OLD | NEW |
1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/nss_profile_filter_chromeos.h" | 5 #include "net/cert/nss_profile_filter_chromeos.h" |
6 | 6 |
7 #include "base/strings/string_piece.h" | 7 #include "base/strings/string_piece.h" |
8 #include "base/strings/stringprintf.h" | 8 #include "base/strings/stringprintf.h" |
9 #include "net/cert/x509_certificate.h" | 9 #include "net/cert/x509_certificate.h" |
10 | 10 |
(...skipping 25 matching lines...) Expand all Loading... |
36 NSSProfileFilterChromeOS::NSSProfileFilterChromeOS() {} | 36 NSSProfileFilterChromeOS::NSSProfileFilterChromeOS() {} |
37 | 37 |
38 NSSProfileFilterChromeOS::NSSProfileFilterChromeOS( | 38 NSSProfileFilterChromeOS::NSSProfileFilterChromeOS( |
39 const NSSProfileFilterChromeOS& other) { | 39 const NSSProfileFilterChromeOS& other) { |
40 public_slot_.reset(other.public_slot_ ? | 40 public_slot_.reset(other.public_slot_ ? |
41 PK11_ReferenceSlot(other.public_slot_.get()) : | 41 PK11_ReferenceSlot(other.public_slot_.get()) : |
42 NULL); | 42 NULL); |
43 private_slot_.reset(other.private_slot_ ? | 43 private_slot_.reset(other.private_slot_ ? |
44 PK11_ReferenceSlot(other.private_slot_.get()) : | 44 PK11_ReferenceSlot(other.private_slot_.get()) : |
45 NULL); | 45 NULL); |
| 46 system_slot_.reset(other.system_slot_ ? |
| 47 PK11_ReferenceSlot(other.system_slot_.get()) : |
| 48 NULL); |
46 } | 49 } |
47 | 50 |
48 NSSProfileFilterChromeOS::~NSSProfileFilterChromeOS() {} | 51 NSSProfileFilterChromeOS::~NSSProfileFilterChromeOS() {} |
49 | 52 |
50 NSSProfileFilterChromeOS& NSSProfileFilterChromeOS::operator=( | 53 NSSProfileFilterChromeOS& NSSProfileFilterChromeOS::operator=( |
51 const NSSProfileFilterChromeOS& other) { | 54 const NSSProfileFilterChromeOS& other) { |
52 public_slot_.reset(other.public_slot_ ? | 55 public_slot_.reset(other.public_slot_ ? |
53 PK11_ReferenceSlot(other.public_slot_.get()) : | 56 PK11_ReferenceSlot(other.public_slot_.get()) : |
54 NULL); | 57 NULL); |
55 private_slot_.reset(other.private_slot_ ? | 58 private_slot_.reset(other.private_slot_ ? |
56 PK11_ReferenceSlot(other.private_slot_.get()) : | 59 PK11_ReferenceSlot(other.private_slot_.get()) : |
57 NULL); | 60 NULL); |
| 61 system_slot_.reset(other.system_slot_ ? |
| 62 PK11_ReferenceSlot(other.system_slot_.get()) : |
| 63 NULL); |
58 return *this; | 64 return *this; |
59 } | 65 } |
60 | 66 |
61 void NSSProfileFilterChromeOS::Init(crypto::ScopedPK11Slot public_slot, | 67 void NSSProfileFilterChromeOS::Init(crypto::ScopedPK11Slot public_slot, |
62 crypto::ScopedPK11Slot private_slot) { | 68 crypto::ScopedPK11Slot private_slot, |
| 69 crypto::ScopedPK11Slot system_slot) { |
63 // crypto::ScopedPK11Slot actually holds a reference counted object. | 70 // crypto::ScopedPK11Slot actually holds a reference counted object. |
64 // Because scoped_ptr<T> assignment is a no-op if it already points to | 71 // Because scoped_ptr<T> assignment is a no-op if it already points to |
65 // the same pointer, a reference would be leaked because .Pass() does | 72 // the same pointer, a reference would be leaked because .Pass() does |
66 // not release its reference, and the receiving object won't free | 73 // not release its reference, and the receiving object won't free |
67 // its copy. | 74 // its copy. |
68 if (public_slot_.get() != public_slot.get()) | 75 if (public_slot_.get() != public_slot.get()) |
69 public_slot_ = public_slot.Pass(); | 76 public_slot_ = public_slot.Pass(); |
70 if (private_slot_.get() != private_slot.get()) | 77 if (private_slot_.get() != private_slot.get()) |
71 private_slot_ = private_slot.Pass(); | 78 private_slot_ = private_slot.Pass(); |
| 79 if (system_slot_.get() != system_slot.get()) |
| 80 system_slot_ = system_slot.Pass(); |
72 } | 81 } |
73 | 82 |
