Add hooks for injecting custom logic into the pathbuilding/verification process.
This mechanism should be able to support things like:
* Revocation check using CRLSet
* Baseline requirement enforcements -- like max TTL, SHA1 cert validity time
* Rejecting certificates with weak keys and signatures
* Verifying HPKP pins
Some of the above are currently layered on differently in Chromium's cert verifiers so may not in practice use the mechanism, but are reasonable motivating examples.
As a strawman, the API shape could be something simple like a callback to answer the question “Are you OK with this cert chain?” after constructing a possible chain, or more generally a callback for each certificate added to the chain during building.
The mechanism will need to play nicely with the error reporting, and also prioritizaiton in the case of rejection.
Comment 1 by eroman@chromium.org
, Aug 4 2016