// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef CHROMEOS_NETWORK_CLIENT_CERT_UTIL_H_
#define CHROMEOS_NETWORK_CLIENT_CERT_UTIL_H_

#include <string>
#include <vector>

#include "base/memory/ref_counted.h"
#include "chromeos/chromeos_export.h"
#include "chromeos/network/certificate_pattern.h"

namespace base {
class DictionaryValue;
}

namespace net {
struct CertPrincipal;
class X509Certificate;
typedef std::vector<scoped_refptr<X509Certificate> > CertificateList;
}

namespace chromeos {

// Helpers for translating client-certificate settings between ONC network
// configurations and Shill service properties, and for matching certificates
// against a CertificatePattern.
namespace client_cert {

// Identifies which part of a network configuration carries the client
// certificate. Used both as ClientCertConfig::location and as the
// |cert_config_type| argument of the Shill property helpers below, where it
// selects the set of dictionary keys that are read or written.
enum ConfigType {
  CONFIG_TYPE_NONE,     // No client-cert configuration / unknown.
  CONFIG_TYPE_OPENVPN,  // Client cert belongs to an OpenVPN configuration.
  CONFIG_TYPE_IPSEC,    // Client cert belongs to an IPsec configuration.
  CONFIG_TYPE_EAP       // Client cert belongs to an EAP configuration.
};

// Client-certificate settings extracted from an ONC network configuration by
// OncToClientCertConfig().
struct CHROMEOS_EXPORT ClientCertConfig {
  ClientCertConfig();

  // Independent of whether the client cert (pattern or reference) is
  // configured, the location determines whether this network configuration
  // supports client certs and what kind of configuration it requires.
  ConfigType location;

  // One of the ClientCertTypes defined in ONC: kNone, kRef, or kPattern.
  std::string client_cert_type;

  // If |client_cert_type| equals kPattern, this contains the pattern.
  CertificatePattern pattern;
};

// Returns true only if any fields set in this pattern match exactly with
// similar fields in the principal. If organization_ or organizational_unit_
// are set, then at least one of the organizations or units in the principal
// must match.
// NOTE(review): unlike the other helpers this is not CHROMEOS_EXPORT, so it is
// presumably only used inside the component — confirm before calling it from
// outside.
bool CertPrincipalMatches(const IssuerSubjectPattern& pattern,
                          const net::CertPrincipal& principal);

// Returns the PKCS11 and slot ID of |cert_id|, which is expected to be a
// value of the Shill property kEapCertIdProperty or kEapKeyIdProperty, either
// of format "<pkcs11_id>" or "<slot_id>:<pkcs11_id>".
// The returned string is the PKCS11 ID; the slot ID is written to |slot_id|.
// NOTE(review): what |slot_id| receives when |cert_id| carries no
// "<slot_id>:" prefix (or is malformed) is not specified here — confirm
// against the implementation before relying on a sentinel such as -1.
CHROMEOS_EXPORT std::string GetPkcs11AndSlotIdFromEapCertId(
    const std::string& cert_id,
    int* slot_id);

// Reads the client certificate configuration from the Shill Service properties
// |shill_properties|.
// If such a configuration is found, the values |cert_config_type|, |tpm_slot|
// and |pkcs11_id| are filled accordingly. In case of OpenVPN or because the
// property was not set, |tpm_slot| will be set to -1.
// If an error occurred or no client configuration is found, |cert_config_type|
// will be set to CONFIG_TYPE_NONE, |tpm_slot| to -1 and |pkcs11_id| to the
// empty string.
// All three out-parameters are always assigned, so callers need not
// pre-initialize them.
CHROMEOS_EXPORT void GetClientCertFromShillProperties(
    const base::DictionaryValue& shill_properties,
    ConfigType* cert_config_type,
    int* tpm_slot,
    std::string* pkcs11_id);

// Sets the properties of a client cert and the TPM slot that it's contained in.
// |cert_config_type| determines which dictionary entries to set.
// |pkcs11_id| is the PKCS11 object ID (see GetPkcs11AndSlotIdFromEapCertId for
// the wire format used by the EAP properties).
CHROMEOS_EXPORT void SetShillProperties(const ConfigType cert_config_type,
                                        const int tpm_slot,
                                        const std::string& pkcs11_id,
                                        base::DictionaryValue* properties);

// Like SetShillProperties but instead sets the properties to empty strings.
// This should be used to clear previously set client certificate properties.
// Clearing rather than deleting the keys ensures a stale client cert or key ID
// does not remain configured on the service.
CHROMEOS_EXPORT void SetEmptyShillProperties(const ConfigType cert_config_type,
                                             base::DictionaryValue* properties);

// Returns true if all required configuration properties are set and not empty.
// Which properties count as "required" depends on |cert_config_type|.
// NOTE(review): not CHROMEOS_EXPORT — presumably component-internal.
bool IsCertificateConfigured(const client_cert::ConfigType cert_config_type,
                             const base::DictionaryValue& service_properties);

// Determines the type of the CertificatePattern configuration, i.e. is it a
// pattern within an EAP, IPsec or OpenVPN configuration.
// Fills |cert_config| (location, client_cert_type and, for kPattern, the
// pattern) from the ONC |network_config|.
CHROMEOS_EXPORT void OncToClientCertConfig(
    const base::DictionaryValue& network_config,
    ClientCertConfig* cert_config);

}  // namespace client_cert

}  // namespace chromeos

#endif  // CHROMEOS_NETWORK_CLIENT_CERT_UTIL_H_