| OLD | NEW |
| 1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chromeos/network/onc/onc_certificate_importer_impl.h" | 5 #include "chromeos/network/onc/onc_certificate_importer_impl.h" |
| 6 | 6 |
| 7 #include <cert.h> | 7 #include <cert.h> |
| 8 #include <keyhi.h> | 8 #include <keyhi.h> |
| 9 #include <pk11pub.h> | 9 #include <pk11pub.h> |
| 10 | 10 |
| 11 #include "base/base64.h" | 11 #include "base/base64.h" |
| 12 #include "base/bind.h" | |
| 13 #include "base/bind_helpers.h" | |
| 14 #include "base/callback.h" | |
| 15 #include "base/location.h" | |
| 16 #include "base/logging.h" | 12 #include "base/logging.h" |
| 17 #include "base/sequenced_task_runner.h" | |
| 18 #include "base/single_thread_task_runner.h" | |
| 19 #include "base/thread_task_runner_handle.h" | |
| 20 #include "base/values.h" | 13 #include "base/values.h" |
| 21 #include "chromeos/network/network_event_log.h" | 14 #include "chromeos/network/network_event_log.h" |
| 22 #include "chromeos/network/onc/onc_utils.h" | 15 #include "chromeos/network/onc/onc_utils.h" |
| 23 #include "components/onc/onc_constants.h" | 16 #include "components/onc/onc_constants.h" |
| 24 #include "crypto/scoped_nss_types.h" | 17 #include "crypto/scoped_nss_types.h" |
| 25 #include "net/base/crypto_module.h" | 18 #include "net/base/crypto_module.h" |
| 26 #include "net/base/net_errors.h" | 19 #include "net/base/net_errors.h" |
| 27 #include "net/cert/nss_cert_database.h" | 20 #include "net/cert/nss_cert_database.h" |
| 28 #include "net/cert/x509_certificate.h" | 21 #include "net/cert/x509_certificate.h" |
| 29 | 22 |
| 23 #define ONC_LOG_WARNING(message) \ |
| 24 NET_LOG_DEBUG("ONC Certificate Import Warning", message) |
| 25 #define ONC_LOG_ERROR(message) \ |
| 26 NET_LOG_ERROR("ONC Certificate Import Error", message) |
| 27 |
| 30 namespace chromeos { | 28 namespace chromeos { |
| 31 namespace onc { | 29 namespace onc { |
| 32 | 30 |
| 33 namespace { | |
| 34 | |
| 35 void CallBackOnOriginLoop( | |
| 36 const scoped_refptr<base::SingleThreadTaskRunner>& origin_loop, | |
| 37 const CertificateImporter::DoneCallback& callback, | |
| 38 bool success, | |
| 39 const net::CertificateList& onc_trusted_certificates) { | |
| 40 origin_loop->PostTask( | |
| 41 FROM_HERE, base::Bind(callback, success, onc_trusted_certificates)); | |
| 42 } | |
| 43 | |
| 44 } // namespace | |
| 45 | |
| 46 CertificateImporterImpl::CertificateImporterImpl( | 31 CertificateImporterImpl::CertificateImporterImpl( |
| 47 const scoped_refptr<base::SequencedTaskRunner>& io_task_runner, | |
| 48 net::NSSCertDatabase* target_nssdb) | 32 net::NSSCertDatabase* target_nssdb) |
| 49 : io_task_runner_(io_task_runner), | 33 : target_nssdb_(target_nssdb) { |
| 50 target_nssdb_(target_nssdb), | |
| 51 weak_factory_(this) { | |
| 52 CHECK(target_nssdb); | 34 CHECK(target_nssdb); |
| 53 } | 35 } |
| 54 | 36 |
| 55 CertificateImporterImpl::~CertificateImporterImpl() { | 37 bool CertificateImporterImpl::ImportCertificates( |
| 38 const base::ListValue& certificates, |
| 39 ::onc::ONCSource source, |
| 40 net::CertificateList* onc_trusted_certificates) { |
| 41 VLOG(2) << "ONC file has " << certificates.GetSize() << " certificates"; |
| 42 |
| 43 // Web trust is only granted to certificates imported by the user. |
| 44 bool allow_trust_imports = source == ::onc::ONC_SOURCE_USER_IMPORT; |
| 45 if (!ParseAndStoreCertificates(allow_trust_imports, |
| 46 certificates, |
| 47 onc_trusted_certificates, |
| 48 NULL)) { |
| 49 LOG(ERROR) << "Cannot parse some of the certificates in the ONC from " |
