net/base/cert_verify_result.h - Issue 6874039: Return the constructed certificate chain in X509Certificate::Verify()

Side by Side Diff: net/base/cert_verify_result.h

Issue 6874039: Return the constructed certificate chain in X509Certificate::Verify() (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: Ensure the EE cert is marked as a TLS server cert, not a CA cert Created 9 years, 8 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

OLD	NEW
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #ifndef NET_BASE_CERT_VERIFY_RESULT_H_	5 #ifndef NET_BASE_CERT_VERIFY_RESULT_H_

6 #define NET_BASE_CERT_VERIFY_RESULT_H_	6 #define NET_BASE_CERT_VERIFY_RESULT_H_

7 #pragma once	7 #pragma once

8	8

9 #include <vector>	9 #include <vector>

10	10

	11 #include "base/memory/ref_counted.h"

11 #include "net/base/x509_cert_types.h"	12 #include "net/base/x509_cert_types.h"

12	13

13 namespace net {	14 namespace net {

14	15

15 // The result of certificate verification. Eventually this may contain the	16 class X509Certificate;

16 // certificate chain that was constructed during certificate verification.	17

	18 // The result of certificate verification.

17 class CertVerifyResult {	19 class CertVerifyResult {

18 public:	20 public:

19 CertVerifyResult();	21 CertVerifyResult();

20 ~CertVerifyResult();	22 ~CertVerifyResult();

21	23

22 void Reset();	24 void Reset();

23	25

24 // Bitmask of CERT_STATUS_* from net/base/cert_status_flags.h	26 // The certificate and chain that were constructed during verification.
	wtc 2011/07/26 00:16:35 Nit: were => was because only the chain was constr Nit: were => was because only the chain was constructed.
	27 // Note that the though the verified certificate will match the originally

	28 // supplied certificate, the intermediate certificates stored within may

	29 // be substantially different.
	agl 2011/04/18 13:50:27 I think it's worth noting that, in the event of a I think it's worth noting that, in the event of a verification failure, this will contain the chain as supplied by the server.
	30 scoped_refptr<X509Certificate> verified_cert;
	wtc 2011/04/20 23:39:30 It's better to return a CertificateList to avoid t It's better to return a CertificateList to avoid the confusion. Ryan Sleevi 2011/04/20 23:44:34 As implemented, this means that the subject, issue Show quoted text On 2011/04/20 23:39:30, wtc wrote: > It's better to return a CertificateList to avoid the > confusion. As implemented, this means that the subject, issuer, and validity dates for every intermediate and root must be parsed, even though they are never accessed by Chromium on Windows/Mac, and the parsed results are ignored in the Linux/CrOS certificate viewer in favour of accessing NSS directly. This is in line with the comments on http://codereview.chromium.org/2944008/ , so I'll defer any changes until we discuss the issues raised there.
	31

	32 // Bitmask of CERT_STATUS_* from net/base/cert_status_flags.h. Note that

	33 // these status flags apply to the certificate chain returned in

	34 // \|verified_certificate\|, rather than the originally supplied certificate
	wtc 2011/07/26 00:16:35 Typo: verified_certificate => verified_cert Typo: verified_certificate => verified_cert
	35 // chain.

25 int cert_status;	36 int cert_status;

26	37

27 // Properties of the certificate chain.	38 // Properties of the certificate chain.

28 bool has_md5;	39 bool has_md5;

29 bool has_md2;	40 bool has_md2;

30 bool has_md4;	41 bool has_md4;

31 bool has_md5_ca;	42 bool has_md5_ca;

32 bool has_md2_ca;	43 bool has_md2_ca;

33	44

34 // If the certificate was successfully verified then this contains the SHA1	45 // If the certificate was successfully verified then this contains the SHA1

35 // fingerprints of the SubjectPublicKeyInfos of the chain. The fingerprint	46 // fingerprints of the SubjectPublicKeyInfos of the chain. The fingerprint

36 // from the leaf certificate will be the first element of the vector.	47 // from the leaf certificate will be the first element of the vector.

37 std::vector<SHA1Fingerprint> public_key_hashes;	48 std::vector<SHA1Fingerprint> public_key_hashes;

38	49

39 // is_issued_by_known_root is true if we recognise the root CA as a standard	50 // is_issued_by_known_root is true if we recognise the root CA as a standard

40 // root. If it isn't then it's probably the case that this certificate was	51 // root. If it isn't then it's probably the case that this certificate was

41 // generated by a MITM proxy whose root has been installed locally. This is	52 // generated by a MITM proxy whose root has been installed locally. This is

42 // meaningless if the certificate was not trusted.	53 // meaningless if the certificate was not trusted.

43 bool is_issued_by_known_root;	54 bool is_issued_by_known_root;

44 };	55 };

45	56

46 } // namespace net	57 } // namespace net

47	58

48 #endif // NET_BASE_CERT_VERIFY_RESULT_H_	59 #endif // NET_BASE_CERT_VERIFY_RESULT_H_

OLD	NEW

« no previous file with comments | « no previous file | net/base/cert_verify_result.cc » ('j') | net/base/cert_verify_result.cc » ('J')