Chromium Code Reviews| Index: net/cert/nss_profile_filter_chromeos.cc |
| diff --git a/net/cert/nss_profile_filter_chromeos.cc b/net/cert/nss_profile_filter_chromeos.cc |
| new file mode 100644 |
| index 0000000000000000000000000000000000000000..cbe456b4ff09c03eb8bb3d029f82000629013d86 |
| --- /dev/null |
| +++ b/net/cert/nss_profile_filter_chromeos.cc |
| @@ -0,0 +1,98 @@ |
| +// Copyright (c) 2013 The Chromium Authors. All rights reserved. |
| +// Use of this source code is governed by a BSD-style license that can be |
| +// found in the LICENSE file. |
| + |
| +#include "net/cert/nss_profile_filter_chromeos.h" |
| + |
| +#include "base/bind.h" |
| +#include "base/callback.h" |
| +#include "base/strings/string_number_conversions.h" |
| + |
| +namespace net { |
| +namespace { |
|
Ryan Sleevi
2013/12/11 06:52:50
style nit: line break
mattm
2013/12/12 00:45:22
Done.
|
| + |
| +std::string CertSlotsString(const scoped_refptr<X509Certificate>& cert) { |
| + std::string r; |
|
Ryan Sleevi
2013/12/11 06:52:50
naming nit: result
mattm
2013/12/12 00:45:22
Done.
|
| + crypto::ScopedPK11SlotList slots_for_cert( |
| + PK11_GetAllSlotsForCert(cert->os_cert_handle(), NULL)); |
| + for (PK11SlotListElement* slot_element = |
| + PK11_GetFirstSafe(slots_for_cert.get()); |
| + slot_element; |
| + slot_element = |
| + PK11_GetNextSafe(slots_for_cert.get(), slot_element, PR_FALSE)) { |
| + if (!r.empty()) |
| + r += ','; |
| + r += base::IntToString(PK11_GetModuleID(slot_element->slot)) + ":" + |
| + base::IntToString(PK11_GetSlotID(slot_element->slot)); |
|
Ryan Sleevi
2013/12/11 06:52:50
base::StringAppendF("%ul:%ul") ?
In both cases, C
mattm
2013/12/12 00:45:22
Done.
|
| + } |
| + return r; |
| +} |
| + |
| +} // namespace |
| + |
| +NSSProfileFilterChromeOS::NSSProfileFilterChromeOS() {} |
| + |
| +NSSProfileFilterChromeOS::~NSSProfileFilterChromeOS() {} |
| + |
| +void NSSProfileFilterChromeOS::Init(crypto::ScopedPK11Slot public_slot, |
| + crypto::ScopedPK11Slot private_slot) { |
| + public_slot_ = public_slot.Pass(); |
| + private_slot_ = private_slot.Pass(); |
| +} |
| + |
| +bool NSSProfileFilterChromeOS::IsModuleAllowed(PK11SlotInfo* slot) const { |
| + // If this is one of the public/private slots for this profile, allow it. |
| + if (slot == public_slot_.get() || slot == private_slot_.get()) |
| + return true; |
| + // If it's from the read-only slot, allow it. |
| + if (slot == PK11_GetInternalKeySlot()) |
| + return true; |
| + // If this is a completely different module, allow it. |
|
Ryan Sleevi
2013/12/11 06:52:50
Can you expand this comment?
// If this is not th
mattm
2013/12/12 00:45:22
Done.
|
| + SECMODModule* module_for_slot = PK11_GetModule(slot); |
| + if (module_for_slot != PK11_GetModule(public_slot_.get()) && |
| + module_for_slot != PK11_GetModule(private_slot_.get())) |
| + return true; |
| + return false; |
| +} |
| + |
| +bool NSSProfileFilterChromeOS::IsCertAllowed( |
| + const scoped_refptr<X509Certificate>& cert) const { |
| + crypto::ScopedPK11SlotList slots_for_cert( |
| + PK11_GetAllSlotsForCert(cert->os_cert_handle(), NULL)); |
| + if (!slots_for_cert) { |
| + DVLOG(2) << "cert no slots: " << cert->subject().GetDisplayName(); |
| + return true; |
| + } |
| + |
| + for (PK11SlotListElement* slot_element = |
| + PK11_GetFirstSafe(slots_for_cert.get()); |
| + slot_element; |
| + slot_element = |
| + PK11_GetNextSafe(slots_for_cert.get(), slot_element, PR_FALSE)) { |
| + if (IsModuleAllowed(slot_element->slot)) { |
| + DVLOG(3) << "cert allowed:" << cert->subject().GetDisplayName() |
| + << " from:" << CertSlotsString(cert); |
| + return true; |
| + } |
| + } |
| + DVLOG(2) << "cert filtered:" << cert->subject().GetDisplayName() |
| + << " from:" << CertSlotsString(cert); |
|
Ryan Sleevi
2013/12/11 06:52:50
nit: Missing spaces after the ": ", and extra spac
mattm
2013/12/12 00:45:22
changed the format around, should be better now.
|
| + return false; |
| +} |
| + |
| +NSSProfileFilterChromeOS::Predicate::Predicate( |
| + const NSSProfileFilterChromeOS& filter) |
| + : filter_(filter) {} |
| + |
| +bool NSSProfileFilterChromeOS::Predicate::operator()( |
| + const scoped_refptr<CryptoModule>& module) const { |
| + return !filter_.IsModuleAllowed(module->os_module_handle()); |
| +} |
| + |
| +bool NSSProfileFilterChromeOS::Predicate::operator()( |
| + const scoped_refptr<X509Certificate>& cert) const { |
| + return !filter_.IsCertAllowed(cert); |
| +} |
| + |
| +} // namespace net |
| + |
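Review bot: In `IsModuleAllowed`, `slot == PK11_GetInternalKeySlot()` discards the result of a call that returns a new slot reference, so each filter check leaks one reference on the internal key slot. Hold it in a scoper instead: `crypto::ScopedPK11Slot internal_slot(PK11_GetInternalKeySlot());` followed by `if (slot == internal_slot.get()) return true;`. The same function passes `public_slot_.get()` and `private_slot_.get()` to `PK11_GetModule` with no null check, which looks unsafe if the filter is queried before `Init()` or initialised with an empty slot; a `DCHECK` or an explicit early return would make the precondition visible. `CertSlotsString` repeats the `PK11_GetAllSlotsForCert` lookup but, unlike `IsCertAllowed`, hands the result to `PK11_GetFirstSafe` without checking it for null. The `!slots_for_cert` branch in `IsCertAllowed` fails open, and since this filter appears to decide which certificates a profile may see, it deserves a comment such as `// Certs that are on no slot are not tied to any profile's token, so they are not filtered.` if that is the intent.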