| 50 << onc::GetSourceAsString(source); |
| 51 return false; |
| 52 } |
| 53 return true; |
| 56 } | 54 } |
| 57 | 55 |
| 58 void CertificateImporterImpl::ImportCertificates( | 56 bool CertificateImporterImpl::ParseAndStoreCertificates( |
| 57 bool allow_trust_imports, |
| 59 const base::ListValue& certificates, | 58 const base::ListValue& certificates, |
| 60 ::onc::ONCSource source, | 59 net::CertificateList* onc_trusted_certificates, |
| 61 const DoneCallback& done_callback) { | 60 CertsByGUID* imported_server_and_ca_certs) { |
| 62 VLOG(2) << "ONC file has " << certificates.GetSize() << " certificates"; | |
| 63 // |done_callback| must only be called as long as |this| still exists. | |
| 64 // Thereforce, call back to |this|. This check of |this| must happen last and | |
| 65 // on the origin thread. | |
| 66 DoneCallback callback_to_this = | |
| 67 base::Bind(&CertificateImporterImpl::RunDoneCallback, | |
| 68 weak_factory_.GetWeakPtr(), | |
| 69 done_callback); | |
| 70 | |
| 71 // |done_callback| must be called on the origin thread. | |
| 72 DoneCallback callback_on_origin_loop = | |
| 73 base::Bind(&CallBackOnOriginLoop, | |
| 74 base::ThreadTaskRunnerHandle::Get(), | |
| 75 callback_to_this); | |
| 76 | |
| 77 // This is the actual function that imports the certificates. | |
| 78 base::Closure import_certs_callback = | |
| 79 base::Bind(&ParseAndStoreCertificates, | |
| 80 source, | |
| 81 callback_on_origin_loop, | |
| 82 base::Owned(certificates.DeepCopy()), | |
| 83 target_nssdb_); | |
| 84 | |
| 85 // The NSSCertDatabase must be accessed on |io_task_runner_| | |
| 86 io_task_runner_->PostTask(FROM_HERE, import_certs_callback); | |
| 87 } | |
| 88 | |
| 89 // static | |
| 90 void CertificateImporterImpl::ParseAndStoreCertificates( | |
| 91 ::onc::ONCSource source, | |
| 92 const DoneCallback& done_callback, | |
| 93 base::ListValue* certificates, | |
| 94 net::NSSCertDatabase* nssdb) { | |
| 95 // Web trust is only granted to certificates imported by the user. | |
| 96 bool allow_trust_imports = source == ::onc::ONC_SOURCE_USER_IMPORT; | |
| 97 net::CertificateList onc_trusted_certificates; | |
| 98 bool success = true; | 61 bool success = true; |
| 99 for (size_t i = 0; i < certificates->GetSize(); ++i) { | 62 for (size_t i = 0; i < certificates.GetSize(); ++i) { |
| 100 const base::DictionaryValue* certificate = NULL; | 63 const base::DictionaryValue* certificate = NULL; |
| 101 certificates->GetDictionary(i, &certificate); | 64 certificates.GetDictionary(i, &certificate); |
| 102 DCHECK(certificate != NULL); | 65 DCHECK(certificate != NULL); |
| 103 | 66 |
| 104 VLOG(2) << "Parsing certificate at index " << i << ": " << *certificate; | 67 VLOG(2) << "Parsing certificate at index " << i << ": " << *certificate; |
| 105 | 68 |
| 106 if (!ParseAndStoreCertificate(allow_trust_imports, | 69 if (!ParseAndStoreCertificate(allow_trust_imports, |
| 107 *certificate, | 70 *certificate, |
| 108 nssdb, | 71 onc_trusted_certificates, |
| 109 &onc_trusted_certificates)) { | 72 imported_server_and_ca_certs)) { |
| 110 success = false; | 73 success = false; |
| 111 LOG(ERROR) << "Cannot parse certificate at index " << i; | 74 ONC_LOG_ERROR( |
| 75 base::StringPrintf("Cannot parse certificate at index %zu", i)); |
| 112 } else { | 76 } else { |
| 113 VLOG(2) << "Successfully imported certificate at index " << i; | 77 VLOG(2) << "Successfully imported certificate at index " << i; |
| 114 } | 78 } |
| 115 } | 79 } |
| 116 | 80 return success; |
| 117 done_callback.Run(success, onc_trusted_certificates); | |
| 118 } | 81 } |
| 119 | 82 |
