| OLD | NEW |
|---|
| 1 // Copyright 2017 The Chromium Authors. All rights reserved. | 1 // Copyright 2017 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/internal/system_trust_store.h" | 5 #include "net/cert/internal/system_trust_store.h" |
| 6 | 6 |
| 7 #if defined(USE_NSS_CERTS) | 7 #if defined(USE_NSS_CERTS) |
| 8 #include <cert.h> | 8 #include <cert.h> |
| 9 #include <pk11pub.h> | 9 #include <pk11pub.h> |
| 10 #elif defined(OS_MACOSX) && !defined(OS_IOS) | 10 #elif defined(OS_MACOSX) && !defined(OS_IOS) |
| 11 #include <Security/Security.h> | 11 #include <Security/Security.h> |
| 12 #endif | 12 #endif |
| 13 | 13 |
| 14 #include "base/memory/ptr_util.h" | 14 #include "base/memory/ptr_util.h" |
| 15 #include "net/cert/internal/trust_store_collection.h" | 15 #include "net/cert/internal/trust_store_collection.h" |
| 16 #include "net/cert/internal/trust_store_in_memory.h" | 16 #include "net/cert/internal/trust_store_in_memory.h" |
| 17 | 17 |
| 18 #if defined(USE_NSS_CERTS) | 18 #if defined(USE_NSS_CERTS) |
| 19 #include "crypto/nss_util.h" | 19 #include "crypto/nss_util.h" |
| 20 #include "net/cert/internal/cert_issuer_source_nss.h" | |
| 21 #include "net/cert/internal/trust_store_nss.h" | 20 #include "net/cert/internal/trust_store_nss.h" |
| 22 #include "net/cert/known_roots_nss.h" | 21 #include "net/cert/known_roots_nss.h" |
| 23 #include "net/cert/scoped_nss_types.h" | 22 #include "net/cert/scoped_nss_types.h" |
| 24 #elif defined(OS_MACOSX) && !defined(OS_IOS) | 23 #elif defined(OS_MACOSX) && !defined(OS_IOS) |
| 25 #include "net/cert/internal/trust_store_mac.h" | 24 #include "net/cert/internal/trust_store_mac.h" |
| 26 #include "net/cert/known_roots_mac.h" | 25 #include "net/cert/known_roots_mac.h" |
| 27 #include "net/cert/x509_util_mac.h" | 26 #include "net/cert/x509_util_mac.h" |
| 28 #endif | 27 #endif |
| 29 | 28 |
| 30 namespace net { | 29 namespace net { |
| 31 | 30 |
| 32 namespace { | 31 namespace { |
| 33 | 32 |
| 34 // Abstract implementation of SystemTrustStore to be used as a base class. | 33 // Abstract implementation of SystemTrustStore to be used as a base class. |
| 35 // Handles the addition of additional trust anchors. | 34 // Handles the addition of additional trust anchors. |
| 36 class BaseSystemTrustStore : public SystemTrustStore { | 35 class BaseSystemTrustStore : public SystemTrustStore { |
| 37 public: | 36 public: |
| 38 BaseSystemTrustStore() { | 37 BaseSystemTrustStore() { |
| 39 trust_store_.AddTrustStore(&additional_trust_store_); | 38 trust_store_.AddTrustStore(&additional_trust_store_); |
| 40 } | 39 } |
| 41 | 40 |
| 42 void AddTrustAnchor(const scoped_refptr<TrustAnchor>& trust_anchor) override { | 41 void AddTrustAnchor( |
| 42 const scoped_refptr<ParsedCertificate>& trust_anchor) override { |
| 43 additional_trust_store_.AddTrustAnchor(trust_anchor); | 43 additional_trust_store_.AddTrustAnchor(trust_anchor); |
| 44 } | 44 } |
| 45 | 45 |
| 46 TrustStore* GetTrustStore() override { return &trust_store_; } | 46 TrustStore* GetTrustStore() override { return &trust_store_; } |
| 47 | 47 |
| 48 CertIssuerSource* GetCertIssuerSource() override { return nullptr; } | |
| 49 | |
| 50 bool IsAdditionalTrustAnchor( | 48 bool IsAdditionalTrustAnchor( |
| 51 const scoped_refptr<TrustAnchor>& trust_anchor) const override { | 49 const ParsedCertificate* trust_anchor) const override { |
| 52 return additional_trust_store_.Contains(trust_anchor.get()); | 50 return additional_trust_store_.Contains(trust_anchor); |
| 53 } | 51 } |
| 54 | 52 |
| 55 protected: | 53 protected: |
| 56 TrustStoreCollection trust_store_; | 54 TrustStoreCollection trust_store_; |
