OLD | NEW |
1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/nss_profile_filter_chromeos.h" | 5 #include "net/cert/nss_profile_filter_chromeos.h" |
6 | 6 |
7 #include "base/strings/string_piece.h" | 7 #include "base/strings/string_piece.h" |
8 #include "base/strings/stringprintf.h" | 8 #include "base/strings/stringprintf.h" |
9 #include "net/cert/x509_certificate.h" | 9 #include "net/cert/x509_certificate.h" |
10 | 10 |
(...skipping 25 matching lines...) Expand all Loading... |
36 NSSProfileFilterChromeOS::NSSProfileFilterChromeOS() {} | 36 NSSProfileFilterChromeOS::NSSProfileFilterChromeOS() {} |
37 | 37 |
38 NSSProfileFilterChromeOS::NSSProfileFilterChromeOS( | 38 NSSProfileFilterChromeOS::NSSProfileFilterChromeOS( |
39 const NSSProfileFilterChromeOS& other) { | 39 const NSSProfileFilterChromeOS& other) { |
40 public_slot_.reset(other.public_slot_ ? | 40 public_slot_.reset(other.public_slot_ ? |
41 PK11_ReferenceSlot(other.public_slot_.get()) : | 41 PK11_ReferenceSlot(other.public_slot_.get()) : |
42 NULL); | 42 NULL); |
43 private_slot_.reset(other.private_slot_ ? | 43 private_slot_.reset(other.private_slot_ ? |
44 PK11_ReferenceSlot(other.private_slot_.get()) : | 44 PK11_ReferenceSlot(other.private_slot_.get()) : |
45 NULL); | 45 NULL); |
| 46 system_slot_.reset( |
| 47 other.system_slot_ ? PK11_ReferenceSlot(other.system_slot_.get()) : NULL); |
46 } | 48 } |
47 | 49 |
48 NSSProfileFilterChromeOS::~NSSProfileFilterChromeOS() {} | 50 NSSProfileFilterChromeOS::~NSSProfileFilterChromeOS() {} |
49 | 51 |
50 NSSProfileFilterChromeOS& NSSProfileFilterChromeOS::operator=( | 52 NSSProfileFilterChromeOS& NSSProfileFilterChromeOS::operator=( |
51 const NSSProfileFilterChromeOS& other) { | 53 const NSSProfileFilterChromeOS& other) { |
52 public_slot_.reset(other.public_slot_ ? | 54 public_slot_.reset(other.public_slot_ ? |
53 PK11_ReferenceSlot(other.public_slot_.get()) : | 55 PK11_ReferenceSlot(other.public_slot_.get()) : |
54 NULL); | 56 NULL); |
55 private_slot_.reset(other.private_slot_ ? | 57 private_slot_.reset(other.private_slot_ ? |
56 PK11_ReferenceSlot(other.private_slot_.get()) : | 58 PK11_ReferenceSlot(other.private_slot_.get()) : |
57 NULL); | 59 NULL); |
| 60 system_slot_.reset( |
| 61 other.system_slot_ ? PK11_ReferenceSlot(other.system_slot_.get()) : NULL); |
58 return *this; | 62 return *this; |
59 } | 63 } |
60 | 64 |
61 void NSSProfileFilterChromeOS::Init(crypto::ScopedPK11Slot public_slot, | 65 void NSSProfileFilterChromeOS::Init(crypto::ScopedPK11Slot public_slot, |
62 crypto::ScopedPK11Slot private_slot) { | 66 crypto::ScopedPK11Slot private_slot, |
| 67 crypto::ScopedPK11Slot system_slot) { |
63 // crypto::ScopedPK11Slot actually holds a reference counted object. | 68 // crypto::ScopedPK11Slot actually holds a reference counted object. |
64 // Because scoped_ptr<T> assignment is a no-op if it already points to | 69 // Because scoped_ptr<T> assignment is a no-op if it already points to |
65 // the same pointer, a reference would be leaked because .Pass() does | 70 // the same pointer, a reference would be leaked because .Pass() does |
66 // not release its reference, and the receiving object won't free | 71 // not release its reference, and the receiving object won't free |
67 // its copy. | 72 // its copy. |
68 if (public_slot_.get() != public_slot.get()) | 73 if (public_slot_.get() != public_slot.get()) |
69 public_slot_ = public_slot.Pass(); | 74 public_slot_ = public_slot.Pass(); |
70 if (private_slot_.get() != private_slot.get()) | 75 if (private_slot_.get() != private_slot.get()) |
71 private_slot_ = private_slot.Pass(); | 76 private_slot_ = private_slot.Pass(); |
| 77 if (system_slot_.get() != system_slot.get()) |
| 78 system_slot_ = system_slot.Pass(); |
72 } | 79 } |
73 | 80 |
