search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Less strict CHECK for DeviceCapabilities results.
[chromium-blink-merge.git] / chromeos / network / client_cert_resolver.cc
blobdd66e94dc21689b29d608dc12cb670ffc541608c
1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "chromeos/network/client_cert_resolver.h"
6
7 #include <cert.h>
8 #include <certt.h> // for (SECCertUsageEnum) certUsageAnyCA
9 #include <pk11pub.h>
10
11 #include <algorithm>
12 #include <string>
13
14 #include "base/bind.h"
15 #include "base/location.h"
16 #include "base/stl_util.h"
17 #include "base/strings/string_number_conversions.h"
18 #include "base/task_runner.h"
19 #include "base/threading/worker_pool.h"
20 #include "base/time/time.h"
21 #include "chromeos/cert_loader.h"
22 #include "chromeos/dbus/dbus_thread_manager.h"
23 #include "chromeos/dbus/shill_service_client.h"
24 #include "chromeos/network/certificate_pattern.h"
25 #include "chromeos/network/client_cert_util.h"
26 #include "chromeos/network/favorite_state.h"
27 #include "chromeos/network/managed_network_configuration_handler.h"
28 #include "chromeos/network/network_state_handler.h"
29 #include "chromeos/network/network_ui_data.h"
30 #include "chromeos/tpm_token_loader.h"
31 #include "components/onc/onc_constants.h"
32 #include "dbus/object_path.h"
33 #include "net/cert/scoped_nss_types.h"
34 #include "net/cert/x509_certificate.h"
35
36 namespace chromeos {
37
38 // Describes a network |network_path| for which a matching certificate |cert_id|
39 // was found.
40 struct ClientCertResolver::NetworkAndMatchingCert {
41 NetworkAndMatchingCert(const std::string& network_path,
42 client_cert::ConfigType config_type,
43 const std::string& cert_id)
44 : service_path(network_path),
45 cert_config_type(config_type),
46 pkcs11_id(cert_id) {}
47
48 std::string service_path;
49 client_cert::ConfigType cert_config_type;
50 // The id of the matching certificate.
51 std::string pkcs11_id;
52 };
53
54 typedef std::vector<ClientCertResolver::NetworkAndMatchingCert>
55 NetworkCertMatches;
56
57 namespace {
58
59 // Returns true if |vector| contains |value|.
60 template <class T>
61 bool ContainsValue(const std::vector<T>& vector, const T& value) {
62 return find(vector.begin(), vector.end(), value) != vector.end();
63 }
64
65 // Returns true if a private key for certificate |cert| is installed.
66 bool HasPrivateKey(const net::X509Certificate& cert) {
67 PK11SlotInfo* slot = PK11_KeyForCertExists(cert.os_cert_handle(), NULL, NULL);
68 if (!slot)
69 return false;
70
71 PK11_FreeSlot(slot);
72 return true;
73 }
74
75 // Describes a certificate which is issued by |issuer| (encoded as PEM).
76 struct CertAndIssuer {
77 CertAndIssuer(const scoped_refptr<net::X509Certificate>& certificate,
78 const std::string& issuer)
79 : cert(certificate),
80 pem_encoded_issuer(issuer) {}
81
82 scoped_refptr<net::X509Certificate> cert;
83 std::string pem_encoded_issuer;
84 };
85
86 bool CompareCertExpiration(const CertAndIssuer& a,
87 const CertAndIssuer& b) {
88 return (a.cert->valid_expiry() > b.cert->valid_expiry());
89 }
90
91 // Describes a network that is configured with the certificate pattern
92 // |client_cert_pattern|.
93 struct NetworkAndCertPattern {
94 NetworkAndCertPattern(const std::string& network_path,
95 client_cert::ConfigType config_type,
96 const CertificatePattern& pattern)
97 : service_path(network_path),
98 cert_config_type(config_type),
99 client_cert_pattern(pattern) {}
100 std::string service_path;
101 client_cert::ConfigType cert_config_type;
102 CertificatePattern client_cert_pattern;
103 };
104
105 // A unary predicate that returns true if the given CertAndIssuer matches the
106 // certificate pattern of the NetworkAndCertPattern.
