// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #ifndef BSSL_PKI_TRUST_STORE_H_ #define BSSL_PKI_TRUST_STORE_H_ #include #include #include "cert_issuer_source.h" #include "parsed_certificate.h" namespace bssl { enum class CertificateTrustType { // This certificate is explicitly blocked (distrusted). DISTRUSTED, // The trustedness of this certificate is unknown (inherits trust from // its issuer). UNSPECIFIED, // This certificate is a trust anchor (as defined by RFC 5280). TRUSTED_ANCHOR, // This certificate can be used as a trust anchor (as defined by RFC 5280) or // a trusted leaf, depending on context. TRUSTED_ANCHOR_OR_LEAF, // This certificate is a directly trusted leaf. TRUSTED_LEAF, LAST = TRUSTED_ANCHOR }; // Describes the level of trust in a certificate. struct OPENSSL_EXPORT CertificateTrust { static constexpr CertificateTrust ForTrustAnchor() { CertificateTrust result; result.type = CertificateTrustType::TRUSTED_ANCHOR; return result; } static constexpr CertificateTrust ForTrustAnchorOrLeaf() { CertificateTrust result; result.type = CertificateTrustType::TRUSTED_ANCHOR_OR_LEAF; return result; } static constexpr CertificateTrust ForTrustedLeaf() { CertificateTrust result; result.type = CertificateTrustType::TRUSTED_LEAF; return result; } static constexpr CertificateTrust ForUnspecified() { CertificateTrust result; return result; } static constexpr CertificateTrust ForDistrusted() { CertificateTrust result; result.type = CertificateTrustType::DISTRUSTED; return result; } constexpr CertificateTrust WithEnforceAnchorExpiry(bool value = true) const { CertificateTrust result = *this; result.enforce_anchor_expiry = value; return result; } constexpr CertificateTrust WithEnforceAnchorConstraints( bool value = true) const { CertificateTrust result = *this; result.enforce_anchor_constraints = value; return result; } constexpr CertificateTrust WithRequireAnchorBasicConstraints( bool value = true) const { CertificateTrust result = *this; result.require_anchor_basic_constraints = value; return result; } constexpr CertificateTrust WithRequireLeafSelfSigned( bool value = true) const { CertificateTrust result = *this; result.require_leaf_selfsigned = value; return result; } bool IsTrustAnchor() const; bool IsTrustLeaf() const; bool IsDistrusted() const; bool HasUnspecifiedTrust() const; std::string ToDebugString() const; static std::optional FromDebugString( const std::string &trust_string); // The overall type of trust. CertificateTrustType type = CertificateTrustType::UNSPECIFIED; // Optionally, enforce extra bits on trust anchors. If these are false, the // only fields in a trust anchor certificate that are meaningful are its // name and SPKI. bool enforce_anchor_expiry = false; bool enforce_anchor_constraints = false; // Require that X.509v3 trust anchors have a basicConstraints extension. // X.509v1 and X.509v2 trust anchors do not support basicConstraints and are // not affected. // Additionally, this setting only has effect if `enforce_anchor_constraints` // is true, which also requires that the extension assert CA=true. bool require_anchor_basic_constraints = false; // Optionally, require trusted leafs to be self-signed to be trusted. bool require_leaf_selfsigned = false; }; // Interface for finding intermediates / trust anchors, and testing the // trustedness of certificates. class OPENSSL_EXPORT TrustStore : public CertIssuerSource { public: TrustStore(); TrustStore(const TrustStore &) = delete; TrustStore &operator=(const TrustStore &) = delete; // Returns the trusted of |cert|, which must be non-null. virtual CertificateTrust GetTrust(const ParsedCertificate *cert) = 0; // Disable async issuers for TrustStore, as it isn't needed. void AsyncGetIssuersOf(const ParsedCertificate *cert, std::unique_ptr *out_req) final; }; } // namespace bssl #endif // BSSL_PKI_TRUST_STORE_H_