blob: b0b56a9ba9c9ea748eeb138f9169f782d7617b7e [file] [log] [blame]
// Copyright 2017 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include <CoreFoundation/CoreFoundation.h>
#include "base/gtest_prod_util.h"
#include "base/mac/scoped_cftyperef.h"
#include "base/memory/ref_counted.h"
#include "net/base/net_export.h"
#include "net/cert/internal/trust_store.h"
namespace net {
// TrustStoreMac is an implementation of TrustStore which uses macOS keychain
// to find trust anchors for path building.
class NET_EXPORT TrustStoreMac : public TrustStore {
// Creates a TrustStoreMac which will find anchors that are trusted for
// |policy_oid|. For list of possible policy values, see:
// TODO(mattm): policy oids are actually CFStrings, but the constants are
// defined as CFTypeRef in older SDK versions. Change |policy_oid| type to
// const CFStringRef when Chromium switches to building against the 10.11 SDK
// (or newer).
explicit TrustStoreMac(CFTypeRef policy_oid);
~TrustStoreMac() override;
// TrustStore implementation:
void SyncGetIssuersOf(const ParsedCertificate* cert,
ParsedCertificateList* issuers) override;
void GetTrust(const scoped_refptr<ParsedCertificate>& cert,
CertificateTrust* trust) const override;
FRIEND_TEST_ALL_PREFIXES(TrustStoreMacTest, MultiRootNotTrusted);
FRIEND_TEST_ALL_PREFIXES(TrustStoreMacTest, SystemCerts);
// Finds certificates in the OS keychains whose Subject matches |name_data|.
// The result is an array of SecCertificateRef.
static base::ScopedCFTypeRef<CFArrayRef>
FindMatchingCertificatesForMacNormalizedSubject(CFDataRef name_data);
// Returns the OS-normalized issuer of |cert|.
// macOS internally uses a normalized form of subject/issuer names for
// comparing, roughly similar to RFC3280's normalization scheme. The
// normalized form is used for any database lookups and comparisons.
static base::ScopedCFTypeRef<CFDataRef> GetMacNormalizedIssuer(
const ParsedCertificate* cert);
const CFStringRef policy_oid_;
} // namespace net