107 struct MatchCertWithPattern {
108 explicit MatchCertWithPattern(const NetworkAndCertPattern& pattern)
109 : net_and_pattern(pattern) {}
110
111 bool operator()(const CertAndIssuer& cert_and_issuer) {
112 const CertificatePattern& pattern = net_and_pattern.client_cert_pattern;
113 if (!pattern.issuer().Empty() &&
114 !client_cert::CertPrincipalMatches(pattern.issuer(),
115 cert_and_issuer.cert->issuer())) {
116 return false;
117 }
118 if (!pattern.subject().Empty() &&
119 !client_cert::CertPrincipalMatches(pattern.subject(),
120 cert_and_issuer.cert->subject())) {
121 return false;
122 }
123
124 const std::vector<std::string>& issuer_ca_pems = pattern.issuer_ca_pems();
125 if (!issuer_ca_pems.empty() &&
126 !ContainsValue(issuer_ca_pems, cert_and_issuer.pem_encoded_issuer)) {
127 return false;
128 }
129 return true;
130 }
131
132 NetworkAndCertPattern net_and_pattern;
133 };
134
135 // Searches for matches between |networks| and |certs| and writes matches to
136 // |matches|. Because this calls NSS functions and is potentially slow, it must
137 // be run on a worker thread.
138 void FindCertificateMatches(const net::CertificateList& certs,
139 std::vector<NetworkAndCertPattern>* networks,
140 NetworkCertMatches* matches) {
141 // Filter all client certs and determines each certificate's issuer, which is
142 // required for the pattern matching.
143 std::vector<CertAndIssuer> client_certs;
144 for (net::CertificateList::const_iterator it = certs.begin();
145 it != certs.end(); ++it) {
146 const net::X509Certificate& cert = **it;
147 if (cert.valid_expiry().is_null() || cert.HasExpired() ||
148 !HasPrivateKey(cert)) {
149 continue;
150 }
151 net::ScopedCERTCertificate issuer_handle(
152 CERT_FindCertIssuer(cert.os_cert_handle(), PR_Now(), certUsageAnyCA));
153 if (!issuer_handle) {
154 LOG(ERROR) << "Couldn't find an issuer.";
155 continue;
156 }
157 scoped_refptr<net::X509Certificate> issuer =
158 net::X509Certificate::CreateFromHandle(
159 issuer_handle.get(),
160 net::X509Certificate::OSCertHandles() /* no intermediate certs */);
161 if (!issuer) {
162 LOG(ERROR) << "Couldn't create issuer cert.";
163 continue;
164 }
165 std::string pem_encoded_issuer;
166 if (!net::X509Certificate::GetPEMEncoded(issuer->os_cert_handle(),
167 &pem_encoded_issuer)) {
168 LOG(ERROR) << "Couldn't PEM-encode certificate.";
169 continue;
170 }
171 client_certs.push_back(CertAndIssuer(*it, pem_encoded_issuer));
172 }
173
174 std::sort(client_certs.begin(), client_certs.end(), &CompareCertExpiration);
175
176 for (std::vector<NetworkAndCertPattern>::const_iterator it =
177 networks->begin();
178 it != networks->end(); ++it) {
179 std::vector<CertAndIssuer>::iterator cert_it = std::find_if(
180 client_certs.begin(), client_certs.end(), MatchCertWithPattern(*it));
181 if (cert_it == client_certs.end()) {
182 LOG(WARNING) << "Couldn't find a matching client cert for network "
183 << it->service_path;
184 continue;
185 }
186 std::string pkcs11_id = CertLoader::GetPkcs11IdForCert(*cert_it->cert);
187 if (pkcs11_id.empty()) {
188 LOG(ERROR) << "Couldn't determine PKCS#11 ID.";
189 continue;
190 }
191 matches->push_back(ClientCertResolver::NetworkAndMatchingCert(
192 it->service_path, it->cert_config_type, pkcs11_id));
193 }
194 }
195
196 // Determines the type of the CertificatePattern configuration, i.e. is it a
197 // pattern within an EAP, IPsec or OpenVPN configuration.