| 120 // static | 83 // static |
| 121 void CertificateImporterImpl::ListCertsWithNickname( | 84 void CertificateImporterImpl::ListCertsWithNickname( |
| 122 const std::string& label, | 85 const std::string& label, |
| 123 net::CertificateList* result, | 86 net::CertificateList* result, |
| 124 net::NSSCertDatabase* target_nssdb) { | 87 net::NSSCertDatabase* target_nssdb) { |
| 125 net::CertificateList all_certs; | 88 net::CertificateList all_certs; |
| 126 // TODO(tbarzic): Use async |ListCerts|. | 89 // TODO(tbarzic): Use async |ListCerts|. |
| 127 target_nssdb->ListCertsSync(&all_certs); | 90 target_nssdb->ListCertsSync(&all_certs); |
| (...skipping 45 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 173 // Luckily there should only be one cert with a particular | 136 // Luckily there should only be one cert with a particular |
| 174 // label, and the cert not being found is one of the few reasons the | 137 // label, and the cert not being found is one of the few reasons the |
| 175 // delete could fail, but still... The other choice is to return | 138 // delete could fail, but still... The other choice is to return |
| 176 // failure immediately, but that doesn't seem to do what is intended. | 139 // failure immediately, but that doesn't seem to do what is intended. |
| 177 if (!target_nssdb->DeleteCertAndKey(iter->get())) | 140 if (!target_nssdb->DeleteCertAndKey(iter->get())) |
| 178 result = false; | 141 result = false; |
| 179 } | 142 } |
| 180 return result; | 143 return result; |
| 181 } | 144 } |
| 182 | 145 |
| 183 void CertificateImporterImpl::RunDoneCallback( | |
| 184 const CertificateImporter::DoneCallback& callback, | |
| 185 bool success, | |
| 186 const net::CertificateList& onc_trusted_certificates) { | |
| 187 if (!success) | |
| 188 NET_LOG_ERROR("ONC Certificate Import Error", ""); | |
| 189 callback.Run(success, onc_trusted_certificates); | |
| 190 } | |
| 191 | |
| 192 bool CertificateImporterImpl::ParseAndStoreCertificate( | 146 bool CertificateImporterImpl::ParseAndStoreCertificate( |
| 193 bool allow_trust_imports, | 147 bool allow_trust_imports, |
| 194 const base::DictionaryValue& certificate, | 148 const base::DictionaryValue& certificate, |
| 195 net::NSSCertDatabase* nssdb, | 149 net::CertificateList* onc_trusted_certificates, |
| 196 net::CertificateList* onc_trusted_certificates) { | 150 CertsByGUID* imported_server_and_ca_certs) { |
| 197 // Get out the attributes of the given certificate. | 151 // Get out the attributes of the given certificate. |
| 198 std::string guid; | 152 std::string guid; |
| 199 certificate.GetStringWithoutPathExpansion(::onc::certificate::kGUID, &guid); | 153 certificate.GetStringWithoutPathExpansion(::onc::certificate::kGUID, &guid); |
| 200 DCHECK(!guid.empty()); | 154 DCHECK(!guid.empty()); |
| 201 | 155 |
| 202 bool remove = false; | 156 bool remove = false; |
| 203 if (certificate.GetBooleanWithoutPathExpansion(::onc::kRemove, &remove) && | 157 if (certificate.GetBooleanWithoutPathExpansion(::onc::kRemove, &remove) && |
| 204 remove) { | 158 remove) { |
| 205 if (!DeleteCertAndKeyByNickname(guid, nssdb)) { | 159 if (!DeleteCertAndKeyByNickname(guid, target_nssdb_)) { |
| 206 LOG(ERROR) << "Unable to delete certificate"; | 160 ONC_LOG_ERROR("Unable to delete certificate"); |
| 207 return false; | 161 return false; |
| 208 } else { | 162 } else { |
| 209 return true; | 163 return true; |
| 210 } | 164 } |
| 211 } | 165 } |
| 212 | 166 |
| 213 // Not removing, so let's get the data we need to add this certificate. | 167 // Not removing, so let's get the data we need to add this certificate. |
