ONC: Allow multiple CA certificates.

So far only a single CA certificate was supported for EAP/IPsec/OpenVPN. Instead, we now support multiple CA certs. These are provided as a list of GUID references to CA certificates in the toplevel "Certificates" section. BUG=276291 R=armansito@chromium.org, davidroche@chromium.org Review URL: https://codereview.chromium.org/68343010 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@240874 0039d316-1c4b-4281-b951-d872f2087c98
author: pneubeck@chromium.org <pneubeck@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2013-12-16 13:08:13 +0000
committer: pneubeck@chromium.org <pneubeck@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2013-12-16 13:08:13 +0000
commit: 7f123d2a3dc472dd796c13e2d7d599446fe9831d (patch)
tree: 6f3ead0503ad43e7d88db6d130ae4b65f89bf5a4 /chromeos/network
parent: ff39e9b81c8619d19a318a8d97d0bac552d455b4 (diff)
download: chromium_src-7f123d2a3dc472dd796c13e2d7d599446fe9831d.zip
chromium_src-7f123d2a3dc472dd796c13e2d7d599446fe9831d.tar.gz
chromium_src-7f123d2a3dc472dd796c13e2d7d599446fe9831d.tar.bz2
4 files changed, 120 insertions, 21 deletions
diff --git a/chromeos/network/onc/onc_signature.cc b/chromeos/network/onc/onc_signature.cc
index cdedf67..b0e9656 100644
--- a/chromeos/network/onc/onc_signature.cc
+++ b/chromeos/network/onc/onc_signature.cc
@@ -47,6 +47,7 @@ const OncFieldSignature certificate_pattern_fields[] = {
     { ::onc::certificate::kEnrollmentURI, &kStringListSignature},
     { ::onc::certificate::kIssuer, &kIssuerSubjectPatternSignature},
     { ::onc::certificate::kIssuerCARef, &kStringListSignature},
+    // Used internally. Not officially supported.
     { ::onc::certificate::kIssuerCAPEMs, &kStringListSignature},
     { ::onc::certificate::kSubject, &kIssuerSubjectPatternSignature},
     {NULL}};
@@ -62,8 +63,10 @@ const OncFieldSignature eap_fields[] = {
     { ::onc::eap::kOuter, &kStringSignature},
     { ::onc::eap::kPassword, &kStringSignature},
     { ::onc::eap::kSaveCredentials, &kBoolSignature},
+    // Used internally. Not officially supported.
     { ::onc::eap::kServerCAPEMs, &kStringListSignature},
     { ::onc::eap::kServerCARef, &kStringSignature},
+    { ::onc::eap::kServerCARefs, &kStringListSignature},
     { ::onc::eap::kUseSystemCAs, &kBoolSignature},
     {NULL}};
 
@@ -77,8 +80,10 @@ const OncFieldSignature ipsec_fields[] = {
     { ::onc::ipsec::kIKEVersion, &kIntegerSignature},
     { ::onc::ipsec::kPSK, &kStringSignature},
     { ::onc::vpn::kSaveCredentials, &kBoolSignature},
-    { ::onc::ipsec::kServerCAPEMs, &kStringSignature},
+    // Used internally. Not officially supported.
+    { ::onc::ipsec::kServerCAPEMs, &kStringListSignature},
     { ::onc::ipsec::kServerCARef, &kStringSignature},
+    { ::onc::ipsec::kServerCARefs, &kStringListSignature},
     // Not yet supported.
     //  { ipsec::kEAP, &kEAPSignature },
     //  { ipsec::kXAUTH, &kXAUTHSignature },
@@ -113,8 +118,10 @@ const OncFieldSignature openvpn_fields[] = {
     { ::onc::openvpn::kRemoteCertTLS, &kStringSignature},
     { ::onc::openvpn::kRenegSec, &kIntegerSignature},
     { ::onc::vpn::kSaveCredentials, &kBoolSignature},
+    // Used internally. Not officially supported.
     { ::onc::openvpn::kServerCAPEMs, &kStringListSignature},
     { ::onc::openvpn::kServerCARef, &kStringSignature},
+    { ::onc::openvpn::kServerCARefs, &kStringListSignature},
     // Not supported, yet.
     { ::onc::openvpn::kServerCertPEM, &kStringSignature},
     { ::onc::openvpn::kServerCertRef, &kStringSignature},
diff --git a/chromeos/network/onc/onc_utils.cc b/chromeos/network/onc/onc_utils.cc
index 586907d..aa612d9 100644
--- a/chromeos/network/onc/onc_utils.cc
+++ b/chromeos/network/onc/onc_utils.cc
@@ -431,7 +431,6 @@ bool ParseAndValidateOncForImport(const std::string& onc_blob,
       success = false;
     }
 
