Support altsubject_match for EAP Networks

Subject alternative name match is used by the WPA Supplicant to be
matched against the alternative subject name of the authentication
server certificate. It is sent from chrome to shill to WPA supplicant.
It is sent to shill in a serialized form to be able to store it
permanently on disk. Because StoreInterface used in chromeOS to save EAP
data permanently doesn't support saving dictionaries.
Shill implementation that uses this CL:1897535
System API implementation that uses this CL:1893872

chromeos-base/shill and chromium on my chromebook and checked the flow
of the subject alternative name match and found that it is serialized
correctly, transferred to shill, translated to WPA Supplicant format
correctly.

Tests: chromeos_unittests and built and deployed chromeos-base/system-api as well as
Bug: 1004261
Cq-Depend: chromium:1897535
Change-Id: I8226e18591db89e783c450863ab6691be0ea0470
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1892955
Commit-Queue: Omar Morsi <omorsi@google.com>
Reviewed-by: Steven Bennetts <stevenjb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#730090}

chromeos/network/onc/onc_signature.cc

@@ -26,6 +26,9 @@ const OncValueSignature kCellularApnListSignature = {
     base::Value::Type::LIST, NULL, &kCellularApnSignature};
 const OncValueSignature kCellularFoundNetworkListSignature = {
     base::Value::Type::LIST, NULL, &kCellularFoundNetworkSignature};
+const OncValueSignature kEAPSubjectAlternativeNameMatchListSignature = {
+    base::Value::Type::LIST, nullptr,
+    &kEAPSubjectAlternativeNameMatchSignature};
 
 const OncFieldSignature issuer_subject_pattern_fields[] = {
     {::onc::client_cert::kCommonName, &kStringSignature},
@@ -62,6 +65,8 @@ const OncFieldSignature eap_fields[] = {
     {::onc::eap::kServerCARef, &kStringSignature},
     {::onc::eap::kServerCARefs, &kStringListSignature},
     {::onc::eap::kSubjectMatch, &kStringSignature},
+    {::onc::eap::kSubjectAlternativeNameMatch,
+     &kEAPSubjectAlternativeNameMatchListSignature},
     {::onc::eap::kTLSVersionMax, &kStringSignature},
     {::onc::eap::kUseProactiveKeyCaching, &kBoolSignature},
     {::onc::eap::kUseSystemCAs, &kBoolSignature},
@@ -391,6 +396,11 @@ const OncFieldSignature toplevel_configuration_fields[] = {
     {::onc::encrypted::kStretch, &kStringSignature},
     {NULL}};
 
+const OncFieldSignature eap_subject_alternative_name_match_fields[] = {
+    {::onc::eap_subject_alternative_name_match::kType, &kStringSignature},
+    {::onc::eap_subject_alternative_name_match::kValue, &kStringSignature},
+    {nullptr}};
+
 }  // namespace
 
 const OncValueSignature kRecommendedSignature = {base::Value::Type::LIST, NULL,
@@ -475,6 +485,9 @@ const OncValueSignature kCellularFoundNetworkSignature = {
     base::Value::Type::DICTIONARY, cellular_found_network_fields, NULL};
 const OncValueSignature kSIMLockStatusSignature = {
     base::Value::Type::DICTIONARY, sim_lock_status_fields, NULL};
+const OncValueSignature kEAPSubjectAlternativeNameMatchSignature = {
+    base::Value::Type::DICTIONARY, eap_subject_alternative_name_match_fields,
+    nullptr};
 
 const OncFieldSignature* GetFieldSignature(const OncValueSignature& signature,
                                            const std::string& onc_field_name) {

chromeos/network/onc/onc_signature.h

@@ -91,6 +91,10 @@ COMPONENT_EXPORT(CHROMEOS_NETWORK)
 extern const OncValueSignature kNetworkConfigurationListSignature;
 COMPONENT_EXPORT(CHROMEOS_NETWORK)
 extern const OncValueSignature kToplevelConfigurationSignature;
+COMPONENT_EXPORT(CHROMEOS_NETWORK)
+extern const OncValueSignature kEAPSubjectAlternativeNameMatchListSignature;
+COMPONENT_EXPORT(CHROMEOS_NETWORK)
+extern const OncValueSignature kEAPSubjectAlternativeNameMatchSignature;
 
