1 // Copyright 2017 The Chromium Authors 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef NET_CERT_INTERNAL_SYSTEM_TRUST_STORE_H_ 6 #define NET_CERT_INTERNAL_SYSTEM_TRUST_STORE_H_ 7 8 #include <vector> 9 10 #include "build/build_config.h" 11 #include "net/base/net_export.h" 12 #include "net/net_buildflags.h" 13 #include "third_party/boringssl/src/pki/parsed_certificate.h" 14 #include "third_party/boringssl/src/pki/trust_store.h" 15 16 namespace net { 17 18 // The SystemTrustStore interface is used to encapsulate a bssl::TrustStore for 19 // the current platform, with some extra bells and whistles. Implementations 20 // must be thread-safe. 21 // 22 // This is primarily used to abstract out the platform-specific bits that 23 // relate to configuring the bssl::TrustStore needed for path building. 24 class SystemTrustStore { 25 public: 26 virtual ~SystemTrustStore() = default; 27 28 // Returns an aggregate bssl::TrustStore that can be used by the path builder. 29 // The store composes the system trust store (if implemented) with manually 30 // added trust anchors added via AddTrustAnchor(). This pointer is non-owned, 31 // and valid only for the lifetime of |this|. Any bssl::TrustStore objects 32 // returned from this method must be thread-safe. 33 virtual bssl::TrustStore* GetTrustStore() = 0; 34 35 // IsKnownRoot() returns true if the given certificate originated from the 36 // system trust store and is a "standard" one. The meaning of "standard" is 37 // that it is one of default trust anchors for the system, as opposed to a 38 // user-installed one. 39 virtual bool IsKnownRoot(const bssl::ParsedCertificate* cert) const = 0; 40 41 #if BUILDFLAG(CHROME_ROOT_STORE_SUPPORTED) 42 // Returns the current version of the Chrome Root Store being used. If 43 // Chrome Root Store is not in use, returns 0. 44 virtual int64_t chrome_root_store_version() const = 0; 45 #endif 46 }; 47 48 #if BUILDFLAG(IS_FUCHSIA) 49 // Creates an instance of SystemTrustStore that wraps the current platform's SSL 50 // trust store. This cannot return nullptr. 51 NET_EXPORT std::unique_ptr<SystemTrustStore> CreateSslSystemTrustStore(); 52 #endif 53 54 #if BUILDFLAG(CHROME_ROOT_STORE_SUPPORTED) 55 class TrustStoreChrome; 56 57 // Creates an instance of SystemTrustStore that wraps the current platform's SSL 58 // trust store for user added roots, but uses the Chrome Root Store trust 59 // anchors. This cannot return nullptr. 60 NET_EXPORT std::unique_ptr<SystemTrustStore> 61 CreateSslSystemTrustStoreChromeRoot( 62 std::unique_ptr<TrustStoreChrome> chrome_root); 63 64 NET_EXPORT_PRIVATE std::unique_ptr<SystemTrustStore> 65 CreateSystemTrustStoreChromeForTesting( 66 std::unique_ptr<TrustStoreChrome> trust_store_chrome, 67 std::unique_ptr<bssl::TrustStore> trust_store_system); 68 #endif // BUILDFLAG(CHROME_ROOT_STORE_SUPPORTED) 69 70 #if BUILDFLAG(IS_MAC) 71 // Initializes trust cache on a worker thread, if the builtin verifier is 72 // enabled. 73 NET_EXPORT void InitializeTrustStoreMacCache(); 74 #endif 75 76 #if BUILDFLAG(IS_WIN) 77 // Initializes windows system trust store on a worker thread, if the builtin 78 // verifier is enabled. 79 NET_EXPORT void InitializeTrustStoreWinSystem(); 80 #endif 81 82 #if BUILDFLAG(IS_ANDROID) 83 // Initializes Android system trust store on a worker thread, if the builtin 84 // verifier is enabled. 85 NET_EXPORT void InitializeTrustStoreAndroid(); 86 #endif 87 88 } // namespace net 89 90 #endif // NET_CERT_INTERNAL_SYSTEM_TRUST_STORE_H_ 91