-    ResolveServerCertRefsInNetworks(server_and_ca_certs, validated_networks);
     network_configs->Swap(validated_networks);
   }
 
@@ -537,6 +536,29 @@ bool ResolveSingleCertRefToList(const CertPEMsByGUIDMap& certs_by_guid,
   return true;
 }
 
+// Resolves the reference list at |key_guid_refs| if present and otherwise the
+// single reference at |key_guid_ref|. Returns whether the respective resolving
+// was successful.
+bool ResolveCertRefsOrRefToList(const CertPEMsByGUIDMap& certs_by_guid,
+                                const std::string& key_guid_refs,
+                                const std::string& key_guid_ref,
+                                const std::string& key_pem_list,
+                                base::DictionaryValue* onc_object) {
+  if (onc_object->HasKey(key_guid_refs)) {
+    if (onc_object->HasKey(key_guid_ref)) {
+      LOG(ERROR) << "Found both " << key_guid_refs << " and " << key_guid_ref
+                 << ". Ignoring and removing the latter.";
+      onc_object->RemoveWithoutPathExpansion(key_guid_ref, NULL);
+    }
+    return ResolveCertRefList(
+        certs_by_guid, key_guid_refs, key_pem_list, onc_object);
+  }
+
+  // Only resolve |key_guid_ref| if |key_guid_refs| isn't present.
+  return ResolveSingleCertRefToList(
+      certs_by_guid, key_guid_ref, key_pem_list, onc_object);
+}
+
 bool ResolveServerCertRefsInObject(const CertPEMsByGUIDMap& certs_by_guid,
                                    const OncValueSignature& signature,
                                    base::DictionaryValue* onc_object) {
@@ -546,21 +568,32 @@ bool ResolveServerCertRefsInObject(const CertPEMsByGUIDMap& certs_by_guid,
       return false;
     }
   } else if (&signature == &kEAPSignature) {
-    if (!ResolveSingleCertRefToList(certs_by_guid, eap::kServerCARef,
-                                    eap::kServerCAPEMs, onc_object)) {
+    if (!ResolveCertRefsOrRefToList(certs_by_guid,
+                                    eap::kServerCARefs,
+                                    eap::kServerCARef,
+                                    eap::kServerCAPEMs,
+                                    onc_object)) {
       return false;
     }
   } else if (&signature == &kIPsecSignature) {
-    if (!ResolveSingleCertRefToList(certs_by_guid, ipsec::kServerCARef,
-                                    ipsec::kServerCAPEMs, onc_object)) {
+    if (!ResolveCertRefsOrRefToList(certs_by_guid,
+                                    ipsec::kServerCARefs,
+                                    ipsec::kServerCARef,
+                                    ipsec::kServerCAPEMs,
+                                    onc_object)) {
       return false;
     }
   } else if (&signature == &kIPsecSignature ||
              &signature == &kOpenVPNSignature) {
-    if (!ResolveSingleCertRef(certs_by_guid, openvpn::kServerCertRef,
-                              openvpn::kServerCertPEM, onc_object) ||
-        !ResolveSingleCertRefToList(certs_by_guid, openvpn::kServerCARef,
-                                    openvpn::kServerCAPEMs, onc_object)) {
+    if (!ResolveSingleCertRef(certs_by_guid,
+                              openvpn::kServerCertRef,
+                              openvpn::kServerCertPEM,
+                              onc_object) ||
+        !ResolveCertRefsOrRefToList(certs_by_guid,
+                                    openvpn::kServerCARefs,
+                                    openvpn::kServerCARef,
+                                    openvpn::kServerCAPEMs,
+                                    onc_object)) {
       return false;
     }
   }
diff --git a/chromeos/network/onc/onc_validator.cc b/chromeos/network/onc/onc_validator.cc
index 7fdaba8..6755390 100644
--- a/chromeos/network/onc/onc_validator.cc
+++ b/chromeos/network/onc/onc_validator.cc
@@ -348,9 +348,20 @@ bool Validator::FieldExistsAndIsNotInRange(const base::DictionaryValue& object,
 
