| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #ifndef NET_CERT_CERT_VERIFY_PROC_H_ | 5 #ifndef NET_CERT_CERT_VERIFY_PROC_H_ |
| 6 #define NET_CERT_CERT_VERIFY_PROC_H_ | 6 #define NET_CERT_CERT_VERIFY_PROC_H_ |
| 7 | 7 |
| 8 #include <string> | 8 #include <string> |
| 9 #include <vector> | 9 #include <vector> |
| 10 | 10 |
| (...skipping 20 matching lines...) Expand all Loading... |
| 31 | 31 |
| 32 // Verifies the certificate against the given hostname as an SSL server | 32 // Verifies the certificate against the given hostname as an SSL server |
| 33 // certificate. Returns OK if successful or an error code upon failure. | 33 // certificate. Returns OK if successful or an error code upon failure. |
| 34 // | 34 // |
| 35 // The |*verify_result| structure, including the |verify_result->cert_status| | 35 // The |*verify_result| structure, including the |verify_result->cert_status| |
| 36 // bitmask, is always filled out regardless of the return value. If the | 36 // bitmask, is always filled out regardless of the return value. If the |
| 37 // certificate has multiple errors, the corresponding status flags are set in | 37 // certificate has multiple errors, the corresponding status flags are set in |
| 38 // |verify_result->cert_status|, and the error code for the most serious | 38 // |verify_result->cert_status|, and the error code for the most serious |
| 39 // error is returned. | 39 // error is returned. |
| 40 // | 40 // |
| 41 // |ocsp_response|, if non-empty, is a stapled OCSP response to use. |
| 42 // |
| 41 // |flags| is bitwise OR'd of VerifyFlags: | 43 // |flags| is bitwise OR'd of VerifyFlags: |
| 42 // | 44 // |
| 43 // If VERIFY_REV_CHECKING_ENABLED is set in |flags|, online certificate | 45 // If VERIFY_REV_CHECKING_ENABLED is set in |flags|, online certificate |
| 44 // revocation checking is performed (i.e. OCSP and downloading CRLs). CRLSet | 46 // revocation checking is performed (i.e. OCSP and downloading CRLs). CRLSet |
| 45 // based revocation checking is always enabled, regardless of this flag, if | 47 // based revocation checking is always enabled, regardless of this flag, if |
| 46 // |crl_set| is given. | 48 // |crl_set| is given. |
| 47 // | 49 // |
| 48 // If VERIFY_EV_CERT is set in |flags| too, EV certificate verification is | 50 // If VERIFY_EV_CERT is set in |flags| too, EV certificate verification is |
| 49 // performed. | 51 // performed. |
| 50 // | 52 // |
| 51 // |crl_set| points to an optional CRLSet structure which can be used to | 53 // |crl_set| points to an optional CRLSet structure which can be used to |
| 52 // avoid revocation checks over the network. | 54 // avoid revocation checks over the network. |
| 53 // | 55 // |
| 54 // |additional_trust_anchors| lists certificates that can be trusted when | 56 // |additional_trust_anchors| lists certificates that can be trusted when |
| 55 // building a certificate chain, in addition to the anchors known to the | 57 // building a certificate chain, in addition to the anchors known to the |
| 56 // implementation. | 58 // implementation. |
| 57 int Verify(X509Certificate* cert, | 59 int Verify(X509Certificate* cert, |
| 58 const std::string& hostname, | 60 const std::string& hostname, |
| 61 const std::string& ocsp_response, |
| 59 int flags, | 62 int flags, |
| 60 CRLSet* crl_set, | 63 CRLSet* crl_set, |
| 61 const CertificateList& additional_trust_anchors, | 64 const CertificateList& additional_trust_anchors, |
| 62 CertVerifyResult* verify_result); | 65 CertVerifyResult* verify_result); |
| 63 | 66 |
| 64 // Returns true if the implementation supports passing additional trust | 67 // Returns true if the implementation supports passing additional trust |
