boringssl/pki/trust_store.h

// Copyright 2016 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef BSSL_PKI_TRUST_STORE_H_
#define BSSL_PKI_TRUST_STORE_H_

#include <optional>

#include <openssl/base.h>

#include "cert_issuer_source.h"
#include "parsed_certificate.h"

namespace bssl {

enum class CertificateTrustType {
  // This certificate is explicitly blocked (distrusted).
  DISTRUSTED,

  // The trustedness of this certificate is unknown (inherits trust from
  // its issuer).
  UNSPECIFIED,

  // This certificate is a trust anchor (as defined by RFC 5280).
  TRUSTED_ANCHOR,

  // This certificate can be used as a trust anchor (as defined by RFC 5280) or
  // a trusted leaf, depending on context.
  TRUSTED_ANCHOR_OR_LEAF,

  // This certificate is a directly trusted leaf.
  TRUSTED_LEAF,

  LAST = TRUSTED_ANCHOR
};

// Describes the level of trust in a certificate.
struct OPENSSL_EXPORT CertificateTrust {
  static constexpr CertificateTrust ForTrustAnchor() {
    CertificateTrust result;
    result.type = CertificateTrustType::TRUSTED_ANCHOR;
    return result;
  }

  static constexpr CertificateTrust ForTrustAnchorOrLeaf() {
    CertificateTrust result;
    result.type = CertificateTrustType::TRUSTED_ANCHOR_OR_LEAF;
    return result;
  }

  static constexpr CertificateTrust ForTrustedLeaf() {
    CertificateTrust result;
    result.type = CertificateTrustType::TRUSTED_LEAF;
    return result;
  }

  static constexpr CertificateTrust ForUnspecified() {
    CertificateTrust result;
    return result;
  }

  static constexpr CertificateTrust ForDistrusted() {
    CertificateTrust result;
    result.type = CertificateTrustType::DISTRUSTED;
    return result;
  }

  constexpr CertificateTrust WithEnforceAnchorExpiry(bool value = true) const {
    CertificateTrust result = *this;
    result.enforce_anchor_expiry = value;
    return result;
  }

  constexpr CertificateTrust WithEnforceAnchorConstraints(
      bool value = true) const {
    CertificateTrust result = *this;
    result.enforce_anchor_constraints = value;
    return result;
  }

  constexpr CertificateTrust WithRequireAnchorBasicConstraints(
      bool value = true) const {
    CertificateTrust result = *this;
    result.require_anchor_basic_constraints = value;
    return result;
  }

  constexpr CertificateTrust WithRequireLeafSelfSigned(
      bool value = true) const {
    CertificateTrust result = *this;
    result.require_leaf_selfsigned = value;
    return result;
  }

  bool IsTrustAnchor() const;
  bool IsTrustLeaf() const;
  bool IsDistrusted() const;
  bool HasUnspecifiedTrust() const;

  std::string ToDebugString() const;

  static std::optional<CertificateTrust> FromDebugString(
      const std::string &trust_string);

  // The overall type of trust.
  CertificateTrustType type = CertificateTrustType::UNSPECIFIED;

  // Optionally, enforce extra bits on trust anchors. If these are false, the
  // only fields in a trust anchor certificate that are meaningful are its
  // name and SPKI.
  bool enforce_anchor_expiry = false;
  bool enforce_anchor_constraints = false;
  // Require that X.509v3 trust anchors have a basicConstraints extension.
  // X.509v1 and X.509v2 trust anchors do not support basicConstraints and are
  // not affected.
  // Additionally, this setting only has effect if `enforce_anchor_constraints`
  // is true, which also requires that the extension assert CA=true.
  bool require_anchor_basic_constraints = false;

  // Optionally, require trusted leafs to be self-signed to be trusted.
  bool require_leaf_selfsigned = false;
};

// Interface for finding intermediates / trust anchors, and testing the
// trustedness of certificates.
class OPENSSL_EXPORT TrustStore : public CertIssuerSource {
 public:
  TrustStore();

  TrustStore(const TrustStore &) = delete;
  TrustStore &operator=(const TrustStore &) = delete;

  // Returns the trusted of |cert|, which must be non-null.
  virtual CertificateTrust GetTrust(const ParsedCertificate *cert) = 0;

  // Disable async issuers for TrustStore, as it isn't needed.
  void AsyncGetIssuersOf(const ParsedCertificate *cert,
                         std::unique_ptr<Request> *out_req) final;
};

