Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(263)

Side by Side Diff: chrome/browser/chromeos/cros/onc_network_parser.cc

Issue 10868076: Only import certificates with Web trust from ONC if the user is managed and matches the enterprise … (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: rebaesd Created 8 years, 3 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "chrome/browser/chromeos/cros/onc_network_parser.h" 5 #include "chrome/browser/chromeos/cros/onc_network_parser.h"
6 6
7 #include <keyhi.h> 7 #include <keyhi.h>
8 #include <pk11pub.h> 8 #include <pk11pub.h>
9 9
10 #include "base/base64.h" 10 #include "base/base64.h"
(...skipping 264 matching lines...) Expand 10 before | Expand all | Expand 10 after
275 275
276 } // namespace 276 } // namespace
277 277
278 // -------------------- OncNetworkParser -------------------- 278 // -------------------- OncNetworkParser --------------------
279 279
280 OncNetworkParser::OncNetworkParser(const std::string& onc_blob, 280 OncNetworkParser::OncNetworkParser(const std::string& onc_blob,
281 const std::string& passphrase, 281 const std::string& passphrase,
282 NetworkUIData::ONCSource onc_source) 282 NetworkUIData::ONCSource onc_source)
283 : NetworkParser(get_onc_mapper()), 283 : NetworkParser(get_onc_mapper()),
284 onc_source_(onc_source), 284 onc_source_(onc_source),
285 allow_web_trust_from_policy_(false),
285 network_configs_(NULL), 286 network_configs_(NULL),
286 certificates_(NULL) { 287 certificates_(NULL) {
287 VLOG(2) << __func__ << ": OncNetworkParser called on " << onc_blob; 288 VLOG(2) << __func__ << ": OncNetworkParser called on " << onc_blob;
288 JSONStringValueSerializer deserializer(onc_blob); 289 JSONStringValueSerializer deserializer(onc_blob);
289 deserializer.set_allow_trailing_comma(true); 290 deserializer.set_allow_trailing_comma(true);
290 scoped_ptr<base::Value> root(deserializer.Deserialize(NULL, &parse_error_)); 291 scoped_ptr<base::Value> root(deserializer.Deserialize(NULL, &parse_error_));
291 292
292 if (!root.get() || root->GetType() != base::Value::TYPE_DICTIONARY) { 293 if (!root.get() || root->GetType() != base::Value::TYPE_DICTIONARY) {
293 LOG(WARNING) << "OncNetworkParser received bad ONC file: " << parse_error_; 294 LOG(WARNING) << "OncNetworkParser received bad ONC file: " << parse_error_;
294 } else { 295 } else {
(...skipping 520 matching lines...) Expand 10 before | Expand all | Expand 10 after
815 } 816 }
816 return true; 817 return true;
817 } 818 }
818 819
819 scoped_refptr<net::X509Certificate> 820 scoped_refptr<net::X509Certificate>
820 OncNetworkParser::ParseServerOrCaCertificate( 821 OncNetworkParser::ParseServerOrCaCertificate(
821 int cert_index, 822 int cert_index,
822 const std::string& cert_type, 823 const std::string& cert_type,
823 const std::string& guid, 824 const std::string& guid,
824 base::DictionaryValue* certificate) { 825 base::DictionaryValue* certificate) {
825 net::CertDatabase cert_database; 826 // Device policy can't import certificates.
827 if (onc_source_ == NetworkUIData::ONC_SOURCE_DEVICE_POLICY) {
828 LOG(WARNING) << "Refusing to import certificate from device policy";
829 // This isn't a parsing error, so just return NULL here.
830 return NULL;
831 }
832
826 bool web_trust = false; 833 bool web_trust = false;
827 base::ListValue* trust_list = NULL; 834 base::ListValue* trust_list = NULL;
828 if (certificate->GetList("Trust", &trust_list)) { 835 if (certificate->GetList("Trust", &trust_list)) {
829 for (size_t i = 0; i < trust_list->GetSize(); ++i) { 836 for (size_t i = 0; i < trust_list->GetSize(); ++i) {
830 std::string trust_type; 837 std::string trust_type;
831 if (!trust_list->GetString(i, &trust_type)) { 838 if (!trust_list->GetString(i, &trust_type)) {
832 LOG(WARNING) << "ONC File: certificate trust is invalid at index " 839 LOG(WARNING) << "ONC File: certificate trust is invalid at index "
833 << cert_index; 840 << cert_index;
834 parse_error_ = l10n_util::GetStringUTF8( 841 parse_error_ = l10n_util::GetStringUTF8(
835 IDS_NETWORK_CONFIG_ERROR_CERT_TRUST_INVALID); 842 IDS_NETWORK_CONFIG_ERROR_CERT_TRUST_INVALID);
836 return NULL; 843 return NULL;
837 } 844 }
838 if (trust_type == "Web") { 845 if (trust_type == "Web") {
839 // "Web" implies that the certificate is to be trusted for SSL 846 // "Web" implies that the certificate is to be trusted for SSL
840 // identification. 847 // identification.
841 web_trust = true; 848 web_trust = true;
842 } else { 849 } else {
843 LOG(WARNING) << "ONC File: certificate contains unknown " 850 LOG(WARNING) << "ONC File: certificate contains unknown "