 bool Validator::FieldExistsAndIsEmpty(const base::DictionaryValue& object,
                                       const std::string& field_name) {
-  std::string value;
-  if (!object.GetStringWithoutPathExpansion(field_name, &value) ||
-      !value.empty()) {
+  const base::Value* value = NULL;
+  if (!object.GetWithoutPathExpansion(field_name, &value))
+    return false;
+
+  std::string str;
+  const base::ListValue* list = NULL;
+  if (value->GetAsString(&str)) {
+    if (!str.empty())
+      return false;
+  } else if (value->GetAsList(&list)) {
+    if (!list->empty())
+      return false;
+  } else {
+    NOTREACHED();
     return false;
   }
 
@@ -583,7 +594,15 @@ bool Validator::ValidateIPsec(base::DictionaryValue* result) {
   if (FieldExistsAndHasNoValidValue(
           *result, kAuthenticationType, kValidAuthentications) ||
       FieldExistsAndHasNoValidValue(
-          *result, ::onc::vpn::kClientCertType, kValidCertTypes)) {
+          *result, ::onc::vpn::kClientCertType, kValidCertTypes) ||
+      FieldExistsAndIsEmpty(*result, kServerCARefs)) {
+    return false;
+  }
+
+  if (result->HasKey(kServerCARefs) && result->HasKey(kServerCARef)) {
+    error_or_warning_found_ = true;
+    LOG(ERROR) << MessageHeader() << "At most one of " << kServerCARefs
+               << " and " << kServerCARef << " can be set.";
     return false;
   }
 
@@ -591,13 +610,25 @@ bool Validator::ValidateIPsec(base::DictionaryValue* result) {
                             RequireField(*result, kIKEVersion);
   std::string auth;
   result->GetStringWithoutPathExpansion(kAuthenticationType, &auth);
+  bool has_server_ca_cert =
+      result->HasKey(kServerCARefs) || result->HasKey(kServerCARef);
   if (auth == kCert) {
-    all_required_exist &= RequireField(*result, ::onc::vpn::kClientCertType) &&
-                          RequireField(*result, kServerCARef);
-  } else if (result->HasKey(kServerCARef)) {
+    all_required_exist &= RequireField(*result, ::onc::vpn::kClientCertType);
+    if (!has_server_ca_cert) {
+      all_required_exist = false;
+      error_or_warning_found_ = true;
+      std::string message = MessageHeader() + "The required field '" +
+                            kServerCARefs + "' is missing.";
+      if (error_on_missing_field_)
+        LOG(ERROR) << message;
+      else
+        LOG(WARNING) << message;
+    }
+  } else if (has_server_ca_cert) {
     error_or_warning_found_ = true;
-    LOG(ERROR) << MessageHeader() << kServerCARef << " can only be set if "
-               << kAuthenticationType << " is set to " << kCert << ".";
+    LOG(ERROR) << MessageHeader() << kServerCARefs << " (or " << kServerCARef
+               << ") can only be set if " << kAuthenticationType
+               << " is set to " << kCert << ".";
     return false;
   }
 
