| OLD | NEW |
|---|
| 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chrome/browser/chromeos/attestation/attestation_policy_observer.h" | 5 #include "chrome/browser/chromeos/attestation/attestation_policy_observer.h" |
| 6 | 6 |
| 7 #include <string> | 7 #include <string> |
| 8 | 8 |
| 9 #include "base/bind.h" | 9 #include "base/bind.h" |
| 10 #include "base/callback.h" | 10 #include "base/callback.h" |
| 11 #include "base/location.h" | 11 #include "base/location.h" |
| 12 #include "base/time/time.h" | 12 #include "base/time/time.h" |
| 13 #include "chrome/browser/chrome_notification_types.h" | 13 #include "chrome/browser/chrome_notification_types.h" |
| 14 #include "chrome/browser/chromeos/attestation/attestation_ca_client.h" | 14 #include "chrome/browser/chromeos/attestation/attestation_ca_client.h" |
| 15 #include "chrome/browser/chromeos/attestation/attestation_key_payload.pb.h" | 15 #include "chrome/browser/chromeos/attestation/attestation_key_payload.pb.h" |
| 16 #include "chrome/browser/chromeos/settings/cros_settings.h" | 16 #include "chrome/browser/chromeos/settings/cros_settings.h" |
| 17 #include "chromeos/attestation/attestation_flow.h" | 17 #include "chromeos/attestation/attestation_flow.h" |
| 18 #include "chromeos/cryptohome/async_method_caller.h" | 18 #include "chromeos/cryptohome/async_method_caller.h" |
| 19 #include "chromeos/dbus/cryptohome_client.h" | 19 #include "chromeos/dbus/cryptohome_client.h" |
| 20 #include "chromeos/dbus/dbus_method_call_status.h" | 20 #include "chromeos/dbus/dbus_method_call_status.h" |
| 21 #include "chromeos/dbus/dbus_thread_manager.h" | 21 #include "chromeos/dbus/dbus_thread_manager.h" |
| 22 #include "components/policy/core/common/cloud/cloud_policy_client.h" | 22 #include "components/policy/core/common/cloud/cloud_policy_client.h" |
| 23 #include "components/policy/core/common/cloud/cloud_policy_manager.h" | 23 #include "components/policy/core/common/cloud/cloud_policy_manager.h" |
| 24 #include "content/public/browser/browser_thread.h" | 24 #include "content/public/browser/browser_thread.h" |
| 25 #include "content/public/browser/notification_details.h" | 25 #include "content/public/browser/notification_details.h" |
| 26 #include "net/cert/pem_tokenizer.h" |
| 26 #include "net/cert/x509_certificate.h" | 27 #include "net/cert/x509_certificate.h" |
| 27 | 28 |
| 28 namespace { | 29 namespace { |
| 29 | 30 |
| 30 // The number of days before a certificate expires during which it is | 31 // The number of days before a certificate expires during which it is |
| 31 // considered 'expiring soon' and replacement is initiated. The Chrome OS CA | 32 // considered 'expiring soon' and replacement is initiated. The Chrome OS CA |
| 32 // issues certificates with an expiry of at least two years. This value has | 33 // issues certificates with an expiry of at least two years. This value has |
| 33 // been set large enough so that the majority of users will have gone through | 34 // been set large enough so that the majority of users will have gone through |
| 34 // a full sign-in during the period. | 35 // a full sign-in during the period. |
| 35 const int kExpiryThresholdInDays = 30; | 36 const int kExpiryThresholdInDays = 30; |
| (...skipping 168 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 204 base::Bind(DBusStringCallback, | 205 base::Bind(DBusStringCallback, |
| 205 base::Bind(&AttestationPolicyObserver::CheckCertificateExpiry, | 206 base::Bind(&AttestationPolicyObserver::CheckCertificateExpiry, |
| 206 weak_factory_.GetWeakPtr()), | 207 weak_factory_.GetWeakPtr()), |
| 207 base::Bind(&AttestationPolicyObserver::Reschedule, | 208 base::Bind(&AttestationPolicyObserver::Reschedule, |
| 208 weak_factory_.GetWeakPtr()), | 209 weak_factory_.GetWeakPtr()), |
| 209 FROM_HERE)); | 210 FROM_HERE)); |
| 210 } | 211 } |
| 211 | 212 |