| 65 // anchors to the Verify() call. The |additional_trust_anchors| parameter | 68 // anchors to the Verify() call. The |additional_trust_anchors| parameter |
| 66 // passed to Verify() is ignored when this returns false. | 69 // passed to Verify() is ignored when this returns false. |
| 67 virtual bool SupportsAdditionalTrustAnchors() const = 0; | 70 virtual bool SupportsAdditionalTrustAnchors() const = 0; |
| 68 | 71 |
| 72 // Returns true if the implementation supports passing a stapled OCSP response |
| 73 // to the Verify() call. The |ocsp_response| parameter passed to Verify() is |
| 74 // ignored when this returns false. |
| 75 virtual bool SupportsOCSPStapling() const = 0; |
| 76 |
| 69 protected: | 77 protected: |
| 70 CertVerifyProc(); | 78 CertVerifyProc(); |
| 71 virtual ~CertVerifyProc(); | 79 virtual ~CertVerifyProc(); |
| 72 | 80 |
| 73 private: | 81 private: |
| 74 friend class base::RefCountedThreadSafe<CertVerifyProc>; | 82 friend class base::RefCountedThreadSafe<CertVerifyProc>; |
| 75 FRIEND_TEST_ALL_PREFIXES(CertVerifyProcTest, DigiNotarCerts); | 83 FRIEND_TEST_ALL_PREFIXES(CertVerifyProcTest, DigiNotarCerts); |
| 76 FRIEND_TEST_ALL_PREFIXES(CertVerifyProcTest, TestHasTooLongValidity); | 84 FRIEND_TEST_ALL_PREFIXES(CertVerifyProcTest, TestHasTooLongValidity); |
| 77 | 85 |
| 78 // Performs the actual verification using the desired underlying | 86 // Performs the actual verification using the desired underlying |
| 79 // cryptographic library. On entry, |verify_result->verified_cert| | 87 // cryptographic library. On entry, |verify_result->verified_cert| |
| 80 // is set to |cert|, the unverified chain. If no chain is built, the | 88 // is set to |cert|, the unverified chain. If no chain is built, the |
| 81 // value must be left untouched. | 89 // value must be left untouched. |
| 82 virtual int VerifyInternal(X509Certificate* cert, | 90 virtual int VerifyInternal(X509Certificate* cert, |
| 83 const std::string& hostname, | 91 const std::string& hostname, |
| 92 const std::string& ocsp_response, |
| 84 int flags, | 93 int flags, |
| 85 CRLSet* crl_set, | 94 CRLSet* crl_set, |
| 86 const CertificateList& additional_trust_anchors, | 95 const CertificateList& additional_trust_anchors, |
| 87 CertVerifyResult* verify_result) = 0; | 96 CertVerifyResult* verify_result) = 0; |
| 88 | 97 |
| 89 // Returns true if |cert| is explicitly blacklisted. | 98 // Returns true if |cert| is explicitly blacklisted. |
| 90 static bool IsBlacklisted(X509Certificate* cert); | 99 static bool IsBlacklisted(X509Certificate* cert); |
| 91 | 100 |
| 92 // IsPublicKeyBlacklisted returns true iff one of |public_key_hashes| (which | 101 // IsPublicKeyBlacklisted returns true iff one of |public_key_hashes| (which |
| 93 // are hashes of SubjectPublicKeyInfo structures) is explicitly blocked. | 102 // are hashes of SubjectPublicKeyInfo structures) is explicitly blocked. |
| (...skipping 19 matching lines...) Expand all Loading... |
| 113 // requirement they expire within 7 years after the effective date of the BRs | 122 // requirement they expire within 7 years after the effective date of the BRs |
| 114 // (i.e. by 1 July 2019). | 123 // (i.e. by 1 July 2019). |
| 115 static bool HasTooLongValidity(const X509Certificate& cert); | 124 static bool HasTooLongValidity(const X509Certificate& cert); |
| 116 | 125 |
| 117 DISALLOW_COPY_AND_ASSIGN(CertVerifyProc); | 126 DISALLOW_COPY_AND_ASSIGN(CertVerifyProc); |
| 118 }; | 127 }; |
| 119 | 128 |
| 120 } // namespace net | 129 } // namespace net |
| 121 | 130 |
| 122 #endif // NET_CERT_CERT_VERIFY_PROC_H_ | 131 #endif // NET_CERT_CERT_VERIFY_PROC_H_ |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1081913003:
Route OCSP stapling through CertVerifier. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@boringnss