Move PEM certificate decoding to onc_utils.

chromeos/network/onc/onc_certificate_importer.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chromeos/network/onc/onc_certificate_importer.h"
 
 #include <cert.h>
 #include <keyhi.h>
 #include <pk11pub.h>
 
 #include "base/base64.h"
 #include "base/logging.h"
 #include "base/values.h"
 #include "chromeos/network/network_event_log.h"
 #include "chromeos/network/onc/onc_constants.h"
+#include "chromeos/network/onc/onc_utils.h"
 #include "net/base/crypto_module.h"
 #include "net/base/net_errors.h"
 #include "net/cert/nss_cert_database.h"
-#include "net/cert/pem_tokenizer.h"
 #include "net/cert/x509_certificate.h"
 
 #define ONC_LOG_WARNING(message)                                \
   NET_LOG_DEBUG("ONC Certificate Import Warning", message)
 #define ONC_LOG_ERROR(message)                                  \
   NET_LOG_ERROR("ONC Certificate Import Error", message)
 
-namespace {
-
-// The PEM block header used for DER certificates
-const char kCertificateHeader[] = "CERTIFICATE";
-// This is an older PEM marker for DER certificates.
-const char kX509CertificateHeader[] = "X509 CERTIFICATE";
-
-}  // namespace
-
 namespace chromeos {
 namespace onc {
 
 CertificateImporter::CertificateImporter(bool allow_trust_imports)
     : allow_trust_imports_(allow_trust_imports) {
 }
 
 CertificateImporter::ParseResult CertificateImporter::ParseAndStoreCertificates(
     const base::ListValue& certificates,
     net::CertificateList* onc_trusted_certificates) {
@@ skipping 153 matching lines @@
   std::string x509_data;
   if (!certificate.GetStringWithoutPathExpansion(certificate::kX509,
                                                  &x509_data) ||
       x509_data.empty()) {
     ONC_LOG_ERROR(
         "Certificate missing appropriate certificate data for type: " +
         cert_type);
     return false;
   }
 
-  // Parse PEM certificate, and get the decoded data for use in creating
-  // certificate below.
-  std::vector<std::string> pem_headers;
-  pem_headers.push_back(kCertificateHeader);
-  pem_headers.push_back(kX509CertificateHeader);
-
-  net::PEMTokenizer pem_tokenizer(x509_data, pem_headers);
-  std::string decoded_x509;
-  if (!pem_tokenizer.GetNext()) {
-    // If we failed to read the data as a PEM file, then let's just try plain
-    // base64 decode: some versions of Spigots didn't apply the PEM marker
-    // strings. For this to work, there has to be no white space, and it has to
-    // only contain the base64-encoded data.
-    if (!base::Base64Decode(x509_data, &decoded_x509)) {
-      ONC_LOG_ERROR("Unable to base64 decode X509 data: " + x509_data);
-      return false;
-    }
-  } else {
-    decoded_x509 = pem_tokenizer.data();
-  }
-
   scoped_refptr<net::X509Certificate> x509_cert =
-      net::X509Certificate::CreateFromBytesWithNickname(
-          decoded_x509.data(),
-          decoded_x509.size(),
-          guid.c_str());
+      DecodePEMCertificate(x509_data, guid);
   if (!x509_cert.get()) {
-    ONC_LOG_ERROR("Unable to create X509 certificate from bytes.");
+    ONC_LOG_ERROR("Unable to create certificate from PEM encoding, type: " +
+                  cert_type);
     return false;
   }
 
   // Due to a mismatch regarding cert identity between NSS (cert identity is
   // determined by the raw bytes) and ONC (cert identity is determined by
   // GUIDs), we have to special-case a number of situations here:
   //
   // a) The cert bits we're trying to insert are already present in the NSS cert
   //    store. This is indicated by the isperm bit in CERTCertificateStr. Since
   //    we might have to update the nick name, we just delete the existing cert
@@ skipping 10 matching lines @@
   // keep our own database for mapping GUIDs to certs in order to enable several
   // GUIDs to map to the same cert. See http://crosbug.com/26073.
   net::NSSCertDatabase* cert_database = net::NSSCertDatabase::GetInstance();
   if (x509_cert->os_cert_handle()->isperm) {
     if (!cert_database->DeleteCertAndKey(x509_cert.get())) {
       ONC_LOG_ERROR("Unable to delete X509 certificate.");
       return false;
     }
 
     // Reload the cert here to get an actual temporary cert instance.
-    x509_cert = net::X509Certificate::CreateFromBytesWithNickname(
-        decoded_x509.data(),
-        decoded_x509.size(),
-        guid.c_str());
+    x509_cert = DecodePEMCertificate(x509_data, guid);
     if (!x509_cert.get()) {
       ONC_LOG_ERROR("Unable to create X509 certificate from bytes.");
       return false;
     }
     DCHECK(!x509_cert->os_cert_handle()->isperm);
     DCHECK(x509_cert->os_cert_handle()->istemp);
   }
 
   // Make sure the GUID is not already taken. Note that for the reimport case we
   // have removed the existing cert above.
@@ skipping 88 matching lines @@
     PK11_SetPrivateKeyNickname(private_key, const_cast<char*>(guid.c_str()));
     SECKEY_DestroyPrivateKey(private_key);
   } else {
     ONC_LOG_WARNING("Unable to find private key for certificate.");
   }
   return true;
 }
 
 }  // namespace onc
 }  // namespace chromeos