Chromium Code Reviews

Issue 2800993002: Add a key purpose parameter to Certificate PathBuilder. (Closed)

Created:
3 years, 8 months ago by eroman
Modified:
3 years, 8 months ago
Reviewers:
dougsteed, mattm
CC:
chromium-reviews, cbentzel+watch_chromium.org, net-reviews_chromium.org, dougsteed+watch_chromium.org, ryanchung+watch_chromium.org
Target Ref:
refs/heads/master
Project:
chromium
Visibility:
Public.

Description

Add a key purpose parameter to Certificate PathBuilder.

In this CL it is used to verify the Extended Key Usage. (A subsequent CL will add Key Usage checks.)

BUG=634442
Review-Url: https://codereview.chromium.org/2800993002
Cr-Commit-Position: refs/heads/master@{#463714}
Committed: https://chromium.googlesource.com/chromium/src/+/5d358265af599429828297cab308b27fc4f1e8aa

Patch Set 1 #

Patch Set 2 : add datafiles for ios build #

Total comments: 2

Patch Set 3 : More cast comments #

Total comments: 8

Patch Set 4 : Address matt's comments #

Patch Set 5 : fix ios by adding data files to deps #

Patch Set 6 : rebase (dependent CL landed) #

Patch Set 7 : Add missing break statements #

Patch Set 8 : rebase #

Patch Set 9 : Remove temporary review comment #

Patch Set 10 : rebase #

Stats (+3431 lines, -55 lines)
M components/cast_certificate/cast_cert_validator.cc (3 chunks, +1 line, -16 lines)
M components/cast_certificate/cast_crl.cc (1 chunk, +1 line, -1 line)
M net/BUILD.gn (3 chunks, +8 lines, -0 lines)
M net/cert/cert_verify_proc_builtin.cc (1 chunk, +2 lines, -1 line)
M net/cert/cert_verify_proc_unittest.cc (1 chunk, +3 lines, -0 lines)
M net/cert/internal/path_builder.h (3 chunks, +3 lines, -0 lines)
M net/cert/internal/path_builder.cc (2 chunks, +5 lines, -3 lines)
M net/cert/internal/path_builder_pkits_unittest.cc (1 chunk, +2 lines, -1 line)
M net/cert/internal/path_builder_unittest.cc (22 chunks, +24 lines, -22 lines)
M net/cert/internal/path_builder_verify_certificate_chain_unittest.cc (1 chunk, +2 lines, -1 line)
M net/cert/internal/test_helpers.h (2 chunks, +4 lines, -0 lines)
M net/cert/internal/test_helpers.cc (1 chunk, +3 lines, -3 lines)
M net/cert/internal/trust_store.h (1 chunk, +1 line, -1 line)
M net/cert/internal/verify_certificate_chain.h (3 chunks, +11 lines, -0 lines)
M net/cert/internal/verify_certificate_chain.cc (9 chunks, +66 lines, -3 lines)
M net/cert/internal/verify_certificate_chain_pkits_unittest.cc (1 chunk, +2 lines, -1 line)
M net/cert/internal/verify_certificate_chain_typed_unittest.h (3 chunks, +13 lines, -0 lines)
M net/cert/internal/verify_certificate_chain_unittest.cc (1 chunk, +2 lines, -1 line)
A net/data/verify_certificate_chain_unittest/constrained-root-bad-eku.pem (1 chunk, +299 lines, -0 lines)
A net/data/verify_certificate_chain_unittest/generate-constrained-root-bad-eku.py (1 chunk, +35 lines, -0 lines)
A net/data/verify_certificate_chain_unittest/generate-intermediate-restricts-eku-fail.py (1 chunk, +36 lines, -0 lines)
A net/data/verify_certificate_chain_unittest/generate-intermediate-restricts-eku-ok.py (1 chunk, +34 lines, -0 lines)
A net/data/verify_certificate_chain_unittest/generate-intermediate-sets-eku-any.py (1 chunk, +34 lines, -0 lines)
A net/data/verify_certificate_chain_unittest/generate-target-lacks-eku.py (1 chunk, +30 lines, -0 lines)
A net/data/verify_certificate_chain_unittest/generate-target-restricts-eku-fail.py (1 chunk, +33 lines, -0 lines)
A net/data/verify_certificate_chain_unittest/generate-target-sets-eku-any.py (1 chunk, +31 lines, -0 lines)
A net/data/verify_certificate_chain_unittest/generate-unconstrained-root-bad-eku.py (1 chunk, +32 lines, -0 lines)
A net/data/verify_certificate_chain_unittest/intermediate-restricts-eku-fail.pem (1 chunk, +298 lines, -0 lines)
