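// Copyright 2016 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef BSSL_PKI_TRUST_STORE_IN_MEMORY_H_
#define BSSL_PKI_TRUST_STORE_IN_MEMORY_H_

// std::shared_ptr, std::string and std::string_view are used directly in this
// header, so include their headers here rather than relying on transitive
// includes from "trust_store.h".
#include <memory>
#include <set>
#include <string>
#include <string_view>
#include <unordered_map>

#include <openssl/base.h>

#include "trust_store.h"

namespace bssl {

// A very simple implementation of a TrustStore, which contains a set of
// certificates and their trustedness.
//
// The store is non-copyable. Each certificate is recorded together with a
// CertificateTrust value, and a separate set of distrusted SPKIs overrides
// any trust recorded for a matching certificate (see
// AddDistrustedCertificateBySPKI()).
//
// NOTE(review): no synchronization is visible in this header; confirm the
// threading contract before sharing one instance across threads.
class OPENSSL_EXPORT TrustStoreInMemory : public TrustStore {
 public:
  TrustStoreInMemory();

  TrustStoreInMemory(const TrustStoreInMemory &) = delete;
  TrustStoreInMemory &operator=(const TrustStoreInMemory &) = delete;

  ~TrustStoreInMemory() override;

  // Returns whether the TrustStore is in the initial empty state.
  // NOTE(review): confirm in the implementation that the distrusted-SPKI set
  // is taken into account, not only the certificate entries.
  bool IsEmpty() const;

  // Empties the trust store, resetting it to original state.
  // NOTE(review): confirm in the implementation that distrusted SPKIs are
  // dropped as well; a caller that reuses a cleared store loses them.
  void Clear();

  // Adds a certificate with the specified trust settings. Both trusted and
  // distrusted certificates require a full DER match.
  void AddCertificate(std::shared_ptr<const ParsedCertificate> cert,
                      const CertificateTrust &trust);

  // Adds a certificate as a trust anchor (only the SPKI and subject will be
  // used during verification). Use AddTrustAnchorWithExpiration() or
  // AddTrustAnchorWithConstraints() when the anchor's validity period or its
  // constraints must be honored.
  void AddTrustAnchor(std::shared_ptr<const ParsedCertificate> cert);

  // Adds a certificate as a trust anchor which will have expiration enforced.
  // See VerifyCertificateChain for details.
  void AddTrustAnchorWithExpiration(
      std::shared_ptr<const ParsedCertificate> cert);

  // Adds a certificate as a trust anchor and extracts anchor constraints from
  // the certificate. See VerifyCertificateChain for details.
  void AddTrustAnchorWithConstraints(
      std::shared_ptr<const ParsedCertificate> cert);

  // TODO(eroman): This is marked "ForTest" as the current implementation
  // requires an exact match on the certificate DER (a wider match by say
  // issuer/serial is probably what we would want for a real implementation).
  //
  // Because the match is on the exact DER, a different certificate carrying
  // the same key is not covered by this entry; key-based distrust is what
  // AddDistrustedCertificateBySPKI() provides.
  void AddDistrustedCertificateForTest(
      std::shared_ptr<const ParsedCertificate> cert);

  // Distrusts the provided SPKI. This will override any other trust (e.g. if a
  // certificate is passed into AddTrustAnchor() and the certificate's SPKI is
  // passed into AddDistrustedCertificateBySPKI(), GetTrust() will return
  // CertificateTrust::ForDistrusted()).
  //
  // NOTE(review): the expected encoding of `spki` is not stated here;
  // presumably it must be byte-identical to the SPKI bytes that GetTrust()
  // compares against -- confirm against the implementation.
  void AddDistrustedCertificateBySPKI(std::string spki);

  // Adds a certificate to the store, that is neither trusted nor untrusted.
  void AddCertificateWithUnspecifiedTrust(
      std::shared_ptr<const ParsedCertificate> cert);

  // TrustStore implementation:
  void SyncGetIssuersOf(const ParsedCertificate *cert,
                        ParsedCertificateList *issuers) override;
  CertificateTrust GetTrust(const ParsedCertificate *cert) override;

  // Returns true if the trust store contains the given ParsedCertificate
  // (matches by DER).
  bool Contains(const ParsedCertificate *cert) const;

 private:
  // One stored certificate together with the trust recorded for it.
  struct Entry {
    Entry();
    Entry(const Entry &other);
    ~Entry();

    std::shared_ptr<const ParsedCertificate> cert;
    CertificateTrust trust;
  };

  // Multimap from normalized subject -> Entry.
  // The key is a non-owning std::string_view.
  // NOTE(review): presumably each key views the normalized subject owned by
  // the Entry's `cert`, which the shared_ptr keeps alive for as long as the
  // entry exists -- confirm against the implementation.
  std::unordered_multimap<std::string_view, Entry> entries_;

  // Set of distrusted SPKIs. std::less<> is a transparent comparator, so
  // lookups may use a key type other than std::string (e.g. a string view)
  // without constructing a temporary.
  std::set<std::string, std::less<>> distrusted_spkis_;

  // Returns the `Entry` matching `cert`, or `nullptr` if not in the trust
  // store.
  const Entry *GetEntry(const ParsedCertificate *cert) const;
};

}  // namespace bssl

#endif  // BSSL_PKI_TRUST_STORE_IN_MEMORY_H_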