Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(1306)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: chrome/browser/chromeos/net/cert_verify_proc_chromeos.h

Issue 137553004: NSS Cros multiprofile: trust roots added by a profile shouldn't apply to other profiles. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: update ProfileIOData comment Created 6 years, 10 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « no previous file | chrome/browser/chromeos/net/cert_verify_proc_chromeos.cc » ('j') | chrome/browser/profiles/profile_io_data.cc » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: chrome/browser/chromeos/net/cert_verify_proc_chromeos.h
diff --git a/chrome/browser/chromeos/net/cert_verify_proc_chromeos.h b/chrome/browser/chromeos/net/cert_verify_proc_chromeos.h
new file mode 100644
index 0000000000000000000000000000000000000000..b111f4d87cc6e7d8bf3c6b33bdadad2ac51b2d1d
--- /dev/null
+++ b/chrome/browser/chromeos/net/cert_verify_proc_chromeos.h
@@ -0,0 +1,58 @@
+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CHROME_BROWSER_CHROMEOS_NET_CERT_VERIFY_PROC_CHROMEOS_H_
+#define CHROME_BROWSER_CHROMEOS_NET_CERT_VERIFY_PROC_CHROMEOS_H_
+
+#include "crypto/scoped_nss_types.h"
+#include "net/cert/cert_verify_proc_nss.h"
+#include "net/cert/nss_profile_filter_chromeos.h"
+
+namespace chromeos {
+
+// Wrapper around CertVerifyProcNSS which allows filtering trust decisions on a
+// per-slot basis.
+//
+// Note that only the simple case is currently handled (if a slot contains a new
+// trust root, that root should not be trusted by CertVerifyProcChromeOS
+// instances using other slots). More complicated cases are not handled (like
+// two slots adding the same root cert but with different trust values).
+class CertVerifyProcChromeOS : public net::CertVerifyProcNSS {
+ public:
+ // Creates a CertVerifyProc that doesn't allow any user-provided trust roots.
+ CertVerifyProcChromeOS();
+
+ // Creates a CertVerifyProc that doesn't allow trust roots provided by
+ // users other than the specified slot.
+ explicit CertVerifyProcChromeOS(crypto::ScopedPK11Slot public_slot);
+
+ protected:
+ virtual ~CertVerifyProcChromeOS();
+
+ private:
+ virtual int VerifyInternal(
Daniel Erat 2014/02/07 16:29:28 nit: mind adding a // net::CertVerifyProcNSS im
mattm 2014/02/07 22:13:54 Done.
+ net::X509Certificate* cert,
+ const std::string& hostname,
+ int flags,
+ net::CRLSet* crl_set,
+ const net::CertificateList& additional_trust_anchors,
+ net::CertVerifyResult* verify_result) OVERRIDE;
+
+ // Check if the trust root of |current_chain| is allowed.
+ // |is_chain_valid_arg| is actually a ChainVerifyArgs*, which is used to pass
+ // state through the NSS CERTChainVerifyCallback.isChainValidArg parameter.
+ // If the chain is allowed, |*chain_ok| will be set to PR_TRUE.
+ // If the chain is not allowed, |*chain_ok| is set to PR_FALSE, and this
+ // function may be called again during a single certificate verification if
+ // there are multiple possible valid chains.
+ static SECStatus IsChainValidFunc(void* is_chain_valid_arg,
+ const CERTCertList* current_chain,
+ PRBool* chain_ok);
+
+ net::NSSProfileFilterChromeOS profile_filter_;
+};
+
+} // namespace chromeos
+
+#endif // CHROME_BROWSER_CHROMEOS_NET_CERT_VERIFY_PROC_CHROMEOS_H_
« no previous file with comments | « no previous file | chrome/browser/chromeos/net/cert_verify_proc_chromeos.cc » ('j') | chrome/browser/profiles/profile_io_data.cc » ('J')

Powered by Google App Engine
This is Rietveld 408576698