1 // Copyright 2013 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #include "chromeos/network/client_cert_resolver.h" 6 7 #include <cert.h> 8 #include <certt.h> // for (SECCertUsageEnum) certUsageAnyCA 9 #include <pk11pub.h> 10 11 #include <algorithm> 12 #include <string> 13 14 #include "base/stl_util.h" 15 #include "base/strings/string_number_conversions.h" 16 #include "base/task_runner.h" 17 #include "base/threading/worker_pool.h" 18 #include "base/time/time.h" 19 #include "chromeos/cert_loader.h" 20 #include "chromeos/dbus/dbus_thread_manager.h" 21 #include "chromeos/dbus/shill_service_client.h" 22 #include "chromeos/network/certificate_pattern.h" 23 #include "chromeos/network/client_cert_util.h" 24 #include "chromeos/network/favorite_state.h" 25 #include "chromeos/network/managed_network_configuration_handler.h" 26 #include "chromeos/network/network_state_handler.h" 27 #include "chromeos/network/network_ui_data.h" 28 #include "components/onc/onc_constants.h" 29 #include "dbus/object_path.h" 30 #include "net/cert/x509_certificate.h" 31 32 namespace chromeos { 33 34 // Describes a network |network_path| for which a matching certificate |cert_id| 35 // was found. 36 struct ClientCertResolver::NetworkAndMatchingCert { 37 NetworkAndMatchingCert(const std::string& network_path, 38 client_cert::ConfigType config_type, 39 const std::string& cert_id) 40 : service_path(network_path), 41 cert_config_type(config_type), 42 pkcs11_id(cert_id) {} 43 44 std::string service_path; 45 client_cert::ConfigType cert_config_type; 46 // The id of the matching certificate. 47 std::string pkcs11_id; 48 }; 49 50 typedef std::vector<ClientCertResolver::NetworkAndMatchingCert> 51 NetworkCertMatches; 52 53 namespace { 54 55 // Returns true if |vector| contains |value|. 56 template <class T> 57 bool ContainsValue(const std::vector<T>& vector, const T& value) { 58 return find(vector.begin(), vector.end(), value) != vector.end(); 59 } 60 61 // Returns true if a private key for certificate |cert| is installed. 62 bool HasPrivateKey(const net::X509Certificate& cert) { 63 PK11SlotInfo* slot = PK11_KeyForCertExists(cert.os_cert_handle(), NULL, NULL); 64 if (!slot) 65 return false; 66 67 PK11_FreeSlot(slot); 68 return true; 69 } 70 71 // Describes a certificate which is issued by |issuer| (encoded as PEM). 72 struct CertAndIssuer { 73 CertAndIssuer(const scoped_refptr<net::X509Certificate>& certificate, 74 const std::string& issuer) 75 : cert(certificate), 76 pem_encoded_issuer(issuer) {} 77 78 scoped_refptr<net::X509Certificate> cert; 79 std::string pem_encoded_issuer; 80 }; 81 82 bool CompareCertExpiration(const CertAndIssuer& a, 83 const CertAndIssuer& b) { 84 return (a.cert->valid_expiry() > b.cert->valid_expiry()); 85 } 86 87 // Describes a network that is configured with the certificate pattern 88 // |client_cert_pattern|. 89 struct NetworkAndCertPattern { 90 NetworkAndCertPattern(const std::string& network_path, 91 client_cert::ConfigType config_type, 92 const CertificatePattern& pattern) 93 : service_path(network_path), 94 cert_config_type(config_type), 95 client_cert_pattern(pattern) {} 96 std::string service_path; 97 client_cert::ConfigType cert_config_type; 98 CertificatePattern client_cert_pattern; 99 }; 100 101 // A unary predicate that returns true if the given CertAndIssuer matches the 102 // certificate pattern of the NetworkAndCertPattern. 103 struct MatchCertWithPattern { 104 explicit MatchCertWithPattern(const NetworkAndCertPattern& pattern) 105 : net_and_pattern(pattern) {} 106 107 bool operator()(const CertAndIssuer& cert_and_issuer) { 108 const CertificatePattern& pattern = net_and_pattern.client_cert_pattern; 109 if (!pattern.issuer().Empty() && 110 !client_cert::CertPrincipalMatches(pattern.issuer(), 111 cert_and_issuer.cert->issuer())) { 112 return false; 113 } 114 if (!pattern.subject().Empty() && 115 !client_cert::CertPrincipalMatches(pattern.subject(), 116 cert_and_issuer.cert->subject())) { 117 return false; 118 } 119 120 const std::vector<std::string>& issuer_ca_pems = pattern.issuer_ca_pems(); 121 if (!issuer_ca_pems.empty() && 122 !ContainsValue(issuer_ca_pems, cert_and_issuer.pem_encoded_issuer)) { 123 return false; 124 } 125 return true; 126 } 127 128 NetworkAndCertPattern net_and_pattern; 129 }; 130 131 // Searches for matches between |networks| and |certs| and writes matches to 132 // |matches|. Because this calls NSS functions and is potentially slow, it must 133 // be run on a worker thread. 