search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Some additional network settings cleanup
[chromium-blink-merge.git] / chromeos / network / client_cert_resolver.cc
bloba416061dd2399b6a5499d8758f2c56ab5ac9da74
1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "chromeos/network/client_cert_resolver.h"
6
7 #include <cert.h>
8 #include <certt.h> // for (SECCertUsageEnum) certUsageAnyCA
9 #include <pk11pub.h>
10
11 #include <algorithm>
12 #include <string>
13
14 #include "base/bind.h"
15 #include "base/location.h"
16 #include "base/stl_util.h"
17 #include "base/task_runner.h"
18 #include "base/threading/worker_pool.h"
19 #include "base/time/time.h"
20 #include "chromeos/cert_loader.h"
21 #include "chromeos/dbus/dbus_thread_manager.h"
22 #include "chromeos/dbus/shill_service_client.h"
23 #include "chromeos/network/managed_network_configuration_handler.h"
24 #include "chromeos/network/network_state.h"
25 #include "components/onc/onc_constants.h"
26 #include "dbus/object_path.h"
27 #include "net/cert/scoped_nss_types.h"
28 #include "net/cert/x509_certificate.h"
29
30 namespace chromeos {
31
32 // Describes a network |network_path| for which a matching certificate |cert_id|
33 // was found or for which no certificate was found (|cert_id| will be empty).
34 struct ClientCertResolver::NetworkAndMatchingCert {
35 NetworkAndMatchingCert(const std::string& network_path,
36 client_cert::ConfigType config_type,
37 const std::string& cert_id,
38 int slot_id)
39 : service_path(network_path),
40 cert_config_type(config_type),
41 pkcs11_id(cert_id),
42 key_slot_id(slot_id) {}
43
44 std::string service_path;
45 client_cert::ConfigType cert_config_type;
46
47 // The id of the matching certificate or empty if no certificate was found.
48 std::string pkcs11_id;
49
50 // The id of the slot containing the certificate and the private key.
51 int key_slot_id;
52 };
53
54 typedef std::vector<ClientCertResolver::NetworkAndMatchingCert>
55 NetworkCertMatches;
56
57 namespace {
58
59 // Returns true if |vector| contains |value|.
60 template <class T>
61 bool ContainsValue(const std::vector<T>& vector, const T& value) {
62 return find(vector.begin(), vector.end(), value) != vector.end();
63 }
64
65 // Returns true if a private key for certificate |cert| is installed.
66 bool HasPrivateKey(const net::X509Certificate& cert) {
67 PK11SlotInfo* slot = PK11_KeyForCertExists(cert.os_cert_handle(), NULL, NULL);
68 if (!slot)
69 return false;
70
71 PK11_FreeSlot(slot);
72 return true;
73 }
74
75 // Describes a certificate which is issued by |issuer| (encoded as PEM).
76 struct CertAndIssuer {
77 CertAndIssuer(const scoped_refptr<net::X509Certificate>& certificate,
78 const std::string& issuer)
79 : cert(certificate),
80 pem_encoded_issuer(issuer) {}
81
82 scoped_refptr<net::X509Certificate> cert;
83 std::string pem_encoded_issuer;
84 };
85
86 bool CompareCertExpiration(const CertAndIssuer& a,
87 const CertAndIssuer& b) {
88 return (a.cert->valid_expiry() > b.cert->valid_expiry());
89 }
90
91 // Describes a network that is configured with the certificate pattern
92 // |client_cert_pattern|.
93 struct NetworkAndCertPattern {
94 NetworkAndCertPattern(const std::string& network_path,
95 const client_cert::ClientCertConfig& client_cert_config)
96 : service_path(network_path),
97 cert_config(client_cert_config) {}
98
99 std::string service_path;
100 client_cert::ClientCertConfig cert_config;
101 };
102
103 // A unary predicate that returns true if the given CertAndIssuer matches the
104 // given certificate pattern.
