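// Copyright 2017 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef NET_CERT_INTERNAL_SYSTEM_TRUST_STORE_H_
#define NET_CERT_INTERNAL_SYSTEM_TRUST_STORE_H_

// int64_t and std::unique_ptr are used in the declarations below; include
// their headers directly instead of relying on transitive includes.
#include <stdint.h>

#include <memory>

#include "base/containers/span.h"
#include "build/build_config.h"
#include "net/base/net_export.h"
#include "net/cert/internal/platform_trust_store.h"
#include "net/net_buildflags.h"
#include "third_party/boringssl/src/pki/parsed_certificate.h"
#include "third_party/boringssl/src/pki/trust_store.h"

namespace net {

struct ChromeRootCertConstraints;

// The SystemTrustStore interface is used to encapsulate a bssl::TrustStore for
// the current platform, with some extra bells and whistles. Implementations
// must be thread-safe.
//
// This is primarily used to abstract out the platform-specific bits that
// relate to configuring the bssl::TrustStore needed for path building.
//
// Every raw pointer handed out by this interface is non-owning and is only
// valid while the SystemTrustStore that returned it is alive, so callers must
// not retain such a pointer past the lifetime of that object.
class SystemTrustStore {
 public:
  virtual ~SystemTrustStore() = default;

  // Returns an aggregate bssl::TrustStore that can be used by the path builder.
  // The store composes the system trust store (if implemented) with manually
  // added trust anchors added via AddTrustAnchor(). This pointer is non-owned,
  // and valid only for the lifetime of |this|. Any bssl::TrustStore objects
  // returned from this method must be thread-safe.
  //
  // NOTE(review): AddTrustAnchor() is not declared on this interface, so the
  // sentence above may be stale - confirm against the implementations.
  virtual bssl::TrustStore* GetTrustStore() = 0;

  // IsKnownRoot() returns true if the given certificate originated from the
  // system trust store and is a "standard" one. The meaning of "standard" is
  // that it is one of default trust anchors for the system, as opposed to a
  // user-installed one. (It may *also* be trusted as a user-installed root.)
  //
  // Because of that last point, a true result does not by itself show that
  // the certificate is absent from the user-installed store. Where
  // IsLocallyTrustedRoot() is available, policy that must tell the two
  // sources of trust apart should consult it as well.
  virtual bool IsKnownRoot(const bssl::ParsedCertificate* cert) const = 0;

#if BUILDFLAG(CHROME_ROOT_STORE_SUPPORTED)
  // Returns the PlatformTrustStore that can be used to look for
  // platform-specific user-added trust settings. This pointer is non-owned,
  // and valid only for the lifetime of |this|. Any net::PlatformTrustStore
  // objects returned from this method must be thread-safe.
  //
  // May return null if there is no PlatformTrustStore; callers must check the
  // result before dereferencing it.
  virtual net::PlatformTrustStore* GetPlatformTrustStore() = 0;

  // IsLocallyTrustedRoot returns true if the given certificate is trusted in
  // the user-installed root store. (It may *also* be trusted in the Chrome
  // Root Store.)
  virtual bool IsLocallyTrustedRoot(
      const bssl::ParsedCertificate* trust_anchor) = 0;

  // Returns the current version of the Chrome Root Store being used. If
  // Chrome Root Store is not in use, returns 0.
  virtual int64_t chrome_root_store_version() const = 0;

  // Returns the Chrome Root Store constraints for `cert`, or an empty span if
  // the certificate is not constrained. (The return type is a span by value,
  // so "no constraints" is reported as an empty span rather than a null
  // pointer.)
  //
  // NOTE(review): the lifetime of the storage the span refers to is not
  // documented here; presumably it is tied to |this| - confirm before
  // retaining the span.
  virtual base::span<const ChromeRootCertConstraints> GetChromeRootConstraints(
      const bssl::ParsedCertificate* cert) const = 0;
#endif  // BUILDFLAG(CHROME_ROOT_STORE_SUPPORTED)
};

#if BUILDFLAG(IS_FUCHSIA)
// Creates an instance of SystemTrustStore that wraps the current platform's SSL
// trust store. This cannot return nullptr.
NET_EXPORT std::unique_ptr<SystemTrustStore> CreateSslSystemTrustStore();
#endif  // BUILDFLAG(IS_FUCHSIA)

#if BUILDFLAG(CHROME_ROOT_STORE_SUPPORTED)
class TrustStoreChrome;

// Creates an instance of SystemTrustStore that wraps the current platform's SSL
// trust store for user added roots, but uses the Chrome Root Store trust
// anchors. This cannot return nullptr.
NET_EXPORT std::unique_ptr<SystemTrustStore>
CreateSslSystemTrustStoreChromeRoot(
    std::unique_ptr<TrustStoreChrome> chrome_root);

// Creates an instance of SystemTrustStore that only uses the Chrome Root Store
// trust anchors.
// This cannot return nullptr.
NET_EXPORT std::unique_ptr<SystemTrustStore> CreateChromeOnlySystemTrustStore(
    std::unique_ptr<TrustStoreChrome> chrome_root);

// Test-only factory (per its name) that takes both the Chrome Root Store and
// the platform trust store explicitly, taking ownership of each.
// NOTE(review): whether |trust_store_system| may be null is not documented
// here - confirm against the implementation.
NET_EXPORT_PRIVATE std::unique_ptr<SystemTrustStore>
CreateSystemTrustStoreChromeForTesting(
    std::unique_ptr<TrustStoreChrome> trust_store_chrome,
    std::unique_ptr<net::PlatformTrustStore> trust_store_system);
#endif  // BUILDFLAG(CHROME_ROOT_STORE_SUPPORTED)

#if BUILDFLAG(IS_MAC)
// Initializes trust cache on a worker thread, if the builtin verifier is
// enabled.
NET_EXPORT void InitializeTrustStoreMacCache();
#endif  // BUILDFLAG(IS_MAC)

#if BUILDFLAG(IS_WIN)
// Initializes windows system trust store on a worker thread, if the builtin
// verifier is enabled.
NET_EXPORT void InitializeTrustStoreWinSystem();
#endif  // BUILDFLAG(IS_WIN)

#if BUILDFLAG(IS_ANDROID)
// Initializes Android system trust store on a worker thread, if the builtin
// verifier is enabled.
NET_EXPORT void InitializeTrustStoreAndroid();
#endif  // BUILDFLAG(IS_ANDROID)

}  // namespace net

#endif  // NET_CERT_INTERNAL_SYSTEM_TRUST_STORE_H_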