Index: net/cert/nss_profile_filter_chromeos.cc |
diff --git a/net/cert/nss_profile_filter_chromeos.cc b/net/cert/nss_profile_filter_chromeos.cc |
new file mode 100644 |
index 0000000000000000000000000000000000000000..0495d7a6abd21ffdba6aa3cd35a0e493d52f5777 |
--- /dev/null |
+++ b/net/cert/nss_profile_filter_chromeos.cc |
@@ -0,0 +1,106 @@ |
+// Copyright (c) 2013 The Chromium Authors. All rights reserved. |
+// Use of this source code is governed by a BSD-style license that can be |
+// found in the LICENSE file. |
+ |
+#include "net/cert/nss_profile_filter_chromeos.h" |
+ |
+#include "base/bind.h" |
+#include "base/callback.h" |
+#include "base/strings/stringprintf.h" |
+ |
+namespace net { |
+ |
+namespace { |
+ |
+std::string CertSlotsString(const scoped_refptr<X509Certificate>& cert) { |
+ std::string result; |
+ crypto::ScopedPK11SlotList slots_for_cert( |
+ PK11_GetAllSlotsForCert(cert->os_cert_handle(), NULL)); |
+ for (PK11SlotListElement* slot_element = |
+ PK11_GetFirstSafe(slots_for_cert.get()); |
+ slot_element; |
+ slot_element = |
+ PK11_GetNextSafe(slots_for_cert.get(), slot_element, PR_FALSE)) { |
+ if (!result.empty()) |
+ result += ','; |
+ base::StringAppendF(&result, |
+ "%lu:%lu", |
+ PK11_GetModuleID(slot_element->slot), |
+ PK11_GetSlotID(slot_element->slot)); |
+ } |
+ return result; |
+} |
+ |
+} // namespace |
+ |
+NSSProfileFilterChromeOS::NSSProfileFilterChromeOS() {} |
+ |
+NSSProfileFilterChromeOS::~NSSProfileFilterChromeOS() {} |
+ |
+void NSSProfileFilterChromeOS::Init(crypto::ScopedPK11Slot public_slot, |
+ crypto::ScopedPK11Slot private_slot) { |
+ public_slot_ = public_slot.Pass(); |
+ private_slot_ = private_slot.Pass(); |
+} |
+ |
+bool NSSProfileFilterChromeOS::IsModuleAllowed(PK11SlotInfo* slot) const { |
+ // If this is one of the public/private slots for this profile, allow it. |
+ if (slot == public_slot_.get() || slot == private_slot_.get()) |
+ return true; |
+ // If it's from the read-only slot, allow it. |
+ if (slot == PK11_GetInternalKeySlot()) |
+ return true; |
+ // If this is not the internal (file-system) module or the TPM module, allow |
+ // it. |
+ SECMODModule* module_for_slot = PK11_GetModule(slot); |
+ if (module_for_slot != PK11_GetModule(public_slot_.get()) && |
+ module_for_slot != PK11_GetModule(private_slot_.get())) |
+ return true; |
+ return false; |
+} |
+ |
+bool NSSProfileFilterChromeOS::IsCertAllowed( |
+ const scoped_refptr<X509Certificate>& cert) const { |
+ crypto::ScopedPK11SlotList slots_for_cert( |
+ PK11_GetAllSlotsForCert(cert->os_cert_handle(), NULL)); |
+ if (!slots_for_cert) { |
+ DVLOG(2) << "cert no slots: " << cert->subject().GetDisplayName(); |
+ return true; |
+ } |
+ |
+ for (PK11SlotListElement* slot_element = |
+ PK11_GetFirstSafe(slots_for_cert.get()); |
+ slot_element; |
+ slot_element = |
+ PK11_GetNextSafe(slots_for_cert.get(), slot_element, PR_FALSE)) { |
+ if (IsModuleAllowed(slot_element->slot)) { |
+ DVLOG(3) << "cert from " << CertSlotsString(cert) |
+ << " allowed: " << cert->subject().GetDisplayName(); |
+ return true; |
+ } |
+ } |
+ DVLOG(2) << "cert from " << CertSlotsString(cert) |
+ << " filtered: " << cert->subject().GetDisplayName(); |
+ return false; |
+} |
+ |
+NSSProfileFilterChromeOS::CertNotAllowedForProfilePredicate:: |
+ CertNotAllowedForProfilePredicate(const NSSProfileFilterChromeOS& filter) |
+ : filter_(filter) {} |
+ |
+bool NSSProfileFilterChromeOS::CertNotAllowedForProfilePredicate::operator()( |
+ const scoped_refptr<X509Certificate>& cert) const { |
+ return !filter_.IsCertAllowed(cert); |
+} |
+ |
+NSSProfileFilterChromeOS::ModuleNotAllowedForProfilePredicate:: |
+ ModuleNotAllowedForProfilePredicate(const NSSProfileFilterChromeOS& filter) |
+ : filter_(filter) {} |
+ |
+bool NSSProfileFilterChromeOS::ModuleNotAllowedForProfilePredicate::operator()( |
+ const scoped_refptr<CryptoModule>& module) const { |
+ return !filter_.IsModuleAllowed(module->os_module_handle()); |
+} |
+ |
+} // namespace net |
+ |