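// Copyright 2017 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef NET_CERT_INTERNAL_SYSTEM_TRUST_STORE_H_
#define NET_CERT_INTERNAL_SYSTEM_TRUST_STORE_H_

// <stdint.h> and <memory> are included directly because this header names
// int64_t and std::unique_ptr; relying on a transitive include would make the
// header fragile.
#include <stdint.h>

#include <memory>
#include <vector>

#include "build/build_config.h"
#include "net/base/net_export.h"
#include "net/cert/pki/parsed_certificate.h"
#include "net/net_buildflags.h"

namespace net {

class TrustStore;

// The SystemTrustStore interface is used to encapsulate a TrustStore for the
// current platform, with some extra bells and whistles. Implementations must be
// thread-safe.
//
// This is primarily used to abstract out the platform-specific bits that
// relate to configuring the TrustStore needed for path building. Which roots
// end up in the returned store decides which certificate chains can be
// anchored at all, so the choice of factory below is a trust decision.
class SystemTrustStore {
 public:
  virtual ~SystemTrustStore() = default;

  // Returns an aggregate TrustStore that can be used by the path builder. The
  // store composes the system trust store (if implemented) with manually added
  // trust anchors added via AddTrustAnchor(). This pointer is non-owned, and
  // valid only for the lifetime of |this|: callers must not retain it past the
  // destruction of the SystemTrustStore that returned it. Any TrustStore
  // objects returned from this method must be thread-safe.
  //
  // NOTE(review): AddTrustAnchor() is not declared on this interface in this
  // header; confirm where manually added anchors are registered and whether
  // these references are stale.
  virtual TrustStore* GetTrustStore() = 0;

  // Returns false if the implementation of SystemTrustStore doesn't actually
  // make use of the system's trust store. This might be the case for
  // unsupported platforms. In the case where this returns false, the trust
  // store returned by GetTrustStore() is made up solely of the manually added
  // trust anchors (via AddTrustAnchor()).
  //
  // TODO(hchao): Rename this to something more sensible now that we're
  // introducing the idea of a Chrome Root Store that doesn't use all parts of a
  // system's trust store.
  virtual bool UsesSystemTrustStore() const = 0;

  // IsKnownRoot() returns true if the given certificate originated from the
  // system trust store and is a "standard" one. The meaning of "standard" is
  // that it is one of the default trust anchors for the system, as opposed to
  // a user-installed one.
  //
  // Callers that apply different policy to default roots than to locally
  // installed ones depend on this never returning true for a user-installed
  // anchor.
  virtual bool IsKnownRoot(const ParsedCertificate* cert) const = 0;

#if BUILDFLAG(CHROME_ROOT_STORE_SUPPORTED)
  // Returns the current version of the Chrome Root Store being used. If
  // Chrome Root Store is not in use, returns 0.
  virtual int64_t chrome_root_store_version() = 0;
#endif
};

// Creates an instance of SystemTrustStore that wraps the current platform's SSL
// trust store. This cannot return nullptr, even in the case where system trust
// store integration is not supported.
//
// In cases where system trust store integration is not supported, the
// SystemTrustStore will not give access to the platform's SSL trust store, to
// avoid trusting a CA that the user has disabled on their system. In this
// case, UsesSystemTrustStore() will return false, and only manually-added trust
// anchors will be used.
NET_EXPORT std::unique_ptr<SystemTrustStore> CreateSslSystemTrustStore();

#if BUILDFLAG(CHROME_ROOT_STORE_SUPPORTED)
class TrustStoreChrome;

// Creates an instance of SystemTrustStore that wraps the current platform's SSL
// trust store for user added roots, but uses the Chrome Root Store trust
// anchors. This cannot return nullptr, even in the case where system trust
// store integration is not supported. Takes ownership of |chrome_root|.
//
// In cases where system trust store integration is not supported, the
// SystemTrustStore will not give access to the Chrome Root Store, to avoid
// trusting a CA that the user has disabled on their system. In this case,
// UsesSystemTrustStore() will return false, and only manually-added trust
// anchors will be used.
//
// NOTE(review): the paragraph above mirrors the one on
// CreateSslSystemTrustStore(); confirm against the implementation that it
// describes this factory's fallback behaviour accurately.
NET_EXPORT std::unique_ptr<SystemTrustStore>
CreateSslSystemTrustStoreChromeRoot(
    std::unique_ptr<TrustStoreChrome> chrome_root);

// Test-only factory (per its name): builds a SystemTrustStore from the supplied
// Chrome Root Store and system trust store objects, taking ownership of both.
// Because the caller chooses both sets of trust anchors, this must not be
// reachable from production certificate verification.
NET_EXPORT_PRIVATE std::unique_ptr<SystemTrustStore>
CreateSystemTrustStoreChromeForTesting(
    std::unique_ptr<TrustStoreChrome> trust_store_chrome,
    std::unique_ptr<TrustStore> trust_store_system);
#endif  // BUILDFLAG(CHROME_ROOT_STORE_SUPPORTED)

// Creates an instance of SystemTrustStore that initially does not have any
// trust roots. (This is the same trust store implementation that will be
// returned by CreateSslSystemTrustStore() on platforms where system trust
// store integration is not supported.)
NET_EXPORT std::unique_ptr<SystemTrustStore> CreateEmptySystemTrustStore();

#if BUILDFLAG(IS_MAC)
// Initializes trust cache on a worker thread, if the builtin verifier is
// enabled.
NET_EXPORT void InitializeTrustStoreMacCache();
#endif

#if BUILDFLAG(IS_WIN)
// Initializes the Windows system trust store on a worker thread, if the
// builtin verifier is enabled.
NET_EXPORT void InitializeTrustStoreWinSystem();
#endif

#if BUILDFLAG(IS_ANDROID)
// Initializes the Android system trust store on a worker thread, if the
// builtin verifier is enabled.
NET_EXPORT void InitializeTrustStoreAndroid();
#endif

}  // namespace net

#endif  // NET_CERT_INTERNAL_SYSTEM_TRUST_STORE_H_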