| 57 TrustStoreInMemory additional_trust_store_; | 55 TrustStoreInMemory additional_trust_store_; |
| 58 }; | 56 }; |
| 59 | 57 |
| 60 } // namespace | 58 } // namespace |
| 61 | 59 |
| 62 #if defined(USE_NSS_CERTS) | 60 #if defined(USE_NSS_CERTS) |
| 63 namespace { | 61 namespace { |
| 64 | 62 |
| 65 class SystemTrustStoreNSS : public BaseSystemTrustStore { | 63 class SystemTrustStoreNSS : public BaseSystemTrustStore { |
| 66 public: | 64 public: |
| 67 explicit SystemTrustStoreNSS() : trust_store_nss_(trustSSL) { | 65 explicit SystemTrustStoreNSS() : trust_store_nss_(trustSSL) { |
| 68 trust_store_.AddTrustStore(&trust_store_nss_); | 66 trust_store_.AddTrustStore(&trust_store_nss_); |
| 69 } | 67 } |
| 70 | 68 |
| 71 CertIssuerSource* GetCertIssuerSource() override { | |
| 72 return &cert_issuer_source_nss_; | |
| 73 } | |
| 74 | |
| 75 bool UsesSystemTrustStore() const override { return true; } | 69 bool UsesSystemTrustStore() const override { return true; } |
| 76 | 70 |
| 77 // IsKnownRoot returns true if the given trust anchor is a standard one (as | 71 // IsKnownRoot returns true if the given trust anchor is a standard one (as |
| 78 // opposed to a user-installed root) | 72 // opposed to a user-installed root) |
| 79 bool IsKnownRoot( | 73 bool IsKnownRoot(const ParsedCertificate* trust_anchor) const override { |
| 80 const scoped_refptr<TrustAnchor>& trust_anchor) const override { | |
| 81 // TODO(eroman): Based on how the TrustAnchors are created by this | |
| 82 // integration, there will always be an associated certificate. However this | |
| 83 // contradicts the API for TrustAnchor that states it is optional. | |
| 84 DCHECK(trust_anchor->cert()); | |
| 85 | |
| 86 // TODO(eroman): The overall approach of IsKnownRoot() is inefficient -- it | 74 // TODO(eroman): The overall approach of IsKnownRoot() is inefficient -- it |
| 87 // requires searching for the trust anchor by DER in NSS, however path | 75 // requires searching for the trust anchor by DER in NSS, however path |
| 88 // building already had a handle to it. | 76 // building already had a handle to it. |
| 89 SECItem der_cert; | 77 SECItem der_cert; |
| 90 der_cert.data = | 78 der_cert.data = const_cast<uint8_t*>(trust_anchor->der_cert().UnsafeData()); |
| 91 const_cast<uint8_t*>(trust_anchor->cert()->der_cert().UnsafeData()); | 79 der_cert.len = trust_anchor->der_cert().Length(); |
| 92 der_cert.len = trust_anchor->cert()->der_cert().Length(); | |
| 93 der_cert.type = siDERCertBuffer; | 80 der_cert.type = siDERCertBuffer; |
| 94 ScopedCERTCertificate nss_cert( | 81 ScopedCERTCertificate nss_cert( |
| 95 CERT_FindCertByDERCert(CERT_GetDefaultCertDB(), &der_cert)); | 82 CERT_FindCertByDERCert(CERT_GetDefaultCertDB(), &der_cert)); |
| 96 if (!nss_cert) | 83 if (!nss_cert) |
| 97 return false; | 84 return false; |
| 98 | 85 |
| 99 return net::IsKnownRoot(nss_cert.get()); | 86 if (!net::IsKnownRoot(nss_cert.get())) |
| 87 return false; |
| 88 |
| 89 return trust_anchor->der_cert() == |
| 90 der::Input(nss_cert->derCert.data, nss_cert->derCert.len); |
| 100 } | 91 } |
| 101 | 92 |
| 102 private: | 93 private: |
| 103 TrustStoreNSS trust_store_nss_; | 94 TrustStoreNSS trust_store_nss_; |
| 104 CertIssuerSourceNSS cert_issuer_source_nss_; | |
| 105 }; | 95 }; |
| 106 | 96 |
| 107 } // namespace | 97 } // namespace |
| 108 | 98 |
| 109 std::unique_ptr<SystemTrustStore> CreateSslSystemTrustStore() { | 99 std::unique_ptr<SystemTrustStore> CreateSslSystemTrustStore() { |
| 110 return base::MakeUnique<SystemTrustStoreNSS>(); | 100 return base::MakeUnique<SystemTrustStoreNSS>(); |
| 111 } | 101 } |
| 112 | 102 |
| 113 #elif defined(OS_MACOSX) && !defined(OS_IOS) | 103 #elif defined(OS_MACOSX) && !defined(OS_IOS) |
