Index: net/cert/internal/verify_certificate_chain.cc |
diff --git a/net/cert/internal/verify_certificate_chain.cc b/net/cert/internal/verify_certificate_chain.cc |
index 73bd6f1361da5648dda73b37d3958cfab303e599..baef57a04a8a93b14f08a6e850b1c3c381d14556 100644 |
--- a/net/cert/internal/verify_certificate_chain.cc |
+++ b/net/cert/internal/verify_certificate_chain.cc |
@@ -9,7 +9,6 @@ |
#include "base/logging.h" |
#include "net/cert/internal/name_constraints.h" |
#include "net/cert/internal/parse_certificate.h" |
-#include "net/cert/internal/parsed_certificate.h" |
#include "net/cert/internal/signature_algorithm.h" |
#include "net/cert/internal/signature_policy.h" |
#include "net/cert/internal/trust_store.h" |
@@ -336,9 +335,6 @@ WARN_UNUSED_RESULT bool WrapUp(const ParsedCertificate& cert) { |
} // namespace |
-// TODO(eroman): Move this into existing anonymous namespace. |
-namespace { |
- |
// This implementation is structured to mimic the description of certificate |
// path verification given by RFC 5280 section 6.1. |
// |
@@ -346,7 +342,7 @@ namespace { |
// the chain. This root certificate is assumed to be trusted, and neither its |
// signature nor issuer name are verified. (It needn't be self-signed). |
bool VerifyCertificateChainAssumingTrustedRoot( |
- const std::vector<scoped_refptr<ParsedCertificate>>& certs, |
+ const ParsedCertificateList& certs, |
// The trust store is only used for assertions. |
const TrustStore& trust_store, |
const SignaturePolicy* signature_policy, |
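Review bot: The new parameter type `ParsedCertificateList` is introduced here while the first hunk drops `#include "net/cert/internal/parsed_certificate.h"`, so the alias (and `ParsedCertificate` itself) now reaches this file only transitively, presumably through its own header; an explicit include of whichever header defines the alias would keep the file self-sufficient. Separately, with the `namespace {` removed in the previous hunk and the `} // namespace` at line 336 still closing the earlier anonymous namespace, this function now sits at `net` scope and becomes the file's externally visible entry point, yet its only use of `trust_store` is in assertions, as the comment above this line says. Its header comment should state that precondition for callers, e.g. `// Precondition: certs.back() is a trust anchor. Callers must establish this themselves; trust_store is consulted only in assertions.`. The function body continues past the end of this hunk.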
@@ -450,56 +446,4 @@ bool VerifyCertificateChainAssumingTrustedRoot( |
return true; |
} |
-// TODO(eroman): This function is a temporary hack in the absence of full |
-// path building. It may insert 1 certificate at the root of the |
-// chain to ensure that the path's root certificate is a trust anchor. |
-// |
-// Beyond this no other verification is done on the chain. The caller is |
-// responsible for verifying the subsequent chain's correctness. |
-WARN_UNUSED_RESULT bool BuildSimplePathToTrustAnchor( |
- const TrustStore& trust_store, |
- std::vector<scoped_refptr<ParsedCertificate>>* certs) { |
- if (certs->empty()) |
- return false; |
- |
- // Check if the current root certificate is trusted. If it is then no |
- // extra work is needed. |
- if (trust_store.IsTrustedCertificate(certs->back().get())) |
- return true; |
- |
- std::vector<scoped_refptr<ParsedCertificate>> trust_anchors; |
- trust_store.FindTrustAnchorsByNormalizedName( |
- certs->back()->normalized_issuer(), &trust_anchors); |
- if (trust_anchors.empty()) |
- return false; |
- // TODO(mattm): this only tries the first match, even if there are multiple. |
- certs->push_back(std::move(trust_anchors[0])); |
- return true; |
-} |
- |
-} // namespace |
- |
-bool VerifyCertificateChain( |
- const std::vector<scoped_refptr<ParsedCertificate>>& cert_chain, |
- const TrustStore& trust_store, |
- const SignaturePolicy* signature_policy, |
- const der::GeneralizedTime& time, |
- std::vector<scoped_refptr<ParsedCertificate>>* trusted_chain_out) { |
- if (cert_chain.empty()) |
- return false; |
- |
- std::vector<scoped_refptr<ParsedCertificate>> full_chain = cert_chain; |
- |
- // Modify the certificate chain so that its root is a trusted certificate. |
- if (!BuildSimplePathToTrustAnchor(trust_store, &full_chain)) |
- return false; |
- |
- // Verify the chain. |
- bool success = VerifyCertificateChainAssumingTrustedRoot( |
- full_chain, trust_store, signature_policy, time); |
- if (success && trusted_chain_out != nullptr) |
- *trusted_chain_out = std::move(full_chain); |
- return success; |
-} |
- |
} // namespace net |