Add initial code for verifying a certificate chain.

net/cert/internal/verify_certificate_chain.h

+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_CERT_INTERNAL_VERIFY_CERTIFICATE_CHAIN_H_
+#define NET_CERT_INTERNAL_VERIFY_CERTIFICATE_CHAIN_H_
+
+#include <stdint.h>
+
+#include <string>
+#include <vector>
+
+#include "base/basictypes.h"
+#include "base/compiler_specific.h"
+#include "base/memory/scoped_ptr.h"
+#include "net/base/net_export.h"
+
+namespace net {
+
+namespace der {
+class Input;
+struct GeneralizedTime;
+}
+
+class SignaturePolicy;
+
+struct NET_EXPORT TrustedRoot {

[davidben, 2015/11/19 22:24:02]

Optional: The spec seems to say "trust anchor" everywhere, so maybe TrustAnchor?
Though we do say "known root". *shrug* Your call.

[eroman, 2015/12/03 04:45:12]

Done.

+  ~TrustedRoot();
+
+  // DER-encoded SubjectPublicKeyInfo for the trusted key.
+  std::string spki;
+
+  // DER-encoded "Name" corresponding with this key.
+  std::string name;
+};
+
+// A very simple implementation of a TrustStore, which contains mappings from a
+// name to a correspoding public key for trusted roots.
+struct NET_EXPORT TrustStore {
+  TrustStore();
+  ~TrustStore();
+
+  std::vector<TrustedRoot> roots;
+};
+
+// VerifyCertificateChain() verifies a certificate path (chain) based on the
+// rules in RFC 5280.
+//
+// WARNING: This implementation is in progress, and is currently
+// incomplete. DO NOT USE IT. You have been warned.
+//
+// ---------
+// Inputs
+// ---------
+//
+//   cert_chain:
+//     A non-empty chain of N DER-encoded certificates, listed in the
+//     "forward" direction.
+//
+//      * cert_chain[0] is the target certificate to verify.
+//      * cert_chain[i+1] holds the certificate that issued cert_chain[i].
+//      * cert_chain[N-1] must have been issued by a trusted root.
+//
+//   trust_store:
+//     Contains the set of public keys (and their names) that are trusted as
+//     roots.
+//
+//   signature_policy:
+//     The policy to use when verifying signature (what hash algorithms are
+//     allowed, what length keys, what named curves, etc).
+//
+//   time:
+//     The UTC time to use for expiration checks.
+//
+// ---------
+// Outputs
+// ---------
+//
+//   returns true if the target certificate can be verified and is an
+//   end-entity certificate.
+NET_EXPORT bool VerifyCertificateChain(const std::vector<der::Input>& certs_der,
+                                       const TrustStore& trust_store,
+                                       const SignaturePolicy* signature_policy,
+                                       const der::GeneralizedTime& time)
+    WARN_UNUSED_RESULT;
+
+}  // namespace net
+
+#endif  // NET_CERT_INTERNAL_VERIFY_CERTIFICATE_CHAIN_H_