A net/data/verify_certificate_chain_unittest/intermediate-restricts-eku-ok.pem (1 chunk, +291 lines, -0 lines)
A net/data/verify_certificate_chain_unittest/intermediate-sets-eku-any.pem (1 chunk, +291 lines, -0 lines)
A net/data/verify_certificate_chain_unittest/keys/constrained-root-bad-eku/Intermediate.key (1 chunk, +28 lines, -0 lines)
A net/data/verify_certificate_chain_unittest/keys/constrained-root-bad-eku/Root.key (1 chunk, +28 lines, -0 lines)
A net/data/verify_certificate_chain_unittest/keys/constrained-root-bad-eku/Target.key (1 chunk, +28 lines, -0 lines)
A net/data/verify_certificate_chain_unittest/keys/intermediate-restricts-eku-fail/Intermediate.key (1 chunk, +28 lines, -0 lines)
A net/data/verify_certificate_chain_unittest/keys/intermediate-restricts-eku-fail/Root.key (1 chunk, +28 lines, -0 lines)
A net/data/verify_certificate_chain_unittest/keys/intermediate-restricts-eku-fail/Target.key (1 chunk, +28 lines, -0 lines)
A net/data/verify_certificate_chain_unittest/keys/intermediate-restricts-eku-ok/Intermediate.key (1 chunk, +28 lines, -0 lines)
A net/data/verify_certificate_chain_unittest/keys/intermediate-restricts-eku-ok/Root.key (1 chunk, +28 lines, -0 lines)
A net/data/verify_certificate_chain_unittest/keys/intermediate-restricts-eku-ok/Target.key (1 chunk, +28 lines, -0 lines)
A net/data/verify_certificate_chain_unittest/keys/intermediate-sets-eku-any/Intermediate.key (1 chunk, +28 lines, -0 lines)
A net/data/verify_certificate_chain_unittest/keys/intermediate-sets-eku-any/Root.key (1 chunk, +28 lines, -0 lines)
A net/data/verify_certificate_chain_unittest/keys/intermediate-sets-eku-any/Target.key (1 chunk, +28 lines, -0 lines)
A net/data/verify_certificate_chain_unittest/keys/target-lacks-eku/Intermediate.key (1 chunk, +28 lines, -0 lines)
A net/data/verify_certificate_chain_unittest/keys/target-lacks-eku/Root.key (1 chunk, +28 lines, -0 lines)
A net/data/verify_certificate_chain_unittest/keys/target-lacks-eku/Target.key (1 chunk, +28 lines, -0 lines)
A net/data/verify_certificate_chain_unittest/keys/target-restricts-eku-fail/Intermediate.key (1 chunk, +28 lines, -0 lines)
A net/data/verify_certificate_chain_unittest/keys/target-restricts-eku-fail/Root.key (1 chunk, +28 lines, -0 lines)
A net/data/verify_certificate_chain_unittest/keys/target-restricts-eku-fail/Target.key (1 chunk, +28 lines, -0 lines)
A net/data/verify_certificate_chain_unittest/keys/target-sets-eku-any/Intermediate.key (1 chunk, +28 lines, -0 lines)
A net/data/verify_certificate_chain_unittest/keys/target-sets-eku-any/Root.key (1 chunk, +28 lines, -0 lines)
A net/data/verify_certificate_chain_unittest/keys/target-sets-eku-any/Target.key (1 chunk, +28 lines, -0 lines)
A net/data/verify_certificate_chain_unittest/keys/unconstrained-root-bad-eku/Intermediate.key (1 chunk, +28 lines, -0 lines)
A net/data/verify_certificate_chain_unittest/keys/unconstrained-root-bad-eku/Root.key (1 chunk, +28 lines, -0 lines)
A net/data/verify_certificate_chain_unittest/keys/unconstrained-root-bad-eku/Target.key (1 chunk, +28 lines, -0 lines)
A net/data/verify_certificate_chain_unittest/target-lacks-eku.pem (1 chunk, +285 lines, -0 lines)
A net/data/verify_certificate_chain_unittest/target-restricts-eku-fail.pem (1 chunk, +295 lines, -0 lines)
A net/data/verify_certificate_chain_unittest/target-sets-eku-any.pem (1 chunk, +287 lines, -0 lines)
A net/data/verify_certificate_chain_unittest/unconstrained-root-bad-eku.pem (1 chunk, +291 lines, -0 lines)
M net/tools/cert_verify_tool/cert_verify_tool.cc (1 chunk, +2 lines, -0 lines)
M net/tools/cert_verify_tool/verify_using_path_builder.cc (1 chunk, +2 lines, -1 line)

