1 // Copyright 2016 The Chromium Authors 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef NET_CERT_PKI_TRUST_STORE_H_ 6 #define NET_CERT_PKI_TRUST_STORE_H_ 7 8 #include "base/supports_user_data.h" 9 #include "net/base/net_export.h" 10 #include "net/cert/pki/cert_issuer_source.h" 11 #include "net/cert/pki/parsed_certificate.h" 12 #include "third_party/abseil-cpp/absl/types/optional.h" 13 14 namespace net { 15 16 enum class CertificateTrustType { 17 // This certificate is explicitly blocked (distrusted). 18 DISTRUSTED, 19 20 // The trustedness of this certificate is unknown (inherits trust from 21 // its issuer). 22 UNSPECIFIED, 23 24 // This certificate is a trust anchor (as defined by RFC 5280). 25 TRUSTED_ANCHOR, 26 27 // This certificate can be used as a trust anchor (as defined by RFC 5280) or 28 // a trusted leaf, depending on context. 29 TRUSTED_ANCHOR_OR_LEAF, 30 31 // This certificate is a directly trusted leaf. 32 TRUSTED_LEAF, 33 34 LAST = TRUSTED_ANCHOR 35 }; 36 37 // Describes the level of trust in a certificate. 38 struct NET_EXPORT CertificateTrust { ForTrustAnchorCertificateTrust39 static constexpr CertificateTrust ForTrustAnchor() { 40 CertificateTrust result; 41 result.type = CertificateTrustType::TRUSTED_ANCHOR; 42 return result; 43 } 44 ForTrustAnchorOrLeafCertificateTrust45 static constexpr CertificateTrust ForTrustAnchorOrLeaf() { 46 CertificateTrust result; 47 result.type = CertificateTrustType::TRUSTED_ANCHOR_OR_LEAF; 48 return result; 49 } 50 ForTrustedLeafCertificateTrust51 static constexpr CertificateTrust ForTrustedLeaf() { 52 CertificateTrust result; 53 result.type = CertificateTrustType::TRUSTED_LEAF; 54 return result; 55 } 56 ForUnspecifiedCertificateTrust57 static constexpr CertificateTrust ForUnspecified() { 58 CertificateTrust result; 59 return result; 60 } 61 ForDistrustedCertificateTrust62 static constexpr CertificateTrust ForDistrusted() { 63 CertificateTrust result; 64 result.type = CertificateTrustType::DISTRUSTED; 65 return result; 66 } 67 68 constexpr CertificateTrust WithEnforceAnchorExpiry(bool value = true) const { 69 CertificateTrust result = *this; 70 result.enforce_anchor_expiry = value; 71 return result; 72 } 73 74 constexpr CertificateTrust WithEnforceAnchorConstraints( 75 bool value = true) const { 76 CertificateTrust result = *this; 77 result.enforce_anchor_constraints = value; 78 return result; 79 } 80 81 constexpr CertificateTrust WithRequireAnchorBasicConstraints( 82 bool value = true) const { 83 CertificateTrust result = *this; 84 result.require_anchor_basic_constraints = value; 85 return result; 86 } 87 88 constexpr CertificateTrust WithRequireLeafSelfSigned( 89 bool value = true) const { 90 CertificateTrust result = *this; 91 result.require_leaf_selfsigned = value; 92 return result; 93 } 94 95 bool IsTrustAnchor() const; 96 bool IsTrustLeaf() const; 97 bool IsDistrusted() const; 98 bool HasUnspecifiedTrust() const; 99 100 std::string ToDebugString() const; 101 102 static absl::optional<CertificateTrust> FromDebugString( 103 const std::string& trust_string); 104 105 // The overall type of trust. 106 CertificateTrustType type = CertificateTrustType::UNSPECIFIED; 107 108 // Optionally, enforce extra bits on trust anchors. If these are false, the 109 // only fields in a trust anchor certificate that are meaningful are its 110 // name and SPKI. 111 bool enforce_anchor_expiry = false; 112 bool enforce_anchor_constraints = false; 113 // Require that X.509v3 trust anchors have a basicConstraints extension. 114 // X.509v1 and X.509v2 trust anchors do not support basicConstraints and are 115 // not affected. 116 // Additionally, this setting only has effect if `enforce_anchor_constraints` 117 // is true, which also requires that the extension assert CA=true. 118 bool require_anchor_basic_constraints = false; 119 120 // Optionally, require trusted leafs to be self-signed to be trusted. 121 bool require_leaf_selfsigned = false; 122 }; 123 124 // Interface for finding intermediates / trust anchors, and testing the 125 // trustedness of certificates. 126 class NET_EXPORT TrustStore : public CertIssuerSource { 127 public: 128 TrustStore(); 129 130 TrustStore(const TrustStore&) = delete; 131 TrustStore& operator=(const TrustStore&) = delete; 132 133 // Returns the trusted of |cert|, which must be non-null. 134 // 135 // Optionally, if |debug_data| is non-null, debug information may be added 136 // (any added Data must implement the Clone method.) The same |debug_data| 137 // object may be passed to multiple GetTrust calls for a single verification, 138 // so implementations should check whether they already added data with a 139 // certain key and update it instead of overwriting it. 140 virtual CertificateTrust GetTrust(const ParsedCertificate* cert, 141 base::SupportsUserData* debug_data) = 0; 142 143 // Disable async issuers for TrustStore, as it isn't needed. 144 // TODO(mattm): Pass debug_data here too. 145 void AsyncGetIssuersOf(const ParsedCertificate* cert, 146 std::unique_ptr<Request>* out_req) final; 147 }; 148 149 } // namespace net 150 151 #endif // NET_CERT_PKI_TRUST_STORE_H_ 152