| Index: chromeos/network/onc/onc_certificate_importer.cc
|
| diff --git a/chromeos/network/onc/onc_certificate_importer.cc b/chromeos/network/onc/onc_certificate_importer.cc
|
| index 34079715a2a5f0cfdd521dd340976d9ec6484b40..0dd932543dfa70399ee23bf74827b94b05a16019 100644
|
| --- a/chromeos/network/onc/onc_certificate_importer.cc
|
| +++ b/chromeos/network/onc/onc_certificate_importer.cc
|
| @@ -34,12 +34,13 @@ const char kX509CertificateHeader[] = "X509 CERTIFICATE";
|
| namespace chromeos {
|
| namespace onc {
|
|
|
| -CertificateImporter::CertificateImporter(bool allow_web_trust)
|
| - : allow_web_trust_(allow_web_trust) {
|
| +CertificateImporter::CertificateImporter(bool allow_trust_imports)
|
| + : allow_trust_imports_(allow_trust_imports) {
|
| }
|
|
|
| CertificateImporter::ParseResult CertificateImporter::ParseAndStoreCertificates(
|
| - const base::ListValue& certificates) {
|
| + const base::ListValue& certificates,
|
| + net::CertificateList* onc_trusted_certificates) {
|
| size_t successful_imports = 0;
|
| for (size_t i = 0; i < certificates.GetSize(); ++i) {
|
| const base::DictionaryValue* certificate = NULL;
|
| @@ -48,7 +49,7 @@ CertificateImporter::ParseResult CertificateImporter::ParseAndStoreCertificates(
|
|
|
| VLOG(2) << "Parsing certificate at index " << i << ": " << *certificate;
|
|
|
| - if (!ParseAndStoreCertificate(*certificate)) {
|
| + if (!ParseAndStoreCertificate(*certificate, onc_trusted_certificates)) {
|
| ONC_LOG_ERROR(
|
| base::StringPrintf("Cannot parse certificate at index %zu", i));
|
| } else {
|
| @@ -66,37 +67,6 @@ CertificateImporter::ParseResult CertificateImporter::ParseAndStoreCertificates(
|
| }
|
| }
|
|
|
| -bool CertificateImporter::ParseAndStoreCertificate(
|
| - const base::DictionaryValue& certificate) {
|
| - // Get out the attributes of the given certificate.
|
| - std::string guid;
|
| - certificate.GetString(certificate::kGUID, &guid);
|
| - DCHECK(!guid.empty());
|
| -
|
| - bool remove = false;
|
| - if (certificate.GetBoolean(kRemove, &remove) && remove) {
|
| - if (!DeleteCertAndKeyByNickname(guid)) {
|
| - ONC_LOG_ERROR("Unable to delete certificate");
|
| - return false;
|
| - } else {
|
| - return true;
|
| - }
|
| - }
|
| -
|
| - // Not removing, so let's get the data we need to add this certificate.
|
| - std::string cert_type;
|
| - certificate.GetString(certificate::kType, &cert_type);
|
| - if (cert_type == certificate::kServer ||
|
| - cert_type == certificate::kAuthority) {
|
| - return ParseServerOrCaCertificate(cert_type, guid, certificate);
|
| - } else if (cert_type == certificate::kClient) {
|
| - return ParseClientCertificate(guid, certificate);
|
| - }
|
| -
|
| - NOTREACHED();
|
| - return false;
|
| -}
|
| -
|
| // static
|
| void CertificateImporter::ListCertsWithNickname(const std::string& label,
|
| net::CertificateList* result) {
|
| @@ -155,11 +125,45 @@ bool CertificateImporter::DeleteCertAndKeyByNickname(const std::string& label) {
|
| return result;
|
| }
|
|
|
| +bool CertificateImporter::ParseAndStoreCertificate(
|
| + const base::DictionaryValue& certificate,
|
| + net::CertificateList* onc_trusted_certificates) {
|
| + // Get out the attributes of the given certificate.
