1 // Copyright 2014 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef CHROME_BROWSER_CHROMEOS_NET_CERT_VERIFY_PROC_CHROMEOS_H_ 6 #define CHROME_BROWSER_CHROMEOS_NET_CERT_VERIFY_PROC_CHROMEOS_H_ 7 8 #include "crypto/scoped_nss_types.h" 9 #include "net/cert/cert_verify_proc_nss.h" 10 #include "net/cert/nss_profile_filter_chromeos.h" 11 12 namespace chromeos { 13 14 // Wrapper around CertVerifyProcNSS which allows filtering trust decisions on a 15 // per-slot basis. 16 // 17 // Note that only the simple case is currently handled (if a slot contains a new 18 // trust root, that root should not be trusted by CertVerifyProcChromeOS 19 // instances using other slots). More complicated cases are not handled (like 20 // two slots adding the same root cert but with different trust values). 21 class CertVerifyProcChromeOS : public net::CertVerifyProcNSS { 22 public: 23 // Creates a CertVerifyProc that doesn't allow any user-provided trust roots. 24 CertVerifyProcChromeOS(); 25 26 // Creates a CertVerifyProc that doesn't allow trust roots provided by 27 // users other than the specified slot. 28 explicit CertVerifyProcChromeOS(crypto::ScopedPK11Slot public_slot); 29 30 protected: 31 virtual ~CertVerifyProcChromeOS(); 32 33 private: 34 // net::CertVerifyProcNSS implementation: 35 virtual int VerifyInternal( 36 net::X509Certificate* cert, 37 const std::string& hostname, 38 int flags, 39 net::CRLSet* crl_set, 40 const net::CertificateList& additional_trust_anchors, 41 net::CertVerifyResult* verify_result) OVERRIDE; 42 43 // Check if the trust root of |current_chain| is allowed. 44 // |is_chain_valid_arg| is actually a ChainVerifyArgs*, which is used to pass 45 // state through the NSS CERTChainVerifyCallback.isChainValidArg parameter. 46 // If the chain is allowed, |*chain_ok| will be set to PR_TRUE. 47 // If the chain is not allowed, |*chain_ok| is set to PR_FALSE, and this 48 // function may be called again during a single certificate verification if 49 // there are multiple possible valid chains. 50 static SECStatus IsChainValidFunc(void* is_chain_valid_arg, 51 const CERTCertList* current_chain, 52 PRBool* chain_ok); 53 54 net::NSSProfileFilterChromeOS profile_filter_; 55 }; 56 57 } // namespace chromeos 58 59 #endif // CHROME_BROWSER_CHROMEOS_NET_CERT_VERIFY_PROC_CHROMEOS_H_ 60