1// Copyright 2013 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#include "chromeos/network/client_cert_resolver.h"
6
7#include <cert.h>
8#include <certt.h>  // for (SECCertUsageEnum) certUsageAnyCA
9#include <pk11pub.h>
10
11#include <algorithm>
12#include <string>
13
14#include "base/bind.h"
15#include "base/location.h"
16#include "base/stl_util.h"
17#include "base/task_runner.h"
18#include "base/threading/worker_pool.h"
19#include "base/time/time.h"
20#include "chromeos/cert_loader.h"
21#include "chromeos/dbus/dbus_thread_manager.h"
22#include "chromeos/dbus/shill_service_client.h"
23#include "chromeos/network/managed_network_configuration_handler.h"
24#include "chromeos/network/network_state.h"
25#include "components/onc/onc_constants.h"
26#include "dbus/object_path.h"
27#include "net/cert/scoped_nss_types.h"
28#include "net/cert/x509_certificate.h"
29
30namespace chromeos {
31
32// Describes a network |network_path| for which a matching certificate |cert_id|
33// was found or for which no certificate was found (|cert_id| will be empty).
34struct ClientCertResolver::NetworkAndMatchingCert {
35  NetworkAndMatchingCert(const std::string& network_path,
36                         client_cert::ConfigType config_type,
37                         const std::string& cert_id,
38                         int slot_id)
39      : service_path(network_path),
40        cert_config_type(config_type),
41        pkcs11_id(cert_id),
42        key_slot_id(slot_id) {}
43
44  std::string service_path;
45  client_cert::ConfigType cert_config_type;
46
47  // The id of the matching certificate or empty if no certificate was found.
48  std::string pkcs11_id;
49
50  // The id of the slot containing the certificate and the private key.
51  int key_slot_id;
52};
53
54typedef std::vector<ClientCertResolver::NetworkAndMatchingCert>
55    NetworkCertMatches;
56
57namespace {
58
59// Returns true if |vector| contains |value|.
60template <class T>
61bool ContainsValue(const std::vector<T>& vector, const T& value) {
62  return find(vector.begin(), vector.end(), value) != vector.end();
63}
64
65// Returns true if a private key for certificate |cert| is installed.
66bool HasPrivateKey(const net::X509Certificate& cert) {
67  PK11SlotInfo* slot = PK11_KeyForCertExists(cert.os_cert_handle(), NULL, NULL);
68  if (!slot)
69    return false;
70
71  PK11_FreeSlot(slot);
72  return true;
73}
74
75// Describes a certificate which is issued by |issuer| (encoded as PEM).
76struct CertAndIssuer {
77  CertAndIssuer(const scoped_refptr<net::X509Certificate>& certificate,
78                const std::string& issuer)
79      : cert(certificate),
80        pem_encoded_issuer(issuer) {}
81
82  scoped_refptr<net::X509Certificate> cert;
83  std::string pem_encoded_issuer;
84};
85
86bool CompareCertExpiration(const CertAndIssuer& a,
87                           const CertAndIssuer& b) {
88  return (a.cert->valid_expiry() > b.cert->valid_expiry());
89}
90
91// Describes a network that is configured with the certificate pattern
92// |client_cert_pattern|.
93struct NetworkAndCertPattern {
94  NetworkAndCertPattern(const std::string& network_path,
95                        const client_cert::ClientCertConfig& client_cert_config)
96      : service_path(network_path),
97        cert_config(client_cert_config) {}
98
99  std::string service_path;
100  client_cert::ClientCertConfig cert_config;
101};
102
103// A unary predicate that returns true if the given CertAndIssuer matches the
104// given certificate pattern.
105struct MatchCertWithPattern {
106  explicit MatchCertWithPattern(const CertificatePattern& cert_pattern)
107      : pattern(cert_pattern) {}
108
109  bool operator()(const CertAndIssuer& cert_and_issuer) {
110    if (!pattern.issuer().Empty() &&
111        !client_cert::CertPrincipalMatches(pattern.issuer(),
112                                           cert_and_issuer.cert->issuer())) {
113      return false;
114    }
115    if (!pattern.subject().Empty() &&
116        !client_cert::CertPrincipalMatches(pattern.subject(),
117                                           cert_and_issuer.cert->subject())) {
118      return false;
119    }
120
121    const std::vector<std::string>& issuer_ca_pems = pattern.issuer_ca_pems();
122    if (!issuer_ca_pems.empty() &&
123        !ContainsValue(issuer_ca_pems, cert_and_issuer.pem_encoded_issuer)) {
124      return false;
125    }
126    return true;
127  }
128
129  const CertificatePattern pattern;
130};
131
132std::vector<CertAndIssuer> CreateSortedCertAndIssuerList(
133    const net::CertificateList& certs) {
134  // Filter all client certs and determines each certificate's issuer, which is
135  // required for the pattern matching.
