NetworkConfig UI: EAP: Validate server CA by default

Before this CL, when a user tries to add a WiFi with [PEAP/EAP-TTLS] security, the default configuration choice was to not validate the server's CA certificate. This CL changes the default behavior to use the system CAs as trust anchors. Bug: 1145024 Change-Id: Iae06bcf72ea0805d29faf7967045fbfde305fc8d Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2732109 Commit-Queue: Omar Morsi <omorsi@google.com> Reviewed-by: Pavol Marko <pmarko@chromium.org> Reviewed-by: Steven Bennetts <stevenjb@chromium.org> Cr-Commit-Position: refs/heads/master@{#859865}
marcosholgado · Mar 4, 2021 · 7431eca · 7431eca
1 parent 3a0fa8d
commit 7431eca
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 7 deletions.
diff --git a/chrome/test/data/webui/cr_components/chromeos/network/network_config_test.js b/chrome/test/data/webui/cr_components/chromeos/network/network_config_test.js
@@ -292,9 +292,9 @@ suite('network-config', function() {
         return flushAsync().then(() => {
           let outer = networkConfig.$$('#outer');
           assertEquals('EAP-TLS', outer.value);
-          // Check that with no certificates, 'do-not-check' amd 'no-certs'
-          // are selected.
-          assertEquals('do-not-check', networkConfig.selectedServerCaHash_);
+          // Check that with no certificates, 'default' and 'no-certs' are
+          // selected.
+          assertEquals('default', networkConfig.selectedServerCaHash_);
           assertEquals('no-certs', networkConfig.selectedUserCertHash_);
         });
       });

diff --git a/ui/webui/resources/cr_components/chromeos/network/network_config.js b/ui/webui/resources/cr_components/chromeos/network/network_config.js
@@ -1181,10 +1181,11 @@ Polymer({
         this.selectedServerCaHash_ = DEFAULT_HASH;
       } else if (!this.guid && this.serverCaCerts_[0]) {
         // For unconfigured networks, default to the first available
-        // certificate, or DO_NOT_CHECK (i.e. skip DEFAULT_HASH). See
-        /// onNetworkCertificatesChanged() for how certificates are added.
+        // certificate and fallback to DEFAULT_HASH. See
+        // onNetworkCertificatesChanged() for how certificates are added.
         let cert = this.serverCaCerts_[0];
-        if (cert.hash === DEFAULT_HASH && this.serverCaCerts_[1]) {
+        if (cert.hash === DEFAULT_HASH &&
+            this.isRealCertUsableForNetworkAuth_(this.serverCaCerts_[1])) {
           cert = this.serverCaCerts_[1];
         }
         this.selectedServerCaHash_ = cert.hash;
@@ -1209,7 +1210,17 @@ Polymer({
       }
     }
   },
-
+  /**
+   * Checks that the hash of the certificate is set and not one of the default
+   * special strings.
+   * @param {chromeos.networkConfig.mojom.NetworkCertificate|undefined} cert
+   * @return {boolean}
+   * @private
+   */
+  isRealCertUsableForNetworkAuth_(cert) {
+    return !!cert && cert.hash !== DO_NOT_CHECK_HASH &&
+        cert.hash !== DEFAULT_HASH;
+  },
   /**
    * @return {boolean}
    * @private