| Index: net/cert/internal/verify_certificate_chain.h
|
| diff --git a/net/cert/internal/verify_certificate_chain.h b/net/cert/internal/verify_certificate_chain.h
|
| index 2b4a7abe0b7a10aebb944e0718e38e0b1fb8c876..8b1d92f694749a53b30a3854f4b693288bd93d55 100644
|
| --- a/net/cert/internal/verify_certificate_chain.h
|
| +++ b/net/cert/internal/verify_certificate_chain.h
|
| @@ -24,8 +24,12 @@ struct GeneralizedTime;
|
|
|
| class SignaturePolicy;
|
|
|
| -// Represents a trust anchor (i.e. a trusted root certificate).
|
| -class NET_EXPORT TrustAnchor {
|
| +// XXX Rename, better comment
|
| +// Represents a certificate, including top-level parsing and normalized name
|
| +// values. The certificate is not completely parsed and validated, only the
|
| +// validation performed by ParseCertificate, ParseTbsCertificate and
|
| +// NormalizeName is done.
|
| +class NET_EXPORT CertThing {
|
| public:
|
| // The certificate data for this trust anchor may either be owned internally
|
| // (INTERNAL_COPY) or owned externally (EXTERNAL_REFERENCE). When it is
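Review bot: The DataSource comment that starts at the end of this hunk still says "The certificate data for this trust anchor", which now contradicts the new class-level comment a few lines above that says the class represents any certificate; the same stale "trust anchor" wording survives on MatchesName and on cert_data_ in the next hunk. Suggest `// The certificate data for this object may either be owned internally` here, `// Returns true if the certificate's subject matches |name|.` on MatchesName, and `// the object was initialized using DataSource::INTERNAL_COPY.` on cert_data_. The `// XXX Rename, better comment` marker and the placeholder name CertThing read as work in progress; if this is meant to land, the marker should at least be an owned `TODO(user):` so it is tracked rather than lost. The enum and the class body continue past this hunk.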
|
| @@ -35,28 +39,44 @@ class NET_EXPORT TrustAnchor {
|
| EXTERNAL_REFERENCE,
|
| };
|
|
|
| - TrustAnchor();
|
| - ~TrustAnchor();
|
| + ~CertThing();
|
|
|
| - // Creates a TrustAnchor given a DER-encoded certificate. Returns nullptr on
|
| + // Creates a CertThing given a DER-encoded certificate. Returns nullptr on
|
| // failure. Failure will occur if the certificate data cannot be parsed to
|
| // find a subject.
|
| //
|
| // The provided certificate data is either copied, or aliased, depending on
|
| // the value of |source|. See the comments for DataSource for details.
|
| - static std::unique_ptr<TrustAnchor> CreateFromCertificateData(
|
| + static std::unique_ptr<CertThing> CreateFromCertificateData(
|
| const uint8_t* data,
|
| size_t length,
|
| DataSource source);
|
| + static std::unique_ptr<CertThing> CreateFromCertificateCopy(
|
| + const base::StringPiece& data);
|
| +
|
| + // XXX docs
|
| + std::unique_ptr<CertThing> Clone() const;
|
|
|
| // Returns true if the trust anchor matches |name|. In other words, returns
|
| // true if the certificate's subject matches |name|.
|
| bool MatchesName(const der::Input& name) const;
|
|
|
| - // Returns the DER-encoded certificate data for this trust anchor.
|
| - const der::Input& cert() const { return cert_; }
|
| + // Returns the DER-encoded certificate data for this cert.
|
| + const der::Input& der_cert() const { return cert_; }
|
| +
|
| + const ParsedCertificate& parsed_cert() const { return parsed_cert_; }
|
| + const ParsedTbsCertificate& parsed_tbs() const { return parsed_tbs_; }
|
| +
|
| + // Returns the DER-encoded normalized subject value (not including outer
|
| + // Sequence tag).
|
| + const std::string& normalized_subject() const { return normalized_subject_; }
|
| + // Returns the DER-encoded normalized issuer value (not including outer
|
| + // Sequence tag).
|
| + const std::string& normalized_issuer() const { return normalized_issuer_; }
|
|
|
| private:
|
| + CertThing();
|
| +
|
| // The backing store for the certificate data. This is only applicable when
|
| // the trust anchor was initialized using DataSource::INTERNAL_COPY.
|
| std::vector<uint8_t> cert_data_;
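Review bot: CreateFromCertificateCopy and Clone are added without a contract: CreateFromCertificateCopy has no comment at all, Clone carries only `// XXX docs`, and the new parsed_cert()/parsed_tbs() accessors are undocumented. The surviving failure comment ("cannot be parsed to find a subject") also looks stale now that the class comment says ParseCertificate, ParseTbsCertificate and NormalizeName all run on construction, so presumably a failure in any of them yields nullptr; that is worth stating so callers do not assume a subject-only check. For Clone the reader needs to know whether the copy owns its own DER or aliases the original's EXTERNAL_REFERENCE buffer, since that decides the lifetime the caller must guarantee, e.g. `// Returns a deep copy; the result owns its own DER and does not alias |this|.` if that is what the implementation does, or the opposite if it aliases. Minor style: base::StringPiece is a cheap view and is conventionally passed by value rather than as `const base::StringPiece&`. The class body runs past this hunk.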
|
| @@ -68,10 +88,15 @@ class NET_EXPORT TrustAnchor {
|
| // Points to the raw certificate DER.
|
| der::Input cert_;
|
|
|
| - // Points to the subject TLV for the certificate.
|
| - der::Input name_;
|
| + ParsedCertificate parsed_cert_;
|
| + ParsedTbsCertificate parsed_tbs_;
|
| +
|
| + // Normalized DER-encoded Subject (not including outer Sequence tag).
|
| + std::string normalized_subject_;
|
| + // Normalized DER-encoded Issuer (not including outer Sequence tag).
|
| + std::string normalized_issuer_;
|
|
|
| - DISALLOW_COPY_AND_ASSIGN(TrustAnchor);
|
| + DISALLOW_COPY_AND_ASSIGN(CertThing);
|
| };
|
|
|
| // A very simple implementation of a TrustStore, which contains a set of
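Review bot: parsed_cert_ and parsed_tbs_ are added right after cert_ with no comment on what they refer to; if, as their types suggest, they hold der::Input views into cert_ (and so into cert_data_ for INTERNAL_COPY), that invariant is what makes DISALLOW_COPY_AND_ASSIGN necessary and what Clone must re-establish against the clone's own buffer instead of copying the members. Suggest, after confirming against the implementation, `// Parsed views into |cert_|; only valid while the backing data is alive.` above parsed_cert_. The private section of the class starts before this hunk.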
|
| @@ -99,8 +124,11 @@ class NET_EXPORT TrustStore {
|
|
|
| // Returns the trust anchor that matches |name|, or nullptr if there is none.
|
| // TODO(eroman): There may be multiple matches.
|
| - const TrustAnchor* FindTrustAnchorByName(const der::Input& name) const
|
| + const CertThing* FindTrustAnchorByName(const der::Input& name) const
|
| WARN_UNUSED_RESULT;
|
| + // XXX Add docs. Remove above version? Should take der::Input?
|
| + std::vector<const CertThing*> FindTrustAnchorsByNormalizedName(
|
| + const std::string& normalized_name) const WARN_UNUSED_RESULT;
|
|
|
| // Returns true if |cert_der| matches a certificate in the TrustStore.
|
| bool IsTrustedCertificate(const der::Input& cert_der) const
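Review bot: FindTrustAnchorsByNormalizedName is declared with only `// XXX Add docs. Remove above version? Should take der::Input?`, so neither the lifetime of the returned raw pointers nor what a match means is stated. The pointers are presumably non-owning and valid only while this TrustStore exists and is not modified (anchors_ is a vector of unique_ptr in a later hunk), which the comment should say. Equally important for callers, a normalized-name match only selects candidate anchors and does not establish trust: the chain verifier must still check the issuer signature against each candidate, and saying so prevents a caller from treating a returned pointer as proof that a certificate is trusted. Suggest `// Returns all trust anchors whose normalized subject equals |normalized_name|. The pointers are owned by this TrustStore; matches are only candidates and the signature must still be verified.` The TrustStore class continues outside this hunk.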
|
| @@ -109,9 +137,9 @@ class NET_EXPORT TrustStore {
|
| private:
|
| bool AddTrustedCertificate(const uint8_t* data,
|
| size_t length,
|
| - TrustAnchor::DataSource source) WARN_UNUSED_RESULT;
|
| + CertThing::DataSource source) WARN_UNUSED_RESULT;
|
|
|
| - std::vector<std::unique_ptr<TrustAnchor>> anchors_;
|
| + std::vector<std::unique_ptr<CertThing>> anchors_;
|
|
|
| DISALLOW_COPY_AND_ASSIGN(TrustStore);
|
| };
|
| @@ -155,6 +183,13 @@ NET_EXPORT bool VerifyCertificateChain(const std::vector<der::Input>& certs_der,
|
| const der::GeneralizedTime& time)
|
| WARN_UNUSED_RESULT;
|
|
|
| +NET_EXPORT bool VerifyCertificateChainAssumingTrustedRoot(
|
| + const std::vector<std::unique_ptr<CertThing>>& certs,
|
| + // The trust store is only used for assertions.
|
| + const TrustStore& trust_store,
|
| + const SignaturePolicy* signature_policy,
|
| + const der::GeneralizedTime& time) WARN_UNUSED_RESULT;
|
| +
|
| } // namespace net
|
|
|
| #endif // NET_CERT_INTERNAL_VERIFY_CERTIFICATE_CHAIN_H_
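Review bot: VerifyCertificateChainAssumingTrustedRoot has no header comment stating its precondition; the only hint is the inline `// The trust store is only used for assertions.` on a parameter, which means nothing at runtime in a release build checks that the root really is trusted. Because the function skips the trust lookup, a caller that passes a chain ending in an untrusted certificate gets it accepted silently, so the contract must be explicit: which element of |certs| is the root (presumably the last, but the ordering is not visible here), that the caller is responsible for having already established it is an anchor in |trust_store|, and that |certs| must be non-empty. Suggest a comment above the declaration along the lines of `// Like VerifyCertificateChain, but |certs| must already end in a certificate the caller has established is a trust anchor in |trust_store|; this is only asserted, never enforced.` and a sentence tying |signature_policy| and |time| to the same meaning as in VerifyCertificateChain so the two declarations do not drift apart.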
|
|
|