// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "net/cert/internal/trust_store_nss.h" #include <cert.h> #include <certdb.h> #include <certt.h> #include <pk11pub.h> #include <pkcs11n.h> #include <pkcs11t.h> #include <seccomon.h> #include <secmod.h> #include <secmodt.h> #include "base/containers/to_vector.h" #include "base/hash/sha1.h" #include "base/logging.h" #include "base/notreached.h" #include "base/strings/string_number_conversions.h" #include "build/chromeos_buildflags.h" #include "crypto/chaps_support.h" #include "crypto/nss_util.h" #include "crypto/nss_util_internal.h" #include "crypto/scoped_nss_types.h" #include "net/base/features.h" #include "net/cert/internal/platform_trust_store.h" #include "net/cert/scoped_nss_types.h" #include "net/cert/x509_util.h" #include "net/cert/x509_util_nss.h" #include "third_party/boringssl/src/pki/cert_errors.h" #include "third_party/boringssl/src/pki/parsed_certificate.h" #include "third_party/boringssl/src/pki/trust_store.h" #if BUILDFLAG(IS_CHROMEOS) && BUILDFLAG(IS_CHROMEOS_DEVICE) // TODO(crbug.com/40281745): We can remove these weak attributes in M123 or // later. Until then, these need to be declared with the weak attribute // since older platforms may not provide these symbols. extern "C" CERTCertList* CERT_CreateSubjectCertListForChromium( CERTCertList* certList, CERTCertDBHandle* handle, const SECItem* name, PRTime sorttime, PRBool validOnly, PRBool ignoreChaps) __attribute__((weak)); extern "C" CERTCertificate* CERT_FindCertByDERCertForChromium( CERTCertDBHandle* handle, SECItem* derCert, PRBool ignoreChaps) __attribute__((weak)); #endif // BUILDFLAG(IS_CHROMEOS) && BUILDFLAG(IS_CHROMEOS_DEVICE) namespace net { namespace { struct FreePK11GenericObjects { … }; ScopedPK11GenericObjects; // Get the list of all slots `nss_cert` is present in, along with the object // handle of the cert in each of those slots. // // (Note that there is a PK11_GetAllSlotsForCert function that *seems* like it // would be useful here, however it does not actually return all relevant // slots.) std::vector<std::pair<crypto::ScopedPK11Slot, CK_OBJECT_HANDLE>> GetAllSlotsAndHandlesForCert(CERTCertificate* nss_cert, bool ignore_chaps_module) { … } bool IsMozillaCaPolicyProvided(PK11SlotInfo* slot, CK_OBJECT_HANDLE cert_handle) { … } bool IsCertOnlyInNSSRoots(CERTCertificate* cert) { … } } // namespace TrustStoreNSS::ListCertsResult::ListCertsResult(ScopedCERTCertificate cert, bssl::CertificateTrust trust) : … { … } TrustStoreNSS::ListCertsResult::~ListCertsResult() = default; TrustStoreNSS::ListCertsResult::ListCertsResult(ListCertsResult&& other) = default; TrustStoreNSS::ListCertsResult& TrustStoreNSS::ListCertsResult::operator=( ListCertsResult&& other) = default; TrustStoreNSS::TrustStoreNSS(UserSlotTrustSetting user_slot_trust_setting) : … { … } TrustStoreNSS::~TrustStoreNSS() = default; void TrustStoreNSS::SyncGetIssuersOf(const bssl::ParsedCertificate* cert, bssl::ParsedCertificateList* issuers) { … } std::vector<TrustStoreNSS::ListCertsResult> TrustStoreNSS::ListCertsIgnoringNSSRoots() { … } // TODO(crbug.com/40850344): add histograms? (how often hits fast vs // medium vs slow path, timing of fast/medium/slow path/all, etc?) // TODO(crbug.com/40850344): NSS also seemingly has some magical // trusting of any self-signed cert with CKA_ID=0, if it doesn't have a // matching trust object. Do we need to do that too? (this pk11_isID0 thing: // https://searchfox.org/nss/source/lib/pk11wrap/pk11cert.c#357) bssl::CertificateTrust TrustStoreNSS::GetTrust( const bssl::ParsedCertificate* cert) { … } bssl::CertificateTrust TrustStoreNSS::GetTrustIgnoringSystemTrust( CERTCertificate* nss_cert) const { … } bssl::CertificateTrust TrustStoreNSS::GetTrustForNSSTrust( const CERTCertTrust& trust) const { … } std::vector<PlatformTrustStore::CertWithTrust> TrustStoreNSS::GetAllUserAddedCerts() { … } } // namespace net
Codebase Browser
chromium