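// Copyright 2017 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef NET_CERT_INTERNAL_TRUST_STORE_MAC_H_
#define NET_CERT_INTERNAL_TRUST_STORE_MAC_H_

#include <CoreFoundation/CoreFoundation.h>

// This header names std::unique_ptr and std::vector directly, so it includes
// their headers itself instead of relying on a transitive include.
#include <memory>
#include <vector>

#include "base/apple/scoped_cftyperef.h"
#include "base/gtest_prod_util.h"
#include "net/base/net_export.h"
#include "third_party/boringssl/src/pki/trust_store.h"

namespace net {

// TrustStoreMac is an implementation of bssl::TrustStore which uses macOS
// keychain to find trust anchors for path building. Trust state is cached, so a
// single TrustStoreMac instance should be created and used for all
// verifications of a given policy. TrustStoreMac objects are threadsafe and
// methods may be called from multiple threads simultaneously. It is the owner's
// responsibility to ensure the TrustStoreMac object outlives any threads
// accessing it.
//
// Security note: because trust state is cached, a verdict returned by this
// object reflects the keychain trust settings as of the last cache refresh.
// NOTE(review): this header does not show when or how the cache is
// invalidated; confirm in the implementation that a user or administrator
// removing trust from (or explicitly distrusting) a certificate is picked up
// without requiring a new TrustStoreMac.
class NET_EXPORT TrustStoreMac : public bssl::TrustStore {
 public:
  // Selects the internal strategy used to evaluate trust settings.
  //
  // NOTE: When updating this enum, also update ParamToTrustImplType in
  // system_trust_store.cc
  //
  // The numeric values are spelled out explicitly and are consumed outside
  // this file (see the note above), so existing values must stay stable.
  // NOTE(review): presumably retired values must not be reused, so that a
  // stale parameter can never silently select a different trust strategy;
  // verify against ParamToTrustImplType.
  enum class TrustImplType {
    // Values 1 and 3 were used for implementation strategies that have since
    // been removed.
    kUnknown = 0,
    kSimple = 2,
    kDomainCacheFullCerts = 4,
    kKeychainCacheFullCerts = 5,
  };

  // Creates a TrustStoreMac which will find anchors that are trusted for
  // |policy_oid|. For list of possible policy values, see:
  // https://developer.apple.com/reference/security/1667150-certificate_key_and_trust_servic/1670151-standard_policies_for_specific_c?language=objc
  // |impl| selects which internal implementation is used for checking trust
  // settings.
  //
  // NOTE(review): |policy_oid| is a raw CoreFoundation reference and this
  // header does not show whether the constructor retains it; confirm the
  // ownership and lifetime expectations in the implementation. How
  // TrustImplType::kUnknown is handled is likewise not visible here.
  TrustStoreMac(CFStringRef policy_oid, TrustImplType impl);

  // Not copyable: a single instance is meant to be shared (see class comment).
  TrustStoreMac(const TrustStoreMac&) = delete;
  TrustStoreMac& operator=(const TrustStoreMac&) = delete;

  ~TrustStoreMac() override;

  // Initializes the trust cache, if it isn't already initialized.
  // Declared const, so it may be called through a const reference.
  void InitializeTrustCache() const;

  // bssl::TrustStore implementation:

  // Reports candidate issuers of |cert| through |issuers|.
  // Security note: per the bssl path-building contract, a certificate offered
  // here is only a candidate for chain construction; it carries no trust
  // verdict. The trust decision for any certificate comes from GetTrust().
  void SyncGetIssuersOf(const bssl::ParsedCertificate* cert,
                        bssl::ParsedCertificateList* issuers) override;

  // Returns the trust state of |cert| for the policy given at construction.
  // NOTE(review): null handling for |cert| is not visible in this header.
  bssl::CertificateTrust GetTrust(const bssl::ParsedCertificate* cert) override;

 private:
  // Internal trust-evaluation strategies; only declared here, defined
  // elsewhere. The mapping from TrustImplType to these classes is not visible
  // in this header.
  class TrustImpl;
  class TrustImplDomainCacheFullCerts;
  class TrustImplKeychainCacheFullCerts;
  class TrustImplNoCache;

  // Finds certificates in the OS keychains whose Subject matches |name_data|.
  // The result is an array of CRYPTO_BUFFERs containing the DER certificate
  // data.
  // Security note: the match is on subject name only. Keychains can hold
  // arbitrary certificates, so a returned certificate must not be treated as
  // trusted on the strength of this lookup alone.
  static std::vector<bssl::UniquePtr<CRYPTO_BUFFER>>
  FindMatchingCertificatesForMacNormalizedSubject(CFDataRef name_data);

  // Returns the OS-normalized issuer of |cert|.
  // macOS internally uses a normalized form of subject/issuer names for
  // comparing, roughly similar to RFC3280's normalization scheme. The
  // normalized form is used for any database lookups and comparisons.
  static base::apple::ScopedCFTypeRef<CFDataRef> GetMacNormalizedIssuer(
      const bssl::ParsedCertificate* cert);

  // The owned trust implementation.
  // NOTE(review): presumably chosen from the constructor's |impl| argument;
  // confirm in the implementation.
  std::unique_ptr<TrustImpl> trust_cache_;
};

}  // namespace net

#endif  // NET_CERT_INTERNAL_TRUST_STORE_MAC_H_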