| OLD | NEW |
|---|
| 1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/nss_profile_filter_chromeos.h" | 5 #include "net/cert/nss_profile_filter_chromeos.h" |
| 6 | 6 |
| 7 #include "base/strings/string_piece.h" | 7 #include "base/strings/string_piece.h" |
| 8 #include "base/strings/stringprintf.h" | 8 #include "base/strings/stringprintf.h" |
| 9 #include "net/cert/x509_certificate.h" | 9 #include "net/cert/x509_certificate.h" |
| 10 | 10 |
| (...skipping 25 matching lines...) Expand all Loading... |
| 36 NSSProfileFilterChromeOS::NSSProfileFilterChromeOS() {} | 36 NSSProfileFilterChromeOS::NSSProfileFilterChromeOS() {} |
| 37 | 37 |
| 38 NSSProfileFilterChromeOS::NSSProfileFilterChromeOS( | 38 NSSProfileFilterChromeOS::NSSProfileFilterChromeOS( |
| 39 const NSSProfileFilterChromeOS& other) { | 39 const NSSProfileFilterChromeOS& other) { |
| 40 public_slot_.reset(other.public_slot_ ? | 40 public_slot_.reset(other.public_slot_ ? |
| 41 PK11_ReferenceSlot(other.public_slot_.get()) : | 41 PK11_ReferenceSlot(other.public_slot_.get()) : |
| 42 NULL); | 42 NULL); |
| 43 private_slot_.reset(other.private_slot_ ? | 43 private_slot_.reset(other.private_slot_ ? |
| 44 PK11_ReferenceSlot(other.private_slot_.get()) : | 44 PK11_ReferenceSlot(other.private_slot_.get()) : |
| 45 NULL); | 45 NULL); |
| 46 system_slot_.reset(other.system_slot_ ? |
| 47 PK11_ReferenceSlot(other.system_slot_.get()) : |
| 48 NULL); |
| 46 } | 49 } |
| 47 | 50 |
| 48 NSSProfileFilterChromeOS::~NSSProfileFilterChromeOS() {} | 51 NSSProfileFilterChromeOS::~NSSProfileFilterChromeOS() {} |
| 49 | 52 |
| 50 NSSProfileFilterChromeOS& NSSProfileFilterChromeOS::operator=( | 53 NSSProfileFilterChromeOS& NSSProfileFilterChromeOS::operator=( |
| 51 const NSSProfileFilterChromeOS& other) { | 54 const NSSProfileFilterChromeOS& other) { |
| 52 public_slot_.reset(other.public_slot_ ? | 55 public_slot_.reset(other.public_slot_ ? |
| 53 PK11_ReferenceSlot(other.public_slot_.get()) : | 56 PK11_ReferenceSlot(other.public_slot_.get()) : |
| 54 NULL); | 57 NULL); |
| 55 private_slot_.reset(other.private_slot_ ? | 58 private_slot_.reset(other.private_slot_ ? |
| 56 PK11_ReferenceSlot(other.private_slot_.get()) : | 59 PK11_ReferenceSlot(other.private_slot_.get()) : |
| 57 NULL); | 60 NULL); |
| 61 system_slot_.reset(other.system_slot_ ? |
| 62 PK11_ReferenceSlot(other.system_slot_.get()) : |
| 63 NULL); |
| 58 return *this; | 64 return *this; |
| 59 } | 65 } |
| 60 | 66 |
| 61 void NSSProfileFilterChromeOS::Init(crypto::ScopedPK11Slot public_slot, | 67 void NSSProfileFilterChromeOS::Init(crypto::ScopedPK11Slot public_slot, |
| 62 crypto::ScopedPK11Slot private_slot) { | 68 crypto::ScopedPK11Slot private_slot, |
| 69 crypto::ScopedPK11Slot system_slot) { |
| 63 // crypto::ScopedPK11Slot actually holds a reference counted object. | 70 // crypto::ScopedPK11Slot actually holds a reference counted object. |
| 64 // Because scoped_ptr<T> assignment is a no-op if it already points to | 71 // Because scoped_ptr<T> assignment is a no-op if it already points to |
| 65 // the same pointer, a reference would be leaked because .Pass() does | 72 // the same pointer, a reference would be leaked because .Pass() does |
| 66 // not release its reference, and the receiving object won't free | 73 // not release its reference, and the receiving object won't free |
| 67 // its copy. | 74 // its copy. |
| 68 if (public_slot_.get() != public_slot.get()) | 75 if (public_slot_.get() != public_slot.get()) |
| 69 public_slot_ = public_slot.Pass(); | 76 public_slot_ = public_slot.Pass(); |
| 70 if (private_slot_.get() != private_slot.get()) | 77 if (private_slot_.get() != private_slot.get()) |
| 71 private_slot_ = private_slot.Pass(); | 78 private_slot_ = private_slot.Pass(); |
| 79 if (system_slot_.get() != system_slot.get()) |
| 80 system_slot_ = system_slot.Pass(); |
| 72 } | 81 } |
| 73 | 82 |
