commit ecf4cd104cf2957d6db9076b975d9deee87c55b2
author Paul Stewart <pstew@chromium.org> Tue Apr 17 11:08:39 2012 -0700
committer Gerrit <chrome-bot@google.com> Tue Apr 17 18:01:06 2012 -0700
tree 63d8753821d502546b1189dcd24c2783621807c4
parent b0b66df7532f6d602ae6746e38c8ef7e793874ab

shill: wifi: Enable use of NSS-backed CA Certificates

Export CA certificates out of NSS if one is specified.

BUG=chromium-os:29462,chromium-os:25663
TEST=New unit test, manual -- ensure certificate is written out to /tmp

Change-Id: Ibe2c4b60a76402995eda4fdbef742ffe8c6a64fb
Reviewed-on: https://gerrit.chromium.org/gerrit/20386
Reviewed-by: Gaurav Shah <gauravsh@chromium.org>
Tested-by: Paul Stewart <pstew@chromium.org>
Commit-Ready: Paul Stewart <pstew@chromium.org>

wifi_service.cc

diff --git a/wifi_service.cc b/wifi_service.cc
index 86653ea..e61e0c1 100644
--- a/wifi_service.cc
+++ b/wifi_service.cc
@@ -22,6 +22,7 @@
 #include "shill/event_dispatcher.h"
 #include "shill/ieee80211.h"
 #include "shill/metrics.h"
+#include "shill/nss.h"
 #include "shill/property_accessor.h"
 #include "shill/store_interface.h"
 #include "shill/wifi.h"
@@ -62,7 +63,8 @@
       frequency_(0),
       physical_mode_(0),
       wifi_(device),
-      ssid_(ssid) {
+      ssid_(ssid),
+      nss_(NSS::GetInstance()) {
   PropertyStore *store = this->mutable_store();
   store->RegisterConstString(flimflam::kModeProperty, &mode_);
   HelpRegisterWriteOnlyDerivedString(flimflam::kPassphraseProperty,
@@ -739,6 +741,18 @@
 
 void WiFiService::Populate8021xProperties(
     std::map<string, DBus::Variant> *params) {
+  string ca_cert = eap().ca_cert;
+  if (!eap().ca_cert_nss.empty()) {
+    vector<char> id(ssid_.begin(), ssid_.end());
+    FilePath certfile = nss_->GetDERCertfile(eap().ca_cert_nss, id);
+    if (certfile.empty()) {
+      LOG(ERROR) << "Unable to extract certificate: " << eap().ca_cert_nss;
+    } else {
+      ca_cert = certfile.value();
+    }
+  }
+
+
   typedef std::pair<const char *, const char *> KeyVal;
   KeyVal init_propertyvals[] = {
     KeyVal(wpa_supplicant::kNetworkPropertyEapIdentity, eap().identity.c_str()),
@@ -753,15 +767,13 @@
            eap().private_key.c_str()),
     KeyVal(wpa_supplicant::kNetworkPropertyEapPrivateKeyPassword,
            eap().private_key_password.c_str()),
-    KeyVal(wpa_supplicant::kNetworkPropertyEapCaCert, eap().ca_cert.c_str()),
+    KeyVal(wpa_supplicant::kNetworkPropertyEapCaCert, ca_cert.c_str()),
     KeyVal(wpa_supplicant::kNetworkPropertyEapCaPassword,
            eap().password.c_str()),
     KeyVal(wpa_supplicant::kNetworkPropertyEapCertId, eap().cert_id.c_str()),
     KeyVal(wpa_supplicant::kNetworkPropertyEapKeyId, eap().key_id.c_str()),
     KeyVal(wpa_supplicant::kNetworkPropertyEapCaCertId,
            eap().ca_cert_id.c_str()),
-    // TODO(gauravsh): Support getting CA certificates out of the NSS certdb.
-    //                 crosbug.com/25663
   };
 
   vector<KeyVal> propertyvals(init_propertyvals,
@@ -769,7 +781,7 @@
   if (eap().use_system_cas) {
     propertyvals.push_back(KeyVal(
         wpa_supplicant::kNetworkPropertyCaPath, wpa_supplicant::kCaPath));
-  } else if (eap().ca_cert.empty()) {
+  } else if (ca_cert.empty()) {
       LOG(WARNING) << __func__
                    << ": No certificate authorities are configured."
                    << " Server certificates will be accepted"