net/cert/nss_profile_filter_chromeos.h

   1 // Copyright 2013 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #ifndef NET_CERT_NSS_PROFILE_FILTER_CHROMEOS_H_
   6 #define NET_CERT_NSS_PROFILE_FILTER_CHROMEOS_H_
   7
   8 #include "base/memory/scoped_ptr.h"
   9 #include "crypto/scoped_nss_types.h"
  10 #include "net/base/crypto_module.h"
  11 #include "net/base/net_export.h"
  12
  13 namespace net {
  14
  15 class X509Certificate;
  16
  17 // On ChromeOS each user has separate NSS databases, which are loaded
  18 // simultaneously when multiple users are logged in at the same time. NSS
  19 // doesn't have built-in support to partition databases into separate groups, so
  20 // NSSProfileFilterChromeOS can be used to check if a given slot or certificate
  21 // should be used for a given user.
  22 //
  23 // Objects of this class are thread-safe except for the Init function, which if
  24 // called must not be called while other threads could access the object.
  25 class NET_EXPORT NSSProfileFilterChromeOS {
  26  public:
  27   // Create a filter. Until Init is called (or if Init is called with NULL
  28   // slot handles), the filter will allow only certs/slots from the read-only
  29   // slots and the root CA module.
  30   NSSProfileFilterChromeOS();
  31   NSSProfileFilterChromeOS(const NSSProfileFilterChromeOS& other);
  32   ~NSSProfileFilterChromeOS();
  33
  34   NSSProfileFilterChromeOS& operator=(const NSSProfileFilterChromeOS& other);
  35
  36   // Initialize the filter with the slot handles to allow. This method is not
  37   // thread-safe.
  38   void Init(crypto::ScopedPK11Slot public_slot,
  39             crypto::ScopedPK11Slot private_slot,
  40             crypto::ScopedPK11Slot system_slot);
  41
  42   bool IsModuleAllowed(PK11SlotInfo* slot) const;
  43   bool IsCertAllowed(CERTCertificate* cert) const;
  44
  45   class CertNotAllowedForProfilePredicate {
  46    public:
  47     explicit CertNotAllowedForProfilePredicate(
  48         const NSSProfileFilterChromeOS& filter);
  49     bool operator()(const scoped_refptr<X509Certificate>& cert) const;
  50
  51    private:
  52     const NSSProfileFilterChromeOS& filter_;
  53   };
  54
  55   class ModuleNotAllowedForProfilePredicate {
  56    public:
  57     explicit ModuleNotAllowedForProfilePredicate(
  58         const NSSProfileFilterChromeOS& filter);
  59     bool operator()(const scoped_refptr<CryptoModule>& module) const;
  60
  61    private:
  62     const NSSProfileFilterChromeOS& filter_;
  63   };
  64
  65  private:
  66   crypto::ScopedPK11Slot public_slot_;
  67   crypto::ScopedPK11Slot private_slot_;
  68   crypto::ScopedPK11Slot system_slot_;
  69 };
  70
  71 }  // namespace net
  72
  73 #endif  // NET_CERT_NSS_PROFILE_FILTER_CHROMEOS_H_