chrome/browser/certificate_manager_model.h

   1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #ifndef CHROME_BROWSER_CERTIFICATE_MANAGER_MODEL_H_
   6 #define CHROME_BROWSER_CERTIFICATE_MANAGER_MODEL_H_
   7
   8 #include <map>
   9 #include <string>
  10
  11 #include "base/memory/ref_counted.h"
  12 #include "base/strings/string16.h"
  13 #include "net/cert/nss_cert_database.h"
  14
  15 // CertificateManagerModel provides the data to be displayed in the certificate
  16 // manager dialog, and processes changes from the view.
  17 class CertificateManagerModel {
  18  public:
  19   // Map from the subject organization name to the list of certs from that
  20   // organization.  If a cert does not have an organization name, the
  21   // subject's CertPrincipal::GetDisplayName() value is used instead.
  22   typedef std::map<std::string, net::CertificateList> OrgGroupingMap;
  23
  24   // Enumeration of the possible columns in the certificate manager tree view.
  25   enum Column {
  26     COL_SUBJECT_NAME,
  27     COL_CERTIFICATE_STORE,
  28     COL_SERIAL_NUMBER,
  29     COL_EXPIRES_ON,
  30   };
  31
  32   class Observer {
  33    public:
  34     // Called to notify the view that the certificate list has been refreshed.
  35     // TODO(mattm): do a more granular updating strategy?  Maybe retrieve new
  36     // list of certs, diff against past list, and then notify of the changes?
  37     virtual void CertificatesRefreshed() = 0;
  38   };
  39
  40   explicit CertificateManagerModel(Observer* observer);
  41   ~CertificateManagerModel();
  42
  43   // Accessor for read-only access to the underlying NSSCertDatabase.
  44   const net::NSSCertDatabase* cert_db() const { return cert_db_; }
  45
  46   // Trigger a refresh of the list of certs, unlock any slots if necessary.
  47   // Following this call, the observer CertificatesRefreshed method will be
  48   // called so the view can call FilterAndBuildOrgGroupingMap as necessary to
  49   // refresh its tree views.
  50   void Refresh();
  51
  52   // Fill |map| with the certificates matching |filter_type|.
  53   void FilterAndBuildOrgGroupingMap(net::CertType filter_type,
  54                                     OrgGroupingMap* map) const;
  55
  56   // Get the data to be displayed in |column| for the given |cert|.
  57   string16 GetColumnText(const net::X509Certificate& cert, Column column) const;
  58
  59   // Import private keys and certificates from PKCS #12 encoded
  60   // |data|, using the given |password|. If |is_extractable| is false,
  61   // mark the private key as unextractable from the module.
  62   // Returns a net error code on failure.
  63   int ImportFromPKCS12(net::CryptoModule* module, const std::string& data,
  64                        const string16& password, bool is_extractable);
  65
  66   // Import CA certificates.
  67   // Tries to import all the certificates given.  The root will be trusted
  68   // according to |trust_bits|.  Any certificates that could not be imported
  69   // will be listed in |not_imported|.
  70   // |trust_bits| should be a bit field of TRUST* values from NSSCertDatabase.
  71   // Returns false if there is an internal error, otherwise true is returned and
  72   // |not_imported| should be checked for any certificates that were not
  73   // imported.
  74   bool ImportCACerts(const net::CertificateList& certificates,
  75                      net::NSSCertDatabase::TrustBits trust_bits,
  76                      net::NSSCertDatabase::ImportCertFailureList* not_imported);
  77
  78   // Import server certificate.  The first cert should be the server cert.  Any
  79   // additional certs should be intermediate/CA certs and will be imported but
  80   // not given any trust.
  81   // Any certificates that could not be imported will be listed in
  82   // |not_imported|.
  83   // |trust_bits| can be set to explicitly trust or distrust the certificate, or
  84   // use TRUST_DEFAULT to inherit trust as normal.
  85   // Returns false if there is an internal error, otherwise true is returned and
  86   // |not_imported| should be checked for any certificates that were not
  87   // imported.
  88   bool ImportServerCert(
  89       const net::CertificateList& certificates,
  90       net::NSSCertDatabase::TrustBits trust_bits,
  91       net::NSSCertDatabase::ImportCertFailureList* not_imported);
  92
  93   // Set trust values for certificate.
  94   // |trust_bits| should be a bit field of TRUST* values from NSSCertDatabase.
  95   // Returns true on success or false on failure.
  96   bool SetCertTrust(const net::X509Certificate* cert,
  97                     net::CertType type,
  98                     net::NSSCertDatabase::TrustBits trust_bits);
  99
 100   // Delete the cert.  Returns true on success.  |cert| is still valid when this
 101   // function returns.
 102   bool Delete(net::X509Certificate* cert);
 103
 104   // IsHardwareBacked returns true if |cert| is hardware backed.
 105   // This function is only implemented for Chrome OS and always returns false
 106   // for other platforms.
 107   bool IsHardwareBacked(const net::X509Certificate* cert) const;
 108
 109  private:
 110   // Callback used by Refresh() for when the cert slots have been unlocked.
 111   // This method does the actual refreshing.
 112   void RefreshSlotsUnlocked();
 113
 114   net::NSSCertDatabase* cert_db_;
 115   net::CertificateList cert_list_;
 116
 117   // The observer to notify when certificate list is refreshed.
 118   Observer* observer_;
 119
 120   DISALLOW_COPY_AND_ASSIGN(CertificateManagerModel);
 121 };
 122
 123 #endif  // CHROME_BROWSER_CERTIFICATE_MANAGER_MODEL_H_