#include "base/memory/ref_counted.h"
#include "chromeos/chromeos_export.h"
+#include "chromeos/network/certificate_pattern.h"
namespace base {
class DictionaryValue;
namespace chromeos {
-class CertificatePattern;
-class IssuerSubjectPattern;
-
namespace client_cert {
enum ConfigType {
CONFIG_TYPE_EAP
};
+struct CHROMEOS_EXPORT ClientCertConfig {
+ ClientCertConfig();
+
+ // Independent of whether the client cert (pattern or reference) is
+ // configured, the location determines whether this network configuration
+ // supports client certs and what kind of configuration it requires.
+ ConfigType location;
+
+ // One of the ClientCertTypes defined in ONC: kNone, kRef, or kPattern.
+ std::string client_cert_type;
+
+ // If |client_cert_type| equals kPattern, this contains the pattern.
+ CertificatePattern pattern;
+};
+
// Returns true only if any fields set in this pattern match exactly with
// similar fields in the principal. If organization_ or organizational_unit_
// are set, then at least one of the organizations or units in the principal
bool CertPrincipalMatches(const IssuerSubjectPattern& pattern,
const net::CertPrincipal& principal);
-// Fetches the matching certificate that has the latest valid start date.
-// Returns a NULL refptr if there is no such match.
-CHROMEOS_EXPORT scoped_refptr<net::X509Certificate> GetCertificateMatch(
- const CertificatePattern& pattern,
- const net::CertificateList& all_certs);
-
-// If not empty, sets the TPM properties in |properties|. If |pkcs11_id| is not
-// NULL, also sets the ClientCertID. |cert_config_type| determines which
-// dictionary entries to set.
-void SetShillProperties(const ConfigType cert_config_type,
- const std::string& tpm_slot,
- const std::string& tpm_pin,
- const std::string* pkcs11_id,
- base::DictionaryValue* properties);
+// Returns the PKCS11 and slot ID of |cert_id|, which is expected to be a
+// value of the Shill property kEapCertIdProperty or kEapKeyIdProperty, either
+// of format "<pkcs11_id>" or "<slot_id>:<pkcs11_id>".
+CHROMEOS_EXPORT std::string GetPkcs11AndSlotIdFromEapCertId(
+ const std::string& cert_id,
+ int* slot_id);
+
+// Reads the client certificate configuration from the Shill Service properties
+// |shill_properties|.
+// If such a configuration is found, the values |cert_config_type|, |tpm_slot|
+// and |pkcs11_id| are filled accordingly. In case of OpenVPN or because the
+// property was not set, |tpm_slot| will be set to -1.
+// If an error occurred or no client configuration is found, |cert_config_type|
+// will be set to CONFIG_TYPE_NONE, |tpm_slot| to -1 and |pkcs11_id| to the
+// empty string.
+CHROMEOS_EXPORT void GetClientCertFromShillProperties(
+ const base::DictionaryValue& shill_properties,
+ ConfigType* cert_config_type,
+ int* tpm_slot,
+ std::string* pkcs11_id);
+
+// Sets the properties of a client cert and the TPM slot that it's contained in.
+// |cert_config_type| determines which dictionary entries to set.
+CHROMEOS_EXPORT void SetShillProperties(const ConfigType cert_config_type,
+ const int tpm_slot,
+ const std::string& pkcs11_id,
+ base::DictionaryValue* properties);
+
+// Like SetShillProperties but instead sets the properties to empty strings.
+// This should be used to clear previously set client certificate properties.
+CHROMEOS_EXPORT void SetEmptyShillProperties(const ConfigType cert_config_type,
+ base::DictionaryValue* properties);
// Returns true if all required configuration properties are set and not empty.
bool IsCertificateConfigured(const client_cert::ConfigType cert_config_type,
const base::DictionaryValue& service_properties);
+// Determines the type of the CertificatePattern configuration, i.e. is it a
+// pattern within an EAP, IPsec or OpenVPN configuration.
+CHROMEOS_EXPORT void OncToClientCertConfig(
+ const base::DictionaryValue& network_config,
+ ClientCertConfig* cert_config);
+
} // namespace client_cert
} // namespace chromeos