1// Copyright 2014 The Chromium Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style license that can be 3// found in the LICENSE file. 4 5#ifndef CHROME_BROWSER_CHROMEOS_NET_CERT_VERIFY_PROC_CHROMEOS_H_ 6#define CHROME_BROWSER_CHROMEOS_NET_CERT_VERIFY_PROC_CHROMEOS_H_ 7 8#include "crypto/scoped_nss_types.h" 9#include "net/cert/cert_verify_proc_nss.h" 10#include "net/cert/nss_profile_filter_chromeos.h" 11 12namespace chromeos { 13 14// Wrapper around CertVerifyProcNSS which allows filtering trust decisions on a 15// per-slot basis. 16// 17// Note that only the simple case is currently handled (if a slot contains a new 18// trust root, that root should not be trusted by CertVerifyProcChromeOS 19// instances using other slots). More complicated cases are not handled (like 20// two slots adding the same root cert but with different trust values). 21class CertVerifyProcChromeOS : public net::CertVerifyProcNSS { 22 public: 23 // Creates a CertVerifyProc that doesn't allow any user-provided trust roots. 24 CertVerifyProcChromeOS(); 25 26 // Creates a CertVerifyProc that doesn't allow trust roots provided by 27 // users other than the specified slot. 28 explicit CertVerifyProcChromeOS(crypto::ScopedPK11Slot public_slot); 29 30 protected: 31 virtual ~CertVerifyProcChromeOS(); 32 33 private: 34 // net::CertVerifyProcNSS implementation: 35 virtual int VerifyInternal( 36 net::X509Certificate* cert, 37 const std::string& hostname, 38 int flags, 39 net::CRLSet* crl_set, 40 const net::CertificateList& additional_trust_anchors, 41 net::CertVerifyResult* verify_result) OVERRIDE; 42 43 // Check if the trust root of |current_chain| is allowed. 44 // |is_chain_valid_arg| is actually a ChainVerifyArgs*, which is used to pass 45 // state through the NSS CERTChainVerifyCallback.isChainValidArg parameter. 46 // If the chain is allowed, |*chain_ok| will be set to PR_TRUE. 47 // If the chain is not allowed, |*chain_ok| is set to PR_FALSE, and this 48 // function may be called again during a single certificate verification if 49 // there are multiple possible valid chains. 50 static SECStatus IsChainValidFunc(void* is_chain_valid_arg, 51 const CERTCertList* current_chain, 52 PRBool* chain_ok); 53 54 net::NSSProfileFilterChromeOS profile_filter_; 55}; 56 57} // namespace chromeos 58 59#endif // CHROME_BROWSER_CHROMEOS_NET_CERT_VERIFY_PROC_CHROMEOS_H_ 60