74 bool NSSProfileFilterChromeOS::IsModuleAllowed(PK11SlotInfo* slot) const { | 81 bool NSSProfileFilterChromeOS::IsModuleAllowed(PK11SlotInfo* slot) const { |
75 // If this is one of the public/private slots for this profile, allow it. | 82 // If this is one of the public/private slots for this profile or the system |
76 if (slot == public_slot_.get() || slot == private_slot_.get()) | 83 // slot, allow it. |
| 84 if (slot == public_slot_.get() || slot == private_slot_.get() || |
| 85 slot == system_slot_.get()) { |
77 return true; | 86 return true; |
| 87 } |
78 // Allow the root certs module. | 88 // Allow the root certs module. |
79 if (PK11_HasRootCerts(slot)) | 89 if (PK11_HasRootCerts(slot)) |
80 return true; | 90 return true; |
81 // If it's from the read-only slots, allow it. | 91 // If it's from the read-only slots, allow it. |
82 if (PK11_IsInternal(slot) && !PK11_IsRemovable(slot)) | 92 if (PK11_IsInternal(slot) && !PK11_IsRemovable(slot)) |
83 return true; | 93 return true; |
84 // If |public_slot_| or |private_slot_| is null, there isn't a way to get the | 94 // If |public_slot_| or |private_slot_| is null, there isn't a way to get the |
85 // modules to use in the final test. | 95 // modules to use in the final test. |
86 if (!public_slot_.get() || !private_slot_.get()) | 96 if (!public_slot_.get() || !private_slot_.get()) |
87 return false; | 97 return false; |
88 // If this is not the internal (file-system) module or the TPM module, allow | 98 // If this is not the internal (file-system) module or the TPM module, allow |
89 // it. | 99 // it. This would allow smartcards/etc, although ChromeOS doesn't currently |
| 100 // support that. (This assumes that private_slot_ and system_slot_ are on the |
| 101 // same module.) |
| 102 DCHECK(!system_slot_.get() || |
| 103 PK11_GetModule(private_slot_.get()) == |
| 104 PK11_GetModule(system_slot_.get())); |
90 SECMODModule* module_for_slot = PK11_GetModule(slot); | 105 SECMODModule* module_for_slot = PK11_GetModule(slot); |
91 if (module_for_slot != PK11_GetModule(public_slot_.get()) && | 106 if (module_for_slot != PK11_GetModule(public_slot_.get()) && |
92 module_for_slot != PK11_GetModule(private_slot_.get())) | 107 module_for_slot != PK11_GetModule(private_slot_.get())) { |
93 return true; | 108 return true; |
| 109 } |
94 return false; | 110 return false; |
95 } | 111 } |
96 | 112 |
97 bool NSSProfileFilterChromeOS::IsCertAllowed(CERTCertificate* cert) const { | 113 bool NSSProfileFilterChromeOS::IsCertAllowed(CERTCertificate* cert) const { |
98 crypto::ScopedPK11SlotList slots_for_cert( | 114 crypto::ScopedPK11SlotList slots_for_cert( |
99 PK11_GetAllSlotsForCert(cert, NULL)); | 115 PK11_GetAllSlotsForCert(cert, NULL)); |
100 if (!slots_for_cert) { | 116 if (!slots_for_cert) { |
101 DVLOG(2) << "cert no slots: " << base::StringPiece(cert->nickname); | 117 DVLOG(2) << "cert no slots: " << base::StringPiece(cert->nickname); |
102 return false; | 118 return false; |
103 } | 119 } |
(...skipping 28 matching lines...) Expand all Loading... |
132 ModuleNotAllowedForProfilePredicate(const NSSProfileFilterChromeOS& filter) | 148 ModuleNotAllowedForProfilePredicate(const NSSProfileFilterChromeOS& filter) |
133 : filter_(filter) {} | 149 : filter_(filter) {} |
134 | 150 |
135 bool NSSProfileFilterChromeOS::ModuleNotAllowedForProfilePredicate::operator()( | 151 bool NSSProfileFilterChromeOS::ModuleNotAllowedForProfilePredicate::operator()( |
136 const scoped_refptr<CryptoModule>& module) const { | 152 const scoped_refptr<CryptoModule>& module) const { |
137 return !filter_.IsModuleAllowed(module->os_module_handle()); | 153 return !filter_.IsModuleAllowed(module->os_module_handle()); |
138 } | 154 } |
139 | 155 |
140 } // namespace net | 156 } // namespace net |
141 | 157 |
OLD | NEW |