| 214 std::string cert_type; | 168 std::string cert_type; |
| 215 certificate.GetStringWithoutPathExpansion(::onc::certificate::kType, | 169 certificate.GetStringWithoutPathExpansion(::onc::certificate::kType, |
| 216 &cert_type); | 170 &cert_type); |
| 217 if (cert_type == ::onc::certificate::kServer || | 171 if (cert_type == ::onc::certificate::kServer || |
| 218 cert_type == ::onc::certificate::kAuthority) { | 172 cert_type == ::onc::certificate::kAuthority) { |
| 219 return ParseServerOrCaCertificate(allow_trust_imports, | 173 return ParseServerOrCaCertificate(allow_trust_imports, |
| 220 cert_type, | 174 cert_type, |
| 221 guid, | 175 guid, |
| 222 certificate, | 176 certificate, |
| 223 nssdb, | 177 onc_trusted_certificates, |
| 224 onc_trusted_certificates); | 178 imported_server_and_ca_certs); |
| 225 } else if (cert_type == ::onc::certificate::kClient) { | 179 } else if (cert_type == ::onc::certificate::kClient) { |
| 226 return ParseClientCertificate(guid, certificate, nssdb); | 180 return ParseClientCertificate(guid, certificate); |
| 227 } | 181 } |
| 228 | 182 |
| 229 NOTREACHED(); | 183 NOTREACHED(); |
| 230 return false; | 184 return false; |
| 231 } | 185 } |
| 232 | 186 |
| 233 bool CertificateImporterImpl::ParseServerOrCaCertificate( | 187 bool CertificateImporterImpl::ParseServerOrCaCertificate( |
| 234 bool allow_trust_imports, | 188 bool allow_trust_imports, |
| 235 const std::string& cert_type, | 189 const std::string& cert_type, |
| 236 const std::string& guid, | 190 const std::string& guid, |
| 237 const base::DictionaryValue& certificate, | 191 const base::DictionaryValue& certificate, |
| 238 net::NSSCertDatabase* nssdb, | 192 net::CertificateList* onc_trusted_certificates, |
| 239 net::CertificateList* onc_trusted_certificates) { | 193 CertsByGUID* imported_server_and_ca_certs) { |
| 240 bool web_trust_flag = false; | 194 bool web_trust_flag = false; |
| 241 const base::ListValue* trust_list = NULL; | 195 const base::ListValue* trust_list = NULL; |
| 242 if (certificate.GetListWithoutPathExpansion(::onc::certificate::kTrustBits, | 196 if (certificate.GetListWithoutPathExpansion(::onc::certificate::kTrustBits, |
| 243 &trust_list)) { | 197 &trust_list)) { |
| 244 for (base::ListValue::const_iterator it = trust_list->begin(); | 198 for (base::ListValue::const_iterator it = trust_list->begin(); |
| 245 it != trust_list->end(); ++it) { | 199 it != trust_list->end(); ++it) { |
| 246 std::string trust_type; | 200 std::string trust_type; |
| 247 if (!(*it)->GetAsString(&trust_type)) | 201 if (!(*it)->GetAsString(&trust_type)) |
| 248 NOTREACHED(); | 202 NOTREACHED(); |
| 249 | 203 |
| 250 if (trust_type == ::onc::certificate::kWeb) { | 204 if (trust_type == ::onc::certificate::kWeb) { |
| 251 // "Web" implies that the certificate is to be trusted for SSL | 205 // "Web" implies that the certificate is to be trusted for SSL |
| 252 // identification. | 206 // identification. |
| 253 web_trust_flag = true; | 207 web_trust_flag = true; |
| 254 } else { | 208 } else { |
| 255 // Trust bits should only increase trust and never restrict. Thus, | 209 // Trust bits should only increase trust and never restrict. Thus, |
| 256 // ignoring unknown bits should be safe. | 210 // ignoring unknown bits should be safe. |
| 257 LOG(WARNING) << "Certificate contains unknown trust type " | 211 ONC_LOG_WARNING("Certificate contains unknown trust type " + |
| 258 << trust_type; | 212 trust_type); |
| 259 } | 213 } |
| 260 } | 214 } |
| 261 } | 215 } |
| 262 | 216 |
