This directory contains the core code for verifying server certificates. Limited support is also included for verifying client certificates, but only to the extent they chain to a server-supplied set of issuers.
Server certificate verification emphasizes the standards/policy for publicly trusted certificates:
The core logic of certificate verification is implemented synchronously, as it may need to integrate with synchronous OS-provided APIs. This synchronous implementation is performed through the CertVerifyProc interface, which is a thread-agnostic/thread-safe interface that can be used to verify certificates synchronously on arbitrary worker threads.
The top-level interface for verifying server certificates is the asynchronous CertVerifier.
MultiThreadedCertVerifier is an implementation of
CertVerifier that executes
CertVerifyProc synchronously on worker threads.
CertVerifyProcBuiltin is a cross-platform implementation which implements path building internally. It only relies on platform integrations for obtaining the trusted root certificates.
CertVerifyProc implementations are for integrating with the underlying platform‘s certificate verification library. For example, CertVerifyProcWin delegates certificate verification to Windows’ CryptoAPI.
Browser-specific policy checks are applied even when using the platform's certificate verifier. For instance, a certificate chain the OS deemed valid could ultimately be rejected by
CertVerifyProc since it independently checks the chain for CRLSet revocation, use of weak keys, Baseline Requirements validity, name constraints, weak signature algorithms, and more.