chrome/browser/chromeos/policy/policy_cert_verifier.cc - Issue 13035003: Added a PolicyCertVerifier that uses the trust anchors from the ONC policies.

Side by Side Diff: chrome/browser/chromeos/policy/policy_cert_verifier.cc

Issue 13035003: Added a PolicyCertVerifier that uses the trust anchors from the ONC policies. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: Addressed comments Created 7 years, 8 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

« chrome/browser/chromeos/policy/policy_cert_verifier.h ('K') | « chrome/browser/chromeos/policy/policy_cert_verifier.h ('k') | chrome/browser/chromeos/policy/policy_cert_verifier_browsertest.cc » ('j') | chrome/browser/chromeos/policy/policy_cert_verifier_browsertest.cc » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

OLD	NEW
(Empty)
	1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.

	2 // Use of this source code is governed by a BSD-style license that can be

	3 // found in the LICENSE file.

	4

	5 #include "chrome/browser/chromeos/policy/policy_cert_verifier.h"

	6

	7 #include "base/logging.h"

	8 #include "base/prefs/pref_service.h"

	9 #include "chrome/browser/browser_process.h"

	10 #include "chrome/browser/profiles/profile.h"

	11 #include "chrome/browser/profiles/profile_manager.h"

	12 #include "chrome/common/pref_names.h"

	13 #include "content/public/browser/browser_thread.h"

	14 #include "net/base/net_errors.h"

	15 #include "net/cert/cert_verify_proc.h"

	16 #include "net/cert/multi_threaded_cert_verifier.h"

	17

	18 namespace policy {

	19

	20 namespace {

	21

	22 void TaintProfile(void* profile_ptr) {
	Ryan Sleevi 2013/04/02 19:16:07 nit: DCHECK for UI thread here? Even with the adde nit: DCHECK for UI thread here? Even with the added bloat to debug binaries, I tend to find the DCHECKs the best documentation. Just my $.0000000000000000000000000002 (super tiny nit) Joao da Silva 2013/04/03 15:24:39 Done. Show quoted text On 2013/04/02 19:16:07, Ryan Sleevi wrote: > nit: DCHECK for UI thread here? Even with the added bloat to debug binaries, I > tend to find the DCHECKs the best documentation. > > Just my $.0000000000000000000000000002 (super tiny nit) Done.
	23 Profile* profile = reinterpret_cast<Profile*>(profile_ptr);

	24 if (!g_browser_process->profile_manager()->IsValidProfile(profile))

	25 return;

	26 profile->GetPrefs()->SetBoolean(prefs::kUsedPolicyCertificatesOnce, true);

	27 }

	28

	29 void MaybeTaintProfile(const net::CertVerifyResult& verify_result,

	30 void* profile) {

	31 DCHECK(content::BrowserThread::CurrentlyOn(content::BrowserThread::IO));

	32 if (verify_result.is_issued_by_additional_trust_anchor) {

	33 content::BrowserThread::PostTask(content::BrowserThread::UI, FROM_HERE,

	34 base::Bind(&TaintProfile, profile));

	35 }

	36 }

	37

	38 void CallbackWrapper(void* profile,
	pneubeck (no reviews) 2013/04/02 08:12:08 to replace some of the void* by Profile, could yo to replace some of the void by Profile, could you do the reinterpret cast already here? Or does it have to happen on the UI thread? Joao da Silva* 2013/04/03 15:24:39 It could be done here, but this is still the IO th Show quoted text On 2013/04/02 08:12:08, pneubeck wrote: > to replace some of the void* by Profile, could you do the reinterpret cast > already here? Or does it have to happen on the UI thread? It could be done here, but this is still the IO thread and it's not safe to access the object outside the UI thread. I find it clearer to pass around a void on the IO thread, to make sure it's not accessed.
	39 const net::CertVerifyResult* verify_result,

	40 const net::CompletionCallback& original_callback,

	41 int error) {

	42 DCHECK(content::BrowserThread::CurrentlyOn(content::BrowserThread::IO));

	43 if (error == net::OK)

	44 MaybeTaintProfile(*verify_result, profile);

	45 if (!original_callback.is_null())

	46 original_callback.Run(error);

	47 }

	48

	49 } // namespace

	50

	51 PolicyCertVerifier::PolicyCertVerifier(

	52 void* profile,

	53 net::CertTrustAnchorProvider* trust_anchor_provider)

	54 : profile_(profile) {

	55 DCHECK(content::BrowserThread::CurrentlyOn(content::BrowserThread::IO));

	56 net::MultiThreadedCertVerifier* verifier =

	57 new net::MultiThreadedCertVerifier(net::CertVerifyProc::CreateDefault());

	58 verifier->SetCertTrustAnchorProvider(trust_anchor_provider);

	59 delegate_.reset(verifier);

	60 }

	61

	62 PolicyCertVerifier::~PolicyCertVerifier() {

	63 DCHECK(content::BrowserThread::CurrentlyOn(content::BrowserThread::IO));

	64 }

	65

	66 int PolicyCertVerifier::Verify(net::X509Certificate* cert,

	67 const std::string& hostname,

	68 int flags,

	69 net::CRLSet* crl_set,

	70 net::CertVerifyResult* verify_result,

	71 const net::CompletionCallback& callback,

	72 RequestHandle* out_req,

	73 const net::BoundNetLog& net_log) {

	74 DCHECK(content::BrowserThread::CurrentlyOn(content::BrowserThread::IO));

	75 net::CompletionCallback wrapped_callback =

	76 base::Bind(&CallbackWrapper, profile_, verify_result, callback);

	77 int error = delegate_->Verify(cert, hostname, flags, crl_set, verify_result,

	78 wrapped_callback, out_req, net_log);

	79 if (error == net::OK)

	80 MaybeTaintProfile(*verify_result, profile_);

	81 return error;

	82 }

	83

	84 void PolicyCertVerifier::CancelRequest(RequestHandle req) {

	85 DCHECK(content::BrowserThread::CurrentlyOn(content::BrowserThread::IO));

	86 delegate_->CancelRequest(req);

	87 }

	88

	89 } // namespace policy

OLD	NEW