| OLD | NEW |
|---|
| 1 // Copyright 2017 The Chromium Authors. All rights reserved. | 1 // Copyright 2017 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/internal/system_trust_store.h" | 5 #include "net/cert/internal/system_trust_store.h" |
| 6 | 6 |
| 7 #if defined(USE_NSS_CERTS) | 7 #if defined(USE_NSS_CERTS) |
| 8 #include <cert.h> | 8 #include <cert.h> |
| 9 #include <pk11pub.h> | 9 #include <pk11pub.h> |
| 10 #elif defined(OS_MACOSX) && !defined(OS_IOS) | 10 #elif defined(OS_MACOSX) && !defined(OS_IOS) |
| 11 #include <Security/Security.h> | 11 #include <Security/Security.h> |
| 12 #endif | 12 #endif |
| 13 | 13 |
| 14 #include "base/memory/ptr_util.h" | 14 #include "base/memory/ptr_util.h" |
| 15 #include "net/cert/internal/trust_store_collection.h" | 15 #include "net/cert/internal/trust_store_collection.h" |
| 16 #include "net/cert/internal/trust_store_in_memory.h" | 16 #include "net/cert/internal/trust_store_in_memory.h" |
| 17 | 17 |
| 18 #if defined(USE_NSS_CERTS) | 18 #if defined(USE_NSS_CERTS) |
| 19 #include "crypto/nss_util.h" | 19 #include "crypto/nss_util.h" |
| 20 #include "net/cert/internal/cert_issuer_source_nss.h" | |
| 21 #include "net/cert/internal/trust_store_nss.h" | 20 #include "net/cert/internal/trust_store_nss.h" |
| 22 #include "net/cert/scoped_nss_types.h" | 21 #include "net/cert/scoped_nss_types.h" |
| 23 #elif defined(OS_MACOSX) && !defined(OS_IOS) | 22 #elif defined(OS_MACOSX) && !defined(OS_IOS) |
| 24 #include "net/cert/internal/trust_store_mac.h" | 23 #include "net/cert/internal/trust_store_mac.h" |
| 25 #endif | 24 #endif |
| 26 | 25 |
| 27 namespace net { | 26 namespace net { |
| 28 | 27 |
| 29 namespace { | 28 namespace { |
| 30 | 29 |
| 31 // Abstract implementation of SystemTrustStore to be used as a base class. | 30 // Abstract implementation of SystemTrustStore to be used as a base class. |
| 32 // Handles the addition of additional trust anchors. | 31 // Handles the addition of additional trust anchors. |
| 33 class BaseSystemTrustStore : public SystemTrustStore { | 32 class BaseSystemTrustStore : public SystemTrustStore { |
| 34 public: | 33 public: |
| 35 BaseSystemTrustStore() { | 34 BaseSystemTrustStore() { |
| 36 trust_store_.AddTrustStore(&additional_trust_store_); | 35 trust_store_.AddTrustStore(&additional_trust_store_); |
| 37 } | 36 } |
| 38 | 37 |
| 39 void AddTrustAnchor(const scoped_refptr<TrustAnchor>& trust_anchor) override { | 38 void AddTrustAnchor(const scoped_refptr<TrustAnchor>& trust_anchor) override { |
| 40 additional_trust_store_.AddTrustAnchor(trust_anchor); | 39 additional_trust_store_.AddTrustAnchor(trust_anchor); |
| 41 } | 40 } |
| 42 | 41 |
| 43 TrustStore* GetTrustStore() override { return &trust_store_; } | 42 TrustStore* GetTrustStore() override { return &trust_store_; } |
| 44 | 43 |
| 45 CertIssuerSource* GetCertIssuerSource() override { return nullptr; } | |
| 46 | |
| 47 bool IsAdditionalTrustAnchor( | 44 bool IsAdditionalTrustAnchor( |
| 48 const scoped_refptr<TrustAnchor>& trust_anchor) const override { | 45 const scoped_refptr<TrustAnchor>& trust_anchor) const override { |
| 49 return additional_trust_store_.Contains(trust_anchor.get()); | 46 return additional_trust_store_.Contains(trust_anchor.get()); |
| 50 } | 47 } |
| 51 | 48 |
| 52 protected: | 49 protected: |
| 53 TrustStoreCollection trust_store_; | 50 TrustStoreCollection trust_store_; |
| 54 TrustStoreInMemory additional_trust_store_; | 51 TrustStoreInMemory additional_trust_store_; |
| 55 }; | 52 }; |
| 56 | 53 |
| 57 } // namespace | 54 } // namespace |
| 58 | 55 |
| 59 #if defined(USE_NSS_CERTS) | 56 #if defined(USE_NSS_CERTS) |
| 60 namespace { | 57 namespace { |
| 61 | 58 |
| 62 class SystemTrustStoreNSS : public BaseSystemTrustStore { | 59 class SystemTrustStoreNSS : public BaseSystemTrustStore { |
| 63 public: | 60 public: |
| 64 explicit SystemTrustStoreNSS() : trust_store_nss_(trustSSL) { | 61 explicit SystemTrustStoreNSS() : trust_store_nss_(trustSSL) { |
| 65 trust_store_.AddTrustStore(&trust_store_nss_); | 62 trust_store_.AddTrustStore(&trust_store_nss_); |
| 66 } | 63 } |
| 67 | 64 |
| 68 CertIssuerSource* GetCertIssuerSource() override { | |
| 69 return &cert_issuer_source_nss_; | |
| 70 } | |
| 71 | |
| 72 bool UsesSystemTrustStore() const override { return true; } | 65 bool UsesSystemTrustStore() const override { return true; } |
| 73 | 66 |
