OLD | NEW |
1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/internal/verify_certificate_chain.h" | 5 #include "net/cert/internal/verify_certificate_chain.h" |
6 | 6 |
7 #include <memory> | 7 #include <memory> |
8 | 8 |
9 #include "base/logging.h" | 9 #include "base/logging.h" |
10 #include "net/cert/internal/name_constraints.h" | 10 #include "net/cert/internal/name_constraints.h" |
(...skipping 325 matching lines...)
336 } // namespace | 336 } // namespace |
337 | 337 |
338 // This implementation is structured to mimic the description of certificate | 338 // This implementation is structured to mimic the description of certificate |
339 // path verification given by RFC 5280 section 6.1. | 339 // path verification given by RFC 5280 section 6.1. |
340 // | 340 // |
341 // Unlike RFC 5280, the trust anchor is specified as the root certificate in | 341 // Unlike RFC 5280, the trust anchor is specified as the root certificate in |
342 // the chain. This root certificate is assumed to be trusted, and neither its | 342 // the chain. This root certificate is assumed to be trusted, and neither its |
343 // signature nor issuer name are verified. (It needn't be self-signed). | 343 // signature nor issuer name are verified. (It needn't be self-signed). |
344 bool VerifyCertificateChainAssumingTrustedRoot( | 344 bool VerifyCertificateChainAssumingTrustedRoot( |
345 const ParsedCertificateList& certs, | 345 const ParsedCertificateList& certs, |
346 // The trust store is only used for assertions. | |
347 const TrustStore& trust_store, | |
348 const SignaturePolicy* signature_policy, | 346 const SignaturePolicy* signature_policy, |
349 const der::GeneralizedTime& time) { | 347 const der::GeneralizedTime& time) { |
350 // An empty chain is necessarily invalid. | 348 // An empty chain is necessarily invalid. |
351 if (certs.empty()) | 349 if (certs.empty()) |
352 return false; | 350 return false; |
353 | 351 |
354 // IMPORTANT: the assumption being made is that the root certificate in | |
355 // the given path is the trust anchor (and has already been verified as | |
356 // such). | |
357 DCHECK(trust_store.IsTrustedCertificate(certs.back().get())); | |
358 | |
359 // Will contain a NameConstraints for each previous cert in the chain which | 352 // Will contain a NameConstraints for each previous cert in the chain which |
360 // had nameConstraints. This corresponds to the permitted_subtrees and | 353 // had nameConstraints. This corresponds to the permitted_subtrees and |
361 // excluded_subtrees state variables from RFC 5280. | 354 // excluded_subtrees state variables from RFC 5280. |
362 std::vector<const NameConstraints*> name_constraints_list; | 355 std::vector<const NameConstraints*> name_constraints_list; |
363 | 356 |
364 // |working_spki| is an amalgamation of 3 separate variables from RFC 5280: | 357 // |working_spki| is an amalgamation of 3 separate variables from RFC 5280: |
365 // * working_public_key | 358 // * working_public_key |
366 // * working_public_key_algorithm | 359 // * working_public_key_algorithm |
367 // * working_public_key_parameters | 360 // * working_public_key_parameters |
368 // | 361 // |
(...skipping 71 matching lines...)
440 | 433 |
441 // TODO(eroman): RFC 5280 forbids duplicate certificates per section 6.1: | 434 // TODO(eroman): RFC 5280 forbids duplicate certificates per section 6.1: |
442 // | 435 // |
443 // A certificate MUST NOT appear more than once in a prospective | 436 // A certificate MUST NOT appear more than once in a prospective |
444 // certification path. | 437 // certification path. |
445 | 438 |
446 return true; | 439 return true; |
447 } | 440 } |
448 | 441 |
449 } // namespace net | 442 } // namespace net |
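Review bot: With `DCHECK(trust_store.IsTrustedCertificate(certs.back().get()));` (old line 357) removed, nothing in VerifyCertificateChainAssumingTrustedRoot ties `certs.back()` to a trust anchor any more, and the IMPORTANT comment that spelled out the precondition was dropped along with it. The check was debug-only, so release behaviour does not change, but the caller contract now rests only on the function name and the comment at new lines 338-343. I would keep an explicit precondition after the empty-chain check (new line 351), e.g. `// IMPORTANT: the caller must already have established that certs.back() is a trust anchor; this function does not check it, and a true result says nothing about trust otherwise.` The call sites and the header declaration are outside this view, so it is worth confirming that each caller performs the trust-store lookup before calling and that the header carries the same wording.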