| OLD | NEW |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chrome/browser/chromeos/cros/onc_network_parser.h" | 5 #include "chrome/browser/chromeos/cros/onc_network_parser.h" |
| 6 | 6 |
| 7 #include <keyhi.h> | 7 #include <keyhi.h> |
| 8 #include <pk11pub.h> | 8 #include <pk11pub.h> |
| 9 | 9 |
| 10 #include "base/base64.h" | 10 #include "base/base64.h" |
| (...skipping 264 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 275 | 275 |
| 276 } // namespace | 276 } // namespace |
| 277 | 277 |
| 278 // -------------------- OncNetworkParser -------------------- | 278 // -------------------- OncNetworkParser -------------------- |
| 279 | 279 |
| 280 OncNetworkParser::OncNetworkParser(const std::string& onc_blob, | 280 OncNetworkParser::OncNetworkParser(const std::string& onc_blob, |
| 281 const std::string& passphrase, | 281 const std::string& passphrase, |
| 282 NetworkUIData::ONCSource onc_source) | 282 NetworkUIData::ONCSource onc_source) |
| 283 : NetworkParser(get_onc_mapper()), | 283 : NetworkParser(get_onc_mapper()), |
| 284 onc_source_(onc_source), | 284 onc_source_(onc_source), |
| 285 allow_web_trust_from_policy_(false), |
| 285 network_configs_(NULL), | 286 network_configs_(NULL), |
| 286 certificates_(NULL) { | 287 certificates_(NULL) { |
| 287 VLOG(2) << __func__ << ": OncNetworkParser called on " << onc_blob; | 288 VLOG(2) << __func__ << ": OncNetworkParser called on " << onc_blob; |
| 288 JSONStringValueSerializer deserializer(onc_blob); | 289 JSONStringValueSerializer deserializer(onc_blob); |
| 289 deserializer.set_allow_trailing_comma(true); | 290 deserializer.set_allow_trailing_comma(true); |
| 290 scoped_ptr<base::Value> root(deserializer.Deserialize(NULL, &parse_error_)); | 291 scoped_ptr<base::Value> root(deserializer.Deserialize(NULL, &parse_error_)); |
| 291 | 292 |
| 292 if (!root.get() || root->GetType() != base::Value::TYPE_DICTIONARY) { | 293 if (!root.get() || root->GetType() != base::Value::TYPE_DICTIONARY) { |
| 293 LOG(WARNING) << "OncNetworkParser received bad ONC file: " << parse_error_; | 294 LOG(WARNING) << "OncNetworkParser received bad ONC file: " << parse_error_; |
| 294 } else { | 295 } else { |
| (...skipping 520 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 815 } | 816 } |
| 816 return true; | 817 return true; |
| 817 } | 818 } |
| 818 | 819 |
| 819 scoped_refptr<net::X509Certificate> | 820 scoped_refptr<net::X509Certificate> |
| 820 OncNetworkParser::ParseServerOrCaCertificate( | 821 OncNetworkParser::ParseServerOrCaCertificate( |
| 821 int cert_index, | 822 int cert_index, |
| 822 const std::string& cert_type, | 823 const std::string& cert_type, |
| 823 const std::string& guid, | 824 const std::string& guid, |
| 824 base::DictionaryValue* certificate) { | 825 base::DictionaryValue* certificate) { |
| 825 net::CertDatabase cert_database; | 826 // Device policy can't import certificates. |
| 827 if (onc_source_ == NetworkUIData::ONC_SOURCE_DEVICE_POLICY) { |
| 828 LOG(WARNING) << "Refusing to import certificate from device policy"; |
| 829 // This isn't a parsing error, so just return NULL here. |
| 830 return NULL; |
| 831 } |
| 832 |
| 826 bool web_trust = false; | 833 bool web_trust = false; |
| 827 base::ListValue* trust_list = NULL; | 834 base::ListValue* trust_list = NULL; |
| 828 if (certificate->GetList("Trust", &trust_list)) { | 835 if (certificate->GetList("Trust", &trust_list)) { |
| 829 for (size_t i = 0; i < trust_list->GetSize(); ++i) { | 836 for (size_t i = 0; i < trust_list->GetSize(); ++i) { |
| 830 std::string trust_type; | 837 std::string trust_type; |
| 831 if (!trust_list->GetString(i, &trust_type)) { | 838 if (!trust_list->GetString(i, &trust_type)) { |
| 832 LOG(WARNING) << "ONC File: certificate trust is invalid at index " | 839 LOG(WARNING) << "ONC File: certificate trust is invalid at index " |
| 833 << cert_index; | 840 << cert_index; |
| 834 parse_error_ = l10n_util::GetStringUTF8( | 841 parse_error_ = l10n_util::GetStringUTF8( |
| 835 IDS_NETWORK_CONFIG_ERROR_CERT_TRUST_INVALID); | 842 IDS_NETWORK_CONFIG_ERROR_CERT_TRUST_INVALID); |
| 836 return NULL; | 843 return NULL; |
| 837 } | 844 } |
| 838 if (trust_type == "Web") { | 845 if (trust_type == "Web") { |
| 839 // "Web" implies that the certificate is to be trusted for SSL | 846 // "Web" implies that the certificate is to be trusted for SSL |
| 840 // identification. | 847 // identification. |
| 841 web_trust = true; | 848 web_trust = true; |
| 842 } else { | 849 } else { |
| 843 LOG(WARNING) << "ONC File: certificate contains unknown " | 850 LOG(WARNING) << "ONC File: certificate contains unknown " |
| 844 << "trust type: " << trust_type | 851 << "trust type: " << trust_type |
