1 // Copyright 2013 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #ifndef NET_SSL_CLIENT_CERT_STORE_NSS_H_
6 #define NET_SSL_CLIENT_CERT_STORE_NSS_H_
7 
8 #include "base/functional/callback.h"
9 #include "base/memory/scoped_refptr.h"
10 #include "base/memory/weak_ptr.h"
11 #include "net/base/net_export.h"
12 #include "net/ssl/client_cert_matcher.h"
13 #include "net/ssl/client_cert_store.h"
14 
// Forward declarations of the NSS certificate types referenced by this header,
// so that including it does not pull in the NSS headers themselves. Only
// CERTCertificate is actually used below (in CertFilter); CERTCertList is
// declared but not referenced in this header.
typedef struct CERTCertListStr CERTCertList;
typedef struct CERTCertificateStr CERTCertificate;
17 
// Forward declaration of the delegate NSS uses to obtain a PKCS#11 token
// password. The "Blocking" in the name indicates the delegate may block the
// calling thread (e.g. on a user prompt), which is why the entry points below
// that take it are required to run on a worker thread.
namespace crypto {
class CryptoModuleBlockingPasswordDelegate;
}
21 
22 namespace net {
23 class HostPortPair;
24 class SSLCertRequestInfo;
25 
// ClientCertStore implementation backed by NSS. It enumerates the client
// certificates NSS can see (which may live on PKCS#11 tokens that have to be
// unlocked with a password/PIN) and filters them against a server's
// certificate request. This class only produces the candidate list of
// identities; the decision to actually present one of them to a server is
// made by the caller (presumably after user selection — confirm against the
// callers, it is not enforced here).
class NET_EXPORT ClientCertStoreNSS : public ClientCertStore {
 public:
  // Creates the delegate used to ask for the password of a PKCS#11 token when
  // collecting certificates for |server|. The callback returns a raw pointer;
  // the worker-thread entry points below take the delegate as a scoped_refptr,
  // so ownership is presumably handed to that refcount — NOTE(review): confirm
  // the ownership transfer in the .cc before relying on it.
  using PasswordDelegateFactory =
      base::RepeatingCallback<crypto::CryptoModuleBlockingPasswordDelegate*(
          const HostPortPair& /* server */)>;
  // Predicate over an NSS certificate; returning true keeps the certificate.
  // The lifetime of the CERTCertificate* is not specified by this header, so a
  // filter should not retain the pointer beyond the call.
  using CertFilter = base::RepeatingCallback<bool(CERTCertificate*)>;

  // ClientCertIssuerSource backed by the NSS certificate database: returns the
  // certificates NSS holds under |name| (an opaque byte span here; the encoding
  // it must use is defined by ClientCertIssuerSource). Presumably used to
  // locate intermediates when completing a client certificate's chain (see
  // FilterCertsOnWorkerThread). The override is declared without an access
  // specifier and is therefore private; it is only reachable through the
  // ClientCertIssuerSource interface.
  class IssuerSourceNSS : public ClientCertIssuerSource {
    std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> GetCertsByName(
        base::span<const uint8_t> name) override;
  };

  // |password_delegate_factory| may be null (see password_delegate_factory_
  // below); in that case no delegate can be created and locked slots
  // presumably cannot be unlocked on demand — confirm in the .cc.
  explicit ClientCertStoreNSS(
      const PasswordDelegateFactory& password_delegate_factory);

  // Non-copyable: the store hands out WeakPtrs to itself (weak_factory_).
  ClientCertStoreNSS(const ClientCertStoreNSS&) = delete;
  ClientCertStoreNSS& operator=(const ClientCertStoreNSS&) = delete;

  ~ClientCertStoreNSS() override;

  // ClientCertStore:
  // Collects the identities matching |cert_request_info| and delivers them to
  // |callback|. |cert_request_info| describes the server's certificate request
  // and is therefore peer-supplied data: it only narrows the candidate list,
  // and nothing in this class treats it as trusted. Given the private members
  // below, the work presumably runs on a worker thread
  // (GetAndFilterCertsOnWorkerThread) with the result posted back through
  // OnClientCertsResponse via a WeakPtr, so a store destroyed in the meantime
  // does not run the callback — confirm in the .cc.
  void GetClientCerts(scoped_refptr<const SSLCertRequestInfo> cert_request_info,
                      ClientCertListCallback callback) override;

  // Examines the certificates in |identities| to find all certificates that
  // match the client certificate request in |request|, removing any that don't.
  // The remaining certs will be updated to include intermediates.
  // Must be called from a worker thread.
  //
  // Security note: |request| is controlled by the remote server, so the server
  // influences which identities survive this filter. This is a selection aid
  // only — it is not a trust decision about the server and not consent to
  // present any of the surviving identities; that presumably lives in the
  // caller/UI.
  static void FilterCertsOnWorkerThread(ClientCertIdentityList* identities,
                                        const SSLCertRequestInfo& request);

  // Retrieves all client certificates that are stored by NSS and adds them to
  // |identities|. |password_delegate| is used to unlock slots if required. If
  // |cert_filter| is not null, only certificates that it returns true on will
  // be added.
  // Must be called from a worker thread.
  //
  // Unlocking a slot may block on a user password/PIN prompt through the
  // (blocking) delegate, which is the reason for the worker-thread
  // requirement. What happens to locked slots when |password_delegate| is null
  // is not specified here — presumably they are skipped; confirm in the .cc.
  static void GetPlatformCertsOnWorkerThread(
      scoped_refptr<crypto::CryptoModuleBlockingPasswordDelegate>
          password_delegate,
      const CertFilter& cert_filter,
      ClientCertIdentityList* identities);

 private:
  // Worker-thread body for GetClientCerts: presumably runs
  // GetPlatformCertsOnWorkerThread followed by FilterCertsOnWorkerThread and
  // returns the resulting list. Both arguments are refcounted so they outlive
  // the posting thread's locals.
  static ClientCertIdentityList GetAndFilterCertsOnWorkerThread(
      scoped_refptr<crypto::CryptoModuleBlockingPasswordDelegate>
          password_delegate,
      scoped_refptr<const SSLCertRequestInfo> request);

  // Receives the worker-thread result and forwards |identities| to |callback|.
  // Presumably bound through weak_factory_ so it is dropped if the store has
  // already been destroyed.
  void OnClientCertsResponse(ClientCertListCallback callback,
                             ClientCertIdentityList identities);

  // The factory for creating the delegate for requesting a password to a
  // PKCS#11 token. May be null.
  PasswordDelegateFactory password_delegate_factory_;

  // Must remain the last member: it is destroyed first, invalidating any
  // outstanding WeakPtrs before the other members go away.
  base::WeakPtrFactory<ClientCertStoreNSS> weak_factory_{this};
};
83 
84 }  // namespace net
85 
86 #endif  // NET_SSL_CLIENT_CERT_STORE_NSS_H_
87