blob: 45bd99c9f6b12e8a8df17a88ed92ac899bd81758 [file] [log] [blame]
// Copyright 2013 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "net/cert/nss_profile_filter_chromeos.h"
#include <memory>
#include <utility>
#include "base/strings/string_piece.h"
#include "base/strings/stringprintf.h"
#include "net/cert/x509_certificate.h"
namespace net {
namespace {
std::string CertSlotsString(CERTCertificate* cert) {
std::string result;
crypto::ScopedPK11SlotList slots_for_cert(
PK11_GetAllSlotsForCert(cert, NULL));
for (PK11SlotListElement* slot_element =
PK11_GetFirstSafe(slots_for_cert.get());
slot_element;
slot_element =
PK11_GetNextSafe(slots_for_cert.get(), slot_element, PR_FALSE)) {
if (!result.empty())
result += ',';
base::StringAppendF(&result,
"%lu:%lu",
PK11_GetModuleID(slot_element->slot),
PK11_GetSlotID(slot_element->slot));
}
return result;
}
} // namespace
NSSProfileFilterChromeOS::NSSProfileFilterChromeOS() = default;
NSSProfileFilterChromeOS::NSSProfileFilterChromeOS(
const NSSProfileFilterChromeOS& other) {
public_slot_.reset(other.public_slot_ ?
PK11_ReferenceSlot(other.public_slot_.get()) :
NULL);
private_slot_.reset(other.private_slot_ ?
PK11_ReferenceSlot(other.private_slot_.get()) :
NULL);
system_slot_.reset(
other.system_slot_ ? PK11_ReferenceSlot(other.system_slot_.get()) : NULL);
}
NSSProfileFilterChromeOS::~NSSProfileFilterChromeOS() = default;
NSSProfileFilterChromeOS& NSSProfileFilterChromeOS::operator=(
const NSSProfileFilterChromeOS& other) {
public_slot_.reset(other.public_slot_ ?
PK11_ReferenceSlot(other.public_slot_.get()) :
NULL);
private_slot_.reset(other.private_slot_ ?
PK11_ReferenceSlot(other.private_slot_.get()) :
NULL);
system_slot_.reset(
other.system_slot_ ? PK11_ReferenceSlot(other.system_slot_.get()) : NULL);
return *this;
}
void NSSProfileFilterChromeOS::Init(crypto::ScopedPK11Slot public_slot,
crypto::ScopedPK11Slot private_slot,
crypto::ScopedPK11Slot system_slot) {
// crypto::ScopedPK11Slot actually holds a reference counted object.
// Because std::unique_ptr<T> assignment is a no-op if it already points to
// the same pointer, a reference would be leaked because std::move() does
// not release its reference, and the receiving object won't free
// its copy.
// TODO(dcheng): This comment doesn't seem quite right.
if (public_slot_.get() != public_slot.get())
public_slot_ = std::move(public_slot);
if (private_slot_.get() != private_slot.get())
private_slot_ = std::move(private_slot);
if (system_slot_.get() != system_slot.get())
system_slot_ = std::move(system_slot);
}
bool NSSProfileFilterChromeOS::IsModuleAllowed(PK11SlotInfo* slot) const {
// If this is one of the public/private slots for this profile or the system
// slot, allow it.
if (slot == public_slot_.get() || slot == private_slot_.get() ||
slot == system_slot_.get()) {
return true;
}
// Allow the root certs module.
if (PK11_HasRootCerts(slot))
return true;
// If it's from the read-only slots, allow it.
if (PK11_IsInternal(slot) && !PK11_IsRemovable(slot))
return true;
// If |public_slot_| or |private_slot_| is null, there isn't a way to get the
// modules to use in the final test.
if (!public_slot_.get() || !private_slot_.get())
return false;
// If this is not the internal (file-system) module or the TPM module, allow
// it. This would allow smartcards/etc, although ChromeOS doesn't currently
// support that. (This assumes that private_slot_ and system_slot_ are on the
// same module.)
DCHECK(!system_slot_.get() ||
PK11_GetModule(private_slot_.get()) ==
PK11_GetModule(system_slot_.get()));
SECMODModule* module_for_slot = PK11_GetModule(slot);
if (module_for_slot != PK11_GetModule(public_slot_.get()) &&
module_for_slot != PK11_GetModule(private_slot_.get())) {
return true;
}
return false;
}
bool NSSProfileFilterChromeOS::IsCertAllowed(CERTCertificate* cert) const {
crypto::ScopedPK11SlotList slots_for_cert(
PK11_GetAllSlotsForCert(cert, NULL));
if (!slots_for_cert) {
DVLOG(2) << "cert no slots: " << base::StringPiece(cert->nickname);
return false;
}
for (PK11SlotListElement* slot_element =
PK11_GetFirstSafe(slots_for_cert.get());
slot_element;
slot_element =
PK11_GetNextSafe(slots_for_cert.get(), slot_element, PR_FALSE)) {
if (IsModuleAllowed(slot_element->slot)) {
DVLOG(3) << "cert from " << CertSlotsString(cert)
<< " allowed: " << base::StringPiece(cert->nickname);
PK11_FreeSlotListElement(slots_for_cert.get(), slot_element);
return true;
}
}
DVLOG(2) << "cert from " << CertSlotsString(cert)
<< " filtered: " << base::StringPiece(cert->nickname);
return false;
}
NSSProfileFilterChromeOS::ModuleNotAllowedForProfilePredicate::
ModuleNotAllowedForProfilePredicate(const NSSProfileFilterChromeOS& filter)
: filter_(filter) {}
bool NSSProfileFilterChromeOS::ModuleNotAllowedForProfilePredicate::operator()(
const crypto::ScopedPK11Slot& module) const {
return !filter_.IsModuleAllowed(module.get());
}
} // namespace net