| 263 bool import_with_ssl_trust = false; | 217 bool import_with_ssl_trust = false; |
| 264 if (web_trust_flag) { | 218 if (web_trust_flag) { |
| 265 if (!allow_trust_imports) | 219 if (!allow_trust_imports) |
| 266 LOG(WARNING) << "Web trust not granted for certificate: " << guid; | 220 ONC_LOG_WARNING("Web trust not granted for certificate: " + guid); |
| 267 else | 221 else |
| 268 import_with_ssl_trust = true; | 222 import_with_ssl_trust = true; |
| 269 } | 223 } |
| 270 | 224 |
| 271 std::string x509_data; | 225 std::string x509_data; |
| 272 if (!certificate.GetStringWithoutPathExpansion(::onc::certificate::kX509, | 226 if (!certificate.GetStringWithoutPathExpansion(::onc::certificate::kX509, |
| 273 &x509_data) || | 227 &x509_data) || |
| 274 x509_data.empty()) { | 228 x509_data.empty()) { |
| 275 LOG(ERROR) << "Certificate missing appropriate certificate data for type: " | 229 ONC_LOG_ERROR( |
| 276 << cert_type; | 230 "Certificate missing appropriate certificate data for type: " + |
| 231 cert_type); |
| 277 return false; | 232 return false; |
| 278 } | 233 } |
| 279 | 234 |
| 280 scoped_refptr<net::X509Certificate> x509_cert = | 235 scoped_refptr<net::X509Certificate> x509_cert = |
| 281 DecodePEMCertificate(x509_data); | 236 DecodePEMCertificate(x509_data); |
| 282 if (!x509_cert.get()) { | 237 if (!x509_cert.get()) { |
| 283 LOG(ERROR) << "Unable to create certificate from PEM encoding, type: " | 238 ONC_LOG_ERROR("Unable to create certificate from PEM encoding, type: " + |
| 284 << cert_type; | 239 cert_type); |
| 285 return false; | 240 return false; |
| 286 } | 241 } |
| 287 | 242 |
| 288 net::NSSCertDatabase::TrustBits trust = (import_with_ssl_trust ? | 243 net::NSSCertDatabase::TrustBits trust = (import_with_ssl_trust ? |
| 289 net::NSSCertDatabase::TRUSTED_SSL : | 244 net::NSSCertDatabase::TRUSTED_SSL : |
| 290 net::NSSCertDatabase::TRUST_DEFAULT); | 245 net::NSSCertDatabase::TRUST_DEFAULT); |
| 291 | 246 |
| 292 if (x509_cert->os_cert_handle()->isperm) { | 247 if (x509_cert->os_cert_handle()->isperm) { |
| 293 net::CertType net_cert_type = | 248 net::CertType net_cert_type = |
| 294 cert_type == ::onc::certificate::kServer ? net::SERVER_CERT | 249 cert_type == ::onc::certificate::kServer ? net::SERVER_CERT |
| 295 : net::CA_CERT; | 250 : net::CA_CERT; |
| 296 VLOG(1) << "Certificate is already installed."; | 251 VLOG(1) << "Certificate is already installed."; |
| 297 net::NSSCertDatabase::TrustBits missing_trust_bits = | 252 net::NSSCertDatabase::TrustBits missing_trust_bits = |
| 298 trust & ~nssdb->GetCertTrust(x509_cert.get(), net_cert_type); | 253 trust & ~target_nssdb_->GetCertTrust(x509_cert.get(), net_cert_type); |
| 299 if (missing_trust_bits) { | 254 if (missing_trust_bits) { |
| 300 std::string error_reason; | 255 std::string error_reason; |
| 301 bool success = false; | 256 bool success = false; |
| 302 if (nssdb->IsReadOnly(x509_cert.get())) { | 257 if (target_nssdb_->IsReadOnly(x509_cert.get())) { |
| 303 error_reason = " Certificate is stored read-only."; | 258 error_reason = " Certificate is stored read-only."; |
| 304 } else { | 259 } else { |
| 305 success = nssdb->SetCertTrust(x509_cert.get(), net_cert_type, trust); | 260 success = target_nssdb_->SetCertTrust(x509_cert.get(), |
| 261 net_cert_type, |
| 262 trust); |
| 306 } | 263 } |
| 307 if (!success) { | 264 if (!success) { |
| 308 LOG(ERROR) << "Certificate of type " << cert_type | 265 ONC_LOG_ERROR("Certificate of type " + cert_type + |
| 309 << " was already present, but trust couldn't be set." | 266 " was already present, but trust couldn't be set." + |
