src/chromeos/network/client_cert_resolver.cc

   1 // Copyright 2013 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "chromeos/network/client_cert_resolver.h"
   6
   7 #include <cert.h>
   8 #include <certt.h>  // for (SECCertUsageEnum) certUsageAnyCA
   9 #include <pk11pub.h>
  10
  11 #include <algorithm>
  12 #include <string>
  13
  14 #include "base/bind.h"
  15 #include "base/location.h"
  16 #include "base/stl_util.h"
  17 #include "base/task_runner.h"
  18 #include "base/threading/worker_pool.h"
  19 #include "base/time/time.h"
  20 #include "chromeos/cert_loader.h"
  21 #include "chromeos/dbus/dbus_thread_manager.h"
  22 #include "chromeos/dbus/shill_service_client.h"
  23 #include "chromeos/network/managed_network_configuration_handler.h"
  24 #include "chromeos/network/network_state.h"
  25 #include "components/onc/onc_constants.h"
  26 #include "dbus/object_path.h"
  27 #include "net/cert/scoped_nss_types.h"
  28 #include "net/cert/x509_certificate.h"
  29
  30 namespace chromeos {
  31
  32 // Describes a network |network_path| for which a matching certificate |cert_id|
  33 // was found or for which no certificate was found (|cert_id| will be empty).
  34 struct ClientCertResolver::NetworkAndMatchingCert {
  35   NetworkAndMatchingCert(const std::string& network_path,
  36                          client_cert::ConfigType config_type,
  37                          const std::string& cert_id,
  38                          int slot_id)
  39       : service_path(network_path),
  40         cert_config_type(config_type),
  41         pkcs11_id(cert_id),
  42         key_slot_id(slot_id) {}
  43
  44   std::string service_path;
  45   client_cert::ConfigType cert_config_type;
  46
  47   // The id of the matching certificate or empty if no certificate was found.
  48   std::string pkcs11_id;
  49
  50   // The id of the slot containing the certificate and the private key.
  51   int key_slot_id;
  52 };
  53
  54 typedef std::vector<ClientCertResolver::NetworkAndMatchingCert>
  55     NetworkCertMatches;
  56
  57 namespace {
  58
  59 // Returns true if |vector| contains |value|.
  60 template <class T>
  61 bool ContainsValue(const std::vector<T>& vector, const T& value) {
  62   return find(vector.begin(), vector.end(), value) != vector.end();
  63 }
  64
  65 // Returns true if a private key for certificate |cert| is installed.
  66 bool HasPrivateKey(const net::X509Certificate& cert) {
  67   PK11SlotInfo* slot = PK11_KeyForCertExists(cert.os_cert_handle(), NULL, NULL);
  68   if (!slot)
  69     return false;
  70
  71   PK11_FreeSlot(slot);
  72   return true;
  73 }
  74
  75 // Describes a certificate which is issued by |issuer| (encoded as PEM).
  76 struct CertAndIssuer {
  77   CertAndIssuer(const scoped_refptr<net::X509Certificate>& certificate,
  78                 const std::string& issuer)
  79       : cert(certificate),
  80         pem_encoded_issuer(issuer) {}
  81
  82   scoped_refptr<net::X509Certificate> cert;
  83   std::string pem_encoded_issuer;
  84 };
  85
  86 bool CompareCertExpiration(const CertAndIssuer& a,
  87                            const CertAndIssuer& b) {
  88   return (a.cert->valid_expiry() > b.cert->valid_expiry());
  89 }
  90
  91 // Describes a network that is configured with the certificate pattern
  92 // |client_cert_pattern|.
  93 struct NetworkAndCertPattern {
  94   NetworkAndCertPattern(const std::string& network_path,
  95                         const client_cert::ClientCertConfig& client_cert_config)
  96       : service_path(network_path),
  97         cert_config(client_cert_config) {}
  98
  99   std::string service_path;
 100   client_cert::ClientCertConfig cert_config;
 101 };
 102
 103 // A unary predicate that returns true if the given CertAndIssuer matches the
 104 // given certificate pattern.
 105 struct MatchCertWithPattern {
 106   explicit MatchCertWithPattern(const CertificatePattern& cert_pattern)
 107       : pattern(cert_pattern) {}
 108
 109   bool operator()(const CertAndIssuer& cert_and_issuer) {
 110     if (!pattern.issuer().Empty() &&
 111         !client_cert::CertPrincipalMatches(pattern.issuer(),
 112                                            cert_and_issuer.cert->issuer())) {
 113       return false;
 114     }
 115     if (!pattern.subject().Empty() &&
 116         !client_cert::CertPrincipalMatches(pattern.subject(),
 117                                            cert_and_issuer.cert->subject())) {
 118       return false;
 119     }
 120
 121     const std::vector<std::string>& issuer_ca_pems = pattern.issuer_ca_pems();
 122     if (!issuer_ca_pems.empty() &&
 123         !ContainsValue(issuer_ca_pems, cert_and_issuer.pem_encoded_issuer)) {
 124       return false;
 125     }
 126     return true;
 127   }
 128
 129   const CertificatePattern pattern;
 130 };
 131
 132 std::vector<CertAndIssuer> CreateSortedCertAndIssuerList(
 133     const net::CertificateList& certs) {
 134   // Filter all client certs and determines each certificate's issuer, which is
 135   // required for the pattern matching.
