
Issue 635200


Issue metadata

Status: Fixed
Owner:
Closed: Aug 2016
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug

Blocking:
issue 410574




[PKI library] Support trust anchor constraints

Project Member Reported by eroman@chromium.org, Aug 6 2016

Issue description

Add support for specifying RFC 5937 style anchor constraints on trust anchors.

See also issue 634509 -- previously was specifying trust anchors as full-blown certificate and processing any extensions similar to anchor constraints.

One approach would be to represent the anchor constraints as the corresponding Extensions.
 
Owner: eroman@chromium.org
Status: Assigned (was: Untriaged)
Project Member

Comment 2 by bugdroid1@chromium.org, Aug 12 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/82ab15b8a6f7873ab9d520ad5c32142ec033dfe2

commit 82ab15b8a6f7873ab9d520ad5c32142ec033dfe2
Author: eroman <eroman@chromium.org>
Date: Fri Aug 12 00:00:28 2016

Refactor some certificate verification tests in preparation to adding
trust anchor constraints.

BUG=635200

Review-Url: https://codereview.chromium.org/2233233002
Cr-Commit-Position: refs/heads/master@{#411458}

[modify] https://crrev.com/82ab15b8a6f7873ab9d520ad5c32142ec033dfe2/net/cert/internal/nist_pkits_unittest.h
[modify] https://crrev.com/82ab15b8a6f7873ab9d520ad5c32142ec033dfe2/net/cert/internal/path_builder_unittest.cc
[modify] https://crrev.com/82ab15b8a6f7873ab9d520ad5c32142ec033dfe2/net/cert/internal/path_builder_verify_certificate_chain_unittest.cc
[modify] https://crrev.com/82ab15b8a6f7873ab9d520ad5c32142ec033dfe2/net/cert/internal/test_helpers.cc
[modify] https://crrev.com/82ab15b8a6f7873ab9d520ad5c32142ec033dfe2/net/cert/internal/test_helpers.h
[modify] https://crrev.com/82ab15b8a6f7873ab9d520ad5c32142ec033dfe2/net/cert/internal/verify_certificate_chain_typed_unittest.h
[modify] https://crrev.com/82ab15b8a6f7873ab9d520ad5c32142ec033dfe2/net/cert/internal/verify_certificate_chain_unittest.cc
[modify] https://crrev.com/82ab15b8a6f7873ab9d520ad5c32142ec033dfe2/net/data/verify_certificate_chain_unittest/README
[modify] https://crrev.com/82ab15b8a6f7873ab9d520ad5c32142ec033dfe2/net/data/verify_certificate_chain_unittest/basic-constraints-pathlen-0-self-issued.pem
[modify] https://crrev.com/82ab15b8a6f7873ab9d520ad5c32142ec033dfe2/net/data/verify_certificate_chain_unittest/common.py
[modify] https://crrev.com/82ab15b8a6f7873ab9d520ad5c32142ec033dfe2/net/data/verify_certificate_chain_unittest/expired-intermediate.pem
[modify] https://crrev.com/82ab15b8a6f7873ab9d520ad5c32142ec033dfe2/net/data/verify_certificate_chain_unittest/expired-root.pem
[modify] https://crrev.com/82ab15b8a6f7873ab9d520ad5c32142ec033dfe2/net/data/verify_certificate_chain_unittest/expired-target-notBefore.pem
[modify] https://crrev.com/82ab15b8a6f7873ab9d520ad5c32142ec033dfe2/net/data/verify_certificate_chain_unittest/expired-target.pem
[modify] https://crrev.com/82ab15b8a6f7873ab9d520ad5c32142ec033dfe2/net/data/verify_certificate_chain_unittest/generate-basic-constraints-pathlen-0-self-issued.py
[modify] https://crrev.com/82ab15b8a6f7873ab9d520ad5c32142ec033dfe2/net/data/verify_certificate_chain_unittest/generate-expired-intermediate.py
[modify] https://crrev.com/82ab15b8a6f7873ab9d520ad5c32142ec033dfe2/net/data/verify_certificate_chain_unittest/generate-expired-root.py
[modify] https://crrev.com/82ab15b8a6f7873ab9d520ad5c32142ec033dfe2/net/data/verify_certificate_chain_unittest/generate-expired-target-notBefore.py
