Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(116)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: net/cert/internal/verify_certificate_chain.h

Issue 1923433002: Certificate path builder for new certificate verification library (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: rebase Created 4 years, 6 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« net/cert/internal/path_builder_pkits_unittest.cc ('K') | « net/cert/internal/trust_store.cc ('k') | net/cert/internal/verify_certificate_chain.cc » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/cert/internal/verify_certificate_chain.h
diff --git a/net/cert/internal/verify_certificate_chain.h b/net/cert/internal/verify_certificate_chain.h
index 291c843d9ed60ecb8f0fac7cf42f66a956a81712..06cd55500dbcb7387a6dd7a715d4960e877c6163 100644
--- a/net/cert/internal/verify_certificate_chain.h
+++ b/net/cert/internal/verify_certificate_chain.h
@@ -22,8 +22,9 @@ class ParsedCertificate;
class SignaturePolicy;
class TrustStore;
-// VerifyCertificateChain() verifies a certificate path (chain) based on the
-// rules in RFC 5280.
+// VerifyCertificateChainAssumingTrustedRoot() verifies a certificate path
+// (chain) based on the rules in RFC 5280. The caller is responsible for
+// building the path and ensuring the chain ends in a trusted root certificate.
//
// WARNING: This implementation is in progress, and is currently incomplete.
// Consult an OWNER before using it.
@@ -38,11 +39,11 @@ class TrustStore;
//
// * cert_chain[0] is the target certificate to verify.
// * cert_chain[i+1] holds the certificate that issued cert_chain[i].
-// * cert_chain[N-1] must be the trust anchor, or have been directly
-// issued by a trust anchor.
+// * cert_chain[N-1] must be the trust anchor.
//
// trust_store:
-// Contains the set of trusted public keys (and their names).
+// Contains the set of trusted public keys (and their names). This is only
+// used to DCHECK that the final cert is a trust anchor.
//
// signature_policy:
// The policy to use when verifying signatures (what hash algorithms are
@@ -51,28 +52,17 @@ class TrustStore;
// time:
// The UTC time to use for expiration checks.
//
-// trusted_chain_out:
-// The vector to populate with the verified trusted certificate chain.
-// * trusted_chain_out[0] is the target certificate verified.
-// * trusted_chain_out[i+1] holds the certificate that issued
-// trusted_chain_out[i].
-// * trusted_chain_out[N-1] is the trust anchor.
-// If a nullptr is passed, this parameter is ignored.
-// If the target certificate can not be verified, this parameter is
-// ignored.
-//
// ---------
// Outputs
// ---------
//
// Returns true if the target certificate can be verified.
-NET_EXPORT bool VerifyCertificateChain(
- const std::vector<scoped_refptr<ParsedCertificate>>& cert_chain,
+NET_EXPORT bool VerifyCertificateChainAssumingTrustedRoot(
+ const std::vector<scoped_refptr<ParsedCertificate>>& certs,
+ // The trust store is only used for assertions.
const TrustStore& trust_store,
const SignaturePolicy* signature_policy,
- const der::GeneralizedTime& time,
- std::vector<scoped_refptr<ParsedCertificate>>* trusted_chain_out)
- WARN_UNUSED_RESULT;
+ const der::GeneralizedTime& time) WARN_UNUSED_RESULT;
} // namespace net
« net/cert/internal/path_builder_pkits_unittest.cc ('K') | « net/cert/internal/trust_store.cc ('k') | net/cert/internal/verify_certificate_chain.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698