*WIP* Store NSS slots per profile. Move keygen to chrome.

net/cert/nss_profile_filter_chromeos.cc

Index: net/cert/nss_profile_filter_chromeos.cc
diff --git a/net/cert/nss_profile_filter_chromeos.cc b/net/cert/nss_profile_filter_chromeos.cc
new file mode 100644
index 0000000000000000000000000000000000000000..442d2aa16ded67b2d3bedf554f0546b4bff6e8c8
--- /dev/null
+++ b/net/cert/nss_profile_filter_chromeos.cc
@@ -0,0 +1,98 @@
+// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/cert/nss_profile_filter_chromeos.h"
+
+#include "base/bind.h"
+#include "base/callback.h"
+#include "base/strings/string_number_conversions.h"
+
+namespace net {
+namespace {
+
+std::string CertSlotsString(const scoped_refptr<X509Certificate>& cert) {
+  std::string r;
+  crypto::ScopedPK11SlotList slots_for_cert(
+      PK11_GetAllSlotsForCert(cert->os_cert_handle(), NULL));
+  for (PK11SlotListElement* slot_element =
+           PK11_GetFirstSafe(slots_for_cert.get());
+       slot_element;
+       slot_element =
+           PK11_GetNextSafe(slots_for_cert.get(), slot_element, PR_FALSE)) {
+    if (!r.empty())
+      r += ',';
+    r += base::IntToString(PK11_GetModuleID(slot_element->slot)) + ":" +
+         base::IntToString(PK11_GetSlotID(slot_element->slot));
+  }
+  return r;
+}
+
+}  // namespace
+
+NSSProfileFilterChromeOS::NSSProfileFilterChromeOS() {}
+
+NSSProfileFilterChromeOS::~NSSProfileFilterChromeOS() {}
+
+void NSSProfileFilterChromeOS::Init(crypto::ScopedPK11Slot public_slot,
+                                    crypto::ScopedPK11Slot private_slot) {
+  public_slot_ = public_slot.Pass();
+  private_slot_ = private_slot.Pass();
+}
+
+bool NSSProfileFilterChromeOS::IsModuleAllowed(PK11SlotInfo* slot) const {
+  // If this is one of the public/private slots for this profile, allow it.
+  if (slot == public_slot_.get() || slot == private_slot_.get())
+    return true;
+  // If it's from the read-only slot, allow it.
+  if (slot == PK11_GetInternalKeySlot())
+    return true;
+  // If this is a completely different module, allow it.
+  SECMODModule* module_for_slot = PK11_GetModule(slot);
+  if (module_for_slot != PK11_GetModule(public_slot_.get()) &&
+      module_for_slot != PK11_GetModule(private_slot_.get()))
+    return true;
+  return false;
+}
+
+bool NSSProfileFilterChromeOS::IsCertAllowed(
+    const scoped_refptr<X509Certificate>& cert) const {
+  crypto::ScopedPK11SlotList slots_for_cert(
+      PK11_GetAllSlotsForCert(cert->os_cert_handle(), NULL));
+  if (!slots_for_cert) {
+    DVLOG(1) << "cert no slots: " << cert->subject().GetDisplayName();
+    return false;
+  }
+
+  for (PK11SlotListElement* slot_element =
+           PK11_GetFirstSafe(slots_for_cert.get());
+       slot_element;
+       slot_element =
+           PK11_GetNextSafe(slots_for_cert.get(), slot_element, PR_FALSE)) {
+    if (IsModuleAllowed(slot_element->slot)) {
+      DVLOG(3) << "cert allowed:" << cert->subject().GetDisplayName()
+               << "  from:" << CertSlotsString(cert);
+      return true;
+    }
+  }
+  DVLOG(1) << "cert filtered:" << cert->subject().GetDisplayName()
+           << "  from:" << CertSlotsString(cert);
+  return false;
+}
+
+NSSProfileFilterChromeOS::Predicate::Predicate(
+    const NSSProfileFilterChromeOS& filter)
+    : filter_(filter) {}
+
+bool NSSProfileFilterChromeOS::Predicate::operator()(
+    const scoped_refptr<CryptoModule>& module) const {
+  return !filter_.IsModuleAllowed(module->os_module_handle());
+}
+
+bool NSSProfileFilterChromeOS::Predicate::operator()(
+    const scoped_refptr<X509Certificate>& cert) const {
+  return !filter_.IsCertAllowed(cert);
+}
+
+}  // namespace net
+