1 // Copyright 2016 The Chromium Authors 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef NET_CERT_INTERNAL_TRUST_STORE_NSS_H_ 6 #define NET_CERT_INTERNAL_TRUST_STORE_NSS_H_ 7 8 #include <cert.h> 9 #include <certt.h> 10 11 #include <vector> 12 13 #include "crypto/scoped_nss_types.h" 14 #include "net/base/net_export.h" 15 #include "net/cert/internal/platform_trust_store.h" 16 #include "net/cert/scoped_nss_types.h" 17 #include "third_party/abseil-cpp/absl/types/variant.h" 18 #include "third_party/boringssl/src/pki/trust_store.h" 19 20 namespace net { 21 22 // TrustStoreNSS is an implementation of bssl::TrustStore which uses NSS to find 23 // trust anchors for path building. This bssl::TrustStore is thread-safe. 24 class NET_EXPORT TrustStoreNSS : public PlatformTrustStore { 25 public: 26 struct UseTrustFromAllUserSlots : absl::monostate {}; 27 using UserSlotTrustSetting = 28 absl::variant<UseTrustFromAllUserSlots, crypto::ScopedPK11Slot>; 29 30 // Creates a TrustStoreNSS which will find anchors that are trusted for 31 // SSL server auth. (Trust settings from the builtin roots slot with the 32 // Mozilla CA Policy attribute will not be used.) 33 // 34 // |user_slot_trust_setting| configures the use of trust from user slots: 35 // * UseTrustFromAllUserSlots: all user slots will be allowed. 36 // * PK11Slot: the specified slot will be allowed. Must not be nullptr. 37 explicit TrustStoreNSS(UserSlotTrustSetting user_slot_trust_setting); 38 39 TrustStoreNSS(const TrustStoreNSS&) = delete; 40 TrustStoreNSS& operator=(const TrustStoreNSS&) = delete; 41 42 ~TrustStoreNSS() override; 43 44 // bssl::CertIssuerSource implementation: 45 void SyncGetIssuersOf(const bssl::ParsedCertificate* cert, 46 bssl::ParsedCertificateList* issuers) override; 47 48 // bssl::TrustStore implementation: 49 bssl::CertificateTrust GetTrust(const bssl::ParsedCertificate* cert) override; 50 51 // net::PlatformTrustStore implementation: 52 std::vector<net::PlatformTrustStore::CertWithTrust> GetAllUserAddedCerts() 53 override; 54 55 struct ListCertsResult { 56 ListCertsResult(ScopedCERTCertificate cert, bssl::CertificateTrust trust); 57 ~ListCertsResult(); 58 ListCertsResult(ListCertsResult&& other); 59 ListCertsResult& operator=(ListCertsResult&& other); 60 61 ScopedCERTCertificate cert; 62 bssl::CertificateTrust trust; 63 }; 64 std::vector<ListCertsResult> ListCertsIgnoringNSSRoots(); 65 66 private: 67 bssl::CertificateTrust GetTrustForNSSTrust(const CERTCertTrust& trust) const; 68 69 bssl::CertificateTrust GetTrustIgnoringSystemTrust( 70 CERTCertificate* nss_cert) const; 71 72 // |user_slot_trust_setting_| specifies which slots certificates must be 73 // stored on to be allowed to be trusted. The possible values are: 74 // 75 // |user_slot_trust_setting_| is UseTrustFromAllUserSlots: Allow trust 76 // settings from any user slots. 77 // 78 // |user_slot_trust_setting_| is a ScopedPK11Slot: Allow 79 // certificates from the specified slot to be trusted. Must not be nullptr. 80 const UserSlotTrustSetting user_slot_trust_setting_; 81 }; 82 83 } // namespace net 84 85 #endif // NET_CERT_INTERNAL_TRUST_STORE_NSS_H_ 86