| Index: net/cert/internal/verify_certificate_chain.h
|
| diff --git a/net/cert/internal/verify_certificate_chain.h b/net/cert/internal/verify_certificate_chain.h
|
| index a8b29176d756d8af2b38efe9b535606060a2eb74..8d1f044805192df088776b66f6a9b9f6f6c9a50e 100644
|
| --- a/net/cert/internal/verify_certificate_chain.h
|
| +++ b/net/cert/internal/verify_certificate_chain.h
|
| @@ -5,7 +5,7 @@
|
| #ifndef NET_CERT_INTERNAL_VERIFY_CERTIFICATE_CHAIN_H_
|
| #define NET_CERT_INTERNAL_VERIFY_CERTIFICATE_CHAIN_H_
|
|
|
| -#include <set>
|
| +#include <vector>
|
|
|
| #include "base/compiler_specific.h"
|
| #include "base/memory/ref_counted.h"
|
| @@ -30,160 +30,72 @@
|
| CLIENT_AUTH,
|
| };
|
|
|
| -enum class InitialExplicitPolicy {
|
| - kFalse,
|
| - kTrue,
|
| -};
|
| -
|
| -enum class InitialPolicyMappingInhibit {
|
| - kFalse,
|
| - kTrue,
|
| -};
|
| -
|
| -enum class InitialAnyPolicyInhibit {
|
| - kFalse,
|
| - kTrue,
|
| -};
|
| -
|
| // VerifyCertificateChain() verifies an ordered certificate path in accordance
|
| -// with RFC 5280's "Certification Path Validation" algorithm (section 6).
|
| +// with RFC 5280 (with some modifications [1]).
|
| //
|
| -// -----------------------------------------
|
| -// Deviations from RFC 5280
|
| -// -----------------------------------------
|
| +// [1] Deviations from RFC 5280:
|
| //
|
| -// * If Extended Key Usage appears on intermediates, it is treated as
|
| -// a restriction on subordinate certificates.
|
| +// * If Extended Key Usage appears on intermediates it is treated as a
|
| +// restriction on subordinate certificates.
|
| //
|
| -// -----------------------------------------
|
| -// Additional responsibilities of the caller
|
| -// -----------------------------------------
|
| -//
|
| -// After successful path verification, the caller is responsible for
|
| -// subsequently checking:
|
| +// The caller is responsible for additionally checking:
|
| //
|
| // * The end-entity's KeyUsage before using its SPKI.
|
| -// * The end-entity's name/subjectAltName. Name constraints from intermediates
|
| -// will have already been applied, so it is sufficient to check the
|
| -// end-entity for a match.
|
| +// * The end-entity's name/subjectAltName (note that name constraints from
|
| +// intermediates will have already been applied, so just need to check
|
| +// the end-entity for a match).
|
| +// * Policies
|
| +//
|
| +// WARNING: This implementation is in progress, and is currently incomplete.
|
| +// Consult an OWNER before using it.
|
| +//
|
| +// TODO(eroman): Take a CertPath instead of ParsedCertificateList +
|
| +// TrustAnchor.
|
| //
|
| // ---------
|
| // Inputs
|
| // ---------
|
| //
|
| -// certs:
|
| -// A non-empty chain of DER-encoded certificates, listed in the
|
| -// "forward" direction. The first certificate is the target
|
| -// certificate to verify, and the last certificate has trustedness
|
| -// given by |last_cert_trust| (generally a trust anchor).
|
| +// cert_chain:
|
| +// A non-empty chain of N DER-encoded certificates, listed in the
|
| +// "forward" direction. The first certificate is the target certificate to
|
| +// verify, and the last certificate has trustedness given by
|
| +// |last_cert_trust|.
|
| //
|
| -// * certs[0] is the target certificate to verify.
|
| -// * certs[i+1] holds the certificate that issued cert_chain[i].
|
| -// * certs[N-1] the root certificate
|
| -//
|
| -// Note that THIS IS NOT identical in meaning to the same named
|
| -// "certs" input defined in RFC 5280 section 6.1.1.a. The differences
|
| -// are:
|
| -//
|
| -// * The order of certificates is reversed
|
| -// * In RFC 5280 "certs" DOES NOT include the trust anchor
|
| +// * cert_chain[0] is the target certificate to verify.
|
| +// * cert_chain[i+1] holds the certificate that issued cert_chain[i].
|
| +// * cert_chain[N-1] the root certificate
|
| //
|
| // last_cert_trust:
|
| -// Trustedness of |certs.back()|. The trustedness of |certs.back()|
|
| -// MUST BE decided by the caller -- this function takes it purely as
|
| -// an input. Moreover, the CertificateTrust can be used to specify
|
| -// trust anchor constraints.
|
| -//
|
| -// This combined with |certs.back()| (the root certificate) fills a
|
| -// similar role to "trust anchor information" defined in RFC 5280
|
| -// section 6.1.1.d.
|
| +// Trustedness of certs.back(). The trustedness of certs.back() MUST BE
|
| +// decided by the caller -- this function takes it purely as an input.
|
| +// Moreover, the CertificateTrust can be used to specify trust anchor
|
| +// constraints [1]
|
| //
|
| // signature_policy:
|
| // The policy to use when verifying signatures (what hash algorithms are
|
| // allowed, what length keys, what named curves, etc).
|
| //
|
| // time:
|
| -// The UTC time to use for expiration checks. This is equivalent to
|
| -// the input from RFC 5280 section 6.1.1:
|
| +// The UTC time to use for expiration checks.
|
| //
|
| -// (b) the current date/time.