[modify] https://crrev.com/82ab15b8a6f7873ab9d520ad5c32142ec033dfe2/net/data/verify_certificate_chain_unittest/generate-expired-target.py
[modify] https://crrev.com/82ab15b8a6f7873ab9d520ad5c32142ec033dfe2/net/data/verify_certificate_chain_unittest/generate-intermediate-basic-constraints-ca-false.py
[modify] https://crrev.com/82ab15b8a6f7873ab9d520ad5c32142ec033dfe2/net/data/verify_certificate_chain_unittest/generate-intermediate-basic-constraints-not-critical.py
[modify] https://crrev.com/82ab15b8a6f7873ab9d520ad5c32142ec033dfe2/net/data/verify_certificate_chain_unittest/generate-intermediate-lacks-basic-constraints.py
[modify] https://crrev.com/82ab15b8a6f7873ab9d520ad5c32142ec033dfe2/net/data/verify_certificate_chain_unittest/generate-intermediate-lacks-signing-key-usage.py
[modify] https://crrev.com/82ab15b8a6f7873ab9d520ad5c32142ec033dfe2/net/data/verify_certificate_chain_unittest/generate-intermediate-signed-with-md5.py
[modify] https://crrev.com/82ab15b8a6f7873ab9d520ad5c32142ec033dfe2/net/data/verify_certificate_chain_unittest/generate-intermediate-unknown-critical-extension.py
[modify] https://crrev.com/82ab15b8a6f7873ab9d520ad5c32142ec033dfe2/net/data/verify_certificate_chain_unittest/generate-intermediate-unknown-non-critical-extension.py
[modify] https://crrev.com/82ab15b8a6f7873ab9d520ad5c32142ec033dfe2/net/data/verify_certificate_chain_unittest/generate-key-rollover.py
[modify] https://crrev.com/82ab15b8a6f7873ab9d520ad5c32142ec033dfe2/net/data/verify_certificate_chain_unittest/generate-non-self-signed-root.py
[modify] https://crrev.com/82ab15b8a6f7873ab9d520ad5c32142ec033dfe2/net/data/verify_certificate_chain_unittest/generate-target-and-intermediate.py
[modify] https://crrev.com/82ab15b8a6f7873ab9d520ad5c32142ec033dfe2/net/data/verify_certificate_chain_unittest/generate-target-has-keycertsign-but-not-ca.py
[modify] https://crrev.com/82ab15b8a6f7873ab9d520ad5c32142ec033dfe2/net/data/verify_certificate_chain_unittest/generate-target-has-pathlen-but-not-ca.py
[modify] https://crrev.com/82ab15b8a6f7873ab9d520ad5c32142ec033dfe2/net/data/verify_certificate_chain_unittest/generate-target-not-end-entity.py
[modify] https://crrev.com/82ab15b8a6f7873ab9d520ad5c32142ec033dfe2/net/data/verify_certificate_chain_unittest/generate-target-signed-by-512bit-rsa.py
[modify] https://crrev.com/82ab15b8a6f7873ab9d520ad5c32142ec033dfe2/net/data/verify_certificate_chain_unittest/generate-target-signed-using-ecdsa.py
[modify] https://crrev.com/82ab15b8a6f7873ab9d520ad5c32142ec033dfe2/net/data/verify_certificate_chain_unittest/generate-target-signed-with-md5.py
[modify] https://crrev.com/82ab15b8a6f7873ab9d520ad5c32142ec033dfe2/net/data/verify_certificate_chain_unittest/generate-target-unknown-critical-extension.py
[modify] https://crrev.com/82ab15b8a6f7873ab9d520ad5c32142ec033dfe2/net/data/verify_certificate_chain_unittest/generate-target-wrong-signature.py
[modify] https://crrev.com/82ab15b8a6f7873ab9d520ad5c32142ec033dfe2/net/data/verify_certificate_chain_unittest/generate-unknown-root.py
[modify] https://crrev.com/82ab15b8a6f7873ab9d520ad5c32142ec033dfe2/net/data/verify_certificate_chain_unittest/generate-violates-basic-constraints-pathlen-0.py
[modify] https://crrev.com/82ab15b8a6f7873ab9d520ad5c32142ec033dfe2/net/data/verify_certificate_chain_unittest/generate-violates-pathlen-1-root.py
[modify] https://crrev.com/82ab15b8a6f7873ab9d520ad5c32142ec033dfe2/net/data/verify_certificate_chain_unittest/intermediate-basic-constraints-ca-false.pem
[modify] https://crrev.com/82ab15b8a6f7873ab9d520ad5c32142ec033dfe2/net/data/verify_certificate_chain_unittest/intermediate-basic-constraints-not-critical.pem