105 struct MatchCertWithPattern {
106 explicit MatchCertWithPattern(const CertificatePattern& cert_pattern)
107 : pattern(cert_pattern) {}
108
109 bool operator()(const CertAndIssuer& cert_and_issuer) {
110 if (!pattern.issuer().Empty() &&
111 !client_cert::CertPrincipalMatches(pattern.issuer(),
112 cert_and_issuer.cert->issuer())) {
113 return false;
114 }
115 if (!pattern.subject().Empty() &&
116 !client_cert::CertPrincipalMatches(pattern.subject(),
117 cert_and_issuer.cert->subject())) {
118 return false;
119 }
120
121 const std::vector<std::string>& issuer_ca_pems = pattern.issuer_ca_pems();
122 if (!issuer_ca_pems.empty() &&
123 !ContainsValue(issuer_ca_pems, cert_and_issuer.pem_encoded_issuer)) {
124 return false;
125 }
126 return true;
127 }
128
129 const CertificatePattern pattern;
130 };
131
132 std::vector<CertAndIssuer> CreateSortedCertAndIssuerList(
133 const net::CertificateList& certs) {
134 // Filter all client certs and determines each certificate's issuer, which is
135 // required for the pattern matching.
136 std::vector<CertAndIssuer> client_certs;
137 for (net::CertificateList::const_iterator it = certs.begin();
138 it != certs.end(); ++it) {
139 const net::X509Certificate& cert = **it;
140 if (cert.valid_expiry().is_null() || cert.HasExpired() ||
141 !HasPrivateKey(cert)) {
142 continue;
143 }
144 net::ScopedCERTCertificate issuer_handle(
145 CERT_FindCertIssuer(cert.os_cert_handle(), PR_Now(), certUsageAnyCA));
146 if (!issuer_handle) {
147 LOG(ERROR) << "Couldn't find an issuer.";
148 continue;
149 }
150 scoped_refptr<net::X509Certificate> issuer =
151 net::X509Certificate::CreateFromHandle(
152 issuer_handle.get(),
153 net::X509Certificate::OSCertHandles() /* no intermediate certs */);
154 if (!issuer.get()) {
155 LOG(ERROR) << "Couldn't create issuer cert.";
156 continue;
157 }
158 std::string pem_encoded_issuer;
159 if (!net::X509Certificate::GetPEMEncoded(issuer->os_cert_handle(),
160 &pem_encoded_issuer)) {
161 LOG(ERROR) << "Couldn't PEM-encode certificate.";
162 continue;
163 }
164 client_certs.push_back(CertAndIssuer(*it, pem_encoded_issuer));
165 }
166
167 std::sort(client_certs.begin(), client_certs.end(), &CompareCertExpiration);
168 return client_certs;
169 }
170
171 // Searches for matches between |networks| and |certs| and writes matches to
172 // |matches|. Because this calls NSS functions and is potentially slow, it must
173 // be run on a worker thread.
174 void FindCertificateMatches(const net::CertificateList& certs,
175 std::vector<NetworkAndCertPattern>* networks,
176 NetworkCertMatches* matches) {
177 std::vector<CertAndIssuer> client_certs(CreateSortedCertAndIssuerList(certs));
178
179 for (std::vector<NetworkAndCertPattern>::const_iterator it =
180 networks->begin();
181 it != networks->end(); ++it) {
182 std::vector<CertAndIssuer>::iterator cert_it =
183 std::find_if(client_certs.begin(),
184 client_certs.end(),
185 MatchCertWithPattern(it->cert_config.pattern));
186 std::string pkcs11_id;
187 int slot_id = -1;
188 if (cert_it == client_certs.end()) {
189 VLOG(1) << "Couldn't find a matching client cert for network "
190 << it->service_path;
191 // Leave |pkcs11_id| empty to indicate that no cert was found for this
192 // network.
193 } else {
194 pkcs11_id =
195 CertLoader::GetPkcs11IdAndSlotForCert(*cert_it->cert, &slot_id);
196 if (pkcs11_id.empty()) {
197 LOG(ERROR) << "Couldn't determine PKCS#11 ID.";
198 // So far this error is not expected to happen. We can just continue, in
199 // the worst case the user can remove the problematic cert.
