1// Copyright (c) 2012 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#ifndef CHROME_BROWSER_CERTIFICATE_MANAGER_MODEL_H_
6#define CHROME_BROWSER_CERTIFICATE_MANAGER_MODEL_H_
7
8#include <map>
9#include <string>
10
11#include "base/memory/ref_counted.h"
12#include "base/strings/string16.h"
13#include "net/cert/nss_cert_database.h"
14
15// CertificateManagerModel provides the data to be displayed in the certificate
16// manager dialog, and processes changes from the view.
17class CertificateManagerModel {
18 public:
19  // Map from the subject organization name to the list of certs from that
20  // organization.  If a cert does not have an organization name, the
21  // subject's CertPrincipal::GetDisplayName() value is used instead.
22  typedef std::map<std::string, net::CertificateList> OrgGroupingMap;
23
24  // Enumeration of the possible columns in the certificate manager tree view.
25  enum Column {
26    COL_SUBJECT_NAME,
27    COL_CERTIFICATE_STORE,
28    COL_SERIAL_NUMBER,
29    COL_EXPIRES_ON,
30  };
31
32  class Observer {
33   public:
34    // Called to notify the view that the certificate list has been refreshed.
35    // TODO(mattm): do a more granular updating strategy?  Maybe retrieve new
36    // list of certs, diff against past list, and then notify of the changes?
37    virtual void CertificatesRefreshed() = 0;
38  };
39
40  explicit CertificateManagerModel(Observer* observer);
41  ~CertificateManagerModel();
42
43  // Accessor for read-only access to the underlying NSSCertDatabase.
44  const net::NSSCertDatabase* cert_db() const { return cert_db_; }
45
46  // Trigger a refresh of the list of certs, unlock any slots if necessary.
47  // Following this call, the observer CertificatesRefreshed method will be
48  // called so the view can call FilterAndBuildOrgGroupingMap as necessary to
49  // refresh its tree views.
50  void Refresh();
51
52  // Fill |map| with the certificates matching |filter_type|.
53  void FilterAndBuildOrgGroupingMap(net::CertType filter_type,
54                                    OrgGroupingMap* map) const;
55
56  // Get the data to be displayed in |column| for the given |cert|.
57  string16 GetColumnText(const net::X509Certificate& cert, Column column) const;
58
59  // Import private keys and certificates from PKCS #12 encoded
60  // |data|, using the given |password|. If |is_extractable| is false,
61  // mark the private key as unextractable from the module.
62  // Returns a net error code on failure.
63  int ImportFromPKCS12(net::CryptoModule* module, const std::string& data,
64                       const string16& password, bool is_extractable);
65
66  // Import CA certificates.
67  // Tries to import all the certificates given.  The root will be trusted
68  // according to |trust_bits|.  Any certificates that could not be imported
69  // will be listed in |not_imported|.
70  // |trust_bits| should be a bit field of TRUST* values from NSSCertDatabase.
71  // Returns false if there is an internal error, otherwise true is returned and
72  // |not_imported| should be checked for any certificates that were not
73  // imported.
74  bool ImportCACerts(const net::CertificateList& certificates,
75                     net::NSSCertDatabase::TrustBits trust_bits,
76                     net::NSSCertDatabase::ImportCertFailureList* not_imported);
77
78  // Import server certificate.  The first cert should be the server cert.  Any
79  // additional certs should be intermediate/CA certs and will be imported but
80  // not given any trust.
81  // Any certificates that could not be imported will be listed in
82  // |not_imported|.
83  // |trust_bits| can be set to explicitly trust or distrust the certificate, or
84  // use TRUST_DEFAULT to inherit trust as normal.
85  // Returns false if there is an internal error, otherwise true is returned and
86  // |not_imported| should be checked for any certificates that were not
87  // imported.
88  bool ImportServerCert(
89      const net::CertificateList& certificates,
90      net::NSSCertDatabase::TrustBits trust_bits,
91      net::NSSCertDatabase::ImportCertFailureList* not_imported);
92
93  // Set trust values for certificate.
94  // |trust_bits| should be a bit field of TRUST* values from NSSCertDatabase.
95  // Returns true on success or false on failure.
96  bool SetCertTrust(const net::X509Certificate* cert,
97                    net::CertType type,
98                    net::NSSCertDatabase::TrustBits trust_bits);
99
100  // Delete the cert.  Returns true on success.  |cert| is still valid when this
101  // function returns.
102  bool Delete(net::X509Certificate* cert);
103
104  // IsHardwareBacked returns true if |cert| is hardware backed.
105  // This function is only implemented for Chrome OS and always returns false
106  // for other platforms.
107  bool IsHardwareBacked(const net::X509Certificate* cert) const;
108
109 private:
110  // Callback used by Refresh() for when the cert slots have been unlocked.
111  // This method does the actual refreshing.
112  void RefreshSlotsUnlocked();
113
114  net::NSSCertDatabase* cert_db_;
115  net::CertificateList cert_list_;
116
117  // The observer to notify when certificate list is refreshed.
118  Observer* observer_;
119
120  DISALLOW_COPY_AND_ASSIGN(CertificateManagerModel);
121};
122
123#endif  // CHROME_BROWSER_CERTIFICATE_MANAGER_MODEL_H_
124