74 bool NSSProfileFilterChromeOS::IsModuleAllowed(PK11SlotInfo* slot) const { | 83 bool NSSProfileFilterChromeOS::IsModuleAllowed(PK11SlotInfo* slot) const { |
75 // If this is one of the public/private slots for this profile, allow it. | 84 // If this is one of the public/private slots for this profile or the system |
76 if (slot == public_slot_.get() || slot == private_slot_.get()) | 85 // slot, allow it. |
| 86 if (slot == public_slot_.get() || slot == private_slot_.get() || |
| 87 slot == system_slot_.get()) { |
77 return true; | 88 return true; |
| 89 } |
78 // Allow the root certs module. | 90 // Allow the root certs module. |
79 if (PK11_HasRootCerts(slot)) | 91 if (PK11_HasRootCerts(slot)) |
80 return true; | 92 return true; |
81 // If it's from the read-only slots, allow it. | 93 // If it's from the read-only slots, allow it. |
82 if (PK11_IsInternal(slot) && !PK11_IsRemovable(slot)) | 94 if (PK11_IsInternal(slot) && !PK11_IsRemovable(slot)) |
83 return true; | 95 return true; |
84 // If |public_slot_| or |private_slot_| is null, there isn't a way to get the | 96 // If |public_slot_| or |private_slot_| is null, there isn't a way to get the |
85 // modules to use in the final test. | 97 // modules to use in the final test. |
86 if (!public_slot_.get() || !private_slot_.get()) | 98 if (!public_slot_.get() || !private_slot_.get()) |
87 return false; | 99 return false; |
88 // If this is not the internal (file-system) module or the TPM module, allow | 100 // If this is not the internal (file-system) module or the TPM module, allow |
89 // it. | 101 // it. This would allow smartcards/etc, although ChromeOS doesn't currently |
| 102 // support that. (This assumes that private_slot_ and system_slot_ are on the |
| 103 // same module.) |
| 104 DCHECK(!system_slot_.get() || |
| 105 PK11_GetModule(private_slot_.get()) == |
| 106 PK11_GetModule(system_slot_.get())); |
90 SECMODModule* module_for_slot = PK11_GetModule(slot); | 107 SECMODModule* module_for_slot = PK11_GetModule(slot); |
91 if (module_for_slot != PK11_GetModule(public_slot_.get()) && | 108 if (module_for_slot != PK11_GetModule(public_slot_.get()) && |
92 module_for_slot != PK11_GetModule(private_slot_.get())) | 109 module_for_slot != PK11_GetModule(private_slot_.get())) { |
93 return true; | 110 return true; |
| 111 } |
94 return false; | 112 return false; |
95 } | 113 } |
96 | 114 |
97 bool NSSProfileFilterChromeOS::IsCertAllowed(CERTCertificate* cert) const { | 115 bool NSSProfileFilterChromeOS::IsCertAllowed(CERTCertificate* cert) const { |
98 crypto::ScopedPK11SlotList slots_for_cert( | 116 crypto::ScopedPK11SlotList slots_for_cert( |
99 PK11_GetAllSlotsForCert(cert, NULL)); | 117 PK11_GetAllSlotsForCert(cert, NULL)); |
100 if (!slots_for_cert) { | 118 if (!slots_for_cert) { |
101 DVLOG(2) << "cert no slots: " << base::StringPiece(cert->nickname); | 119 DVLOG(2) << "cert no slots: " << base::StringPiece(cert->nickname); |
102 return false; | 120 return false; |
103 } | 121 } |
(...skipping 28 matching lines...) Expand all Loading... |
132 ModuleNotAllowedForProfilePredicate(const NSSProfileFilterChromeOS& filter) | 150 ModuleNotAllowedForProfilePredicate(const NSSProfileFilterChromeOS& filter) |
133 : filter_(filter) {} | 151 : filter_(filter) {} |
134 | 152 |
135 bool NSSProfileFilterChromeOS::ModuleNotAllowedForProfilePredicate::operator()( | 153 bool NSSProfileFilterChromeOS::ModuleNotAllowedForProfilePredicate::operator()( |
136 const scoped_refptr<CryptoModule>& module) const { | 154 const scoped_refptr<CryptoModule>& module) const { |
137 return !filter_.IsModuleAllowed(module->os_module_handle()); | 155 return !filter_.IsModuleAllowed(module->os_module_handle()); |
138 } | 156 } |
139 | 157 |
140 } // namespace net | 158 } // namespace net |
141 | 159 |
OLD | NEW |