Chromium Code Reviews

Side by Side Diff: net/cert/internal/verify_certificate_chain.cc

Issue 2126803004: WIP: NSS trust store integration for path builder. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@cert-command-line-path-builder-add_certpathbuilder
Patch Set: . Created 4 years, 4 months ago
OLD | NEW
1 // Copyright 2015 The Chromium Authors. All rights reserved. 1 // Copyright 2015 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/cert/internal/verify_certificate_chain.h" 5 #include "net/cert/internal/verify_certificate_chain.h"
6 6
7 #include <memory> 7 #include <memory>
8 8
9 #include "base/logging.h" 9 #include "base/logging.h"
10 #include "net/cert/internal/name_constraints.h" 10 #include "net/cert/internal/name_constraints.h"
(...skipping 325 matching lines...)
336 } // namespace 336 } // namespace
337 337
338 // This implementation is structured to mimic the description of certificate 338 // This implementation is structured to mimic the description of certificate
339 // path verification given by RFC 5280 section 6.1. 339 // path verification given by RFC 5280 section 6.1.
340 // 340 //
341 // Unlike RFC 5280, the trust anchor is specified as the root certificate in 341 // Unlike RFC 5280, the trust anchor is specified as the root certificate in
342 // the chain. This root certificate is assumed to be trusted, and neither its 342 // the chain. This root certificate is assumed to be trusted, and neither its
343 // signature nor issuer name are verified. (It needn't be self-signed). 343 // signature nor issuer name are verified. (It needn't be self-signed).
344 bool VerifyCertificateChainAssumingTrustedRoot( 344 bool VerifyCertificateChainAssumingTrustedRoot(
345 const ParsedCertificateList& certs, 345 const ParsedCertificateList& certs,
346 // The trust store is only used for assertions.
347 const TrustStore& trust_store,
348 const SignaturePolicy* signature_policy, 346 const SignaturePolicy* signature_policy,
349 const der::GeneralizedTime& time) { 347 const der::GeneralizedTime& time) {
350 // An empty chain is necessarily invalid. 348 // An empty chain is necessarily invalid.
351 if (certs.empty()) 349 if (certs.empty())
352 return false; 350 return false;
353 351
354 // IMPORTANT: the assumption being made is that the root certificate in
355 // the given path is the trust anchor (and has already been verified as
356 // such).
357 DCHECK(trust_store.IsTrustedCertificate(certs.back().get()));
358
359 // Will contain a NameConstraints for each previous cert in the chain which 352 // Will contain a NameConstraints for each previous cert in the chain which
360 // had nameConstraints. This corresponds to the permitted_subtrees and 353 // had nameConstraints. This corresponds to the permitted_subtrees and
361 // excluded_subtrees state variables from RFC 5280. 354 // excluded_subtrees state variables from RFC 5280.
362 std::vector<const NameConstraints*> name_constraints_list; 355 std::vector<const NameConstraints*> name_constraints_list;
363 356
364 // |working_spki| is an amalgamation of 3 separate variables from RFC 5280: 357 // |working_spki| is an amalgamation of 3 separate variables from RFC 5280:
365 // * working_public_key 358 // * working_public_key
366 // * working_public_key_algorithm 359 // * working_public_key_algorithm
367 // * working_public_key_parameters 360 // * working_public_key_parameters
368 // 361 //
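Review bot: The precondition that `certs.back()` is an already-verified trust anchor is no longer stated or asserted anywhere in the function body once old lines 354-357 are dropped together with the `trust_store` parameter (old lines 346-347). The only remaining hint is the header comment at 341-343, which says the root "is assumed to be trusted" but does not say who is responsible for establishing that. Since this function never verifies the root's signature or issuer name, a caller that passes an unvetted chain gets `true` for any internally consistent path. Suggest keeping the "IMPORTANT" comment text (without the DCHECK) or extending the comment at 341-343 to state explicitly that the caller must have checked the last certificate against its trust store before calling. Note also that the removed `DCHECK` was a debug-only assertion, so it was never an enforcement point in release builds; the trust decision has to be enforced and tested on the caller side.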
(...skipping 71 matching lines...)
440 433
441 // TODO(eroman): RFC 5280 forbids duplicate certificates per section 6.1: 434 // TODO(eroman): RFC 5280 forbids duplicate certificates per section 6.1:
442 // 435 //
443 // A certificate MUST NOT appear more than once in a prospective 436 // A certificate MUST NOT appear more than once in a prospective
444 // certification path. 437 // certification path.
445 438
446 return true; 439 return true;
447 } 440 }
448 441
449 } // namespace net 442 } // namespace net