198 client_cert::ConfigType OncToClientCertConfigurationType(
199 const base::DictionaryValue& network_config) {
200 using namespace ::onc;
201
202 const base::DictionaryValue* wifi = NULL;
203 network_config.GetDictionaryWithoutPathExpansion(network_config::kWiFi,
204 &wifi);
205 if (wifi) {
206 const base::DictionaryValue* eap = NULL;
207 wifi->GetDictionaryWithoutPathExpansion(wifi::kEAP, &eap);
208 if (!eap)
209 return client_cert::CONFIG_TYPE_NONE;
210 return client_cert::CONFIG_TYPE_EAP;
211 }
212
213 const base::DictionaryValue* vpn = NULL;
214 network_config.GetDictionaryWithoutPathExpansion(network_config::kVPN, &vpn);
215 if (vpn) {
216 const base::DictionaryValue* openvpn = NULL;
217 vpn->GetDictionaryWithoutPathExpansion(vpn::kOpenVPN, &openvpn);
218 if (openvpn)
219 return client_cert::CONFIG_TYPE_OPENVPN;
220
221 const base::DictionaryValue* ipsec = NULL;
222 vpn->GetDictionaryWithoutPathExpansion(vpn::kIPsec, &ipsec);
223 if (ipsec)
224 return client_cert::CONFIG_TYPE_IPSEC;
225
226 return client_cert::CONFIG_TYPE_NONE;
227 }
228
229 const base::DictionaryValue* ethernet = NULL;
230 network_config.GetDictionaryWithoutPathExpansion(network_config::kEthernet,
231 &ethernet);
232 if (ethernet) {
233 const base::DictionaryValue* eap = NULL;
234 ethernet->GetDictionaryWithoutPathExpansion(wifi::kEAP, &eap);
235 if (eap)
236 return client_cert::CONFIG_TYPE_EAP;
237 return client_cert::CONFIG_TYPE_NONE;
238 }
239
240 return client_cert::CONFIG_TYPE_NONE;
241 }
242
243 void LogError(const std::string& service_path,
244 const std::string& dbus_error_name,
245 const std::string& dbus_error_message) {
246 network_handler::ShillErrorCallbackFunction(
247 "ClientCertResolver.SetProperties failed",
248 service_path,
249 network_handler::ErrorCallback(),
250 dbus_error_name,
251 dbus_error_message);
252 }
253
254 bool ClientCertificatesLoaded() {
255 if (!CertLoader::Get()->certificates_loaded()) {
256 VLOG(1) << "Certificates not loaded yet.";
257 return false;
258 }
259 if (!CertLoader::Get()->IsHardwareBacked()) {
260 VLOG(1) << "TPM is not available.";
261 return false;
262 }
263 return true;
264 }
265
266 } // namespace
267
268 ClientCertResolver::ClientCertResolver()
269 : network_state_handler_(NULL),
270 managed_network_config_handler_(NULL),
271 weak_ptr_factory_(this) {
272 }
273
274 ClientCertResolver::~ClientCertResolver() {
275 if (network_state_handler_)
276 network_state_handler_->RemoveObserver(this, FROM_HERE);
277 if (CertLoader::IsInitialized())
278 CertLoader::Get()->RemoveObserver(this);
279 if (managed_network_config_handler_)
280 managed_network_config_handler_->RemoveObserver(this);
281 }
282
283 void ClientCertResolver::Init(
284 NetworkStateHandler* network_state_handler,
285 ManagedNetworkConfigurationHandler* managed_network_config_handler) {
286 DCHECK(network_state_handler);
287 network_state_handler_ = network_state_handler;
288 network_state_handler_->AddObserver(this, FROM_HERE);
289
290 DCHECK(managed_network_config_handler);
291 managed_network_config_handler_ = managed_network_config_handler;
292 managed_network_config_handler_->AddObserver(this);
293
294 CertLoader::Get()->AddObserver(this);
295 }
296
297 void ClientCertResolver::SetSlowTaskRunnerForTest(
298 const scoped_refptr<base::TaskRunner>& task_runner) {
299 slow_task_runner_for_test_ = task_runner;
300 }
301
302 void ClientCertResolver::NetworkListChanged() {
303 VLOG(2) << "NetworkListChanged.";
304 if (!ClientCertificatesLoaded())
305 return;
306 // Configure only networks that were not configured before.
307
308 // We'll drop networks from |resolved_networks_|, which are not known anymore.
309 std::set<std::string> old_resolved_networks;
310 old_resolved_networks.swap(resolved_networks_);
311
312 FavoriteStateList networks;
313 network_state_handler_->GetFavoriteList(&networks);
314
315 FavoriteStateList networks_to_check;
316 for (FavoriteStateList::const_iterator it = networks.begin();
317 it != networks.end(); ++it) {
318 const std::string& service_path = (*it)->path();
319 if (ContainsKey(old_resolved_networks, service_path)) {
320 resolved_networks_.insert(service_path);
321 continue;
322 }
323 networks_to_check.push_back(*it);
324 }
325
326 ResolveNetworks(networks_to_check);
327 }
328
329 void ClientCertResolver::OnCertificatesLoaded(
330 const net::CertificateList& cert_list,
331 bool initial_load) {
332 VLOG(2) << "OnCertificatesLoaded.";
333 if (!ClientCertificatesLoaded())
334 return;
335 // Compare all networks with all certificates.
336 FavoriteStateList networks;
337 network_state_handler_->GetFavoriteList(&networks);
338 ResolveNetworks(networks);
339 }
340
341 void ClientCertResolver::PolicyApplied(const std::string& service_path) {
342 VLOG(2) << "PolicyApplied " << service_path;
343 if (!ClientCertificatesLoaded())
344 return;
345 // Compare this network with all certificates.
