
Issue 833426

Starred by 2 users

Issue metadata

Status: Verified
Owner:
Closed: Apr 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 3
Type: Feature




Add further variable expansions for policy-specified Identity/Username fields in networks

Project Member Reported by pmarko@chromium.org, Apr 16 2018

Issue description

ChromeOS can expand variables in ONC network policy specified Identity/Username fields.

Currently supported variables are:
- ${LOGIN_ID}
- ${LOGIN_EMAIL}
- ${CERT_SAN_EMAIL}
- ${CERT_SAN_UPN}

Add:
- ${CERT_SUBJECT_COMMON_NAME}

Maybe add:
- ${DEVICE_SERIAL_NUMBER}
- ${DEVICE_ASSET_ID}
 

Comment 1 by kaned@google.com, Apr 17 2018

Cc: -danielkane@google.com kaned@google.com

Comment 2 by emaxx@chromium.org, Apr 18 2018

Cc: emaxx@chromium.org
Just asking for context: is there a concrete feature request for this, or is it a generic improvement in the network certs area?

Comment 3 by pmarko@chromium.org, Apr 19 2018

It was triggered by feedback from a TT program provided by kaned@.

Mainly, the identity/username for device-wide networks can currently be either static, or use the placeholders ${CERT_SAN_EMAIL} / ${CERT_SAN_UPN}.

What makes this worse is that the current version of the certificate enrollment extension supports filling fields into the 'Subject' part of the CSR, but it doesn't support filling things into the UPN SubjectAlternativeName yet.

So we end up with
- configuring the extension to fill a machine-specific identifier into ${CERT_SAN_EMAIL}
- configuring the DeviceOpenNetworkConfiguration to use ${CERT_SAN_EMAIL} as identity
being the only way to make the device use a machine-specific 'Identity' field when using the certificate enrollment extension.

Comment 4 by bugdroid1@chromium.org, Apr 24 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/75f1569b82b21f4f4d14c044098c163a3dca1a08

commit 75f1569b82b21f4f4d14c044098c163a3dca1a08
Author: Pavol Marko <pmarko@chromium.org>
Date: Tue Apr 24 14:01:21 2018

Support additional placeholders in ONC identity fields

Support additional placeholders in ONC identity fields such as Identity
or Username:
- CERT_SUBJECT_COMMON_NAME: the ASCII CommonName of the selected client
  certificate (replaced when a CertPattern is used).
- DEVICE_SERIAL_NUMBER: the serial number of the device. Only replaced
  in DeviceOpenNetworkConfiguration.
- DEVICE_ASSET_ID: the Asset ID of the device. Only replaced in
  DeviceOpenNetworkConfiguration.

This CL also changes ONC identity field variable replacement to use
|VariableExpander| instead of custom code.

      chromeos_unittests --gtet_filter=ClientCertResolverTest*

Bug:  833426 
Test: unit_tests --gtest_filter=*NetworkConfigurationUpdater* && \
Change-Id: I436792ea0115230554f9726d56288cae09e80d40
Reviewed-on: https://chromium-review.googlesource.com/1016920
Commit-Queue: Pavol Marko <pmarko@chromium.org>
Reviewed-by: Maksim Ivanov <emaxx@chromium.org>
Reviewed-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Steven Bennetts <stevenjb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#553087}
[modify] https://crrev.com/75f1569b82b21f4f4d14c044098c163a3dca1a08/chrome/browser/chromeos/policy/browser_policy_connector_chromeos.cc
[modify] https://crrev.com/75f1569b82b21f4f4d14c044098c163a3dca1a08/chrome/browser/chromeos/policy/device_network_configuration_updater.cc
[modify] https://crrev.com/75f1569b82b21f4f4d14c044098c163a3dca1a08/chrome/browser/chromeos/policy/device_network_configuration_updater.h
[modify] https://crrev.com/75f1569b82b21f4f4d14c044098c163a3dca1a08/chrome/browser/chromeos/policy/network_configuration_updater_unittest.cc
[modify] https://crrev.com/75f1569b82b21f4f4d14c044098c163a3dca1a08/chromeos/network/certificate_helper.cc
[modify] https://crrev.com/75f1569b82b21f4f4d14c044098c163a3dca1a08/chromeos/network/certificate_helper.h
[modify] https://crrev.com/75f1569b82b21f4f4d14c044098c163a3dca1a08/chromeos/network/client_cert_resolver.cc
[modify] https://crrev.com/75f1569b82b21f4f4d14c044098c163a3dca1a08/chromeos/network/client_cert_resolver_unittest.cc
[modify] https://crrev.com/75f1569b82b21f4f4d14c044098c163a3dca1a08/chromeos/network/onc/onc_translator_onc_to_shill.cc
[modify] https://crrev.com/75f1569b82b21f4f4d14c044098c163a3dca1a08/chromeos/network/onc/onc_translator_shill_to_onc.cc
[modify] https://crrev.com/75f1569b82b21f4f4d14c044098c163a3dca1a08/chromeos/network/onc/onc_utils.cc
[modify] https://crrev.com/75f1569b82b21f4f4d14c044098c163a3dca1a08/chromeos/network/onc/onc_utils.h
[modify] https://crrev.com/75f1569b82b21f4f4d14c044098c163a3dca1a08/chromeos/network/onc/onc_utils_unittest.cc
[modify] https://crrev.com/75f1569b82b21f4f4d14c044098c163a3dca1a08/chromeos/tools/variable_expander.cc
[modify] https://crrev.com/75f1569b82b21f4f4d14c044098c163a3dca1a08/chromeos/tools/variable_expander.h
[modify] https://crrev.com/75f1569b82b21f4f4d14c044098c163a3dca1a08/components/onc/docs/onc_spec.md
[modify] https://crrev.com/75f1569b82b21f4f4d14c044098c163a3dca1a08/components/onc/onc_constants.cc
[modify] https://crrev.com/75f1569b82b21f4f4d14c044098c163a3dca1a08/components/onc/onc_constants.h
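
A sketch of the scoping rules in the commit message above, added here as an example; it is not Chromium's `VariableExpander` and not code from the CL. `PolicySource`, `AllowedVariables` and `ExpandIdentity` are hypothetical names, the sample values are constructed, and leaving unknown placeholders as literal text is an assumption of this sketch.

```cpp
#include <cstddef>
#include <iostream>
#include <map>
#include <string>

using VarMap = std::map<std::string, std::string>;
enum class PolicySource { kUserPolicy, kDevicePolicy };

// Builds the set of placeholders that may be substituted for one network.
// Device-scoped names are only offered for device policy
// (DeviceOpenNetworkConfiguration); certificate-derived names only once a
// client certificate has been selected via a CertPattern.
VarMap AllowedVariables(PolicySource source, const VarMap& login,
                        const VarMap& device, const VarMap* matched_cert) {
  VarMap vars = login;
  if (source == PolicySource::kDevicePolicy)
    vars.insert(device.begin(), device.end());
  if (matched_cert)
    vars.insert(matched_cert->begin(), matched_cert->end());
  return vars;
}

// Replaces each ${NAME} found in |vars|. Assumption of this sketch: names not
// in |vars| stay as literal text, so a missing value is visible in the result.
std::string ExpandIdentity(const std::string& tmpl, const VarMap& vars) {
  std::string out;
  std::size_t pos = 0;
  while (pos < tmpl.size()) {
    std::size_t start = tmpl.find("${", pos);
    std::size_t end = start == std::string::npos ? start : tmpl.find('}', start);
    if (end == std::string::npos) {  // no further complete placeholder
      out.append(tmpl, pos, std::string::npos);
      break;
    }
    out.append(tmpl, pos, start - pos);
    auto it = vars.find(tmpl.substr(start + 2, end - start - 2));
    // Substituted values are appended verbatim and never re-scanned, so a
    // certificate field containing "${...}" cannot trigger a second expansion.
    out += it != vars.end() ? it->second : tmpl.substr(start, end - start + 1);
    pos = end + 1;
  }
  return out;
}

int main() {
  VarMap device{{"DEVICE_SERIAL_NUMBER", "SN-CONSTRUCTED-01"}};  // constructed
  std::cout << ExpandIdentity("${DEVICE_SERIAL_NUMBER}@corp.example",
      AllowedVariables(PolicySource::kDevicePolicy, {}, device, nullptr)) << "\n";
}
```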

Comment 5 by pmarko@chromium.org, Apr 26 2018

Status: Fixed (was: Assigned)
The above CL landed in 68.0.3406.0.

Comment 6 by pmarko@chromium.org, Apr 26 2018

Labels: -Type-Bug Type-Feature

Comment 7 by pmarko@chromium.org, May 17 2018

Labels: M-68
Status: Verified (was: Fixed)
Verified working in M68.0.3432.0 10684.0.0 dev paine as tested on ONC WAP/WPA2 Enterprise (802.1X) and Dynamic WEP networks.
