client_cert_util.h revision 116680a4aac90f2aa7413d9095a592090648e557 
1// Copyright (c) 2012 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#ifndef CHROMEOS_NETWORK_CLIENT_CERT_UTIL_H_
6#define CHROMEOS_NETWORK_CLIENT_CERT_UTIL_H_
7
8#include <string>
9#include <vector>
10
11#include "base/memory/ref_counted.h"
12#include "chromeos/chromeos_export.h"
13#include "chromeos/network/certificate_pattern.h"
14
15namespace base {
16class DictionaryValue;
17}
18
19namespace net {
20struct CertPrincipal;
21class X509Certificate;
22typedef std::vector<scoped_refptr<X509Certificate> > CertificateList;
23}
24
25namespace chromeos {
26
27class IssuerSubjectPattern;
28
29namespace client_cert {
30
31enum ConfigType {
32  CONFIG_TYPE_NONE,
33  CONFIG_TYPE_OPENVPN,
34  CONFIG_TYPE_IPSEC,
35  CONFIG_TYPE_EAP
36};
37
38struct CHROMEOS_EXPORT ClientCertConfig {
39  ClientCertConfig();
40
41  // Independent of whether the client cert (pattern or reference) is
42  // configured, the location determines whether this network configuration
43  // supports client certs and what kind of configuration it requires.
44  ConfigType location;
45
46  // One of the ClientCertTypes defined in ONC: kNone, kRef, or kPattern.
47  std::string client_cert_type;
48
49  // If |client_cert_type| equals kPattern, this contains the pattern.
50  CertificatePattern pattern;
51};
52
53// Returns true only if any fields set in this pattern match exactly with
54// similar fields in the principal.  If organization_ or organizational_unit_
55// are set, then at least one of the organizations or units in the principal
56// must match.
57bool CertPrincipalMatches(const IssuerSubjectPattern& pattern,
58                          const net::CertPrincipal& principal);
59
60// Fetches the matching certificate that has the latest valid start date.
61// Returns a NULL refptr if there is no such match.
62CHROMEOS_EXPORT scoped_refptr<net::X509Certificate> GetCertificateMatch(
63    const CertificatePattern& pattern,
64    const net::CertificateList& all_certs);
65
66// If not empty, sets the TPM properties in |properties|. If |pkcs11_id| is not
67// NULL, also sets the ClientCertID. |cert_config_type| determines which
68// dictionary entries to set.
69void SetShillProperties(const ConfigType cert_config_type,
70                        const std::string& tpm_slot,
71                        const std::string& tpm_pin,
72                        const std::string* pkcs11_id,
73                        base::DictionaryValue* properties);
74
75// Returns true if all required configuration properties are set and not empty.
76bool IsCertificateConfigured(const client_cert::ConfigType cert_config_type,
77                             const base::DictionaryValue& service_properties);
78
79// Determines the type of the CertificatePattern configuration, i.e. is it a
80// pattern within an EAP, IPsec or OpenVPN configuration.
81CHROMEOS_EXPORT void OncToClientCertConfig(
82    const base::DictionaryValue& network_config,
83    ClientCertConfig* cert_config);
84
85}  // namespace client_cert
86
87}  // namespace chromeos
88
89#endif  // CHROMEOS_NETWORK_CLIENT_CERT_UTIL_H_
90