 136   std::vector<CertAndIssuer> client_certs;
 137   for (net::CertificateList::const_iterator it = certs.begin();
 138        it != certs.end(); ++it) {
 139     const net::X509Certificate& cert = **it;
 140     if (cert.valid_expiry().is_null() || cert.HasExpired() ||
 141         !HasPrivateKey(cert)) {
 142       continue;
 143     }
 144     net::ScopedCERTCertificate issuer_handle(
 145         CERT_FindCertIssuer(cert.os_cert_handle(), PR_Now(), certUsageAnyCA));
 146     if (!issuer_handle) {
 147       LOG(ERROR) << "Couldn't find an issuer.";
 148       continue;
 149     }
 150     scoped_refptr<net::X509Certificate> issuer =
 151         net::X509Certificate::CreateFromHandle(
 152             issuer_handle.get(),
 153             net::X509Certificate::OSCertHandles() /* no intermediate certs */);
 154     if (!issuer.get()) {
 155       LOG(ERROR) << "Couldn't create issuer cert.";
 156       continue;
 157     }
 158     std::string pem_encoded_issuer;
 159     if (!net::X509Certificate::GetPEMEncoded(issuer->os_cert_handle(),
 160                                              &pem_encoded_issuer)) {
 161       LOG(ERROR) << "Couldn't PEM-encode certificate.";
 162       continue;
 163     }
 164     client_certs.push_back(CertAndIssuer(*it, pem_encoded_issuer));
 165   }
 166
 167   std::sort(client_certs.begin(), client_certs.end(), &CompareCertExpiration);
 168   return client_certs;
 169 }
 170
 171 // Searches for matches between |networks| and |certs| and writes matches to
 172 // |matches|. Because this calls NSS functions and is potentially slow, it must
 173 // be run on a worker thread.
 174 void FindCertificateMatches(const net::CertificateList& certs,
 175                             std::vector<NetworkAndCertPattern>* networks,
 176                             NetworkCertMatches* matches) {
 177   std::vector<CertAndIssuer> client_certs(CreateSortedCertAndIssuerList(certs));
 178
 179   for (std::vector<NetworkAndCertPattern>::const_iterator it =
 180            networks->begin();
 181        it != networks->end(); ++it) {
 182     std::vector<CertAndIssuer>::iterator cert_it =
 183         std::find_if(client_certs.begin(),
 184                      client_certs.end(),
 185                      MatchCertWithPattern(it->cert_config.pattern));
 186     std::string pkcs11_id;
 187     int slot_id = -1;
 188     if (cert_it == client_certs.end()) {
 189       VLOG(1) << "Couldn't find a matching client cert for network "
 190               << it->service_path;
 191       // Leave |pkcs11_id| empty to indicate that no cert was found for this
 192       // network.
 193     } else {
 194       pkcs11_id =
 195           CertLoader::GetPkcs11IdAndSlotForCert(*cert_it->cert, &slot_id);
 196       if (pkcs11_id.empty()) {
 197         LOG(ERROR) << "Couldn't determine PKCS#11 ID.";
 198         // So far this error is not expected to happen. We can just continue, in
 199         // the worst case the user can remove the problematic cert.
