File: cert_verify_proc_chromeos.h

package info (click to toggle)
chromium-browser 41.0.2272.118-1
  • links: PTS, VCS
  • area: main
  • in suites: jessie-kfreebsd
  • size: 2,189,132 kB
  • sloc: cpp: 9,691,462; ansic: 3,341,451; python: 712,689; asm: 518,779; xml: 208,926; java: 169,820; sh: 119,353; perl: 68,907; makefile: 28,311; yacc: 13,305; objc: 11,385; tcl: 3,186; cs: 2,225; sql: 2,217; lex: 2,215; lisp: 1,349; pascal: 1,256; awk: 407; ruby: 155; sed: 53; php: 14; exp: 11
file content (59 lines) | stat: -rw-r--r-- 2,408 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
 
// Copyright 2014 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef CHROME_BROWSER_CHROMEOS_NET_CERT_VERIFY_PROC_CHROMEOS_H_
#define CHROME_BROWSER_CHROMEOS_NET_CERT_VERIFY_PROC_CHROMEOS_H_

#include "crypto/scoped_nss_types.h"
#include "net/cert/cert_verify_proc_nss.h"
#include "net/cert/nss_profile_filter_chromeos.h"

namespace chromeos {

// Wrapper around CertVerifyProcNSS which allows filtering trust decisions on a
// per-slot basis.
//
// Note that only the simple case is currently handled (if a slot contains a new
// trust root, that root should not be trusted by CertVerifyProcChromeOS
// instances using other slots). More complicated cases are not handled (like
// two slots adding the same root cert but with different trust values).
class CertVerifyProcChromeOS : public net::CertVerifyProcNSS {
 public:
  // Creates a CertVerifyProc that doesn't allow any user-provided trust roots.
  CertVerifyProcChromeOS();

  // Creates a CertVerifyProc that doesn't allow trust roots provided by
  // users other than the specified slot.
  explicit CertVerifyProcChromeOS(crypto::ScopedPK11Slot public_slot);

 protected:
  virtual ~CertVerifyProcChromeOS();

 private:
  // net::CertVerifyProcNSS implementation:
  virtual int VerifyInternal(
      net::X509Certificate* cert,
      const std::string& hostname,
      int flags,
      net::CRLSet* crl_set,
      const net::CertificateList& additional_trust_anchors,
      net::CertVerifyResult* verify_result) override;

  // Check if the trust root of |current_chain| is allowed.
  // |is_chain_valid_arg| is actually a ChainVerifyArgs*, which is used to pass
  // state through the NSS CERTChainVerifyCallback.isChainValidArg parameter.
  // If the chain is allowed, |*chain_ok| will be set to PR_TRUE.
  // If the chain is not allowed, |*chain_ok| is set to PR_FALSE, and this
  // function may be called again during a single certificate verification if
  // there are multiple possible valid chains.
  static SECStatus IsChainValidFunc(void* is_chain_valid_arg,
                                    const CERTCertList* current_chain,
                                    PRBool* chain_ok);

  net::NSSProfileFilterChromeOS profile_filter_;
};

}  // namespace chromeos

#endif  // CHROME_BROWSER_CHROMEOS_NET_CERT_VERIFY_PROC_CHROMEOS_H_