// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "path_builder.h" #include <cassert> #include <memory> #include <set> #include <unordered_set> #include <openssl/base.h> #include <openssl/pki/verify_error.h> #include <openssl/sha.h> #include "cert_issuer_source.h" #include "certificate_policies.h" #include "common_cert_errors.h" #include "parse_certificate.h" #include "parse_name.h" // For CertDebugString. #include "parser.h" #include "string_util.h" #include "trust_store.h" #include "verify_certificate_chain.h" #include "verify_name_match.h" BSSL_NAMESPACE_BEGIN namespace { CertIssuerSources; // Returns a hex-encoded sha256 of the DER-encoding of |cert|. std::string FingerPrintParsedCertificate(const bssl::ParsedCertificate *cert) { … } // TODO(mattm): decide how much debug logging to keep. std::string CertDebugString(const ParsedCertificate *cert) { … } std::string PathDebugString(const ParsedCertificateList &certs) { … } // This structure describes a certificate and its trust level. Note that |cert| // may be null to indicate an "empty" entry. struct IssuerEntry { … }; enum KeyIdentifierMatch { … }; // Returns an integer that represents the relative ordering of |issuer| for // prioritizing certificates in path building based on |issuer|'s // subjectKeyIdentifier and |target|'s authorityKeyIdentifier. Lower return // values indicate higer priority. KeyIdentifierMatch CalculateKeyIdentifierMatch( const ParsedCertificate *target, const ParsedCertificate *issuer) { … } // Returns an integer that represents the relative ordering of |issuer| based // on |issuer_trust| and authorityKeyIdentifier matching for prioritizing // certificates in path building. Lower return values indicate higer priority. int TrustAndKeyIdentifierMatchToOrder(const ParsedCertificate *target, const ParsedCertificate *issuer, const CertificateTrust &issuer_trust) { … } // CertIssuersIter iterates through the intermediates from |cert_issuer_sources| // which may be issuers of |cert|. class CertIssuersIter { … }; CertIssuersIter::CertIssuersIter( std::shared_ptr<const ParsedCertificate> in_cert, CertIssuerSources *cert_issuer_sources, TrustStore *trust_store) : … { … } void CertIssuersIter::GetNextIssuer(IssuerEntry *out) { … } void CertIssuersIter::AddIssuers(ParsedCertificateList new_issuers) { … } void CertIssuersIter::DoAsyncIssuerQuery() { … } void CertIssuersIter::SortRemainingIssuers() { … } // CertIssuerIterPath tracks which certs are present in the path and prevents // paths from being built which repeat any certs (including different versions // of the same cert, based on Subject+SubjectAltName+SPKI). // (RFC 5280 forbids duplicate certificates per section 6.1, and RFC 4158 // further recommends disallowing the same Subject+SubjectAltName+SPKI in // section 2.4.2.) class CertIssuerIterPath { … }; } // namespace const ParsedCertificate *CertPathBuilderResultPath::GetTrustedCert() const { … } // CertPathIter generates possible paths from |cert| to a trust anchor in // |trust_store|, using intermediates from the |cert_issuer_source| objects if // necessary. class CertPathIter { … }; CertPathIter::CertPathIter(std::shared_ptr<const ParsedCertificate> cert, TrustStore *trust_store) : … { … } void CertPathIter::AddCertIssuerSource(CertIssuerSource *cert_issuer_source) { … } bool CertPathIter::GetNextPath(ParsedCertificateList *out_certs, CertificateTrust *out_last_cert_trust, CertPathErrors *out_errors, CertPathBuilderDelegate *delegate, uint32_t *iteration_count, const uint32_t max_iteration_count, const uint32_t max_path_building_depth) { … } CertPathBuilderResultPath::CertPathBuilderResultPath() = default; CertPathBuilderResultPath::~CertPathBuilderResultPath() = default; bool CertPathBuilderResultPath::IsValid() const { … } VerifyError CertPathBuilderResultPath::GetVerifyError() const { … } CertPathBuilder::Result::Result() = default; CertPathBuilder::Result::Result(Result &&) = default; CertPathBuilder::Result::~Result() = default; CertPathBuilder::Result &CertPathBuilder::Result::operator=(Result &&) = default; bool CertPathBuilder::Result::HasValidPath() const { … } bool CertPathBuilder::Result::AnyPathContainsError(CertErrorId error_id) const { … } const VerifyError CertPathBuilder::Result::GetBestPathVerifyError() const { … } const CertPathBuilderResultPath *CertPathBuilder::Result::GetBestValidPath() const { … } const CertPathBuilderResultPath * CertPathBuilder::Result::GetBestPathPossiblyInvalid() const { … } CertPathBuilder::CertPathBuilder( std::shared_ptr<const ParsedCertificate> cert, TrustStore *trust_store, CertPathBuilderDelegate *delegate, const der::GeneralizedTime &time, KeyPurpose key_purpose, InitialExplicitPolicy initial_explicit_policy, const std::set<der::Input> &user_initial_policy_set, InitialPolicyMappingInhibit initial_policy_mapping_inhibit, InitialAnyPolicyInhibit initial_any_policy_inhibit) : … { … } CertPathBuilder::~CertPathBuilder() = default; void CertPathBuilder::AddCertIssuerSource( CertIssuerSource *cert_issuer_source) { … } void CertPathBuilder::SetIterationLimit(uint32_t limit) { … } void CertPathBuilder::SetDepthLimit(uint32_t limit) { … } void CertPathBuilder::SetValidPathLimit(size_t limit) { … } void CertPathBuilder::SetExploreAllPaths(bool explore_all_paths) { … } CertPathBuilder::Result CertPathBuilder::Run() { … } void CertPathBuilder::AddResultPath( std::unique_ptr<CertPathBuilderResultPath> result_path) { … } BSSL_NAMESPACE_END
Codebase Browser
chromium