|
| + std::string guid;
|
| + certificate.GetString(certificate::kGUID, &guid);
|
| + DCHECK(!guid.empty());
|
| +
|
| + bool remove = false;
|
| + if (certificate.GetBoolean(kRemove, &remove) && remove) {
|
| + if (!DeleteCertAndKeyByNickname(guid)) {
|
| + ONC_LOG_ERROR("Unable to delete certificate");
|
| + return false;
|
| + } else {
|
| + return true;
|
| + }
|
| + }
|
| +
|
| + // Not removing, so let's get the data we need to add this certificate.
|
| + std::string cert_type;
|
| + certificate.GetString(certificate::kType, &cert_type);
|
| + if (cert_type == certificate::kServer ||
|
| + cert_type == certificate::kAuthority) {
|
| + return ParseServerOrCaCertificate(
|
| + cert_type, guid, certificate, onc_trusted_certificates);
|
| + } else if (cert_type == certificate::kClient) {
|
| + return ParseClientCertificate(guid, certificate);
|
| + }
|
| +
|
| + NOTREACHED();
|
| + return false;
|
| +}
|
| +
|
| bool CertificateImporter::ParseServerOrCaCertificate(
|
| const std::string& cert_type,
|
| const std::string& guid,
|
| - const base::DictionaryValue& certificate) {
|
| - bool web_trust = false;
|
| + const base::DictionaryValue& certificate,
|
| + net::CertificateList* onc_trusted_certificates) {
|
| + bool web_trust_flag = false;
|
| const base::ListValue* trust_list = NULL;
|
| if (certificate.GetList(certificate::kTrust, &trust_list)) {
|
| for (size_t i = 0; i < trust_list->GetSize(); ++i) {
|
| @@ -170,7 +174,7 @@ bool CertificateImporter::ParseServerOrCaCertificate(
|
| if (trust_type == certificate::kWeb) {
|
| // "Web" implies that the certificate is to be trusted for SSL
|
| // identification.
|
| - web_trust = true;
|
| + web_trust_flag = true;
|
| } else {
|
| ONC_LOG_ERROR("Certificate contains unknown trust type " + trust_type);
|
| return false;
|
| @@ -178,9 +182,12 @@ bool CertificateImporter::ParseServerOrCaCertificate(
|
| }
|
| }
|
|
|
| - if (web_trust && !allow_web_trust_) {
|
| - LOG(WARNING) << "Web trust not granted for certificate: " << guid;
|
| - web_trust = false;
|
| + bool import_with_ssl_trust = false;
|
| + if (web_trust_flag) {
|
| + if (!allow_trust_imports_)
|
| + LOG(WARNING) << "Web trust not granted for certificate: " << guid;
|
| + else
|
| + import_with_ssl_trust = true;
|
| }
|
|
|
| std::string x509_data;
|
| @@ -276,7 +283,7 @@ bool CertificateImporter::ParseServerOrCaCertificate(
|
| cert_list.push_back(x509_cert);
|
| net::NSSCertDatabase::ImportCertFailureList failures;
|
| bool success = false;
|
| - net::NSSCertDatabase::TrustBits trust = web_trust ?
|
| + net::NSSCertDatabase::TrustBits trust = import_with_ssl_trust ?
|
| net::NSSCertDatabase::TRUSTED_SSL :
|
| net::NSSCertDatabase::TRUST_DEFAULT;
|
| if (cert_type == certificate::kServer) {
|
| @@ -295,6 +302,9 @@ bool CertificateImporter::ParseServerOrCaCertificate(
|
| return false;
|
| }
|
|
|
| + if (web_trust_flag && onc_trusted_certificates)
|
| + onc_trusted_certificates->push_back(x509_cert);
|
| +
|
| return true;
|
| }
|
|
|
|
|
Chromium Code Reviews
Issue 13532005:
Added a PolicyCertVerifier that uses the trust anchors from the ONC policies. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src