OLD | NEW |
---|---|
1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef NET_CERT_INTERNAL_VERIFY_CERTIFICATE_CHAIN_H_ | 5 #ifndef NET_CERT_INTERNAL_VERIFY_CERTIFICATE_CHAIN_H_ |
6 #define NET_CERT_INTERNAL_VERIFY_CERTIFICATE_CHAIN_H_ | 6 #define NET_CERT_INTERNAL_VERIFY_CERTIFICATE_CHAIN_H_ |
7 | 7 |
8 #include <vector> | 8 #include <vector> |
9 | 9 |
10 #include "base/compiler_specific.h" | 10 #include "base/compiler_specific.h" |
11 #include "base/memory/ref_counted.h" | 11 #include "base/memory/ref_counted.h" |
12 #include "net/base/net_export.h" | 12 #include "net/base/net_export.h" |
13 #include "net/der/input.h" | 13 #include "net/der/input.h" |
14 | 14 |
15 namespace net { | 15 namespace net { |
16 | 16 |
17 namespace der { | 17 namespace der { |
18 struct GeneralizedTime; | 18 struct GeneralizedTime; |
19 } | 19 } |
20 | 20 |
21 class ParsedCertificate; | 21 class ParsedCertificate; |
22 class SignaturePolicy; | 22 class SignaturePolicy; |
23 class TrustStore; | 23 class TrustStore; |
24 using ParsedCertificateList = std::vector<scoped_refptr<ParsedCertificate>>; | |
eroman
2016/07/01 23:49:29
Same comment as earlier.
mattm
2016/07/02 02:21:51
Done.
| |
24 | 25 |
25 // VerifyCertificateChain() verifies a certificate path (chain) based on the | 26 // VerifyCertificateChainAssumingTrustedRoot() verifies a certificate path |
26 // rules in RFC 5280. | 27 // (chain) based on the rules in RFC 5280. The caller is responsible for |
28 // building the path and ensuring the chain ends in a trusted root certificate. | |
27 // | 29 // |
28 // WARNING: This implementation is in progress, and is currently incomplete. | 30 // WARNING: This implementation is in progress, and is currently incomplete. |
29 // Consult an OWNER before using it. | 31 // Consult an OWNER before using it. |
30 // | 32 // |
31 // --------- | 33 // --------- |
32 // Inputs | 34 // Inputs |
33 // --------- | 35 // --------- |
34 // | 36 // |
35 // cert_chain: | 37 // cert_chain: |
36 // A non-empty chain of N DER-encoded certificates, listed in the | 38 // A non-empty chain of N DER-encoded certificates, listed in the |
37 // "forward" direction. | 39 // "forward" direction. |
38 // | 40 // |
39 // * cert_chain[0] is the target certificate to verify. | 41 // * cert_chain[0] is the target certificate to verify. |
40 // * cert_chain[i+1] holds the certificate that issued cert_chain[i]. | 42 // * cert_chain[i+1] holds the certificate that issued cert_chain[i]. |
41 // * cert_chain[N-1] must be the trust anchor, or have been directly | 43 // * cert_chain[N-1] must be the trust anchor. |
42 // issued by a trust anchor. | |
43 // | 44 // |
44 // trust_store: | 45 // trust_store: |
45 // Contains the set of trusted public keys (and their names). | 46 // Contains the set of trusted public keys (and their names). This is only |
47 // used to DCHECK that the final cert is a trust anchor. | |
46 // | 48 // |
47 // signature_policy: | 49 // signature_policy: |
48 // The policy to use when verifying signatures (what hash algorithms are | 50 // The policy to use when verifying signatures (what hash algorithms are |
49 // allowed, what length keys, what named curves, etc). | 51 // allowed, what length keys, what named curves, etc). |
50 // | 52 // |
51 // time: | 53 // time: |
52 // The UTC time to use for expiration checks. | 54 // The UTC time to use for expiration checks. |
53 // | 55 // |
54 // trusted_chain_out: | |
55 // The vector to populate with the verified trusted certificate chain. | |
56 // * trusted_chain_out[0] is the target certificate verified. | |
57 // * trusted_chain_out[i+1] holds the certificate that issued | |
58 // trusted_chain_out[i]. | |
59 // * trusted_chain_out[N-1] is the trust anchor. | |
60 // If a nullptr is passed, this parameter is ignored. | |
61 // If the target certificate can not be verified, this parameter is | |
62 // ignored. | |
63 // | |
64 // --------- | 56 // --------- |
65 // Outputs | 57 // Outputs |
66 // --------- | 58 // --------- |
67 // | 59 // |
68 // Returns true if the target certificate can be verified. | 60 // Returns true if the target certificate can be verified. |
69 NET_EXPORT bool VerifyCertificateChain( | 61 NET_EXPORT bool VerifyCertificateChainAssumingTrustedRoot( |
70 const std::vector<scoped_refptr<ParsedCertificate>>& cert_chain, | 62 const ParsedCertificateList& certs, |
63 // The trust store is only used for assertions. | |
71 const TrustStore& trust_store, | 64 const TrustStore& trust_store, |
72 const SignaturePolicy* signature_policy, | 65 const SignaturePolicy* signature_policy, |
73 const der::GeneralizedTime& time, | 66 const der::GeneralizedTime& time) WARN_UNUSED_RESULT; |
74 std::vector<scoped_refptr<ParsedCertificate>>* trusted_chain_out) | |
75 WARN_UNUSED_RESULT; | |
76 | 67 |
77 } // namespace net | 68 } // namespace net |
78 | 69 |
79 #endif // NET_CERT_INTERNAL_VERIFY_CERTIFICATE_CHAIN_H_ | 70 #endif // NET_CERT_INTERNAL_VERIFY_CERTIFICATE_CHAIN_H_ |
OLD | NEW |