| 310 << error_reason; | 267 error_reason); |
| 311 } | 268 } |
| 312 } | 269 } |
| 313 } else { | 270 } else { |
| 314 net::CertificateList cert_list; | 271 net::CertificateList cert_list; |
| 315 cert_list.push_back(x509_cert); | 272 cert_list.push_back(x509_cert); |
| 316 net::NSSCertDatabase::ImportCertFailureList failures; | 273 net::NSSCertDatabase::ImportCertFailureList failures; |
| 317 bool success = false; | 274 bool success = false; |
| 318 if (cert_type == ::onc::certificate::kServer) | 275 if (cert_type == ::onc::certificate::kServer) |
| 319 success = nssdb->ImportServerCert(cert_list, trust, &failures); | 276 success = target_nssdb_->ImportServerCert(cert_list, trust, &failures); |
| 320 else // Authority cert | 277 else // Authority cert |
| 321 success = nssdb->ImportCACerts(cert_list, trust, &failures); | 278 success = target_nssdb_->ImportCACerts(cert_list, trust, &failures); |
| 322 | 279 |
| 323 if (!failures.empty()) { | 280 if (!failures.empty()) { |
| 324 std::string error_string = net::ErrorToString(failures[0].net_error); | 281 std::string error_string = net::ErrorToString(failures[0].net_error); |
| 325 LOG(ERROR) << "Error ( " << error_string | 282 ONC_LOG_ERROR( |
| 326 << " ) importing certificate of type " << cert_type; | 283 base::StringPrintf("Error ( %s ) importing %s certificate", |
| 284 error_string.c_str(), |
| 285 cert_type.c_str())); |
| 327 return false; | 286 return false; |
| 328 } | 287 } |
| 329 | 288 |
| 330 if (!success) { | 289 if (!success) { |
| 331 LOG(ERROR) << "Unknown error importing " << cert_type << " certificate."; | 290 ONC_LOG_ERROR("Unknown error importing " + cert_type + " certificate."); |
| 332 return false; | 291 return false; |
| 333 } | 292 } |
| 334 } | 293 } |
| 335 | 294 |
| 336 if (web_trust_flag && onc_trusted_certificates) | 295 if (web_trust_flag && onc_trusted_certificates) |
| 337 onc_trusted_certificates->push_back(x509_cert); | 296 onc_trusted_certificates->push_back(x509_cert); |
| 338 | 297 |
| 298 if (imported_server_and_ca_certs) |
| 299 (*imported_server_and_ca_certs)[guid] = x509_cert; |
| 300 |
| 339 return true; | 301 return true; |
| 340 } | 302 } |
| 341 | 303 |
| 342 bool CertificateImporterImpl::ParseClientCertificate( | 304 bool CertificateImporterImpl::ParseClientCertificate( |
| 343 const std::string& guid, | 305 const std::string& guid, |
| 344 const base::DictionaryValue& certificate, | 306 const base::DictionaryValue& certificate) { |
| 345 net::NSSCertDatabase* nssdb) { | |
| 346 std::string pkcs12_data; | 307 std::string pkcs12_data; |
| 347 if (!certificate.GetStringWithoutPathExpansion(::onc::certificate::kPKCS12, | 308 if (!certificate.GetStringWithoutPathExpansion(::onc::certificate::kPKCS12, |
| 348 &pkcs12_data) || | 309 &pkcs12_data) || |
| 349 pkcs12_data.empty()) { | 310 pkcs12_data.empty()) { |
| 350 LOG(ERROR) << "PKCS12 data is missing for client certificate."; | 311 ONC_LOG_ERROR("PKCS12 data is missing for client certificate."); |
| 351 return false; | 312 return false; |
| 352 } | 313 } |
| 353 | 314 |
| 354 std::string decoded_pkcs12; | 315 std::string decoded_pkcs12; |
| 355 if (!base::Base64Decode(pkcs12_data, &decoded_pkcs12)) { | 316 if (!base::Base64Decode(pkcs12_data, &decoded_pkcs12)) { |
| 356 LOG(ERROR) << "Unable to base64 decode PKCS#12 data: \"" << pkcs12_data | 317 ONC_LOG_ERROR( |
| 357 << "\"."; | 318 "Unable to base64 decode PKCS#12 data: \"" + pkcs12_data + "\"."); |
| 358 return false; | 319 return false; |
| 359 } | 320 } |
| 360 | 321 |
