1 // Copyright 2016 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #ifndef BSSL_PKI_TRUST_STORE_H_
6 #define BSSL_PKI_TRUST_STORE_H_
7 
8 #include <optional>
9 
10 #include <openssl/base.h>
11 
12 #include "cert_issuer_source.h"
13 #include "parsed_certificate.h"
14 
15 namespace bssl {
16 
// Classifies how a trust store regards a single certificate.
enum class CertificateTrustType {
  // This certificate is explicitly blocked (distrusted).
  DISTRUSTED,

  // The trustedness of this certificate is unknown (inherits trust from
  // its issuer).
  UNSPECIFIED,

  // This certificate is a trust anchor (as defined by RFC 5280).
  TRUSTED_ANCHOR,

  // This certificate can be used as a trust anchor (as defined by RFC 5280) or
  // a trusted leaf, depending on context.
  TRUSTED_ANCHOR_OR_LEAF,

  // This certificate is a directly trusted leaf.
  TRUSTED_LEAF,

  // NOTE(review): LAST aliases TRUSTED_ANCHOR, so TRUSTED_ANCHOR_OR_LEAF and
  // TRUSTED_LEAF compare greater than LAST. A range check or serialization
  // bound written against LAST would not cover those two values -- confirm
  // how LAST is consumed before relying on it as an upper bound.
  LAST = TRUSTED_ANCHOR
};
37 
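// Describes the level of trust in a certificate.
//
// A default-constructed value has type UNSPECIFIED and every optional
// enforcement flag set to false. The For*() factories pick the trust type;
// the With*() builders return a modified copy and leave the object they are
// called on unchanged, so their result has to be used, e.g.
//
//   CertificateTrust::ForTrustAnchor().WithEnforceAnchorExpiry()
//
// The factories and builders are [[nodiscard]] so that a call whose result is
// dropped (which would silently leave a check disabled) is diagnosed by the
// compiler.
struct OPENSSL_EXPORT CertificateTrust {
  // Returns a TRUSTED_ANCHOR value with all optional flags at their defaults.
  [[nodiscard]] static constexpr CertificateTrust ForTrustAnchor() {
    CertificateTrust result;
    result.type = CertificateTrustType::TRUSTED_ANCHOR;
    return result;
  }

  // Returns a TRUSTED_ANCHOR_OR_LEAF value with all optional flags at their
  // defaults.
  [[nodiscard]] static constexpr CertificateTrust ForTrustAnchorOrLeaf() {
    CertificateTrust result;
    result.type = CertificateTrustType::TRUSTED_ANCHOR_OR_LEAF;
    return result;
  }

  // Returns a TRUSTED_LEAF value with all optional flags at their defaults.
  [[nodiscard]] static constexpr CertificateTrust ForTrustedLeaf() {
    CertificateTrust result;
    result.type = CertificateTrustType::TRUSTED_LEAF;
    return result;
  }

  // Returns the default value: type UNSPECIFIED, all optional flags false.
  [[nodiscard]] static constexpr CertificateTrust ForUnspecified() {
    CertificateTrust result;
    return result;
  }

  // Returns a DISTRUSTED value with all optional flags at their defaults.
  [[nodiscard]] static constexpr CertificateTrust ForDistrusted() {
    CertificateTrust result;
    result.type = CertificateTrustType::DISTRUSTED;
    return result;
  }

  // Returns a copy of this value with `enforce_anchor_expiry` set to |value|.
  // Does not modify *this.
  [[nodiscard]] constexpr CertificateTrust WithEnforceAnchorExpiry(
      bool value = true) const {
    CertificateTrust result = *this;
    result.enforce_anchor_expiry = value;
    return result;
  }

  // Returns a copy of this value with `enforce_anchor_constraints` set to
  // |value|. Does not modify *this.
  [[nodiscard]] constexpr CertificateTrust WithEnforceAnchorConstraints(
      bool value = true) const {
    CertificateTrust result = *this;
    result.enforce_anchor_constraints = value;
    return result;
  }

  // Returns a copy of this value with `require_anchor_basic_constraints` set
  // to |value|. Does not modify *this. See the field comment: the setting only
  // takes effect together with `enforce_anchor_constraints`.
  [[nodiscard]] constexpr CertificateTrust WithRequireAnchorBasicConstraints(
      bool value = true) const {
    CertificateTrust result = *this;
    result.require_anchor_basic_constraints = value;
    return result;
  }

  // Returns a copy of this value with `require_leaf_selfsigned` set to
  // |value|. Does not modify *this.
  [[nodiscard]] constexpr CertificateTrust WithRequireLeafSelfSigned(
      bool value = true) const {
    CertificateTrust result = *this;
    result.require_leaf_selfsigned = value;
    return result;
  }

  // Predicates over `type`. They are only declared here; which enumerators
  // each one accepts (in particular how TRUSTED_ANCHOR_OR_LEAF is classified)
  // is decided by the out-of-line definitions -- check those before relying on
  // a specific mapping.
  bool IsTrustAnchor() const;
  bool IsTrustLeaf() const;
  bool IsDistrusted() const;
  bool HasUnspecifiedTrust() const;

  // Returns a string form of this value intended for debugging.
  std::string ToDebugString() const;

  // Builds a CertificateTrust from |trust_string|. The std::optional return
  // lets the caller distinguish "no value" from a parsed trust setting; treat
  // an empty result as a failure rather than substituting a default.
  // NOTE(review): the accepted format is not visible in this header --
  // presumably the one produced by ToDebugString(); confirm.
  static std::optional<CertificateTrust> FromDebugString(
      const std::string &trust_string);

  // The overall type of trust.
  CertificateTrustType type = CertificateTrustType::UNSPECIFIED;

  // Optionally, enforce extra bits on trust anchors. If these are false, the
  // only fields in a trust anchor certificate that are meaningful are its
  // name and SPKI. Both default to false, so an anchor's other fields are
  // not taken into account unless a caller opts in via the With*() builders.
  bool enforce_anchor_expiry = false;
  bool enforce_anchor_constraints = false;
  // Require that X.509v3 trust anchors have a basicConstraints extension.
  // X.509v1 and X.509v2 trust anchors do not support basicConstraints and are
  // not affected.
  // Additionally, this setting only has effect if `enforce_anchor_constraints`
  // is true, which also requires that the extension assert CA=true.
  bool require_anchor_basic_constraints = false;

  // Optionally, require trusted leafs to be self-signed to be trusted.
  bool require_leaf_selfsigned = false;
};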
124 
// Interface for finding intermediates / trust anchors, and testing the
// trustedness of certificates.
//
// Derives from CertIssuerSource and is non-copyable. Concrete stores must
// implement GetTrust().
class OPENSSL_EXPORT TrustStore : public CertIssuerSource {
 public:
  TrustStore();

  // Copy construction and copy assignment are disabled.
  TrustStore(const TrustStore &) = delete;
  TrustStore &operator=(const TrustStore &) = delete;

  // Returns the trust of |cert|, which must be non-null. Nothing in this
  // declaration enforces the non-null requirement, so the caller is
  // responsible for it. The returned CertificateTrust carries both the trust
  // type and the optional anchor/leaf enforcement flags.
  virtual CertificateTrust GetTrust(const ParsedCertificate *cert) = 0;

  // Disable async issuers for TrustStore, as it isn't needed. Declared final,
  // so subclasses cannot override it; the definition is outside this header.
  void AsyncGetIssuersOf(const ParsedCertificate *cert,
                         std::unique_ptr<Request> *out_req) final;
};
141 
142 }  // namespace bssl
143 
144 #endif  // BSSL_PKI_TRUST_STORE_H_
145