NSS Cros multiprofile: trust roots added by a profile shouldn't apply to other profiles.

net/cert/cert_verify_proc_chromeos.h

+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_CERT_CERT_VERIFY_PROC_CHROMEOS_H_
+#define NET_CERT_CERT_VERIFY_PROC_CHROMEOS_H_
+
+#include "crypto/scoped_nss_types.h"
+#include "net/base/net_export.h"
+#include "net/cert/cert_verify_proc_nss.h"
+#include "net/cert/nss_profile_filter_chromeos.h"
+
+namespace net {
+
+// Wrapper around CertVerifyProcNSS which allows filtering trust decisions on a
+// per-user basis. Unlike the other CertVerifyProc implementations, this one is
+// publicly exported, as the browser will need to create one for each profile.
+//
+// Note that only the simple case is currently handled (if a profile adds a new
+// trust root, that root should not be trusted by other profiles). More
+// complicated cases are not handled (like two profiles adding the same root
+// cert but with different trust values).

[Ryan Sleevi, 2014/01/22 00:43:48]

The whole discussion of "profiles" is certainly something that doesn't seem like
it belongs in net/ at all. Much like the policy cert verifier, this seems like
it belongs in chrome/ (where the notion of profiles exists).

[mattm, 2014/01/24 04:47:31]

If it's defined in chrome/, we couldn't have CertVerifyProc::CreateDefault
return one.

I've rewritten the text to remove references to profiles.

[Ryan Sleevi, 2014/01/25 01:50:17]

I don't understand why this is an issue. It still belongs in Chrome proper, much
like the imported trust anchors. CertVerifier is created in src/chrome, so it
can always supply a custom CertVerifyProc.

[mattm, 2014/01/28 04:36:43]

Done.
guess I was worried about the number of places calling
CertVerifier::CreateDefault, but after looking at them I guess most of them
don't need this.

[Ryan Sleevi, 2014/01/30 05:27:39]

Nothing outside of unit tests, the net::URLRequestContextBuilder, and "process
hosts" (eg: chrome, remoting) should be using CreateDefault. Definitely needs
fixing.

+class NET_EXPORT CertVerifyProcChromeOS : public CertVerifyProcNSS {
+ public:
+  // Creates a CertVerifyProc that doesn't allow any user-provided trust roots.
+  CertVerifyProcChromeOS();
+
+  // Creates a CertVerifyProc that doesn't allow trust roots provided by
+  // users other than the specified slot.
+  CertVerifyProcChromeOS(crypto::ScopedPK11Slot public_slot,
+                         crypto::ScopedPK11Slot private_slot);
+
+ protected:
+  virtual ~CertVerifyProcChromeOS();
+
+ private:
+  CERTChainVerifyCallback* InitializeCERTChainVerifyCallback();
+
+  static SECStatus IsChainValidFunc(void* is_chain_valid_arg,
+                                    const CERTCertList* current_chain,
+                                    PRBool* chain_ok);
+
+  // A pointer to this object is passed to CertVerifyProcNSS.
+  CERTChainVerifyCallback chain_verify_callback_;
+
+  NSSProfileFilterChromeOS profile_filter_;
+};
+
+}  // namespace net
+
+#endif  // NET_CERT_CERT_VERIFY_PROC_CHROMEOS_H_
+