[modify] https://crrev.com/82ab15b8a6f7873ab9d520ad5c32142ec033dfe2/net/data/verify_certificate_chain_unittest/intermediate-lacks-basic-constraints.pem
[modify] https://crrev.com/82ab15b8a6f7873ab9d520ad5c32142ec033dfe2/net/data/verify_certificate_chain_unittest/intermediate-lacks-signing-key-usage.pem
[modify] https://crrev.com/82ab15b8a6f7873ab9d520ad5c32142ec033dfe2/net/data/verify_certificate_chain_unittest/intermediate-signed-with-md5.pem
[modify] https://crrev.com/82ab15b8a6f7873ab9d520ad5c32142ec033dfe2/net/data/verify_certificate_chain_unittest/intermediate-unknown-critical-extension.pem
[modify] https://crrev.com/82ab15b8a6f7873ab9d520ad5c32142ec033dfe2/net/data/verify_certificate_chain_unittest/intermediate-unknown-non-critical-extension.pem
[modify] https://crrev.com/82ab15b8a6f7873ab9d520ad5c32142ec033dfe2/net/data/verify_certificate_chain_unittest/issuer-and-subject-not-byte-for-byte-equal-anchor.pem
[modify] https://crrev.com/82ab15b8a6f7873ab9d520ad5c32142ec033dfe2/net/data/verify_certificate_chain_unittest/issuer-and-subject-not-byte-for-byte-equal.pem
[modify] https://crrev.com/82ab15b8a6f7873ab9d520ad5c32142ec033dfe2/net/data/verify_certificate_chain_unittest/key-rollover-longrolloverchain.pem
[modify] https://crrev.com/82ab15b8a6f7873ab9d520ad5c32142ec033dfe2/net/data/verify_certificate_chain_unittest/key-rollover-newchain.pem
[modify] https://crrev.com/82ab15b8a6f7873ab9d520ad5c32142ec033dfe2/net/data/verify_certificate_chain_unittest/key-rollover-oldchain.pem
[modify] https://crrev.com/82ab15b8a6f7873ab9d520ad5c32142ec033dfe2/net/data/verify_certificate_chain_unittest/key-rollover-rolloverchain.pem
[modify] https://crrev.com/82ab15b8a6f7873ab9d520ad5c32142ec033dfe2/net/data/verify_certificate_chain_unittest/non-self-signed-root.pem
[modify] https://crrev.com/82ab15b8a6f7873ab9d520ad5c32142ec033dfe2/net/data/verify_certificate_chain_unittest/target-and-intermediate.pem
[modify] https://crrev.com/82ab15b8a6f7873ab9d520ad5c32142ec033dfe2/net/data/verify_certificate_chain_unittest/target-has-keycertsign-but-not-ca.pem
[modify] https://crrev.com/82ab15b8a6f7873ab9d520ad5c32142ec033dfe2/net/data/verify_certificate_chain_unittest/target-has-pathlen-but-not-ca.pem
[modify] https://crrev.com/82ab15b8a6f7873ab9d520ad5c32142ec033dfe2/net/data/verify_certificate_chain_unittest/target-not-end-entity.pem
[modify] https://crrev.com/82ab15b8a6f7873ab9d520ad5c32142ec033dfe2/net/data/verify_certificate_chain_unittest/target-signed-by-512bit-rsa.pem
[modify] https://crrev.com/82ab15b8a6f7873ab9d520ad5c32142ec033dfe2/net/data/verify_certificate_chain_unittest/target-signed-using-ecdsa.pem
[modify] https://crrev.com/82ab15b8a6f7873ab9d520ad5c32142ec033dfe2/net/data/verify_certificate_chain_unittest/target-signed-with-md5.pem
[modify] https://crrev.com/82ab15b8a6f7873ab9d520ad5c32142ec033dfe2/net/data/verify_certificate_chain_unittest/target-unknown-critical-extension.pem
[modify] https://crrev.com/82ab15b8a6f7873ab9d520ad5c32142ec033dfe2/net/data/verify_certificate_chain_unittest/target-wrong-signature.pem
[modify] https://crrev.com/82ab15b8a6f7873ab9d520ad5c32142ec033dfe2/net/data/verify_certificate_chain_unittest/unknown-root.pem
[modify] https://crrev.com/82ab15b8a6f7873ab9d520ad5c32142ec033dfe2/net/data/verify_certificate_chain_unittest/violates-basic-constraints-pathlen-0.pem
[modify] https://crrev.com/82ab15b8a6f7873ab9d520ad5c32142ec033dfe2/net/data/verify_certificate_chain_unittest/violates-pathlen-1-root.pem

