Diffstat (limited to 'chromium/net/cert/internal/verify_certificate_chain.h')
-rw-r--r-- | chromium/net/cert/internal/verify_certificate_chain.h | 47 |
1 files changed, 24 insertions, 23 deletions
diff --git a/chromium/net/cert/internal/verify_certificate_chain.h b/chromium/net/cert/internal/verify_certificate_chain.h
index 291c843d9ed..d1ea57e0575 100644
--- a/chromium/net/cert/internal/verify_certificate_chain.h
+++ b/chromium/net/cert/internal/verify_certificate_chain.h
@@ -10,6 +10,8 @@
 #include "base/compiler_specific.h"
 #include "base/memory/ref_counted.h"
 #include "net/base/net_export.h"
+#include "net/cert/internal/cert_errors.h"
+#include "net/cert/internal/parsed_certificate.h"
 #include "net/der/input.h"
 namespace net {
@@ -18,16 +20,20 @@ namespace der {
 struct GeneralizedTime;
 }
-class ParsedCertificate;
 class SignaturePolicy;
+class TrustAnchor;
 class TrustStore;
 // VerifyCertificateChain() verifies a certificate path (chain) based on the
-// rules in RFC 5280.
+// rules in RFC 5280. The caller is responsible for building the path and
+// finding the trust anchor.
 //
 // WARNING: This implementation is in progress, and is currently incomplete.
 // Consult an OWNER before using it.
 //
+// TODO(eroman): Take a CertPath instead of ParsedCertificateList +
+// TrustAnchor.
+//
 // ---------
 // Inputs
 // ---------
@@ -38,11 +44,11 @@ class TrustStore;
 //
 // * cert_chain[0] is the target certificate to verify.
 // * cert_chain[i+1] holds the certificate that issued cert_chain[i].
-// * cert_chain[N-1] must be the trust anchor, or have been directly
-// issued by a trust anchor.
+// * cert_chain[N-1] must be issued by the trust anchor.
 //
-// trust_store:
-// Contains the set of trusted public keys (and their names).
+// trust_anchor:
+// Contains the trust anchor (root) used to verify the chain. Must be
+// non-null.
 //
 // signature_policy:
 // The policy to use when verifying signatures (what hash algorithms are
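Review bot: The added sentence `The caller is responsible for building the path and finding the trust anchor.` in the `@@ -18,16 +20,20 @@` hunk moves the trust decision out of this function, but the header does not say whether the function checks the anchor it is handed in any way. If it does not (the implementation is not visible here), a caller that takes the anchor from peer-supplied certificates would get a successful result for an untrusted chain, so the contract should say so explicitly, for example `// |trust_anchor| is not validated against any store; it must come from the caller's TrustStore, never from the peer.` The `class TrustStore;` forward declaration kept in the same hunk also looks unused by the declaration visible in this diff and could be dropped if nothing else in the header needs it.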
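Review bot: The Inputs comment in the `@@ -38,11 +44,11 @@` hunk still indexes `cert_chain[...]`, while the declaration at the end of the file renames the parameter to `certs`; the new line would read better as `// * certs[N-1] must be issued by the trust anchor.`, with the neighbouring lines renamed to match. With the anchor now passed separately, the comment should also state what happens for an empty list, since N-1 is then undefined; returning false is the fail-closed choice. The start of this comment block lies outside the hunk, so the parameter heading may need the same rename.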
@@ -51,28 +57,23 @@ class TrustStore;
 // time:
 // The UTC time to use for expiration checks.
 //
-// trusted_chain_out:
-// The vector to populate with the verified trusted certificate chain.
-// * trusted_chain_out[0] is the target certificate verified.
-// * trusted_chain_out[i+1] holds the certificate that issued
-// trusted_chain_out[i].
-// * trusted_chain_out[N-1] is the trust anchor.
-// If a nullptr is passed, this parameter is ignored.
-// If the target certificate can not be verified, this parameter is
-// ignored.
-//
 // ---------
 // Outputs
 // ---------
 //
 // Returns true if the target certificate can be verified.
-NET_EXPORT bool VerifyCertificateChain(
- const std::vector<scoped_refptr<ParsedCertificate>>& cert_chain,
- const TrustStore& trust_store,
- const SignaturePolicy* signature_policy,
- const der::GeneralizedTime& time,
- std::vector<scoped_refptr<ParsedCertificate>>* trusted_chain_out)
- WARN_UNUSED_RESULT;
+//
+// errors:
+// Must be non-null. The set of errors/warnings encountered while
+// validating the path are appended to this structure. There is no
+// guarantee that on success |errors| is empty, or conversely that
+// on failure |errors| is non-empty. Consumers must only use the
+// boolean return value to determine success/failure.
+NET_EXPORT bool VerifyCertificateChain(const ParsedCertificateList& certs,
+ const TrustAnchor* trust_anchor,
+ const SignaturePolicy* signature_policy,
+ const der::GeneralizedTime& time,
+ CertErrors* errors) WARN_UNUSED_RESULT;
 } // namespace net |
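Review bot: `trust_anchor` and `errors` are both documented as "Must be non-null" yet are declared as raw pointers in the new `VerifyCertificateChain` declaration, and the header does not say what a null argument does. For a certificate verifier this matters: if the only guard is a debug-only assertion (not visible here), a release build should still return false rather than dereference null or skip a check. Consider taking the input as `const TrustAnchor& trust_anchor,` so the type enforces the contract, and add a line such as `// Passing a null |errors| is a programming error.` to the errors paragraph. `signature_policy` has no nullability statement at all in the visible comment and deserves one.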