
Unified Diff: net/cert/internal/path_builder.h

Issue 2832703002: Allow the TrustStore interface to return matching intermediates, and identify distrusted certs. (Closed)
Patch Set: fix cert_verify_tool Created 3 years, 8 months ago
Index: net/cert/internal/path_builder.h
diff --git a/net/cert/internal/path_builder.h b/net/cert/internal/path_builder.h
index 361e745602f69184cbffa58165ace5959f8ed9fd..04a571a9a3bb3ec47cd2f4023bae0431c5e56b54 100644
--- a/net/cert/internal/path_builder.h
+++ b/net/cert/internal/path_builder.h
@@ -32,17 +32,18 @@ class SignaturePolicy;
// By convention:
// certs[0] is the target certificate
// certs[i] was issued by certs[i+1]
-// certs.back() was issued by trust_anchor
+// certs.back() is the root certificate.
//
-// TODO(eroman): The current code doesn't allow for the target certificate to
-// be the trust anchor. Should it?
+// Note that the final certificate may or may not be a trust achor -- inspect
+// |last_cert_trust| to determine it (or use GetTrustedCert())
struct NET_EXPORT CertPath {
CertPath();
~CertPath();
- scoped_refptr<TrustAnchor> trust_anchor;
+ // Contains information on whether certs.back() is trusted.
+ CertificateTrust last_cert_trust;
- // Path in the forward direction (path[0] is the target cert).
+ // Path in the forward direction (see class description).
ParsedCertificateList certs;
// Resets the path to empty path (same as if default constructed).
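Review bot: The convention list now calls certs.back() "the root certificate" while the next paragraph says it may not be a trust anchor, so a reader skimming the list can still treat the last element as trusted. With `trust_anchor` removed there is no null pointer left to signal an untrusted path, so `last_cert_trust` is the only indication and the comment should say so directly, e.g. `// certs.back() is the last certificate in the path; it is trusted only if |last_cert_trust| says so.` The added note also has a typo (`achor` should be `anchor`), and the comment on `certs` refers to a "class description" although CertPath is a struct. Whether Clear() also resets `last_cert_trust` is not visible in this hunk and is worth confirming.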
@@ -50,6 +51,10 @@ struct NET_EXPORT CertPath {
// TODO(eroman): Can we remove this? Unclear on how this relates to validity.
bool IsEmpty() const;
+
+ // Returns the chain's root certificate or nullptr if the chain doesn't chain
+ // to a trust anchor.
+ const ParsedCertificate* GetTrustedCert() const;
};
// Checks whether a certificate is trusted by building candidate paths to trust
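Review bot: The comment on `GetTrustedCert()` does not say what is returned for an empty path or for a last certificate that is distrusted or has unspecified trust. Those are the cases a caller making a trust decision most needs spelled out. Ownership of the returned pointer is also left open; presumably it points into `certs` and becomes invalid when the CertPath is cleared or destroyed, but the implementation is outside this hunk. Suggested wording: `// Returns certs.back() if |last_cert_trust| marks it as a trust anchor; returns nullptr for an empty path or a distrusted/unspecified last cert. The result is owned by |certs|.`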
@@ -116,7 +121,7 @@ class NET_EXPORT CertPathBuilder {
// The caller must keep |trust_store|, |signature_policy|, and |*result| valid
// for the lifetime of the CertPathBuilder.
CertPathBuilder(scoped_refptr<ParsedCertificate> cert,
- const TrustStore* trust_store,
+ TrustStore* trust_store,
const SignaturePolicy* signature_policy,
const der::GeneralizedTime& time,
KeyPurpose key_purpose,
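Review bot: `trust_store` loses its `const` qualifier here, but the comment above the constructor still states only the lifetime requirement. The hunk does not show why const was dropped; if path building can now mutate the store, callers that share one TrustStore across concurrent verifications need to know whether that is safe. I would add a sentence stating the actual contract, for example `// |trust_store| may be modified during path building; callers sharing it across threads must synchronize.` The constructor declaration continues past the end of this hunk.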
