1// Copyright 2014 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#ifndef CHROME_BROWSER_CHROMEOS_NET_CERT_VERIFY_PROC_CHROMEOS_H_
6#define CHROME_BROWSER_CHROMEOS_NET_CERT_VERIFY_PROC_CHROMEOS_H_
7
8#include "crypto/scoped_nss_types.h"
9#include "net/cert/cert_verify_proc_nss.h"
10#include "net/cert/nss_profile_filter_chromeos.h"
11
12namespace chromeos {
13
14// Wrapper around CertVerifyProcNSS which allows filtering trust decisions on a
15// per-slot basis.
16//
17// Note that only the simple case is currently handled (if a slot contains a new
18// trust root, that root should not be trusted by CertVerifyProcChromeOS
19// instances using other slots). More complicated cases are not handled (like
20// two slots adding the same root cert but with different trust values).
21class CertVerifyProcChromeOS : public net::CertVerifyProcNSS {
22 public:
23  // Creates a CertVerifyProc that doesn't allow any user-provided trust roots.
24  CertVerifyProcChromeOS();
25
26  // Creates a CertVerifyProc that doesn't allow trust roots provided by
27  // users other than the specified slot.
28  explicit CertVerifyProcChromeOS(crypto::ScopedPK11Slot public_slot);
29
30 protected:
31  virtual ~CertVerifyProcChromeOS();
32
33 private:
34  // net::CertVerifyProcNSS implementation:
35  virtual int VerifyInternal(
36      net::X509Certificate* cert,
37      const std::string& hostname,
38      int flags,
39      net::CRLSet* crl_set,
40      const net::CertificateList& additional_trust_anchors,
41      net::CertVerifyResult* verify_result) OVERRIDE;
42
43  // Check if the trust root of |current_chain| is allowed.
44  // |is_chain_valid_arg| is actually a ChainVerifyArgs*, which is used to pass
45  // state through the NSS CERTChainVerifyCallback.isChainValidArg parameter.
46  // If the chain is allowed, |*chain_ok| will be set to PR_TRUE.
47  // If the chain is not allowed, |*chain_ok| is set to PR_FALSE, and this
48  // function may be called again during a single certificate verification if
49  // there are multiple possible valid chains.
50  static SECStatus IsChainValidFunc(void* is_chain_valid_arg,
51                                    const CERTCertList* current_chain,
52                                    PRBool* chain_ok);
53
54  net::NSSProfileFilterChromeOS profile_filter_;
55};
56
57}  // namespace chromeos
58
59#endif  // CHROME_BROWSER_CHROMEOS_NET_CERT_VERIFY_PROC_CHROMEOS_H_
60