| OLD | NEW |
|---|
| 1 // Copyright 2017 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2017 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/internal/system_trust_store.h" | 5 #ifndef NET_CERT_KNOWN_ROOTS_MAC_H_ |
| 6 #define NET_CERT_KNOWN_ROOTS_MAC_H_ |
| 6 | 7 |
| 7 #if defined(USE_NSS_CERTS) | |
| 8 #include <cert.h> | |
| 9 #include <pk11pub.h> | |
| 10 #elif defined(OS_MACOSX) && !defined(OS_IOS) | |
| 11 #include <Security/Security.h> | 8 #include <Security/Security.h> |
| 12 #endif | |
| 13 | |
| 14 #include "base/memory/ptr_util.h" | |
| 15 #include "net/cert/internal/trust_store_collection.h" | |
| 16 #include "net/cert/internal/trust_store_in_memory.h" | |
| 17 | |
| 18 #if defined(USE_NSS_CERTS) | |
| 19 #include "crypto/nss_util.h" | |
| 20 #include "net/cert/internal/cert_issuer_source_nss.h" | |
| 21 #include "net/cert/internal/trust_store_nss.h" | |
| 22 #include "net/cert/scoped_nss_types.h" | |
| 23 #elif defined(OS_MACOSX) && !defined(OS_IOS) | |
| 24 #include "net/cert/internal/trust_store_mac.h" | |
| 25 #endif | |
| 26 | 9 |
| 27 namespace net { | 10 namespace net { |
| 28 | 11 |
| 29 namespace { | 12 // IsKnownRoot returns true if the given certificate is one that we believe |
| 13 // is a standard (as opposed to user-installed) root. |
| 14 // |
| 15 // NOTE: The first call will lazily initialize the known roots, which requires |
| 16 // holding crypto::GetMacSecurityServicesLock(). Callers must therefore either |
| 17 // acquire that lock prior to calling this, or eagerly initialize beforehand |
| 18 // using InitializeKnownRoots(). |
| 19 bool IsKnownRoot(SecCertificateRef cert); |
| 30 | 20 |
| 31 // Abstract implementation of SystemTrustStore to be used as a base class. | 21 // Calling this is optional as initialization will otherwise be done lazily when |
| 32 // Handles the addition of additional trust anchors. | 22 // calling IsKnownRoot(). When calling this, the current thread must NOT already |
| 33 class BaseSystemTrustStore : public SystemTrustStore { | 23 // be holding/ crypto::GetMacSecurityServicesLock(). |
| 34 public: | 24 void InitializeKnownRoots(); |
| 35 BaseSystemTrustStore() { | |
| 36 trust_store_.AddTrustStore(&additional_trust_store_); | |
| 37 } | |
| 38 | |
| 39 void AddTrustAnchor(const scoped_refptr<TrustAnchor>& trust_anchor) override { | |
| 40 additional_trust_store_.AddTrustAnchor(trust_anchor); | |
| 41 } | |
| 42 | |
| 43 TrustStore* GetTrustStore() override { return &trust_store_; } | |
| 44 | |
| 45 CertIssuerSource* GetCertIssuerSource() override { return nullptr; } | |
| 46 | |
| 47 bool IsAdditionalTrustAnchor( | |
| 48 const scoped_refptr<TrustAnchor>& trust_anchor) const override { | |
| 49 return additional_trust_store_.Contains(trust_anchor.get()); | |
| 50 } | |
| 51 | |
| 52 protected: | |
| 53 TrustStoreCollection trust_store_; | |
| 54 TrustStoreInMemory additional_trust_store_; | |
| 55 }; | |
| 56 | |
| 57 } // namespace | |
| 58 | |
| 59 #if defined(USE_NSS_CERTS) | |
| 60 namespace { | |
| 61 | |
| 62 class SystemTrustStoreNSS : public BaseSystemTrustStore { | |
| 63 public: | |
| 64 explicit SystemTrustStoreNSS() : trust_store_nss_(trustSSL) { | |
| 65 trust_store_.AddTrustStore(&trust_store_nss_); | |
| 66 } | |
| 67 | |
| 68 CertIssuerSource* GetCertIssuerSource() override { | |
| 69 return &cert_issuer_source_nss_; | |
| 70 } | |
| 71 | |
| 72 bool UsesSystemTrustStore() const override { return true; } | |
| 73 | |
| 74 // IsKnownRoot returns true if the given trust anchor is a standard one (as | |
| 75 // opposed to a user-installed root) | |
| 76 bool IsKnownRoot( | |
| 77 const scoped_refptr<TrustAnchor>& trust_anchor) const override { | |
| 78 // TODO(eroman): Based on how the TrustAnchors are created by this | |