| 212 void AttestationPolicyObserver::CheckCertificateExpiry( | 213 void AttestationPolicyObserver::CheckCertificateExpiry( |
| 213 const std::string& certificate) { | 214 const std::string& certificate) { |
| 214 scoped_refptr<net::X509Certificate> x509( | 215 int num_certificates = 0; |
| 215 net::X509Certificate::CreateFromBytes(certificate.data(), | 216 net::PEMTokenizer pem_tokenizer(certificate, {"CERTIFICATE"}); |
| 216 certificate.length())); | 217 while (pem_tokenizer.GetNext()) { |
| 217 if (!x509.get() || x509->valid_expiry().is_null()) { | 218 ++num_certificates; |
| 218 LOG(WARNING) << "Failed to parse certificate, cannot check expiry."; | 219 scoped_refptr<net::X509Certificate> x509 = |
| 219 } else { | 220 net::X509Certificate::CreateFromBytes(pem_tokenizer.data().data(), |
| 221 pem_tokenizer.data().length()); |
| 222 if (!x509.get() || x509->valid_expiry().is_null()) { |
| 223 // This logic intentionally fails open. In theory this should not happen |
| 224 // but in practice parsing X.509 can be brittle and there are a lot of |
| 225 // factors including which underlying module is parsing the certificate, |
| 226 // whether that module performs more checks than just ASN.1/DER format, |
| 227 // and the server module that generated the certificate(s). Renewal is |
| 228 // expensive so we only renew certificates with good evidence that they |
| 229 // have expired or will soon expire; if we don't know, we don't renew. |
| 230 LOG(WARNING) << "Failed to parse certificate, cannot check expiry."; |
| 231 continue; |
| 232 } |
| 220 const base::TimeDelta threshold = | 233 const base::TimeDelta threshold = |
| 221 base::TimeDelta::FromDays(kExpiryThresholdInDays); | 234 base::TimeDelta::FromDays(kExpiryThresholdInDays); |
| 222 if ((base::Time::Now() + threshold) > x509->valid_expiry()) { | 235 if ((base::Time::Now() + threshold) > x509->valid_expiry()) { |
| 223 // The certificate has expired or will soon, replace it. | 236 // The certificate has expired or will soon, replace it. |
| 224 GetNewCertificate(); | 237 GetNewCertificate(); |
| 225 return; | 238 return; |
| 226 } | 239 } |
| 227 } | 240 } |
| 228 | 241 if (num_certificates == 0) { |
| 242 LOG(WARNING) << "Failed to parse certificate chain, cannot check expiry."; |
| 243 } |
| 229 // Get the payload and check if the certificate has already been uploaded. | 244 // Get the payload and check if the certificate has already been uploaded. |
| 230 GetKeyPayload(base::Bind(&AttestationPolicyObserver::CheckIfUploaded, | 245 GetKeyPayload(base::Bind(&AttestationPolicyObserver::CheckIfUploaded, |
| 231 weak_factory_.GetWeakPtr(), | 246 weak_factory_.GetWeakPtr(), |
| 232 certificate)); | 247 certificate)); |
| 233 } | 248 } |
| 234 | 249 |
| 235 void AttestationPolicyObserver::UploadCertificate( | 250 void AttestationPolicyObserver::UploadCertificate( |
| 236 const std::string& certificate) { | 251 const std::string& certificate) { |
| 237 policy_client_->UploadCertificate( | 252 policy_client_->UploadCertificate( |
| 238 certificate, | 253 certificate, |
| (...skipping 64 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 303 base::Bind(&AttestationPolicyObserver::Start, | 318 base::Bind(&AttestationPolicyObserver::Start, |
| 304 weak_factory_.GetWeakPtr()), | 319 weak_factory_.GetWeakPtr()), |
| 305 base::TimeDelta::FromSeconds(retry_delay_)); | 320 base::TimeDelta::FromSeconds(retry_delay_)); |
| 306 } else { | 321 } else { |
| 307 LOG(WARNING) << "AttestationPolicyObserver: Retry limit exceeded."; | 322 LOG(WARNING) << "AttestationPolicyObserver: Retry limit exceeded."; |
| 308 } | 323 } |
| 309 } | 324 } |
| 310 | 325 |
| 311 } // namespace attestation | 326 } // namespace attestation |
| 312 } // namespace chromeos | 327 } // namespace chromeos |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1511793004:
attestation: Fix policy observer expiry check. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master