Home | History | Annotate | Download | only in net 
      1 // Copyright 2014 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #ifndef CHROME_BROWSER_CHROMEOS_NET_CERT_VERIFY_PROC_CHROMEOS_H_
      6 #define CHROME_BROWSER_CHROMEOS_NET_CERT_VERIFY_PROC_CHROMEOS_H_
      7 
      8 #include "crypto/scoped_nss_types.h"
      9 #include "net/cert/cert_verify_proc_nss.h"
     10 #include "net/cert/nss_profile_filter_chromeos.h"
     11 
     12 namespace chromeos {
     13 
     14 // Wrapper around CertVerifyProcNSS which allows filtering trust decisions on a
     15 // per-slot basis.
     16 //
     17 // Note that only the simple case is currently handled (if a slot contains a new
     18 // trust root, that root should not be trusted by CertVerifyProcChromeOS
     19 // instances using other slots). More complicated cases are not handled (like
     20 // two slots adding the same root cert but with different trust values).
     21 class CertVerifyProcChromeOS : public net::CertVerifyProcNSS {
     22  public:
     23   // Creates a CertVerifyProc that doesn't allow any user-provided trust roots.
     24   CertVerifyProcChromeOS();
     25 
     26   // Creates a CertVerifyProc that doesn't allow trust roots provided by
     27   // users other than the specified slot.
     28   explicit CertVerifyProcChromeOS(crypto::ScopedPK11Slot public_slot);
     29 
     30  protected:
     31   virtual ~CertVerifyProcChromeOS();
     32 
     33  private:
     34   // net::CertVerifyProcNSS implementation:
     35   virtual int VerifyInternal(
     36       net::X509Certificate* cert,
     37       const std::string& hostname,
     38       int flags,
     39       net::CRLSet* crl_set,
     40       const net::CertificateList& additional_trust_anchors,
     41       net::CertVerifyResult* verify_result) OVERRIDE;
     42 
     43   // Check if the trust root of |current_chain| is allowed.
     44   // |is_chain_valid_arg| is actually a ChainVerifyArgs*, which is used to pass
     45   // state through the NSS CERTChainVerifyCallback.isChainValidArg parameter.
     46   // If the chain is allowed, |*chain_ok| will be set to PR_TRUE.
     47   // If the chain is not allowed, |*chain_ok| is set to PR_FALSE, and this
     48   // function may be called again during a single certificate verification if
     49   // there are multiple possible valid chains.
     50   static SECStatus IsChainValidFunc(void* is_chain_valid_arg,
     51                                     const CERTCertList* current_chain,
     52                                     PRBool* chain_ok);
     53 
     54   net::NSSProfileFilterChromeOS profile_filter_;
     55 };
     56 
     57 }  // namespace chromeos
     58 
     59 #endif  // CHROME_BROWSER_CHROMEOS_NET_CERT_VERIFY_PROC_CHROMEOS_H_
     60