 200         continue;
 201       }
 202     }
 203     matches->push_back(ClientCertResolver::NetworkAndMatchingCert(
 204         it->service_path, it->cert_config.location, pkcs11_id, slot_id));
 205   }
 206 }
 207
 208 void LogError(const std::string& service_path,
 209               const std::string& dbus_error_name,
 210               const std::string& dbus_error_message) {
 211   network_handler::ShillErrorCallbackFunction(
 212       "ClientCertResolver.SetProperties failed",
 213       service_path,
 214       network_handler::ErrorCallback(),
 215       dbus_error_name,
 216       dbus_error_message);
 217 }
 218
 219 bool ClientCertificatesLoaded() {
 220   if (!CertLoader::Get()->certificates_loaded()) {
 221     VLOG(1) << "Certificates not loaded yet.";
 222     return false;
 223   }
 224   if (!CertLoader::Get()->IsHardwareBacked()) {
 225     VLOG(1) << "TPM is not available.";
 226     return false;
 227   }
 228   return true;
 229 }
 230
 231 }  // namespace
 232
 233 ClientCertResolver::ClientCertResolver()
 234     : network_state_handler_(NULL),
 235       managed_network_config_handler_(NULL),
 236       weak_ptr_factory_(this) {
 237 }
 238
 239 ClientCertResolver::~ClientCertResolver() {
 240   if (network_state_handler_)
 241     network_state_handler_->RemoveObserver(this, FROM_HERE);
 242   if (CertLoader::IsInitialized())
 243     CertLoader::Get()->RemoveObserver(this);
 244   if (managed_network_config_handler_)
 245     managed_network_config_handler_->RemoveObserver(this);
 246 }
 247
 248 void ClientCertResolver::Init(
 249     NetworkStateHandler* network_state_handler,
 250     ManagedNetworkConfigurationHandler* managed_network_config_handler) {
 251   DCHECK(network_state_handler);
 252   network_state_handler_ = network_state_handler;
 253   network_state_handler_->AddObserver(this, FROM_HERE);
 254
 255   DCHECK(managed_network_config_handler);
 256   managed_network_config_handler_ = managed_network_config_handler;
 257   managed_network_config_handler_->AddObserver(this);
 258
 259   CertLoader::Get()->AddObserver(this);
 260 }
 261
 262 void ClientCertResolver::SetSlowTaskRunnerForTest(
 263     const scoped_refptr<base::TaskRunner>& task_runner) {
 264   slow_task_runner_for_test_ = task_runner;
 265 }
 266
 267 // static
 268 bool ClientCertResolver::ResolveCertificatePatternSync(
 269     const client_cert::ConfigType client_cert_type,
 270     const CertificatePattern& pattern,
 271     base::DictionaryValue* shill_properties) {
 272   // Prepare and sort the list of known client certs.
 273   std::vector<CertAndIssuer> client_certs(
 274       CreateSortedCertAndIssuerList(CertLoader::Get()->cert_list()));
 275
 276   // Search for a certificate matching the pattern.
 277   std::vector<CertAndIssuer>::iterator cert_it = std::find_if(
 278       client_certs.begin(), client_certs.end(), MatchCertWithPattern(pattern));
 279
 280   if (cert_it == client_certs.end()) {
 281     VLOG(1) << "Couldn't find a matching client cert";
 282     client_cert::SetEmptyShillProperties(client_cert_type, shill_properties);
 283     return false;
 284   }
 285
 286   int slot_id = -1;
 287   std::string pkcs11_id =
 288       CertLoader::GetPkcs11IdAndSlotForCert(*cert_it->cert, &slot_id);
 289   if (pkcs11_id.empty()) {
 290     LOG(ERROR) << "Couldn't determine PKCS#11 ID.";
 291     // So far this error is not expected to happen. We can just continue, in
 292     // the worst case the user can remove the problematic cert.
 293     return false;
 294   }
 295   client_cert::SetShillProperties(
 296       client_cert_type, slot_id, pkcs11_id, shill_properties);
 297   return true;
 298 }
 299
 300 void ClientCertResolver::NetworkListChanged() {
 301   VLOG(2) << "NetworkListChanged.";
 302   if (!ClientCertificatesLoaded())
 303     return;
 304   // Configure only networks that were not configured before.
 305
 306   // We'll drop networks from |resolved_networks_|, which are not known anymore.
 307   std::set<std::string> old_resolved_networks;
 308   old_resolved_networks.swap(resolved_networks_);
 309
 310   NetworkStateHandler::NetworkStateList networks;
 311   network_state_handler_->GetNetworkListByType(
 312       NetworkTypePattern::Default(),
 313       true /* configured_only */,
 314       false /* visible_only */,
 315       0 /* no limit */,
 316       &networks);
 317
 318   NetworkStateHandler::NetworkStateList networks_to_check;
 319   for (NetworkStateHandler::NetworkStateList::const_iterator it =
 320            networks.begin(); it != networks.end(); ++it) {
 321     const std::string& service_path = (*it)->path();
 322     if (ContainsKey(old_resolved_networks, service_path)) {
 323       resolved_networks_.insert(service_path);
 324       continue;
 325     }
 326     networks_to_check.push_back(*it);
 327   }
 328
 329   ResolveNetworks(networks_to_check);
 330 }
 331
 332 void ClientCertResolver::OnCertificatesLoaded(
 333     const net::CertificateList& cert_list,
 334     bool initial_load) {
 335   VLOG(2) << "OnCertificatesLoaded.";
 336   if (!ClientCertificatesLoaded())
 337     return;
 338   // Compare all networks with all certificates.