| 74 // IsKnownRoot returns true if the given trust anchor is a standard one (as | 67 // IsKnownRoot returns true if the given trust anchor is a standard one (as |
| 75 // opposed to a user-installed root) | 68 // opposed to a user-installed root) |
| 76 bool IsKnownRoot( | 69 bool IsKnownRoot( |
| 77 const scoped_refptr<TrustAnchor>& trust_anchor) const override { | 70 const scoped_refptr<TrustAnchor>& trust_anchor) const override { |
| 78 // TODO(eroman): Based on how the TrustAnchors are created by this | 71 // TODO(eroman): Based on how the TrustAnchors are created by this |
| 79 // integration, there will always be an associated certificate. However this | 72 // integration, there will always be an associated certificate. However this |
| 80 // contradicts the API for TrustAnchor that states it is optional. | 73 // contradicts the API for TrustAnchor that states it is optional. |
| 81 DCHECK(trust_anchor->cert()); | 74 DCHECK(trust_anchor->cert()); |
| (...skipping 23 matching lines...) Expand all Loading... |
| 105 bool IsKnownRoot(CERTCertificate* root) const { | 98 bool IsKnownRoot(CERTCertificate* root) const { |
| 106 if (!root || !root->slot) | 99 if (!root || !root->slot) |
| 107 return false; | 100 return false; |
| 108 | 101 |
| 109 // This magic name is taken from | 102 // This magic name is taken from |
| 110 // http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/ckfw
/builtins/constants.c&rev=1.13&mark=86,89#79 | 103 // http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/ckfw
/builtins/constants.c&rev=1.13&mark=86,89#79 |
| 111 return 0 == strcmp(PK11_GetSlotName(root->slot), "NSS Builtin Objects"); | 104 return 0 == strcmp(PK11_GetSlotName(root->slot), "NSS Builtin Objects"); |
| 112 } | 105 } |
| 113 | 106 |
| 114 TrustStoreNSS trust_store_nss_; | 107 TrustStoreNSS trust_store_nss_; |
| 115 CertIssuerSourceNSS cert_issuer_source_nss_; | |
| 116 }; | 108 }; |
| 117 | 109 |
| 118 } // namespace | 110 } // namespace |
| 119 | 111 |
| 120 std::unique_ptr<SystemTrustStore> CreateSslSystemTrustStore() { | 112 std::unique_ptr<SystemTrustStore> CreateSslSystemTrustStore() { |
| 121 return base::MakeUnique<SystemTrustStoreNSS>(); | 113 return base::MakeUnique<SystemTrustStoreNSS>(); |
| 122 } | 114 } |
| 123 | 115 |
| 124 #elif defined(OS_MACOSX) && !defined(OS_IOS) | 116 #elif defined(OS_MACOSX) && !defined(OS_IOS) |
| 125 | 117 |
| 126 class SystemTrustStoreMac : public BaseSystemTrustStore { | 118 class SystemTrustStoreMac : public BaseSystemTrustStore { |
| 127 public: | 119 public: |
| 128 explicit SystemTrustStoreMac() : trust_store_mac_(kSecPolicyAppleSSL) { | 120 explicit SystemTrustStoreMac() : trust_store_mac_(kSecPolicyAppleSSL) { |
| 129 trust_store_.AddTrustStore(&trust_store_mac_); | 121 trust_store_.AddTrustStore(&trust_store_mac_); |
| 130 } | 122 } |
| 131 | 123 |
| 132 CertIssuerSource* GetCertIssuerSource() override { | |
| 133 // TODO(eroman): Should this return something? | |
| 134 return nullptr; | |
| 135 } | |
| 136 | |
| 137 bool UsesSystemTrustStore() const override { return true; } | 124 bool UsesSystemTrustStore() const override { return true; } |
| 138 | 125 |
| 139 // IsKnownRoot returns true if the given trust anchor is a standard one (as | 126 // IsKnownRoot returns true if the given trust anchor is a standard one (as |
| 140 // opposed to a user-installed root) | 127 // opposed to a user-installed root) |
| 141 bool IsKnownRoot( | 128 bool IsKnownRoot( |
| 142 const scoped_refptr<TrustAnchor>& trust_anchor) const override { | 129 const scoped_refptr<TrustAnchor>& trust_anchor) const override { |
| 143 // TODO(eroman): Implement. | 130 // TODO(eroman): Implement. |
| 144 return false; | 131 return false; |
| 145 } | 132 } |
| 146 | 133 |
| (...skipping 15 matching lines...) Expand all Loading... |
| 162 return false; | 149 return false; |
| 163 } | 150 } |
| 164 }; | 151 }; |
| 165 | 152 |
| 166 std::unique_ptr<SystemTrustStore> CreateSslSystemTrustStore() { | 153 std::unique_ptr<SystemTrustStore> CreateSslSystemTrustStore() { |
| 167 return base::MakeUnique<DummySystemTrustStore>(); | 154 return base::MakeUnique<DummySystemTrustStore>(); |
| 168 } | 155 } |
| 169 #endif | 156 #endif |
| 170 | 157 |
| 171 } // namespace net | 158 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2832703002:
Allow the TrustStore interface to return matching intermediates, and identify distrusted certs. (Closed)