| 74 bool NSSProfileFilterChromeOS::IsModuleAllowed(PK11SlotInfo* slot) const { | 83 bool NSSProfileFilterChromeOS::IsModuleAllowed(PK11SlotInfo* slot) const { |
| 75 // If this is one of the public/private slots for this profile, allow it. | 84 // If this is one of the public/private slots for this profile or the system |
| 76 if (slot == public_slot_.get() || slot == private_slot_.get()) | 85 // slot, allow it. |
| 86 if (slot == public_slot_.get() || slot == private_slot_.get() || |
| 87 slot == system_slot_.get()) { |
| 77 return true; | 88 return true; |
| 89 } |
| 78 // Allow the root certs module. | 90 // Allow the root certs module. |
| 79 if (PK11_HasRootCerts(slot)) | 91 if (PK11_HasRootCerts(slot)) |
| 80 return true; | 92 return true; |
| 81 // If it's from the read-only slots, allow it. | 93 // If it's from the read-only slots, allow it. |
| 82 if (PK11_IsInternal(slot) && !PK11_IsRemovable(slot)) | 94 if (PK11_IsInternal(slot) && !PK11_IsRemovable(slot)) |
| 83 return true; | 95 return true; |
| 84 // If |public_slot_| or |private_slot_| is null, there isn't a way to get the | 96 // If |public_slot_| or |private_slot_| is null, there isn't a way to get the |
| 85 // modules to use in the final test. | 97 // modules to use in the final test. |
| 86 if (!public_slot_.get() || !private_slot_.get()) | 98 if (!public_slot_.get() || !private_slot_.get()) |
| 87 return false; | 99 return false; |
| 88 // If this is not the internal (file-system) module or the TPM module, allow | 100 // If this is not the internal (file-system) module or the TPM module, allow |
| 89 // it. | 101 // it. This would allow smartcards/etc, although ChromeOS doesn't currently |
| 102 // support that. (This assumes that private_slot_ and system_slot_ are on the |
| 103 // same module.) |
| 104 DCHECK(!system_slot_.get() || |
| 105 PK11_GetModule(private_slot_.get()) == |
| 106 PK11_GetModule(system_slot_.get())); |
| 90 SECMODModule* module_for_slot = PK11_GetModule(slot); | 107 SECMODModule* module_for_slot = PK11_GetModule(slot); |
| 91 if (module_for_slot != PK11_GetModule(public_slot_.get()) && | 108 if (module_for_slot != PK11_GetModule(public_slot_.get()) && |
| 92 module_for_slot != PK11_GetModule(private_slot_.get())) | 109 module_for_slot != PK11_GetModule(private_slot_.get())) { |
| 93 return true; | 110 return true; |
| 111 } |
| 94 return false; | 112 return false; |
| 95 } | 113 } |
| 96 | 114 |
| 97 bool NSSProfileFilterChromeOS::IsCertAllowed(CERTCertificate* cert) const { | 115 bool NSSProfileFilterChromeOS::IsCertAllowed(CERTCertificate* cert) const { |
| 98 crypto::ScopedPK11SlotList slots_for_cert( | 116 crypto::ScopedPK11SlotList slots_for_cert( |
| 99 PK11_GetAllSlotsForCert(cert, NULL)); | 117 PK11_GetAllSlotsForCert(cert, NULL)); |
| 100 if (!slots_for_cert) { | 118 if (!slots_for_cert) { |
| 101 DVLOG(2) << "cert no slots: " << base::StringPiece(cert->nickname); | 119 DVLOG(2) << "cert no slots: " << base::StringPiece(cert->nickname); |
| 102 return false; | 120 return false; |
| 103 } | 121 } |
| (...skipping 28 matching lines...) Expand all Loading... |
| 132 ModuleNotAllowedForProfilePredicate(const NSSProfileFilterChromeOS& filter) | 150 ModuleNotAllowedForProfilePredicate(const NSSProfileFilterChromeOS& filter) |
| 133 : filter_(filter) {} | 151 : filter_(filter) {} |
| 134 | 152 |
| 135 bool NSSProfileFilterChromeOS::ModuleNotAllowedForProfilePredicate::operator()( | 153 bool NSSProfileFilterChromeOS::ModuleNotAllowedForProfilePredicate::operator()( |
| 136 const scoped_refptr<CryptoModule>& module) const { | 154 const scoped_refptr<CryptoModule>& module) const { |
| 137 return !filter_.IsModuleAllowed(module->os_module_handle()); | 155 return !filter_.IsModuleAllowed(module->os_module_handle()); |
| 138 } | 156 } |
| 139 | 157 |
| 140 } // namespace net | 158 } // namespace net |
| 141 | 159 |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 330213002:
*wip* NSS: handle chromeos system slot. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src