net/cert/client_cert_verifier.h - Issue 1474983003: Support for client certs in ssl_server_socket.

Side by Side Diff: net/cert/client_cert_verifier.h

Issue 1474983003: Support for client certs in ssl_server_socket. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Addresses reviewer comments Created 5 years ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
(Empty)
	1 // Copyright (c) 2015 The Chromium Authors. All rights reserved.

	2 // Use of this source code is governed by a BSD-style license that can be

	3 // found in the LICENSE file.

	4

	5 #ifndef NET_CERT_CLIENT_CERT_VERIFIER_H_

	6 #define NET_CERT_CLIENT_CERT_VERIFIER_H_

	7

	8 namespace net {

	9

	10 class BoundNetLog;
	Ryan Sleevi 2015/12/17 03:47:35 Unused? Unused? ryanchung 2015/12/18 00:00:55 Done. Show quoted text On 2015/12/17 03:47:35, Ryan Sleevi wrote: > Unused? Done.
	11 class X509Certificate;

	12

	13 // ClientCertVerifier represents a service for verifying certificates.

	14 class ClientCertVerifier {

	15 public:

	16 virtual ~ClientCertVerifier() {}

	17

	18 // Verifies the given certificate as a client certificate.

	19 // Returns OK if successful or an error code upon failure.

	20 virtual int Verify(X509Certificate* cert) = 0;
	Ryan Sleevi 2015/12/17 03:47:35 DESIGN: Why isn't this interface asynchronous? I t DESIGN: Why isn't this interface asynchronous? I think if we're looking to export/support this API (which I'm not really wanting to, but I guess Cast needs it), we shouldn't be doing it blocking. ryanchung 2015/12/18 00:00:55 I believe OpenSSL only supports synchronous client Show quoted text On 2015/12/17 03:47:35, Ryan Sleevi wrote: > DESIGN: Why isn't this interface asynchronous? I think if we're looking to > export/support this API (which I'm not really wanting to, but I guess Cast needs > it), we shouldn't be doing it blocking. I believe OpenSSL only supports synchronous client certificate verification at the moment. http://crbug.com/347402 Ryan Sleevi 2015/12/18 00:07:09 But the Chrome interface should be designed for as Show quoted text On 2015/12/18 00:00:55, Ryan Chung wrote: > I believe OpenSSL only supports synchronous client certificate verification at > the moment. http://crbug.com/347402 But the Chrome interface should be designed for asynchronicity, and if it gives an asynchronous result, the binding code (to OpenSSL) should then fail. But we shouldn't be writing new //net code that assumes synchronous responses, even if a third-party library demands it. In the worst case, we'd offload the OpenSSL operation to a dedicated thread, and then spin a waitloop on that thread to complete the asynchronous operation (this is how we handled NSS callbacks that demand synchronicity on fundamentally asynchronous events) davidben 2015/12/19 00:24:24 Teaching BoringSSL to be asynchronous with certifi Show quoted text On 2015/12/18 00:07:09, Ryan Sleevi wrote: > On 2015/12/18 00:00:55, Ryan Chung wrote: > > I believe OpenSSL only supports synchronous client certificate verification at > > the moment. http://crbug.com/347402 > > But the Chrome interface should be designed for asynchronicity, and if it gives > an asynchronous result, the binding code (to OpenSSL) should then fail. > > But we shouldn't be writing new //net code that assumes synchronous responses, > even if a third-party library demands it. In the worst case, we'd offload the > OpenSSL operation to a dedicated thread, and then spin a waitloop on that thread > to complete the asynchronous operation (this is how we handled NSS callbacks > that demand synchronicity on fundamentally asynchronous events) Teaching BoringSSL to be asynchronous with certificate verification should certainly be doable. It's one more interface to change later when we rid ourselves of the legacy X.509 stack, but whatever. It should also work to do the verification after the handshake, like SSLClientSocketOpenSSL does. The two subtleties are: 1. Unless you implement the session cache externally, which seems more trouble than is worth it, the sessions with bad verifications will end up in the session cache. This is actually just fine as long as you verify on both new handshakes and resumptions. 2. If you don't like the certificate, you'll decide too late to be able to send an alert to the client. That means that the client won't know to try again. This may not be something that matters to Cast. I also don't actually mind making it synchronous to start with. I'm assuming that Cast's needs for client certificate verification aren't that complex and won't require anything crazy like AIA chasing. And it'd already have to verify CertificateVerify signatures synchronously, so if we're only worried about signature verification, this isn't a big deal. ryanchung 2016/01/14 00:16:40 I updated the interface. For now, verification wil Show quoted text On 2015/12/18 00:07:09, Ryan Sleevi wrote: > On 2015/12/18 00:00:55, Ryan Chung wrote: > > I believe OpenSSL only supports synchronous client certificate verification at > > the moment. http://crbug.com/347402 > > But the Chrome interface should be designed for asynchronicity, and if it gives > an asynchronous result, the binding code (to OpenSSL) should then fail. I updated the interface. For now, verification will fail if it gives an asynchronous result.
	21 };

	22

	23 } // namespace net

	24

	25 #endif // NET_CERT_CLIENT_CERT_VERIFIER_H_

OLD	NEW

« no previous file with comments | « net/cert/cert_verify_result.h ('k') | net/cert/mock_client_cert_verifier.h » ('j') | net/socket/ssl_server_socket_openssl.cc » ('J')