346 const FavoriteState* network =
347 network_state_handler_->GetFavoriteState(service_path);
348 if (!network) {
349 LOG(ERROR) << "service path '" << service_path << "' unknown.";
350 return;
351 }
352 FavoriteStateList networks;
353 networks.push_back(network);
354 ResolveNetworks(networks);
355 }
356
357 void ClientCertResolver::ResolveNetworks(const FavoriteStateList& networks) {
358 scoped_ptr<std::vector<NetworkAndCertPattern> > networks_with_pattern(
359 new std::vector<NetworkAndCertPattern>);
360
361 // Filter networks with ClientCertPattern. As ClientCertPatterns can only be
362 // set by policy, we check there.
363 for (FavoriteStateList::const_iterator it = networks.begin();
364 it != networks.end(); ++it) {
365 const FavoriteState* network = *it;
366
367 // In any case, don't check this network again in NetworkListChanged.
368 resolved_networks_.insert(network->path());
369
370 // If this network is not managed, it cannot have a ClientCertPattern.
371 if (network->guid().empty())
372 continue;
373
374 if (network->profile_path().empty()) {
375 LOG(ERROR) << "Network " << network->path()
376 << " has a GUID but not profile path";
377 continue;
378 }
379 const base::DictionaryValue* policy =
380 managed_network_config_handler_->FindPolicyByGuidAndProfile(
381 network->guid(), network->profile_path());
382
383 if (!policy) {
384 VLOG(1) << "The policy for network " << network->path() << " with GUID "
385 << network->guid() << " is not available yet.";
386 // Skip this network for now. Once the policy is loaded, PolicyApplied()
387 // will retry.
388 continue;
389 }
390
391 VLOG(2) << "Inspecting network " << network->path();
392 // TODO(pneubeck): Access the ClientCertPattern without relying on
393 // NetworkUIData, which also parses other things that we don't need here.
394 // The ONCSource is irrelevant here.
395 scoped_ptr<NetworkUIData> ui_data(
396 NetworkUIData::CreateFromONC(onc::ONC_SOURCE_NONE, *policy));
397
398 // Skip networks that don't have a ClientCertPattern.
399 if (ui_data->certificate_type() != CLIENT_CERT_TYPE_PATTERN)
400 continue;
401
402 client_cert::ConfigType config_type =
403 OncToClientCertConfigurationType(*policy);
404 if (config_type == client_cert::CONFIG_TYPE_NONE) {
405 LOG(ERROR) << "UIData contains a CertificatePattern, but the policy "
406 << "doesn't. Network: " << network->path();
407 continue;
408 }
409
410 networks_with_pattern->push_back(NetworkAndCertPattern(
411 network->path(), config_type, ui_data->certificate_pattern()));
412 }
413 if (networks_with_pattern->empty())
414 return;
415
416 VLOG(2) << "Start task for resolving client cert patterns.";
417 base::TaskRunner* task_runner = slow_task_runner_for_test_.get();
418 if (!task_runner)
419 task_runner = base::WorkerPool::GetTaskRunner(true /* task is slow */);
420
421 NetworkCertMatches* matches = new NetworkCertMatches;
422 task_runner->PostTaskAndReply(
423 FROM_HERE,
424 base::Bind(&FindCertificateMatches,
425 CertLoader::Get()->cert_list(),
426 base::Owned(networks_with_pattern.release()),
427 matches),
428 base::Bind(&ClientCertResolver::ConfigureCertificates,
429 weak_ptr_factory_.GetWeakPtr(),
430 base::Owned(matches)));
431 }
432
433 void ClientCertResolver::ConfigureCertificates(NetworkCertMatches* matches) {
434 for (NetworkCertMatches::const_iterator it = matches->begin();
435 it != matches->end(); ++it) {
436 VLOG(1) << "Configuring certificate of network " << it->service_path;
437 CertLoader* cert_loader = CertLoader::Get();
438 base::DictionaryValue shill_properties;
439 client_cert::SetShillProperties(
440 it->cert_config_type,
441 base::IntToString(cert_loader->TPMTokenSlotID()),
442 TPMTokenLoader::Get()->tpm_user_pin(),
443 &it->pkcs11_id,
444 &shill_properties);
445 DBusThreadManager::Get()->GetShillServiceClient()->
446 SetProperties(dbus::ObjectPath(it->service_path),
447 shill_properties,
448 base::Bind(&base::DoNothing),
449 base::Bind(&LogError, it->service_path));
450 network_state_handler_->RequestUpdateForNetwork(it->service_path);
451 }
452 }
453
454 } // namespace chromeos