1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "chromeos/network/client_cert_util.h" | 5 #include "chromeos/network/client_cert_util.h" |
6 | 6 |
7 #include <cert.h> | 7 #include <cert.h> |
8 #include <pk11pub.h> | 8 #include <pk11pub.h> |
9 | 9 |
10 #include <list> | 10 #include <list> |
90 principal.organization_unit_names.end(), | 90 principal.organization_unit_names.end(), |
91 pattern.organizational_unit()) == | 91 pattern.organizational_unit()) == |
92 principal.organization_unit_names.end()) { | 92 principal.organization_unit_names.end()) { |
93 return false; | 93 return false; |
94 } | 94 } |
95 } | 95 } |
96 | 96 |
97 return true; | 97 return true; |
98 } | 98 } |
99 | 99 |
100 std::string GetPkcs11IdFromEapCertId(const std::string& cert_id) { | 100 std::string GetPkcs11AndSlotIdFromEapCertId(const std::string& cert_id, |
| 101 int* slot_id) { |
| 102 *slot_id = -1; |
101 if (cert_id.empty()) | 103 if (cert_id.empty()) |
102 return std::string(); | 104 return std::string(); |
103 | 105 |
104 size_t delimiter_pos = cert_id.find(':'); | 106 size_t delimiter_pos = cert_id.find(':'); |
105 if (delimiter_pos == std::string::npos) { | 107 if (delimiter_pos == std::string::npos) { |
106 // No delimiter found, so |cert_id| only contains the PKCS11 id. | 108 // No delimiter found, so |cert_id| only contains the PKCS11 id. |
107 return cert_id; | 109 return cert_id; |
108 } | 110 } |
109 if (delimiter_pos + 1 >= cert_id.size()) { | 111 if (delimiter_pos + 1 >= cert_id.size()) { |
110 LOG(ERROR) << "Empty PKCS11 id in cert id."; | 112 LOG(ERROR) << "Empty PKCS11 id in cert id."; |
111 return std::string(); | 113 return std::string(); |
112 } | 114 } |
| 115 int parsed_slot_id; |
| 116 if (base::StringToInt(cert_id.substr(0, delimiter_pos), &parsed_slot_id)) |
| 117 *slot_id = parsed_slot_id; |
| 118 else |
| 119 LOG(ERROR) << "Slot ID is not an integer. Cert ID is: " << cert_id << "."; |
113 return cert_id.substr(delimiter_pos + 1); | 120 return cert_id.substr(delimiter_pos + 1); |
114 } | 121 } |
115 | 122 |
| 123 void GetClientCertFromShillProperties( |
| 124 const base::DictionaryValue& shill_properties, |
| 125 ConfigType* cert_config_type, |
| 126 int* tpm_slot, |
| 127 std::string* pkcs11_id) { |
| 128 *cert_config_type = CONFIG_TYPE_NONE; |
| 129 *tpm_slot = -1; |
| 130 pkcs11_id->clear(); |
| 131 |
| 132 // Look for VPN specific client certificate properties. |
| 133 // |
| 134 // VPN Provider values are read from the "Provider" dictionary, not the |
| 135 // "Provider.Type", etc keys (which are used only to set the values). |
| 136 const base::DictionaryValue* provider_properties = NULL; |
| 137 if (shill_properties.GetDictionaryWithoutPathExpansion( |
| 138 shill::kProviderProperty, &provider_properties)) { |
| 139 // Look for OpenVPN specific properties. |
| 140 if (provider_properties->GetStringWithoutPathExpansion( |
| 141 shill::kOpenVPNClientCertIdProperty, pkcs11_id)) { |
| 142 *cert_config_type = CONFIG_TYPE_OPENVPN; |
| 143 return; |
| 144 } |
| 145 // Look for L2TP-IPsec specific properties. |
| 146 if (provider_properties->GetStringWithoutPathExpansion( |
| 147 shill::kL2tpIpsecClientCertIdProperty, pkcs11_id)) { |
| 148 std::string cert_slot; |
| 149 provider_properties->GetStringWithoutPathExpansion( |
| 150 shill::kL2tpIpsecClientCertSlotProperty, &cert_slot); |
| 151 if (!cert_slot.empty() && !base::StringToInt(cert_slot, tpm_slot)) { |
| 152 LOG(ERROR) << "Cert slot is not an integer: " << cert_slot << "."; |
| 153 return; |
| 154 } |
| 155 |
| 156 *cert_config_type = CONFIG_TYPE_IPSEC; |
| 157 } |
| 158 return; |
| 159 } |
| 160 |
| 161 // Look for EAP specific client certificate properties, which can either be |
| 162 // part of a WiFi or EthernetEAP configuration. |
| 163 std::string cert_id; |
| 164 if (shill_properties.GetStringWithoutPathExpansion(shill::kEapCertIdProperty, |
| 165 &cert_id)) { |
| 166 // Shill requires both CertID and KeyID for TLS connections, despite the |
| 167 // fact that by convention they are the same ID, because one identifies |
| 168 // the certificate and the other the private key. |
| 169 std::string key_id; |
| 170 shill_properties.GetStringWithoutPathExpansion(shill::kEapKeyIdProperty, |
| 171 &key_id); |
| 172 // Assume the configuration to be invalid, if the two IDs are not identical. |
| 173 if (cert_id != key_id) { |
| 174 LOG(ERROR) << "EAP CertID differs from KeyID"; |
| 175 return; |
| 176 } |
| 177 *pkcs11_id = GetPkcs11AndSlotIdFromEapCertId(cert_id, tpm_slot); |
| 178 *cert_config_type = CONFIG_TYPE_EAP; |
| 179 } |
| 180 } |
| 181 |
116 void SetShillProperties(const ConfigType cert_config_type, | 182 void SetShillProperties(const ConfigType cert_config_type, |
117 const int tpm_slot, | 183 const int tpm_slot, |
118 const std::string& pkcs11_id, | 184 const std::string& pkcs11_id, |
119 base::DictionaryValue* properties) { | 185 base::DictionaryValue* properties) { |
120 switch (cert_config_type) { | 186 switch (cert_config_type) { |
121 case CONFIG_TYPE_NONE: { | 187 case CONFIG_TYPE_NONE: { |
122 return; | 188 return; |
123 } | 189 } |
124 case CONFIG_TYPE_OPENVPN: { | 190 case CONFIG_TYPE_OPENVPN: { |
125 properties->SetStringWithoutPathExpansion(shill::kOpenVPNPinProperty, | 191 properties->SetStringWithoutPathExpansion(shill::kOpenVPNPinProperty, |
284 return !cert_id.empty() && !key_id.empty() && !identity.empty(); | 350 return !cert_id.empty() && !key_id.empty() && !identity.empty(); |
285 } | 351 } |
286 } | 352 } |
287 NOTREACHED(); | 353 NOTREACHED(); |
288 return false; | 354 return false; |
289 } | 355 } |
290 | 356 |
291 } // namespace client_cert | 357 } // namespace client_cert |
292 | 358 |
293 } // namespace chromeos | 359 } // namespace chromeos |
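Review bot: In GetClientCertFromShillProperties (new lines 146-154), the L2TP-IPsec branch returns on a non-integer cert slot with `*cert_config_type` still CONFIG_TYPE_NONE but `*pkcs11_id` already populated by the preceding GetStringWithoutPathExpansion call, so a caller that only checks the config type can still pick up the id; add `pkcs11_id->clear();` before that `return;`. The EAP path (new lines 177-178) is inconsistent with that branch: GetPkcs11AndSlotIdFromEapCertId only logs when the slot prefix does not parse and still returns the id with `*slot_id` left at -1, yet the caller unconditionally sets CONFIG_TYPE_EAP, so a malformed EAP slot is accepted while a malformed IPsec slot is rejected. Either reject the malformed EAP slot the same way or state the contract in the declaration's comment, e.g. `// *slot_id is -1 when |cert_id| carries no slot or the slot is not an integer; the returned PKCS11 id is still valid in both cases.` Since a -1 slot can also mean "no delimiter", callers presumably cannot tell the two cases apart from the outputs alone; confirm that is intended.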