Need integration with system trust stores in order to verify certificates with PKI library.
(Matt is already working on this)
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c72913b94e4d44fb5b510b6f0e9e316c84004a9a

commit c72913b94e4d44fb5b510b6f0e9e316c84004a9a
Author: mattm <mattm@chromium.org>
Date: Mon Aug 22 21:36:36 2016

Make TrustStore into an interface, move impl to TrustStoreInMemory.

BUG=635203

Review-Url: https://codereview.chromium.org/2252933002
Cr-Commit-Position: refs/heads/master@{#413540}

[modify] https://crrev.com/c72913b94e4d44fb5b510b6f0e9e316c84004a9a/components/cast_certificate/cast_cert_validator.cc
[modify] https://crrev.com/c72913b94e4d44fb5b510b6f0e9e316c84004a9a/components/cast_certificate/cast_cert_validator_unittest.cc
[modify] https://crrev.com/c72913b94e4d44fb5b510b6f0e9e316c84004a9a/components/cast_certificate/cast_crl.cc
[modify] https://crrev.com/c72913b94e4d44fb5b510b6f0e9e316c84004a9a/components/cast_certificate/cast_crl_unittest.cc
[modify] https://crrev.com/c72913b94e4d44fb5b510b6f0e9e316c84004a9a/net/cert/internal/path_builder_pkits_unittest.cc
[modify] https://crrev.com/c72913b94e4d44fb5b510b6f0e9e316c84004a9a/net/cert/internal/path_builder_unittest.cc
[modify] https://crrev.com/c72913b94e4d44fb5b510b6f0e9e316c84004a9a/net/cert/internal/path_builder_verify_certificate_chain_unittest.cc
[modify] https://crrev.com/c72913b94e4d44fb5b510b6f0e9e316c84004a9a/net/cert/internal/trust_store.cc
[modify] https://crrev.com/c72913b94e4d44fb5b510b6f0e9e316c84004a9a/net/cert/internal/trust_store.h
[add] https://crrev.com/c72913b94e4d44fb5b510b6f0e9e316c84004a9a/net/cert/internal/trust_store_in_memory.cc
[add] https://crrev.com/c72913b94e4d44fb5b510b6f0e9e316c84004a9a/net/cert/internal/trust_store_in_memory.h
[modify] https://crrev.com/c72913b94e4d44fb5b510b6f0e9e316c84004a9a/net/net.gypi
[modify] https://crrev.com/c72913b94e4d44fb5b510b6f0e9e316c84004a9a/net/tools/cert_verify_tool/verify_using_path_builder.cc
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/9009fb22a7b7a80cb28164d0bef8d47daa2ef81e

commit 9009fb22a7b7a80cb28164d0bef8d47daa2ef81e
Author: mattm <mattm@chromium.org>
Date: Sat Aug 27 00:21:33 2016

Allow TrustStore queries to be asynchronous.

Also changes FindTrustAnchorsByNormalizedName to FindTrustAnchorsForCert, as some different implementations may do normalization differently. By passing in the target cert, the implementation can decide whether to use the pre-normalized issuer or the raw one.

BUG=635203

Review-Url: https://codereview.chromium.org/2266333002
Cr-Commit-Position: refs/heads/master@{#414875}

[modify] https://crrev.com/9009fb22a7b7a80cb28164d0bef8d47daa2ef81e/net/cert/internal/path_builder.cc
[modify] https://crrev.com/9009fb22a7b7a80cb28164d0bef8d47daa2ef81e/net/cert/internal/path_builder_unittest.cc
[modify] https://crrev.com/9009fb22a7b7a80cb28164d0bef8d47daa2ef81e/net/cert/internal/trust_store.cc
[modify] https://crrev.com/9009fb22a7b7a80cb28164d0bef8d47daa2ef81e/net/cert/internal/trust_store.h
[modify] https://crrev.com/9009fb22a7b7a80cb28164d0bef8d47daa2ef81e/net/cert/internal/trust_store_in_memory.cc
[modify] https://crrev.com/9009fb22a7b7a80cb28164d0bef8d47daa2ef81e/net/cert/internal/trust_store_in_memory.h
[add] https://crrev.com/9009fb22a7b7a80cb28164d0bef8d47daa2ef81e/net/cert/internal/trust_store_test_helpers.cc
[add] https://crrev.com/9009fb22a7b7a80cb28164d0bef8d47daa2ef81e/net/cert/internal/trust_store_test_helpers.h
[modify] https://crrev.com/9009fb22a7b7a80cb28164d0bef8d47daa2ef81e/net/net.gypi
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/9c63d444f0af74f7379839939412f5bd8341b590