134 void FindCertificateMatches(const net::CertificateList& certs, 135 std::vector<NetworkAndCertPattern>* networks, 136 NetworkCertMatches* matches) { 137 // Filter all client certs and determines each certificate's issuer, which is 138 // required for the pattern matching. 139 std::vector<CertAndIssuer> client_certs; 140 for (net::CertificateList::const_iterator it = certs.begin(); 141 it != certs.end(); ++it) { 142 const net::X509Certificate& cert = **it; 143 if (cert.valid_expiry().is_null() || cert.HasExpired() || 144 !HasPrivateKey(cert)) { 145 continue; 146 } 147 net::X509Certificate::OSCertHandle issuer_handle = 148 CERT_FindCertIssuer(cert.os_cert_handle(), PR_Now(), certUsageAnyCA); 149 if (!issuer_handle) { 150 LOG(ERROR) << "Couldn't find an issuer."; 151 continue; 152 } 153 scoped_refptr<net::X509Certificate> issuer = 154 net::X509Certificate::CreateFromHandle( 155 issuer_handle, 156 net::X509Certificate::OSCertHandles() /* no intermediate certs */); 157 if (!issuer) { 158 LOG(ERROR) << "Couldn't create issuer cert."; 159 continue; 160 } 161 std::string pem_encoded_issuer; 162 if (!net::X509Certificate::GetPEMEncoded(issuer->os_cert_handle(), 163 &pem_encoded_issuer)) { 164 LOG(ERROR) << "Couldn't PEM-encode certificate."; 165 continue; 166 } 167 client_certs.push_back(CertAndIssuer(*it, pem_encoded_issuer)); 168 } 169 170 std::sort(client_certs.begin(), client_certs.end(), &CompareCertExpiration); 171 172 for (std::vector<NetworkAndCertPattern>::const_iterator it = 173 networks->begin(); 174 it != networks->end(); ++it) { 175 std::vector<CertAndIssuer>::iterator cert_it = std::find_if( 176 client_certs.begin(), client_certs.end(), MatchCertWithPattern(*it)); 177 if (cert_it == client_certs.end()) { 178 LOG(WARNING) << "Couldn't find a matching client cert for network " 179 << it->service_path; 180 continue; 181 } 182 std::string pkcs11_id = CertLoader::GetPkcs11IdForCert(*cert_it->cert); 183 if (pkcs11_id.empty()) { 184 LOG(ERROR) << "Couldn't determine PKCS#11 ID."; 185 continue; 186 } 187 matches->push_back(ClientCertResolver::NetworkAndMatchingCert( 188 it->service_path, it->cert_config_type, pkcs11_id)); 189 } 190 } 191 192 // Determines the type of the CertificatePattern configuration, i.e. is it a 193 // pattern within an EAP, IPsec or OpenVPN configuration. 194 client_cert::ConfigType OncToClientCertConfigurationType( 195 const base::DictionaryValue& network_config) { 196 using namespace ::onc; 197 198 const base::DictionaryValue* wifi = NULL; 199 network_config.GetDictionaryWithoutPathExpansion(network_config::kWiFi, 200 &wifi); 201 if (wifi) { 202 const base::DictionaryValue* eap = NULL; 203 wifi->GetDictionaryWithoutPathExpansion(wifi::kEAP, &eap); 204 if (!eap) 205 return client_cert::CONFIG_TYPE_NONE; 206 return client_cert::CONFIG_TYPE_EAP; 207 } 208 209 const base::DictionaryValue* vpn = NULL; 210 network_config.GetDictionaryWithoutPathExpansion(network_config::kVPN, &vpn); 211 if (vpn) { 212 const base::DictionaryValue* openvpn = NULL; 213 vpn->GetDictionaryWithoutPathExpansion(vpn::kOpenVPN, &openvpn); 214 if (openvpn) 215 return client_cert::CONFIG_TYPE_OPENVPN; 216 217 const base::DictionaryValue* ipsec = NULL; 218 vpn->GetDictionaryWithoutPathExpansion(vpn::kIPsec, &ipsec); 219 if (ipsec) 220 return client_cert::CONFIG_TYPE_IPSEC; 221 222 return client_cert::CONFIG_TYPE_NONE; 223 } 224 225 const