Comment 3 by eroman@chromium.org, Aug 16 2016

Status: Started (was: Assigned)
https://codereview.chromium.org/2245643004/
Project Member

Comment 4 by bugdroid1@chromium.org, Aug 17 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/7f781f34f09fe2f3c5117f71de47e38d9bb59bad

commit 7f781f34f09fe2f3c5117f71de47e38d9bb59bad
Author: eroman <eroman@chromium.org>
Date: Wed Aug 17 00:51:47 2016

Support trust anchor constraints, by specifying them as a certificate.

BUG=635200,410574

Review-Url: https://codereview.chromium.org/2245643004
Cr-Commit-Position: refs/heads/master@{#412402}

[modify] https://crrev.com/7f781f34f09fe2f3c5117f71de47e38d9bb59bad/net/cert/internal/test_helpers.cc
[modify] https://crrev.com/7f781f34f09fe2f3c5117f71de47e38d9bb59bad/net/cert/internal/trust_store.cc
[modify] https://crrev.com/7f781f34f09fe2f3c5117f71de47e38d9bb59bad/net/cert/internal/trust_store.h
[modify] https://crrev.com/7f781f34f09fe2f3c5117f71de47e38d9bb59bad/net/cert/internal/verify_certificate_chain.cc
[modify] https://crrev.com/7f781f34f09fe2f3c5117f71de47e38d9bb59bad/net/cert/internal/verify_certificate_chain_typed_unittest.h
[add] https://crrev.com/7f781f34f09fe2f3c5117f71de47e38d9bb59bad/net/data/verify_certificate_chain_unittest/constrained-non-self-signed-root.pem
[add] https://crrev.com/7f781f34f09fe2f3c5117f71de47e38d9bb59bad/net/data/verify_certificate_chain_unittest/constrained-root-basic-constraints-ca-false.pem
[add] https://crrev.com/7f781f34f09fe2f3c5117f71de47e38d9bb59bad/net/data/verify_certificate_chain_unittest/constrained-root-lacks-basic-constraints.pem
[add] https://crrev.com/7f781f34f09fe2f3c5117f71de47e38d9bb59bad/net/data/verify_certificate_chain_unittest/expired-constrained-root.pem
[rename] https://crrev.com/7f781f34f09fe2f3c5117f71de47e38d9bb59bad/net/data/verify_certificate_chain_unittest/expired-unconstrained-root.pem
[add] https://crrev.com/7f781f34f09fe2f3c5117f71de47e38d9bb59bad/net/data/verify_certificate_chain_unittest/generate-constrained-non-self-signed-root.py
[add] https://crrev.com/7f781f34f09fe2f3c5117f71de47e38d9bb59bad/net/data/verify_certificate_chain_unittest/generate-constrained-root-basic-constraints-ca-false.py
[add] https://crrev.com/7f781f34f09fe2f3c5117f71de47e38d9bb59bad/net/data/verify_certificate_chain_unittest/generate-constrained-root-lacks-basic-constraints.py
[copy] https://crrev.com/7f781f34f09fe2f3c5117f71de47e38d9bb59bad/net/data/verify_certificate_chain_unittest/generate-expired-constrained-root.py
[rename] https://crrev.com/7f781f34f09fe2f3c5117f71de47e38d9bb59bad/net/data/verify_certificate_chain_unittest/generate-expired-unconstrained-root.py
[add] https://crrev.com/7f781f34f09fe2f3c5117f71de47e38d9bb59bad/net/data/verify_certificate_chain_unittest/generate-unconstrained-non-self-signed-root.py
[add] https://crrev.com/7f781f34f09fe2f3c5117f71de47e38d9bb59bad/net/data/verify_certificate_chain_unittest/generate-unconstrained-root-basic-constraints-ca-false.py
[add] https://crrev.com/7f781f34f09fe2f3c5117f71de47e38d9bb59bad/net/data/verify_certificate_chain_unittest/generate-unconstrained-root-lacks-basic-constraints.py
[copy] https://crrev.com/7f781f34f09fe2f3c5117f71de47e38d9bb59bad/net/data/verify_certificate_chain_unittest/generate-violates-pathlen-1-constrained-root.py
[rename] https://crrev.com/7f781f34f09fe2f3c5117f71de47e38d9bb59bad/net/data/verify_certificate_chain_unittest/generate-violates-pathlen-1-unconstrained-root.py
[add] https://crrev.com/7f781f34f09fe2f3c5117f71de47e38d9bb59bad/net/data/verify_certificate_chain_unittest/unconstrained-non-self-signed-root.pem
[add] https://crrev.com/7f781f34f09fe2f3c5117f71de47e38d9bb59bad/net/data/verify_certificate_chain_unittest/unconstrained-root-basic-constraints-ca-false.pem
[add] https://crrev.com/7f781f34f09fe2f3c5117f71de47e38d9bb59bad/net/data/verify_certificate_chain_unittest/unconstrained-root-lacks-basic-constraints.pem
[add] https://crrev.com/7f781f34f09fe2f3c5117f71de47e38d9bb59bad/net/data/verify_certificate_chain_unittest/violates-pathlen-1-constrained-root.pem
[rename] https://crrev.com/7f781f34f09fe2f3c5117f71de47e38d9bb59bad/net/data/verify_certificate_chain_unittest/violates-pathlen-1-unconstrained-root.pem
[modify] https://crrev.com/7f781f34f09fe2f3c5117f71de47e38d9bb59bad/net/net.gypi

Comment 6 by eroman@chromium.org, Aug 19 2016

Status: Fixed (was: Started)