 // Derived "ONC with State" signatures.
 COMPONENT_EXPORT(CHROMEOS_NETWORK)

chromeos/network/onc/onc_translation_tables.cc

@@ -33,6 +33,9 @@ const FieldTranslationEntry eap_fields[] = {
     {::onc::eap::kSaveCredentials, shill::kSaveCredentialsProperty},
     {::onc::eap::kServerCAPEMs, shill::kEapCaCertPemProperty},
     {::onc::eap::kSubjectMatch, shill::kEapSubjectMatchProperty},
+    // This field is converted during translation, see onc_translator_*.
+    // {::onc::eap::kSubjectAlternativeNameMatch,
+    //  shill::kEapSubjectAlternativeNameMatchProperty},
     {::onc::eap::kTLSVersionMax, shill::kEapTLSVersionMaxProperty},
     {::onc::eap::kUseSystemCAs, shill::kEapUseSystemCasProperty},
     {::onc::eap::kUseProactiveKeyCaching,

chromeos/network/onc/onc_translator_onc_to_shill.cc

@@ -13,6 +13,7 @@
 #include <utility>
 
 #include "base/json/json_reader.h"
+#include "base/json/json_string_value_serializer.h"
 #include "base/json/json_writer.h"
 #include "base/logging.h"
 #include "base/macros.h"
@@ -348,6 +349,23 @@ void LocalTranslator::TranslateEAP() {
                               base::Value(true));
   }
 
+  // Set shill::kEapSubjectAlternativeNameMatchProperty to the serialized form
+  // of the subject alternative name match list of dictionaries.
+  const base::ListValue* subject_alternative_name_match;
+  if (onc_object_->GetList(::onc::eap::kSubjectAlternativeNameMatch,
+                           &subject_alternative_name_match)) {
+    base::Value serialized_dicts(base::Value::Type::LIST);
+    std::string serialized_dict;
+    JSONStringValueSerializer serializer(&serialized_dict);
+    for (const base::Value& v : subject_alternative_name_match->GetList()) {
+      if (serializer.Serialize(v)) {
+        serialized_dicts.Append(serialized_dict);
+      }
+    }
+    shill_dictionary_->SetKey(shill::kEapSubjectAlternativeNameMatchProperty,
+                              std::move(serialized_dicts));
+  }
+
   CopyFieldsAccordingToSignature();
 }
 

chromeos/network/onc/onc_validator.cc

@@ -157,6 +157,8 @@ std::unique_ptr<base::DictionaryValue> Validator::MapObject(
       valid = ValidateProxyLocation(repaired.get());
     } else if (&signature == &kEAPSignature) {
       valid = ValidateEAP(repaired.get());
+    } else if (&signature == &kEAPSubjectAlternativeNameMatchSignature) {
+      valid = ValidateSubjectAlternativeNameMatch(repaired.get());
     } else if (&signature == &kCertificateSignature) {
       valid = ValidateCertificate(repaired.get());
     } else if (&signature == &kScopeSignature) {
@@ -1076,6 +1078,26 @@ bool Validator::ValidateEAP(base::DictionaryValue* result) {
   return !error_on_missing_field_ || all_required_exist;
 }
 
+bool Validator::ValidateSubjectAlternativeNameMatch(
+    base::DictionaryValue* result) {
+  const std::vector<const char*> valid_types = {
+      ::onc::eap_subject_alternative_name_match::kEMAIL,
+      ::onc::eap_subject_alternative_name_match::kDNS,
+      ::onc::eap_subject_alternative_name_match::kURI};
+
+  if (FieldExistsAndHasNoValidValue(
+          *result, ::onc::eap_subject_alternative_name_match::kType,
+          valid_types)) {
+    return false;
+  }
+
+  bool all_required_exist =
+      RequireField(*result, ::onc::eap_subject_alternative_name_match::kType) &&
+      RequireField(*result, ::onc::eap_subject_alternative_name_match::kValue);
+
+  return !error_on_missing_field_ || all_required_exist;
+}
+
 bool Validator::ValidateCertificate(base::DictionaryValue* result) {
   const std::vector<const char*> valid_types = {::onc::certificate::kClient,
                                                 ::onc::certificate::kServer,

chromeos/network/onc/onc_validator.h

@@ -190,6 +190,7 @@ class COMPONENT_EXPORT(CHROMEOS_NETWORK) Validator : public Mapper {
   bool ValidateProxySettings(base::DictionaryValue* result);
   bool ValidateProxyLocation(base::DictionaryValue* result);
   bool ValidateEAP(base::DictionaryValue* result);
+  bool ValidateSubjectAlternativeNameMatch(base::DictionaryValue* result);
   bool ValidateCertificate(base::DictionaryValue* result);
   bool ValidateScope(base::DictionaryValue* result);
   bool ValidateTether(base::DictionaryValue* result);

