chrome/browser/certificate_manager_model.h

   1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #ifndef CHROME_BROWSER_CERTIFICATE_MANAGER_MODEL_H_
   6 #define CHROME_BROWSER_CERTIFICATE_MANAGER_MODEL_H_
   7
   8 #include <map>
   9 #include <string>
  10
  11 #include "base/callback.h"
  12 #include "base/memory/ref_counted.h"
  13 #include "base/memory/scoped_ptr.h"
  14 #include "base/strings/string16.h"
  15 #include "net/cert/nss_cert_database.h"
  16
  17 namespace content {
  18 class BrowserContext;
  19 class ResourceContext;
  20 }  // namespace content
  21
  22 // CertificateManagerModel provides the data to be displayed in the certificate
  23 // manager dialog, and processes changes from the view.
  24 class CertificateManagerModel {
  25  public:
  26   // Map from the subject organization name to the list of certs from that
  27   // organization.  If a cert does not have an organization name, the
  28   // subject's CertPrincipal::GetDisplayName() value is used instead.
  29   typedef std::map<std::string, net::CertificateList> OrgGroupingMap;
  30
  31   typedef base::Callback<void(scoped_ptr<CertificateManagerModel>)>
  32       CreationCallback;
  33
  34   // Enumeration of the possible columns in the certificate manager tree view.
  35   enum Column {
  36     COL_SUBJECT_NAME,
  37     COL_CERTIFICATE_STORE,
  38     COL_SERIAL_NUMBER,
  39     COL_EXPIRES_ON,
  40   };
  41
  42   class Observer {
  43    public:
  44     // Called to notify the view that the certificate list has been refreshed.
  45     // TODO(mattm): do a more granular updating strategy?  Maybe retrieve new
  46     // list of certs, diff against past list, and then notify of the changes?
  47     virtual void CertificatesRefreshed() = 0;
  48   };
  49
  50   // Creates a CertificateManagerModel. The model will be passed to the callback
  51   // when it is ready. The caller must ensure the model does not outlive the
  52   // |browser_context|.
  53   static void Create(content::BrowserContext* browser_context,
  54                      Observer* observer,
  55                      const CreationCallback& callback);
  56
  57   ~CertificateManagerModel();
  58
  59   bool is_user_db_available() const { return is_user_db_available_; }
  60   bool is_tpm_available() const { return is_tpm_available_; }
  61
  62   // Accessor for read-only access to the underlying NSSCertDatabase.
  63   const net::NSSCertDatabase* cert_db() const { return cert_db_; }
  64
  65   // Trigger a refresh of the list of certs, unlock any slots if necessary.
  66   // Following this call, the observer CertificatesRefreshed method will be
  67   // called so the view can call FilterAndBuildOrgGroupingMap as necessary to
  68   // refresh its tree views.
  69   void Refresh();
  70
  71   // Fill |map| with the certificates matching |filter_type|.
  72   void FilterAndBuildOrgGroupingMap(net::CertType filter_type,
  73                                     OrgGroupingMap* map) const;
  74
  75   // Get the data to be displayed in |column| for the given |cert|.
  76   base::string16 GetColumnText(const net::X509Certificate& cert, Column column) const;
  77
  78   // Import private keys and certificates from PKCS #12 encoded
  79   // |data|, using the given |password|. If |is_extractable| is false,
  80   // mark the private key as unextractable from the module.
  81   // Returns a net error code on failure.
  82   int ImportFromPKCS12(net::CryptoModule* module, const std::string& data,
  83                        const base::string16& password, bool is_extractable);
  84
  85   // Import CA certificates.
  86   // Tries to import all the certificates given.  The root will be trusted
  87   // according to |trust_bits|.  Any certificates that could not be imported
  88   // will be listed in |not_imported|.
  89   // |trust_bits| should be a bit field of TRUST* values from NSSCertDatabase.
  90   // Returns false if there is an internal error, otherwise true is returned and
  91   // |not_imported| should be checked for any certificates that were not
  92   // imported.
  93   bool ImportCACerts(const net::CertificateList& certificates,
  94                      net::NSSCertDatabase::TrustBits trust_bits,
  95                      net::NSSCertDatabase::ImportCertFailureList* not_imported);
  96
  97   // Import server certificate.  The first cert should be the server cert.  Any
  98   // additional certs should be intermediate/CA certs and will be imported but
  99   // not given any trust.
 100   // Any certificates that could not be imported will be listed in
 101   // |not_imported|.
 102   // |trust_bits| can be set to explicitly trust or distrust the certificate, or
 103   // use TRUST_DEFAULT to inherit trust as normal.
 104   // Returns false if there is an internal error, otherwise true is returned and
 105   // |not_imported| should be checked for any certificates that were not
 106   // imported.
 107   bool ImportServerCert(
 108       const net::CertificateList& certificates,
 109       net::NSSCertDatabase::TrustBits trust_bits,
 110       net::NSSCertDatabase::ImportCertFailureList* not_imported);
 111
 112   // Set trust values for certificate.
 113   // |trust_bits| should be a bit field of TRUST* values from NSSCertDatabase.
 114   // Returns true on success or false on failure.
 115   bool SetCertTrust(const net::X509Certificate* cert,
 116                     net::CertType type,
 117                     net::NSSCertDatabase::TrustBits trust_bits);
 118
 119   // Delete the cert.  Returns true on success.  |cert| is still valid when this
 120   // function returns.
 121   bool Delete(net::X509Certificate* cert);
 122
 123   // IsHardwareBacked returns true if |cert| is hardware backed.
 124   bool IsHardwareBacked(const net::X509Certificate* cert) const;
 125
 126  private:
 127   CertificateManagerModel(net::NSSCertDatabase* nss_cert_database,
 128                           bool is_user_db_available,
 129                           bool is_tpm_available,
 130                           Observer* observer);
 131
 132   // Methods used during initialization, see the comment at the top of the .cc
 133   // file for details.
 134   static void DidGetCertDBOnUIThread(
 135       net::NSSCertDatabase* cert_db,
 136       bool is_user_db_available,
 137       bool is_tpm_available,
 138       CertificateManagerModel::Observer* observer,
 139       const CreationCallback& callback);
 140   static void DidGetCertDBOnIOThread(
 141       CertificateManagerModel::Observer* observer,
 142       const CreationCallback& callback,
 143       net::NSSCertDatabase* cert_db);
 144   static void GetCertDBOnIOThread(content::ResourceContext* context,
 145                                   CertificateManagerModel::Observer* observer,
 146                                   const CreationCallback& callback);
 147
 148   // Callback used by Refresh() for when the cert slots have been unlocked.
 149   // This method does the actual refreshing.
 150   void RefreshSlotsUnlocked();
 151
 152   net::NSSCertDatabase* cert_db_;
 153   net::CertificateList cert_list_;
 154   // Whether the certificate database has a public slot associated with the
 155   // profile. If not set, importing certificates is not allowed with this model.
 156   bool is_user_db_available_;
 157   bool is_tpm_available_;
 158
 159   // The observer to notify when certificate list is refreshed.
 160   Observer* observer_;
 161
 162   DISALLOW_COPY_AND_ASSIGN(CertificateManagerModel);
 163 };
 164
 165 #endif  // CHROME_BROWSER_CERTIFICATE_MANAGER_MODEL_H_