}  // namespace bssl

#endif  // BSSL_PKI_TRUST_STORE_H_
Bring in the core of chromium certificate verifier as libpki Initially this leaves the canonical source in chrome, Additions and fillins are committed directly, the chrome files are coverted using the IMPORT script run from the pki directory for the moment. The intention here is to continue frequent automatic conversion (and avoid wholesale cosmetic changes in here for now) until chrome converts to use these files in place of it's versions. At that point these will become the definiative files, and the IMPORT script can be tossed out. A middle step along the way will be to change google3's verify.cc in third_party/chromium_certificate_verifier to use this instead of it's own extracted copy. Status (and what is not done yet) being roughly tracked in README.md Bug: chromium:1322914 Change-Id: Ibdb5479bc68985fa61ce6b10f98f31f6b3a7cbdf Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60285 Commit-Queue: Bob Beck <bbe@google.com> Reviewed-by: Adam Langley <agl@google.com> 2 years ago			`// Copyright 2016 The Chromium Authors`
			`// Use of this source code is governed by a BSD-style license that can be`
			`// found in the LICENSE file.`

			`#ifndef BSSL_PKI_TRUST_STORE_H_`
			`#define BSSL_PKI_TRUST_STORE_H_`

Clang-format all of pki. Before making further changes. This pass is without InsertBraces, will follow up with InsertBraces for separate review Bug: 659 Change-Id: Ie311dcd932aec5f98c16573f9326b1918a639adf Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/64067 Commit-Queue: David Benjamin <davidben@google.com> Auto-Submit: Bob Beck <bbe@google.com> Reviewed-by: David Benjamin <davidben@google.com> 1 year ago			`#include <optional>`
Remove fillins/openssl_util The only user of the tiny utility class to clear the error stack was verify_certificate_chain, which can have it in it's anonymous namespace. It was however, used to great effect as a horrible dirty cheat to get us openssl/base.h during the conversion. That time is past, so just let us include <openssl/base.h> normally, and get rid of this. Bug: 668 Change-Id: Ie8537d5b1d6789acb35182f3d781f7505ad79109 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/64188 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: Bob Beck <bbe@google.com> Auto-Submit: Bob Beck <bbe@google.com> 12 months ago
			`#include <openssl/base.h>`

Bring in the core of chromium certificate verifier as libpki Initially this leaves the canonical source in chrome, Additions and fillins are committed directly, the chrome files are coverted using the IMPORT script run from the pki directory for the moment. The intention here is to continue frequent automatic conversion (and avoid wholesale cosmetic changes in here for now) until chrome converts to use these files in place of it's versions. At that point these will become the definiative files, and the IMPORT script can be tossed out. A middle step along the way will be to change google3's verify.cc in third_party/chromium_certificate_verifier to use this instead of it's own extracted copy. Status (and what is not done yet) being roughly tracked in README.md Bug: chromium:1322914 Change-Id: Ibdb5479bc68985fa61ce6b10f98f31f6b3a7cbdf Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60285 Commit-Queue: Bob Beck <bbe@google.com> Reviewed-by: Adam Langley <agl@google.com> 2 years ago			`#include "cert_issuer_source.h"`
			`#include "parsed_certificate.h"`

			`namespace bssl {`

			`enum class CertificateTrustType {`
			`// This certificate is explicitly blocked (distrusted).`
			`DISTRUSTED,`

			`// The trustedness of this certificate is unknown (inherits trust from`
			`// its issuer).`
			`UNSPECIFIED,`

			`// This certificate is a trust anchor (as defined by RFC 5280).`
			`TRUSTED_ANCHOR,`

			`// This certificate can be used as a trust anchor (as defined by RFC 5280) or`
			`// a trusted leaf, depending on context.`
			`TRUSTED_ANCHOR_OR_LEAF,`

			`// This certificate is a directly trusted leaf.`
			`TRUSTED_LEAF,`

			`LAST = TRUSTED_ANCHOR`
			`};`

			`// Describes the level of trust in a certificate.`
			`struct OPENSSL_EXPORT CertificateTrust {`
			`static constexpr CertificateTrust ForTrustAnchor() {`
			`CertificateTrust result;`
			`result.type = CertificateTrustType::TRUSTED_ANCHOR;`
			`return result;`
			`}`

			`static constexpr CertificateTrust ForTrustAnchorOrLeaf() {`
			`CertificateTrust result;`
			`result.type = CertificateTrustType::TRUSTED_ANCHOR_OR_LEAF;`
			`return result;`
			`}`

			`static constexpr CertificateTrust ForTrustedLeaf() {`
			`CertificateTrust result;`
			`result.type = CertificateTrustType::TRUSTED_LEAF;`
			`return result;`
			`}`

			`static constexpr CertificateTrust ForUnspecified() {`
			`CertificateTrust result;`
			`return result;`
			`}`

