Chromium Code Reviews Chromium Code Reviews
Issue 1081913003:
Route OCSP stapling through CertVerifier. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@boringnss| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #ifndef NET_CERT_CERT_VERIFY_PROC_NSS_H_ | 5 #ifndef NET_CERT_CERT_VERIFY_PROC_NSS_H_ |
| 6 #define NET_CERT_CERT_VERIFY_PROC_NSS_H_ | 6 #define NET_CERT_CERT_VERIFY_PROC_NSS_H_ |
| 7 | 7 |
| 8 #include <certt.h> | 8 #include <certt.h> |
| 9 | 9 |
| 10 #include "net/base/net_export.h" | 10 #include "net/base/net_export.h" |
| 11 #include "net/cert/cert_verify_proc.h" | 11 #include "net/cert/cert_verify_proc.h" |
| 12 | 12 |
| 13 namespace net { | 13 namespace net { |
| 14 | 14 |
| 15 // Performs certificate path construction and validation using NSS's libpkix. | 15 // Performs certificate path construction and validation using NSS's libpkix. |
| 16 class NET_EXPORT_PRIVATE CertVerifyProcNSS : public CertVerifyProc { | 16 class NET_EXPORT_PRIVATE CertVerifyProcNSS : public CertVerifyProc { |
| 17 public: | 17 public: |
| 18 CertVerifyProcNSS(); | 18 CertVerifyProcNSS(); |
| 19 | 19 |
| 20 bool SupportsAdditionalTrustAnchors() const override; | 20 bool SupportsAdditionalTrustAnchors() const override; |
| 21 bool SupportsOCSPStapling() const override; | |
| 21 | 22 |
| 22 protected: | 23 protected: |
| 23 ~CertVerifyProcNSS() override; | 24 ~CertVerifyProcNSS() override; |
| 24 | 25 |
| 25 // Like VerifyInternal, but adds a |chain_verify_callback| to override trust | 26 // Like VerifyInternal, but adds a |chain_verify_callback| to override trust |
| 26 // decisions. See the documentation for CERTChainVerifyCallback and | 27 // decisions. See the documentation for CERTChainVerifyCallback and |
| 27 // CERTChainVerifyCallbackFunc in NSS's lib/certdb/certt.h. | 28 // CERTChainVerifyCallbackFunc in NSS's lib/certdb/certt.h. |
| 28 int VerifyInternalImpl(X509Certificate* cert, | 29 int VerifyInternalImpl(X509Certificate* cert, |
| 29 const std::string& hostname, | 30 const std::string& hostname, |
| 31 const std::string& ocsp_response, | |
| 30 int flags, | 32 int flags, |
| 31 CRLSet* crl_set, | 33 CRLSet* crl_set, |
| 32 const CertificateList& additional_trust_anchors, | 34 const CertificateList& additional_trust_anchors, |
| 33 CERTChainVerifyCallback* chain_verify_callback, | 35 CERTChainVerifyCallback* chain_verify_callback, |
| 34 CertVerifyResult* verify_result); | 36 CertVerifyResult* verify_result); |
| 35 | 37 |
| 36 private: | 38 private: |
| 37 int VerifyInternal(X509Certificate* cert, | 39 int VerifyInternal(X509Certificate* cert, |
| 38 const std::string& hostname, | 40 const std::string& hostname, |
| 41 const std::string& ocsp_response, | |
| 39 int flags, | 42 int flags, |
| 40 CRLSet* crl_set, | 43 CRLSet* crl_set, |
| 41 const CertificateList& additional_trust_anchors, | 44 const CertificateList& additional_trust_anchors, |
| 42 CertVerifyResult* verify_result) override; | 45 CertVerifyResult* verify_result) override; |
| 46 | |
| 47 #if defined(USE_NSS_CERTS) | |
| 48 using CacheOCSPResponseFromSideChannelFunction = | |
| 49 SECStatus (*)(CERTCertDBHandle* handle, | |
| 50 CERTCertificate* cert, | |
| 51 PRTime time, | |
| 52 SECItem* encodedResponse, | |
| 53 void* pwArg); | |
| 54 CacheOCSPResponseFromSideChannelFunction | |
|
Ryan Sleevi
2015/04/23 01:41:23
Const-this, since it will definitely be hit on mul
davidben
2015/04/23 20:41:47
Done.
| |
| 55 cache_ocsp_response_from_side_channel_; | |
| 56 #endif | |
| 43 }; | 57 }; |
| 44 | 58 |
| 45 } // namespace net | 59 } // namespace net |
| 46 | 60 |
| 47 #endif // NET_CERT_CERT_VERIFY_PROC_NSS_H_ | 61 #endif // NET_CERT_CERT_VERIFY_PROC_NSS_H_ |
| OLD | NEW |