| 114 | 104 |
| 115 // TODO(eroman): Compose with test roots added via cert/test_roots.h | 105 // TODO(eroman): Compose with test roots added via cert/test_roots.h |
| 116 class SystemTrustStoreMac : public BaseSystemTrustStore { | 106 class SystemTrustStoreMac : public BaseSystemTrustStore { |
| 117 public: | 107 public: |
| 118 explicit SystemTrustStoreMac() : trust_store_mac_(kSecPolicyAppleSSL) { | 108 explicit SystemTrustStoreMac() : trust_store_mac_(kSecPolicyAppleSSL) { |
| 119 InitializeKnownRoots(); | 109 InitializeKnownRoots(); |
| 120 trust_store_.AddTrustStore(&trust_store_mac_); | 110 trust_store_.AddTrustStore(&trust_store_mac_); |
| 121 } | 111 } |
| 122 | 112 |
| 123 CertIssuerSource* GetCertIssuerSource() override { | |
| 124 // TODO(eroman): Implement. | |
| 125 return nullptr; | |
| 126 } | |
| 127 | |
| 128 bool UsesSystemTrustStore() const override { return true; } | 113 bool UsesSystemTrustStore() const override { return true; } |
| 129 | 114 |
| 130 // IsKnownRoot returns true if the given trust anchor is a standard one (as | 115 // IsKnownRoot returns true if the given trust anchor is a standard one (as |
| 131 // opposed to a user-installed root) | 116 // opposed to a user-installed root) |
| 132 bool IsKnownRoot( | 117 bool IsKnownRoot(const ParsedCertificate* trust_anchor) const override { |
| 133 const scoped_refptr<TrustAnchor>& trust_anchor) const override { | 118 der::Input bytes = trust_anchor->der_cert(); |
| 134 if (!trust_anchor->cert()) | |
| 135 return false; | |
| 136 | |
| 137 der::Input bytes = trust_anchor->cert()->der_cert(); | |
| 138 base::ScopedCFTypeRef<SecCertificateRef> cert_ref = | 119 base::ScopedCFTypeRef<SecCertificateRef> cert_ref = |
| 139 x509_util::CreateSecCertificateFromBytes(bytes.UnsafeData(), | 120 x509_util::CreateSecCertificateFromBytes(bytes.UnsafeData(), |
| 140 bytes.Length()); | 121 bytes.Length()); |
| 141 if (!cert_ref) | 122 if (!cert_ref) |
| 142 return false; | 123 return false; |
| 143 | 124 |
| 144 return net::IsKnownRoot(cert_ref); | 125 return net::IsKnownRoot(cert_ref); |
| 145 } | 126 } |
| 146 | 127 |
| 147 private: | 128 private: |
| 148 TrustStoreMac trust_store_mac_; | 129 TrustStoreMac trust_store_mac_; |
| 149 }; | 130 }; |
| 150 | 131 |
| 151 std::unique_ptr<SystemTrustStore> CreateSslSystemTrustStore() { | 132 std::unique_ptr<SystemTrustStore> CreateSslSystemTrustStore() { |
| 152 return base::MakeUnique<SystemTrustStoreMac>(); | 133 return base::MakeUnique<SystemTrustStoreMac>(); |
| 153 } | 134 } |
| 154 #else | 135 #else |
| 155 | 136 |
| 156 class DummySystemTrustStore : public BaseSystemTrustStore { | 137 class DummySystemTrustStore : public BaseSystemTrustStore { |
| 157 public: | 138 public: |
| 158 bool UsesSystemTrustStore() const override { return false; } | 139 bool UsesSystemTrustStore() const override { return false; } |
| 159 | 140 |
| 160 bool IsKnownRoot( | 141 bool IsKnownRoot(const ParsedCertificate* trust_anchor) const override { |
| 161 const scoped_refptr<TrustAnchor>& trust_anchor) const override { | |
| 162 return false; | 142 return false; |
| 163 } | 143 } |
| 164 }; | 144 }; |
| 165 | 145 |
| 166 std::unique_ptr<SystemTrustStore> CreateSslSystemTrustStore() { | 146 std::unique_ptr<SystemTrustStore> CreateSslSystemTrustStore() { |
| 167 return base::MakeUnique<DummySystemTrustStore>(); | 147 return base::MakeUnique<DummySystemTrustStore>(); |
| 168 } | 148 } |
| 169 #endif | 149 #endif |
| 170 | 150 |
| 171 } // namespace net | 151 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2832703002:
Allow the TrustStore interface to return matching intermediates, and identify distrusted certs. (Closed)
