Chromium Code Reviews

Issue 2245643004: Support trust anchor constraints, by specifying them as a certificate. (Closed)

Created:
4 years, 4 months ago by eroman
Modified:
4 years, 4 months ago
Reviewers:
mattm
CC:
chromium-reviews, cbentzel+watch_chromium.org, sheretov+watch_chromium.org, dougsteed+watch_chromium.org, vadimgo+watch_chromium.org, ryanchung+watch_chromium.org
Base URL:
https://chromium.googlesource.com/chromium/src.git@master
Target Ref:
refs/pending/heads/master
Project:
chromium
Visibility:
Public.

Description

Support trust anchor constraints, by specifying them as a certificate.

BUG=635200, 410574

Committed: https://crrev.com/7f781f34f09fe2f3c5117f71de47e38d9bb59bad
Cr-Commit-Position: refs/heads/master@{#412402}

Patch Set 1 #

Patch Set 2 : better align with RFC #

Patch Set 3 : passes tests #

Patch Set 4 : checkpoint #

Total comments: 1

Patch Set 5 : update another bug number #

Total comments: 2

Patch Set 6 : address matt's feedback #

Patch Set 7 : remove cast changes (splitting into separate CL) #

Patch Set 8 : update gypi #

Stats (+2604 lines, -803 lines)
M net/cert/internal/test_helpers.cc (3 chunks, +8 lines, -2 lines)
M net/cert/internal/trust_store.h (2 chunks, +57 lines, -18 lines)
M net/cert/internal/trust_store.cc (2 chunks, +9 lines, -3 lines)
M net/cert/internal/verify_certificate_chain.cc (6 chunks, +68 lines, -8 lines)
M net/cert/internal/verify_certificate_chain_typed_unittest.h (4 chunks, +55 lines, -7 lines)
A net/data/verify_certificate_chain_unittest/constrained-non-self-signed-root.pem (1 chunk, +281 lines, -0 lines)
A net/data/verify_certificate_chain_unittest/constrained-root-basic-constraints-ca-false.pem (1 chunk, +282 lines, -0 lines)
A net/data/verify_certificate_chain_unittest/constrained-root-lacks-basic-constraints.pem (1 chunk, +278 lines, -0 lines)
A net/data/verify_certificate_chain_unittest/expired-constrained-root.pem (1 chunk, +282 lines, -0 lines)
D net/data/verify_certificate_chain_unittest/expired-root.pem (1 chunk, +0 lines, -281 lines)
A + net/data/verify_certificate_chain_unittest/expired-unconstrained-root.pem (1 chunk, +3 lines, -2 lines)
A + net/data/verify_certificate_chain_unittest/generate-constrained-non-self-signed-root.py (2 chunks, +9 lines, -5 lines)
A + net/data/verify_certificate_chain_unittest/generate-constrained-root-basic-constraints-ca-false.py (1 chunk, +9 lines, -8 lines)
A + net/data/verify_certificate_chain_unittest/generate-constrained-root-lacks-basic-constraints.py (1 chunk, +6 lines, -4 lines)
A + net/data/verify_certificate_chain_unittest/generate-expired-constrained-root.py (2 chunks, +5 lines, -5 lines)
D net/data/verify_certificate_chain_unittest/generate-expired-root.py (1 chunk, +0 lines, -34 lines)
A + net/data/verify_certificate_chain_unittest/generate-expired-unconstrained-root.py (1 chunk, +2 lines, -1 line)
A + net/data/verify_certificate_chain_unittest/generate-unconstrained-non-self-signed-root.py (2 chunks, +8 lines, -4 lines)
A + net/data/verify_certificate_chain_unittest/generate-unconstrained-root-basic-constraints-ca-false.py (2 chunks, +9 lines, -7 lines)
A + net/data/verify_certificate_chain_unittest/generate-unconstrained-root-lacks-basic-constraints.py (1 chunk, +5 lines, -3 lines)
A + net/data/verify_certificate_chain_unittest/generate-violates-pathlen-1-constrained-root.py (2 chunks, +4 lines, -4 lines)
D net/data/verify_certificate_chain_unittest/generate-violates-pathlen-1-root.py (1 chunk, +0 lines, -32 lines)
A + net/data/verify_certificate_chain_unittest/generate-violates-pathlen-1-unconstrained-root.py (1 chunk, +1 line, -1 line)
A net/data/verify_certificate_chain_unittest/unconstrained-non-self-signed-root.pem (1 chunk, +281 lines, -0 lines)
A net/data/verify_certificate_chain_unittest/unconstrained-root-basic-constraints-ca-false.pem (1 chunk, +282 lines, -0 lines)
A net/data/verify_certificate_chain_unittest/unconstrained-root-lacks-basic-constraints.pem (1 chunk, +278 lines, -0 lines)
A net/data/verify_certificate_chain_unittest/violates-pathlen-1-constrained-root.pem (1 chunk, +370 lines, -0 lines)
D net/data/verify_certificate_chain_unittest/violates-pathlen-1-root.pem (1 chunk, +0 lines, -370 lines)
A + net/data/verify_certificate_chain_unittest/violates-pathlen-1-unconstrained-root.pem (1 chunk, +2 lines, -2 lines)
M net/net.gypi (2 chunks, +10 lines, -2 lines)

Messages

Total messages: 21 (14 generated)
eroman
4 years, 4 months ago (2016-08-16 00:02:15 UTC) #3
eroman
https://codereview.chromium.org/2245643004/diff/60001/net/cert/internal/verify_certificate_chain.cc
File net/cert/internal/verify_certificate_chain.cc (right):

https://codereview.chromium.org/2245643004/diff/60001/net/cert/internal/verify_certificate_chain.cc#newcode346
net/cert/internal/verify_certificate_chain.cc:346: name_constraints_list->push_back(&cert.name_constraints());
I don't yet have a test for this ...
4 years, 4 months ago (2016-08-16 00:03:01 UTC) #4
mattm
lgtm

https://codereview.chromium.org/2245643004/diff/80001/net/data/verify_certificate_chain_unittest/generate-expired-unconstrained-root.py
File net/data/verify_certificate_chain_unittest/generate-expired-unconstrained-root.py (right):

https://codereview.chromium.org/2245643004/diff/80001/net/data/verify_certificate_chain_unittest/generate-expired-unconstrained-root.py#newcode9
net/data/verify_certificate_chain_unittest/generate-expired-unconstrained-root.py:9: enforced."""
missing )
4 years, 4 months ago (2016-08-16 22:00:06 UTC) #5
eroman
Thanks for the review! Note I removed the changed Cast files from this CL (splitting ...
4 years, 4 months ago (2016-08-16 22:59:12 UTC) #6
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2245643004/140001
4 years, 4 months ago (2016-08-17 00:47:57 UTC) #17
commit-bot: I haz the power
Committed patchset #8 (id:140001)
4 years, 4 months ago (2016-08-17 00:52:06 UTC) #19
commit-bot: I haz the power
4 years, 4 months ago (2016-08-17 00:53:59 UTC) #21
Message was sent while issue was closed.
Patchset 8 (id:??) landed as
https://crrev.com/7f781f34f09fe2f3c5117f71de47e38d9bb59bad
Cr-Commit-Position: refs/heads/master@{#412402}
