| Index: net/cert/internal/verify_certificate_chain.h
|
| diff --git a/net/cert/internal/verify_certificate_chain.h b/net/cert/internal/verify_certificate_chain.h
|
| index 2b4a7abe0b7a10aebb944e0718e38e0b1fb8c876..ec22a63d89f8d813a215ad97bb38065af0d382e3 100644
|
| --- a/net/cert/internal/verify_certificate_chain.h
|
| +++ b/net/cert/internal/verify_certificate_chain.h
|
| @@ -7,12 +7,16 @@
|
|
|
| #include <stdint.h>
|
|
|
| +#include <map>
|
| #include <memory>
|
| #include <string>
|
| +#include <unordered_map>
|
| #include <vector>
|
|
|
| #include "base/compiler_specific.h"
|
| +#include "base/memory/ref_counted.h"
|
| #include "net/base/net_export.h"
|
| +#include "net/cert/internal/name_constraints.h"
|
| #include "net/cert/internal/parse_certificate.h"
|
| #include "net/der/input.h"
|
|
|
| @@ -24,9 +28,16 @@ struct GeneralizedTime;
|
|
|
| class SignaturePolicy;
|
|
|
| -// Represents a trust anchor (i.e. a trusted root certificate).
|
| -class NET_EXPORT TrustAnchor {
|
| +// XXX Rename, better comment
|
| +// Represents a certificate, including top-level parsing and normalized name
|
| +// values. The certificate is not completely parsed and validated, only the
|
| +// validation performed by ParseCertificate, ParseTbsCertificate and
|
| +// NormalizeName is done.
|
| +class NET_EXPORT CertThing : public base::RefCountedThreadSafe<CertThing> {
|
| public:
|
| + // Map from OID to ParsedExtension.
|
| + using ExtensionsMap = std::map<der::Input, ParsedExtension>;
|
| +
|
| // The certificate data for this trust anchor may either be owned internally
|
| // (INTERNAL_COPY) or owned externally (EXTERNAL_REFERENCE). When it is
|
| // owned internally the data is held by |cert_data_|
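Review bot: The `// XXX Rename, better comment` placeholder is left at the head of the new class, and the DataSource comment that follows it still speaks of "this trust anchor" although CertThing now describes any certificate in the chain; both should be resolved before this lands. The class comment is otherwise useful because it states the important caveat that only ParseCertificate/ParseTbsCertificate/NormalizeName validation has been done, so I would drop the XXX line and reword the DataSource comment as `// The certificate data for this CertThing may either be owned internally`. The `ExtensionsMap` key type `der::Input` is a non-owning view, so it would help to say in its comment that keys point into the certificate's DER rather than owning the OID bytes. The class body continues past the end of this hunk.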
|
| @@ -35,28 +46,55 @@ class NET_EXPORT TrustAnchor {
|
| EXTERNAL_REFERENCE,
|
| };
|
|
|
| - TrustAnchor();
|
| - ~TrustAnchor();
|
| -
|
| - // Creates a TrustAnchor given a DER-encoded certificate. Returns nullptr on
|
| + // Creates a CertThing given a DER-encoded certificate. Returns nullptr on
|
| // failure. Failure will occur if the certificate data cannot be parsed to
|
| // find a subject.
|
| //
|
| // The provided certificate data is either copied, or aliased, depending on
|
| // the value of |source|. See the comments for DataSource for details.
|
| - static std::unique_ptr<TrustAnchor> CreateFromCertificateData(
|
| - const uint8_t* data,
|
| - size_t length,
|
| - DataSource source);
|
| -
|
| - // Returns true if the trust anchor matches |name|. In other words, returns
|
| - // true if the certificate's subject matches |name|.
|
| - bool MatchesName(const der::Input& name) const;
|
| -
|
| - // Returns the DER-encoded certificate data for this trust anchor.
|
| - const der::Input& cert() const { return cert_; }
|
| + static scoped_refptr<CertThing> CreateFromCertificateData(const uint8_t* data,
|
| + size_t length,
|
| + DataSource source);
|
| + static scoped_refptr<CertThing> CreateFromCertificateCopy(
|
| + const base::StringPiece& data);
|
| +
|
| + // Returns the DER-encoded certificate data for this cert.
|
| + const der::Input& der_cert() const { return cert_; }
|
| +
|
| + const ParsedCertificate& parsed_cert() const { return parsed_cert_; }
|
| + const ParsedTbsCertificate& parsed_tbs() const { return parsed_tbs_; }
|
| +
|
| + // Returns the DER-encoded normalized subject value (not including outer
|
| + // Sequence tag).
|
| + const std::string& normalized_subject() const { return normalized_subject_; }
|
| + // Returns the DER-encoded normalized issuer value (not including outer
|
| + // Sequence tag).
|
| + const std::string& normalized_issuer() const { return normalized_issuer_; }
|
| +
|
| + // Returns true if the certificate had a SubjectAltName extension.
|
| + bool has_subject_alt_names() const { return subject_alt_names_ != nullptr; }
|
| + // Returns the ParsedExtension struct for the SubjectAltName extension.
|
| + // If the cert did not have a SubjectAltName extension, this will be a
|
| + // default-initialized ParsedExtension struct.
|
| + const ParsedExtension& subject_alt_names_extension() const {
|
| + return subject_alt_names_extension_;
|
| + }
|
| + // Returns the GeneralNames class parsed from SubjectAltName extension, orr
|
| + // nullptr if no SubjectAltName extension was present.
|
| + const GeneralNames* subject_alt_names() const {
|
| + return subject_alt_names_.get();
|
| + }
|
| +
|
| + // Returns a map of unhandled extensions (excludes the ones above).
|
| + const ExtensionsMap& unconsumed_extensions() const {
|
| + return unconsumed_extensions_;
|
| + }
|
|
|
| private:
|
| + friend class base::RefCountedThreadSafe<CertThing>;
|
| + CertThing();
|
| + ~CertThing();
|
| +
|
| // The backing store for the certificate data. This is only applicable when
|
| // the trust anchor was initialized using DataSource::INTERNAL_COPY.
|
| std::vector<uint8_t> cert_data_;
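Review bot: `unconsumed_extensions()` is documented only as "a map of unhandled extensions", but nothing tells a caller what it must do with them; since the class deliberately stops short of full validation, a verifier that ignores an unrecognized extension marked critical would accept a certificate it is required to reject, so the accessor comment should spell that out, e.g. `// Callers are responsible for rejecting the certificate if any extension left here is marked critical.` (assuming ParsedExtension carries the critical flag, which this hunk does not show). The comment on `subject_alt_names()` has a typo, "orr" for "or". The `cert_data_` comment still says "the trust anchor was initialized", which no longer matches the class. The private section of the class continues beyond this hunk.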
|
| @@ -68,12 +106,27 @@ class NET_EXPORT TrustAnchor {
|
| // Points to the raw certificate DER.
|
| der::Input cert_;
|
|
|
| - // Points to the subject TLV for the certificate.
|
| - der::Input name_;
|
| + ParsedCertificate parsed_cert_;
|
| + ParsedTbsCertificate parsed_tbs_;
|
| +
|
| + // Normalized DER-encoded Subject (not including outer Sequence tag).
|
| + std::string normalized_subject_;
|
| + // Normalized DER-encoded Issuer (not including outer Sequence tag).
|
| + std::string normalized_issuer_;
|
|
|
| - DISALLOW_COPY_AND_ASSIGN(TrustAnchor);
|
| + // Raw SubjectAltName extension.
|
| + ParsedExtension subject_alt_names_extension_;
|
| + // Parsed SubjectAltName extension.
|
| + std::unique_ptr<GeneralNames> subject_alt_names_;
|
| +
|
| + // The remaining extensions (excludes the standard ones above).
|
| + ExtensionsMap unconsumed_extensions_;
|
| +
|
| + DISALLOW_COPY_AND_ASSIGN(CertThing);
|
| };
|
|
|
| +using CertVector = std::vector<scoped_refptr<CertThing>>;
|
| +
|
| // A very simple implementation of a TrustStore, which contains a set of
|
| // trusted certificates.
|
| class NET_EXPORT TrustStore {
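Review bot: The new members `parsed_cert_`, `parsed_tbs_`, `subject_alt_names_extension_` and the `der::Input` keys of `unconsumed_extensions_` are, by the look of their types, views into `cert_`, and `cert_` itself may alias caller-owned memory under `DataSource::EXTERNAL_REFERENCE`; none of the member comments say so, which makes a use-after-free easy to introduce later when a CertThing outlives the buffer it was created from. I would add, above `parsed_cert_`, a comment such as `// Views into |cert_|; valid only as long as the underlying DER is alive (see DataSource).` and confirm against the .cc that CreateFromCertificateData does not retain anything beyond `cert_` for the external case. The comment "excludes the standard ones above" on `unconsumed_extensions_` is also broader than the code, which only separates out SubjectAltName in this header, so "the SubjectAltName extension above" would be more accurate. The CertThing class begins before this hunk.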
|
| @@ -84,34 +137,22 @@ class NET_EXPORT TrustStore {
|
| // Empties the trust store, resetting it to original state.
|
| void Clear();
|
|
|
| - // Adds a trusted certificate to the store. The trust store makes a copy of
|
| - // the provided certificate data.
|
| - bool AddTrustedCertificate(const uint8_t* data,
|
| - size_t length) WARN_UNUSED_RESULT;
|
| - bool AddTrustedCertificate(const base::StringPiece& data) WARN_UNUSED_RESULT;
|
| + // Adds a trusted certificate to the store.
|
| + void AddTrustedCertificate(scoped_refptr<CertThing> anchor);
|
|
|
| - // This function is the same as AddTrustedCertificate() except the underlying
|
| - // data is not copied. The caller is responsible for ensuring that the data
|
| - // pointer remains alive and is not mutated for the lifetime of the
|
| - // TrustStore.
|
| - bool AddTrustedCertificateWithoutCopying(const uint8_t* data,
|
| - size_t length) WARN_UNUSED_RESULT;
|
| + // Returns the trust anchors that match |name| in |*matches|, if any.
|
| + void FindTrustAnchorsByNormalizedName(const std::string& normalized_name,
|
| + CertVector* matches) const;
|
|
|
| - // Returns the trust anchor that matches |name|, or nullptr if there is none.
|
| - // TODO(eroman): There may be multiple matches.
|
| - const TrustAnchor* FindTrustAnchorByName(const der::Input& name) const
|
| - WARN_UNUSED_RESULT;
|
| -
|
| - // Returns true if |cert_der| matches a certificate in the TrustStore.
|
| - bool IsTrustedCertificate(const der::Input& cert_der) const
|
| - WARN_UNUSED_RESULT;
|
| + // Returns true if |cert| matches a certificate in the TrustStore.
|
| + bool IsTrustedCertificate(const CertThing* cert) const WARN_UNUSED_RESULT;
|
|
|
| private:
|
| - bool AddTrustedCertificate(const uint8_t* data,
|
| - size_t length,
|
| - TrustAnchor::DataSource source) WARN_UNUSED_RESULT;
|
| -
|
| - std::vector<std::unique_ptr<TrustAnchor>> anchors_;
|
| + // Multimap from normalized subject -> CertThing.
|
| + std::unordered_multimap<base::StringPiece,
|
| + scoped_refptr<CertThing>,
|
| + base::StringPieceHash>
|
| + anchors_;
|
|
|
| DISALLOW_COPY_AND_ASSIGN(TrustStore);
|
| };
|
| @@ -155,6 +196,14 @@ NET_EXPORT bool VerifyCertificateChain(const std::vector<der::Input>& certs_der,
|
| const der::GeneralizedTime& time)
|
| WARN_UNUSED_RESULT;
|
|
|
| +// XXX docs.
|
| +NET_EXPORT bool VerifyCertificateChainAssumingTrustedRoot(
|
| + const std::vector<scoped_refptr<CertThing>>& certs,
|
| + // The trust store is only used for assertions.
|
| + const TrustStore& trust_store,
|
| + const SignaturePolicy* signature_policy,
|
| + const der::GeneralizedTime& time) WARN_UNUSED_RESULT;
|
| +
|
| } // namespace net
|
|
|
| #endif // NET_CERT_INTERNAL_VERIFY_CERTIFICATE_CHAIN_H_
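Review bot: `VerifyCertificateChainAssumingTrustedRoot` is added with `// XXX docs.` as its only documentation, and the comment on `trust_store` says it is used only for assertions, which means in non-debug builds nothing verifies that the last element of `certs` is actually trusted before the chain is accepted; that precondition must be stated for the caller. I would replace the XXX line with a comment along the lines of `// Verifies |certs| as a chain whose last element is a trust anchor. The caller MUST have established that certs.back() is in |trust_store|; this function only checks that in debug builds.` and keep the note about the ordering of the chain (leaf first, anchor last, if that is the convention of VerifyCertificateChain) explicit. The inline comment inside the parameter list is also out of step with the rest of the header, which documents parameters above the declaration.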
|
|
|