blob: 03d06beb973784c881fa3ad742498995294ced7f [file] [log] [blame]
// Copyright 2016 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef BSSL_PKI_TRUST_STORE_IN_MEMORY_H_
#define BSSL_PKI_TRUST_STORE_IN_MEMORY_H_
#include <set>
#include <unordered_map>
#include <openssl/base.h>
#include "trust_store.h"
BSSL_NAMESPACE_BEGIN
// A very simple implementation of a TrustStore, which contains a set of
// certificates and their trustedness.
class OPENSSL_EXPORT TrustStoreInMemory : public TrustStore {
public:
TrustStoreInMemory();
TrustStoreInMemory(const TrustStoreInMemory &) = delete;
TrustStoreInMemory &operator=(const TrustStoreInMemory &) = delete;
~TrustStoreInMemory() override;
// Returns whether the TrustStore is in the initial empty state.
bool IsEmpty() const;
// Empties the trust store, resetting it to original state.
void Clear();
// Adds a certificate with the specified trust settings. Both trusted and
// distrusted certificates require a full DER match.
void AddCertificate(std::shared_ptr<const ParsedCertificate> cert,
const CertificateTrust &trust);
// Adds a certificate as a trust anchor (only the SPKI and subject will be
// used during verification).
void AddTrustAnchor(std::shared_ptr<const ParsedCertificate> cert);
// Adds a certificate as a trust anchor which will have expiration enforced.
// See VerifyCertificateChain for details.
void AddTrustAnchorWithExpiration(
std::shared_ptr<const ParsedCertificate> cert);
// Adds a certificate as a trust anchor and extracts anchor constraints from
// the certificate. See VerifyCertificateChain for details.
void AddTrustAnchorWithConstraints(
std::shared_ptr<const ParsedCertificate> cert);
// TODO(eroman): This is marked "ForTest" as the current implementation
// requires an exact match on the certificate DER (a wider match by say
// issuer/serial is probably what we would want for a real implementation).
void AddDistrustedCertificateForTest(
std::shared_ptr<const ParsedCertificate> cert);
// Distrusts the provided SPKI. This will override any other trust (e.g. if a
// certificate is passed into AddTrustAnchor() and the certificate's SPKI is
// passed into AddDistrustedCertificateBySPKI(), GetTrust() will return
// CertificateTrust::ForDistrusted()).
void AddDistrustedCertificateBySPKI(std::string spki);
// Adds a certificate to the store, that is neither trusted nor untrusted.
void AddCertificateWithUnspecifiedTrust(
std::shared_ptr<const ParsedCertificate> cert);
// TrustStore implementation:
void SyncGetIssuersOf(const ParsedCertificate *cert,
ParsedCertificateList *issuers) override;
CertificateTrust GetTrust(const ParsedCertificate *cert) override;
// Returns true if the trust store contains the given ParsedCertificate
// (matches by DER).
bool Contains(const ParsedCertificate *cert) const;
private:
struct Entry {
Entry();
Entry(const Entry &other);
~Entry();
std::shared_ptr<const ParsedCertificate> cert;
CertificateTrust trust;
};
// Multimap from normalized subject -> Entry.
std::unordered_multimap<std::string_view, Entry> entries_;
// Set of distrusted SPKIs.
std::set<std::string, std::less<>> distrusted_spkis_;
// Returns the `Entry` matching `cert`, or `nullptr` if not in the trust
// store.
const Entry *GetEntry(const ParsedCertificate *cert) const;
};
BSSL_NAMESPACE_END
#endif // BSSL_PKI_TRUST_STORE_IN_MEMORY_H_