200 continue;
201 }
202 }
203 matches->push_back(ClientCertResolver::NetworkAndMatchingCert(
204 it->service_path, it->cert_config.location, pkcs11_id, slot_id));
205 }
206 }
207
208 void LogError(const std::string& service_path,
209 const std::string& dbus_error_name,
210 const std::string& dbus_error_message) {
211 network_handler::ShillErrorCallbackFunction(
212 "ClientCertResolver.SetProperties failed",
213 service_path,
214 network_handler::ErrorCallback(),
215 dbus_error_name,
216 dbus_error_message);
217 }
218
219 bool ClientCertificatesLoaded() {
220 if (!CertLoader::Get()->certificates_loaded()) {
221 VLOG(1) << "Certificates not loaded yet.";
222 return false;
223 }
224 if (!CertLoader::Get()->IsHardwareBacked()) {
225 VLOG(1) << "TPM is not available.";
226 return false;
227 }
228 return true;
229 }
230
231 } // namespace
232
233 ClientCertResolver::ClientCertResolver()
234 : network_state_handler_(NULL),
235 managed_network_config_handler_(NULL),
236 weak_ptr_factory_(this) {
237 }
238
239 ClientCertResolver::~ClientCertResolver() {
240 if (network_state_handler_)
241 network_state_handler_->RemoveObserver(this, FROM_HERE);
242 if (CertLoader::IsInitialized())
243 CertLoader::Get()->RemoveObserver(this);
244 if (managed_network_config_handler_)
245 managed_network_config_handler_->RemoveObserver(this);
246 }
247
248 void ClientCertResolver::Init(
249 NetworkStateHandler* network_state_handler,
250 ManagedNetworkConfigurationHandler* managed_network_config_handler) {
251 DCHECK(network_state_handler);
252 network_state_handler_ = network_state_handler;
253 network_state_handler_->AddObserver(this, FROM_HERE);
254
255 DCHECK(managed_network_config_handler);
256 managed_network_config_handler_ = managed_network_config_handler;
257 managed_network_config_handler_->AddObserver(this);
258
259 CertLoader::Get()->AddObserver(this);
260 }
261
262 void ClientCertResolver::SetSlowTaskRunnerForTest(
263 const scoped_refptr<base::TaskRunner>& task_runner) {
264 slow_task_runner_for_test_ = task_runner;
265 }
266
267 // static
268 bool ClientCertResolver::ResolveCertificatePatternSync(
269 const client_cert::ConfigType client_cert_type,
270 const CertificatePattern& pattern,
271 base::DictionaryValue* shill_properties) {
272 // Prepare and sort the list of known client certs.
273 std::vector<CertAndIssuer> client_certs(
274 CreateSortedCertAndIssuerList(CertLoader::Get()->cert_list()));
275
276 // Search for a certificate matching the pattern.
277 std::vector<CertAndIssuer>::iterator cert_it = std::find_if(
278 client_certs.begin(), client_certs.end(), MatchCertWithPattern(pattern));
279
280 if (cert_it == client_certs.end()) {
281 VLOG(1) << "Couldn't find a matching client cert";
282 client_cert::SetEmptyShillProperties(client_cert_type, shill_properties);
283 return false;
284 }
285
286 int slot_id = -1;
287 std::string pkcs11_id =
288 CertLoader::GetPkcs11IdAndSlotForCert(*cert_it->cert, &slot_id);
289 if (pkcs11_id.empty()) {
290 LOG(ERROR) << "Couldn't determine PKCS#11 ID.";
291 // So far this error is not expected to happen. We can just continue, in
292 // the worst case the user can remove the problematic cert.
293 return false;
294 }
295 client_cert::SetShillProperties(
296 client_cert_type, slot_id, pkcs11_id, shill_properties);
297 return true;
298 }
299
300 void ClientCertResolver::NetworkListChanged() {
301 VLOG(2) << "NetworkListChanged.";
302 if (!ClientCertificatesLoaded())
303 return;
304 // Configure only networks that were not configured before.
305
306 // We'll drop networks from |resolved_networks_|, which are not known anymore.
307 std::set<std::string> old_resolved_networks;
308 old_resolved_networks.swap(resolved_networks_);
309
310 NetworkStateHandler::NetworkStateList networks;
311 network_state_handler_->GetNetworkListByType(
312 NetworkTypePattern::Default(),
313 true /* configured_only */,
314 false /* visible_only */,
315 0 /* no limit */,
316 &networks);
317
318 NetworkStateHandler::NetworkStateList networks_to_check;
319 for (NetworkStateHandler::NetworkStateList::const_iterator it =
320 networks.begin(); it != networks.end(); ++it) {
321 const std::string& service_path = (*it)->path();
322 if (ContainsKey(old_resolved_networks, service_path)) {
323 resolved_networks_.insert(service_path);
324 continue;
325 }
326 networks_to_check.push_back(*it);
327 }
328
329 ResolveNetworks(networks_to_check);
330 }
331
332 void ClientCertResolver::OnCertificatesLoaded(
333 const net::CertificateList& cert_list,
334 bool initial_load) {
335 VLOG(2) << "OnCertificatesLoaded.";
336 if (!ClientCertificatesLoaded())
337 return;
338 // Compare all networks with all certificates.