@@ -632,7 +663,15 @@ bool Validator::ValidateOpenVPN(base::DictionaryValue* result) {
       FieldExistsAndHasNoValidValue(
           *result, ::onc::vpn::kClientCertType, kValidCertTypes) ||
       FieldExistsAndHasNoValidValue(
-          *result, kRemoteCertTLS, kValidCertTlsValues)) {
+          *result, kRemoteCertTLS, kValidCertTlsValues) ||
+      FieldExistsAndIsEmpty(*result, kServerCARefs)) {
+    return false;
+  }
+
+  if (result->HasKey(kServerCARefs) && result->HasKey(kServerCARef)) {
+    error_or_warning_found_ = true;
+    LOG(ERROR) << MessageHeader() << "At most one of " << kServerCARefs
+               << " and " << kServerCARef << " can be set.";
     return false;
   }
 
@@ -727,7 +766,15 @@ bool Validator::ValidateEAP(base::DictionaryValue* result) {
   if (FieldExistsAndHasNoValidValue(*result, kInner, kValidInnerValues) ||
       FieldExistsAndHasNoValidValue(*result, kOuter, kValidOuterValues) ||
       FieldExistsAndHasNoValidValue(
-          *result, kClientCertType, kValidCertTypes)) {
+          *result, kClientCertType, kValidCertTypes) ||
+      FieldExistsAndIsEmpty(*result, kServerCARefs)) {
+    return false;
+  }
+
+  if (result->HasKey(kServerCARefs) && result->HasKey(kServerCARef)) {
+    error_or_warning_found_ = true;
+    LOG(ERROR) << MessageHeader() << "At most one of " << kServerCARefs
+               << " and " << kServerCARef << " can be set.";
     return false;
   }
 
diff --git a/chromeos/network/onc/onc_validator_unittest.cc b/chromeos/network/onc/onc_validator_unittest.cc
index d100aea..7722676 100644
--- a/chromeos/network/onc/onc_validator_unittest.cc
+++ b/chromeos/network/onc/onc_validator_unittest.cc
@@ -383,6 +383,18 @@ INSTANTIATE_TEST_CASE_P(
          std::make_pair(OncParams("ipsec-with-psk-and-cacert",
                                   &kIPsecSignature, false),
                         RepairParams("", "")),
+         std::make_pair(OncParams("ipsec-with-empty-cacertrefs",
+                                  &kIPsecSignature, false),
+                        RepairParams("", "")),
+         std::make_pair(OncParams("ipsec-with-servercaref-and-servercarefs",
+                                  &kIPsecSignature, false),
+                        RepairParams("", "")),
+         std::make_pair(OncParams("openvpn-with-servercaref-and-servercarefs",
+                                  &kOpenVPNSignature, false),
+                        RepairParams("", "")),
+         std::make_pair(OncParams("eap-with-servercaref-and-servercarefs",
+                                  &kEAPSignature, false),
+                        RepairParams("", "")),
          std::make_pair(OncParams("managed-network-value-out-of-range",
                                   &kNetworkConfigurationSignature, true),
                         RepairParams("", "")),
author	pneubeck@chromium.org <pneubeck@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>	2013-12-16 13:08:13 +0000
committer	pneubeck@chromium.org <pneubeck@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>	2013-12-16 13:08:13 +0000
commit	7f123d2a3dc472dd796c13e2d7d599446fe9831d (patch)
tree	6f3ead0503ad43e7d88db6d130ae4b65f89bf5a4 /chromeos/network
parent	ff39e9b81c8619d19a318a8d97d0bac552d455b4 (diff)
download	chromium_src-7f123d2a3dc472dd796c13e2d7d599446fe9831d.zip chromium_src-7f123d2a3dc472dd796c13e2d7d599446fe9831d.tar.gz chromium_src-7f123d2a3dc472dd796c13e2d7d599446fe9831d.tar.bz2