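// Copyright 2013 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef CHROMEOS_NETWORK_ONC_ONC_CERTIFICATE_IMPORTER_IMPL_H_
#define CHROMEOS_NETWORK_ONC_ONC_CERTIFICATE_IMPORTER_IMPL_H_

#include <map>
#include <string>
#include <vector>

#include "base/basictypes.h"
#include "base/memory/ref_counted.h"
#include "base/memory/scoped_ptr.h"
#include "chromeos/chromeos_export.h"
#include "chromeos/network/onc/onc_certificate_importer.h"
#include "components/onc/onc_constants.h"

namespace base {
class DictionaryValue;
class ListValue;
}

namespace net {
class NSSCertDatabase;
class X509Certificate;
typedef std::vector<scoped_refptr<X509Certificate> > CertificateList;
}

namespace chromeos {
namespace onc {

// This class handles certificate imports from ONC (both policy and user
// imports) into the certificate store. The GUID of Client certificates is
// stored together with the certificate as Nickname. In contrast, Server and CA
// certificates are identified by their PEM and not by GUID.
//
// Security note: importing a Server or CA certificate does NOT grant it web
// trust by itself. Web trust is only applied when the ONC entry requests the
// TrustBits attribute "Web" AND the caller grants |allow_trust_imports| (see
// ParseServerOrCaCertificate below); otherwise the attribute is ignored.
// Callers deciding |allow_trust_imports| from the ONC source should treat it
// as the gate that keeps untrusted ONC from installing trusted roots.
//
// TODO(pneubeck): Replace Nickname by PEM for Client
// certificates. http://crbug.com/252119
class CHROMEOS_EXPORT CertificateImporterImpl : public CertificateImporter {
 public:
  // Maps an ONC certificate GUID to the certificate that was imported for it.
  typedef std::map<std::string, scoped_refptr<net::X509Certificate> >
      CertsByGUID;

  // |target_nssdb| is the certificate database that all imports go to. It is
  // not owned; the caller must keep it alive for the lifetime of this object.
  // (The parameter was previously spelled |target_nssdb_|, which is the member
  // naming convention; C++ callers are unaffected by the rename.)
  explicit CertificateImporterImpl(net::NSSCertDatabase* target_nssdb);

  // CertificateImporter overrides
  //
  // Imports every entry of |certificates|. |source| identifies where the ONC
  // came from (policy or user). If |onc_trusted_certificates| is not NULL, the
  // certificates that were granted web trust are appended to it. Returns
  // whether the import succeeded.
  virtual bool ImportCertificates(
      const base::ListValue& certificates,
      ::onc::ONCSource source,
      net::CertificateList* onc_trusted_certificates) OVERRIDE;

  // This implements ImportCertificates. Additionally, if
  // |imported_server_and_ca_certs| is not NULL, it will be filled with the
  // (GUID, Certificate) pairs of all successfully imported Server and CA
  // certificates. |allow_trust_imports| is the only switch that permits a
  // Server/CA certificate to receive web trust; pass false unless the ONC is
  // from a source entitled to install trusted roots. Returns whether the
  // import succeeded.
  bool ParseAndStoreCertificates(bool allow_trust_imports,
                                 const base::ListValue& onc_certificates,
                                 net::CertificateList* onc_trusted_certificates,
                                 CertsByGUID* imported_server_and_ca_certs);

 private:
  // Lists the certificates that have the string |label| as their certificate
  // nickname (exact match) in |target_nssdb|, appending them to |result|.
  static void ListCertsWithNickname(const std::string& label,
                                    net::CertificateList* result,
                                    net::NSSCertDatabase* target_nssdb);

  // Deletes any certificate that has the string |label| as its nickname (exact
  // match), together with its key, from |target_nssdb|. Returns whether the
  // deletion succeeded.
  // NOTE(review): deletion is keyed solely on the nickname string, so any
  // pre-existing certificate whose nickname happens to equal an ONC GUID
  // would be removed as well - confirm callers guarantee GUIDs are unique
  // within the store.
  static bool DeleteCertAndKeyByNickname(const std::string& label,
                                         net::NSSCertDatabase* target_nssdb);

  // Parses and stores/removes |certificate| in/from the certificate
  // store. Returns true if the operation succeeded. Dispatches to
  // ParseServerOrCaCertificate or ParseClientCertificate depending on the
  // entry's type.
  bool ParseAndStoreCertificate(
      bool allow_trust_imports,
      const base::DictionaryValue& certificate,
      net::CertificateList* onc_trusted_certificates,
      CertsByGUID* imported_server_and_ca_certs);

  // Imports the Server or CA certificate |certificate|. Web trust is only
  // applied if the certificate requests the TrustBits attribute "Web" and if
  // the |allow_trust_imports| permission is granted, otherwise the attribute is
  // ignored. |cert_type| is the ONC certificate type of the entry and |guid|
  // its GUID. Returns true if the import succeeded.
  bool ParseServerOrCaCertificate(
      bool allow_trust_imports,
      const std::string& cert_type,
      const std::string& guid,
      const base::DictionaryValue& certificate,
      net::CertificateList* onc_trusted_certificates,
      CertsByGUID* imported_server_and_ca_certs);

  // Imports the Client certificate |certificate|, identified in the store by
  // |guid| used as its nickname (see the class comment). Returns true if the
  // import succeeded. Client certificates never receive web trust.
  bool ParseClientCertificate(const std::string& guid,
                              const base::DictionaryValue& certificate);

  // The certificate database to which certificates are imported. Not owned.
  net::NSSCertDatabase* target_nssdb_;

  DISALLOW_COPY_AND_ASSIGN(CertificateImporterImpl);
};

}  // namespace onc
}  // namespace chromeos

#endif  // CHROMEOS_NETWORK_ONC_ONC_CERTIFICATE_IMPORTER_IMPL_H_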