136  std::vector<CertAndIssuer> client_certs;
137  for (net::CertificateList::const_iterator it = certs.begin();
138       it != certs.end(); ++it) {
139    const net::X509Certificate& cert = **it;
140    if (cert.valid_expiry().is_null() || cert.HasExpired() ||
141        !HasPrivateKey(cert)) {
142      continue;
143    }
144    net::ScopedCERTCertificate issuer_handle(
145        CERT_FindCertIssuer(cert.os_cert_handle(), PR_Now(), certUsageAnyCA));
146    if (!issuer_handle) {
147      LOG(ERROR) << "Couldn't find an issuer.";
148      continue;
149    }
150    scoped_refptr<net::X509Certificate> issuer =
151        net::X509Certificate::CreateFromHandle(
152            issuer_handle.get(),
153            net::X509Certificate::OSCertHandles() /* no intermediate certs */);
154    if (!issuer.get()) {
155      LOG(ERROR) << "Couldn't create issuer cert.";
156      continue;
157    }
158    std::string pem_encoded_issuer;
159    if (!net::X509Certificate::GetPEMEncoded(issuer->os_cert_handle(),
160                                             &pem_encoded_issuer)) {
161      LOG(ERROR) << "Couldn't PEM-encode certificate.";
162      continue;
163    }
164    client_certs.push_back(CertAndIssuer(*it, pem_encoded_issuer));
165  }
166
167  std::sort(client_certs.begin(), client_certs.end(), &CompareCertExpiration);
168  return client_certs;
169}
170
171// Searches for matches between |networks| and |certs| and writes matches to
172// |matches|. Because this calls NSS functions and is potentially slow, it must
173// be run on a worker thread.
174void FindCertificateMatches(const net::CertificateList& certs,
175                            std::vector<NetworkAndCertPattern>* networks,
176                            NetworkCertMatches* matches) {
177  std::vector<CertAndIssuer> client_certs(CreateSortedCertAndIssuerList(certs));
178
179  for (std::vector<NetworkAndCertPattern>::const_iterator it =
180           networks->begin();
181       it != networks->end(); ++it) {
182    std::vector<CertAndIssuer>::iterator cert_it =
183        std::find_if(client_certs.begin(),
184                     client_certs.end(),
185                     MatchCertWithPattern(it->cert_config.pattern));
186    std::string pkcs11_id;
187    int slot_id = -1;
188    if (cert_it == client_certs.end()) {
189      VLOG(1) << "Couldn't find a matching client cert for network "
190              << it->service_path;
191      // Leave |pkcs11_id| empty to indicate that no cert was found for this
192      // network.
193    } else {
194      pkcs11_id =
195          CertLoader::GetPkcs11IdAndSlotForCert(*cert_it->cert, &slot_id);
196      if (pkcs11_id.empty()) {
197        LOG(ERROR) << "Couldn't determine PKCS#11 ID.";
198        // So far this error is not expected to happen. We can just continue, in
199        // the worst case the user can remove the problematic cert.
