Chromium Code Reviews| Index: net/cert/internal/verify_certificate_chain.h |
| diff --git a/net/cert/internal/verify_certificate_chain.h b/net/cert/internal/verify_certificate_chain.h |
| index 291c843d9ed60ecb8f0fac7cf42f66a956a81712..3e7363f8aaeb61c77fd2baf66accadc4d3dc1a50 100644 |
| --- a/net/cert/internal/verify_certificate_chain.h |
| +++ b/net/cert/internal/verify_certificate_chain.h |
| @@ -21,9 +21,11 @@ struct GeneralizedTime; |
| class ParsedCertificate; |
| class SignaturePolicy; |
| class TrustStore; |
| +using ParsedCertificateList = std::vector<scoped_refptr<ParsedCertificate>>; |
|
eroman
2016/07/01 23:49:29
Same comment as earlier.
mattm
2016/07/02 02:21:51
Done.
|
| -// VerifyCertificateChain() verifies a certificate path (chain) based on the |
| -// rules in RFC 5280. |
| +// VerifyCertificateChainAssumingTrustedRoot() verifies a certificate path |
| +// (chain) based on the rules in RFC 5280. The caller is responsible for |
| +// building the path and ensuring the chain ends in a trusted root certificate. |
| // |
| // WARNING: This implementation is in progress, and is currently incomplete. |
| // Consult an OWNER before using it. |
| @@ -38,11 +40,11 @@ class TrustStore; |
| // |
| // * cert_chain[0] is the target certificate to verify. |
| // * cert_chain[i+1] holds the certificate that issued cert_chain[i]. |
| -// * cert_chain[N-1] must be the trust anchor, or have been directly |
| -// issued by a trust anchor. |
| +// * cert_chain[N-1] must be the trust anchor. |
| // |
| // trust_store: |
| -// Contains the set of trusted public keys (and their names). |
| +// Contains the set of trusted public keys (and their names). This is only |
| +// used to DCHECK that the final cert is a trust anchor. |
| // |
| // signature_policy: |
| // The policy to use when verifying signatures (what hash algorithms are |
| @@ -51,28 +53,17 @@ class TrustStore; |
| // time: |
| // The UTC time to use for expiration checks. |
| // |
| -// trusted_chain_out: |
| -// The vector to populate with the verified trusted certificate chain. |
| -// * trusted_chain_out[0] is the target certificate verified. |
| -// * trusted_chain_out[i+1] holds the certificate that issued |
| -// trusted_chain_out[i]. |
| -// * trusted_chain_out[N-1] is the trust anchor. |
| -// If a nullptr is passed, this parameter is ignored. |
| -// If the target certificate can not be verified, this parameter is |
| -// ignored. |
| -// |
| // --------- |
| // Outputs |
| // --------- |
| // |
| // Returns true if the target certificate can be verified. |
| -NET_EXPORT bool VerifyCertificateChain( |
| - const std::vector<scoped_refptr<ParsedCertificate>>& cert_chain, |
| +NET_EXPORT bool VerifyCertificateChainAssumingTrustedRoot( |
| + const ParsedCertificateList& certs, |
| + // The trust store is only used for assertions. |
| const TrustStore& trust_store, |
| const SignaturePolicy* signature_policy, |
| - const der::GeneralizedTime& time, |
| - std::vector<scoped_refptr<ParsedCertificate>>* trusted_chain_out) |
| - WARN_UNUSED_RESULT; |
| + const der::GeneralizedTime& time) WARN_UNUSED_RESULT; |
| } // namespace net |
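Review bot: The doc comment on `VerifyCertificateChainAssumingTrustedRoot()` does not say what happens to the trust-anchor check outside debug builds. `trust_store` is documented as used only to DCHECK the final cert, and DCHECKs are normally compiled out of release builds, so a `true` return there says nothing about whether the chain ends in a trusted root. I would state this next to the `trust_store` description, e.g. `// In builds without DCHECKs the final cert is NOT checked against |trust_store|; callers must have established that it is a trust anchor before calling.` Separately, the parameter is now named `certs` in the declaration while the input description still refers to `cert_chain[0]`, `cert_chain[i+1]` and `cert_chain[N-1]`; one of the two should be renamed so the comment matches the signature.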