• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // Copyright 2013 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #include "net/cert/nss_profile_filter_chromeos.h"
6 
7 #include <memory>
8 #include <utility>
9 
10 #include "base/logging.h"
11 #include "base/strings/string_piece.h"
12 #include "net/cert/x509_certificate.h"
13 
14 namespace net {
15 
16 NSSProfileFilterChromeOS::NSSProfileFilterChromeOS() = default;
17 
NSSProfileFilterChromeOS(const NSSProfileFilterChromeOS & other)18 NSSProfileFilterChromeOS::NSSProfileFilterChromeOS(
19     const NSSProfileFilterChromeOS& other) {
20   public_slot_.reset(other.public_slot_
21                          ? PK11_ReferenceSlot(other.public_slot_.get())
22                          : nullptr);
23   private_slot_.reset(other.private_slot_
24                           ? PK11_ReferenceSlot(other.private_slot_.get())
25                           : nullptr);
26   system_slot_.reset(other.system_slot_
27                          ? PK11_ReferenceSlot(other.system_slot_.get())
28                          : nullptr);
29 }
30 
31 NSSProfileFilterChromeOS::~NSSProfileFilterChromeOS() = default;
32 
operator =(const NSSProfileFilterChromeOS & other)33 NSSProfileFilterChromeOS& NSSProfileFilterChromeOS::operator=(
34     const NSSProfileFilterChromeOS& other) {
35   public_slot_.reset(other.public_slot_
36                          ? PK11_ReferenceSlot(other.public_slot_.get())
37                          : nullptr);
38   private_slot_.reset(other.private_slot_
39                           ? PK11_ReferenceSlot(other.private_slot_.get())
40                           : nullptr);
41   system_slot_.reset(other.system_slot_
42                          ? PK11_ReferenceSlot(other.system_slot_.get())
43                          : nullptr);
44   return *this;
45 }
46 
Init(crypto::ScopedPK11Slot public_slot,crypto::ScopedPK11Slot private_slot,crypto::ScopedPK11Slot system_slot)47 void NSSProfileFilterChromeOS::Init(crypto::ScopedPK11Slot public_slot,
48                                     crypto::ScopedPK11Slot private_slot,
49                                     crypto::ScopedPK11Slot system_slot) {
50   // crypto::ScopedPK11Slot actually holds a reference counted object.
51   // Because std::unique_ptr<T> assignment is a no-op if it already points to
52   // the same pointer, a reference would be leaked because std::move() does
53   // not release its reference, and the receiving object won't free
54   // its copy.
55   // TODO(dcheng): This comment doesn't seem quite right.
56   if (public_slot_.get() != public_slot.get())
57     public_slot_ = std::move(public_slot);
58   if (private_slot_.get() != private_slot.get())
59     private_slot_ = std::move(private_slot);
60   if (system_slot_.get() != system_slot.get())
61     system_slot_ = std::move(system_slot);
62 }
63 
IsModuleAllowed(PK11SlotInfo * slot) const64 bool NSSProfileFilterChromeOS::IsModuleAllowed(PK11SlotInfo* slot) const {
65   // If this is one of the public/private slots for this profile or the system
66   // slot, allow it.
67   if (slot == public_slot_.get() || slot == private_slot_.get() ||
68       slot == system_slot_.get()) {
69     return true;
70   }
71   // Allow the root certs module.
72   if (PK11_HasRootCerts(slot))
73     return true;
74   // If it's from the read-only slots, allow it.
75   if (PK11_IsInternal(slot) && !PK11_IsRemovable(slot))
76     return true;
77   // If |public_slot_| or |private_slot_| is null, there isn't a way to get the
78   // modules to use in the final test.
79   if (!public_slot_.get() || !private_slot_.get())
80     return false;
81   // If this is not the internal (file-system) module or the TPM module, allow
82   // it. This would allow smartcards/etc, although ChromeOS doesn't currently
83   // support that. (This assumes that private_slot_ and system_slot_ are on the
84   // same module.)
85   DCHECK(!system_slot_.get() ||
86          PK11_GetModule(private_slot_.get()) ==
87              PK11_GetModule(system_slot_.get()));
88   SECMODModule* module_for_slot = PK11_GetModule(slot);
89   if (module_for_slot != PK11_GetModule(public_slot_.get()) &&
90       module_for_slot != PK11_GetModule(private_slot_.get())) {
91     return true;
92   }
93   return false;
94 }
95 
IsCertAllowed(CERTCertificate * cert) const96 bool NSSProfileFilterChromeOS::IsCertAllowed(CERTCertificate* cert) const {
97   crypto::ScopedPK11SlotList slots_for_cert(
98       PK11_GetAllSlotsForCert(cert, nullptr));
99   if (!slots_for_cert)
100     return false;
101 
102   for (PK11SlotListElement* slot_element =
103            PK11_GetFirstSafe(slots_for_cert.get());
104        slot_element;
105        slot_element =
106            PK11_GetNextSafe(slots_for_cert.get(), slot_element, PR_FALSE)) {
107     if (IsModuleAllowed(slot_element->slot)) {
108       PK11_FreeSlotListElement(slots_for_cert.get(), slot_element);
109       return true;
110     }
111   }
112 
113   return false;
114 }
115 
116 }  // namespace net
117