onc_certificate_importer.h revision eb525c5499e34cc9c4b825d6d9e75bb07cc06ace
1// Copyright (c) 2012 The Chromium Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style license that can be 3// found in the LICENSE file. 4 5#ifndef CHROMEOS_NETWORK_ONC_ONC_CERTIFICATE_IMPORTER_H_ 6#define CHROMEOS_NETWORK_ONC_ONC_CERTIFICATE_IMPORTER_H_ 7 8#include <map> 9#include <string> 10#include <vector> 11 12#include "base/basictypes.h" 13#include "base/memory/ref_counted.h" 14#include "base/memory/scoped_ptr.h" 15#include "chromeos/chromeos_export.h" 16#include "chromeos/network/onc/onc_constants.h" 17 18namespace base { 19class DictionaryValue; 20class ListValue; 21} 22 23namespace net { 24class X509Certificate; 25typedef std::vector<scoped_refptr<X509Certificate> > CertificateList; 26} 27 28namespace chromeos { 29namespace onc { 30 31// This class handles certificate imports from ONC (both policy and user 32// imports) into the certificate store. The GUID of Client certificates is 33// stored together with the certificate as Nickname. In contrast, Server and CA 34// certificates are identified by their PEM and not by GUID. 35// TODO(pneubeck): Replace Nickname by PEM for Client 36// certificates. http://crbug.com/252119 37class CHROMEOS_EXPORT CertificateImporter { 38 public: 39 typedef std::map<std::string, scoped_refptr<net::X509Certificate> > 40 CertsByGUID; 41 enum ParseResult { 42 IMPORT_OK, 43 IMPORT_INCOMPLETE, 44 IMPORT_FAILED, 45 }; 46 47 // During import with ParseCertificate(), Web trust is only applied to Server 48 // and Authority certificates with the TrustBits attribute "Web" if the 49 // |allow_trust_imports| permission is granted, otherwise the attribute is 50 // ignored. 51 explicit CertificateImporter(bool allow_trust_imports); 52 53 // Parses and stores the certificates in |onc_certificates| into the 54 // certificate store. If the "Remove" field of a certificate is enabled, then 55 // removes the certificate from the store instead of importing. Returns the 56 // result of the parse operation. In case of IMPORT_INCOMPLETE, some of the 57 // certificates may be stored/removed successfully while others had errors. 58 // If no error occurred, returns IMPORT_OK. If |onc_trusted_certificates| is 59 // not NULL, it will be filled with the list of certificates that requested 60 // the Web trust flag. If |imported_server_and_ca_certs| is not null, it will 61 // be filled with the (GUID, Certificate) pairs of all successfully imported 62 // Server and CA certificates. 63 ParseResult ParseAndStoreCertificates( 64 const base::ListValue& onc_certificates, 65 net::CertificateList* onc_trusted_certificates, 66 CertsByGUID* imported_server_and_ca_certs); 67 68 // Lists the certificates that have the string |label| as their certificate 69 // nickname (exact match). 70 static void ListCertsWithNickname(const std::string& label, 71 net::CertificateList* result); 72 73 protected: 74 // Deletes any certificate that has the string |label| as its nickname (exact 75 // match). 76 static bool DeleteCertAndKeyByNickname(const std::string& label); 77 78 private: 79 // Parses and stores/removes |certificate| in/from the certificate 80 // store. Returns true if the operation succeeded. 81 bool ParseAndStoreCertificate( 82 const base::DictionaryValue& certificate, 83 net::CertificateList* onc_trusted_certificates, 84 CertsByGUID* imported_server_and_ca_certs); 85 86 bool ParseServerOrCaCertificate( 87 const std::string& cert_type, 88 const std::string& guid, 89 const base::DictionaryValue& certificate, 90 net::CertificateList* onc_trusted_certificates, 91 CertsByGUID* imported_server_and_ca_certs); 92 93 bool ParseClientCertificate(const std::string& guid, 94 const base::DictionaryValue& certificate); 95 96 // Whether certificates with TrustBits attribute "Web" should be stored with 97 // web trust. 98 bool allow_trust_imports_; 99 100 DISALLOW_COPY_AND_ASSIGN(CertificateImporter); 101}; 102 103} // namespace onc 104} // namespace chromeos 105 106#endif // CHROMEOS_NETWORK_ONC_ONC_CERTIFICATE_IMPORTER_H_ 107