1// Copyright 2013 The Chromium Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style license that can be 3// found in the LICENSE file. 4 5#ifndef NET_CERT_NSS_PROFILE_FILTER_CHROMEOS_H_ 6#define NET_CERT_NSS_PROFILE_FILTER_CHROMEOS_H_ 7 8#include "base/memory/scoped_ptr.h" 9#include "crypto/scoped_nss_types.h" 10#include "net/base/crypto_module.h" 11#include "net/base/net_export.h" 12 13namespace net { 14 15class X509Certificate; 16 17// On ChromeOS each user has separate NSS databases, which are loaded 18// simultaneously when multiple users are logged in at the same time. NSS 19// doesn't have built-in support to partition databases into separate groups, so 20// NSSProfileFilterChromeOS can be used to check if a given slot or certificate 21// should be used for a given user. 22// 23// Objects of this class are thread-safe except for the Init function, which if 24// called must not be called while other threads could access the object. 25class NET_EXPORT NSSProfileFilterChromeOS { 26 public: 27 // Create a filter. Until Init is called (or if Init is called with NULL 28 // slot handles), the filter will allow only certs/slots from the read-only 29 // slots and the root CA module. 30 NSSProfileFilterChromeOS(); 31 NSSProfileFilterChromeOS(const NSSProfileFilterChromeOS& other); 32 ~NSSProfileFilterChromeOS(); 33 34 NSSProfileFilterChromeOS& operator=(const NSSProfileFilterChromeOS& other); 35 36 // Initialize the filter with the slot handles to allow. This method is not 37 // thread-safe. 38 void Init(crypto::ScopedPK11Slot public_slot, 39 crypto::ScopedPK11Slot private_slot, 40 crypto::ScopedPK11Slot system_slot); 41 42 bool IsModuleAllowed(PK11SlotInfo* slot) const; 43 bool IsCertAllowed(CERTCertificate* cert) const; 44 45 class CertNotAllowedForProfilePredicate { 46 public: 47 explicit CertNotAllowedForProfilePredicate( 48 const NSSProfileFilterChromeOS& filter); 49 bool operator()(const scoped_refptr<X509Certificate>& cert) const; 50 51 private: 52 const NSSProfileFilterChromeOS& filter_; 53 }; 54 55 class ModuleNotAllowedForProfilePredicate { 56 public: 57 explicit ModuleNotAllowedForProfilePredicate( 58 const NSSProfileFilterChromeOS& filter); 59 bool operator()(const scoped_refptr<CryptoModule>& module) const; 60 61 private: 62 const NSSProfileFilterChromeOS& filter_; 63 }; 64 65 private: 66 crypto::ScopedPK11Slot public_slot_; 67 crypto::ScopedPK11Slot private_slot_; 68 crypto::ScopedPK11Slot system_slot_; 69}; 70 71} // namespace net 72 73#endif // NET_CERT_NSS_PROFILE_FILTER_CHROMEOS_H_ 74