Messages

Total messages: 53 (39 generated)
eroman
3 years, 8 months ago (2017-04-06 04:31:57 UTC) #6
mattm
https://codereview.chromium.org/2800993002/diff/20001/net/data/verify_certificate_chain_unittest/generate-target-restricts-eku-fail.py
File net/data/verify_certificate_chain_unittest/generate-target-restricts-eku-fail.py (right):
https://codereview.chromium.org/2800993002/diff/20001/net/data/verify_certificate_chain_unittest/generate-target-restricts-eku-fail.py#newcode25
net/data/verify_certificate_chain_unittest/generate-target-restricts-eku-fail.py:25: key_purpose = common.DEFAULT_KEY_PURPOSE
specify server_auth explicitly?
https://codereview.chromium.org/2800993002/diff/40001/net/cert/internal/verify_certificate_chain.cc
File net/cert/internal/verify_certificate_chain.cc ...
3 years, 8 months ago (2017-04-06 22:16:03 UTC) #11
eroman
https://codereview.chromium.org/2800993002/diff/40001/net/cert/internal/verify_certificate_chain.cc
File net/cert/internal/verify_certificate_chain.cc (right):
https://codereview.chromium.org/2800993002/diff/40001/net/cert/internal/verify_certificate_chain.cc#newcode450
net/cert/internal/verify_certificate_chain.cc:450: if (!trust_anchor.enforces_constraints())
On 2017/04/06 22:16:03, mattm wrote:
> Should ...
3 years, 8 months ago (2017-04-07 00:39:40 UTC) #12
ryanchung
https://codereview.chromium.org/2800993002/diff/40001/components/cast_certificate/cast_cert_validator.cc
File components/cast_certificate/cast_cert_validator.cc (right):
https://codereview.chromium.org/2800993002/diff/40001/components/cast_certificate/cast_cert_validator.cc#newcode180
components/cast_certificate/cast_cert_validator.cc:180: // TODO(delete before landing): Doug/Cast OWNERs: the behavior after ...
3 years, 8 months ago (2017-04-07 02:02:47 UTC) #14
mattm
https://codereview.chromium.org/2800993002/diff/40001/net/cert/internal/verify_certificate_chain.h
File net/cert/internal/verify_certificate_chain.h (right):
https://codereview.chromium.org/2800993002/diff/40001/net/cert/internal/verify_certificate_chain.h#newcode28
net/cert/internal/verify_certificate_chain.h:28: KEY_PURPOSE_ANY,
On 2017/04/07 00:39:40, eroman wrote:
> On 2017/04/06 ...
3 years, 8 months ago (2017-04-07 02:56:37 UTC) #15
eroman
https://codereview.chromium.org/2800993002/diff/20001/net/data/verify_certificate_chain_unittest/generate-target-restricts-eku-fail.py
File net/data/verify_certificate_chain_unittest/generate-target-restricts-eku-fail.py (right):
https://codereview.chromium.org/2800993002/diff/20001/net/data/verify_certificate_chain_unittest/generate-target-restricts-eku-fail.py#newcode25
net/data/verify_certificate_chain_unittest/generate-target-restricts-eku-fail.py:25: key_purpose = common.DEFAULT_KEY_PURPOSE
On 2017/04/06 22:16:03, mattm wrote:
> ...
3 years, 8 months ago (2017-04-07 22:13:08 UTC) #18
mattm
lgtm
3 years, 8 months ago (2017-04-07 23:22:38 UTC) #21
eroman
+dougsteed for OWNERS approval on the first two files (cast_certificate/*) I explained the change in ...
3 years, 8 months ago (2017-04-07 23:44:16 UTC) #25
eroman
ping Doug for OWNERS
3 years, 8 months ago (2017-04-11 15:52:47 UTC) #36
dougsteed
lgtm
3 years, 8 months ago (2017-04-11 16:08:42 UTC) #37
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2800993002/160001
3 years, 8 months ago (2017-04-11 16:14:07 UTC) #40
commit-bot: I haz the power
Try jobs failed on following builders: ios-device on master.tryserver.chromium.mac (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.mac/builders/ios-device/builds/188383) ios-simulator-xcode-clang on master.tryserver.chromium.mac (JOB_FAILED, ...
3 years, 8 months ago (2017-04-11 16:17:46 UTC) #42
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2800993002/180001
3 years, 8 months ago (2017-04-11 18:20:15 UTC) #50
commit-bot: I haz the power
3 years, 8 months ago (2017-04-11 19:14:55 UTC) #53
Message was sent while issue was closed.
Committed patchset #10 (id:180001) as
https://chromium.googlesource.com/chromium/src/+/5d358265af599429828297cab308...