 339   NetworkStateHandler::NetworkStateList networks;
 340   network_state_handler_->GetNetworkListByType(
 341       NetworkTypePattern::Default(),
 342       true /* configured_only */,
 343       false /* visible_only */,
 344       0 /* no limit */,
 345       &networks);
 346   ResolveNetworks(networks);
 347 }
 348
 349 void ClientCertResolver::PolicyApplied(const std::string& service_path) {
 350   VLOG(2) << "PolicyApplied " << service_path;
 351   if (!ClientCertificatesLoaded())
 352     return;
 353   // Compare this network with all certificates.
 354   const NetworkState* network =
 355       network_state_handler_->GetNetworkStateFromServicePath(
 356           service_path, true /* configured_only */);
 357   if (!network) {
 358     LOG(ERROR) << "service path '" << service_path << "' unknown.";
 359     return;
 360   }
 361   NetworkStateHandler::NetworkStateList networks;
 362   networks.push_back(network);
 363   ResolveNetworks(networks);
 364 }
 365
 366 void ClientCertResolver::ResolveNetworks(
 367     const NetworkStateHandler::NetworkStateList& networks) {
 368   scoped_ptr<std::vector<NetworkAndCertPattern> > networks_with_pattern(
 369       new std::vector<NetworkAndCertPattern>);
 370
 371   // Filter networks with ClientCertPattern. As ClientCertPatterns can only be
 372   // set by policy, we check there.
 373   for (NetworkStateHandler::NetworkStateList::const_iterator it =
 374            networks.begin(); it != networks.end(); ++it) {
 375     const NetworkState* network = *it;
 376
 377     // In any case, don't check this network again in NetworkListChanged.
 378     resolved_networks_.insert(network->path());
 379
 380     // If this network is not configured, it cannot have a ClientCertPattern.
 381     if (network->profile_path().empty())
 382       continue;
 383
 384     const base::DictionaryValue* policy =
 385         managed_network_config_handler_->FindPolicyByGuidAndProfile(
 386             network->guid(), network->profile_path());
 387
 388     if (!policy) {
 389       VLOG(1) << "The policy for network " << network->path() << " with GUID "
 390               << network->guid() << " is not available yet.";
 391       // Skip this network for now. Once the policy is loaded, PolicyApplied()
 392       // will retry.
 393       continue;
 394     }
 395
 396     VLOG(2) << "Inspecting network " << network->path();
 397     client_cert::ClientCertConfig cert_config;
 398     OncToClientCertConfig(*policy, &cert_config);
 399
 400     // Skip networks that don't have a ClientCertPattern.
 401     if (cert_config.client_cert_type != ::onc::client_cert::kPattern)
 402       continue;
 403
 404     networks_with_pattern->push_back(
 405         NetworkAndCertPattern(network->path(), cert_config));
 406   }
 407   if (networks_with_pattern->empty())
 408     return;
 409
 410   VLOG(2) << "Start task for resolving client cert patterns.";
 411   base::TaskRunner* task_runner = slow_task_runner_for_test_.get();
 412   if (!task_runner)
 413     task_runner =
 414         base::WorkerPool::GetTaskRunner(true /* task is slow */).get();
 415
 416   NetworkCertMatches* matches = new NetworkCertMatches;
 417   task_runner->PostTaskAndReply(
 418       FROM_HERE,
 419       base::Bind(&FindCertificateMatches,
 420                  CertLoader::Get()->cert_list(),
 421                  base::Owned(networks_with_pattern.release()),
 422                  matches),
 423       base::Bind(&ClientCertResolver::ConfigureCertificates,
 424                  weak_ptr_factory_.GetWeakPtr(),
 425                  base::Owned(matches)));
 426 }
 427
 428 void ClientCertResolver::ConfigureCertificates(NetworkCertMatches* matches) {
 429   for (NetworkCertMatches::const_iterator it = matches->begin();
 430        it != matches->end(); ++it) {
 431     VLOG(1) << "Configuring certificate of network " << it->service_path;
 432     base::DictionaryValue shill_properties;
 433     if (it->pkcs11_id.empty()) {
 434       client_cert::SetEmptyShillProperties(it->cert_config_type,
 435                                            &shill_properties);
 436     } else {
 437       client_cert::SetShillProperties(it->cert_config_type,
 438                                       it->key_slot_id,
 439                                       it->pkcs11_id,
 440                                       &shill_properties);
 441     }
 442     DBusThreadManager::Get()->GetShillServiceClient()->
 443         SetProperties(dbus::ObjectPath(it->service_path),
 444                         shill_properties,
 445                         base::Bind(&base::DoNothing),
 446                         base::Bind(&LogError, it->service_path));
 447     network_state_handler_->RequestUpdateForNetwork(it->service_path);
 448   }
 449 }
 450
 451 }  // namespace chromeos