844 << "trust type: " << trust_type 851 << "trust type: " << trust_type
845 << " at index " << cert_index; 852 << " at index " << cert_index;
846 parse_error_ = l10n_util::GetStringUTF8( 853 parse_error_ = l10n_util::GetStringUTF8(
847 IDS_NETWORK_CONFIG_ERROR_CERT_TRUST_UNKNOWN); 854 IDS_NETWORK_CONFIG_ERROR_CERT_TRUST_UNKNOWN);
848 return NULL; 855 return NULL;
849 } 856 }
850 } 857 }
851 } 858 }
852 859
860 // Web trust is only granted to certificates imported for a managed user
861 // on a managed device.
862 if (onc_source_ == NetworkUIData::ONC_SOURCE_USER_POLICY &&
863 web_trust && !allow_web_trust_from_policy_) {
864 LOG(WARNING) << "Web trust not granted for certificate: " << guid;
865 web_trust = false;
866 }
867
853 std::string x509_data; 868 std::string x509_data;
854 if (!certificate->GetString("X509", &x509_data) || x509_data.empty()) { 869 if (!certificate->GetString("X509", &x509_data) || x509_data.empty()) {
855 LOG(WARNING) << "ONC File: certificate missing appropriate " 870 LOG(WARNING) << "ONC File: certificate missing appropriate "
856 << "certificate data for type: " << cert_type 871 << "certificate data for type: " << cert_type
857 << " at index " << cert_index; 872 << " at index " << cert_index;
858 parse_error_ = l10n_util::GetStringUTF8( 873 parse_error_ = l10n_util::GetStringUTF8(
859 IDS_NETWORK_CONFIG_ERROR_CERT_DATA_MISSING); 874 IDS_NETWORK_CONFIG_ERROR_CERT_DATA_MISSING);
860 return NULL; 875 return NULL;
861 } 876 }
862 877
(...skipping 45 matching lines...) Expand 10 before | Expand all | Expand 10 after
908 // identical certificate known to NSS, so we can safely import the 923 // identical certificate known to NSS, so we can safely import the
909 // certificate. The GUID being imported may still be on a different 924 // certificate. The GUID being imported may still be on a different
910 // certificate, and we could jump through hoops to reimport the existing 925 // certificate, and we could jump through hoops to reimport the existing
911 // certificate with a different nickname. However, that would mean lots of 926 // certificate with a different nickname. However, that would mean lots of
912 // effort for a case that's pretty much illegal (reusing GUIDs contradicts 927 // effort for a case that's pretty much illegal (reusing GUIDs contradicts
913 // the intention of GUIDs), so we just report an error. 928 // the intention of GUIDs), so we just report an error.
914 // 929 //
915 // TODO(mnissler, gspencer): We should probably switch to a mode where we 930 // TODO(mnissler, gspencer): We should probably switch to a mode where we
916 // keep our own database for mapping GUIDs to certs in order to enable several 931 // keep our own database for mapping GUIDs to certs in order to enable several
917 // GUIDs to map to the same cert. See http://crosbug.com/26073. 932 // GUIDs to map to the same cert. See http://crosbug.com/26073.
933 net::CertDatabase cert_database;
918 if (x509_cert->os_cert_handle()->isperm) { 934 if (x509_cert->os_cert_handle()->isperm) {
919 if (!cert_database.DeleteCertAndKey(x509_cert.get())) { 935 if (!cert_database.DeleteCertAndKey(x509_cert.get())) {
920 parse_error_ = l10n_util::GetStringUTF8( 936 parse_error_ = l10n_util::GetStringUTF8(
921 IDS_NETWORK_CONFIG_ERROR_CERT_DELETE); 937 IDS_NETWORK_CONFIG_ERROR_CERT_DELETE);
922 return NULL; 938 return NULL;
923 } 939 }
924 940
925 // Reload the cert here to get an actual temporary cert instance. 941 // Reload the cert here to get an actual temporary cert instance.
926 x509_cert = 942 x509_cert =
927 net::X509Certificate::CreateFromBytesWithNickname( 943 net::X509Certificate::CreateFromBytesWithNickname(
(...skipping 1083 matching lines...) Expand 10 before | Expand all | Expand 10 after
2011 // on the value of AuthenticationType. 2027 // on the value of AuthenticationType.
2012 { "L2TP-IPsec", PROVIDER_TYPE_L2TP_IPSEC_PSK }, 2028 { "L2TP-IPsec", PROVIDER_TYPE_L2TP_IPSEC_PSK },
2013 { "OpenVPN", PROVIDER_TYPE_OPEN_VPN }, 2029 { "OpenVPN", PROVIDER_TYPE_OPEN_VPN },
2014 }; 2030 };
2015 CR_DEFINE_STATIC_LOCAL(EnumMapper<ProviderType>, parser, 2031 CR_DEFINE_STATIC_LOCAL(EnumMapper<ProviderType>, parser,
2016 (table, arraysize(table), PROVIDER_TYPE_MAX)); 2032 (table, arraysize(table), PROVIDER_TYPE_MAX));
2017 return parser.Get(type); 2033 return parser.Get(type);
2018 } 2034 }
2019 2035
2020 } // namespace chromeos 2036 } // namespace chromeos
OLDNEW

Powered by Google App Engine
This is Rietveld 408576698