1 // Copyright 2016 The Chromium Authors 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef NET_CERT_PKI_TRUST_STORE_IN_MEMORY_H_ 6 #define NET_CERT_PKI_TRUST_STORE_IN_MEMORY_H_ 7 8 #include <unordered_map> 9 10 #include "net/base/net_export.h" 11 #include "net/cert/pki/trust_store.h" 12 13 namespace net { 14 15 // A very simple implementation of a TrustStore, which contains a set of 16 // certificates and their trustedness. 17 class NET_EXPORT TrustStoreInMemory : public TrustStore { 18 public: 19 TrustStoreInMemory(); 20 21 TrustStoreInMemory(const TrustStoreInMemory&) = delete; 22 TrustStoreInMemory& operator=(const TrustStoreInMemory&) = delete; 23 24 ~TrustStoreInMemory() override; 25 26 // Returns whether the TrustStore is in the initial empty state. 27 bool IsEmpty() const; 28 29 // Empties the trust store, resetting it to original state. 30 void Clear(); 31 32 // Adds a certificate with the specified trust settings. Both trusted and 33 // distrusted certificates require a full DER match. 34 void AddCertificate(std::shared_ptr<const ParsedCertificate> cert, 35 const CertificateTrust& trust); 36 37 // Adds a certificate as a trust anchor (only the SPKI and subject will be 38 // used during verification). 39 void AddTrustAnchor(std::shared_ptr<const ParsedCertificate> cert); 40 41 // Adds a certificate as a trust anchor which will have expiration enforced. 42 // See VerifyCertificateChain for details. 43 void AddTrustAnchorWithExpiration( 44 std::shared_ptr<const ParsedCertificate> cert); 45 46 // Adds a certificate as a trust anchor and extracts anchor constraints from 47 // the certificate. See VerifyCertificateChain for details. 48 void AddTrustAnchorWithConstraints( 49 std::shared_ptr<const ParsedCertificate> cert); 50 51 // TODO(eroman): This is marked "ForTest" as the current implementation 52 // requires an exact match on the certificate DER (a wider match by say 53 // issuer/serial is probably what we would want for a real implementation). 54 void AddDistrustedCertificateForTest( 55 std::shared_ptr<const ParsedCertificate> cert); 56 57 // Adds a certificate to the store, that is neither trusted nor untrusted. 58 void AddCertificateWithUnspecifiedTrust( 59 std::shared_ptr<const ParsedCertificate> cert); 60 61 // TrustStore implementation: 62 void SyncGetIssuersOf(const ParsedCertificate* cert, 63 ParsedCertificateList* issuers) override; 64 CertificateTrust GetTrust(const ParsedCertificate* cert, 65 base::SupportsUserData* debug_data) override; 66 67 // Returns true if the trust store contains the given ParsedCertificate 68 // (matches by DER). 69 bool Contains(const ParsedCertificate* cert) const; 70 71 private: 72 struct Entry { 73 Entry(); 74 Entry(const Entry& other); 75 ~Entry(); 76 77 std::shared_ptr<const ParsedCertificate> cert; 78 CertificateTrust trust; 79 }; 80 81 // Multimap from normalized subject -> Entry. 82 std::unordered_multimap<std::string_view, Entry> entries_; 83 84 // Returns the `Entry` matching `cert`, or `nullptr` if not in the trust 85 // store. 86 const Entry* GetEntry(const ParsedCertificate* cert) const; 87 }; 88 89 } // namespace net 90 91 #endif // NET_CERT_PKI_TRUST_STORE_IN_MEMORY_H_ 92