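// Copyright 2021 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef NET_CERT_INTERNAL_TRUST_STORE_WIN_H_
#define NET_CERT_INTERNAL_TRUST_STORE_WIN_H_

#include <memory>
#include <vector>

#include "base/memory/ptr_util.h"
#include "base/synchronization/lock.h"
#include "base/win/wincrypt_shim.h"
#include "crypto/scoped_capi_types.h"
#include "net/base/net_export.h"
#include "net/cert/internal/platform_trust_store.h"
#include "third_party/boringssl/src/pki/trust_store.h"

namespace net {

// TrustStoreWin is an implementation of bssl::TrustStore which uses the Windows
// cert systems to find user-added trust anchors for path building. It ignores
// the Windows builtin trust anchors. This bssl::TrustStore is thread-safe (we
// think).
// TODO(crbug.com/40784682): confirm this is thread safe.
class NET_EXPORT TrustStoreWin : public PlatformTrustStore {
 public:
  // Bundle of the certificate store handles a TrustStoreWin works with.
  //
  // The default constructor is private, so instances are obtained from the
  // static Create*() factories below. Because the move operations are
  // user-declared, the implicit copy operations are deleted: a CertStores can
  // be moved but not copied.
  struct NET_EXPORT_PRIVATE CertStores {
    ~CertStores();
    CertStores(CertStores&& other);
    CertStores& operator=(CertStores&& other);

    // Create a CertStores object with the stores initialized with (empty)
    // CERT_STORE_PROV_COLLECTION stores.
    static CertStores CreateWithCollections();

    // Create a CertStores object with the stores pre-initialized with
    // in-memory cert stores for testing purposes.
    static CertStores CreateInMemoryStoresForTesting();

    // Create a CertStores object with null cert store pointers for testing
    // purposes.
    static CertStores CreateNullStoresForTesting();

    // Returns true if any of the cert stores are not initialized.
    //
    // All five handles are checked, so a single missing handle (for example
    // only `disallowed`) is enough for the whole object to report null.
    bool is_null() const {
      return !roots.get() || !intermediates.get() || !trusted_people.get() ||
             !disallowed.get() || !all.get();
    }

    // Scoped store handles; each one is released by its ScopedHCERTSTORE
    // wrapper.
    // NOTE(review): the role of each store is implied only by its name here;
    // confirm against the implementation which ones grant trust and which one
    // revokes it.
    crypto::ScopedHCERTSTORE roots;
    crypto::ScopedHCERTSTORE intermediates;
    crypto::ScopedHCERTSTORE trusted_people;
    crypto::ScopedHCERTSTORE disallowed;
    crypto::ScopedHCERTSTORE all;

   private:
    CertStores();

    // NOTE(review): presumably sets up the `all` store - confirm against the
    // definition, which is not part of this header.
    void InitializeAllCertsStore();
  };

  // Creates a TrustStoreWin.
  TrustStoreWin();

  ~TrustStoreWin() override;
  TrustStoreWin(const TrustStoreWin& other) = delete;
  TrustStoreWin& operator=(const TrustStoreWin& other) = delete;

  // Creates a TrustStoreWin for testing, which will treat `root_cert_store`
  // as if it's the source of truth for roots for `GetTrust`,
  // and `intermediate_cert_store` as an extra store (in addition to
  // root_cert_store) for locating certificates during `SyncGetIssuersOf`.
  //
  // NOTE(review): `root_cert_store` and `intermediate_cert_store` are not
  // parameters of this function; presumably they correspond to `stores.roots`
  // and `stores.intermediates` - confirm and update the wording.
  static std::unique_ptr<TrustStoreWin> CreateForTesting(CertStores stores);

  // Loads user settings from Windows CertStores. If there are errors,
  // the underlying TrustStoreWin object may not read all Windows
  // CertStores when making trust decisions.
  //
  // NOTE(review): a partially loaded set of stores is security-relevant: if
  // the store that was skipped holds distrust entries, a trust decision could
  // be made without them. Confirm in the implementation that load errors are
  // at least logged and that the resulting behaviour is the intended one.
  void InitializeStores();

  // bssl::TrustStore implementation:
  void SyncGetIssuersOf(const bssl::ParsedCertificate* cert,
                        bssl::ParsedCertificateList* issuers) override;

  bssl::CertificateTrust GetTrust(const bssl::ParsedCertificate* cert) override;

  // net::PlatformTrustStore implementation:
  std::vector<net::PlatformTrustStore::CertWithTrust> GetAllUserAddedCerts()
      override;

 private:
  // Inner Impl class for use in initializing stores.
  class Impl;

  explicit TrustStoreWin(std::unique_ptr<Impl> impl);

  // Loads user settings from Windows CertStores if not already done and
  // returns pointer to the Impl.
  Impl* MaybeInitializeAndGetImpl();

  // `impl_` is annotated as guarded by `init_lock_`, so every read or write
  // of the pointer is expected to happen with the lock held.
  base::Lock init_lock_;
  std::unique_ptr<Impl> impl_ GUARDED_BY(init_lock_);
};

}  // namespace net

#endif  // NET_CERT_INTERNAL_TRUST_STORE_WIN_H_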