| 361 // Since this has a private key, always use the private module. | 322 // Since this has a private key, always use the private module. |
| 362 crypto::ScopedPK11Slot private_slot(nssdb->GetPrivateSlot()); | 323 crypto::ScopedPK11Slot private_slot(target_nssdb_->GetPrivateSlot()); |
| 363 if (!private_slot) | 324 if (!private_slot) |
| 364 return false; | 325 return false; |
| 365 scoped_refptr<net::CryptoModule> module( | 326 scoped_refptr<net::CryptoModule> module( |
| 366 net::CryptoModule::CreateFromHandle(private_slot.get())); | 327 net::CryptoModule::CreateFromHandle(private_slot.get())); |
| 367 net::CertificateList imported_certs; | 328 net::CertificateList imported_certs; |
| 368 | 329 |
| 369 int import_result = nssdb->ImportFromPKCS12( | 330 int import_result = target_nssdb_->ImportFromPKCS12( |
| 370 module.get(), decoded_pkcs12, base::string16(), false, &imported_certs); | 331 module.get(), decoded_pkcs12, base::string16(), false, &imported_certs); |
| 371 if (import_result != net::OK) { | 332 if (import_result != net::OK) { |
| 372 std::string error_string = net::ErrorToString(import_result); | 333 std::string error_string = net::ErrorToString(import_result); |
| 373 LOG(ERROR) << "Unable to import client certificate, error: " | 334 ONC_LOG_ERROR( |
| 374 << error_string; | 335 base::StringPrintf("Unable to import client certificate (error %s)", |
| 336 error_string.c_str())); |
| 375 return false; | 337 return false; |
| 376 } | 338 } |
| 377 | 339 |
| 378 if (imported_certs.size() == 0) { | 340 if (imported_certs.size() == 0) { |
| 379 LOG(WARNING) << "PKCS12 data contains no importable certificates."; | 341 ONC_LOG_WARNING("PKCS12 data contains no importable certificates."); |
| 380 return true; | 342 return true; |
| 381 } | 343 } |
| 382 | 344 |
| 383 if (imported_certs.size() != 1) { | 345 if (imported_certs.size() != 1) { |
| 384 LOG(WARNING) << "ONC File: PKCS12 data contains more than one certificate. " | 346 ONC_LOG_WARNING("ONC File: PKCS12 data contains more than one certificate. " |
| 385 "Only the first one will be imported."; | 347 "Only the first one will be imported."); |
| 386 } | 348 } |
| 387 | 349 |
| 388 scoped_refptr<net::X509Certificate> cert_result = imported_certs[0]; | 350 scoped_refptr<net::X509Certificate> cert_result = imported_certs[0]; |
| 389 | 351 |
| 390 // Find the private key associated with this certificate, and set the | 352 // Find the private key associated with this certificate, and set the |
| 391 // nickname on it. | 353 // nickname on it. |
| 392 SECKEYPrivateKey* private_key = PK11_FindPrivateKeyFromCert( | 354 SECKEYPrivateKey* private_key = PK11_FindPrivateKeyFromCert( |
| 393 cert_result->os_cert_handle()->slot, | 355 cert_result->os_cert_handle()->slot, |
| 394 cert_result->os_cert_handle(), | 356 cert_result->os_cert_handle(), |
| 395 NULL); // wincx | 357 NULL); // wincx |
| 396 if (private_key) { | 358 if (private_key) { |
| 397 PK11_SetPrivateKeyNickname(private_key, const_cast<char*>(guid.c_str())); | 359 PK11_SetPrivateKeyNickname(private_key, const_cast<char*>(guid.c_str())); |
| 398 SECKEY_DestroyPrivateKey(private_key); | 360 SECKEY_DestroyPrivateKey(private_key); |
| 399 } else { | 361 } else { |
| 400 LOG(WARNING) << "Unable to find private key for certificate."; | 362 ONC_LOG_WARNING("Unable to find private key for certificate."); |
| 401 } | 363 } |
| 402 return true; | 364 return true; |
| 403 } | 365 } |
| 404 | 366 |
| 405 } // namespace onc | 367 } // namespace onc |
| 406 } // namespace chromeos | 368 } // namespace chromeos |
| OLD | NEW |