OLD | NEW |
(Empty) | |
| 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #include "net/cert/nss_profile_filter_chromeos.h" |
| 6 |
| 7 #include "base/bind.h" |
| 8 #include "base/callback.h" |
| 9 #include "base/strings/stringprintf.h" |
| 10 |
| 11 namespace net { |
| 12 |
| 13 namespace { |
| 14 |
| 15 std::string CertSlotsString(const scoped_refptr<X509Certificate>& cert) { |
| 16 std::string result; |
| 17 crypto::ScopedPK11SlotList slots_for_cert( |
| 18 PK11_GetAllSlotsForCert(cert->os_cert_handle(), NULL)); |
| 19 for (PK11SlotListElement* slot_element = |
| 20 PK11_GetFirstSafe(slots_for_cert.get()); |
| 21 slot_element; |
| 22 slot_element = |
| 23 PK11_GetNextSafe(slots_for_cert.get(), slot_element, PR_FALSE)) { |
| 24 if (!result.empty()) |
| 25 result += ','; |
| 26 base::StringAppendF(&result, |
| 27 "%lu:%lu", |
| 28 PK11_GetModuleID(slot_element->slot), |
| 29 PK11_GetSlotID(slot_element->slot)); |
| 30 } |
| 31 return result; |
| 32 } |
| 33 |
| 34 } // namespace |
| 35 |
| 36 NSSProfileFilterChromeOS::NSSProfileFilterChromeOS() {} |
| 37 |
| 38 NSSProfileFilterChromeOS::~NSSProfileFilterChromeOS() {} |
| 39 |
| 40 void NSSProfileFilterChromeOS::Init(crypto::ScopedPK11Slot public_slot, |
| 41 crypto::ScopedPK11Slot private_slot) { |
| 42 public_slot_ = public_slot.Pass(); |
| 43 private_slot_ = private_slot.Pass(); |
| 44 } |
| 45 |
| 46 bool NSSProfileFilterChromeOS::IsModuleAllowed(PK11SlotInfo* slot) const { |
| 47 // If this is one of the public/private slots for this profile, allow it. |
| 48 if (slot == public_slot_.get() || slot == private_slot_.get()) |
| 49 return true; |
| 50 // If it's from the read-only slot, allow it. |
| 51 if (slot == PK11_GetInternalKeySlot()) |
| 52 return true; |
| 53 // If this is not the internal (file-system) module or the TPM module, allow |
| 54 // it. |
| 55 SECMODModule* module_for_slot = PK11_GetModule(slot); |
| 56 if (module_for_slot != PK11_GetModule(public_slot_.get()) && |
| 57 module_for_slot != PK11_GetModule(private_slot_.get())) |
| 58 return true; |
| 59 return false; |
| 60 } |
| 61 |
| 62 bool NSSProfileFilterChromeOS::IsCertAllowed( |
| 63 const scoped_refptr<X509Certificate>& cert) const { |
| 64 crypto::ScopedPK11SlotList slots_for_cert( |
| 65 PK11_GetAllSlotsForCert(cert->os_cert_handle(), NULL)); |
| 66 if (!slots_for_cert) { |
| 67 DVLOG(2) << "cert no slots: " << cert->subject().GetDisplayName(); |
| 68 return true; |
| 69 } |
| 70 |
| 71 for (PK11SlotListElement* slot_element = |
| 72 PK11_GetFirstSafe(slots_for_cert.get()); |
| 73 slot_element; |
| 74 slot_element = |
| 75 PK11_GetNextSafe(slots_for_cert.get(), slot_element, PR_FALSE)) { |
| 76 if (IsModuleAllowed(slot_element->slot)) { |
| 77 DVLOG(3) << "cert from " << CertSlotsString(cert) |
| 78 << " allowed: " << cert->subject().GetDisplayName(); |
| 79 return true; |
| 80 } |
| 81 } |
| 82 DVLOG(2) << "cert from " << CertSlotsString(cert) |
| 83 << " filtered: " << cert->subject().GetDisplayName(); |
| 84 return false; |
| 85 } |
| 86 |
| 87 NSSProfileFilterChromeOS::CertNotAllowedForProfilePredicate:: |
| 88 CertNotAllowedForProfilePredicate(const NSSProfileFilterChromeOS& filter) |
| 89 : filter_(filter) {} |
| 90 |
| 91 bool NSSProfileFilterChromeOS::CertNotAllowedForProfilePredicate::operator()( |
| 92 const scoped_refptr<X509Certificate>& cert) const { |
| 93 return !filter_.IsCertAllowed(cert); |
| 94 } |
| 95 |
| 96 NSSProfileFilterChromeOS::ModuleNotAllowedForProfilePredicate:: |
| 97 ModuleNotAllowedForProfilePredicate(const NSSProfileFilterChromeOS& filter) |
| 98 : filter_(filter) {} |
| 99 |
| 100 bool NSSProfileFilterChromeOS::ModuleNotAllowedForProfilePredicate::operator()( |
| 101 const scoped_refptr<CryptoModule>& module) const { |
| 102 return !filter_.IsModuleAllowed(module->os_module_handle()); |
| 103 } |
| 104 |
| 105 } // namespace net |
| 106 |
OLD | NEW |