author | pneubeck@chromium.org <pneubeck@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-07-26 12:20:20 +0000 |
committer | pneubeck@chromium.org <pneubeck@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-07-26 12:20:20 +0000 |
commit | 623cd8544506d69c348018f2d31b9eb1e884a0e7 (patch) | |
tree | 52e9d4b0d59ede73ebac33782ec9eca092cd5a1a /chromeos | |
parent | 2a8a0ba568c82ba88068ef20e9f0d5f925d90218 (diff) | |
Make CertificateHandler a proper interface of CertificateImporter.
- Change CertificateHandler into a pure interface onc::CertificateImporter.
- Make the old onc::CertificateImporter an implementation of that interface.
- Replace the unnecessary CertificateImporter::ParseResult by a simple bool.
This also frees the name CertificateHandler for other purposes.
BUG=NONE
TBR=stevenjb@chromium.org (gyp change), eroman@chromium.org (net-internals: API usage)
Review URL: https://chromiumcodereview.appspot.com/20041002
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@213860 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'chromeos')
-rw-r--r-- | chromeos/chromeos.gyp | 11 | ||||
-rw-r--r-- | chromeos/network/certificate_handler.cc | 39 | ||||
-rw-r--r-- | chromeos/network/certificate_handler.h | 41 | ||||
-rw-r--r-- | chromeos/network/mock_certificate_handler.cc | 15 | ||||
-rw-r--r-- | chromeos/network/mock_certificate_handler.h | 28 | ||||
-rw-r--r-- | chromeos/network/onc/mock_certificate_importer.cc | 17 | ||||
-rw-r--r-- | chromeos/network/onc/mock_certificate_importer.h | 31 | ||||
-rw-r--r-- | chromeos/network/onc/onc_certificate_importer.h | 94 | ||||
-rw-r--r-- | chromeos/network/onc/onc_certificate_importer_impl.cc (renamed from chromeos/network/onc/onc_certificate_importer.cc) | 64 | ||||
-rw-r--r-- | chromeos/network/onc/onc_certificate_importer_impl.h | 99 | ||||
-rw-r--r-- | chromeos/network/onc/onc_certificate_importer_impl_unittest.cc (renamed from chromeos/network/onc/onc_certificate_importer_unittest.cc) | 61 |
11 files changed, 238 insertions, 262 deletions
diff --git a/chromeos/chromeos.gyp b/chromeos/chromeos.gyp index 807f1d0..04459d6 100644 --- a/chromeos/chromeos.gyp +++ b/chromeos/chromeos.gyp @@ -211,8 +211,6 @@ 'login/login_state.h', 'network/cert_loader.cc', 'network/cert_loader.h', - 'network/certificate_handler.cc', - 'network/certificate_handler.h', 'network/certificate_pattern.cc', 'network/certificate_pattern.h', 'network/certificate_pattern_matcher.cc', @@ -264,8 +262,9 @@ 'network/network_ui_data.h', 'network/network_util.cc', 'network/network_util.h', - 'network/onc/onc_certificate_importer.cc', 'network/onc/onc_certificate_importer.h', + 'network/onc/onc_certificate_importer_impl.cc', + 'network/onc/onc_certificate_importer_impl.h', 'network/onc/onc_constants.cc', 'network/onc/onc_constants.h', 'network/onc/onc_mapper.cc', @@ -372,8 +371,8 @@ 'disks/mock_disk_mount_manager.h', 'ime/mock_component_extension_ime_manager_delegate.cc', 'ime/mock_component_extension_ime_manager_delegate.h', - 'network/mock_certificate_handler.cc', - 'network/mock_certificate_handler.h', + 'network/onc/mock_certificate_importer.cc', + 'network/onc/mock_certificate_importer.h', 'network/onc/onc_test_utils.cc', 'network/onc/onc_test_utils.h', ], @@ -504,7 +503,7 @@ 'network/network_state_unittest.cc', 'network/network_ui_data_unittest.cc', 'network/network_util_unittest.cc', - 'network/onc/onc_certificate_importer_unittest.cc', + 'network/onc/onc_certificate_importer_impl_unittest.cc', 'network/onc/onc_merger_unittest.cc', 'network/onc/onc_normalizer_unittest.cc', 'network/onc/onc_translator_unittest.cc', diff --git a/chromeos/network/certificate_handler.cc b/chromeos/network/certificate_handler.cc deleted file mode 100644 index 93a6ed4..0000000 --- a/chromeos/network/certificate_handler.cc +++ /dev/null 
@@ -1,39 +0,0 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "chromeos/network/certificate_handler.h"
-
-#include "base/logging.h"
-#include "base/values.h"
-#include "chromeos/network/onc/onc_certificate_importer.h"
-#include "chromeos/network/onc/onc_utils.h"
-
-namespace chromeos {
-
-CertificateHandler::CertificateHandler() {
-}
-
-CertificateHandler::~CertificateHandler() {
-}
-
-bool CertificateHandler::ImportCertificates(
- const base::ListValue& certificates,
- onc::ONCSource source,
- net::CertificateList* onc_trusted_certificates) {
- VLOG(2) << "ONC file has " << certificates.GetSize() << " certificates";
-
- // Web trust is only granted to certificates imported by the user.
- bool allow_trust_imports = source == onc::ONC_SOURCE_USER_IMPORT;
- onc::CertificateImporter cert_importer(allow_trust_imports);
- if (cert_importer.ParseAndStoreCertificates(
- certificates, onc_trusted_certificates, NULL) !=
- onc::CertificateImporter::IMPORT_OK) {
- LOG(ERROR) << "Cannot parse some of the certificates in the ONC from "
- << onc::GetSourceAsString(source);
- return false;
- }
- return true;
-}
-
-} // namespace chromeos
diff --git a/chromeos/network/certificate_handler.h b/chromeos/network/certificate_handler.h
deleted file mode 100644
index c4df5b8..0000000
--- a/chromeos/network/certificate_handler.h
+++ /dev/null
@@ -1,41 +0,0 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef CHROMEOS_NETWORK_CERTIFICATE_HANDLER_H_
-#define CHROMEOS_NETWORK_CERTIFICATE_HANDLER_H_
-
-#include "base/memory/ref_counted.h"
-#include "chromeos/chromeos_export.h"
-#include "chromeos/network/onc/onc_constants.h"
-#include "net/cert/x509_certificate.h"
-
-namespace base {
-class ListValue;
-}
-
-namespace chromeos {
-
-class CHROMEOS_EXPORT CertificateHandler {
- public:
- CertificateHandler();
- virtual ~CertificateHandler();
-
- // Import the |certificates|, which must be a list of ONC Certificate objects.
- // If |onc_trusted_certificates| is not NULL, it will be filled with the list
- // of certificates that requested the TrustBit "Web". If
- // |imported_server_and_ca_certs| is not null, it will be filled with the
- // (GUID, Certificate) pairs of all successfully imported Server and CA
- // certificates. Returns true if all certificates were imported successfully.
- virtual bool ImportCertificates(
- const base::ListValue& certificates,
- onc::ONCSource source,
- net::CertificateList* onc_trusted_certificates);
-
- private:
- DISALLOW_COPY_AND_ASSIGN(CertificateHandler);
-};
-
-} // namespace chromeos
-
-#endif // CHROMEOS_NETWORK_CERTIFICATE_HANDLER_H_
diff --git a/chromeos/network/mock_certificate_handler.cc b/chromeos/network/mock_certificate_handler.cc
deleted file mode 100644
index 8ff080f..0000000
--- a/chromeos/network/mock_certificate_handler.cc
+++ /dev/null
@@ -1,15 +0,0 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "chromeos/network/mock_certificate_handler.h"
-
-namespace chromeos {
-
-MockCertificateHandler::MockCertificateHandler() {
-}
-
-MockCertificateHandler::~MockCertificateHandler() {
-}
-
-} // namespace chromeos
diff --git a/chromeos/network/mock_certificate_handler.h b/chromeos/network/mock_certificate_handler.h
deleted file mode 100644
index 984aa18..0000000
--- a/chromeos/network/mock_certificate_handler.h
+++ /dev/null
@@ -1,28 +0,0 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef CHROMEOS_NETWORK_MOCK_CERTIFICATE_HANDLER_H_
-#define CHROMEOS_NETWORK_MOCK_CERTIFICATE_HANDLER_H_
-
-#include "base/values.h"
-#include "chromeos/chromeos_export.h"
-#include "chromeos/network/certificate_handler.h"
-#include "testing/gmock/include/gmock/gmock.h"
-
-namespace chromeos {
-
-class CHROMEOS_EXPORT MockCertificateHandler : public CertificateHandler {
- public:
- MockCertificateHandler();
- virtual ~MockCertificateHandler();
- MOCK_METHOD3(ImportCertificates, bool(const base::ListValue&,
- onc::ONCSource,
- net::CertificateList*));
- private:
- DISALLOW_COPY_AND_ASSIGN(MockCertificateHandler);
-};
-
-} // namespace chromeos
-
-#endif // CHROMEOS_NETWORK_MOCK_CERTIFICATE_HANDLER_H_
diff --git a/chromeos/network/onc/mock_certificate_importer.cc b/chromeos/network/onc/mock_certificate_importer.cc
new file mode 100644
index 0000000..5ae7fb20
--- /dev/null
+++ b/chromeos/network/onc/mock_certificate_importer.cc
@@ -0,0 +1,17 @@
+// Copyright 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chromeos/network/onc/mock_certificate_importer.h"
+
+namespace chromeos {
+namespace onc {
+
+MockCertificateImporter::MockCertificateImporter() {
+}
+
+MockCertificateImporter::~MockCertificateImporter() {
+}
+
+} // namespace onc
+} // namespace chromeos
diff --git a/chromeos/network/onc/mock_certificate_importer.h b/chromeos/network/onc/mock_certificate_importer.h
new file mode 100644
index 0000000..fc3544f
--- /dev/null
+++ b/chromeos/network/onc/mock_certificate_importer.h
@@ -0,0 +1,31 @@
+// Copyright 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CHROMEOS_NETWORK_ONC_MOCK_CERTIFICATE_IMPORTER_H_
+#define CHROMEOS_NETWORK_ONC_MOCK_CERTIFICATE_IMPORTER_H_
+
+#include "base/basictypes.h"
+#include "base/values.h"
+#include "chromeos/chromeos_export.h"
+#include "chromeos/network/onc/onc_certificate_importer.h"
+#include "testing/gmock/include/gmock/gmock.h"
+
+namespace chromeos {
+namespace onc {
+
+class CHROMEOS_EXPORT MockCertificateImporter : public CertificateImporter {
+ public:
+ MockCertificateImporter();
+ virtual ~MockCertificateImporter();
+ MOCK_METHOD3(ImportCertificates, bool(const base::ListValue&,
+ onc::ONCSource,
+ net::CertificateList*));
+ private:
+ DISALLOW_COPY_AND_ASSIGN(MockCertificateImporter);
+};
+
+} // namespace onc
+} // namespace chromeos
+
+#endif // CHROMEOS_NETWORK_ONC_MOCK_CERTIFICATE_IMPORTER_H_
diff --git a/chromeos/network/onc/onc_certificate_importer.h b/chromeos/network/onc/onc_certificate_importer.h
index 4848882..32e901e 100644
--- a/chromeos/network/onc/onc_certificate_importer.h
+++ b/chromeos/network/onc/onc_certificate_importer.h
@@ -1,102 +1,40 @@ -// Copyright (c) 2012 The Chromium Authors. All rights reserved. +// Copyright (c) 2013 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #ifndef CHROMEOS_NETWORK_ONC_ONC_CERTIFICATE_IMPORTER_H_ #define CHROMEOS_NETWORK_ONC_ONC_CERTIFICATE_IMPORTER_H_ -#include <map> -#include <string> -#include <vector> - #include "base/basictypes.h" -#include "base/memory/ref_counted.h" -#include "base/memory/scoped_ptr.h" #include "chromeos/chromeos_export.h" #include "chromeos/network/onc/onc_constants.h" +#include "net/cert/x509_certificate.h" namespace base { -class DictionaryValue; class ListValue; } -namespace net { -class X509Certificate; -typedef std::vector<scoped_refptr<X509Certificate> > CertificateList; -} - namespace chromeos { namespace onc { -// This class handles certificate imports from ONC (both policy and user -// imports) into the certificate store. The GUID of Client certificates is -// stored together with the certificate as Nickname. In contrast, Server and CA -// certificates are identified by their PEM and not by GUID. -// TODO(pneubeck): Replace Nickname by PEM for Client -// certificates. http://crbug.com/252119 class CHROMEOS_EXPORT CertificateImporter { public: - typedef std::map<std::string, scoped_refptr<net::X509Certificate> > - CertsByGUID; - enum ParseResult { - IMPORT_OK, - IMPORT_INCOMPLETE, - IMPORT_FAILED, - }; - - // During import with ParseCertificate(), Web trust is only applied to Server - // and Authority certificates with the TrustBits attribute "Web" if the - // |allow_trust_imports| permission is granted, otherwise the attribute is - // ignored. - explicit CertificateImporter(bool allow_trust_imports); - - // Parses and stores the certificates in |onc_certificates| into the - // certificate store. If the "Remove" field of a certificate is enabled, then - // removes the certificate from the store instead of importing. 
Returns the - // result of the parse operation. In case of IMPORT_INCOMPLETE, some of the - // certificates may be stored/removed successfully while others had errors. - // If no error occurred, returns IMPORT_OK. If |onc_trusted_certificates| is - // not NULL, it will be filled with the list of certificates that requested - // the Web trust flag. If |imported_server_and_ca_certs| is not null, it will - // be filled with the (GUID, Certificate) pairs of all successfully imported - // Server and CA certificates. - ParseResult ParseAndStoreCertificates( - const base::ListValue& onc_certificates, - net::CertificateList* onc_trusted_certificates, - CertsByGUID* imported_server_and_ca_certs); - - // Lists the certificates that have the string |label| as their certificate - // nickname (exact match). - static void ListCertsWithNickname(const std::string& label, - net::CertificateList* result); - - protected: - // Deletes any certificate that has the string |label| as its nickname (exact - // match). - static bool DeleteCertAndKeyByNickname(const std::string& label); + CertificateImporter() {} + virtual ~CertificateImporter() {} + + // Import the |certificates|, which must be a list of ONC Certificate objects. + // Certificates are only imported with web trust for user imports. If + // |onc_trusted_certificates| is not NULL, it will be filled with the list + // of certificates that requested the TrustBit "Web". If the "Remove" field of + // a certificate is enabled, then removes the certificate from the store + // instead of importing. Returns true if all certificates were imported + // successfully. + virtual bool ImportCertificates( + const base::ListValue& certificates, + onc::ONCSource source, + net::CertificateList* onc_trusted_certificates) = 0; private: - // Parses and stores/removes |certificate| in/from the certificate - // store. Returns true if the operation succeeded. 
- bool ParseAndStoreCertificate( - const base::DictionaryValue& certificate, - net::CertificateList* onc_trusted_certificates, - CertsByGUID* imported_server_and_ca_certs); - - bool ParseServerOrCaCertificate( - const std::string& cert_type, - const std::string& guid, - const base::DictionaryValue& certificate, - net::CertificateList* onc_trusted_certificates, - CertsByGUID* imported_server_and_ca_certs); - - bool ParseClientCertificate(const std::string& guid, - const base::DictionaryValue& certificate); - - // Whether certificates with TrustBits attribute "Web" should be stored with - // web trust. - bool allow_trust_imports_; - DISALLOW_COPY_AND_ASSIGN(CertificateImporter); }; diff --git a/chromeos/network/onc/onc_certificate_importer.cc b/chromeos/network/onc/onc_certificate_importer_impl.cc index 0ed9faf..c21a5ae 100644 --- a/chromeos/network/onc/onc_certificate_importer.cc +++ b/chromeos/network/onc/onc_certificate_importer_impl.cc @@ -1,8 +1,8 @@ -// Copyright (c) 2012 The Chromium Authors. All rights reserved. +// Copyright 2013 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. -#include "chromeos/network/onc/onc_certificate_importer.h" +#include "chromeos/network/onc/onc_certificate_importer_impl.h" #include <cert.h> #include <keyhi.h> 
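Review bot: The new pure-virtual ImportCertificates contract in onc_certificate_importer.h only says it "Returns true if all certificates were imported successfully", which drops the old ParseResult's IMPORT_INCOMPLETE caveat that a failed run may still have stored or removed some of the certificates; the implementation in this commit keeps iterating after a failure (it sets `success = false` and continues the loop), so callers must not read false as "nothing changed". Suggest appending to the interface comment: `// A false return does not mean no certificate was imported: entries that parsed correctly are still stored (or removed); only the failed ones are skipped.` The same caveat belongs on ParseAndStoreCertificates in onc_certificate_importer_impl.h, whose comment currently just says it "implements ImportCertificates".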
@@ -27,15 +27,32 @@ namespace chromeos { namespace onc { -CertificateImporter::CertificateImporter(bool allow_trust_imports) - : allow_trust_imports_(allow_trust_imports) { +CertificateImporterImpl::CertificateImporterImpl() { } -CertificateImporter::ParseResult CertificateImporter::ParseAndStoreCertificates( +bool CertificateImporterImpl::ImportCertificates( + const base::ListValue& certificates, + onc::ONCSource source, + net::CertificateList* onc_trusted_certificates) { + VLOG(2) << "ONC file has " << certificates.GetSize() << " certificates"; + + // Web trust is only granted to certificates imported by the user. + bool allow_trust_imports = source == onc::ONC_SOURCE_USER_IMPORT; + if (!ParseAndStoreCertificates( + allow_trust_imports, certificates, onc_trusted_certificates, NULL)) { + LOG(ERROR) << "Cannot parse some of the certificates in the ONC from " + << onc::GetSourceAsString(source); + return false; + } + return true; +} + +bool CertificateImporterImpl::ParseAndStoreCertificates( + bool allow_trust_imports, const base::ListValue& certificates, net::CertificateList* onc_trusted_certificates, CertsByGUID* imported_server_and_ca_certs) { - size_t successful_imports = 0; + bool success = true; for (size_t i = 0; i < certificates.GetSize(); ++i) { const base::DictionaryValue* certificate = NULL; certificates.GetDictionary(i, &certificate); 
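Review bot: In the rewritten loop of ParseAndStoreCertificates the result of `certificates.GetDictionary(i, &certificate)` is still ignored, and the next hunk dereferences `*certificate` unconditionally, so a list element that is not a dictionary leaves `certificate` NULL; the single line between this hunk and the next is not visible here, and even if it holds a DCHECK that does not protect release builds. Since the commit already introduces the `success` flag, the cheap fix is `if (!certificates.GetDictionary(i, &certificate)) { success = false; continue; }` in place of the bare call; presumably the ONC validator rejects such input earlier, but this function is public and should not depend on that. The function body continues in the next hunk.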
@@ -43,27 +60,22 @@ CertificateImporter::ParseResult CertificateImporter::ParseAndStoreCertificates( VLOG(2) << "Parsing certificate at index " << i << ": " << *certificate; - if (!ParseAndStoreCertificate(*certificate, onc_trusted_certificates, + if (!ParseAndStoreCertificate(allow_trust_imports, + *certificate, + onc_trusted_certificates, imported_server_and_ca_certs)) { + success = false; ONC_LOG_ERROR( base::StringPrintf("Cannot parse certificate at index %zu", i)); } else { VLOG(2) << "Successfully imported certificate at index " << i; - ++successful_imports; } } - - if (successful_imports == certificates.GetSize()) { - return IMPORT_OK; - } else if (successful_imports == 0) { - return IMPORT_FAILED; - } else { - return IMPORT_INCOMPLETE; - } + return success; } // static -void CertificateImporter::ListCertsWithNickname(const std::string& label, +void CertificateImporterImpl::ListCertsWithNickname(const std::string& label, net::CertificateList* result) { net::CertificateList all_certs; net::NSSCertDatabase::GetInstance()->ListCerts(&all_certs); @@ -101,7 +113,8 @@ void CertificateImporter::ListCertsWithNickname(const std::string& label, } // static -bool CertificateImporter::DeleteCertAndKeyByNickname(const std::string& label) { +bool CertificateImporterImpl::DeleteCertAndKeyByNickname( + const std::string& label) { net::CertificateList cert_list; ListCertsWithNickname(label, &cert_list); bool result = true; @@ -120,7 +133,8 @@ bool CertificateImporter::DeleteCertAndKeyByNickname(const std::string& label) { return result; } -bool CertificateImporter::ParseAndStoreCertificate( +bool CertificateImporterImpl::ParseAndStoreCertificate( + bool allow_trust_imports, const base::DictionaryValue& certificate, net::CertificateList* onc_trusted_certificates, CertsByGUID* imported_server_and_ca_certs) { 
@@ -144,7 +158,10 @@ bool CertificateImporter::ParseAndStoreCertificate( certificate.GetStringWithoutPathExpansion(certificate::kType, &cert_type); if (cert_type == certificate::kServer || cert_type == certificate::kAuthority) { - return ParseServerOrCaCertificate(cert_type, guid, certificate, + return ParseServerOrCaCertificate(allow_trust_imports, + cert_type, + guid, + certificate, onc_trusted_certificates, imported_server_and_ca_certs); } else if (cert_type == certificate::kClient) { @@ -155,7 +172,8 @@ bool CertificateImporter::ParseAndStoreCertificate( return false; } -bool CertificateImporter::ParseServerOrCaCertificate( +bool CertificateImporterImpl::ParseServerOrCaCertificate( + bool allow_trust_imports, const std::string& cert_type, const std::string& guid, const base::DictionaryValue& certificate, @@ -186,7 +204,7 @@ bool CertificateImporter::ParseServerOrCaCertificate( bool import_with_ssl_trust = false; if (web_trust_flag) { - if (!allow_trust_imports_) + if (!allow_trust_imports) ONC_LOG_WARNING("Web trust not granted for certificate: " + guid); else import_with_ssl_trust = true; @@ -270,7 +288,7 @@ bool CertificateImporter::ParseServerOrCaCertificate( return true; } -bool CertificateImporter::ParseClientCertificate( +bool CertificateImporterImpl::ParseClientCertificate( const std::string& guid, const base::DictionaryValue& certificate) { std::string pkcs12_data; diff --git a/chromeos/network/onc/onc_certificate_importer_impl.h b/chromeos/network/onc/onc_certificate_importer_impl.h new file mode 100644 index 0000000..87fea6c --- /dev/null +++ b/chromeos/network/onc/onc_certificate_importer_impl.h 
@@ -0,0 +1,99 @@
+// Copyright 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CHROMEOS_NETWORK_ONC_ONC_CERTIFICATE_IMPORTER_IMPL_H_
+#define CHROMEOS_NETWORK_ONC_ONC_CERTIFICATE_IMPORTER_IMPL_H_
+
+#include <map>
+#include <string>
+#include <vector>
+
+#include "base/basictypes.h"
+#include "base/memory/ref_counted.h"
+#include "base/memory/scoped_ptr.h"
+#include "chromeos/chromeos_export.h"
+#include "chromeos/network/onc/onc_certificate_importer.h"
+#include "chromeos/network/onc/onc_constants.h"
+
+namespace base {
+class DictionaryValue;
+class ListValue;
+}
+
+namespace net {
+class X509Certificate;
+typedef std::vector<scoped_refptr<X509Certificate> > CertificateList;
+}
+
+namespace chromeos {
+namespace onc {
+
+// This class handles certificate imports from ONC (both policy and user
+// imports) into the certificate store. The GUID of Client certificates is
+// stored together with the certificate as Nickname. In contrast, Server and CA
+// certificates are identified by their PEM and not by GUID.
+// TODO(pneubeck): Replace Nickname by PEM for Client
+// certificates. http://crbug.com/252119
+class CHROMEOS_EXPORT CertificateImporterImpl : public CertificateImporter {
+ public:
+ typedef std::map<std::string, scoped_refptr<net::X509Certificate> >
+ CertsByGUID;
+
+ CertificateImporterImpl();
+
+ // CertificateImporter overrides
+ virtual bool ImportCertificates(
+ const base::ListValue& certificates,
+ onc::ONCSource source,
+ net::CertificateList* onc_trusted_certificates) OVERRIDE;
+
+ // This implements ImportCertificates. Additionally, if
+ // |imported_server_and_ca_certs| is not NULL, it will be filled with the
+ // (GUID, Certificate) pairs of all succesfully imported Server and CA
+ // certificates.
+ bool ParseAndStoreCertificates(bool allow_trust_imports,
+ const base::ListValue& onc_certificates,
+ net::CertificateList* onc_trusted_certificates,
+ CertsByGUID* imported_server_and_ca_certs);
+
+ // Lists the certificates that have the string |label| as their certificate
+ // nickname (exact match).
+ static void ListCertsWithNickname(const std::string& label,
+ net::CertificateList* result);
+
+ private:
+ // Deletes any certificate that has the string |label| as its nickname (exact
+ // match).
+ static bool DeleteCertAndKeyByNickname(const std::string& label);
+
+ // Parses and stores/removes |certificate| in/from the certificate
+ // store. Returns true if the operation succeeded.
+ bool ParseAndStoreCertificate(
+ bool allow_trust_imports,
+ const base::DictionaryValue& certificate,
+ net::CertificateList* onc_trusted_certificates,
+ CertsByGUID* imported_server_and_ca_certs);
+
+ // Imports the Server or CA certificate |certificate|. Web trust is only
+ // applied if the certificate requests the TrustBits attribute "Web" and if
+ // the |allow_trust_imports| permission is granted, otherwise the attribute is
+ // ignored.
+ bool ParseServerOrCaCertificate(
+ bool allow_trust_imports,
+ const std::string& cert_type,
+ const std::string& guid,
+ const base::DictionaryValue& certificate,
+ net::CertificateList* onc_trusted_certificates,
+ CertsByGUID* imported_server_and_ca_certs);
+
+ bool ParseClientCertificate(const std::string& guid,
+ const base::DictionaryValue& certificate);
+
+ DISALLOW_COPY_AND_ASSIGN(CertificateImporterImpl);
+};
+
+} // namespace onc
+} // namespace chromeos
+
+#endif // CHROMEOS_NETWORK_ONC_ONC_CERTIFICATE_IMPORTER_IMPL_H_
diff --git a/chromeos/network/onc/onc_certificate_importer_unittest.cc b/chromeos/network/onc/onc_certificate_importer_impl_unittest.cc
index 7fce5d3..497a610 100644
--- a/chromeos/network/onc/onc_certificate_importer_unittest.cc
+++ b/chromeos/network/onc/onc_certificate_importer_impl_unittest.cc
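Review bot: ParseAndStoreCertificates is public and takes `allow_trust_imports` directly, so any caller holding a CertificateImporterImpl can grant web trust regardless of the ONC source, bypassing the `source == onc::ONC_SOURCE_USER_IMPORT` decision that ImportCertificates makes; the only non-test caller visible in this commit is ImportCertificates itself, and the unit test passes `true` explicitly. Consider moving it to the private section and exposing it to the test with FRIEND_TEST_ALL_PREFIXES, or at least state in its comment that the flag is the trust-policy decision and must be derived from the ONC source rather than hard-coded by production callers. The comment above it also misspells `succesfully`, and "This implements ImportCertificates" would read better as `// Backend of ImportCertificates: |allow_trust_imports| decides whether the TrustBits attribute "Web" is honored for Server and CA certificates.`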
@@ -1,8 +1,8 @@ -// Copyright (c) 2012 The Chromium Authors. All rights reserved. +// Copyright 2013 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. -#include "chromeos/network/onc/onc_certificate_importer.h" +#include "chromeos/network/onc/onc_certificate_importer_impl.h" #include <cert.h> #include <certdb.h> @@ -55,7 +55,7 @@ net::CertType GetCertType(net::X509Certificate::OSCertHandle cert) { } #endif // USE_NSS -class ONCCertificateImporterTest : public testing::Test { +class ONCCertificateImporterImplTest : public testing::Test { public: virtual void SetUp() { ASSERT_TRUE(test_nssdb_.is_open()); @@ -74,12 +74,10 @@ class ONCCertificateImporterTest : public testing::Test { EXPECT_EQ(0ul, ListCertsInSlot().size()); } - virtual ~ONCCertificateImporterTest() {} + virtual ~ONCCertificateImporterImplTest() {} protected: - void AddCertificatesFromFile( - std::string filename, - CertificateImporter::ParseResult expected_parse_result) { + void AddCertificatesFromFile(std::string filename, bool expected_success) { scoped_ptr<base::DictionaryValue> onc = test_utils::ReadTestDictionary(filename); base::Value* certificates_value = NULL; @@ -91,12 +89,13 @@ class ONCCertificateImporterTest : public testing::Test { web_trust_certificates_.clear(); imported_server_and_ca_certs_.clear(); - CertificateImporter importer(true /* allow web trust */); - EXPECT_EQ(expected_parse_result, - importer.ParseAndStoreCertificates( - *certificates, - &web_trust_certificates_, - &imported_server_and_ca_certs_)); + CertificateImporterImpl importer; + EXPECT_EQ( + expected_success, + importer.ParseAndStoreCertificates(true, // allow web trust + *certificates, + &web_trust_certificates_, + &imported_server_and_ca_certs_)); result_list_.clear(); result_list_ = ListCertsInSlot(); 
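Review bot: The fixture's AddCertificatesFromFile now calls `importer.ParseAndStoreCertificates(true, // allow web trust ...)` directly, so nothing in this file exercises ImportCertificates and its rule that web trust is granted only for onc::ONC_SOURCE_USER_IMPORT, which is the security-relevant part of the logic that moved from the deleted CertificateHandler into the impl. Suggest one test that feeds certificate-server.onc through `ImportCertificates` with a source other than onc::ONC_SOURCE_USER_IMPORT and expects `web_trust_certificates_` to stay empty, plus its counterpart with the user-import source expecting one entry. The fixture class continues beyond this hunk.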
@@ -109,7 +108,7 @@ class ONCCertificateImporterTest : public testing::Test { if (!guid) guid = &guid_temporary; - AddCertificatesFromFile(filename, CertificateImporter::IMPORT_OK); + AddCertificatesFromFile(filename, true); ASSERT_EQ(1ul, result_list_.size()); EXPECT_EQ(expected_type, GetCertType(result_list_[0]->os_cert_handle())); @@ -123,7 +122,7 @@ class ONCCertificateImporterTest : public testing::Test { result_list_[0])); } else { // net::USER_CERT EXPECT_TRUE(imported_server_and_ca_certs_.empty()); - CertificateImporter::ListCertsWithNickname(*guid, &result_list_); + CertificateImporterImpl::ListCertsWithNickname(*guid, &result_list_); } } @@ -131,7 +130,7 @@ class ONCCertificateImporterTest : public testing::Test { scoped_refptr<net::CryptoModule> slot_; net::CertificateList result_list_; net::CertificateList web_trust_certificates_; - CertificateImporter::CertsByGUID imported_server_and_ca_certs_; + CertificateImporterImpl::CertsByGUID imported_server_and_ca_certs_; private: net::CertificateList ListCertsInSlot() { 
@@ -164,22 +163,20 @@ class ONCCertificateImporterTest : public testing::Test { crypto::ScopedTestNSSDB test_nssdb_; }; -TEST_F(ONCCertificateImporterTest, MultipleCertificates) { - AddCertificatesFromFile("managed_toplevel2.onc", - CertificateImporter::IMPORT_OK); +TEST_F(ONCCertificateImporterImplTest, MultipleCertificates) { + AddCertificatesFromFile("managed_toplevel2.onc", true); EXPECT_EQ(onc_certificates_->GetSize(), result_list_.size()); EXPECT_EQ(2ul, imported_server_and_ca_certs_.size()); } -TEST_F(ONCCertificateImporterTest, MultipleCertificatesWithFailures) { - AddCertificatesFromFile("toplevel_partially_invalid.onc", - CertificateImporter::IMPORT_INCOMPLETE); +TEST_F(ONCCertificateImporterImplTest, MultipleCertificatesWithFailures) { + AddCertificatesFromFile("toplevel_partially_invalid.onc", false); EXPECT_EQ(3ul, onc_certificates_->GetSize()); EXPECT_EQ(1ul, result_list_.size()); EXPECT_TRUE(imported_server_and_ca_certs_.empty()); } -TEST_F(ONCCertificateImporterTest, AddClientCertificate) { +TEST_F(ONCCertificateImporterImplTest, AddClientCertificate) { std::string guid; AddCertificateFromFile("certificate-client.onc", net::USER_CERT, &guid); EXPECT_TRUE(web_trust_certificates_.empty()); @@ -216,7 +213,7 @@ TEST_F(ONCCertificateImporterTest, AddClientCertificate) { } } -TEST_F(ONCCertificateImporterTest, AddServerCertificateWithWebTrust) { +TEST_F(ONCCertificateImporterImplTest, AddServerCertificateWithWebTrust) { AddCertificateFromFile("certificate-server.onc", net::SERVER_CERT, NULL); SECKEYPrivateKeyList* privkey_list = @@ -233,7 +230,7 @@ TEST_F(ONCCertificateImporterTest, AddServerCertificateWithWebTrust) { web_trust_certificates_[0]->os_cert_handle())); } -TEST_F(ONCCertificateImporterTest, AddWebAuthorityCertificateWithWebTrust) { +TEST_F(ONCCertificateImporterImplTest, AddWebAuthorityCertificateWithWebTrust) { AddCertificateFromFile("certificate-web-authority.onc", net::CA_CERT, NULL); SECKEYPrivateKeyList* privkey_list = 
@@ -250,7 +247,7 @@ TEST_F(ONCCertificateImporterTest, AddWebAuthorityCertificateWithWebTrust) { web_trust_certificates_[0]->os_cert_handle())); } -TEST_F(ONCCertificateImporterTest, AddAuthorityCertificateWithoutWebTrust) { +TEST_F(ONCCertificateImporterImplTest, AddAuthorityCertificateWithoutWebTrust) { AddCertificateFromFile("certificate-authority.onc", net::CA_CERT, NULL); EXPECT_TRUE(web_trust_certificates_.empty()); @@ -276,12 +273,12 @@ struct CertParam { const char* update_file; }; -class ONCCertificateImporterTestWithParam : - public ONCCertificateImporterTest, +class ONCCertificateImporterImplTestWithParam : + public ONCCertificateImporterImplTest, public testing::WithParamInterface<CertParam> { }; -TEST_P(ONCCertificateImporterTestWithParam, UpdateCertificate) { +TEST_P(ONCCertificateImporterImplTestWithParam, UpdateCertificate) { // First we import a certificate. { SCOPED_TRACE("Import original certificate"); @@ -297,7 +294,7 @@ TEST_P(ONCCertificateImporterTestWithParam, UpdateCertificate) { } } -TEST_P(ONCCertificateImporterTestWithParam, ReimportCertificate) { +TEST_P(ONCCertificateImporterImplTestWithParam, ReimportCertificate) { // Verify that reimporting a client certificate works. for (int i = 0; i < 2; ++i) { SCOPED_TRACE("Import certificate, iteration " + base::IntToString(i)); @@ -307,8 +304,8 @@ TEST_P(ONCCertificateImporterTestWithParam, ReimportCertificate) { } INSTANTIATE_TEST_CASE_P( - ONCCertificateImporterTestWithParam, - ONCCertificateImporterTestWithParam, + ONCCertificateImporterImplTestWithParam, + ONCCertificateImporterImplTestWithParam, ::testing::Values( CertParam(net::USER_CERT, "certificate-client.onc", |