1 // Copyright 2016 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #ifndef NET_CERT_INTERNAL_TRUST_STORE_NSS_H_
6 #define NET_CERT_INTERNAL_TRUST_STORE_NSS_H_
7 
8 #include <cert.h>
9 #include <certt.h>
10 
11 #include "crypto/scoped_nss_types.h"
12 #include "net/base/net_export.h"
13 #include "net/cert/scoped_nss_types.h"
14 #include "third_party/abseil-cpp/absl/types/variant.h"
15 #include "third_party/boringssl/src/pki/trust_store.h"
16 
17 namespace net {
18 
19 // TrustStoreNSS is an implementation of bssl::TrustStore which uses NSS to find
20 // trust anchors for path building. This bssl::TrustStore is thread-safe.
21 class NET_EXPORT TrustStoreNSS : public bssl::TrustStore {
22  public:
     // Tag alternative of UserSlotTrustSetting: trust settings from every user
     // slot are accepted.
23   struct UseTrustFromAllUserSlots : absl::monostate {};
     // Either the tag above or a PK11 slot handle, which may be null; the
     // constructor comment below gives the meaning of each case.
     // NOTE(review): a value-initialized UserSlotTrustSetting holds the first
     // alternative (UseTrustFromAllUserSlots), which is the most permissive
     // case, so a caller that wants no user-slot trust has to pass a null slot
     // explicitly.
24   using UserSlotTrustSetting =
25       absl::variant<UseTrustFromAllUserSlots, crypto::ScopedPK11Slot>;
26 
27   // Creates a TrustStoreNSS which will find anchors that are trusted for
28   // SSL server auth. (Trust settings from the builtin roots slot with the
29   // Mozilla CA Policy attribute will not be used.)
30   //
31   // |user_slot_trust_setting| configures the use of trust from user slots:
32   //  * UseTrustFromAllUserSlots: all user slots will be allowed.
33   //  * null crypto::ScopedPK11Slot: no user slots will be allowed.
34   //  * non-null crypto::ScopedPK11Slot: the specified slot will be allowed.
     // The setting is stored in a const member and is not changed afterwards.
35   explicit TrustStoreNSS(UserSlotTrustSetting user_slot_trust_setting);
36 
     // Not copyable or copy-assignable.
37   TrustStoreNSS(const TrustStoreNSS&) = delete;
38   TrustStoreNSS& operator=(const TrustStoreNSS&) = delete;
39 
40   ~TrustStoreNSS() override;
41 
42   // bssl::CertIssuerSource implementation:
     // Reports candidate issuers of |cert| through |issuers|. Presumably these
     // are looked up in NSS; the lookup itself is not visible in this header.
     // Trust for a given certificate is reported by GetTrust().
43   void SyncGetIssuersOf(const bssl::ParsedCertificate* cert,
44                         bssl::ParsedCertificateList* issuers) override;
45 
46   // bssl::TrustStore implementation:
     // Returns the trust that this store assigns to |cert|.
     // NOTE(review): presumably honours |user_slot_trust_setting_| and ignores
     // the builtin roots' trust as the constructor comment describes; confirm
     // against the implementation.
47   bssl::CertificateTrust GetTrust(const bssl::ParsedCertificate* cert) override;
48 
     // One entry of ListCertsIgnoringNSSRoots(): an NSS certificate handle
     // together with a bssl::CertificateTrust value for it. Only move
     // operations are declared, so the type is movable but not copyable.
49   struct ListCertsResult {
50     ListCertsResult(ScopedCERTCertificate cert, bssl::CertificateTrust trust);
51     ~ListCertsResult();
52     ListCertsResult(ListCertsResult&& other);
53     ListCertsResult& operator=(ListCertsResult&& other);
54 
55     ScopedCERTCertificate cert;
56     bssl::CertificateTrust trust;
57   };
     // Returns a list of certificate/trust pairs.
     // NOTE(review): going by the name, certificates that are NSS builtin roots
     // are left out; which certificates are enumerated and how |trust| is
     // derived is decided in the implementation. TODO confirm.
58   std::vector<ListCertsResult> ListCertsIgnoringNSSRoots();
59 
60  private:
     // Maps an NSS CERTCertTrust record to a bssl::CertificateTrust value.
61   bssl::CertificateTrust GetTrustForNSSTrust(const CERTCertTrust& trust) const;
62 
     // Returns the trust for |nss_cert|. Per the name, system trust is left out
     // of the decision; what counts as system trust here is not shown in this
     // header. TODO confirm.
63   bssl::CertificateTrust GetTrustIgnoringSystemTrust(
64       CERTCertificate* nss_cert) const;
65 
66   // |user_slot_trust_setting_| specifies which slots certificates must be
67   // stored on to be allowed to be trusted. The possible values are:
68   //
69   // |user_slot_trust_setting_| is UseTrustFromAllUserSlots: Allow trust
70   // settings from any user slots.
71   //
72   // |user_slot_trust_setting_| is a ScopedPK11Slot: Allow
73   // certificates from the specified slot to be trusted. If the slot is nullptr,
74   // trust from user slots will not be used.
75   const UserSlotTrustSetting user_slot_trust_setting_;
76 };
77 
78 }  // namespace net
79 
80 #endif  // NET_CERT_INTERNAL_TRUST_STORE_NSS_H_
81