			`static constexpr CertificateTrust ForDistrusted() {`
			`CertificateTrust result;`
			`result.type = CertificateTrustType::DISTRUSTED;`
			`return result;`
			`}`

			`constexpr CertificateTrust WithEnforceAnchorExpiry(bool value = true) const {`
			`CertificateTrust result = *this;`
			`result.enforce_anchor_expiry = value;`
			`return result;`
			`}`

			`constexpr CertificateTrust WithEnforceAnchorConstraints(`
			`bool value = true) const {`
			`CertificateTrust result = *this;`
			`result.enforce_anchor_constraints = value;`
			`return result;`
			`}`

			`constexpr CertificateTrust WithRequireAnchorBasicConstraints(`
			`bool value = true) const {`
			`CertificateTrust result = *this;`
			`result.require_anchor_basic_constraints = value;`
			`return result;`
			`}`

			`constexpr CertificateTrust WithRequireLeafSelfSigned(`
			`bool value = true) const {`
			`CertificateTrust result = *this;`
			`result.require_leaf_selfsigned = value;`
			`return result;`
			`}`

			`bool IsTrustAnchor() const;`
			`bool IsTrustLeaf() const;`
			`bool IsDistrusted() const;`
			`bool HasUnspecifiedTrust() const;`

			`std::string ToDebugString() const;`

			`static std::optional<CertificateTrust> FromDebugString(`
Clang-format all of pki. Before making further changes. This pass is without InsertBraces, will follow up with InsertBraces for separate review Bug: 659 Change-Id: Ie311dcd932aec5f98c16573f9326b1918a639adf Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/64067 Commit-Queue: David Benjamin <davidben@google.com> Auto-Submit: Bob Beck <bbe@google.com> Reviewed-by: David Benjamin <davidben@google.com> 1 year ago			`const std::string &trust_string);`
Bring in the core of chromium certificate verifier as libpki Initially this leaves the canonical source in chrome, Additions and fillins are committed directly, the chrome files are coverted using the IMPORT script run from the pki directory for the moment. The intention here is to continue frequent automatic conversion (and avoid wholesale cosmetic changes in here for now) until chrome converts to use these files in place of it's versions. At that point these will become the definiative files, and the IMPORT script can be tossed out. A middle step along the way will be to change google3's verify.cc in third_party/chromium_certificate_verifier to use this instead of it's own extracted copy. Status (and what is not done yet) being roughly tracked in README.md Bug: chromium:1322914 Change-Id: Ibdb5479bc68985fa61ce6b10f98f31f6b3a7cbdf Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60285 Commit-Queue: Bob Beck <bbe@google.com> Reviewed-by: Adam Langley <agl@google.com> 2 years ago
			`// The overall type of trust.`
			`CertificateTrustType type = CertificateTrustType::UNSPECIFIED;`

			`// Optionally, enforce extra bits on trust anchors. If these are false, the`
			`// only fields in a trust anchor certificate that are meaningful are its`
			`// name and SPKI.`
			`bool enforce_anchor_expiry = false;`
			`bool enforce_anchor_constraints = false;`
			`// Require that X.509v3 trust anchors have a basicConstraints extension.`
			`// X.509v1 and X.509v2 trust anchors do not support basicConstraints and are`
			`// not affected.`
			// Additionally, this setting only has effect if `enforce_anchor_constraints`
			`// is true, which also requires that the extension assert CA=true.`
			`bool require_anchor_basic_constraints = false;`

			`// Optionally, require trusted leafs to be self-signed to be trusted.`
			`bool require_leaf_selfsigned = false;`
			`};`

			`// Interface for finding intermediates / trust anchors, and testing the`
			`// trustedness of certificates.`
			`class OPENSSL_EXPORT TrustStore : public CertIssuerSource {`
			`public:`
			`TrustStore();`

