OLD | NEW |
(Empty) | |
| 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #include "net/cert/nss_profile_filter_chromeos.h" |
| 6 |
| 7 #include "base/bind.h" |
| 8 #include "base/callback.h" |
| 9 #include "base/strings/string_number_conversions.h" |
| 10 |
| 11 namespace net { |
| 12 namespace { |
| 13 |
| 14 std::string CertSlotsString(const scoped_refptr<X509Certificate>& cert) { |
| 15 std::string r; |
| 16 crypto::ScopedPK11SlotList slots_for_cert( |
| 17 PK11_GetAllSlotsForCert(cert->os_cert_handle(), NULL)); |
| 18 for (PK11SlotListElement* slot_element = |
| 19 PK11_GetFirstSafe(slots_for_cert.get()); |
| 20 slot_element; |
| 21 slot_element = |
| 22 PK11_GetNextSafe(slots_for_cert.get(), slot_element, PR_FALSE)) { |
| 23 if (!r.empty()) |
| 24 r += ','; |
| 25 r += base::IntToString(PK11_GetModuleID(slot_element->slot)) + ":" + |
| 26 base::IntToString(PK11_GetSlotID(slot_element->slot)); |
| 27 } |
| 28 return r; |
| 29 } |
| 30 |
| 31 } // namespace |
| 32 |
| 33 NSSProfileFilterChromeOS::NSSProfileFilterChromeOS() {} |
| 34 |
| 35 NSSProfileFilterChromeOS::~NSSProfileFilterChromeOS() {} |
| 36 |
| 37 void NSSProfileFilterChromeOS::Init(crypto::ScopedPK11Slot public_slot, |
| 38 crypto::ScopedPK11Slot private_slot) { |
| 39 public_slot_ = public_slot.Pass(); |
| 40 private_slot_ = private_slot.Pass(); |
| 41 } |
| 42 |
| 43 bool NSSProfileFilterChromeOS::IsModuleAllowed(PK11SlotInfo* slot) const { |
| 44 // If this is one of the public/private slots for this profile, allow it. |
| 45 if (slot == public_slot_.get() || slot == private_slot_.get()) |
| 46 return true; |
| 47 // If it's from the read-only slot, allow it. |
| 48 if (slot == PK11_GetInternalKeySlot()) |
| 49 return true; |
| 50 // If this is a completely different module, allow it. |
| 51 SECMODModule* module_for_slot = PK11_GetModule(slot); |
| 52 if (module_for_slot != PK11_GetModule(public_slot_.get()) && |
| 53 module_for_slot != PK11_GetModule(private_slot_.get())) |
| 54 return true; |
| 55 return false; |
| 56 } |
| 57 |
| 58 bool NSSProfileFilterChromeOS::IsCertAllowed( |
| 59 const scoped_refptr<X509Certificate>& cert) const { |
| 60 crypto::ScopedPK11SlotList slots_for_cert( |
| 61 PK11_GetAllSlotsForCert(cert->os_cert_handle(), NULL)); |
| 62 if (!slots_for_cert) { |
| 63 DVLOG(1) << "cert no slots: " << cert->subject().GetDisplayName(); |
| 64 return false; |
| 65 } |
| 66 |
| 67 for (PK11SlotListElement* slot_element = |
| 68 PK11_GetFirstSafe(slots_for_cert.get()); |
| 69 slot_element; |
| 70 slot_element = |
| 71 PK11_GetNextSafe(slots_for_cert.get(), slot_element, PR_FALSE)) { |
| 72 if (IsModuleAllowed(slot_element->slot)) { |
| 73 DVLOG(3) << "cert allowed:" << cert->subject().GetDisplayName() |
| 74 << " from:" << CertSlotsString(cert); |
| 75 return true; |
| 76 } |
| 77 } |
| 78 DVLOG(1) << "cert filtered:" << cert->subject().GetDisplayName() |
| 79 << " from:" << CertSlotsString(cert); |
| 80 return false; |
| 81 } |
| 82 |
| 83 NSSProfileFilterChromeOS::Predicate::Predicate( |
| 84 const NSSProfileFilterChromeOS& filter) |
| 85 : filter_(filter) {} |
| 86 |
| 87 bool NSSProfileFilterChromeOS::Predicate::operator()( |
| 88 const scoped_refptr<CryptoModule>& module) const { |
| 89 return !filter_.IsModuleAllowed(module->os_module_handle()); |
| 90 } |
| 91 |
| 92 bool NSSProfileFilterChromeOS::Predicate::operator()( |
| 93 const scoped_refptr<X509Certificate>& cert) const { |
| 94 return !filter_.IsCertAllowed(cert); |
| 95 } |
| 96 |
| 97 } // namespace net |
| 98 |
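Review bot: IsModuleAllowed calls `PK11_GetModule(public_slot_.get())` and `PK11_GetModule(private_slot_.get())` without checking that Init() has run. The empty constructor appears to leave both slots unset, so a filter used before Init() hands a null slot to NSS; depending on how PK11_GetModule treats null, that either crashes or compares unequal and falls into the "completely different module, allow it" branch. Because this filter decides which profile's certificates and modules are visible, it should fail closed: add `if (!public_slot_ || !private_slot_) return false;` just before the module comparison. Separately, `PK11_GetInternalKeySlot()` returns a referenced slot, so the bare comparison looks like it leaks one reference per call. Holding the result in a `crypto::ScopedPK11Slot` and comparing against its `.get()` would release it.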