#include "net/cert/nss_profile_filter_chromeos.h"
-#include "base/bind.h"
-#include "base/callback.h"
+#include "base/strings/string_piece.h"
#include "base/strings/stringprintf.h"
+#include "net/cert/x509_certificate.h"
namespace net {
namespace {
-std::string CertSlotsString(const scoped_refptr<X509Certificate>& cert) {
+std::string CertSlotsString(CERTCertificate* cert) {
std::string result;
crypto::ScopedPK11SlotList slots_for_cert(
- PK11_GetAllSlotsForCert(cert->os_cert_handle(), NULL));
+ PK11_GetAllSlotsForCert(cert, NULL));
for (PK11SlotListElement* slot_element =
PK11_GetFirstSafe(slots_for_cert.get());
slot_element;
NSSProfileFilterChromeOS::NSSProfileFilterChromeOS() {}
+NSSProfileFilterChromeOS::NSSProfileFilterChromeOS(
+ const NSSProfileFilterChromeOS& other) {
+ public_slot_.reset(other.public_slot_ ?
+ PK11_ReferenceSlot(other.public_slot_.get()) :
+ NULL);
+ private_slot_.reset(other.private_slot_ ?
+ PK11_ReferenceSlot(other.private_slot_.get()) :
+ NULL);
+ system_slot_.reset(
+ other.system_slot_ ? PK11_ReferenceSlot(other.system_slot_.get()) : NULL);
+}
+
NSSProfileFilterChromeOS::~NSSProfileFilterChromeOS() {}
+NSSProfileFilterChromeOS& NSSProfileFilterChromeOS::operator=(
+ const NSSProfileFilterChromeOS& other) {
+ public_slot_.reset(other.public_slot_ ?
+ PK11_ReferenceSlot(other.public_slot_.get()) :
+ NULL);
+ private_slot_.reset(other.private_slot_ ?
+ PK11_ReferenceSlot(other.private_slot_.get()) :
+ NULL);
+ system_slot_.reset(
+ other.system_slot_ ? PK11_ReferenceSlot(other.system_slot_.get()) : NULL);
+ return *this;
+}
+
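Review bot: The new `operator=` does not apply the same-pointer guard that this commit adds to `Init()`. When `*this` already holds the same slot as `other` (self-assignment, or re-assigning from a filter built on the same slots), it takes a fresh reference with `PK11_ReferenceSlot()` and then calls `reset()` with the pointer it already owns. If `reset()` behaves like the assignment described in the `Init()` comment, that extra reference is never released and the slot stays pinned. Guarding each member the way `Init()` does, e.g. `if (public_slot_.get() != other.public_slot_.get()) public_slot_.reset(...);`, covers both cases, whereas `if (this == &other) return *this;` covers only self-assignment. The three `reset()` expressions are also repeated verbatim from the copy constructor, so a small private helper would keep the two in step.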
void NSSProfileFilterChromeOS::Init(crypto::ScopedPK11Slot public_slot,
- crypto::ScopedPK11Slot private_slot) {
- public_slot_ = public_slot.Pass();
- private_slot_ = private_slot.Pass();
+ crypto::ScopedPK11Slot private_slot,
+ crypto::ScopedPK11Slot system_slot) {
+ // crypto::ScopedPK11Slot actually holds a reference counted object.
+ // Because scoped_ptr<T> assignment is a no-op if it already points to
+ // the same pointer, a reference would be leaked because .Pass() does
+ // not release its reference, and the receiving object won't free
+ // its copy.
+ if (public_slot_.get() != public_slot.get())
+ public_slot_ = public_slot.Pass();
+ if (private_slot_.get() != private_slot.get())
+ private_slot_ = private_slot.Pass();
+ if (system_slot_.get() != system_slot.get())
+ system_slot_ = system_slot.Pass();
}
bool NSSProfileFilterChromeOS::IsModuleAllowed(PK11SlotInfo* slot) const {
- // If this is one of the public/private slots for this profile, allow it.
- if (slot == public_slot_.get() || slot == private_slot_.get())
+ // If this is one of the public/private slots for this profile or the system
+ // slot, allow it.
+ if (slot == public_slot_.get() || slot == private_slot_.get() ||
+ slot == system_slot_.get()) {
return true;
+ }
// Allow the root certs module.
if (PK11_HasRootCerts(slot))
return true;
if (!public_slot_.get() || !private_slot_.get())
return false;
// If this is not the internal (file-system) module or the TPM module, allow
- // it.
+ // it. This would allow smartcards/etc, although ChromeOS doesn't currently
+ // support that. (This assumes that private_slot_ and system_slot_ are on the
+ // same module.)
+ DCHECK(!system_slot_.get() ||
+ PK11_GetModule(private_slot_.get()) ==
+ PK11_GetModule(system_slot_.get()));
SECMODModule* module_for_slot = PK11_GetModule(slot);
if (module_for_slot != PK11_GetModule(public_slot_.get()) &&
- module_for_slot != PK11_GetModule(private_slot_.get()))
+ module_for_slot != PK11_GetModule(private_slot_.get())) {
return true;
+ }
return false;
}
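Review bot: The assumption that `private_slot_` and `system_slot_` are on the same module is enforced only by the `DCHECK`, which is normally compiled out of release builds, and the final comparison never looks at the system slot's module. If that assumption is ever violated in a release build, any other slot on the system slot's module falls through to `return true`, and `IsCertAllowed()` then accepts certificates from it. Making the check explicit keeps the filter fail-closed: extend the condition before `return true` with `&& (!system_slot_.get() || module_for_slot != PK11_GetModule(system_slot_.get()))`. The comment could also state that `system_slot_` may be NULL, which the `DCHECK` already allows for.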
-bool NSSProfileFilterChromeOS::IsCertAllowed(
- const scoped_refptr<X509Certificate>& cert) const {
+bool NSSProfileFilterChromeOS::IsCertAllowed(CERTCertificate* cert) const {
crypto::ScopedPK11SlotList slots_for_cert(
- PK11_GetAllSlotsForCert(cert->os_cert_handle(), NULL));
+ PK11_GetAllSlotsForCert(cert, NULL));
if (!slots_for_cert) {
- DVLOG(2) << "cert no slots: " << cert->subject().GetDisplayName();
- return true;
+ DVLOG(2) << "cert no slots: " << base::StringPiece(cert->nickname);
+ return false;
}
for (PK11SlotListElement* slot_element =
PK11_GetNextSafe(slots_for_cert.get(), slot_element, PR_FALSE)) {
if (IsModuleAllowed(slot_element->slot)) {
DVLOG(3) << "cert from " << CertSlotsString(cert)
- << " allowed: " << cert->subject().GetDisplayName();
+ << " allowed: " << base::StringPiece(cert->nickname);
PK11_FreeSlotListElement(slots_for_cert.get(), slot_element);
return true;
}
}
DVLOG(2) << "cert from " << CertSlotsString(cert)
- << " filtered: " << cert->subject().GetDisplayName();
+ << " filtered: " << base::StringPiece(cert->nickname);
return false;
}
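Review bot: The no-slots branch now returns `false`, which flips the filter from fail-open to fail-closed, but nothing in the code says why. A one-line comment above the `return false;` would record the intent, for example `// A cert that is on no slot cannot be tied to this profile, so reject it.` The three log statements now read `cert->nickname`, which NSS may leave NULL for certificates without a nickname. This presumably relies on `base::StringPiece` accepting a null `const char*`, which is worth confirming or noting in a comment. The `for` loop header is only partly visible in this hunk, so the iteration itself is not reviewed here.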
bool NSSProfileFilterChromeOS::CertNotAllowedForProfilePredicate::operator()(
const scoped_refptr<X509Certificate>& cert) const {
- return !filter_.IsCertAllowed(cert);
+ return !filter_.IsCertAllowed(cert->os_cert_handle());
}
NSSProfileFilterChromeOS::ModuleNotAllowedForProfilePredicate::