Issue 898815

Issue metadata

Status: Fixed
Owner:
Closed: Nov 5
Cc:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 1
Type: Bug

Hide PKCS12 from ONC in chrome://policy

Project Member Reported by pmarko@chromium.org, Oct 25

Issue description

If a client certificate is transferred in ONC policy as a PKCS12 blob, hide it from chrome://policy, as the private key is supposed to be private.
 
Easiest fix would probably be to re-use the same masking mechanism used for other network credentials[1]. I.e. we could add the parent's signature and the field's name to [2].

Do you have a sample ONC configuration with a PKCS12 blob? Is the field you're talking about [3]? So the parent's signature would be [4]? I could prepare a CL if you like :)


[1] https://cs.chromium.org/chromium/src/chromeos/network/onc/onc_utils.cc?l=126&gs=kythe%253A%252F%252Fchromium%253Flang%253Dc%25252B%25252B%253Fpath%253Dsrc%252Fchromeos%252Fnetwork%252Fonc%252Fonc_utils.cc%253Froot%253Dchromium-chromeos%25235v1Bz9zolawAi%25252BHvZWLEN7lfQQNFPkwO0%25252Fd09LnmQr0%25253D%2Bkythe%253A%252F%252Fchromium%253Flang%253Dc%25252B%25252B%253Fpath%253Dsrc%252Fchromeos%252Fnetwork%252Fonc%252Fonc_utils.cc%253Froot%253Dchromium-chromeos%25237OThvB7Ln1xS0WXrcqi3bwf2VMQnZW%25252BLUoXV0IgBBUA%25253D%2Bkythe%253A%252F%252Fchromium%253Flang%253Dc%25252B%25252B%253Fpath%253Dsrc%252Fchromeos%252Fnetwork%252Fonc%252Fonc_utils.cc%253Froot%253Dchromium-chromeos%2523jJ0VtUyoPjn9ufhDhtM9l1NnqPwsJ0QUVrUNlqnUuh4%25253D%2Bkythe%253A%252F%252Fchromium%253Flang%253Dc%25252B%25252B%253Fpath%253Dsrc%252Fchromeos%252Fnetwork%252Fonc%252Fonc_utils.cc%253Froot%253Dchromium-chromeos%2523pSPHzYlpMPTDs0CQNbeuLTGC2oM6D%25252FYTrhS%25252F21arUoU%25253D&gsn=OncMaskValues&ct=xref_usages
[2] https://cs.chromium.org/chromium/src/chromeos/network/onc/onc_signature.cc?l=511&gs=kythe%253A%252F%252Fchromium%253Flang%253Dc%25252B%25252B%253Fpath%253Dsrc%252Fchromeos%252Fnetwork%252Fonc%252Fonc_signature.cc%253Froot%253Dchromium-chromeos%2523lydCgNPiNCqnQ6PTUdH%25252B1wBmhs%25252FG9G%25252FaXTZl3h3YxF8%25253D&gsn=credentials&ct=xref_usages
[3] https://cs.chromium.org/chromium/src/components/onc/onc_constants.cc?l=275&gs=kythe%253A%252F%252Fchromium%253Flang%253Dc%25252B%25252B%253Fpath%253Dsrc%252Fcomponents%252Fonc%252Fonc_constants.cc%253Froot%253Dchromium-chromeos%2523B6UTENf%25252BSTBKuUay2yB3CtMHOumQlAvWut%25252BdjyueK%25252F8%25253D&gsn=kPKCS12&ct=xref_usages
[4] https://cs.chromium.org/chromium/src/chromeos/network/onc/onc_signature.cc?l=446&gs=kythe%253A%252F%252Fchromium%253Flang%253Dc%25252B%25252B%253Fpath%253Dsrc%252Fchromeos%252Fnetwork%252Fonc%252Fonc_signature.cc%253Froot%253Dchromium-chromeos%252373RNJNCOhjOj5rPuJk1tfxAF4r%25252FrihHD6r8YV3XzWxY%25253D&gsn=kCertificateSignature&ct=xref_usages
Oh sorry, I forgot to add you as reviewer on the CL :-O

https://chromium-review.googlesource.com/c/chromium/src/+/1301253
Yes, [3]/[4] sounds correct and I think it's a good idea to reuse the same mechanism.

If we add support for encrypted PKCS12 blobs, masking may be made conditional again, but we can just keep masking forever then too.
Project Member

Comment 3 by bugdroid1@chromium.org, Oct 30

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/34bb9a9162a541ba0659a37d56c73462c1343a65

commit 34bb9a9162a541ba0659a37d56c73462c1343a65
Author: Pavol Marko <pmarko@chromium.org>
Date: Tue Oct 30 08:55:59 2018

Treat PKCS12 onc values as credentials

PKCS12 values in onc policy may contain unencrypted private keys, so
mask them in the UI.

Bug:  898815 
Test: manual
Change-Id: I2f89af4d365d0206e97583c3d54de27c3d05b8e9
Reviewed-on: https://chromium-review.googlesource.com/c/1301253
Commit-Queue: Pavol Marko <pmarko@chromium.org>
Reviewed-by: Alexander Hendrich <hendrich@chromium.org>
Reviewed-by: Steven Bennetts <stevenjb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#603839}
[modify] https://crrev.com/34bb9a9162a541ba0659a37d56c73462c1343a65/chromeos/network/onc/onc_signature.cc

Status: Fixed (was: Started)
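
An added illustration, not Chromium's code and not part of the thread: a Python sketch of masking keyed on the parent's signature plus the field name, the mechanism discussed above. The signature labels, the `mask_onc` helper, the `********` placeholder and the sample policy are assumptions constructed for this example.

```python
MASK = "********"  # assumed placeholder shown in place of a secret

# (parent signature, field name) pairs treated as credentials.
# Signature labels are names for this sketch, not Chromium identifiers.
CREDENTIALS = {
    ("WiFi", "Passphrase"),
    ("EAP", "Password"),
    ("Certificate", "PKCS12"),  # the entry this issue asks for
}

# (parent signature, field name) -> signature of the nested object(s)
CHILD_SIGNATURES = {
    ("TopLevel", "NetworkConfigurations"): "NetworkConfiguration",
    ("TopLevel", "Certificates"): "Certificate",
    ("NetworkConfiguration", "WiFi"): "WiFi",
    ("WiFi", "EAP"): "EAP",
}

def mask_onc(value, signature="TopLevel"):
    """Return a copy of an ONC value with credential fields replaced by MASK."""
    if isinstance(value, list):
        # List items share the signature declared for the list field.
        return [mask_onc(item, signature) for item in value]
    if not isinstance(value, dict):
        return value
    masked = {}
    for field, child in value.items():
        if (signature, field) in CREDENTIALS:
            masked[field] = MASK
        else:
            # Unknown fields get no signature, so nothing below them matches.
            child_sig = CHILD_SIGNATURES.get((signature, field))
            masked[field] = mask_onc(child, child_sig)
    return masked

# Constructed sample policy; the PKCS12 value is a dummy string, not a key.
SAMPLE_POLICY = {
    "NetworkConfigurations": [{
        "GUID": "{wifi-1}", "Type": "WiFi",
        "WiFi": {"SSID": "corp", "Security": "WPA-PSK",
                 "Passphrase": "constructed-passphrase"},
    }],
    "Certificates": [{
        "GUID": "{cert-1}", "Type": "Client",
        "PKCS12": "Y29uc3RydWN0ZWQtYmxvYg==",
    }],
}

if __name__ == "__main__":
    print(mask_onc(SAMPLE_POLICY))
```

Because the match is on the pair rather than the field name alone, a field named `PKCS12` under any other parent is left untouched, and a credential field missing from the table is displayed in clear.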