authorpneubeck@chromium.org <pneubeck@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-12-16 13:08:13 +0000
committerpneubeck@chromium.org <pneubeck@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-12-16 13:08:13 +0000
commit7f123d2a3dc472dd796c13e2d7d599446fe9831d (patch)
tree6f3ead0503ad43e7d88db6d130ae4b65f89bf5a4 /components/onc
parentff39e9b81c8619d19a318a8d97d0bac552d455b4 (diff)
ONC: Allow multiple CA certificates.
So far only a single CA certificate was supported for EAP/IPsec/OpenVPN. Instead, we now support multiple CA certs. These are provided as a list of GUID references to CA certificates in the toplevel "Certificates" section. BUG=276291 R=armansito@chromium.org, davidroche@chromium.org Review URL: https://codereview.chromium.org/68343010 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@240874 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'components/onc')
-rw-r--r--components/onc/docs/onc_spec.html72
-rw-r--r--components/onc/onc_constants.cc7
-rw-r--r--components/onc/onc_constants.h7
3 files changed, 69 insertions, 17 deletions
diff --git a/components/onc/docs/onc_spec.html b/components/onc/docs/onc_spec.html
index 709ca0f..10b2f0f 100644
--- a/components/onc/docs/onc_spec.html
+++ b/components/onc/docs/onc_spec.html
@@ -658,7 +658,7 @@
<span class="rule">
<span class="rule_id"></span>
Allowed values are <span class="value">PSK</span> and
- <span class="value">Cert</span>
+ <span class="value">Cert</span>. If <span class="value">Cert</span> is used, <span class="field">ClientCertType</span> and <span class="field">ServerCARefs</span> (or the deprecated <span class="field">ServerCARef</span>) must be set.
</span>
</dd>
@@ -749,14 +749,25 @@
(PSK) each time they connect.
</dd>
+ <dt class="field">ServerCARefs</dt>
+ <dd>
+ <span class="field_meta">
+ (optional if <span class="field">AuthenticationType</span>
+ is <span class="value">Cert</span>, otherwise rejected)
+ <span class="type">array of string</span>
+ </span>
+ Non-empty list of references to CA certificates in <span class="field">Certificates</span> to be used for verifying the host's certificate chain. At least one of the CA certificates must match. If this field is set, <span class="field">ServerCARef</span> must be unset.
+ </dd>
+
<dt class="field">ServerCARef</dt>
<dd>
<span class="field_meta">
- (required if <span class="field">AuthenticationType</span>
+ (optional if <span class="field">AuthenticationType</span>
is <span class="value">Cert</span>, otherwise rejected)
<span class="type">string</span>
</span>
- Reference to server certificate authority stored in certificate section.
+ DEPRECATED, use <span class="field">ServerCARefs</span> instead.<br/>
+ Reference to a CA certificate in <span class="field">Certificates</span>. Certificate authority to use for verifying connection. If this field is set, <span class="field">ServerCARefs</span> must be unset.
</dd>
<dt class="field">XAUTH</dt>
@@ -771,6 +782,16 @@
</dd>
</dl>
+ <p class="rule">
+ <span class="rule_id"></span>
+ If <span class="field">AuthenticationType</span> is set to <span class="value">Cert</span>, <span class="field">ServerCARefs</span> or <span class="field">ServerCARef</span> must be set.
+ </p>
+
+ <p class="rule">
+ <span class="rule_id"></span>
+ At most one of <span class="field">ServerCARefs</span> and <span class="field">ServerCARef</span> can be set.
+ </p>
+
<p>
<span class="type">L2TP</span> type contains the following:
</p>
@@ -1108,14 +1129,23 @@
each time they connect.
</dd>
+ <dt class="field">ServerCARefs</dt>
+ <dd>
+ <span class="field_meta">
+ (optional)
+ <span class="type">array of string</span>
+ </span>
+ Non-empty list of references to CA certificates in <span class="field">Certificates</span> to be used for verifying the host's certificate chain. At least one of the CA certificates must match. See also OpenVPN's command line option "--ca". If this field is set, <span class="field">ServerCARef</span> must be unset.
+ </dd>
+
<dt class="field">ServerCARef</dt>
<dd>
<span class="field_meta">
(optional)
<span class="type">string</span>
</span>
- Reference to a certificate. Certificate authority to use for verifying
- connection.
+ DEPRECATED, use <span class="field">ServerCARefs</span> instead.<br/>
+ Reference to a CA certificate in <span class="field">Certificates</span>. Certificate authority to use for verifying connection. If this field is set, <span class="field">ServerCARefs</span> must be unset.
</dd>
<dt class="field">ServerCertRef</dt>
@@ -1215,6 +1245,11 @@
</dd>
</dl>
+ <p class="rule">
+ <span class="rule_id"></span>
+ At most one of <span class="field">ServerCARefs</span> and <span class="field">ServerCARef</span> can be set.
+ </p>
+
<p>
<span class="type">VerifyX509</span> type contains the following:
</p>
@@ -1618,16 +1653,23 @@
<span class="value">false</span> is not allowed.
</dd>
+ <dt class="field">ServerCARefs</dt>
+ <dd>
+ <span class="field_meta">
+ (optional)
+ <span class="type">array of string</span>
+ </span>
+ Non-empty list of references to CA certificates in <span class="field">Certificates</span> to be used for verifying the host's certificate chain. At least one of the CA certificates must match. If this field is set, <span class="field">ServerCARef</span> must be unset. If neither <span class="field">ServerCARefs</span> nor <span class="field">ServerCARef</span> is set, the client does not check that the server certificate is signed by a specific CA. A verification using the system's CA certificates may still apply. See <span class="field">UseSystemCAs</span> for this.
+ </dd>
+
<dt class="field">ServerCARef</dt>
<dd>
<span class="field_meta">
(optional)
<span class="type">string</span>
</span>
- Reference to server certificate authority stored in certificate
- section. If not specified, client does not check the server certificate is
- signed by a specific CA. It will still check the server CA
- if <span class="field">UseSystemCAs</span> is set.
+ DEPRECATED, use <span class="field">ServerCARefs</span> instead.<br/>
+ Reference to a CA certificate in <span class="field">Certificates</span>. If this field is set, <span class="field">ServerCARefs</span> must be unset. If neither <span class="field">ServerCARefs</span> nor <span class="field">ServerCARef</span> is set, the client does not check that the server certificate is signed by a specific CA. A verification using the system's CA certificates may still apply. See <span class="field">UseSystemCAs</span> for this.
</dd>
<dt class="field">UseSystemCAs</dt>
@@ -1637,15 +1679,19 @@
<span class="type">boolean</span>
</span>
Required server certificate to be signed by "system default certificate
- authorities". If both <span class="field">ServerCARef</span>
+ authorities". If both <span class="field">ServerCARefs</span> (or <span class="field">ServerCARef</span>)
and <span class="field">UseSystemCAs</span> are supplied, a server
certificate will be allowed if it either has a chain of trust to a system
- CA or to the given server CA. If <span class="field">UseSystemCAs</span>
- is <span class="value">false</span>, and
- no <span class="field">ServerCARef</span> is set, then the certificate
+ CA or to one of the given CA certificates. If <span class="field">UseSystemCAs</span>
+ is <span class="value">false</span>, and no <span class="field">ServerCARef</span> is set, the certificate
must be a self signed certificate, and no CA signature is required.
</dd>
</dl>
+
+ <p class="rule">
+ <span class="rule_id"></span>
+ At most one of <span class="field">ServerCARefs</span> and <span class="field">ServerCARef</span> can be set.
+ </p>
</section>
<section>
diff --git a/components/onc/onc_constants.cc b/components/onc/onc_constants.cc
index efd2b9d..68b8755 100644
--- a/components/onc/onc_constants.cc
+++ b/components/onc/onc_constants.cc
@@ -205,6 +205,7 @@ const char kPassword[] = "Password";
const char kSaveCredentials[] = "SaveCredentials";
const char kServerCAPEMs[] = "ServerCAPEMs";
const char kServerCARef[] = "ServerCARef";
+const char kServerCARefs[] = "ServerCARefs";
const char kUseSystemCAs[] = "UseSystemCAs";
} // namespace eap
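Review bot: Adding `kServerCARefs` here (and in the ipsec and openvpn hunks below) does not by itself enforce the two rules the spec hunks introduce for this field: the list must be non-empty, and at most one of `ServerCARefs` and `ServerCARef` may be set. That enforcement would live in the ONC validator, which is outside this components/onc view, so it is worth confirming it landed in the same change. The distinction matters for EAP in particular, since the spec text says that when neither field is set the client does not pin the server certificate to a specific CA; an empty `ServerCARefs` list should therefore be rejected by the validator rather than silently treated as "not set".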
@@ -231,8 +232,9 @@ const char kEAP[] = "EAP";
const char kGroup[] = "Group";
const char kIKEVersion[] = "IKEVersion";
const char kPSK[] = "PSK";
-const char kServerCARef[] = "ServerCARef";
const char kServerCAPEMs[] = "ServerCAPEMs";
+const char kServerCARef[] = "ServerCARef";
+const char kServerCARefs[] = "ServerCARefs";
const char kXAUTH[] = "XAUTH";
} // namespace ipsec
@@ -255,8 +257,9 @@ const char kRemoteCertEKU[] = "RemoteCertEKU";
const char kRemoteCertKU[] = "RemoteCertKU";
const char kRemoteCertTLS[] = "RemoteCertTLS";
const char kRenegSec[] = "RenegSec";
-const char kServerCARef[] = "ServerCARef";
const char kServerCAPEMs[] = "ServerCAPEMs";
+const char kServerCARef[] = "ServerCARef";
+const char kServerCARefs[] = "ServerCARefs";
const char kServerCertPEM[] = "ServerCertPEM";
const char kServerCertRef[] = "ServerCertRef";
const char kServerPollTimeout[] = "ServerPollTimeout";
diff --git a/components/onc/onc_constants.h b/components/onc/onc_constants.h
index 4ef51e7..400b340 100644
--- a/components/onc/onc_constants.h
+++ b/components/onc/onc_constants.h
@@ -226,8 +226,9 @@ ONC_EXPORT extern const char kPAP[];
ONC_EXPORT extern const char kPEAP[];
ONC_EXPORT extern const char kPassword[];
ONC_EXPORT extern const char kSaveCredentials[];
-ONC_EXPORT extern const char kServerCARef[];
ONC_EXPORT extern const char kServerCAPEMs[];
+ONC_EXPORT extern const char kServerCARef[];
+ONC_EXPORT extern const char kServerCARefs[];
ONC_EXPORT extern const char kUseSystemCAs[];
} // namespace eap
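Review bot: The spec hunks mark `ServerCARef` as deprecated in favour of `ServerCARefs`, but the declarations in this header (here and in the ipsec and openvpn hunks below) carry no hint of that, so new callers will keep picking up the single-reference constant. A one-line comment above each `kServerCARef` declaration, `// DEPRECATED: use kServerCARefs (list of CA references) instead.`, would make the preferred constant discoverable from the header without changing any value.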
@@ -254,8 +255,9 @@ ONC_EXPORT extern const char kEAP[];
ONC_EXPORT extern const char kGroup[];
ONC_EXPORT extern const char kIKEVersion[];
ONC_EXPORT extern const char kPSK[];
-ONC_EXPORT extern const char kServerCARef[];
ONC_EXPORT extern const char kServerCAPEMs[];
+ONC_EXPORT extern const char kServerCARef[];
+ONC_EXPORT extern const char kServerCARefs[];
ONC_EXPORT extern const char kXAUTH[];
} // namespace ipsec
@@ -280,6 +282,7 @@ ONC_EXPORT extern const char kRemoteCertTLS[];
ONC_EXPORT extern const char kRenegSec[];
ONC_EXPORT extern const char kServerCAPEMs[];
ONC_EXPORT extern const char kServerCARef[];
+ONC_EXPORT extern const char kServerCARefs[];
ONC_EXPORT extern const char kServerCertPEM[];
ONC_EXPORT extern const char kServerCertRef[];
ONC_EXPORT extern const char kServerPollTimeout[];