Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(56)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: net/cert/cert_verifier.h

Issue 1994353002: Update CertVerifier::Verify to use RequestParams instead (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@request_params
Patch Set: Rebased Created 4 years, 6 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « ios/web/net/cert_verifier_block_adapter.cc ('k') | net/cert/cert_verifier.cc » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/cert/cert_verifier.h
diff --git a/net/cert/cert_verifier.h b/net/cert/cert_verifier.h
index 4e36688c5a188d29c453b216955325dec804ee82..52d7c3b2142fad6d6caac6b13d558a2a6350760a 100644
--- a/net/cert/cert_verifier.h
+++ b/net/cert/cert_verifier.h
@@ -10,6 +10,7 @@
#include <vector>
#include "base/macros.h"
+#include "base/memory/ref_counted.h"
#include "net/base/completion_callback.h"
#include "net/base/hash_value.h"
#include "net/base/net_export.h"
@@ -76,30 +77,57 @@ class NET_EXPORT CertVerifier {
VERIFY_REV_CHECKING_REQUIRED_LOCAL_ANCHORS = 1 << 4,
};
- // The parameters for doing a Verify(). |certificate|, |hostname|, and
- // |flags| are required. The rest are optional.
+ // Parameters to verify |certificate| against the supplied
+ // |hostname| as an SSL server.
+ //
+ // |hostname| should be a canonicalized hostname (in A-Label form) or IP
+ // address in string form, following the rules of a URL host portion. In
+ // the case of |hostname| being a domain name, it may contain a trailing
+ // dot (e.g. "example.com."), as used to signal to DNS not to perform
+ // suffix search, and it will safely be ignored. If |hostname| is an IPv6
+ // address, it MUST be in URL form - that is, surrounded in square
+ // brackets, such as "[::1]".
+ //
+ // |flags| is a bitwise OR of VerifyFlags.
+ //
+ // |ocsp_response| is optional, but if non-empty, should contain an OCSP
+ // response obtained via OCSP stapling. It may be ignored by the
+ // CertVerifier.
+ //
+ // |additional_trust_anchors| is optional, but if non-empty, should contain
+ // additional certificates to be treated as trust anchors. It may be ignored
+ // by the CertVerifier.
class NET_EXPORT RequestParams {
public:
- RequestParams(X509Certificate* certificate,
+ RequestParams(scoped_refptr<X509Certificate> certificate,
const std::string& hostname,
int flags,
const std::string& ocsp_response,
- const CertificateList& additional_trust_anchors);
+ CertificateList additional_trust_anchors);
RequestParams(const RequestParams& other);
~RequestParams();
+ const scoped_refptr<X509Certificate>& certificate() const {
+ return certificate_;
+ }
const std::string& hostname() const { return hostname_; }
int flags() const { return flags_; }
- const std::vector<SHA1HashValue> request_data() const {
- return request_data_;
+ const std::string& ocsp_response() const { return ocsp_response_; }
+ const CertificateList& additional_trust_anchors() const {
+ return additional_trust_anchors_;
}
bool operator<(const RequestParams& other) const;
private:
+ scoped_refptr<X509Certificate> certificate_;
std::string hostname_;
int flags_;
- std::vector<SHA1HashValue> request_data_;
+ std::string ocsp_response_;
+ CertificateList additional_trust_anchors_;
+
+ // Used to optimize sorting/indexing comparisons.
+ std::string key_;
};
// When the verifier is destroyed, all certificate verification requests are
@@ -115,17 +143,6 @@ class NET_EXPORT CertVerifier {
// |verify_result->cert_status|, and the error code for the most serious
// error is returned.
//
- // |ocsp_response|, if non-empty, is a stapled OCSP response to use.
- //
- // |flags| is bitwise OR'd of VerifyFlags.
- // If VERIFY_REV_CHECKING_ENABLED is set in |flags|, certificate revocation
- // checking is performed.
- //
- // If VERIFY_EV_CERT is set in |flags| too, EV certificate verification is
- // performed. If |flags| is VERIFY_EV_CERT (that is,
- // VERIFY_REV_CHECKING_ENABLED is not set), EV certificate verification will
- // not be performed.
- //
// |crl_set| points to an optional CRLSet structure which can be used to
// avoid revocation checks over the network.
//
@@ -140,12 +157,7 @@ class NET_EXPORT CertVerifier {
// If Verify() completes synchronously then |out_req| *may* be reset to
// nullptr. However it is not guaranteed that all implementations will reset
// it in this case.
- //
- // TODO(rsleevi): Update this to use RequestParams as part of the signature.
- virtual int Verify(X509Certificate* cert,
- const std::string& hostname,
- const std::string& ocsp_response,
- int flags,
+ virtual int Verify(const RequestParams& params,
CRLSet* crl_set,
CertVerifyResult* verify_result,
const CompletionCallback& callback,
« no previous file with comments | « ios/web/net/cert_verifier_block_adapter.cc ('k') | net/cert/cert_verifier.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698