1// Copyright (c) 2012 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#ifndef CHROMEOS_NETWORK_CLIENT_CERT_UTIL_H_
6#define CHROMEOS_NETWORK_CLIENT_CERT_UTIL_H_
7
8#include <string>
9#include <vector>
10
11#include "base/memory/ref_counted.h"
12#include "chromeos/chromeos_export.h"
13#include "chromeos/network/certificate_pattern.h"
14
namespace base {
// Forward declaration only: the declarations below take DictionaryValue by
// reference or pointer, so the full definition is not needed here.
class DictionaryValue;
}
18
namespace net {
// Forward declarations: CertPrincipal is only used by reference below.
struct CertPrincipal;
class X509Certificate;
// NOTE(review): CertificateList is not referenced by any declaration in this
// header; presumably kept for includers of this header. It must stay in sync
// with net's own definition of the same typedef — confirm.
typedef std::vector<scoped_refptr<X509Certificate> > CertificateList;
}
24
25namespace chromeos {
26
27namespace client_cert {
28
// Identifies which part of a network configuration holds (or would hold) the
// client certificate settings. CONFIG_TYPE_NONE is also the value reported by
// GetClientCertFromShillProperties when no client configuration is found or an
// error occurred, so callers must treat it as "no usable client cert".
enum ConfigType {
  CONFIG_TYPE_NONE,     // No client certificate configuration.
  CONFIG_TYPE_OPENVPN,  // Client cert settings live in an OpenVPN config.
  CONFIG_TYPE_IPSEC,    // Client cert settings live in an IPsec config.
  CONFIG_TYPE_EAP       // Client cert settings live in an EAP config.
};
35
// Client certificate settings as extracted from an ONC network configuration
// (see OncToClientCertConfig).
struct CHROMEOS_EXPORT ClientCertConfig {
  // Default constructor. The initial field values are defined in the
  // implementation file; presumably |location| starts as CONFIG_TYPE_NONE
  // and |client_cert_type| empty — confirm there.
  ClientCertConfig();

  // Independent of whether the client cert (pattern or reference) is
  // configured, the location determines whether this network configuration
  // supports client certs and what kind of configuration it requires.
  ConfigType location;

  // One of the ClientCertTypes defined in ONC: kNone, kRef, or kPattern.
  std::string client_cert_type;

  // If |client_cert_type| equals kPattern, this contains the pattern.
  // For any other |client_cert_type| the pattern is not meaningful and
  // should be ignored by readers.
  CertificatePattern pattern;
};
50
// Returns true only if any fields set in this pattern match exactly with
// similar fields in the principal.  If organization_ or organizational_unit_
// are set, then at least one of the organizations or units in the principal
// must match.
// NOTE(review): by this contract a pattern with no fields set places no
// constraint on the principal and so matches every principal; callers must
// not rely on this function alone to select a certificate — confirm against
// the implementation. Not CHROMEOS_EXPORT'ed, unlike the helpers below;
// presumably only used inside this component.
bool CertPrincipalMatches(const IssuerSubjectPattern& pattern,
                          const net::CertPrincipal& principal);
57
// Returns the PKCS11 ID of |cert_id| and writes its slot ID to |*slot_id|.
// |cert_id| is expected to be a value of the Shill property kEapCertIdProperty
// or kEapKeyIdProperty, either of format "<pkcs11_id>" or
// "<slot_id>:<pkcs11_id>". What |*slot_id| receives when the "<slot_id>:"
// prefix is absent is defined in the implementation — presumably -1, matching
// the convention of GetClientCertFromShillProperties; confirm there.
// |slot_id| presumably must be non-null — confirm.
CHROMEOS_EXPORT std::string GetPkcs11AndSlotIdFromEapCertId(
    const std::string& cert_id,
    int* slot_id);
64
// Reads the client certificate configuration from the Shill Service properties
// |shill_properties|.
// If such a configuration is found, the values |cert_config_type|, |tpm_slot|
// and |pkcs11_id| are filled accordingly. In case of OpenVPN or because the
// property was not set, |tpm_slot| will be set to -1.
// If an error occurred or no client configuration is found, |cert_config_type|
// will be set to CONFIG_TYPE_NONE, |tpm_slot| to -1 and |pkcs11_id| to the
// empty string. Callers should therefore check |*cert_config_type| before
// using the other outputs; an "error" and "not configured" are reported the
// same way.
// All three output pointers presumably must be non-null — confirm.
CHROMEOS_EXPORT void GetClientCertFromShillProperties(
    const base::DictionaryValue& shill_properties,
    ConfigType* cert_config_type,
    int* tpm_slot,
    std::string* pkcs11_id);
78
// Sets the properties of a client cert and the TPM slot that it's contained in.
// |cert_config_type| determines which dictionary entries to set.
// |tpm_slot| and |pkcs11_id| are the values previously obtained from
// GetClientCertFromShillProperties (or equivalent); |properties| is the Shill
// dictionary to modify and presumably must be non-null — confirm.
// How CONFIG_TYPE_NONE is handled (no entries set, or an error) is defined in
// the implementation — confirm there.
CHROMEOS_EXPORT void SetShillProperties(const ConfigType cert_config_type,
                                        const int tpm_slot,
                                        const std::string& pkcs11_id,
                                        base::DictionaryValue* properties);
85
// Like SetShillProperties but instead sets the properties to empty strings.
// This should be used to clear previously set client certificate properties.
// Note that this sets the entries to empty strings rather than removing them;
// IsCertificateConfigured treats empty values as "not configured".
CHROMEOS_EXPORT void SetEmptyShillProperties(const ConfigType cert_config_type,
                                             base::DictionaryValue* properties);
90
// Returns true if all required configuration properties are set and not empty.
// Which properties are required is determined by |cert_config_type|. This is
// a presence check only: a true result does not mean that the referenced
// certificate exists in the slot or is usable.
// Not CHROMEOS_EXPORT'ed, unlike the neighbouring helpers; presumably only
// used inside this component.
bool IsCertificateConfigured(const client_cert::ConfigType cert_config_type,
                             const base::DictionaryValue& service_properties);
94
// Fills |cert_config| from the ONC network configuration |network_config|.
// Determines the type of the CertificatePattern configuration, i.e. is it a
// pattern within an EAP, IPsec or OpenVPN configuration (the |location|
// field), along with the other ClientCertConfig fields documented on the
// struct. |cert_config| presumably must be non-null — confirm.
CHROMEOS_EXPORT void OncToClientCertConfig(
    const base::DictionaryValue& network_config,
    ClientCertConfig* cert_config);
100
101}  // namespace client_cert
102
103}  // namespace chromeos
104
105#endif  // CHROMEOS_NETWORK_CLIENT_CERT_UTIL_H_
106