commit 9c63d444f0af74f7379839939412f5bd8341b590
Author: mattm <mattm@chromium.org>
Date: Sat Sep 03 00:45:51 2016

Add TrustStoreNSS and TrustStoreCollection

BUG=635203

Review-Url: https://codereview.chromium.org/2272493002
Cr-Commit-Position: refs/heads/master@{#416417}

[modify] https://crrev.com/9c63d444f0af74f7379839939412f5bd8341b590/net/BUILD.gn
[modify] https://crrev.com/9c63d444f0af74f7379839939412f5bd8341b590/net/cert/internal/path_builder.cc
[modify] https://crrev.com/9c63d444f0af74f7379839939412f5bd8341b590/net/cert/internal/trust_store.h
[add] https://crrev.com/9c63d444f0af74f7379839939412f5bd8341b590/net/cert/internal/trust_store_collection.cc
[add] https://crrev.com/9c63d444f0af74f7379839939412f5bd8341b590/net/cert/internal/trust_store_collection.h
[add] https://crrev.com/9c63d444f0af74f7379839939412f5bd8341b590/net/cert/internal/trust_store_collection_unittest.cc
[modify] https://crrev.com/9c63d444f0af74f7379839939412f5bd8341b590/net/cert/internal/trust_store_in_memory.cc
[modify] https://crrev.com/9c63d444f0af74f7379839939412f5bd8341b590/net/cert/internal/trust_store_in_memory.h
[add] https://crrev.com/9c63d444f0af74f7379839939412f5bd8341b590/net/cert/internal/trust_store_nss.cc
[add] https://crrev.com/9c63d444f0af74f7379839939412f5bd8341b590/net/cert/internal/trust_store_nss.h
[add] https://crrev.com/9c63d444f0af74f7379839939412f5bd8341b590/net/cert/internal/trust_store_nss_unittest.cc
[modify] https://crrev.com/9c63d444f0af74f7379839939412f5bd8341b590/net/cert/internal/trust_store_test_helpers.cc
[modify] https://crrev.com/9c63d444f0af74f7379839939412f5bd8341b590/net/cert/internal/trust_store_test_helpers.h
[modify] https://crrev.com/9c63d444f0af74f7379839939412f5bd8341b590/net/net.gyp
[modify] https://crrev.com/9c63d444f0af74f7379839939412f5bd8341b590/net/net.gypi
[modify] https://crrev.com/9c63d444f0af74f7379839939412f5bd8341b590/net/tools/cert_verify_tool/verify_using_path_builder.cc
Should this be marked fixed now?
There are still some todos:
* Handling distrusted / blacklisted certs in NSS DB.
* Getting intermediates from NSS DB.
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4abbcdbf78201fd2f8447ba6934537770b99e4f1

commit 4abbcdbf78201fd2f8447ba6934537770b99e4f1
Author: mattm <mattm@chromium.org>
Date: Wed Nov 30 20:23:13 2016

pki library: Add CertIssuerSourceNSS that retrieves intermediate certs from NSS.

