| Index: chrome/browser/chromeos/net/cert_verify_proc_chromeos.h
|
| diff --git a/chrome/browser/chromeos/net/cert_verify_proc_chromeos.h b/chrome/browser/chromeos/net/cert_verify_proc_chromeos.h
|
| new file mode 100644
|
| index 0000000000000000000000000000000000000000..a715e45c2bb4738c514f7c718a8072b9a1027dd5
|
| --- /dev/null
|
| +++ b/chrome/browser/chromeos/net/cert_verify_proc_chromeos.h
|
| @@ -0,0 +1,59 @@
|
| +// Copyright 2014 The Chromium Authors. All rights reserved.
|
| +// Use of this source code is governed by a BSD-style license that can be
|
| +// found in the LICENSE file.
|
| +
|
| +#ifndef CHROME_BROWSER_CHROMEOS_NET_CERT_VERIFY_PROC_CHROMEOS_H_
|
| +#define CHROME_BROWSER_CHROMEOS_NET_CERT_VERIFY_PROC_CHROMEOS_H_
|
| +
|
| +#include "crypto/scoped_nss_types.h"
|
| +#include "net/cert/cert_verify_proc_nss.h"
|
| +#include "net/cert/nss_profile_filter_chromeos.h"
|
| +
|
| +namespace chromeos {
|
| +
|
| +// Wrapper around CertVerifyProcNSS which allows filtering trust decisions on a
|
| +// per-slot basis.
|
| +//
|
| +// Note that only the simple case is currently handled (if a slot contains a new
|
| +// trust root, that root should not be trusted by CertVerifyProcChromeOS
|
| +// instances using other slots). More complicated cases are not handled (like
|
| +// two slots adding the same root cert but with different trust values).
|
| +class CertVerifyProcChromeOS : public net::CertVerifyProcNSS {
|
| + public:
|
| + // Creates a CertVerifyProc that doesn't allow any user-provided trust roots.
|
| + CertVerifyProcChromeOS();
|
| +
|
| + // Creates a CertVerifyProc that doesn't allow trust roots provided by
|
| + // users other than the specified slot.
|
| + explicit CertVerifyProcChromeOS(crypto::ScopedPK11Slot public_slot);
|
| +
|
| + protected:
|
| + virtual ~CertVerifyProcChromeOS();
|
| +
|
| + private:
|
| + // net::CertVerifyProcNSS implementation:
|
| + virtual int VerifyInternal(
|
| + net::X509Certificate* cert,
|
| + const std::string& hostname,
|
| + int flags,
|
| + net::CRLSet* crl_set,
|
| + const net::CertificateList& additional_trust_anchors,
|
| + net::CertVerifyResult* verify_result) OVERRIDE;
|
| +
|
| + // Check if the trust root of |current_chain| is allowed.
|
| + // |is_chain_valid_arg| is actually a ChainVerifyArgs*, which is used to pass
|
| + // state through the NSS CERTChainVerifyCallback.isChainValidArg parameter.
|
| + // If the chain is allowed, |*chain_ok| will be set to PR_TRUE.
|
| + // If the chain is not allowed, |*chain_ok| is set to PR_FALSE, and this
|
| + // function may be called again during a single certificate verification if
|
| + // there are multiple possible valid chains.
|
| + static SECStatus IsChainValidFunc(void* is_chain_valid_arg,
|
| + const CERTCertList* current_chain,
|
| + PRBool* chain_ok);
|
| +
|
| + net::NSSProfileFilterChromeOS profile_filter_;
|
| +};
|
| +
|
| +} // namespace chromeos
|
| +
|
| +#endif // CHROME_BROWSER_CHROMEOS_NET_CERT_VERIFY_PROC_CHROMEOS_H_
|
|
|
Chromium Code Reviews
Issue 137553004:
NSS Cros multiprofile: trust roots added by a profile shouldn't apply to other profiles. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src