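// Copyright 2021 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef NET_CERT_INTERNAL_TRUST_STORE_WIN_H_
#define NET_CERT_INTERNAL_TRUST_STORE_WIN_H_

// std::unique_ptr is used in this header's public and private interface, so
// include its defining header directly instead of relying on a transitive
// include.
#include <memory>

#include "base/memory/ptr_util.h"
#include "base/synchronization/lock.h"
#include "base/win/wincrypt_shim.h"
#include "crypto/scoped_capi_types.h"
#include "net/base/net_export.h"
#include "third_party/boringssl/src/pki/trust_store.h"

namespace net {

// TrustStoreWin is an implementation of bssl::TrustStore which uses the Windows
// cert systems to find user-added trust anchors for path building. It ignores
// the Windows builtin trust anchors. This bssl::TrustStore is thread-safe (we
// think).
// TODO(https://crbug.com/1239270): confirm this is thread safe.
//
// Until that TODO is resolved, callers should not treat concurrent use as a
// documented guarantee: the only synchronization visible in this header is
// `init_lock_`, which guards the `impl_` pointer.
class NET_EXPORT TrustStoreWin : public bssl::TrustStore {
 public:
  // Bundle of the certificate store handles that TrustStoreWin consults.
  //
  // The type is move-only: declaring the move operations suppresses the
  // implicit copy operations, so each crypto::ScopedHCERTSTORE handle has a
  // single owner. The default constructor is private, so instances can only
  // be obtained from the static factory functions below.
  struct NET_EXPORT_PRIVATE CertStores {
    ~CertStores();
    CertStores(CertStores&& other);
    CertStores& operator=(CertStores&& other);

    // Create a CertStores object with the stores initialized with (empty)
    // CERT_STORE_PROV_COLLECTION stores.
    static CertStores CreateWithCollections();

    // Create a CertStores object with the stores pre-initialized with
    // in-memory cert stores for testing purposes.
    static CertStores CreateInMemoryStoresForTesting();

    // Create a CertStores object with null cert store pointers for testing
    // purposes.
    static CertStores CreateNullStoresForTesting();

    // Returns true if any of the cert stores are not initialized.
    //
    // All five handles are checked, so a single store that failed to open
    // makes the whole set report as null.
    // NOTE(review): `disallowed` is among the stores that can be missing.
    // Confirm that callers treat is_null() as "do not make trust decisions
    // from this set", so that a missing disallowed store cannot result in a
    // certificate being trusted without the distrust check.
    bool is_null() const {
      return !roots.get() || !intermediates.get() || !trusted_people.get() ||
             !disallowed.get() || !all.get();
    }

    // NOTE(review): the comments on the members below are inferred from the
    // member names only; the Windows system stores they map to are not
    // visible in this header. Confirm against the implementation.

    // Presumably user-added root certificates (trust anchors).
    crypto::ScopedHCERTSTORE roots;
    // Presumably intermediate CA certificates.
    crypto::ScopedHCERTSTORE intermediates;
    // Presumably certificates from the "trusted people" store.
    crypto::ScopedHCERTSTORE trusted_people;
    // Presumably explicitly distrusted certificates.
    crypto::ScopedHCERTSTORE disallowed;
    // Presumably a combined view of the other stores, set up by
    // InitializeAllCertsStore().
    crypto::ScopedHCERTSTORE all;

   private:
    // Private so that CertStores can only be created via the factories above.
    CertStores();

    // Sets up the `all` store. Declared here only; see the implementation
    // for what it contains.
    void InitializeAllCertsStore();
  };

  // Creates a TrustStoreWin.
  TrustStoreWin();

  ~TrustStoreWin() override;
  TrustStoreWin(const TrustStoreWin& other) = delete;
  TrustStoreWin& operator=(const TrustStoreWin& other) = delete;

  // Creates a TrustStoreWin for testing, which will treat `root_cert_store`
  // as if it's the source of truth for roots for `GetTrust`,
  // and `intermediate_cert_store` as an extra store (in addition to
  // root_cert_store) for locating certificates during `SyncGetIssuersOf`.
  //
  // NOTE(review): the names `root_cert_store` and `intermediate_cert_store`
  // do not appear in the signature, which takes a single `CertStores`.
  // Presumably they refer to `stores.roots` and `stores.intermediates`;
  // confirm and update this comment.
  static std::unique_ptr<TrustStoreWin> CreateForTesting(CertStores stores);

  // Loads user settings from Windows CertStores. If there are errors,
  // the underlying TrustStoreWin object may not read all Windows
  // CertStores when making trust decisions.
  //
  // No status is returned, so a caller cannot tell a complete load from a
  // partial one through this interface.
  // NOTE(review): because trust decisions may then be based on an incomplete
  // set of stores, confirm that the implementation fails closed (for example,
  // that GetTrust() does not report a certificate as trusted when the
  // disallowed store could not be read).
  void InitializeStores();

  // bssl::TrustStore implementation: appends candidate issuers of `cert` to
  // `issuers`.
  void SyncGetIssuersOf(const bssl::ParsedCertificate* cert,
                        bssl::ParsedCertificateList* issuers) override;

  // bssl::TrustStore implementation: returns the trust setting for `cert`.
  bssl::CertificateTrust GetTrust(const bssl::ParsedCertificate* cert) override;

 private:
  // Inner Impl class for use in initializing stores.
  class Impl;

  // Constructs a TrustStoreWin around an already-built Impl.
  explicit TrustStoreWin(std::unique_ptr<Impl> impl);

  // Loads user settings from Windows CertStores if not already done and
  // returns pointer to the Impl.
  //
  // NOTE(review): the returned raw pointer is not itself covered by the
  // GUARDED_BY annotation on `impl_`; whether Impl is safe to use
  // concurrently once returned is the open question tracked by the
  // thread-safety TODO on this class.
  Impl* MaybeInitializeAndGetImpl();

  // Guards `impl_`.
  base::Lock init_lock_;
  std::unique_ptr<Impl> impl_ GUARDED_BY(init_lock_);
};

}  // namespace net

#endif  // NET_CERT_INTERNAL_TRUST_STORE_WIN_H_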