BUG=635203

Review-Url: https://codereview.chromium.org/2535733003
Cr-Commit-Position: refs/heads/master@{#435398}

[modify] https://crrev.com/4abbcdbf78201fd2f8447ba6934537770b99e4f1/net/BUILD.gn
[add] https://crrev.com/4abbcdbf78201fd2f8447ba6934537770b99e4f1/net/cert/internal/cert_issuer_source_nss.cc
[add] https://crrev.com/4abbcdbf78201fd2f8447ba6934537770b99e4f1/net/cert/internal/cert_issuer_source_nss.h
[add] https://crrev.com/4abbcdbf78201fd2f8447ba6934537770b99e4f1/net/cert/internal/cert_issuer_source_nss_unittest.cc
[modify] https://crrev.com/4abbcdbf78201fd2f8447ba6934537770b99e4f1/net/cert/internal/cert_issuer_source_static_unittest.cc
[add] https://crrev.com/4abbcdbf78201fd2f8447ba6934537770b99e4f1/net/cert/internal/cert_issuer_source_sync_unittest.h
[modify] https://crrev.com/4abbcdbf78201fd2f8447ba6934537770b99e4f1/net/cert/internal/trust_store_nss.h
[modify] https://crrev.com/4abbcdbf78201fd2f8447ba6934537770b99e4f1/net/data/cert_issuer_source_static_unittest/c1.pem
[modify] https://crrev.com/4abbcdbf78201fd2f8447ba6934537770b99e4f1/net/data/cert_issuer_source_static_unittest/c2.pem
[modify] https://crrev.com/4abbcdbf78201fd2f8447ba6934537770b99e4f1/net/data/cert_issuer_source_static_unittest/d.pem
[add] https://crrev.com/4abbcdbf78201fd2f8447ba6934537770b99e4f1/net/data/cert_issuer_source_static_unittest/e1.pem
[add] https://crrev.com/4abbcdbf78201fd2f8447ba6934537770b99e4f1/net/data/cert_issuer_source_static_unittest/e2.pem
[modify] https://crrev.com/4abbcdbf78201fd2f8447ba6934537770b99e4f1/net/data/cert_issuer_source_static_unittest/generate-certs.py
[modify] https://crrev.com/4abbcdbf78201fd2f8447ba6934537770b99e4f1/net/data/cert_issuer_source_static_unittest/i1_1.pem
[modify] https://crrev.com/4abbcdbf78201fd2f8447ba6934537770b99e4f1/net/data/cert_issuer_source_static_unittest/i1_2.pem
[modify] https://crrev.com/4abbcdbf78201fd2f8447ba6934537770b99e4f1/net/data/cert_issuer_source_static_unittest/i2.pem
[add] https://crrev.com/4abbcdbf78201fd2f8447ba6934537770b99e4f1/net/data/cert_issuer_source_static_unittest/i3_1.pem
[add] https://crrev.com/4abbcdbf78201fd2f8447ba6934537770b99e4f1/net/data/cert_issuer_source_static_unittest/i3_2.pem
[modify] https://crrev.com/4abbcdbf78201fd2f8447ba6934537770b99e4f1/net/data/cert_issuer_source_static_unittest/root.pem
[modify] https://crrev.com/4abbcdbf78201fd2f8447ba6934537770b99e4f1/net/net.gypi
[modify] https://crrev.com/4abbcdbf78201fd2f8447ba6934537770b99e4f1/net/tools/cert_verify_tool/verify_using_path_builder.cc
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/98a833ee0012c2f47c241237bfcb724d32da7a11

commit 98a833ee0012c2f47c241237bfcb724d32da7a11
Author: Matt Mueller <mattm@chromium.org>
Date: Wed Sep 27 02:39:41 2017

pki library: handle distrusted status in TrustStoreNSS

Bug: 635203
Change-Id: I4ad779cd5ad37b9bce3f88b3be294a0bb36d356a
Reviewed-on: https://chromium-review.googlesource.com/685996
Reviewed-by: Eric Roman <eroman@chromium.org>
Commit-Queue: Matt Mueller <mattm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#504554}

[modify] https://crrev.com/98a833ee0012c2f47c241237bfcb724d32da7a11/net/cert/internal/trust_store_nss.cc
[modify] https://crrev.com/98a833ee0012c2f47c241237bfcb724d32da7a11/net/cert/internal/trust_store_nss_unittest.cc
I believe this was only left open due to not handling the "peer trust" bit, but we decided not to support that (see issue 814994). Closing.
Comment 1 by eroman@chromium.org, Aug 6 2016
Status: Assigned (was: Untriaged)