kProviderL2tpIpsec) {

	152 std::string cert_slot;

	153 provider_properties->GetStringWithoutPathExpansion(

	154 shill::kL2tpIpsecClientCertSlotProperty, &cert_slot);

	155 if (!base::StringToInt(cert_slot, tpm_slot)) {

	156 LOG(ERROR) << "Cert slot is not an integer: " << cert_slot << ".";

	157 return;

	158 }

	159

	160 provider_properties->GetStringWithoutPathExpansion(

	161 shill::kL2tpIpsecClientCertIdProperty, pkcs11_id);

	162 *cert_config_type = CONFIG_TYPE_IPSEC;

	163 } else {

	164 LOG(ERROR) << "Unknown VPN type " << vpn_provider_type << ".";

	165 return;

	166 }

	167 } else if (security == shill::kSecurity8021x) {
	Paul Stewart 2014/08/14 20:09:17 I think you're missing the 802.1x WEP case? You a I think you're missing the 802.1x WEP case? You also may want to be careful that you're not in an 802.1x but not TLS case here. pneubeck (no reviews) 2014/08/14 23:06:00 802.1x WEP is still not supported by Chrome as its Show quoted text On 2014/08/14 20:09:17, Paul Stewart wrote: > I think you're missing the 802.1x WEP case? 802.1x WEP is still not supported by Chrome as its priority was never considered high enough: crbug.com/127070. Show quoted text > You also may want to be careful > that you're not in an 802.1x but not TLS case here. I could add a if (pkcs11_id.empty()) condition to each assignment to \|cert_config_type\|. That would take care of the cases where actually no client cert was configured. To handle EthernetEAP this would also need a \|\| type == shill::kTypeEthernetEap Alteneratively, I could drop the checks for Type and Security and instead probe each of the Cert/Key/Slot properties and the first existent will reveal what kind of network it is. I.e. something like: if (provider_properties) { // Network must be a VPN if (provider_properties->GetStringWithoutPathExpansion(..OpenVPNClientCertId...)) { // Must be a OpenVPN cert_config_type = CONFIG_TYPE_OPENVPN; } else if (...Get...(..Ipsec..)) { // Must be a Ipsec VPN ... } } else if (properties.Get...(kEapCertIdProperty, &cert_id)) { // Must be a network with EAP config and client certificate (e.g. WPA 802.1x or Ethernet 802.1x). ... } pneubeck (no reviews)* 2014/08/15 13:15:21 Done. Show quoted text On 2014/08/14 23:06:00, pneubeck wrote: > On 2014/08/14 20:09:17, Paul Stewart wrote: > > I think you're missing the 802.1x WEP case? > 802.1x WEP is still not supported by Chrome as its priority was never considered > high enough: crbug.com/127070. > > > You also may want to be careful > > that you're not in an 802.1x but not TLS case here. > I could add a > if (pkcs11_id.empty()) > condition to each assignment to \|cert_config_type\|. > That would take care of the cases where actually no client cert was configured. > > To handle EthernetEAP this would also need a > \|\| type == shill::kTypeEthernetEap > > > Alteneratively, I could drop the checks for Type and Security and instead probe > each of the Cert/Key/Slot properties and the first existent will reveal what > kind of network it is. > I.e. something like: > > if (provider_properties) { > // Network must be a VPN > > if > (provider_properties->GetStringWithoutPathExpansion(..OpenVPNClientCertId...)) { > // Must be a OpenVPN > *cert_config_type = CONFIG_TYPE_OPENVPN; > } else if (...Get...(..Ipsec..)) { > // Must be a Ipsec VPN > ... > } > } else if (properties.Get...(kEapCertIdProperty, &cert_id)) { > // Must be a network with EAP config and client certificate (e.g. WPA 802.1x > or Ethernet 802.1x). > ... > } Done.
	168 // Shill requires both CertID and KeyID for TLS connections, despite the

	169 // fact that by convention they are the same ID, because one identifies

	170 // the certificate and the other the private key.

	171 std::string cert_id;

	172 properties.GetStringWithoutPathExpansion(shill::kEapCertIdProperty,

	173 &cert_id);

	174 std::string key_id;

	175 properties.GetStringWithoutPathExpansion(shill::kEapKeyIdProperty, &key_id);

	176 // Assume the configuration to be invalid, if the two IDs are not identical.

	177 if (cert_id != key_id) {

	178 LOG(ERROR) << "EAP CertID differs from KeyID";

	179 return;

	180 }

	181 *pkcs11_id = GetPkcs11AndSlotIdFromEapCertId(cert_id, tpm_slot);

	182 *cert_config_type = CONFIG_TYPE_EAP;

	183 } else {

	184 LOG(ERROR) << "Network type " << type << ".";

	185 return;

	186 }

	187 }

	188

116 void SetShillProperties(const ConfigType cert_config_type,	189 void SetShillProperties(const ConfigType cert_config_type,

117 const int tpm_slot,	190 const int tpm_slot,

118 const std::string& pkcs11_id,	191 const std::string& pkcs11_id,

119 base::DictionaryValue* properties) {	192 base::DictionaryValue* properties) {

120 switch (cert_config_type) {	193 switch (cert_config_type) {

121 case CONFIG_TYPE_NONE: {	194 case CONFIG_TYPE_NONE: {

122 return;	195 return;

123 }	196 }

124 case CONFIG_TYPE_OPENVPN: {	197 case CONFIG_TYPE_OPENVPN: {

125 properties->SetStringWithoutPathExpansion(shill::kOpenVPNPinProperty,	198 properties->SetStringWithoutPathExpansion(shill::kOpenVPNPinProperty,

(...skipping 158 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
284 return !cert_id.empty() && !key_id.empty() && !identity.empty();	357 return !cert_id.empty() && !key_id.empty() && !identity.empty();

285 }	358 }

286 }	359 }

287 NOTREACHED();	360 NOTREACHED();

288 return false;	361 return false;

289 }	362 }

290	363

291 } // namespace client_cert	364 } // namespace client_cert

292	365

293 } // namespace chromeos	366 } // namespace chromeos

OLD	NEW

« chromeos/network/client_cert_util.h ('K') | « chromeos/network/client_cert_util.h ('k') | chromeos/network/network_cert_migrator.h » ('j') | chromeos/network/network_cert_migrator.cc » ('J')