1 // Copyright 2021 The Chromium Authors 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef NET_CERT_INTERNAL_TRUST_STORE_CHROME_H_ 6 #define NET_CERT_INTERNAL_TRUST_STORE_CHROME_H_ 7 8 #include "base/containers/span.h" 9 #include "net/base/net_export.h" 10 #include "net/cert/root_store_proto_lite/root_store.pb.h" 11 #include "third_party/abseil-cpp/absl/types/optional.h" 12 #include "third_party/boringssl/src/pki/trust_store.h" 13 #include "third_party/boringssl/src/pki/trust_store_in_memory.h" 14 15 namespace net { 16 17 struct ChromeRootCertInfo { 18 base::span<const uint8_t> root_cert_der; 19 }; 20 21 // ChromeRootStoreData is a container class that stores all of the Chrome Root 22 // Store data in a single class. 23 class NET_EXPORT ChromeRootStoreData { 24 public: 25 // CreateChromeRootStoreData converts |proto| into a usable 26 // ChromeRootStoreData object. Returns absl::nullopt if the passed in 27 // proto has errors in it (e.g. an unparsable DER-encoded certificate). 28 static absl::optional<ChromeRootStoreData> CreateChromeRootStoreData( 29 const chrome_root_store::RootStore& proto); 30 ~ChromeRootStoreData(); 31 32 ChromeRootStoreData(const ChromeRootStoreData& other); 33 ChromeRootStoreData(ChromeRootStoreData&& other); 34 ChromeRootStoreData& operator=(const ChromeRootStoreData& other); 35 ChromeRootStoreData& operator=(ChromeRootStoreData&& other); 36 anchors()37 const bssl::ParsedCertificateList anchors() const { return anchors_; } version()38 int64_t version() const { return version_; } 39 40 private: 41 ChromeRootStoreData(); 42 43 bssl::ParsedCertificateList anchors_; 44 int64_t version_; 45 }; 46 47 // TrustStoreChrome contains the Chrome Root Store, as described at 48 // https://g.co/chrome/root-policy 49 class NET_EXPORT TrustStoreChrome : public bssl::TrustStore { 50 public: 51 // Creates a TrustStoreChrome that uses a copy of `certs`, instead of the 52 // default Chrome Root Store. 53 static std::unique_ptr<TrustStoreChrome> CreateTrustStoreForTesting( 54 base::span<const ChromeRootCertInfo> certs, 55 int64_t version); 56 57 // Creates a TrustStoreChrome that uses the compiled in Chrome Root Store. 58 TrustStoreChrome(); 59 60 // Creates a TrustStoreChrome that uses the passed in anchors as 61 // the contents of the Chrome Root Store. 62 TrustStoreChrome(const ChromeRootStoreData& anchors); 63 ~TrustStoreChrome() override; 64 65 TrustStoreChrome(const TrustStoreChrome& other) = delete; 66 TrustStoreChrome& operator=(const TrustStoreChrome& other) = delete; 67 68 // bssl::TrustStore implementation: 69 void SyncGetIssuersOf(const bssl::ParsedCertificate* cert, 70 bssl::ParsedCertificateList* issuers) override; 71 bssl::CertificateTrust GetTrust(const bssl::ParsedCertificate* cert) override; 72 73 // Returns true if the trust store contains the given bssl::ParsedCertificate 74 // (matches by DER). 75 bool Contains(const bssl::ParsedCertificate* cert) const; 76 version()77 int64_t version() const { return version_; } 78 79 private: 80 TrustStoreChrome(base::span<const ChromeRootCertInfo> certs, 81 bool certs_are_static, 82 int64_t version); 83 bssl::TrustStoreInMemory trust_store_; 84 int64_t version_; 85 }; 86 87 // Returns the version # of the Chrome Root Store that was compiled into the 88 // binary. 89 NET_EXPORT int64_t CompiledChromeRootStoreVersion(); 90 91 // Returns the anchors of the Chrome Root Store that were compiled into the 92 // binary. 93 NET_EXPORT bssl::ParsedCertificateList CompiledChromeRootStoreAnchors(); 94 95 } // namespace net 96 97 #endif // NET_CERT_INTERNAL_TRUST_STORE_CHROME_H_ 98