1 // Copyright 2016 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #ifndef NET_CERT_INTERNAL_TRUST_STORE_NSS_H_
6 #define NET_CERT_INTERNAL_TRUST_STORE_NSS_H_
7 
#include <cert.h>
#include <certt.h>

#include <memory>
#include <vector>

#include "crypto/scoped_nss_types.h"
#include "net/base/net_export.h"
#include "net/cert/pki/trust_store.h"
#include "net/cert/scoped_nss_types.h"
#include "third_party/abseil-cpp/absl/types/variant.h"
16 
17 namespace net {
18 
19 // TrustStoreNSS is an implementation of TrustStore which uses NSS to find trust
20 // anchors for path building. This TrustStore is thread-safe.
class NET_EXPORT TrustStoreNSS : public TrustStore {
 public:
  // Controls whether trust settings from the builtin (system) roots are
  // consulted. See the constructor comment for the meaning of each value.
  enum SystemTrustSetting {
    kUseSystemTrust,
    kIgnoreSystemTrust,
  };

  // Tag type selecting "trust from any user slot" in UserSlotTrustSetting.
  // Deriving from absl::monostate keeps the variant default-constructible.
  struct UseTrustFromAllUserSlots : absl::monostate {};
  // Either "all user slots" or a single (possibly null) PK11 slot; see the
  // constructor comment for how each alternative is interpreted.
  using UserSlotTrustSetting =
      absl::variant<UseTrustFromAllUserSlots, crypto::ScopedPK11Slot>;

  // Debug record describing which settings were in effect when a trust
  // decision was made. It is stored on the base::SupportsUserData that
  // callers pass to GetTrust() (presumably attached by the .cc; confirm there).
  class ResultDebugData : public base::SupportsUserData::Data {
   public:
    // How certificates were filtered by the slot they are stored on.
    enum class SlotFilterType {
      kDontFilter,
      kDoNotAllowUserSlots,
      kAllowSpecifiedUserSlot
    };

    explicit ResultDebugData(bool ignore_system_trust_settings,
                             SlotFilterType slot_filter_type);

    // Returns the ResultDebugData stored on |debug_data|. Presumably null when
    // none has been attached -- confirm against the .cc.
    static const ResultDebugData* Get(const base::SupportsUserData* debug_data);
    // Attaches a new ResultDebugData with the given settings to |debug_data|.
    static void Create(bool ignore_system_trust_settings,
                       SlotFilterType slot_filter_type,
                       base::SupportsUserData* debug_data);

    // base::SupportsUserData::Data implementation:
    std::unique_ptr<Data> Clone() override;

    // True if trust from the builtin roots was ignored for this lookup.
    bool ignore_system_trust_settings() const {
      return ignore_system_trust_settings_;
    }

    // The slot filter that was applied for this lookup.
    SlotFilterType slot_filter_type() const { return slot_filter_type_; }

   private:
    const bool ignore_system_trust_settings_;
    const SlotFilterType slot_filter_type_;
  };

  // Creates a TrustStoreNSS which will find anchors that are trusted for
  // SSL server auth.
  //
  // |system_trust_setting| configures the use of trust from the builtin roots.
  // If |system_trust_setting| is kIgnoreSystemTrust, trust settings from the
  // builtin roots slot with the Mozilla CA Policy attribute will not be used.
  //
  // |user_slot_trust_setting| configures the use of trust from user slots:
  //  * UseTrustFromAllUserSlots: all user slots will be allowed.
  //  * nullptr: no user slots will be allowed.
  //  * non-null PK11Slot: the specified slot will be allowed.
  //
  // Both settings are fixed for the lifetime of the object (the backing
  // members are const), so the trust policy cannot be widened after
  // construction.
  TrustStoreNSS(SystemTrustSetting system_trust_setting,
                UserSlotTrustSetting user_slot_trust_setting);

  TrustStoreNSS(const TrustStoreNSS&) = delete;
  TrustStoreNSS& operator=(const TrustStoreNSS&) = delete;

  ~TrustStoreNSS() override;

  // CertIssuerSource implementation:
  // Looks up candidate issuers of |cert| in NSS and appends them to |issuers|
  // (presumably; the lookup strategy is defined in the .cc).
  void SyncGetIssuersOf(const ParsedCertificate* cert,
                        ParsedCertificateList* issuers) override;

  // TrustStore implementation:
  // Determines the trust for |cert| from NSS trust records, subject to the
  // system-trust and user-slot settings given at construction. |debug_data|
  // may be non-null to receive a ResultDebugData describing the settings used
  // (see ResultDebugData::Create).
  CertificateTrust GetTrust(const ParsedCertificate* cert,
                            base::SupportsUserData* debug_data) override;

  // A certificate known to NSS together with the trust computed for it.
  // Move-only: declaring the move operations suppresses the implicit copies,
  // which matches the single-owner ScopedCERTCertificate member.
  struct ListCertsResult {
    ListCertsResult(ScopedCERTCertificate cert, CertificateTrust trust);
    ~ListCertsResult();
    ListCertsResult(ListCertsResult&& other);
    ListCertsResult& operator=(ListCertsResult&& other);

    ScopedCERTCertificate cert;
    CertificateTrust trust;
  };
  // Enumerates certificates known to NSS along with their trust. The name
  // indicates the builtin NSS roots are excluded; confirm the exact filter in
  // the .cc.
  std::vector<ListCertsResult> ListCertsIgnoringNSSRoots();

 private:
  // Whether |cert| may contribute trust under |user_slot_trust_setting_|
  // (presumably a check on the slot(s) the cert is stored on -- see the .cc).
  bool IsCertAllowedForTrust(CERTCertificate* cert) const;
  // Translates an NSS trust record into a CertificateTrust.
  CertificateTrust GetTrustForNSSTrust(const CERTCertTrust& trust) const;

  // Trust lookup that does not consult the builtin roots' trust settings.
  // Takes the parsed certificate form; how it relates to the CERTCertificate
  // overload below is defined in the .cc.
  CertificateTrust GetTrustIgnoringSystemTrust(
      const ParsedCertificate* cert,
      base::SupportsUserData* debug_data) const;

  // Same as above, operating directly on an NSS certificate handle.
  CertificateTrust GetTrustIgnoringSystemTrust(
      CERTCertificate* nss_cert,
      base::SupportsUserData* debug_data) const;

  // Trust lookup that does consult the builtin roots' trust settings.
  CertificateTrust GetTrustWithSystemTrust(
      const ParsedCertificate* cert,
      base::SupportsUserData* debug_data) const;

  // |ignore_system_trust_settings_| specifies if the system trust
  // settings should be considered when determining a cert's trustworthiness.
  const bool ignore_system_trust_settings_ = false;

  // |user_slot_trust_setting_| specifies which slots certificates must be
  // stored on to be allowed to be trusted. The possible values are:
  //
  // |user_slot_trust_setting_| is UseTrustFromAllUserSlots: Allow trust
  // settings from any user slots.
  //
  // |user_slot_trust_setting_| is a ScopedPK11Slot: Allow
  // certificates from the specified slot to be trusted. If the slot is nullptr,
  // trust from user slots will not be used.
  const UserSlotTrustSetting user_slot_trust_setting_;
};
131 
132 }  // namespace net
133 
134 #endif  // NET_CERT_INTERNAL_TRUST_STORE_NSS_H_