| Index: net/cert/internal/verify_certificate_chain.cc
|
| diff --git a/net/cert/internal/verify_certificate_chain.cc b/net/cert/internal/verify_certificate_chain.cc
|
| index 73bd6f1361da5648dda73b37d3958cfab303e599..baef57a04a8a93b14f08a6e850b1c3c381d14556 100644
|
| --- a/net/cert/internal/verify_certificate_chain.cc
|
| +++ b/net/cert/internal/verify_certificate_chain.cc
|
| @@ -9,7 +9,6 @@
|
| #include "base/logging.h"
|
| #include "net/cert/internal/name_constraints.h"
|
| #include "net/cert/internal/parse_certificate.h"
|
| -#include "net/cert/internal/parsed_certificate.h"
|
| #include "net/cert/internal/signature_algorithm.h"
|
| #include "net/cert/internal/signature_policy.h"
|
| #include "net/cert/internal/trust_store.h"
|
| @@ -336,9 +335,6 @@ WARN_UNUSED_RESULT bool WrapUp(const ParsedCertificate& cert) {
|
|
|
| } // namespace
|
|
|
| -// TODO(eroman): Move this into existing anonymous namespace.
|
| -namespace {
|
| -
|
| // This implementation is structured to mimic the description of certificate
|
| // path verification given by RFC 5280 section 6.1.
|
| //
|
| @@ -346,7 +342,7 @@ namespace {
|
| // the chain. This root certificate is assumed to be trusted, and neither its
|
| // signature nor issuer name are verified. (It needn't be self-signed).
|
| bool VerifyCertificateChainAssumingTrustedRoot(
|
| - const std::vector<scoped_refptr<ParsedCertificate>>& certs,
|
| + const ParsedCertificateList& certs,
|
| // The trust store is only used for assertions.
|
| const TrustStore& trust_store,
|
| const SignaturePolicy* signature_policy,
|
| @@ -450,56 +446,4 @@ bool VerifyCertificateChainAssumingTrustedRoot(
|
| return true;
|
| }
|
|
|
| -// TODO(eroman): This function is a temporary hack in the absence of full
|
| -// path building. It may insert 1 certificate at the root of the
|
| -// chain to ensure that the path's root certificate is a trust anchor.
|
| -//
|
| -// Beyond this no other verification is done on the chain. The caller is
|
| -// responsible for verifying the subsequent chain's correctness.
|
| -WARN_UNUSED_RESULT bool BuildSimplePathToTrustAnchor(
|
| - const TrustStore& trust_store,
|
| - std::vector<scoped_refptr<ParsedCertificate>>* certs) {
|
| - if (certs->empty())
|
| - return false;
|
| -
|
| - // Check if the current root certificate is trusted. If it is then no
|
| - // extra work is needed.
|
| - if (trust_store.IsTrustedCertificate(certs->back().get()))
|
| - return true;
|
| -
|
| - std::vector<scoped_refptr<ParsedCertificate>> trust_anchors;
|
| - trust_store.FindTrustAnchorsByNormalizedName(
|
| - certs->back()->normalized_issuer(), &trust_anchors);
|
| - if (trust_anchors.empty())
|
| - return false;
|
| - // TODO(mattm): this only tries the first match, even if there are multiple.
|
| - certs->push_back(std::move(trust_anchors[0]));
|
| - return true;
|
| -}
|
| -
|
| -} // namespace
|
| -
|
| -bool VerifyCertificateChain(
|
| - const std::vector<scoped_refptr<ParsedCertificate>>& cert_chain,
|
| - const TrustStore& trust_store,
|
| - const SignaturePolicy* signature_policy,
|
| - const der::GeneralizedTime& time,
|
| - std::vector<scoped_refptr<ParsedCertificate>>* trusted_chain_out) {
|
| - if (cert_chain.empty())
|
| - return false;
|
| -
|
| - std::vector<scoped_refptr<ParsedCertificate>> full_chain = cert_chain;
|
| -
|
| - // Modify the certificate chain so that its root is a trusted certificate.
|
| - if (!BuildSimplePathToTrustAnchor(trust_store, &full_chain))
|
| - return false;
|
| -
|
| - // Verify the chain.
|
| - bool success = VerifyCertificateChainAssumingTrustedRoot(
|
| - full_chain, trust_store, signature_policy, time);
|
| - if (success && trusted_chain_out != nullptr)
|
| - *trusted_chain_out = std::move(full_chain);
|
| - return success;
|
| -}
|
| -
|
| } // namespace net
|
|
|
Chromium Code Reviews
Issue 1923433002:
Certificate path builder for new certificate verification library (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master