onc_certificate_importer_impl.h revision 1320f92c476a1ad9d19dba2a48c72b75566198e9
1// Copyright 2013 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#ifndef CHROMEOS_NETWORK_ONC_ONC_CERTIFICATE_IMPORTER_IMPL_H_
6#define CHROMEOS_NETWORK_ONC_ONC_CERTIFICATE_IMPORTER_IMPL_H_
7
8#include <map>
9#include <string>
10#include <vector>
11
12#include "base/basictypes.h"
13#include "base/memory/ref_counted.h"
14#include "base/memory/scoped_ptr.h"
15#include "base/memory/weak_ptr.h"
16#include "chromeos/chromeos_export.h"
17#include "chromeos/network/onc/onc_certificate_importer.h"
18#include "components/onc/onc_constants.h"
19
20namespace base {
21class DictionaryValue;
22class ListValue;
23class SequencedTaskRunner;
24class SingleThreadTaskRunner;
25}
26
namespace net {
class NSSCertDatabase;
class X509Certificate;
// Local redeclaration of net's CertificateList alias so this header does not
// have to pull in the X509Certificate header. It must stay byte-identical to
// net's own definition, otherwise the two typedefs silently diverge.
typedef std::vector<scoped_refptr<X509Certificate> > CertificateList;
}
32
33namespace chromeos {
34namespace onc {
35
36// This class handles certificate imports from ONC (both policy and user
37// imports) into a certificate store. The GUID of Client certificates is stored
38// together with the certificate as Nickname. In contrast, Server and CA
39// certificates are identified by their PEM and not by GUID.
40// TODO(pneubeck): Replace Nickname by PEM for Client
41// certificates. http://crbug.com/252119
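class CHROMEOS_EXPORT CertificateImporterImpl : public CertificateImporter {
 public:
  // |io_task_runner| will be used for NSSCertDatabase accesses (the import
  // work itself runs there, see ParseAndStoreCertificates). |target_nssdb| is
  // the database certificates are imported into; it is stored as a raw,
  // non-owning pointer and so presumably must outlive this importer.
  // NOTE(review): the parameter was previously named |target_nssdb_|; the
  // trailing underscore is reserved for members in this codebase, so the
  // declaration now uses the plain name (callers are unaffected).
  CertificateImporterImpl(
      const scoped_refptr<base::SequencedTaskRunner>& io_task_runner,
      net::NSSCertDatabase* target_nssdb);
  virtual ~CertificateImporterImpl();

  // CertificateImporter overrides.
  // Imports the ONC certificate list |certificates| that originated from
  // |source|, and reports the outcome through |done_callback|. The work is
  // handed to |io_task_runner_|, so the callback runs asynchronously.
  virtual void ImportCertificates(const base::ListValue& certificates,
                                  ::onc::ONCSource source,
                                  const DoneCallback& done_callback) OVERRIDE;

 private:
  // Delivers the result of an import to |callback|. |success| is the overall
  // outcome; |onc_trusted_certificates| is the list of certificates that were
  // granted web trust during the import (filled by ParseAndStoreCertificate).
  // Presumably bound through |weak_factory_| so the callback is dropped when
  // the importer is destroyed first -- confirm in the .cc.
  void RunDoneCallback(const CertificateImporter::DoneCallback& callback,
                       bool success,
                       const net::CertificateList& onc_trusted_certificates);

  // This is the synchronous implementation of ImportCertificates. It is
  // executed on the given |io_task_runner_|. |source| determines whether this
  // import may grant web trust (see ParseServerOrCaCertificate).
  // NOTE(review): |certificates| is passed by non-const pointer; whether this
  // function takes ownership of it is not visible in this header -- check the
  // definition before changing call sites.
  static void ParseAndStoreCertificates(::onc::ONCSource source,
                                        const DoneCallback& done_callback,
                                        base::ListValue* certificates,
                                        net::NSSCertDatabase* nssdb);

  // Lists the certificates that have the string |label| as their certificate
  // nickname (exact match). Matches are appended to |result|; the lookup is
  // performed in |target_nssdb|.
  static void ListCertsWithNickname(const std::string& label,
                                    net::CertificateList* result,
                                    net::NSSCertDatabase* target_nssdb);

  // Deletes any certificate that has the string |label| as its nickname (exact
  // match) and, as the name suggests, the associated key -- confirm in the .cc.
  // Since Client certificates use their ONC GUID as nickname (see class
  // comment), this is how a previously imported Client certificate is replaced.
  // The meaning of the bool return is not visible here; presumably success.
  static bool DeleteCertAndKeyByNickname(const std::string& label,
                                         net::NSSCertDatabase* target_nssdb);

  // Parses and stores/removes |certificate| in/from the certificate
  // store. Returns true if the operation succeeded.
  // |allow_trust_imports| states whether the import source is permitted to
  // grant web trust; it is forwarded unchanged to ParseServerOrCaCertificate,
  // which is the only place that decides on trust. Certificates that did
  // receive web trust are reported through |onc_trusted_certificates|.
  static bool ParseAndStoreCertificate(
      bool allow_trust_imports,
      const base::DictionaryValue& certificate,
      net::NSSCertDatabase* nssdb,
      net::CertificateList* onc_trusted_certificates);

  // Imports the Server or CA certificate |certificate|. Web trust is only
  // applied if the certificate requests the TrustBits attribute "Web" and if
  // the |allow_trust_imports| permission is granted, otherwise the attribute is
  // ignored. This is the security-relevant gate: a TrustBits request from a
  // source without |allow_trust_imports| never reaches the trust store.
  // |cert_type| is the ONC certificate type string; |guid| identifies the ONC
  // entry. Certificates that were granted web trust are appended to
  // |onc_trusted_certificates|. Returns true on success.
  static bool ParseServerOrCaCertificate(
      bool allow_trust_imports,
      const std::string& cert_type,
      const std::string& guid,
      const base::DictionaryValue& certificate,
      net::NSSCertDatabase* nssdb,
      net::CertificateList* onc_trusted_certificates);

  // Imports the Client certificate |certificate| into |nssdb|, using |guid| as
  // its nickname (see class comment; this is what ListCertsWithNickname and
  // DeleteCertAndKeyByNickname match on). No trust attributes are involved.
  // Returns true on success. The key material format is not visible here.
  static bool ParseClientCertificate(const std::string& guid,
                                     const base::DictionaryValue& certificate,
                                     net::NSSCertDatabase* nssdb);

  // The task runner to use for NSSCertDatabase accesses.
  scoped_refptr<base::SequencedTaskRunner> io_task_runner_;

  // The certificate database to which certificates are imported. Not owned.
  net::NSSCertDatabase* target_nssdb_;

  // Keep this the last member: members are destroyed in reverse declaration
  // order, so outstanding weak pointers are invalidated before anything else
  // of this object goes away.
  base::WeakPtrFactory<CertificateImporterImpl> weak_factory_;

  DISALLOW_COPY_AND_ASSIGN(CertificateImporterImpl);
};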
112
113}  // namespace onc
114}  // namespace chromeos
115
116#endif  // CHROMEOS_NETWORK_ONC_ONC_CERTIFICATE_IMPORTER_IMPL_H_
117