
Issue 697441


Issue metadata

Status: Fixed
Closed: Nov 19
OS: Chrome
Pri: 3
Type: Bug




ONC: ClientCertRef not automatically resolved for EAP networks

Project Member Reported by pmarko@chromium.org, Mar 1 2017

Issue description

When configuring an EAP network which needs a client certificate for authentication through policy-pushed ONC, there are two ways to specify which client certificate should be used in the ONC:
(1) ClientCertPattern: Specifies criteria the certificate must match to be selected.
(2) ClientCertRef: The concrete certificate is selected (based on its ID in the ONC).

While (1) is automatically resolved and set in shill when the policy comes in (see ClientCertResolver), (2) is only resolved when connecting to the network through the UI.
This also has the side-effect of AutoConnect: true not working for EAP networks configured with ClientCertRef.

Note that the priority of this is low because
- the usage of ClientCertRef is limited by the ONC requirement for the cert to be listed in the same ONC json blob
- there is currently no way to configure ClientCertRef in the admin interface.
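
The constraint described in the report above (a ClientCertRef must point at a certificate listed in the same ONC blob) can be checked before a policy is pushed. The following is an added example, not part of the original report or of Chromium's code; the sample ONC, its GUIDs and the finding names are constructed for illustration.

```python
import json

# Constructed sample ONC (not from the issue); GUIDs and PKCS12 are placeholders.
SAMPLE_ONC = json.loads("""
{
  "Type": "UnencryptedConfiguration",
  "Certificates": [
    {"GUID": "{cert-a}", "Type": "Client", "PKCS12": "PLACEHOLDER"}
  ],
  "NetworkConfigurations": [
    {"GUID": "{wifi-ref-ok}", "Name": "corp", "Type": "WiFi",
     "WiFi": {"SSID": "corp", "Security": "WPA-EAP", "AutoConnect": true,
              "EAP": {"Outer": "EAP-TLS", "ClientCertType": "Ref",
                      "ClientCertRef": "{cert-a}"}}},
    {"GUID": "{wifi-ref-missing}", "Name": "lab", "Type": "WiFi",
     "WiFi": {"SSID": "lab", "Security": "WPA-EAP",
              "EAP": {"Outer": "EAP-TLS", "ClientCertType": "Ref",
                      "ClientCertRef": "{cert-b}"}}},
    {"GUID": "{eth-pattern}", "Name": "wired", "Type": "Ethernet",
     "Ethernet": {"Authentication": "8021X",
                  "EAP": {"Outer": "EAP-TLS", "ClientCertType": "Pattern",
                          "ClientCertPattern": {"Issuer": {"CommonName": "Corp CA"}}}}}
  ]
}
""")


def check_client_cert_refs(onc):
    """Return (network GUID, finding) pairs for EAP networks using ClientCertRef."""
    client_guids = {c.get("GUID") for c in onc.get("Certificates", [])
                    if c.get("Type") == "Client"}
    findings = []
    for net in onc.get("NetworkConfigurations", []):
        media = net.get(net.get("Type"), {})  # the "WiFi" or "Ethernet" sub-dictionary
        eap = media.get("EAP") or {}
        if eap.get("ClientCertType") != "Ref":
            continue  # ClientCertPattern or no client cert: not the case in this issue
        if eap.get("ClientCertRef") not in client_guids:
            # The referenced certificate must be listed in the same ONC blob.
            findings.append((net.get("GUID"), "UNRESOLVED_REF"))
        elif media.get("AutoConnect"):
            # Per the report, the ref was only resolved on a UI-initiated connect.
            findings.append((net.get("GUID"), "AUTOCONNECT_WITH_REF"))
    return findings


if __name__ == "__main__":
    for guid, finding in check_client_cert_refs(SAMPLE_ONC):
        print(guid, finding)
```
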
 

Comment 1 by emaxx@chromium.org, Mar 1 2017

Cc: dskaram@chromium.org
Labels: OS-Chrome
+David FYI

Comment 2 Deleted

Labels: pmarko-backlog
Project Member

Comment 4 by bugdroid1@chromium.org, Oct 29

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/0b3feddd541e54787942c3c475b6a07a26b62d33

commit 0b3feddd541e54787942c3c475b6a07a26b62d33
Author: Pavol Marko <pmarko@chromium.org>
Date: Mon Oct 29 11:57:20 2018

Resolve ClientCertRef ONC references

Make ClientCertResolver understand ClientCertRef in addition to
ClientCertPattern.
The resolution of the ClientCertRef uses the fact that
CertificateImporterImpl sets the nickname of the imported private key
to the certificate's GUID.

Bug: 898603, 697441
Test: chromeos_unittests --gtest_filter=*ClientCertResolver*
Change-Id: If52f7e324e14b41d018942adaa3c3aefa9eccf58
Reviewed-on: https://chromium-review.googlesource.com/c/1299008
Commit-Queue: Pavol Marko <pmarko@chromium.org>
Reviewed-by: Alexander Hendrich <hendrich@chromium.org>
Reviewed-by: Steven Bennetts <stevenjb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#603460}
[modify] https://crrev.com/0b3feddd541e54787942c3c475b6a07a26b62d33/chromeos/network/client_cert_resolver.cc
[modify] https://crrev.com/0b3feddd541e54787942c3c475b6a07a26b62d33/chromeos/network/client_cert_resolver.h
[modify] https://crrev.com/0b3feddd541e54787942c3c475b6a07a26b62d33/chromeos/network/client_cert_resolver_unittest.cc
[modify] https://crrev.com/0b3feddd541e54787942c3c475b6a07a26b62d33/chromeos/network/client_cert_util.cc
[modify] https://crrev.com/0b3feddd541e54787942c3c475b6a07a26b62d33/chromeos/network/client_cert_util.h
[modify] https://crrev.com/0b3feddd541e54787942c3c475b6a07a26b62d33/chromeos/network/network_connection_handler_impl.cc
[modify] https://crrev.com/0b3feddd541e54787942c3c475b6a07a26b62d33/chromeos/network/onc/onc_certificate_importer_impl.cc

Labels: M-72
Status: Fixed (was: Assigned)
Hi Pavol,
Please provide steps if this requires manual verification. Thanks!
