1 // Copyright 2013 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #ifndef NET_SSL_CLIENT_CERT_STORE_NSS_H_
6 #define NET_SSL_CLIENT_CERT_STORE_NSS_H_
7 
8 #include "base/functional/callback.h"
9 #include "net/base/net_export.h"
10 #include "net/ssl/client_cert_store.h"
11 
// Opaque NSS certificate types. They are forward-declared as typedefs of
// incomplete structs (mirroring NSS's own naming) so that this header does
// not have to include the NSS headers; only pointers to them appear below.
typedef struct CERTCertListStr CERTCertList;
typedef struct CERTCertificateStr CERTCertificate;
14 
// Forward declaration only: the delegate used to obtain a PKCS#11 token
// password is referenced by pointer/scoped_refptr in this header.
namespace crypto {
class CryptoModuleBlockingPasswordDelegate;
}  // namespace crypto
18 
19 namespace net {
// Forward declarations; both types are used only by reference in this header.
class HostPortPair;          // the server a client certificate is requested for
class SSLCertRequestInfo;    // the server's CertificateRequest parameters
22 
// ClientCertStore backed by the NSS certificate and key database.
//
// NSS is queried on a worker thread (see the static *OnWorkerThread helpers):
// enumerating a PKCS#11 slot may require unlocking it with a password, and
// the delegate that obtains that password is a "Blocking" one, which suggests
// it may block the calling thread.
class NET_EXPORT ClientCertStoreNSS : public ClientCertStore {
 public:
  // Produces the delegate used to ask for the password of a PKCS#11 token.
  // It is invoked with the server the client certificate is being requested
  // for, so that a password prompt can be attributed to that server. The
  // delegate is returned as a raw pointer here but consumed as a scoped_refptr
  // by GetPlatformCertsOnWorkerThread; presumably the caller adopts it into
  // one -- confirm in the .cc.
  using PasswordDelegateFactory =
      base::RepeatingCallback<crypto::CryptoModuleBlockingPasswordDelegate*(
          const HostPortPair& /* server */)>;

  // Predicate applied to each NSS certificate; returning true keeps it.
  using CertFilter = base::RepeatingCallback<bool(CERTCertificate*)>;

  // |password_delegate_factory| may be null.
  explicit ClientCertStoreNSS(
      const PasswordDelegateFactory& password_delegate_factory);
  ~ClientCertStoreNSS() override;

  // Not copyable.
  ClientCertStoreNSS(const ClientCertStoreNSS&) = delete;
  ClientCertStoreNSS& operator=(const ClientCertStoreNSS&) = delete;

  // ClientCertStore implementation: delivers, through |callback|, the
  // identities in NSS that satisfy |cert_request_info|.
  void GetClientCerts(const SSLCertRequestInfo& cert_request_info,
                      ClientCertListCallback callback) override;

  // Enumerates every client certificate stored by NSS and appends it to
  // |identities|. |password_delegate| is used to unlock slots when a token
  // requires it. When |cert_filter| is non-null, only certificates for which
  // it returns true are added.
  // Must be called from a worker thread.
  static void GetPlatformCertsOnWorkerThread(
      scoped_refptr<crypto::CryptoModuleBlockingPasswordDelegate>
          password_delegate,
      const CertFilter& cert_filter,
      ClientCertIdentityList* identities);

  // Drops from |identities| every certificate that does not match the client
  // certificate request in |request|; the survivors are updated to carry
  // their intermediates. In other words, this is the step that keeps a
  // certificate from being offered to a server whose request it does not
  // satisfy.
  // Must be called from a worker thread.
  static void FilterCertsOnWorkerThread(ClientCertIdentityList* identities,
                                        const SSLCertRequestInfo& request);

 private:
  // Worker-thread body: gathers the platform certificates and filters them
  // against |request|, presumably via the two static helpers above (see the
  // .cc). Unlike those helpers, |request| is a pointer here -- check the
  // implementation for whether null is permitted.
  ClientCertIdentityList GetAndFilterCertsOnWorkerThread(
      scoped_refptr<crypto::CryptoModuleBlockingPasswordDelegate>
          password_delegate,
      const SSLCertRequestInfo* request);

  // Creates the delegate for requesting a password to a PKCS#11 token.
  // May be null.
  PasswordDelegateFactory password_delegate_factory_;
};
70 
71 }  // namespace net
72 
73 #endif  // NET_SSL_CLIENT_CERT_STORE_NSS_H_
74