| 845 << " at index " << cert_index; | 852 << " at index " << cert_index; |
| 846 parse_error_ = l10n_util::GetStringUTF8( | 853 parse_error_ = l10n_util::GetStringUTF8( |
| 847 IDS_NETWORK_CONFIG_ERROR_CERT_TRUST_UNKNOWN); | 854 IDS_NETWORK_CONFIG_ERROR_CERT_TRUST_UNKNOWN); |
| 848 return NULL; | 855 return NULL; |
| 849 } | 856 } |
| 850 } | 857 } |
| 851 } | 858 } |
| 852 | 859 |
| 860 // Web trust is only granted to certificates imported for a managed user |
| 861 // on a managed device. |
| 862 if (onc_source_ == NetworkUIData::ONC_SOURCE_USER_POLICY && |
| 863 web_trust && !allow_web_trust_from_policy_) { |
| 864 LOG(WARNING) << "Web trust not granted for certificate: " << guid; |
| 865 web_trust = false; |
| 866 } |
| 867 |
| 853 std::string x509_data; | 868 std::string x509_data; |
| 854 if (!certificate->GetString("X509", &x509_data) || x509_data.empty()) { | 869 if (!certificate->GetString("X509", &x509_data) || x509_data.empty()) { |
| 855 LOG(WARNING) << "ONC File: certificate missing appropriate " | 870 LOG(WARNING) << "ONC File: certificate missing appropriate " |
| 856 << "certificate data for type: " << cert_type | 871 << "certificate data for type: " << cert_type |
| 857 << " at index " << cert_index; | 872 << " at index " << cert_index; |
| 858 parse_error_ = l10n_util::GetStringUTF8( | 873 parse_error_ = l10n_util::GetStringUTF8( |
| 859 IDS_NETWORK_CONFIG_ERROR_CERT_DATA_MISSING); | 874 IDS_NETWORK_CONFIG_ERROR_CERT_DATA_MISSING); |
| 860 return NULL; | 875 return NULL; |
| 861 } | 876 } |
| 862 | 877 |
| (...skipping 45 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 908 // identical certificate known to NSS, so we can safely import the | 923 // identical certificate known to NSS, so we can safely import the |
| 909 // certificate. The GUID being imported may still be on a different | 924 // certificate. The GUID being imported may still be on a different |
| 910 // certificate, and we could jump through hoops to reimport the existing | 925 // certificate, and we could jump through hoops to reimport the existing |
| 911 // certificate with a different nickname. However, that would mean lots of | 926 // certificate with a different nickname. However, that would mean lots of |
| 912 // effort for a case that's pretty much illegal (reusing GUIDs contradicts | 927 // effort for a case that's pretty much illegal (reusing GUIDs contradicts |
| 913 // the intention of GUIDs), so we just report an error. | 928 // the intention of GUIDs), so we just report an error. |
| 914 // | 929 // |
| 915 // TODO(mnissler, gspencer): We should probably switch to a mode where we | 930 // TODO(mnissler, gspencer): We should probably switch to a mode where we |
| 916 // keep our own database for mapping GUIDs to certs in order to enable several | 931 // keep our own database for mapping GUIDs to certs in order to enable several |
| 917 // GUIDs to map to the same cert. See http://crosbug.com/26073. | 932 // GUIDs to map to the same cert. See http://crosbug.com/26073. |
| 933 net::CertDatabase cert_database; |
| 918 if (x509_cert->os_cert_handle()->isperm) { | 934 if (x509_cert->os_cert_handle()->isperm) { |
| 919 if (!cert_database.DeleteCertAndKey(x509_cert.get())) { | 935 if (!cert_database.DeleteCertAndKey(x509_cert.get())) { |
| 920 parse_error_ = l10n_util::GetStringUTF8( | 936 parse_error_ = l10n_util::GetStringUTF8( |
| 921 IDS_NETWORK_CONFIG_ERROR_CERT_DELETE); | 937 IDS_NETWORK_CONFIG_ERROR_CERT_DELETE); |
| 922 return NULL; | 938 return NULL; |
| 923 } | 939 } |
| 924 | 940 |
| 925 // Reload the cert here to get an actual temporary cert instance. | 941 // Reload the cert here to get an actual temporary cert instance. |
| 926 x509_cert = | 942 x509_cert = |
| 927 net::X509Certificate::CreateFromBytesWithNickname( | 943 net::X509Certificate::CreateFromBytesWithNickname( |
| (...skipping 1083 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 2011 // on the value of AuthenticationType. | 2027 // on the value of AuthenticationType. |
| 2012 { "L2TP-IPsec", PROVIDER_TYPE_L2TP_IPSEC_PSK }, | 2028 { "L2TP-IPsec", PROVIDER_TYPE_L2TP_IPSEC_PSK }, |
| 2013 { "OpenVPN", PROVIDER_TYPE_OPEN_VPN }, | 2029 { "OpenVPN", PROVIDER_TYPE_OPEN_VPN }, |
| 2014 }; | 2030 }; |
| 2015 CR_DEFINE_STATIC_LOCAL(EnumMapper<ProviderType>, parser, | 2031 CR_DEFINE_STATIC_LOCAL(EnumMapper<ProviderType>, parser, |
| 2016 (table, arraysize(table), PROVIDER_TYPE_MAX)); | 2032 (table, arraysize(table), PROVIDER_TYPE_MAX)); |
| 2017 return parser.Get(type); | 2033 return parser.Get(type); |
| 2018 } | 2034 } |
| 2019 | 2035 |
| 2020 } // namespace chromeos | 2036 } // namespace chromeos |
| OLD | NEW |