base::DictionaryValue* ethernet = NULL; 226 network_config.GetDictionaryWithoutPathExpansion(network_config::kEthernet, 227 ðernet); 228 if (ethernet) { 229 const base::DictionaryValue* eap = NULL; 230 ethernet->GetDictionaryWithoutPathExpansion(wifi::kEAP, &eap); 231 if (eap) 232 return client_cert::CONFIG_TYPE_EAP; 233 return client_cert::CONFIG_TYPE_NONE; 234 } 235 236 return client_cert::CONFIG_TYPE_NONE; 237 } 238 239 void LogError(const std::string& service_path, 240 const std::string& dbus_error_name, 241 const std::string& dbus_error_message) { 242 network_handler::ShillErrorCallbackFunction( 243 "ClientCertResolver.SetProperties failed", 244 service_path, 245 network_handler::ErrorCallback(), 246 dbus_error_name, 247 dbus_error_message); 248 } 249 250 bool ClientCertificatesLoaded() { 251 if (!CertLoader::Get()->certificates_loaded()) { 252 VLOG(1) << "Certificates not loaded yet."; 253 return false; 254 } 255 if (!CertLoader::Get()->IsHardwareBacked()) { 256 VLOG(1) << "TPM is not available."; 257 return false; 258 } 259 return true; 260 } 261 262 } // namespace 263 264 ClientCertResolver::ClientCertResolver() 265 : network_state_handler_(NULL), 266 managed_network_config_handler_(NULL), 267 weak_ptr_factory_(this) { 268 } 269 270 ClientCertResolver::~ClientCertResolver() { 271 if (network_state_handler_) 272 network_state_handler_->RemoveObserver(this, FROM_HERE); 273 if (CertLoader::IsInitialized()) 274 CertLoader::Get()->RemoveObserver(this); 275 if (managed_network_config_handler_) 276 managed_network_config_handler_->RemoveObserver(this); 277 } 278 279 void ClientCertResolver::Init( 280 NetworkStateHandler* network_state_handler, 281 ManagedNetworkConfigurationHandler* managed_network_config_handler) { 282 DCHECK(network_state_handler); 283 network_state_handler_ = network_state_handler; 284 network_state_handler_->AddObserver(this, FROM_HERE); 285 286 DCHECK(managed_network_config_handler); 287 managed_network_config_handler_ = managed_network_config_handler; 288 managed_network_config_handler_->AddObserver(this); 289 290 CertLoader::Get()->AddObserver(this); 291 } 292 293 void ClientCertResolver::SetSlowTaskRunnerForTest( 294 const scoped_refptr<base::TaskRunner>& task_runner) { 295 slow_task_runner_for_test_ = task_runner; 296 } 297 298 void ClientCertResolver::NetworkListChanged() { 299 VLOG(2) << "NetworkListChanged."; 300 if (!ClientCertificatesLoaded()) 301 return; 302 // Configure only networks that were not configured before. 303 304 // We'll drop networks from |resolved_networks_|, which are not known anymore. 305 std::set<std::string> old_resolved_networks; 306 old_resolved_networks.swap(resolved_networks_); 307 308 FavoriteStateList networks; 309 network_state_handler_->GetFavoriteList(&networks); 310 311 FavoriteStateList networks_to_check; 312 for (FavoriteStateList::const_iterator it = networks.begin(); 313 it != networks.end(); ++it) { 314 const std::string& service_path = (*it)->path(); 315 if (ContainsKey(old_resolved_networks, service_path)) { 316 resolved_networks_.insert(service_path); 317 continue; 318 } 319 networks_to_check.push_back(*it); 320 } 321 322 ResolveNetworks(networks_to_check); 323 } 324 325 void ClientCertResolver::OnCertificatesLoaded( 326 const net::CertificateList& cert_list, 327 bool initial_load) { 328 VLOG(2) << "OnCertificatesLoaded."; 329 if (!ClientCertificatesLoaded()) 330 return; 331 // Compare all networks with all certificates. 332 FavoriteStateList networks; 333 network_state_handler_->GetFavoriteList(&networks); 334 ResolveNetworks(networks); 335 } 336 337 void ClientCertResolver::PolicyApplied(const std::string& service_path) { 338 VLOG(2) << "PolicyApplied " << service_path; 339 if (!ClientCertificatesLoaded()) 340 return; 341 // Compare this network with all certificates. 