OLD | NEW |
1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef NET_CERT_INTERNAL_VERIFY_CERTIFICATE_CHAIN_H_ | 5 #ifndef NET_CERT_INTERNAL_VERIFY_CERTIFICATE_CHAIN_H_ |
6 #define NET_CERT_INTERNAL_VERIFY_CERTIFICATE_CHAIN_H_ | 6 #define NET_CERT_INTERNAL_VERIFY_CERTIFICATE_CHAIN_H_ |
7 | 7 |
8 #include <vector> | 8 #include <vector> |
9 | 9 |
10 #include "base/compiler_specific.h" | 10 #include "base/compiler_specific.h" |
11 #include "base/memory/ref_counted.h" | 11 #include "base/memory/ref_counted.h" |
12 #include "net/base/net_export.h" | 12 #include "net/base/net_export.h" |
| 13 #include "net/cert/internal/parsed_certificate.h" |
13 #include "net/der/input.h" | 14 #include "net/der/input.h" |
14 | 15 |
15 namespace net { | 16 namespace net { |
16 | 17 |
17 namespace der { | 18 namespace der { |
18 struct GeneralizedTime; | 19 struct GeneralizedTime; |
19 } | 20 } |
20 | 21 |
21 class ParsedCertificate; | |
22 class SignaturePolicy; | 22 class SignaturePolicy; |
23 class TrustStore; | 23 class TrustStore; |
24 | 24 |
25 // VerifyCertificateChain() verifies a certificate path (chain) based on the | 25 // VerifyCertificateChainAssumingTrustedRoot() verifies a certificate path |
26 // rules in RFC 5280. | 26 // (chain) based on the rules in RFC 5280. The caller is responsible for |
| 27 // building the path and ensuring the chain ends in a trusted root certificate. |
27 // | 28 // |
28 // WARNING: This implementation is in progress, and is currently incomplete. | 29 // WARNING: This implementation is in progress, and is currently incomplete. |
29 // Consult an OWNER before using it. | 30 // Consult an OWNER before using it. |
30 // | 31 // |
31 // --------- | 32 // --------- |
32 // Inputs | 33 // Inputs |
33 // --------- | 34 // --------- |
34 // | 35 // |
35 // cert_chain: | 36 // cert_chain: |
36 // A non-empty chain of N DER-encoded certificates, listed in the | 37 // A non-empty chain of N DER-encoded certificates, listed in the |
37 // "forward" direction. | 38 // "forward" direction. |
38 // | 39 // |
39 // * cert_chain[0] is the target certificate to verify. | 40 // * cert_chain[0] is the target certificate to verify. |
40 // * cert_chain[i+1] holds the certificate that issued cert_chain[i]. | 41 // * cert_chain[i+1] holds the certificate that issued cert_chain[i]. |
41 // * cert_chain[N-1] must be the trust anchor, or have been directly | 42 // * cert_chain[N-1] must be the trust anchor. |
42 // issued by a trust anchor. | |
43 // | 43 // |
44 // trust_store: | 44 // trust_store: |
45 // Contains the set of trusted public keys (and their names). | 45 // Contains the set of trusted public keys (and their names). This is only |
| 46 // used to DCHECK that the final cert is a trust anchor. |
46 // | 47 // |
47 // signature_policy: | 48 // signature_policy: |
48 // The policy to use when verifying signatures (what hash algorithms are | 49 // The policy to use when verifying signatures (what hash algorithms are |
49 // allowed, what length keys, what named curves, etc). | 50 // allowed, what length keys, what named curves, etc). |
50 // | 51 // |
51 // time: | 52 // time: |
52 // The UTC time to use for expiration checks. | 53 // The UTC time to use for expiration checks. |
53 // | 54 // |
54 // trusted_chain_out: | |
55 // The vector to populate with the verified trusted certificate chain. | |
56 // * trusted_chain_out[0] is the target certificate verified. | |
57 // * trusted_chain_out[i+1] holds the certificate that issued | |
58 // trusted_chain_out[i]. | |
59 // * trusted_chain_out[N-1] is the trust anchor. | |
60 // If a nullptr is passed, this parameter is ignored. | |
61 // If the target certificate can not be verified, this parameter is | |
62 // ignored. | |
63 // | |
64 // --------- | 55 // --------- |
65 // Outputs | 56 // Outputs |
66 // --------- | 57 // --------- |
67 // | 58 // |
68 // Returns true if the target certificate can be verified. | 59 // Returns true if the target certificate can be verified. |
69 NET_EXPORT bool VerifyCertificateChain( | 60 NET_EXPORT bool VerifyCertificateChainAssumingTrustedRoot( |
70 const std::vector<scoped_refptr<ParsedCertificate>>& cert_chain, | 61 const ParsedCertificateList& certs, |
| 62 // The trust store is only used for assertions. |
71 const TrustStore& trust_store, | 63 const TrustStore& trust_store, |
72 const SignaturePolicy* signature_policy, | 64 const SignaturePolicy* signature_policy, |
73 const der::GeneralizedTime& time, | 65 const der::GeneralizedTime& time) WARN_UNUSED_RESULT; |
74 std::vector<scoped_refptr<ParsedCertificate>>* trusted_chain_out) | |
75 WARN_UNUSED_RESULT; | |
76 | 66 |
77 } // namespace net | 67 } // namespace net |
78 | 68 |
79 #endif // NET_CERT_INTERNAL_VERIFY_CERTIFICATE_CHAIN_H_ | 69 #endif // NET_CERT_INTERNAL_VERIFY_CERTIFICATE_CHAIN_H_ |
OLD | NEW |