| 79 // integration, there will always be an associated certificate. However this | |
| 80 // contradicts the API for TrustAnchor that states it is optional. | |
| 81 DCHECK(trust_anchor->cert()); | |
| 82 | |
| 83 // TODO(eroman): The overall approach of IsKnownRoot() is inefficient -- it | |
| 84 // requires searching for the trust anchor by DER in NSS, however path | |
| 85 // building already had a handle to it. | |
| 86 SECItem der_cert; | |
| 87 der_cert.data = | |
| 88 const_cast<uint8_t*>(trust_anchor->cert()->der_cert().UnsafeData()); | |
| 89 der_cert.len = trust_anchor->cert()->der_cert().Length(); | |
| 90 der_cert.type = siDERCertBuffer; | |
| 91 ScopedCERTCertificate nss_cert( | |
| 92 CERT_FindCertByDERCert(CERT_GetDefaultCertDB(), &der_cert)); | |
| 93 if (!nss_cert) | |
| 94 return false; | |
| 95 | |
| 96 return IsKnownRoot(nss_cert.get()); | |
| 97 } | |
| 98 | |
| 99 private: | |
| 100 // TODO(eroman): This function was copied verbatim from | |
| 101 // cert_verify_proc_nss.cc | |
| 102 // | |
| 103 // IsKnownRoot returns true if the given certificate is one that we believe | |
| 104 // is a standard (as opposed to user-installed) root. | |
| 105 bool IsKnownRoot(CERTCertificate* root) const { | |
| 106 if (!root || !root->slot) | |
| 107 return false; | |
| 108 | |
| 109 // This magic name is taken from | |
| 110 // http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/ckfw
/builtins/constants.c&rev=1.13&mark=86,89#79 | |
| 111 return 0 == strcmp(PK11_GetSlotName(root->slot), "NSS Builtin Objects"); | |
| 112 } | |
| 113 | |
| 114 TrustStoreNSS trust_store_nss_; | |
| 115 CertIssuerSourceNSS cert_issuer_source_nss_; | |
| 116 }; | |
| 117 | |
| 118 } // namespace | |
| 119 | |
| 120 std::unique_ptr<SystemTrustStore> CreateSslSystemTrustStore() { | |
| 121 return base::MakeUnique<SystemTrustStoreNSS>(); | |
| 122 } | |
| 123 | |
| 124 #elif defined(OS_MACOSX) && !defined(OS_IOS) | |
| 125 | |
| 126 class SystemTrustStoreMac : public BaseSystemTrustStore { | |
| 127 public: | |
| 128 explicit SystemTrustStoreMac() : trust_store_mac_(kSecPolicyAppleSSL) { | |
| 129 trust_store_.AddTrustStore(&trust_store_mac_); | |
| 130 } | |
| 131 | |
| 132 CertIssuerSource* GetCertIssuerSource() override { | |
| 133 // TODO(eroman): Should this return something? | |
| 134 return nullptr; | |
| 135 } | |
| 136 | |
| 137 bool UsesSystemTrustStore() const override { return true; } | |
| 138 | |
| 139 // IsKnownRoot returns true if the given trust anchor is a standard one (as | |
| 140 // opposed to a user-installed root) | |
| 141 bool IsKnownRoot( | |
| 142 const scoped_refptr<TrustAnchor>& trust_anchor) const override { | |
| 143 // TODO(eroman): Implement. | |
| 144 return false; | |
| 145 } | |
| 146 | |
| 147 private: | |
| 148 TrustStoreMac trust_store_mac_; | |
| 149 }; | |
| 150 | |
| 151 std::unique_ptr<SystemTrustStore> CreateSslSystemTrustStore() { | |
| 152 return base::MakeUnique<SystemTrustStoreMac>(); | |
| 153 } | |
| 154 #else | |
| 155 | |
| 156 class DummySystemTrustStore : public BaseSystemTrustStore { | |
| 157 public: | |
| 158 bool UsesSystemTrustStore() const override { return false; } | |
| 159 | |
| 160 bool IsKnownRoot( | |
| 161 const scoped_refptr<TrustAnchor>& trust_anchor) const override { | |
| 162 return false; | |
| 163 } | |
| 164 }; | |
| 165 | |
| 166 std::unique_ptr<SystemTrustStore> CreateSslSystemTrustStore() { | |
| 167 return base::MakeUnique<DummySystemTrustStore>(); | |
| 168 } | |
| 169 #endif | |
| 170 | 25 |
| 171 } // namespace net | 26 } // namespace net |
| 27 |
| 28 #endif // NET_CERT_KNOWN_ROOTS_MAC_H_ |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2833623002:
Extract IsKnownRoot() functionality for testing if a certificate is a (Closed)