342 const FavoriteState* network = 343 network_state_handler_->GetFavoriteState(service_path); 344 if (!network) { 345 LOG(ERROR) << "service path '" << service_path << "' unknown."; 346 return; 347 } 348 FavoriteStateList networks; 349 networks.push_back(network); 350 ResolveNetworks(networks); 351 } 352 353 void ClientCertResolver::ResolveNetworks(const FavoriteStateList& networks) { 354 scoped_ptr<std::vector<NetworkAndCertPattern> > networks_with_pattern( 355 new std::vector<NetworkAndCertPattern>); 356 357 // Filter networks with ClientCertPattern. As ClientCertPatterns can only be 358 // set by policy, we check there. 359 for (FavoriteStateList::const_iterator it = networks.begin(); 360 it != networks.end(); ++it) { 361 const FavoriteState* network = *it; 362 363 // In any case, don't check this network again in NetworkListChanged. 364 resolved_networks_.insert(network->path()); 365 366 // If this network is not managed, it cannot have a ClientCertPattern. 367 if (network->guid().empty()) 368 continue; 369 370 if (network->profile_path().empty()) { 371 LOG(ERROR) << "Network " << network->path() 372 << " has a GUID but not profile path"; 373 continue; 374 } 375 const base::DictionaryValue* policy = 376 managed_network_config_handler_->FindPolicyByGuidAndProfile( 377 network->guid(), network->profile_path()); 378 379 if (!policy) { 380 VLOG(1) << "The policy for network " << network->path() << " with GUID " 381 << network->guid() << " is not available yet."; 382 // Skip this network for now. Once the policy is loaded, PolicyApplied() 383 // will retry. 384 continue; 385 } 386 387 VLOG(2) << "Inspecting network " << network->path(); 388 // TODO(pneubeck): Access the ClientCertPattern without relying on 389 // NetworkUIData, which also parses other things that we don't need here. 390 // The ONCSource is irrelevant here. 391 scoped_ptr<NetworkUIData> ui_data( 392 NetworkUIData::CreateFromONC(onc::ONC_SOURCE_NONE, *policy)); 393 394 // Skip networks that don't have a ClientCertPattern. 395 if (ui_data->certificate_type() != CLIENT_CERT_TYPE_PATTERN) 396 continue; 397 398 client_cert::ConfigType config_type = 399 OncToClientCertConfigurationType(*policy); 400 if (config_type == client_cert::CONFIG_TYPE_NONE) { 401 LOG(ERROR) << "UIData contains a CertificatePattern, but the policy " 402 << "doesn't. Network: " << network->path(); 403 continue; 404 } 405 406 networks_with_pattern->push_back(NetworkAndCertPattern( 407 network->path(), config_type, ui_data->certificate_pattern())); 408 } 409 if (networks_with_pattern->empty()) 410 return; 411 412 VLOG(2) << "Start task for resolving client cert patterns."; 413 base::TaskRunner* task_runner = slow_task_runner_for_test_.get(); 414 if (!task_runner) 415 task_runner = base::WorkerPool::GetTaskRunner(true /* task is slow */); 416 417 NetworkCertMatches* matches = new NetworkCertMatches; 418 task_runner->PostTaskAndReply( 419 FROM_HERE, 420 base::Bind(&FindCertificateMatches, 421 CertLoader::Get()->cert_list(), 422 base::Owned(networks_with_pattern.release()), 423 matches), 424 base::Bind(&ClientCertResolver::ConfigureCertificates, 425 weak_ptr_factory_.GetWeakPtr(), 426 base::Owned(matches))); 427 } 428 429 void ClientCertResolver::ConfigureCertificates(NetworkCertMatches* matches) { 430 for (NetworkCertMatches::const_iterator it = matches->begin(); 431 it != matches->end(); ++it) { 432 VLOG(1) << "Configuring certificate of network " << it->service_path; 433 CertLoader* cert_loader = CertLoader::Get(); 434 base::DictionaryValue shill_properties; 435 client_cert::SetShillProperties( 436 it->cert_config_type, 437 base::IntToString(cert_loader->tpm_token_slot_id()), 438 cert_loader->tpm_user_pin(), 439 &it->pkcs11_id, 440 &shill_properties); 441 DBusThreadManager::Get()->GetShillServiceClient()-> 442 SetProperties(dbus::ObjectPath(it->service_path), 443 shill_properties, 444 base::Bind(&base::DoNothing), 445 base::Bind(&LogError, it->service_path)); 446 network_state_handler_->RequestUpdateForNetwork(it->service_path); 447 } 448 } 449 450 } // namespace chromeos 451
