Blame - pki/trust_store.cc - boringssl.git

blob: 8ca4120a0f8c36090e4b48136a557352cef2ea31 [file] [log] [blame]

Bob Beck	bc97b7a	2023-04-18 08:35:15 -0600	[diff] [blame]	1	// Copyright 2016 The Chromium Authors
				2	// Use of this source code is governed by a BSD-style license that can be
				3	// found in the LICENSE file.
				4
				5	#include "trust_store.h"
				6
				7	#include "string_util.h"
				8
				9	namespace bssl {
				10
				11	namespace {
				12
				13	constexpr char kUnspecifiedStr[] = "UNSPECIFIED";
				14	constexpr char kDistrustedStr[] = "DISTRUSTED";
				15	constexpr char kTrustedAnchorStr[] = "TRUSTED_ANCHOR";
				16	constexpr char kTrustedAnchorOrLeafStr[] = "TRUSTED_ANCHOR_OR_LEAF";
				17	constexpr char kTrustedLeafStr[] = "TRUSTED_LEAF";
				18
				19	constexpr char kEnforceAnchorExpiry[] = "enforce_anchor_expiry";
				20	constexpr char kEnforceAnchorConstraints[] = "enforce_anchor_constraints";
				21	constexpr char kRequireAnchorBasicConstraints[] =
				22	"require_anchor_basic_constraints";
				23	constexpr char kRequireLeafSelfsigned[] = "require_leaf_selfsigned";
				24
				25	} // namespace
				26
				27	bool CertificateTrust::IsTrustAnchor() const {
				28	switch (type) {
				29	case CertificateTrustType::DISTRUSTED:
				30	case CertificateTrustType::UNSPECIFIED:
				31	case CertificateTrustType::TRUSTED_LEAF:
				32	return false;
				33	case CertificateTrustType::TRUSTED_ANCHOR:
				34	case CertificateTrustType::TRUSTED_ANCHOR_OR_LEAF:
				35	return true;
				36	}
				37
				38	assert(0); // NOTREACHED
				39	return false;
				40	}
				41
				42	bool CertificateTrust::IsTrustLeaf() const {
				43	switch (type) {
				44	case CertificateTrustType::TRUSTED_LEAF:
				45	case CertificateTrustType::TRUSTED_ANCHOR_OR_LEAF:
				46	return true;
				47	case CertificateTrustType::DISTRUSTED:
				48	case CertificateTrustType::UNSPECIFIED:
				49	case CertificateTrustType::TRUSTED_ANCHOR:
				50	return false;
				51	}
				52
				53	assert(0); // NOTREACHED
				54	return false;
				55	}
				56
				57	bool CertificateTrust::IsDistrusted() const {
				58	switch (type) {
				59	case CertificateTrustType::DISTRUSTED:
				60	return true;
				61	case CertificateTrustType::UNSPECIFIED:
				62	case CertificateTrustType::TRUSTED_ANCHOR:
				63	case CertificateTrustType::TRUSTED_ANCHOR_OR_LEAF:
				64	case CertificateTrustType::TRUSTED_LEAF:
				65	return false;
				66	}
				67
				68	assert(0); // NOTREACHED
				69	return false;
				70	}
				71
				72	bool CertificateTrust::HasUnspecifiedTrust() const {
				73	switch (type) {
				74	case CertificateTrustType::UNSPECIFIED:
				75	return true;
				76	case CertificateTrustType::DISTRUSTED:
				77	case CertificateTrustType::TRUSTED_ANCHOR:
				78	case CertificateTrustType::TRUSTED_ANCHOR_OR_LEAF:
				79	case CertificateTrustType::TRUSTED_LEAF:
				80	return false;
				81	}
				82
				83	assert(0); // NOTREACHED
				84	return true;
				85	}
				86
				87	std::string CertificateTrust::ToDebugString() const {
				88	std::string result;
				89	switch (type) {
				90	case CertificateTrustType::UNSPECIFIED:
				91	result = kUnspecifiedStr;
				92	break;
				93	case CertificateTrustType::DISTRUSTED:
				94	result = kDistrustedStr;
				95	break;
				96	case CertificateTrustType::TRUSTED_ANCHOR:
				97	result = kTrustedAnchorStr;
				98	break;
				99	case CertificateTrustType::TRUSTED_ANCHOR_OR_LEAF:
				100	result = kTrustedAnchorOrLeafStr;
				101	break;
				102	case CertificateTrustType::TRUSTED_LEAF:
				103	result = kTrustedLeafStr;
				104	break;
				105	}
				106	if (enforce_anchor_expiry) {
				107	result += '+';
				108	result += kEnforceAnchorExpiry;
				109	}
				110	if (enforce_anchor_constraints) {
				111	result += '+';
				112	result += kEnforceAnchorConstraints;
				113	}
				114	if (require_anchor_basic_constraints) {
				115	result += '+';
				116	result += kRequireAnchorBasicConstraints;
				117	}
				118	if (require_leaf_selfsigned) {
				119	result += '+';
				120	result += kRequireLeafSelfsigned;
				121	}
				122	return result;
				123	}
				124
				125	// static
				126	std::optional<CertificateTrust> CertificateTrust::FromDebugString(
				127	const std::string& trust_string) {
				128	std::vector<std::string_view> split =
				129	string_util::SplitString(trust_string, '+');
				130
				131	if (split.empty()) {
				132	return std::nullopt;
				133	}
				134
				135	CertificateTrust trust;
				136
				137	if (string_util::IsEqualNoCase(split[0], kUnspecifiedStr)) {
				138	trust = CertificateTrust::ForUnspecified();
				139	} else if (string_util::IsEqualNoCase(split[0], kDistrustedStr)) {
				140	trust = CertificateTrust::ForDistrusted();
				141	} else if (string_util::IsEqualNoCase(split[0], kTrustedAnchorStr)) {
				142	trust = CertificateTrust::ForTrustAnchor();
				143	} else if (string_util::IsEqualNoCase(split[0], kTrustedAnchorOrLeafStr)) {
				144	trust = CertificateTrust::ForTrustAnchorOrLeaf();
				145	} else if (string_util::IsEqualNoCase(split[0], kTrustedLeafStr)) {
				146	trust = CertificateTrust::ForTrustedLeaf();
				147	} else {
				148	return std::nullopt;
				149	}
				150
				151	for (auto i = ++split.begin(); i != split.end(); ++i) {
				152	if (string_util::IsEqualNoCase(*i, kEnforceAnchorExpiry)) {
				153	trust = trust.WithEnforceAnchorExpiry();
				154	} else if (string_util::IsEqualNoCase(*i, kEnforceAnchorConstraints)) {
				155	trust = trust.WithEnforceAnchorConstraints();
				156	} else if (string_util::IsEqualNoCase(*i, kRequireAnchorBasicConstraints)) {
				157	trust = trust.WithRequireAnchorBasicConstraints();
				158	} else if (string_util::IsEqualNoCase(*i, kRequireLeafSelfsigned)) {
				159	trust = trust.WithRequireLeafSelfSigned();
				160	} else {
				161	return std::nullopt;
				162	}
				163	}
				164
				165	return trust;
				166	}
				167
				168	TrustStore::TrustStore() = default;
				169
				170	void TrustStore::AsyncGetIssuersOf(const ParsedCertificate* cert,
				171	std::unique_ptr<Request>* out_req) {
				172	out_req->reset();
				173	}
				174
				175	} // namespace net