339 NetworkStateHandler::NetworkStateList networks;
340 network_state_handler_->GetNetworkListByType(
341 NetworkTypePattern::Default(),
342 true /* configured_only */,
343 false /* visible_only */,
344 0 /* no limit */,
345 &networks);
346 ResolveNetworks(networks);
347 }
348
349 void ClientCertResolver::PolicyApplied(const std::string& service_path) {
350 VLOG(2) << "PolicyApplied " << service_path;
351 if (!ClientCertificatesLoaded())
352 return;
353 // Compare this network with all certificates.
354 const NetworkState* network =
355 network_state_handler_->GetNetworkStateFromServicePath(
356 service_path, true /* configured_only */);
357 if (!network) {
358 LOG(ERROR) << "service path '" << service_path << "' unknown.";
359 return;
360 }
361 NetworkStateHandler::NetworkStateList networks;
362 networks.push_back(network);
363 ResolveNetworks(networks);
364 }
365
366 void ClientCertResolver::ResolveNetworks(
367 const NetworkStateHandler::NetworkStateList& networks) {
368 scoped_ptr<std::vector<NetworkAndCertPattern> > networks_with_pattern(
369 new std::vector<NetworkAndCertPattern>);
370
371 // Filter networks with ClientCertPattern. As ClientCertPatterns can only be
372 // set by policy, we check there.
373 for (NetworkStateHandler::NetworkStateList::const_iterator it =
374 networks.begin(); it != networks.end(); ++it) {
375 const NetworkState* network = *it;
376
377 // In any case, don't check this network again in NetworkListChanged.
378 resolved_networks_.insert(network->path());
379
380 // If this network is not configured, it cannot have a ClientCertPattern.
381 if (network->profile_path().empty())
382 continue;
383
384 const base::DictionaryValue* policy =
385 managed_network_config_handler_->FindPolicyByGuidAndProfile(
386 network->guid(), network->profile_path());
387
388 if (!policy) {
389 VLOG(1) << "The policy for network " << network->path() << " with GUID "
390 << network->guid() << " is not available yet.";
391 // Skip this network for now. Once the policy is loaded, PolicyApplied()
392 // will retry.
393 continue;
394 }
395
396 VLOG(2) << "Inspecting network " << network->path();
397 client_cert::ClientCertConfig cert_config;
398 OncToClientCertConfig(*policy, &cert_config);
399
400 // Skip networks that don't have a ClientCertPattern.
401 if (cert_config.client_cert_type != ::onc::client_cert::kPattern)
402 continue;
403
404 networks_with_pattern->push_back(
405 NetworkAndCertPattern(network->path(), cert_config));
406 }
407 if (networks_with_pattern->empty())
408 return;
409
410 VLOG(2) << "Start task for resolving client cert patterns.";
411 base::TaskRunner* task_runner = slow_task_runner_for_test_.get();
412 if (!task_runner)
413 task_runner =
414 base::WorkerPool::GetTaskRunner(true /* task is slow */).get();
415
416 NetworkCertMatches* matches = new NetworkCertMatches;
417 task_runner->PostTaskAndReply(
418 FROM_HERE,
419 base::Bind(&FindCertificateMatches,
420 CertLoader::Get()->cert_list(),
421 base::Owned(networks_with_pattern.release()),
422 matches),
423 base::Bind(&ClientCertResolver::ConfigureCertificates,
424 weak_ptr_factory_.GetWeakPtr(),
425 base::Owned(matches)));
426 }
427
428 void ClientCertResolver::ConfigureCertificates(NetworkCertMatches* matches) {
429 for (NetworkCertMatches::const_iterator it = matches->begin();
430 it != matches->end(); ++it) {
431 VLOG(1) << "Configuring certificate of network " << it->service_path;
432 base::DictionaryValue shill_properties;
433 if (it->pkcs11_id.empty()) {
434 client_cert::SetEmptyShillProperties(it->cert_config_type,
435 &shill_properties);
436 } else {
437 client_cert::SetShillProperties(it->cert_config_type,
438 it->key_slot_id,
439 it->pkcs11_id,
440 &shill_properties);
441 }
442 DBusThreadManager::Get()->GetShillServiceClient()->
443 SetProperties(dbus::ObjectPath(it->service_path),
444 shill_properties,
445 base::Bind(&base::DoNothing),
446 base::Bind(&LogError, it->service_path));
447 network_state_handler_->RequestUpdateForNetwork(it->service_path);
448 }
449 }
450
451 } // namespace chromeos