chromeos/test/data/network/shill_wifi_eap_tls.json

@@ -5,6 +5,13 @@
    "EAP.KeyID": "1:123456abcdef",
    "EAP.PIN": "111111",
    "EAP.SubjectMatch": "my_subject",
+   "EAP.SubjectAlternativeNameMatch": [
+      "{\"Type\":\"EMAIL\",\"Value\":\"my_email_1\"}",
+      "{\"Type\":\"EMAIL\",\"Value\":\"my_email_2\"}",
+      "{\"Type\":\"EMAIL\",\"Value\":\"my;email\"}",
+      "{\"Type\":\"DNS\",\"Value\":\"my_dns\"}",
+      "{\"Type\":\"URI\",\"Value\":\"my_uri\"}"
+   ],
    "EAP.TLSVersionMax": "1.2",
    "EAP.UseSystemCAs": true,
    "GUID": "{77db0089-0bc8-4358-929c-123xcv}",

chromeos/test/data/network/wifi_eap_tls.onc

@@ -13,6 +13,13 @@
       "ClientCertPKCS11Id": "1:123456abcdef",
       "SaveCredentials": true,
       "SubjectMatch": "my_subject",
+      "SubjectAlternativeNameMatch":[
+        {"Type": "EMAIL", "Value": "my_email_1"},
+        {"Type": "EMAIL", "Value": "my_email_2"},
+        {"Type": "EMAIL", "Value": "my;email"},
+        {"Type": "DNS", "Value": "my_dns"},
+        {"Type": "URI", "Value": "my_uri"}
+      ],
       "TLSVersionMax": "1.2",
       "UseSystemCAs": true
     }

components/onc/docs/onc_spec.md

@@ -1264,6 +1264,11 @@ type exists to configure the authentication.
     * WiFi only. A substring which a remote RADIUS service certificate subject
       name must contain in order to connect.
 
+* **SubjectAlternativeNameMatch**
+	* (optional) - [array of AlternativeSubjectName](#AlternativeSubjectName-type)
+	* WiFi only. A list of alternative subject names to be matched against the
+    alternative subject name of an authentication server certificate.
+
 * **TLSVersionMax**
     * (optional) - **string**
     * Sets the maximum TLS protocol version used by the OS for EAP.
@@ -1294,6 +1299,19 @@ type exists to configure the authentication.
     can be set.
 ---
 
+### AlternativeSubjectName type
+
+* **Type**
+	* (required) - **string**
+	* Type of the alternative subject name.
+	* Allowed values are:
+		* *EMAIL*
+		* *DNS*
+		* *URI*
+* **Value**
+	 * (required) - **string**
+	 * Value of the alternative subject name.
+
 ## Cellular Networks
 
 For Cellular connections, **Type** must be set to *Cellular* and the

components/onc/onc_constants.cc

@@ -323,11 +323,20 @@ const char kServerCAPEMs[] = "ServerCAPEMs";
 const char kServerCARef[] = "ServerCARef";
 const char kServerCARefs[] = "ServerCARefs";
 const char kSubjectMatch[] = "SubjectMatch";
+const char kSubjectAlternativeNameMatch[] = "SubjectAlternativeNameMatch";
 const char kTLSVersionMax[] = "TLSVersionMax";
 const char kUseSystemCAs[] = "UseSystemCAs";
 const char kUseProactiveKeyCaching[] = "UseProactiveKeyCaching";
 }  // namespace eap
 
+namespace eap_subject_alternative_name_match {
+const char kType[] = "Type";
+const char kValue[] = "Value";
+const char kEMAIL[] = "EMAIL";
+const char kDNS[] = "DNS";
+const char kURI[] = "URI";
+}  // namespace eap_subject_alternative_name_match
+
 namespace vpn {
 const char kAutoConnect[] = "AutoConnect";
 const char kHost[] = "Host";

components/onc/onc_constants.h

@@ -335,11 +335,20 @@ ONC_EXPORT extern const char kServerCAPEMs[];
 ONC_EXPORT extern const char kServerCARef[];
 ONC_EXPORT extern const char kServerCARefs[];
 ONC_EXPORT extern const char kSubjectMatch[];
+ONC_EXPORT extern const char kSubjectAlternativeNameMatch[];
 ONC_EXPORT extern const char kTLSVersionMax[];
 ONC_EXPORT extern const char kUseSystemCAs[];
 ONC_EXPORT extern const char kUseProactiveKeyCaching[];
 }  // namespace eap
 
+namespace eap_subject_alternative_name_match {
+ONC_EXPORT extern const char kType[];
+ONC_EXPORT extern const char kValue[];
+ONC_EXPORT extern const char kEMAIL[];
+ONC_EXPORT extern const char kDNS[];
+ONC_EXPORT extern const char kURI[];
+}  // namespace eap_subject_alternative_name_match
+
 namespace vpn {
 ONC_EXPORT extern const char kAutoConnect[];
 ONC_EXPORT extern const char kHost[];