200        continue;
201      }
202    }
203    matches->push_back(ClientCertResolver::NetworkAndMatchingCert(
204        it->service_path, it->cert_config.location, pkcs11_id, slot_id));
205  }
206}
207
208void LogError(const std::string& service_path,
209              const std::string& dbus_error_name,
210              const std::string& dbus_error_message) {
211  network_handler::ShillErrorCallbackFunction(
212      "ClientCertResolver.SetProperties failed",
213      service_path,
214      network_handler::ErrorCallback(),
215      dbus_error_name,
216      dbus_error_message);
217}
218
219bool ClientCertificatesLoaded() {
220  if (!CertLoader::Get()->certificates_loaded()) {
221    VLOG(1) << "Certificates not loaded yet.";
222    return false;
223  }
224  if (!CertLoader::Get()->IsHardwareBacked()) {
225    VLOG(1) << "TPM is not available.";
226    return false;
227  }
228  return true;
229}
230
231}  // namespace
232
233ClientCertResolver::ClientCertResolver()
234    : network_state_handler_(NULL),
235      managed_network_config_handler_(NULL),
236      weak_ptr_factory_(this) {
237}
238
239ClientCertResolver::~ClientCertResolver() {
240  if (network_state_handler_)
241    network_state_handler_->RemoveObserver(this, FROM_HERE);
242  if (CertLoader::IsInitialized())
243    CertLoader::Get()->RemoveObserver(this);
244  if (managed_network_config_handler_)
245    managed_network_config_handler_->RemoveObserver(this);
246}
247
248void ClientCertResolver::Init(
249    NetworkStateHandler* network_state_handler,
250    ManagedNetworkConfigurationHandler* managed_network_config_handler) {
251  DCHECK(network_state_handler);
252  network_state_handler_ = network_state_handler;
253  network_state_handler_->AddObserver(this, FROM_HERE);
254
255  DCHECK(managed_network_config_handler);
256  managed_network_config_handler_ = managed_network_config_handler;
257  managed_network_config_handler_->AddObserver(this);
258
259  CertLoader::Get()->AddObserver(this);
260}
261
262void ClientCertResolver::SetSlowTaskRunnerForTest(
263    const scoped_refptr<base::TaskRunner>& task_runner) {
264  slow_task_runner_for_test_ = task_runner;
265}
266
267// static
268bool ClientCertResolver::ResolveCertificatePatternSync(
269    const client_cert::ConfigType client_cert_type,
270    const CertificatePattern& pattern,
271    base::DictionaryValue* shill_properties) {
272  // Prepare and sort the list of known client certs.
273  std::vector<CertAndIssuer> client_certs(
274      CreateSortedCertAndIssuerList(CertLoader::Get()->cert_list()));
275
276  // Search for a certificate matching the pattern.
277  std::vector<CertAndIssuer>::iterator cert_it = std::find_if(
278      client_certs.begin(), client_certs.end(), MatchCertWithPattern(pattern));
279
280  if (cert_it == client_certs.end()) {
281    VLOG(1) << "Couldn't find a matching client cert";
282    client_cert::SetEmptyShillProperties(client_cert_type, shill_properties);
283    return false;
284  }
285
286  int slot_id = -1;
287  std::string pkcs11_id =
288      CertLoader::GetPkcs11IdAndSlotForCert(*cert_it->cert, &slot_id);
289  if (pkcs11_id.empty()) {
290    LOG(ERROR) << "Couldn't determine PKCS#11 ID.";
291    // So far this error is not expected to happen. We can just continue, in
292    // the worst case the user can remove the problematic cert.
293    return false;
294  }
295  client_cert::SetShillProperties(
296      client_cert_type, slot_id, pkcs11_id, shill_properties);
297  return true;
298}
299
300void ClientCertResolver::NetworkListChanged() {
301  VLOG(2) << "NetworkListChanged.";
302  if (!ClientCertificatesLoaded())
303    return;
304  // Configure only networks that were not configured before.
305
306  // We'll drop networks from |resolved_networks_|, which are not known anymore.
307  std::set<std::string> old_resolved_networks;
308  old_resolved_networks.swap(resolved_networks_);
309
310  NetworkStateHandler::NetworkStateList networks;
311  network_state_handler_->GetNetworkListByType(
312      NetworkTypePattern::Default(),
313      true /* configured_only */,
314      false /* visible_only */,
315      0 /* no limit */,
316      &networks);
317
318  NetworkStateHandler::NetworkStateList networks_to_check;
319  for (NetworkStateHandler::NetworkStateList::const_iterator it =
320           networks.begin(); it != networks.end(); ++it) {
321    const std::string& service_path = (*it)->path();
322    if (ContainsKey(old_resolved_networks, service_path)) {
323      resolved_networks_.insert(service_path);
324      continue;
325    }
326    networks_to_check.push_back(*it);
327  }
328
329  ResolveNetworks(networks_to_check);
330}
331
332void ClientCertResolver::OnCertificatesLoaded(
333    const net::CertificateList& cert_list,
334    bool initial_load) {
335  VLOG(2) << "OnCertificatesLoaded.";
336  if (!ClientCertificatesLoaded())
337    return;
338  // Compare all networks with all certificates.
