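// Copyright 2013 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef CHROMEOS_NETWORK_ONC_ONC_CERTIFICATE_IMPORTER_IMPL_H_
#define CHROMEOS_NETWORK_ONC_ONC_CERTIFICATE_IMPORTER_IMPL_H_

#include <map>
#include <string>
#include <vector>

#include "base/basictypes.h"
#include "base/memory/ref_counted.h"
#include "base/memory/scoped_ptr.h"
#include "base/memory/weak_ptr.h"
#include "chromeos/chromeos_export.h"
#include "chromeos/network/onc/onc_certificate_importer.h"
#include "components/onc/onc_constants.h"

namespace base {
class DictionaryValue;
class ListValue;
class SequencedTaskRunner;
class SingleThreadTaskRunner;
}

namespace net {
class NSSCertDatabase;
class X509Certificate;
typedef std::vector<scoped_refptr<X509Certificate> > CertificateList;
}

namespace chromeos {
namespace onc {

// This class handles certificate imports from ONC (both policy and user
// imports) into a certificate store. The GUID of Client certificates is stored
// together with the certificate as Nickname. In contrast, Server and CA
// certificates are identified by their PEM and not by GUID.
//
// Security note: importing a CA certificate with Web trust lets that CA vouch
// for any TLS server, so the only gate on that operation in this class is the
// |allow_trust_imports| flag handed to ParseAndStoreCertificate() /
// ParseServerOrCaCertificate(). That flag must be derived from the ONC
// |source| (who supplied the configuration), never from the ONC payload
// itself, which is attacker-influenced in the user-import case. The header
// does not show where the flag is computed; confirm in the .cc.
//
// TODO(pneubeck): Replace Nickname by PEM for Client
// certificates. http://crbug.com/252119
class CHROMEOS_EXPORT CertificateImporterImpl : public CertificateImporter {
 public:
  // |io_task_runner| will be used for NSSCertDatabase accesses.
  // |target_nssdb| is held as a raw, non-owning pointer; the caller is
  // presumably responsible for keeping the database alive for the lifetime
  // of this importer -- confirm against the owning code.
  CertificateImporterImpl(
      const scoped_refptr<base::SequencedTaskRunner>& io_task_runner,
      net::NSSCertDatabase* target_nssdb);
  virtual ~CertificateImporterImpl();

  // CertificateImporter overrides
  // Imports the ONC |certificates| list that came from |source|. The work
  // itself is done by ParseAndStoreCertificates() on |io_task_runner_|;
  // completion is reported through |done_callback| (see RunDoneCallback()).
  virtual void ImportCertificates(const base::ListValue& certificates,
                                  ::onc::ONCSource source,
                                  const DoneCallback& done_callback) OVERRIDE;

 private:
  // Reports the result of an import to |callback|. |success| is the overall
  // outcome; |onc_trusted_certificates| is the list collected by the parse
  // helpers below (presumably the Server/CA certificates that were granted
  // Web trust -- confirm in the .cc).
  void RunDoneCallback(const CertificateImporter::DoneCallback& callback,
                       bool success,
                       const net::CertificateList& onc_trusted_certificates);

  // This is the synchronous implementation of ImportCertificates. It is
  // executed on the given |io_task_runner_|. |certificates| is taken by
  // pointer because the task runs on another sequence; the posted task
  // presumably owns a copy of the list -- confirm in the .cc. |source| is the
  // origin of the ONC data (policy vs. user) and is the input from which the
  // trust-import permission should be derived.
  static void ParseAndStoreCertificates(::onc::ONCSource source,
                                        const DoneCallback& done_callback,
                                        base::ListValue* certificates,
                                        net::NSSCertDatabase* nssdb);

  // Lists the certificates that have the string |label| as their certificate
  // nickname (exact match).
  static void ListCertsWithNickname(const std::string& label,
                                    net::CertificateList* result,
                                    net::NSSCertDatabase* target_nssdb);

  // Deletes any certificate that has the string |label| as its nickname (exact
  // match). The name indicates the associated private key is removed as well
  // -- confirm in the .cc. Because client certificates are stored under their
  // ONC GUID as nickname, whatever is stored under that GUID is affected,
  // regardless of which ONC source originally imported it.
  static bool DeleteCertAndKeyByNickname(const std::string& label,
                                         net::NSSCertDatabase* target_nssdb);

  // Parses and stores/removes |certificate| in/from the certificate
  // store. Returns true if the operation succeeded. |allow_trust_imports| is
  // forwarded to ParseServerOrCaCertificate() and is the only thing that
  // permits granting Web trust.
  static bool ParseAndStoreCertificate(
      bool allow_trust_imports,
      const base::DictionaryValue& certificate,
      net::NSSCertDatabase* nssdb,
      net::CertificateList* onc_trusted_certificates);

  // Imports the Server or CA certificate |certificate|. Web trust is only
  // applied if the certificate requests the TrustBits attribute "Web" and if
  // the |allow_trust_imports| permission is granted, otherwise the attribute is
  // ignored. |cert_type| is the ONC certificate type and |guid| the ONC GUID
  // of the entry. Returns true if the operation succeeded.
  static bool ParseServerOrCaCertificate(
      bool allow_trust_imports,
      const std::string& cert_type,
      const std::string& guid,
      const base::DictionaryValue& certificate,
      net::NSSCertDatabase* nssdb,
      net::CertificateList* onc_trusted_certificates);

  // Imports the Client certificate |certificate|; per the class comment its
  // ONC |guid| is stored as the certificate nickname. Returns true if the
  // operation succeeded.
  static bool ParseClientCertificate(const std::string& guid,
                                     const base::DictionaryValue& certificate,
                                     net::NSSCertDatabase* nssdb);

  // The task runner to use for NSSCertDatabase accesses.
  scoped_refptr<base::SequencedTaskRunner> io_task_runner_;

  // The certificate database to which certificates are imported (not owned).
  net::NSSCertDatabase* target_nssdb_;

  // Presumably used to bind the reply from |io_task_runner_| so that it is
  // dropped if this importer is destroyed first -- confirm in the .cc.
  base::WeakPtrFactory<CertificateImporterImpl> weak_factory_;

  DISALLOW_COPY_AND_ASSIGN(CertificateImporterImpl);
};

}  // namespace onc
}  // namespace chromeos

#endif  // CHROMEOS_NETWORK_ONC_ONC_CERTIFICATE_IMPORTER_IMPL_H_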