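// Copyright 2016 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef BSSL_PKI_TRUST_STORE_H_
#define BSSL_PKI_TRUST_STORE_H_

#include "fillins/openssl_util.h"

#include "cert_issuer_source.h"
#include "parsed_certificate.h"
// std::unique_ptr and std::string appear in the declarations in this header;
// include them directly instead of relying on transitive includes.
#include <memory>
#include <optional>
#include <string>

namespace bssl {

// The kind of trust a trust store assigns to a single certificate.
// Enumerators carry no explicit values, so they are numbered from 0 in
// declaration order (DISTRUSTED == 0 ... TRUSTED_LEAF == 4).
enum class CertificateTrustType {
  // This certificate is explicitly blocked (distrusted).
  DISTRUSTED,

  // The trustedness of this certificate is unknown (inherits trust from
  // its issuer).
  UNSPECIFIED,

  // This certificate is a trust anchor (as defined by RFC 5280).
  TRUSTED_ANCHOR,

  // This certificate can be used as a trust anchor (as defined by RFC 5280) or
  // a trusted leaf, depending on context.
  TRUSTED_ANCHOR_OR_LEAF,

  // This certificate is a directly trusted leaf.
  TRUSTED_LEAF,

  // NOTE(review): LAST aliases TRUSTED_ANCHOR (value 2) even though
  // TRUSTED_ANCHOR_OR_LEAF and TRUSTED_LEAF are declared after it. Any range
  // check written as `value <= LAST` would treat those two enumerators as out
  // of range. Left unchanged here because callers may depend on the current
  // value; confirm whether it should be TRUSTED_LEAF.
  LAST = TRUSTED_ANCHOR
};

// Describes the level of trust in a certificate.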
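struct OPENSSL_EXPORT CertificateTrust {
  // Factory functions. Each one sets only `type`; every enforcement flag keeps
  // its default of false. In particular, ForTrustAnchor() on its own yields an
  // anchor for which expiry and certificate constraints are NOT enforced.
  // Callers that want those checks must chain the With*() builders below.

  // Trust as an RFC 5280 trust anchor.
  static constexpr CertificateTrust ForTrustAnchor() {
    CertificateTrust result;
    result.type = CertificateTrustType::TRUSTED_ANCHOR;
    return result;
  }

  // Trust as either a trust anchor or a directly trusted leaf.
  static constexpr CertificateTrust ForTrustAnchorOrLeaf() {
    CertificateTrust result;
    result.type = CertificateTrustType::TRUSTED_ANCHOR_OR_LEAF;
    return result;
  }

  // Trust as a directly trusted leaf.
  static constexpr CertificateTrust ForTrustedLeaf() {
    CertificateTrust result;
    result.type = CertificateTrustType::TRUSTED_LEAF;
    return result;
  }

  // No explicit trust; `type` stays at its default of UNSPECIFIED.
  static constexpr CertificateTrust ForUnspecified() {
    CertificateTrust result;
    return result;
  }

  // Explicitly distrusted.
  static constexpr CertificateTrust ForDistrusted() {
    CertificateTrust result;
    result.type = CertificateTrustType::DISTRUSTED;
    return result;
  }

  // Builder-style setters. They are const and return a modified COPY; the
  // object they are called on is not changed. [[nodiscard]] makes the compiler
  // warn about `trust.WithEnforceAnchorExpiry();` written as a statement,
  // which would otherwise silently leave the check disabled.

  // Returns a copy with `enforce_anchor_expiry` set to |value|.
  [[nodiscard]] constexpr CertificateTrust WithEnforceAnchorExpiry(
      bool value = true) const {
    CertificateTrust result = *this;
    result.enforce_anchor_expiry = value;
    return result;
  }

  // Returns a copy with `enforce_anchor_constraints` set to |value|.
  [[nodiscard]] constexpr CertificateTrust WithEnforceAnchorConstraints(
      bool value = true) const {
    CertificateTrust result = *this;
    result.enforce_anchor_constraints = value;
    return result;
  }

  // Returns a copy with `require_anchor_basic_constraints` set to |value|.
  // Per the field's documentation, this has no effect unless
  // `enforce_anchor_constraints` is also true.
  [[nodiscard]] constexpr CertificateTrust WithRequireAnchorBasicConstraints(
      bool value = true) const {
    CertificateTrust result = *this;
    result.require_anchor_basic_constraints = value;
    return result;
  }

  // Returns a copy with `require_leaf_selfsigned` set to |value|.
  [[nodiscard]] constexpr CertificateTrust WithRequireLeafSelfSigned(
      bool value = true) const {
    CertificateTrust result = *this;
    result.require_leaf_selfsigned = value;
    return result;
  }

  // Presumably predicates over `type`. They are defined out of line, so the
  // exact mapping (for example whether TRUSTED_ANCHOR_OR_LEAF satisfies both
  // IsTrustAnchor() and IsTrustLeaf()) is not visible in this header; confirm
  // in the implementation before relying on it.
  bool IsTrustAnchor() const;
  bool IsTrustLeaf() const;
  bool IsDistrusted() const;
  bool HasUnspecifiedTrust() const;

  // Returns a textual form of this trust setting, intended for debugging.
  std::string ToDebugString() const;

  // Parses |trust_string| into a CertificateTrust. The std::optional return
  // presumably signals unparseable input with std::nullopt (defined out of
  // line; confirm).
  // NOTE(review): the parsed result can express TRUSTED_ANCHOR. If
  // |trust_string| can ever originate from an untrusted source, the caller is
  // letting that source grant trust; confirm callers are debug/test only.
  static std::optional<CertificateTrust> FromDebugString(
      const std::string& trust_string);

  // The overall type of trust.
  CertificateTrustType type = CertificateTrustType::UNSPECIFIED;

  // Optionally, enforce extra bits on trust anchors. If these are false, the
  // only fields in a trust anchor certificate that are meaningful are its
  // name and SPKI.
  bool enforce_anchor_expiry = false;
  bool enforce_anchor_constraints = false;
  // Require that X.509v3 trust anchors have a basicConstraints extension.
  // X.509v1 and X.509v2 trust anchors do not support basicConstraints and are
  // not affected.
  // Additionally, this setting only has effect if `enforce_anchor_constraints`
  // is true, which also requires that the extension assert CA=true.
  bool require_anchor_basic_constraints = false;

  // Optionally, require trusted leafs to be self-signed to be trusted.
  bool require_leaf_selfsigned = false;
};

// Interface for finding intermediates / trust anchors, and testing the
// trustedness of certificates.
class OPENSSL_EXPORT TrustStore : public CertIssuerSource {
 public:
  TrustStore();

  // Not copyable.
  TrustStore(const TrustStore&) = delete;
  TrustStore& operator=(const TrustStore&) = delete;

  // Returns the trust settings for |cert|, which must be non-null.
  // Implementations are not required by this declaration to check for null.
  virtual CertificateTrust GetTrust(const ParsedCertificate* cert) = 0;

  // Disable async issuers for TrustStore, as it isn't needed. Marked `final`
  // so subclasses cannot override it.
  void AsyncGetIssuersOf(const ParsedCertificate* cert,
                         std::unique_ptr<Request>* out_req) final;
};

}  // namespace bssl

#endif  // BSSL_PKI_TRUST_STORE_H_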