339  NetworkStateHandler::NetworkStateList networks;
340  network_state_handler_->GetNetworkListByType(
341      NetworkTypePattern::Default(),
342      true /* configured_only */,
343      false /* visible_only */,
344      0 /* no limit */,
345      &networks);
346  ResolveNetworks(networks);
347}
348
349void ClientCertResolver::PolicyApplied(const std::string& service_path) {
350  VLOG(2) << "PolicyApplied " << service_path;
351  if (!ClientCertificatesLoaded())
352    return;
353  // Compare this network with all certificates.
354  const NetworkState* network =
355      network_state_handler_->GetNetworkStateFromServicePath(
356          service_path, true /* configured_only */);
357  if (!network) {
358    LOG(ERROR) << "service path '" << service_path << "' unknown.";
359    return;
360  }
361  NetworkStateHandler::NetworkStateList networks;
362  networks.push_back(network);
363  ResolveNetworks(networks);
364}
365
366void ClientCertResolver::ResolveNetworks(
367    const NetworkStateHandler::NetworkStateList& networks) {
368  scoped_ptr<std::vector<NetworkAndCertPattern> > networks_with_pattern(
369      new std::vector<NetworkAndCertPattern>);
370
371  // Filter networks with ClientCertPattern. As ClientCertPatterns can only be
372  // set by policy, we check there.
373  for (NetworkStateHandler::NetworkStateList::const_iterator it =
374           networks.begin(); it != networks.end(); ++it) {
375    const NetworkState* network = *it;
376
377    // In any case, don't check this network again in NetworkListChanged.
378    resolved_networks_.insert(network->path());
379
380    // If this network is not configured, it cannot have a ClientCertPattern.
381    if (network->profile_path().empty())
382      continue;
383
384    const base::DictionaryValue* policy =
385        managed_network_config_handler_->FindPolicyByGuidAndProfile(
386            network->guid(), network->profile_path());
387
388    if (!policy) {
389      VLOG(1) << "The policy for network " << network->path() << " with GUID "
390              << network->guid() << " is not available yet.";
391      // Skip this network for now. Once the policy is loaded, PolicyApplied()
392      // will retry.
393      continue;
394    }
395
396    VLOG(2) << "Inspecting network " << network->path();
397    client_cert::ClientCertConfig cert_config;
398    OncToClientCertConfig(*policy, &cert_config);
399
400    // Skip networks that don't have a ClientCertPattern.
401    if (cert_config.client_cert_type != ::onc::client_cert::kPattern)
402      continue;
403
404    networks_with_pattern->push_back(
405        NetworkAndCertPattern(network->path(), cert_config));
406  }
407  if (networks_with_pattern->empty())
408    return;
409
410  VLOG(2) << "Start task for resolving client cert patterns.";
411  base::TaskRunner* task_runner = slow_task_runner_for_test_.get();
412  if (!task_runner)
413    task_runner =
414        base::WorkerPool::GetTaskRunner(true /* task is slow */).get();
415
416  NetworkCertMatches* matches = new NetworkCertMatches;
417  task_runner->PostTaskAndReply(
418      FROM_HERE,
419      base::Bind(&FindCertificateMatches,
420                 CertLoader::Get()->cert_list(),
421                 base::Owned(networks_with_pattern.release()),
422                 matches),
423      base::Bind(&ClientCertResolver::ConfigureCertificates,
424                 weak_ptr_factory_.GetWeakPtr(),
425                 base::Owned(matches)));
426}
427
428void ClientCertResolver::ConfigureCertificates(NetworkCertMatches* matches) {
429  for (NetworkCertMatches::const_iterator it = matches->begin();
430       it != matches->end(); ++it) {
431    VLOG(1) << "Configuring certificate of network " << it->service_path;
432    base::DictionaryValue shill_properties;
433    if (it->pkcs11_id.empty()) {
434      client_cert::SetEmptyShillProperties(it->cert_config_type,
435                                           &shill_properties);
436    } else {
437      client_cert::SetShillProperties(it->cert_config_type,
438                                      it->key_slot_id,
439                                      it->pkcs11_id,
440                                      &shill_properties);
441    }
442    DBusThreadManager::Get()->GetShillServiceClient()->
443        SetProperties(dbus::ObjectPath(it->service_path),
444                        shill_properties,
445                        base::Bind(&base::DoNothing),
446                        base::Bind(&LogError, it->service_path));
447    network_state_handler_->RequestUpdateForNetwork(it->service_path);
448  }
449}
450
451}  // namespace chromeos
452