Clang-format all of pki. Before making further changes. This pass is without InsertBraces, will follow up with InsertBraces for separate review Bug: 659 Change-Id: Ie311dcd932aec5f98c16573f9326b1918a639adf Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/64067 Commit-Queue: David Benjamin <davidben@google.com> Auto-Submit: Bob Beck <bbe@google.com> Reviewed-by: David Benjamin <davidben@google.com> 1 year ago			`TrustStore(const TrustStore &) = delete;`
			`TrustStore &operator=(const TrustStore &) = delete;`
Bring in the core of chromium certificate verifier as libpki Initially this leaves the canonical source in chrome, Additions and fillins are committed directly, the chrome files are coverted using the IMPORT script run from the pki directory for the moment. The intention here is to continue frequent automatic conversion (and avoid wholesale cosmetic changes in here for now) until chrome converts to use these files in place of it's versions. At that point these will become the definiative files, and the IMPORT script can be tossed out. A middle step along the way will be to change google3's verify.cc in third_party/chromium_certificate_verifier to use this instead of it's own extracted copy. Status (and what is not done yet) being roughly tracked in README.md Bug: chromium:1322914 Change-Id: Ibdb5479bc68985fa61ce6b10f98f31f6b3a7cbdf Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60285 Commit-Queue: Bob Beck <bbe@google.com> Reviewed-by: Adam Langley <agl@google.com> 2 years ago
			`// Returns the trusted of \|cert\|, which must be non-null.`
Clang-format all of pki. Before making further changes. This pass is without InsertBraces, will follow up with InsertBraces for separate review Bug: 659 Change-Id: Ie311dcd932aec5f98c16573f9326b1918a639adf Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/64067 Commit-Queue: David Benjamin <davidben@google.com> Auto-Submit: Bob Beck <bbe@google.com> Reviewed-by: David Benjamin <davidben@google.com> 1 year ago			`virtual CertificateTrust GetTrust(const ParsedCertificate *cert) = 0;`
Bring in the core of chromium certificate verifier as libpki Initially this leaves the canonical source in chrome, Additions and fillins are committed directly, the chrome files are coverted using the IMPORT script run from the pki directory for the moment. The intention here is to continue frequent automatic conversion (and avoid wholesale cosmetic changes in here for now) until chrome converts to use these files in place of it's versions. At that point these will become the definiative files, and the IMPORT script can be tossed out. A middle step along the way will be to change google3's verify.cc in third_party/chromium_certificate_verifier to use this instead of it's own extracted copy. Status (and what is not done yet) being roughly tracked in README.md Bug: chromium:1322914 Change-Id: Ibdb5479bc68985fa61ce6b10f98f31f6b3a7cbdf Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60285 Commit-Queue: Bob Beck <bbe@google.com> Reviewed-by: Adam Langley <agl@google.com> 2 years ago
			`// Disable async issuers for TrustStore, as it isn't needed.`
Clang-format all of pki. Before making further changes. This pass is without InsertBraces, will follow up with InsertBraces for separate review Bug: 659 Change-Id: Ie311dcd932aec5f98c16573f9326b1918a639adf Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/64067 Commit-Queue: David Benjamin <davidben@google.com> Auto-Submit: Bob Beck <bbe@google.com> Reviewed-by: David Benjamin <davidben@google.com> 1 year ago			`void AsyncGetIssuersOf(const ParsedCertificate *cert,`
			`std::unique_ptr<Request> *out_req) final;`
Bring in the core of chromium certificate verifier as libpki Initially this leaves the canonical source in chrome, Additions and fillins are committed directly, the chrome files are coverted using the IMPORT script run from the pki directory for the moment. The intention here is to continue frequent automatic conversion (and avoid wholesale cosmetic changes in here for now) until chrome converts to use these files in place of it's versions. At that point these will become the definiative files, and the IMPORT script can be tossed out. A middle step along the way will be to change google3's verify.cc in third_party/chromium_certificate_verifier to use this instead of it's own extracted copy. Status (and what is not done yet) being roughly tracked in README.md Bug: chromium:1322914 Change-Id: Ibdb5479bc68985fa61ce6b10f98f31f6b3a7cbdf Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60285 Commit-Queue: Bob Beck <bbe@google.com> Reviewed-by: Adam Langley <agl@google.com> 2 years ago			`};`

Clang-format all of pki. Before making further changes. This pass is without InsertBraces, will follow up with InsertBraces for separate review Bug: 659 Change-Id: Ie311dcd932aec5f98c16573f9326b1918a639adf Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/64067 Commit-Queue: David Benjamin <davidben@google.com> Auto-Submit: Bob Beck <bbe@google.com> Reviewed-by: David Benjamin <davidben@google.com> 1 year ago			`} // namespace bssl`
Bring in the core of chromium certificate verifier as libpki Initially this leaves the canonical source in chrome, Additions and fillins are committed directly, the chrome files are coverted using the IMPORT script run from the pki directory for the moment. The intention here is to continue frequent automatic conversion (and avoid wholesale cosmetic changes in here for now) until chrome converts to use these files in place of it's versions. At that point these will become the definiative files, and the IMPORT script can be tossed out. A middle step along the way will be to change google3's verify.cc in third_party/chromium_certificate_verifier to use this instead of it's own extracted copy. Status (and what is not done yet) being roughly tracked in README.md Bug: chromium:1322914 Change-Id: Ibdb5479bc68985fa61ce6b10f98f31f6b3a7cbdf Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60285 Commit-Queue: Bob Beck <bbe@google.com> Reviewed-by: Adam Langley <agl@google.com> 2 years ago
			`#endif // BSSL_PKI_TRUST_STORE_H_`