Add distrust by SPKI to TrustStoreInMemory
Change-Id: I9dcb1ef1218ece2678688abe7459fb2d1dcb8854
Bug: chromium:1477317
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/64308
Reviewed-by: Bob Beck <bbe@google.com>
Commit-Queue: Bob Beck <bbe@google.com>
diff --git a/pki/trust_store_in_memory.cc b/pki/trust_store_in_memory.cc
index 47fe6d4..3da1b8d 100644
--- a/pki/trust_store_in_memory.cc
+++ b/pki/trust_store_in_memory.cc
@@ -36,6 +36,10 @@
AddCertificate(std::move(cert), CertificateTrust::ForDistrusted());
}
+void TrustStoreInMemory::AddDistrustedCertificateBySPKI(std::string spki) {
+ distrusted_spkis_.insert(std::move(spki));
+}
+
void TrustStoreInMemory::AddCertificateWithUnspecifiedTrust(
std::shared_ptr<const ParsedCertificate> cert) {
AddCertificate(std::move(cert), CertificateTrust::ForUnspecified());
@@ -50,6 +54,12 @@
}
CertificateTrust TrustStoreInMemory::GetTrust(const ParsedCertificate *cert) {
+ // Check SPKI distrust first.
+ if (distrusted_spkis_.find(cert->tbs().spki_tlv.AsString()) !=
+ distrusted_spkis_.end()) {
+ return CertificateTrust::ForDistrusted();
+ }
+
const Entry *entry = GetEntry(cert);
return entry ? entry->trust : CertificateTrust::ForUnspecified();
}
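Review bot: The new lookup at the top of GetTrust() materialises a std::string copy of the certificate's SPKI TLV on every call, including the common case where no SPKI was ever distrusted; a cheap guard such as `if (!distrusted_spkis_.empty() && distrusted_spkis_.count(cert->tbs().spki_tlv.AsString()) != 0)` avoids that allocation, or the set could be declared with `std::less<>` and queried by string_view if der::Input exposes one (not visible here). The comment `// Check SPKI distrust first.` states what the code does but not why the ordering matters; I'd replace it with `// SPKI distrust deliberately overrides entries_: a key flagged as distrusted is rejected in every certificate that carries it, even one added as a trust anchor.`, which is the contract the header comment and the DistrustBySPKIOverridesTrust test rely on. GetTrust() is contained entirely within this hunk.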
diff --git a/pki/trust_store_in_memory.h b/pki/trust_store_in_memory.h
index 4fea8d1..59ae3a4 100644
--- a/pki/trust_store_in_memory.h
+++ b/pki/trust_store_in_memory.h
@@ -6,6 +6,7 @@
#define BSSL_PKI_TRUST_STORE_IN_MEMORY_H_
#include <unordered_map>
+#include <set>
#include <openssl/base.h>
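Review bot: `#include <set>` is inserted after `<unordered_map>`, which breaks the alphabetical ordering of the standard headers; it belongs above it. The declarations added elsewhere in this commit also introduce `std::string` into the header (the new method parameter and the new member), so if `<string>` is not already included further up — it is not visible in this hunk — it should be added explicitly rather than relied on transitively.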
@@ -55,6 +56,12 @@
void AddDistrustedCertificateForTest(
std::shared_ptr<const ParsedCertificate> cert);
+ // Distrusts the provided SPKI. This will override any other trust (e.g. if a
+ // certificate is passed into AddTrustAnchor() and the certificate's SPKI is
+ // passed into AddDistrustedCertificateBySPKI(), GetTrust() will return
+ // CertificateTrust::ForDistrusted()).
+ void AddDistrustedCertificateBySPKI(std::string spki);
+
// Adds a certificate to the store, that is neither trusted nor untrusted.
void AddCertificateWithUnspecifiedTrust(
std::shared_ptr<const ParsedCertificate> cert);
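Review bot: The comment on AddDistrustedCertificateBySPKI() never says what form the `spki` string must take, yet the implementation in trust_store_in_memory.cc matches it byte-for-byte against `cert->tbs().spki_tlv.AsString()`, i.e. the DER-encoded SubjectPublicKeyInfo TLV; a caller that passes a hash or fingerprint gets an entry that silently never matches. I'd open the comment with `// Distrusts the given SPKI, supplied as the raw DER-encoded SubjectPublicKeyInfo bytes (the same bytes as ParsedCertificate::tbs().spki_tlv); a hash or fingerprint will not match.` and keep the existing override sentence after it. The method name also reads as if it distrusts a certificate, while it actually distrusts a key across every certificate carrying it, which the comment could state in one clause.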
@@ -81,6 +88,9 @@
// Multimap from normalized subject -> Entry.
std::unordered_multimap<std::string_view, Entry> entries_;
+ // Set of distrusted SPKIs.
+ std::set<std::string> distrusted_spkis_;
+
// Returns the `Entry` matching `cert`, or `nullptr` if not in the trust
// store.
const Entry *GetEntry(const ParsedCertificate *cert) const;
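Review bot: `std::set<std::string>` is an ordered container whose ordering nothing uses, and it sits next to `entries_`, which is an unordered_multimap; either `std::unordered_set<std::string>` for consistency with the existing member and O(1) lookup, or `std::set<std::string, std::less<>>` so GetTrust() can look up by string_view without allocating, would be a more deliberate choice. The member comment `// Set of distrusted SPKIs.` should also say what an element is, e.g. `// DER-encoded SubjectPublicKeyInfo values whose keys are distrusted regardless of any entry in entries_.`, since the byte-exact match is the only thing that ties this member to the lookup in GetTrust().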
diff --git a/pki/trust_store_in_memory_unittest.cc b/pki/trust_store_in_memory_unittest.cc
new file mode 100644
index 0000000..92c3bb8
--- /dev/null
+++ b/pki/trust_store_in_memory_unittest.cc
@@ -0,0 +1,110 @@
+/* Copyright (c) 2023, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include "trust_store_in_memory.h"
+
+#include <gtest/gtest.h>
+#include "test_helpers.h"
+
+namespace bssl {
+namespace {
+
+class TrustStoreInMemoryTest : public testing::Test {
+ public:
+ void SetUp() override {
+ ParsedCertificateList chain;
+ ASSERT_TRUE(ReadCertChainFromFile(
+ "testdata/verify_certificate_chain_unittest/key-rollover/oldchain.pem",
+ &chain));
+
+ ASSERT_EQ(3U, chain.size());
+ target_ = chain[0];
+ oldintermediate_ = chain[1];
+ oldroot_ = chain[2];
+ ASSERT_TRUE(target_);
+ ASSERT_TRUE(oldintermediate_);
+ ASSERT_TRUE(oldroot_);
+
+ ASSERT_TRUE(
+ ReadCertChainFromFile("testdata/verify_certificate_chain_unittest/"
+ "key-rollover/longrolloverchain.pem",
+ &chain));
+
+ ASSERT_EQ(5U, chain.size());
+ newintermediate_ = chain[1];
+ newroot_ = chain[2];
+ newrootrollover_ = chain[3];
+ ASSERT_TRUE(newintermediate_);
+ ASSERT_TRUE(newroot_);
+ ASSERT_TRUE(newrootrollover_);
+ }
+
+ protected:
+ std::shared_ptr<const ParsedCertificate> oldroot_;
+ std::shared_ptr<const ParsedCertificate> newroot_;
+ std::shared_ptr<const ParsedCertificate> newrootrollover_;
+
+ std::shared_ptr<const ParsedCertificate> target_;
+ std::shared_ptr<const ParsedCertificate> oldintermediate_;
+ std::shared_ptr<const ParsedCertificate> newintermediate_;
+};
+
+TEST_F(TrustStoreInMemoryTest, OneRootTrusted) {
+ TrustStoreInMemory in_memory;
+ in_memory.AddTrustAnchor(newroot_);
+
+ // newroot_ is trusted.
+ CertificateTrust trust = in_memory.GetTrust(newroot_.get());
+ EXPECT_EQ(CertificateTrust::ForTrustAnchor().ToDebugString(),
+ trust.ToDebugString());
+
+ // oldroot_ is not.
+ trust = in_memory.GetTrust(oldroot_.get());
+ EXPECT_EQ(CertificateTrust::ForUnspecified().ToDebugString(),
+ trust.ToDebugString());
+}
+
+TEST_F(TrustStoreInMemoryTest, DistrustBySPKI) {
+ TrustStoreInMemory in_memory;
+ in_memory.AddDistrustedCertificateBySPKI(newroot_->tbs().spki_tlv.AsString());
+
+ // newroot_ is distrusted.
+ CertificateTrust trust = in_memory.GetTrust(newroot_.get());
+ EXPECT_EQ(CertificateTrust::ForDistrusted().ToDebugString(),
+ trust.ToDebugString());
+
+ // oldroot_ is unspecified.
+ trust = in_memory.GetTrust(oldroot_.get());
+ EXPECT_EQ(CertificateTrust::ForUnspecified().ToDebugString(),
+ trust.ToDebugString());
+
+ // newrootrollover_ is also distrusted because it has the same key.
+ trust = in_memory.GetTrust(newrootrollover_.get());
+ EXPECT_EQ(CertificateTrust::ForDistrusted().ToDebugString(),
+ trust.ToDebugString());
+}
+
+TEST_F(TrustStoreInMemoryTest, DistrustBySPKIOverridesTrust) {
+ TrustStoreInMemory in_memory;
+ in_memory.AddTrustAnchor(newroot_);
+ in_memory.AddDistrustedCertificateBySPKI(newroot_->tbs().spki_tlv.AsString());
+
+ // newroot_ is distrusted.
+ CertificateTrust trust = in_memory.GetTrust(newroot_.get());
+ EXPECT_EQ(CertificateTrust::ForDistrusted().ToDebugString(),
+ trust.ToDebugString());
+}
+
+} // namespace
+} // namespace bssl
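Review bot: None of the new tests pins that the SPKI early-return in GetTrust() leaves the ordinary entries_ path intact when a *different* key is distrusted; DistrustBySPKI checks oldroot_ only with no anchors present, and DistrustBySPKIOverridesTrust only the same-key case. A test that adds newroot_ as an anchor, distrusts oldroot_'s SPKI, and then expects `CertificateTrust::ForTrustAnchor().ToDebugString()` from `in_memory.GetTrust(newroot_.get()).ToDebugString()` would catch a regression that made the distrust check shadow trusted entries, and the reverse registration order (distrust first, then AddTrustAnchor) is cheap to cover in the same fixture. The repeated `EXPECT_EQ(...ToDebugString(), trust.ToDebugString())` pairs could also be folded into a small helper or a `HasTrust(store, cert, expected)` lambda to keep each test readable.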
diff --git a/sources.cmake b/sources.cmake
index f738b61..8edf805 100644
--- a/sources.cmake
+++ b/sources.cmake
@@ -414,6 +414,7 @@
pki/string_util_unittest.cc
pki/test_helpers.cc
pki/trust_store_collection_unittest.cc
+ pki/trust_store_in_memory_unittest.cc
pki/verify_certificate_chain_pkits_unittest.cc
pki/verify_certificate_chain_unittest.cc
pki/verify_name_match_unittest.cc