|
| -//
|
| -// required_key_purpose:
|
| +// key_purpose:
|
| // The key purpose that the target certificate needs to be valid for.
|
| -//
|
| -// user_initial_policy_set:
|
| -// This is equivalent to the same named input in RFC 5280 section
|
| -// 6.1.1:
|
| -//
|
| -// (c) user-initial-policy-set: A set of certificate policy
|
| -// identifiers naming the policies that are acceptable to the
|
| -// certificate user. The user-initial-policy-set contains the
|
| -// special value any-policy if the user is not concerned about
|
| -// certificate policy.
|
| -//
|
| -// initial_policy_mapping_inhibit:
|
| -// This is equivalent to the same named input in RFC 5280 section
|
| -// 6.1.1:
|
| -//
|
| -// (e) initial-policy-mapping-inhibit, which indicates if policy
|
| -// mapping is allowed in the certification path.
|
| -//
|
| -// initial_explicit_policy:
|
| -// This is equivalent to the same named input in RFC 5280 section
|
| -// 6.1.1:
|
| -//
|
| -// (f) initial-explicit-policy, which indicates if the path must be
|
| -// valid for at least one of the certificate policies in the
|
| -// user-initial-policy-set.
|
| -//
|
| -// initial_any_policy_inhibit:
|
| -// This is equivalent to the same named input in RFC 5280 section
|
| -// 6.1.1:
|
| -//
|
| -// (g) initial-any-policy-inhibit, which indicates whether the
|
| -// anyPolicy OID should be processed if it is included in a
|
| -// certificate.
|
| //
|
| // ---------
|
| // Outputs
|
| // ---------
|
| -//
|
| -// user_constrained_policy_set:
|
| -// Can be null. If non-null, |user_constrained_policy_set| will be filled
|
| -// with the matching policies (intersected with user_initial_policy_set).
|
| -// This is equivalent to the same named output in X.509 section 10.2.
|
| -// Note that it is OK for this to point to input user_initial_policy_set.
|
| -//
|
| // errors:
|
| // Must be non-null. The set of errors/warnings encountered while
|
| // validating the path are appended to this structure. If verification
|
| // failed, then there is guaranteed to be at least 1 high severity error
|
| // written to |errors|.
|
| //
|
| -// -------------------------
|
| -// Trust Anchor constraints
|
| -// -------------------------
|
| -//
|
| -// Conceptually, VerifyCertificateChain() sets RFC 5937's
|
| -// "enforceTrustAnchorConstraints" to true.
|
| -//
|
| -// One specifies trust anchor constraints using the |last_cert_trust|
|
| -// parameter in conjunction with extensions appearing in |certs.back()|.
|
| -//
|
| -// The trust anchor |certs.back()| is always passed as a certificate to
|
| -// this function, however the manner in which that certificate is
|
| -// interpreted depends on |last_cert_trust|:
|
| -//
|
| -// TRUSTED_ANCHOR:
|
| -//
|
| -// No properties from the root certificate, other than its Subject and
|
| -// SPKI, are checked during verification. This is the usual
|
| -// interpretation for a "trust anchor".
|
| -//
|
| -// TRUSTED_ANCHOR_WITH_CONSTRAINTS:
|
| -//
|
| -// Only a subset of extensions and properties from the certificate are checked,
|
| -// as described by RFC 5937.
|
| +// [1] Conceptually VerifyCertificateChain() sets RFC 5937's
|
| +// "enforceTrustAnchorConstraints" to true. And one specifies whether to
|
| +// interpret a root certificate as having trust anchor constraints through the
|
| +// |last_cert_trust| parameter. The constraints are just a subset of the
|
| +// extensions present in the certificate:
|
| //
|
| // * Signature: No
|
| // * Validity (expiration): No
|
| @@ -192,24 +104,17 @@
|
| // * Basic constraints: Yes, but only the pathlen (CA=false is accepted)
|
| // * Name constraints: Yes
|
| // * Certificate policies: Not currently, TODO(crbug.com/634453)
|
| -// * Policy Mappings: No
|
| // * inhibitAnyPolicy: Not currently, TODO(crbug.com/634453)
|
| // * PolicyConstraints: Not currently, TODO(crbug.com/634452)
|
| //
|
| // The presence of any other unrecognized extension marked as critical fails
|
| // validation.
|
| -NET_EXPORT void VerifyCertificateChain(
|
| - const ParsedCertificateList& certs,
|
| - const CertificateTrust& last_cert_trust,
|
| - const SignaturePolicy* signature_policy,
|
| - const der::GeneralizedTime& time,
|
| - KeyPurpose required_key_purpose,
|
| - InitialExplicitPolicy initial_explicit_policy,
|
| - const std::set<der::Input>& user_initial_policy_set,
|
| - InitialPolicyMappingInhibit initial_policy_mapping_inhibit,
|
| - InitialAnyPolicyInhibit initial_any_policy_inhibit,
|
| - std::set<der::Input>* user_constrained_policy_set,
|
| - CertPathErrors* errors);
|
| +NET_EXPORT void VerifyCertificateChain(const ParsedCertificateList& certs,
|
| + const CertificateTrust& last_cert_trust,
|
| + const SignaturePolicy* signature_policy,
|
| + const der::GeneralizedTime& time,
|
| + KeyPurpose required_key_purpose,
|
| + CertPathErrors* errors);
|
|
|
| // TODO(crbug.com/634443): Move exported errors to a central location?
|
| extern CertErrorId kValidityFailedNotAfter;
|
|
|
Chromium Code Reviews
Issue 2918063002:
Revert of Add policies support to VerifyCertificateChain(). (Closed)
