Mirror of BoringSSL (grpc依赖)
https://boringssl.googlesource.com/boringssl
// Copyright 2016 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
|
|
#ifndef BSSL_PKI_TRUST_STORE_H_ |
|
#define BSSL_PKI_TRUST_STORE_H_ |
|
|
|
#include <optional> |
|
|
|
#include <openssl/base.h> |
|
|
|
#include "cert_issuer_source.h" |
|
#include "parsed_certificate.h" |
|
|
|
namespace bssl { |
|
|
|
// The overall kind of trust placed in a certificate. Stored in
// CertificateTrust::type.
enum class CertificateTrustType {
  // This certificate is explicitly blocked (distrusted).
  DISTRUSTED,

  // The trustedness of this certificate is unknown (inherits trust from
  // its issuer).
  UNSPECIFIED,

  // This certificate is a trust anchor (as defined by RFC 5280).
  TRUSTED_ANCHOR,

  // This certificate can be used as a trust anchor (as defined by RFC 5280) or
  // a trusted leaf, depending on context.
  TRUSTED_ANCHOR_OR_LEAF,

  // This certificate is a directly trusted leaf.
  TRUSTED_LEAF,

  // NOTE(review): LAST aliases TRUSTED_ANCHOR, not the final enumerator
  // (TRUSTED_LEAF). A range check or deserialization bound written as
  // `value <= LAST` would treat TRUSTED_ANCHOR_OR_LEAF and TRUSTED_LEAF as out
  // of range -- confirm against the users of LAST before relying on it.
  LAST = TRUSTED_ANCHOR
};
|
|
|
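// Describes the level of trust in a certificate: the overall trust `type`
// plus optional enforcement flags.
//
// Every enforcement flag defaults to false, and the For*() factories leave
// them at that default. A value obtained from ForTrustAnchor() therefore
// requests none of the optional anchor checks (expiry, constraints,
// basicConstraints) unless the caller opts in through the With*() builders.
//
// The With*() builders do not modify the object they are called on; they
// return an updated copy. They are marked [[nodiscard]] so that a call whose
// result is dropped -- which would silently leave the check disabled -- is
// diagnosed by the compiler.
struct OPENSSL_EXPORT CertificateTrust {
  // Returns a trust value of type TRUSTED_ANCHOR with all flags at their
  // defaults.
  static constexpr CertificateTrust ForTrustAnchor() {
    CertificateTrust result;
    result.type = CertificateTrustType::TRUSTED_ANCHOR;
    return result;
  }

  // Returns a trust value of type TRUSTED_ANCHOR_OR_LEAF with all flags at
  // their defaults.
  static constexpr CertificateTrust ForTrustAnchorOrLeaf() {
    CertificateTrust result;
    result.type = CertificateTrustType::TRUSTED_ANCHOR_OR_LEAF;
    return result;
  }

  // Returns a trust value of type TRUSTED_LEAF with all flags at their
  // defaults.
  static constexpr CertificateTrust ForTrustedLeaf() {
    CertificateTrust result;
    result.type = CertificateTrustType::TRUSTED_LEAF;
    return result;
  }

  // Returns a default-constructed trust value; `type` is UNSPECIFIED through
  // its default member initializer.
  static constexpr CertificateTrust ForUnspecified() {
    CertificateTrust result;
    return result;
  }

  // Returns a trust value of type DISTRUSTED with all flags at their defaults.
  static constexpr CertificateTrust ForDistrusted() {
    CertificateTrust result;
    result.type = CertificateTrustType::DISTRUSTED;
    return result;
  }

  // Returns a copy of this value with `enforce_anchor_expiry` set to |value|.
  [[nodiscard]] constexpr CertificateTrust WithEnforceAnchorExpiry(
      bool value = true) const {
    CertificateTrust result = *this;
    result.enforce_anchor_expiry = value;
    return result;
  }

  // Returns a copy of this value with `enforce_anchor_constraints` set to
  // |value|.
  [[nodiscard]] constexpr CertificateTrust WithEnforceAnchorConstraints(
      bool value = true) const {
    CertificateTrust result = *this;
    result.enforce_anchor_constraints = value;
    return result;
  }

  // Returns a copy of this value with `require_anchor_basic_constraints` set
  // to |value|. Per the field's documentation below, that flag only has effect
  // when `enforce_anchor_constraints` is also true.
  [[nodiscard]] constexpr CertificateTrust WithRequireAnchorBasicConstraints(
      bool value = true) const {
    CertificateTrust result = *this;
    result.require_anchor_basic_constraints = value;
    return result;
  }

  // Returns a copy of this value with `require_leaf_selfsigned` set to
  // |value|.
  [[nodiscard]] constexpr CertificateTrust WithRequireLeafSelfSigned(
      bool value = true) const {
    CertificateTrust result = *this;
    result.require_leaf_selfsigned = value;
    return result;
  }

  // Predicates over `type`. Their definitions are not in this header.
  // NOTE(review): presumably TRUSTED_ANCHOR_OR_LEAF satisfies both
  // IsTrustAnchor() and IsTrustLeaf() -- confirm against the implementation.
  bool IsTrustAnchor() const;
  bool IsTrustLeaf() const;
  bool IsDistrusted() const;
  bool HasUnspecifiedTrust() const;

  // Returns a string form of this value intended for debugging.
  std::string ToDebugString() const;

  // Parses |trust_string| into a CertificateTrust.
  // NOTE(review): presumably returns std::nullopt when the string cannot be
  // parsed and accepts the format produced by ToDebugString() -- confirm
  // against the implementation.
  static std::optional<CertificateTrust> FromDebugString(
      const std::string &trust_string);

  // The overall type of trust.
  CertificateTrustType type = CertificateTrustType::UNSPECIFIED;

  // Optionally, enforce extra bits on trust anchors. If these are false, the
  // only fields in a trust anchor certificate that are meaningful are its
  // name and SPKI.
  bool enforce_anchor_expiry = false;
  bool enforce_anchor_constraints = false;
  // Require that X.509v3 trust anchors have a basicConstraints extension.
  // X.509v1 and X.509v2 trust anchors do not support basicConstraints and are
  // not affected.
  // Additionally, this setting only has effect if `enforce_anchor_constraints`
  // is true, which also requires that the extension assert CA=true.
  bool require_anchor_basic_constraints = false;

  // Optionally, require trusted leafs to be self-signed to be trusted.
  bool require_leaf_selfsigned = false;
};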
|
|
|
// Interface for finding intermediates / trust anchors, and testing the
// trustedness of certificates.
//
// Not copyable: the copy constructor and copy assignment operator are deleted.
class OPENSSL_EXPORT TrustStore : public CertIssuerSource {
 public:
  TrustStore();

  TrustStore(const TrustStore &) = delete;
  TrustStore &operator=(const TrustStore &) = delete;

  // Returns the trustedness of |cert|, which must be non-null.
  //
  // Pure virtual: each concrete store decides how a certificate maps to a
  // CertificateTrust. NOTE(review): the non-null requirement is a caller
  // precondition; nothing in this declaration enforces it.
  virtual CertificateTrust GetTrust(const ParsedCertificate *cert) = 0;

  // Disable async issuers for TrustStore, as it isn't needed.
  // Declared `final`, so subclasses cannot override it to add asynchronous
  // issuer lookup.
  // NOTE(review): the definition is not in this header; presumably it leaves
  // |*out_req| without a request -- confirm against the implementation.
  void AsyncGetIssuersOf(const ParsedCertificate *cert,
                         std::unique_ptr<Request> *out_req) final;
};
|
|
|
} // namespace bssl |
|
|
|
#endif // BSSL_PKI_TRUST_STORE_H_