Google Git
Sign in
cobalt / cobalt / 25902c6cb1ab9cfd8ae2ee6b0fb52953f73deda5 / . / net / cert / internal / trust_store_mac.h
blob: 44dc50659f210027a0ea053273dc2fb5c2946f93 [file] [log] [blame]
// Copyright 2017 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef NET_CERT_INTERNAL_TRUST_STORE_MAC_H_
#define NET_CERT_INTERNAL_TRUST_STORE_MAC_H_
#include <CoreFoundation/CoreFoundation.h>
#include "base/gtest_prod_util.h"
#include "base/mac/scoped_cftyperef.h"
#include "net/base/net_export.h"
#include "net/cert/pki/trust_store.h"
namespace net {
// TrustStoreMac is an implementation of TrustStore which uses macOS keychain
// to find trust anchors for path building. Trust state is cached, so a single
// TrustStoreMac instance should be created and used for all verifications of a
// given policy.
// TrustStoreMac objects are threadsafe and methods may be called from multiple
// threads simultaneously. It is the owner's responsibility to ensure the
// TrustStoreMac object outlives any threads accessing it.
class NET_EXPORT TrustStoreMac : public TrustStore {
public:
// Bits representing different conditions encountered while evaluating
// the trustSettings returned by SecTrustSettingsCopyTrustSettings.
enum TrustDebugInfo {
// The trustSettings array was empty.
TRUST_SETTINGS_ARRAY_EMPTY = 1 << 0,
// One of the trustSettings dictionaries was empty.
TRUST_SETTINGS_DICT_EMPTY = 1 << 1,
// One of the trustSettings dictionaries contained an unknown key.
TRUST_SETTINGS_DICT_UNKNOWN_KEY = 1 << 2,
// One of the trustSettings dictionaries contained a
// kSecTrustSettingsPolicy key.
TRUST_SETTINGS_DICT_CONTAINS_POLICY = 1 << 3,
// One of the trustSettings dictionaries contained a
// kSecTrustSettingsPolicy key with a value that was not a SecPolicyRef.
TRUST_SETTINGS_DICT_INVALID_POLICY_TYPE = 1 << 4,
// One of the trustSettings dictionaries contained a
// kSecTrustSettingsApplication key.
TRUST_SETTINGS_DICT_CONTAINS_APPLICATION = 1 << 5,
// One of the trustSettings dictionaries contained a
// kSecTrustSettingsPolicyString key.
TRUST_SETTINGS_DICT_CONTAINS_POLICY_STRING = 1 << 6,
// One of the trustSettings dictionaries contained a
// kSecTrustSettingsKeyUsage key.
TRUST_SETTINGS_DICT_CONTAINS_KEY_USAGE = 1 << 7,
// One of the trustSettings dictionaries contained a
// kSecTrustSettingsResult key.
TRUST_SETTINGS_DICT_CONTAINS_RESULT = 1 << 8,
// One of the trustSettings dictionaries contained a
// kSecTrustSettingsResult key with a value that was not a CFNumber or
// could not be represented by a signed int.
TRUST_SETTINGS_DICT_INVALID_RESULT_TYPE = 1 << 9,
// One of the trustSettings dictionaries contained a
// kSecTrustSettingsAllowedError key.
TRUST_SETTINGS_DICT_CONTAINS_ALLOWED_ERROR = 1 << 10,
// SecTrustSettingsCopyTrustSettings returned a value other than
// errSecSuccess or errSecItemNotFound.
COPY_TRUST_SETTINGS_ERROR = 1 << 11,
};
// NOTE: When updating this enum, also update ParamToTrustImplType in
// system_trust_store.cc
enum class TrustImplType {
// Values 1 and 3 were used for implementation strategies that have since
// been removed.
kUnknown = 0,
kSimple = 2,
kDomainCacheFullCerts = 4,
kKeychainCacheFullCerts = 5,
};
class ResultDebugData : public base::SupportsUserData::Data {
public:
static const ResultDebugData* Get(const base::SupportsUserData* debug_data);
static ResultDebugData* GetOrCreate(base::SupportsUserData* debug_data);
void UpdateTrustDebugInfo(int trust_debug_info, TrustImplType impl_type);
// base::SupportsUserData::Data implementation:
std::unique_ptr<Data> Clone() override;
// Returns a bitfield of TrustDebugInfo flags. If multiple GetTrust calls
// were done with the same SupportsUserData object, this will return the
// union of all the TrustDebugInfo flags.
int combined_trust_debug_info() const { return combined_trust_debug_info_; }
// Returns an enum representing which trust implementation was used.
TrustImplType trust_impl() const { return trust_impl_; }
private:
int combined_trust_debug_info_ = 0;
TrustImplType trust_impl_ = TrustImplType::kUnknown;
};
// Creates a TrustStoreMac which will find anchors that are trusted for
// |policy_oid|. For list of possible policy values, see:
// https://developer.apple.com/reference/security/1667150-certificate_key_and_trust_servic/1670151-standard_policies_for_specific_c?language=objc
// |impl| selects which internal implementation is used for checking trust
// settings.
TrustStoreMac(CFStringRef policy_oid, TrustImplType impl);
TrustStoreMac(const TrustStoreMac&) = delete;
TrustStoreMac& operator=(const TrustStoreMac&) = delete;
~TrustStoreMac() override;
// Initializes the trust cache, if it isn't already initialized.
void InitializeTrustCache() const;
// TrustStore implementation:
void SyncGetIssuersOf(const ParsedCertificate* cert,
ParsedCertificateList* issuers) override;
CertificateTrust GetTrust(const ParsedCertificate* cert,
base::SupportsUserData* debug_data) override;
private:
class TrustImpl;
class TrustImplDomainCacheFullCerts;
class TrustImplKeychainCacheFullCerts;
class TrustImplNoCache;
// Finds certificates in the OS keychains whose Subject matches |name_data|.
// The result is an array of CRYPTO_BUFFERs containing the DER certificate
// data.
static std::vector<bssl::UniquePtr<CRYPTO_BUFFER>>
FindMatchingCertificatesForMacNormalizedSubject(CFDataRef name_data);
// Returns the OS-normalized issuer of |cert|.
// macOS internally uses a normalized form of subject/issuer names for
// comparing, roughly similar to RFC3280's normalization scheme. The
// normalized form is used for any database lookups and comparisons.
static base::ScopedCFTypeRef<CFDataRef> GetMacNormalizedIssuer(
const ParsedCertificate* cert);
std::unique_ptr<TrustImpl> trust_cache_;
};
} // namespace net
#endif // NET_CERT_INTERNAL_TRUST_STORE_MAC_H_