src/net/cert/internal/verify_certificate_chain.h - external/github.com/google/proto-quic - Git at Google

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 #ifndef NET_CERT_INTERNAL_VERIFY_CERTIFICATE_CHAIN_H_
 #define NET_CERT_INTERNAL_VERIFY_CERTIFICATE_CHAIN_H_

 #include <vector>

 #include "base/compiler_specific.h"
 #include "base/memory/ref_counted.h"
 #include "net/base/net_export.h"
 #include "net/cert/internal/cert_errors.h"
 #include "net/cert/internal/parsed_certificate.h"
 #include "net/der/input.h"

 namespace net {

 namespace der {
 struct GeneralizedTime;
 }

 class SignaturePolicy;
 class TrustAnchor;

 // VerifyCertificateChain() verifies a certificate path (chain) based on the
 // rules in RFC 5280. The caller is responsible for building the path and
 // finding the trust anchor.
 //
 // WARNING: This implementation is in progress, and is currently incomplete.
 // Consult an OWNER before using it.
 //
 // TODO(eroman): Take a CertPath instead of ParsedCertificateList +
 //               TrustAnchor.
 //
 // ---------
 // Inputs
 // ---------
 //
 //   cert_chain:
 //     A non-empty chain of N DER-encoded certificates, listed in the
 //     "forward" direction.
 //
 //      * cert_chain[0] is the target certificate to verify.
 //      * cert_chain[i+1] holds the certificate that issued cert_chain[i].
 //      * cert_chain[N-1] must be issued by the trust anchor.
 //
 //   trust_anchor:
 //     Contains the trust anchor (root) used to verify the chain. Must be
 //     non-null.
 //
 //   signature_policy:
 //     The policy to use when verifying signatures (what hash algorithms are
 //     allowed, what length keys, what named curves, etc).
 //
 //   time:
 //     The UTC time to use for expiration checks.
 //
 // ---------
 // Outputs
 // ---------
 //
 //   Returns true if the target certificate can be verified.
 //
 //   errors:
 //     Must be non-null. The set of errors/warnings encountered while
 //     validating the path are appended to this structure. There is no
 //     guarantee that on success |errors| is empty, or conversely that
 //     on failure |errors| is non-empty. Consumers must only use the
 //     boolean return value to determine success/failure.
 NET_EXPORT bool VerifyCertificateChain(const ParsedCertificateList& certs,
                                        const TrustAnchor* trust_anchor,
                                        const SignaturePolicy* signature_policy,
                                        const der::GeneralizedTime& time,
                                        CertErrors* errors) WARN_UNUSED_RESULT;

 // TODO(crbug.com/634443): Move exported errors to a central location?
 extern CertErrorId kValidityFailedNotAfter;
 extern CertErrorId kValidityFailedNotBefore;

 }  // namespace net

 #endif  // NET_CERT_INTERNAL_VERIFY_CERTIFICATE_CHAIN_H_
	// Copyright 2015 The Chromium Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	#ifndef NET_CERT_INTERNAL_VERIFY_CERTIFICATE_CHAIN_H_
	#define NET_CERT_INTERNAL_VERIFY_CERTIFICATE_CHAIN_H_

	#include <vector>

	#include "base/compiler_specific.h"
	#include "base/memory/ref_counted.h"
	#include "net/base/net_export.h"
	#include "net/cert/internal/cert_errors.h"
	#include "net/cert/internal/parsed_certificate.h"
	#include "net/der/input.h"

	namespace net {

	namespace der {
	struct GeneralizedTime;
	}

	class SignaturePolicy;
	class TrustAnchor;

	// VerifyCertificateChain() verifies a certificate path (chain) based on the
	// rules in RFC 5280. The caller is responsible for building the path and
	// finding the trust anchor.
	//
	// WARNING: This implementation is in progress, and is currently incomplete.
	// Consult an OWNER before using it.
	//
	// TODO(eroman): Take a CertPath instead of ParsedCertificateList +
	// TrustAnchor.
	//
	// ---------
	// Inputs
	// ---------
	//
	// cert_chain:
	// A non-empty chain of N DER-encoded certificates, listed in the
	// "forward" direction.
	//
	// * cert_chain[0] is the target certificate to verify.
	// * cert_chain[i+1] holds the certificate that issued cert_chain[i].
	// * cert_chain[N-1] must be issued by the trust anchor.
	//
	// trust_anchor:
	// Contains the trust anchor (root) used to verify the chain. Must be
	// non-null.
	//
	// signature_policy:
	// The policy to use when verifying signatures (what hash algorithms are
	// allowed, what length keys, what named curves, etc).
	//
	// time:
	// The UTC time to use for expiration checks.
	//
	// ---------
	// Outputs
	// ---------
	//
	// Returns true if the target certificate can be verified.
	//
	// errors:
	// Must be non-null. The set of errors/warnings encountered while
	// validating the path are appended to this structure. There is no
	// guarantee that on success \|errors\| is empty, or conversely that
	// on failure \|errors\| is non-empty. Consumers must only use the
	// boolean return value to determine success/failure.
	NET_EXPORT bool VerifyCertificateChain(const ParsedCertificateList& certs,
	const TrustAnchor* trust_anchor,
	const SignaturePolicy* signature_policy,
	const der::GeneralizedTime& time,
	CertErrors* errors) WARN_UNUSED_RESULT;

	// TODO(crbug.com/634443): Move exported errors to a central location?
	extern CertErrorId kValidityFailedNotAfter;
	extern CertErrorId kValidityFailedNotBefore;

	} // namespace net

	#endif // NET_CERT_INTERNAL_VERIFY_CERTIFICATE_CHAIN_H_