
Issue 649017

Starred by 5 users

Issue metadata

Status: Fixed
Owner:
Closed: Oct 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug

Blocking:
issue 410574
issue 649026




[PKI library] Integrate the new path building with CertVerifier (so it can be used in Chrome)

Project Member Reported by eroman@chromium.org, Sep 21 2016

Issue description

At a high level, Chrome uses the CertVerifier interface (async) for certificate verification, but all the platform-specific implementations are connected through CertVerifierProc (sync).

This poses a complication in that the new path building code is asynchronous, so a drop-in CertVerifierProc (sync) for it is not appropriate.

The obvious integration point then would be to create a new CertVerifier for the new path builder, and forego MultiThreadedCertVerifier. That will mean hoisting out the logic that currently lives in CertVerifierProc which should be common to both, such as:

* Certificate blacklists/whitelists (i.e. CNNIC)
* Histograms around key sizes
* Baseline requirement restrictions on validity times
* Checking weak keys in chain
 

Comment 1 by eroman@chromium.org, Sep 21 2016

Blocking: 649026
For what it's worth, I'm not sure the complexity costs of trying to abstract this logic in a way befitting to both exceed the complexity costs of duplicating the logic.

That is, from a refactoring standpoint, it doesn't seem to rise to the Rule of Three (refactor once you've implemented 3 times), and I'm not sure the risks (of losing sync between the two) are sufficiently great.

I'd be more inclined to KISS by not refactoring that logic out (but duplicating it), and then seeing as time evolves what the issues are, rather than taking it as an up-front refactoring. My experience with some of these up-front extractions is that we end up adding more complexity (from having to satisfy two consumers that are similar-but-different) than we save. But it's entirely possible I'm rather wrong here.

Comment 3 by eroman@chromium.org, Sep 21 2016

There is a lot of code in cert_verify_proc.cc:

https://cs.chromium.org/chromium/src/net/cert/cert_verify_proc.cc?sq=package:chromium

There is no need to copy this for the new implementation. Extracting it shouldn't hurt readability or generality, it is mostly just simple functions operating on inputs.

I think it would be a mistake to try and duplicate this code, especially since it is quite relevant to our security policies (wouldn't want the two to diverge).

What is your concern with making that code available to be called by the other integration point?

Comment 4 by eroman@chromium.org, Sep 21 2016

As a concrete example consider IsPastSHA1DeprecationDate() [1]

I would argue for code health we should not be duplicating this policy across files.

I am in agreement that some of the ways in which these are integrated in CertVerifyProc needn't be fully extracted (for instance how we handle SHA1 will be part of SignaturePolicy), however I think we should leverage sharing the lower-level functions where we can.

[1]

https://cs.chromium.org/chromium/src/net/cert/cert_verify_proc.cc?sq=package:chromium&rcl=1474442403&l=178
The choices of CertVerifyProc::Verify vs VerifyInternal are dictated by the constraints of the OS integration. Those constraints don't apply with regards to the new code.

I agree we don't want the two to diverge; however, I'm suggesting that the risk of divergence is, I believe, less than the overhead involved with abstracting that code.

1) IsBlacklisted and IsPublicKeyBlacklisted - should really be integrated into the CRLSet code; I'll try to find the bug I filed for it, but I don't think our pre-or-post blacklisting from CertVerifyProc::Verify() should exist long-term, but moved into the notion of a 'base' CRLSet
2) CheckOCSP - Should be part of the general path-building. I agree this makes sense to extract
3) Weak key logic - Should all be part of general path-building signature policy. It exists here precisely because we can't tell the OS we're not interested in these algorithms in the first place.
4) CA/B Forum BR policies - This is about non-unique hostnames and too-long validity. I would think this would be extracted into the policy verification logic we discussed.

I think IsPastSHA1DeprecationDate is something that we wouldn't want to extract. I think that's actually something we want as part of the signature policy as to whether we accept a signature. The dependency on X509Certificate is not something we'd want to spread with the new library; I would think instead we'd want to supply the validity period. In that sense, I'm specifically arguing we should be duplicating that policy across files, precisely because it's a fixed policy and constant.

Comment 6 by eroman@chromium.org, Sep 21 2016

Thanks for the feedback Ryan!

We will thoughtfully pick which parts to share and which to duplicate; I will make a note of the areas you have highlighted, and be sure to include you in the reviews.

I am also keen on trying to share as much as possible of cert_verify_proc_unittest.cc. So at a minimum we can have a common set of tests, even if the underlying implementation for some logic/policies ends up duplicated.

Comment 7 by eroman@chromium.org, Oct 13 2016

Owner: eroman@chromium.org
Status: Assigned (was: Available)
Project Member

Comment 8 by bugdroid1@chromium.org, Nov 28 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/994db999829331ea3b982d9c9ec469fde22de21d

commit 994db999829331ea3b982d9c9ec469fde22de21d
Author: eroman <eroman@chromium.org>
Date: Mon Nov 28 23:23:33 2016

Remove dependence on a message loop for net::PathBuilder.

 * Path building now can only complete synchronously
 * Access to trust store is done synchronously
 * The network dependencies (AIA fetching) will block the thread

BUG= 649017 

Review-Url: https://codereview.chromium.org/2453093004
Cr-Commit-Position: refs/heads/master@{#434769}

[modify] https://crrev.com/994db999829331ea3b982d9c9ec469fde22de21d/components/cast_certificate/cast_cert_validator.cc
[modify] https://crrev.com/994db999829331ea3b982d9c9ec469fde22de21d/components/cast_certificate/cast_crl.cc
[modify] https://crrev.com/994db999829331ea3b982d9c9ec469fde22de21d/net/cert/cert_net_fetcher.h
[modify] https://crrev.com/994db999829331ea3b982d9c9ec469fde22de21d/net/cert/internal/cert_issuer_source.h
[modify] https://crrev.com/994db999829331ea3b982d9c9ec469fde22de21d/net/cert/internal/cert_issuer_source_aia.cc
[modify] https://crrev.com/994db999829331ea3b982d9c9ec469fde22de21d/net/cert/internal/cert_issuer_source_aia.h
[modify] https://crrev.com/994db999829331ea3b982d9c9ec469fde22de21d/net/cert/internal/cert_issuer_source_aia_unittest.cc
[modify] https://crrev.com/994db999829331ea3b982d9c9ec469fde22de21d/net/cert/internal/cert_issuer_source_static.cc
[modify] https://crrev.com/994db999829331ea3b982d9c9ec469fde22de21d/net/cert/internal/cert_issuer_source_static.h
[modify] https://crrev.com/994db999829331ea3b982d9c9ec469fde22de21d/net/cert/internal/cert_issuer_source_static_unittest.cc
[delete] https://crrev.com/51bd862726d0e4e66afbb5fac91eab02c6260060/net/cert/internal/completion_status.h
[modify] https://crrev.com/994db999829331ea3b982d9c9ec469fde22de21d/net/cert/internal/path_builder.cc
[modify] https://crrev.com/994db999829331ea3b982d9c9ec469fde22de21d/net/cert/internal/path_builder.h
[modify] https://crrev.com/994db999829331ea3b982d9c9ec469fde22de21d/net/cert/internal/path_builder_pkits_unittest.cc
[modify] https://crrev.com/994db999829331ea3b982d9c9ec469fde22de21d/net/cert/internal/path_builder_unittest.cc
[modify] https://crrev.com/994db999829331ea3b982d9c9ec469fde22de21d/net/cert/internal/path_builder_verify_certificate_chain_unittest.cc
[modify] https://crrev.com/994db999829331ea3b982d9c9ec469fde22de21d/net/cert/internal/trust_store.cc
[modify] https://crrev.com/994db999829331ea3b982d9c9ec469fde22de21d/net/cert/internal/trust_store.h
[modify] https://crrev.com/994db999829331ea3b982d9c9ec469fde22de21d/net/cert/internal/trust_store_collection.cc
[modify] https://crrev.com/994db999829331ea3b982d9c9ec469fde22de21d/net/cert/internal/trust_store_collection.h
[modify] https://crrev.com/994db999829331ea3b982d9c9ec469fde22de21d/net/cert/internal/trust_store_collection_unittest.cc
[modify] https://crrev.com/994db999829331ea3b982d9c9ec469fde22de21d/net/cert/internal/trust_store_in_memory.cc
[modify] https://crrev.com/994db999829331ea3b982d9c9ec469fde22de21d/net/cert/internal/trust_store_in_memory.h
[modify] https://crrev.com/994db999829331ea3b982d9c9ec469fde22de21d/net/cert/internal/trust_store_nss.cc
[modify] https://crrev.com/994db999829331ea3b982d9c9ec469fde22de21d/net/cert/internal/trust_store_nss.h
[modify] https://crrev.com/994db999829331ea3b982d9c9ec469fde22de21d/net/cert/internal/trust_store_nss_unittest.cc
[delete] https://crrev.com/51bd862726d0e4e66afbb5fac91eab02c6260060/net/cert/internal/trust_store_test_helpers.cc
[delete] https://crrev.com/51bd862726d0e4e66afbb5fac91eab02c6260060/net/cert/internal/trust_store_test_helpers.h
[modify] https://crrev.com/994db999829331ea3b982d9c9ec469fde22de21d/net/cert_net/cert_net_fetcher_impl.cc
[modify] https://crrev.com/994db999829331ea3b982d9c9ec469fde22de21d/net/cert_net/cert_net_fetcher_impl.h
[modify] https://crrev.com/994db999829331ea3b982d9c9ec469fde22de21d/net/cert_net/cert_net_fetcher_impl_unittest.cc
[modify] https://crrev.com/994db999829331ea3b982d9c9ec469fde22de21d/net/net.gypi
[modify] https://crrev.com/994db999829331ea3b982d9c9ec469fde22de21d/net/tools/cert_verify_tool/cert_verify_tool.cc
[modify] https://crrev.com/994db999829331ea3b982d9c9ec469fde22de21d/net/tools/cert_verify_tool/verify_using_path_builder.cc

Project Member

Comment 9 by bugdroid1@chromium.org, Jan 6 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b28b2b66578c862d563727cc3f30cf84aae942f0

commit b28b2b66578c862d563727cc3f30cf84aae942f0
Author: eroman <eroman@chromium.org>
Date: Fri Jan 06 01:44:02 2017

[refactor] Extract the CertVerifyResult assignment of has_md2, has_md4,
has_md5, has_sha1, has_sha1_leaf to a helper function.

This change is a prelude to simplifying the
CertVerifyProcWeakDigestTest tests.

BUG= 649017 

Review-Url: https://codereview.chromium.org/2610903003
Cr-Commit-Position: refs/heads/master@{#441801}

[modify] https://crrev.com/b28b2b66578c862d563727cc3f30cf84aae942f0/net/cert/cert_verify_proc.cc
[modify] https://crrev.com/b28b2b66578c862d563727cc3f30cf84aae942f0/net/cert/cert_verify_proc.h
[modify] https://crrev.com/b28b2b66578c862d563727cc3f30cf84aae942f0/net/cert/cert_verify_proc_android.cc
[modify] https://crrev.com/b28b2b66578c862d563727cc3f30cf84aae942f0/net/cert/cert_verify_proc_ios.cc
[modify] https://crrev.com/b28b2b66578c862d563727cc3f30cf84aae942f0/net/cert/cert_verify_proc_mac.cc
[modify] https://crrev.com/b28b2b66578c862d563727cc3f30cf84aae942f0/net/cert/cert_verify_proc_nss.cc
[modify] https://crrev.com/b28b2b66578c862d563727cc3f30cf84aae942f0/net/cert/cert_verify_proc_openssl.cc
[modify] https://crrev.com/b28b2b66578c862d563727cc3f30cf84aae942f0/net/cert/cert_verify_proc_win.cc
[modify] https://crrev.com/b28b2b66578c862d563727cc3f30cf84aae942f0/net/cert/x509_certificate.h
[modify] https://crrev.com/b28b2b66578c862d563727cc3f30cf84aae942f0/net/cert/x509_certificate_ios.cc
[modify] https://crrev.com/b28b2b66578c862d563727cc3f30cf84aae942f0/net/cert/x509_certificate_mac.cc
[modify] https://crrev.com/b28b2b66578c862d563727cc3f30cf84aae942f0/net/cert/x509_certificate_nss.cc
[modify] https://crrev.com/b28b2b66578c862d563727cc3f30cf84aae942f0/net/cert/x509_certificate_openssl.cc
[modify] https://crrev.com/b28b2b66578c862d563727cc3f30cf84aae942f0/net/cert/x509_certificate_win.cc

Project Member

Comment 10 by bugdroid1@chromium.org, Jan 10 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/accb81312b4555356dd49253d156e4a8b9eac784

commit accb81312b4555356dd49253d156e4a8b9eac784
Author: eroman <eroman@chromium.org>
Date: Tue Jan 10 07:13:11 2017

Refactor the assignment of CertVerifyResult::has_md2, etc.

This allows unconditionally enabling the tests in
cert_verify_proc_unittest.cc,

Previously the assignment of weak hash algorithms was done by each
CertVerifyProc::VerifyInternal() implementation, whereas now it is
done internally by CertVerifyProc::Verify() after VerifyInternal() has
run.

The downside to this approach is that at this layer there is ambiguity
as to which certificates are trusted and hence should be skipped for
determining if the chain contains weak hash algorithms.

This ambiguity results in some differences in the reporting of
"has_md2", "has_md4", "has_md5", "hash_sha1", "has_sha1_leaf" when
verification has failed (The final intermediate is assumed to be the
trust anchor and is skipped).

BUG= 649017 

Review-Url: https://codereview.chromium.org/2627523002
Cr-Commit-Position: refs/heads/master@{#442522}

[modify] https://crrev.com/accb81312b4555356dd49253d156e4a8b9eac784/net/cert/cert_verify_proc.cc
[modify] https://crrev.com/accb81312b4555356dd49253d156e4a8b9eac784/net/cert/cert_verify_proc.h
[modify] https://crrev.com/accb81312b4555356dd49253d156e4a8b9eac784/net/cert/cert_verify_proc_android.cc
[modify] https://crrev.com/accb81312b4555356dd49253d156e4a8b9eac784/net/cert/cert_verify_proc_ios.cc
[modify] https://crrev.com/accb81312b4555356dd49253d156e4a8b9eac784/net/cert/cert_verify_proc_mac.cc
[modify] https://crrev.com/accb81312b4555356dd49253d156e4a8b9eac784/net/cert/cert_verify_proc_nss.cc
[modify] https://crrev.com/accb81312b4555356dd49253d156e4a8b9eac784/net/cert/cert_verify_proc_openssl.cc
[modify] https://crrev.com/accb81312b4555356dd49253d156e4a8b9eac784/net/cert/cert_verify_proc_unittest.cc
[modify] https://crrev.com/accb81312b4555356dd49253d156e4a8b9eac784/net/cert/cert_verify_proc_win.cc
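
The skipping rule described in the commit message of comment 10, as an added example that is not Chromium's code: it shows why the flags differ between a verified chain and a failed one. The `Digest` enum, `ComputeWeakDigestFlags()` and the two sample chains are assumptions made for illustration; a chain is modeled only as the list of digest algorithms used in each certificate's signature, leaf first.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Digest used in a certificate's signature (simplified model, hypothetical).
enum class Digest { kMd2, kMd4, kMd5, kSha1, kSha256 };

// Field names follow the flags named in the commit message.
struct WeakDigestFlags {
  bool has_md2 = false;
  bool has_md4 = false;
  bool has_md5 = false;
  bool has_sha1 = false;
  bool has_sha1_leaf = false;
};

// |chain| is ordered leaf first. At this layer nothing says which certificate
// is trusted, so the last certificate after the leaf is assumed to be the
// trust anchor and its signature is not examined.
WeakDigestFlags ComputeWeakDigestFlags(const std::vector<Digest>& chain) {
  WeakDigestFlags flags;
  for (std::size_t i = 0; i < chain.size(); ++i) {
    const bool is_leaf = (i == 0);
    const bool is_assumed_anchor = !is_leaf && (i + 1 == chain.size());
    if (is_assumed_anchor)
      continue;
    switch (chain[i]) {
      case Digest::kMd2:
        flags.has_md2 = true;
        break;
      case Digest::kMd4:
        flags.has_md4 = true;
        break;
      case Digest::kMd5:
        flags.has_md5 = true;
        break;
      case Digest::kSha1:
        flags.has_sha1 = true;
        if (is_leaf)
          flags.has_sha1_leaf = true;
        break;
      case Digest::kSha256:
        break;
    }
  }
  return flags;
}

// Constructed sample: verification succeeded, the last entry really is the
// root, and its MD5 self-signature is irrelevant to the chain's strength.
std::vector<Digest> VerifiedChain() {
  return {Digest::kSha256, Digest::kSha1, Digest::kMd5};
}

// Constructed sample: verification failed because no trust anchor was found.
// The last entry is an untrusted MD5-signed intermediate, yet it is skipped
// exactly like a root would be.
std::vector<Digest> FailedChain() {
  return {Digest::kSha1, Digest::kSha256, Digest::kMd5};
}

int main() {
  const WeakDigestFlags ok = ComputeWeakDigestFlags(VerifiedChain());
  const WeakDigestFlags bad = ComputeWeakDigestFlags(FailedChain());
  std::printf("verified: has_sha1=%d has_md5=%d has_sha1_leaf=%d\n",
              ok.has_sha1, ok.has_md5, ok.has_sha1_leaf);
  std::printf("failed:   has_sha1=%d has_md5=%d has_sha1_leaf=%d\n",
              bad.has_sha1, bad.has_md5, bad.has_sha1_leaf);
  return 0;
}
```

For the failed chain `has_md5` stays false even though an untrusted MD5-signed certificate is present, which is the reporting difference the commit message calls out.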

Project Member

Comment 11 by bugdroid1@chromium.org, Jan 12 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/19f85676701186e6ac1de7c625fffcab4a83d701

commit 19f85676701186e6ac1de7c625fffcab4a83d701
Author: eroman <eroman@chromium.org>
Date: Thu Jan 12 08:20:14 2017

Re-enable the omitted tests in path_builder_unittest.cc.

This also fixes a problem introduced by
994db999829331ea3b982d9c9ec469fde22de21d.

BUG= 649017 

Review-Url: https://codereview.chromium.org/2597003002
Cr-Commit-Position: refs/heads/master@{#443184}

[modify] https://crrev.com/19f85676701186e6ac1de7c625fffcab4a83d701/net/cert/internal/path_builder.cc
[modify] https://crrev.com/19f85676701186e6ac1de7c625fffcab4a83d701/net/cert/internal/path_builder_unittest.cc

Project Member

Comment 12 by bugdroid1@chromium.org, Feb 3 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/a51779b5e41d1d8e1498e8dc10d4795b5988515f

commit a51779b5e41d1d8e1498e8dc10d4795b5988515f
Author: eroman <eroman@chromium.org>
Date: Fri Feb 03 22:10:14 2017

Parameterize the CertVerifyProc tests so they can be run with
implementations other than CertVerifyProc::CreateDefault().

BUG= 649017 

Review-Url: https://codereview.chromium.org/2629093002
Cr-Commit-Position: refs/heads/master@{#448086}

[modify] https://crrev.com/a51779b5e41d1d8e1498e8dc10d4795b5988515f/net/cert/cert_verify_proc_unittest.cc

Project Member

Comment 14 by bugdroid1@chromium.org, Mar 16 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/8ccd62d4dadcfbef51508e3b57615140faa8739b

commit 8ccd62d4dadcfbef51508e3b57615140faa8739b
Author: eroman <eroman@chromium.org>
Date: Thu Mar 16 23:54:26 2017

Add initial CertVerifyProcBuiltin.

This is an implementation of CertVerifyProc that uses the Chromium PathBuilder to validate certificates.

This doesn't handle everything yet (and one of the tests is disabled).

BUG= 649017 

Review-Url: https://codereview.chromium.org/2755483008
Cr-Commit-Position: refs/heads/master@{#457613}

[modify] https://crrev.com/8ccd62d4dadcfbef51508e3b57615140faa8739b/net/BUILD.gn
[add] https://crrev.com/8ccd62d4dadcfbef51508e3b57615140faa8739b/net/cert/cert_verify_proc_builtin.cc
[add] https://crrev.com/8ccd62d4dadcfbef51508e3b57615140faa8739b/net/cert/cert_verify_proc_builtin.h
[modify] https://crrev.com/8ccd62d4dadcfbef51508e3b57615140faa8739b/net/cert/cert_verify_proc_unittest.cc
[modify] https://crrev.com/8ccd62d4dadcfbef51508e3b57615140faa8739b/net/cert/internal/cert_errors.cc
[modify] https://crrev.com/8ccd62d4dadcfbef51508e3b57615140faa8739b/net/cert/internal/cert_errors.h
[modify] https://crrev.com/8ccd62d4dadcfbef51508e3b57615140faa8739b/net/cert/internal/path_builder.h
[modify] https://crrev.com/8ccd62d4dadcfbef51508e3b57615140faa8739b/net/cert/internal/signature_policy.cc
[modify] https://crrev.com/8ccd62d4dadcfbef51508e3b57615140faa8739b/net/cert/internal/signature_policy.h
[modify] https://crrev.com/8ccd62d4dadcfbef51508e3b57615140faa8739b/net/cert/internal/trust_store_in_memory.cc
[modify] https://crrev.com/8ccd62d4dadcfbef51508e3b57615140faa8739b/net/cert/internal/trust_store_in_memory.h
[modify] https://crrev.com/8ccd62d4dadcfbef51508e3b57615140faa8739b/net/cert/internal/verify_certificate_chain.cc
[modify] https://crrev.com/8ccd62d4dadcfbef51508e3b57615140faa8739b/net/cert/internal/verify_certificate_chain.h

Project Member

Comment 15 by bugdroid1@chromium.org, Apr 19 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f628d6b4367d88b92e0bcf56886450e26ed58d55

commit f628d6b4367d88b92e0bcf56886450e26ed58d55
Author: eroman <eroman@chromium.org>
Date: Wed Apr 19 22:47:27 2017

[refactor] Extract the platform-specific TrustStore instantiations and
setup for path building.

Has the side-effect of adding the Mac trust store integration to
CertVerifyProcBuiltin (however doesn't enable the tests yet as some
more work needed).

BUG= 649017 

Review-Url: https://codereview.chromium.org/2829783002
Cr-Commit-Position: refs/heads/master@{#465794}

[modify] https://crrev.com/f628d6b4367d88b92e0bcf56886450e26ed58d55/net/BUILD.gn
[modify] https://crrev.com/f628d6b4367d88b92e0bcf56886450e26ed58d55/net/cert/cert_verify_proc_builtin.cc
[add] https://crrev.com/f628d6b4367d88b92e0bcf56886450e26ed58d55/net/cert/internal/system_trust_store.cc
[add] https://crrev.com/f628d6b4367d88b92e0bcf56886450e26ed58d55/net/cert/internal/system_trust_store.h
[modify] https://crrev.com/f628d6b4367d88b92e0bcf56886450e26ed58d55/net/tools/cert_verify_tool/verify_using_path_builder.cc

Project Member

Comment 16 by bugdroid1@chromium.org, Apr 20 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f2971fd2585293ba4b3731965b80a3e338806dab

commit f2971fd2585293ba4b3731965b80a3e338806dab
Author: eroman <eroman@chromium.org>
Date: Thu Apr 20 20:10:45 2017

Extract IsKnownRoot() functionality for testing if a certificate is a
standard root.

This way it can be re-used by the builtin cert verifier too.

BUG= 649017 

Review-Url: https://codereview.chromium.org/2833623002
Cr-Commit-Position: refs/heads/master@{#466100}

[modify] https://crrev.com/f2971fd2585293ba4b3731965b80a3e338806dab/net/BUILD.gn
[modify] https://crrev.com/f2971fd2585293ba4b3731965b80a3e338806dab/net/cert/cert_verify_proc_mac.cc
[modify] https://crrev.com/f2971fd2585293ba4b3731965b80a3e338806dab/net/cert/cert_verify_proc_nss.cc
[modify] https://crrev.com/f2971fd2585293ba4b3731965b80a3e338806dab/net/cert/cert_verify_proc_win.cc
[modify] https://crrev.com/f2971fd2585293ba4b3731965b80a3e338806dab/net/cert/internal/system_trust_store.cc
[add] https://crrev.com/f2971fd2585293ba4b3731965b80a3e338806dab/net/cert/known_roots_mac.cc
[add] https://crrev.com/f2971fd2585293ba4b3731965b80a3e338806dab/net/cert/known_roots_mac.h
[add] https://crrev.com/f2971fd2585293ba4b3731965b80a3e338806dab/net/cert/known_roots_nss.cc
[add] https://crrev.com/f2971fd2585293ba4b3731965b80a3e338806dab/net/cert/known_roots_nss.h
[add] https://crrev.com/f2971fd2585293ba4b3731965b80a3e338806dab/net/cert/known_roots_win.cc
[add] https://crrev.com/f2971fd2585293ba4b3731965b80a3e338806dab/net/cert/known_roots_win.h

Project Member

Comment 17 by bugdroid1@chromium.org, Apr 28 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/2a938c3d286c77d7b769a9b7dc31bab8a309d19b

commit 2a938c3d286c77d7b769a9b7dc31bab8a309d19b
Author: eroman <eroman@chromium.org>
Date: Fri Apr 28 23:16:58 2017

Allow the TrustStore interface to return matching intermediates, and identify distrusted certs.

* Make TrustStore implement CertIssuerSource
* Add a method for getting trust/distrust of a certificate
* Remove the TrustAnchor abstraction

All the integrations (including CertVerifyProc) required full certificates anyway, so TrustAnchor ended up being more of a hindrance than benefit.

BUG= 649017 
TBR=dougsteed@chromium.org

Review-Url: https://codereview.chromium.org/2832703002
Cr-Commit-Position: refs/heads/master@{#468175}

[modify] https://crrev.com/2a938c3d286c77d7b769a9b7dc31bab8a309d19b/components/cast_certificate/cast_cert_validator.cc
[modify] https://crrev.com/2a938c3d286c77d7b769a9b7dc31bab8a309d19b/components/cast_certificate/cast_cert_validator_test_helpers.cc
[modify] https://crrev.com/2a938c3d286c77d7b769a9b7dc31bab8a309d19b/components/cast_certificate/cast_cert_validator_unittest.cc
[modify] https://crrev.com/2a938c3d286c77d7b769a9b7dc31bab8a309d19b/components/cast_certificate/cast_crl.cc
[modify] https://crrev.com/2a938c3d286c77d7b769a9b7dc31bab8a309d19b/net/BUILD.gn
[modify] https://crrev.com/2a938c3d286c77d7b769a9b7dc31bab8a309d19b/net/cert/cert_verify_proc_builtin.cc
[modify] https://crrev.com/2a938c3d286c77d7b769a9b7dc31bab8a309d19b/net/cert/internal/cert_errors.cc
[delete] https://crrev.com/c731464f86c6a5c5c3f2b64890e04b38750896fc/net/cert/internal/cert_issuer_source_nss.cc
[delete] https://crrev.com/c731464f86c6a5c5c3f2b64890e04b38750896fc/net/cert/internal/cert_issuer_source_nss.h
[delete] https://crrev.com/c731464f86c6a5c5c3f2b64890e04b38750896fc/net/cert/internal/cert_issuer_source_nss_unittest.cc
[modify] https://crrev.com/2a938c3d286c77d7b769a9b7dc31bab8a309d19b/net/cert/internal/path_builder.cc
[modify] https://crrev.com/2a938c3d286c77d7b769a9b7dc31bab8a309d19b/net/cert/internal/path_builder.h
[modify] https://crrev.com/2a938c3d286c77d7b769a9b7dc31bab8a309d19b/net/cert/internal/path_builder_pkits_unittest.cc
[modify] https://crrev.com/2a938c3d286c77d7b769a9b7dc31bab8a309d19b/net/cert/internal/path_builder_unittest.cc
[modify] https://crrev.com/2a938c3d286c77d7b769a9b7dc31bab8a309d19b/net/cert/internal/path_builder_verify_certificate_chain_unittest.cc
[modify] https://crrev.com/2a938c3d286c77d7b769a9b7dc31bab8a309d19b/net/cert/internal/system_trust_store.cc
[modify] https://crrev.com/2a938c3d286c77d7b769a9b7dc31bab8a309d19b/net/cert/internal/system_trust_store.h
[modify] https://crrev.com/2a938c3d286c77d7b769a9b7dc31bab8a309d19b/net/cert/internal/test_helpers.cc
[modify] https://crrev.com/2a938c3d286c77d7b769a9b7dc31bab8a309d19b/net/cert/internal/test_helpers.h
[modify] https://crrev.com/2a938c3d286c77d7b769a9b7dc31bab8a309d19b/net/cert/internal/trust_store.cc
[modify] https://crrev.com/2a938c3d286c77d7b769a9b7dc31bab8a309d19b/net/cert/internal/trust_store.h
[modify] https://crrev.com/2a938c3d286c77d7b769a9b7dc31bab8a309d19b/net/cert/internal/trust_store_collection.cc
[modify] https://crrev.com/2a938c3d286c77d7b769a9b7dc31bab8a309d19b/net/cert/internal/trust_store_collection.h
[modify] https://crrev.com/2a938c3d286c77d7b769a9b7dc31bab8a309d19b/net/cert/internal/trust_store_collection_unittest.cc
[modify] https://crrev.com/2a938c3d286c77d7b769a9b7dc31bab8a309d19b/net/cert/internal/trust_store_in_memory.cc
[modify] https://crrev.com/2a938c3d286c77d7b769a9b7dc31bab8a309d19b/net/cert/internal/trust_store_in_memory.h
[modify] https://crrev.com/2a938c3d286c77d7b769a9b7dc31bab8a309d19b/net/cert/internal/trust_store_mac.cc
[modify] https://crrev.com/2a938c3d286c77d7b769a9b7dc31bab8a309d19b/net/cert/internal/trust_store_mac.h
[modify] https://crrev.com/2a938c3d286c77d7b769a9b7dc31bab8a309d19b/net/cert/internal/trust_store_mac_unittest.cc
[modify] https://crrev.com/2a938c3d286c77d7b769a9b7dc31bab8a309d19b/net/cert/internal/trust_store_nss.cc
[modify] https://crrev.com/2a938c3d286c77d7b769a9b7dc31bab8a309d19b/net/cert/internal/trust_store_nss.h
[modify] https://crrev.com/2a938c3d286c77d7b769a9b7dc31bab8a309d19b/net/cert/internal/trust_store_nss_unittest.cc
[modify] https://crrev.com/2a938c3d286c77d7b769a9b7dc31bab8a309d19b/net/cert/internal/verify_certificate_chain.cc
[modify] https://crrev.com/2a938c3d286c77d7b769a9b7dc31bab8a309d19b/net/cert/internal/verify_certificate_chain.h
[modify] https://crrev.com/2a938c3d286c77d7b769a9b7dc31bab8a309d19b/net/cert/internal/verify_certificate_chain_pkits_unittest.cc
[modify] https://crrev.com/2a938c3d286c77d7b769a9b7dc31bab8a309d19b/net/cert/internal/verify_certificate_chain_unittest.cc
[modify] https://crrev.com/2a938c3d286c77d7b769a9b7dc31bab8a309d19b/net/data/verify_certificate_chain_unittest/constrained-root-bad-eku.pem
[modify] https://crrev.com/2a938c3d286c77d7b769a9b7dc31bab8a309d19b/net/data/verify_certificate_chain_unittest/generate-constrained-root-bad-eku.py
[modify] https://crrev.com/2a938c3d286c77d7b769a9b7dc31bab8a309d19b/net/tools/cert_verify_tool/verify_using_path_builder.cc

Project Member

Comment 18 by bugdroid1@chromium.org, Sep 1 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/e9476168b2a00b5e367bec302032a90bbd8ceff9

commit e9476168b2a00b5e367bec302032a90bbd8ceff9
Author: Matt Mueller <mattm@chromium.org>
Date: Fri Sep 01 19:10:16 2017

net::PathBuilder: remove use of DoLoop pattern in CertPathBuilder

Bug:  649017 
Change-Id: I20d0d347f2a282cafb23e149de2d0f19616c41a4
Reviewed-on: https://chromium-review.googlesource.com/646293
Reviewed-by: Steven Valdez <svaldez@chromium.org>
Commit-Queue: Matt Mueller <mattm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#499249}
[modify] https://crrev.com/e9476168b2a00b5e367bec302032a90bbd8ceff9/net/cert/internal/path_builder.cc
[modify] https://crrev.com/e9476168b2a00b5e367bec302032a90bbd8ceff9/net/cert/internal/path_builder.h

Project Member

Comment 19 by bugdroid1@chromium.org, Sep 1 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/a290c8024bea4c915dd8d81b1a4153dd75e81db2

commit a290c8024bea4c915dd8d81b1a4153dd75e81db2
Author: Matt Mueller <mattm@chromium.org>
Date: Fri Sep 01 21:24:54 2017

net::PathBuilder: remove use of DoLoop pattern in CertPathIter

Bug:  649017 
Change-Id: I5d7d407bb960e7a593a6e1bbc3dcee3d25eb5ea5
Reviewed-on: https://chromium-review.googlesource.com/642355
Reviewed-by: Steven Valdez <svaldez@chromium.org>
Commit-Queue: Matt Mueller <mattm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#499304}
[modify] https://crrev.com/a290c8024bea4c915dd8d81b1a4153dd75e81db2/net/cert/internal/path_builder.cc

Project Member

Comment 20 by bugdroid1@chromium.org, Sep 28 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/78fdc5431c7692f300c2acc90691b35b4e7cefe0

commit 78fdc5431c7692f300c2acc90691b35b4e7cefe0
Author: Eric Roman <eroman@chromium.org>
Date: Thu Sep 28 01:17:53 2017

Add support for CRLSet to CertVerifyProcBuiltin.

Bug:  649017 
Change-Id: I7196aeafa9674dfd5e25cb828d4acb464f4c0a2e
Reviewed-on: https://chromium-review.googlesource.com/686043
Reviewed-by: Matt Mueller <mattm@chromium.org>
Commit-Queue: Eric Roman <eroman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#504856}
[modify] https://crrev.com/78fdc5431c7692f300c2acc90691b35b4e7cefe0/net/cert/cert_verify_proc_builtin.cc
[modify] https://crrev.com/78fdc5431c7692f300c2acc90691b35b4e7cefe0/net/cert/cert_verify_proc_unittest.cc

Project Member

Comment 22 by bugdroid1@chromium.org, Oct 11 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f9fd613e9755de1d3ef3c4950285d39ac0dd7e0d

commit f9fd613e9755de1d3ef3c4950285d39ac0dd7e0d
Author: Eric Roman <eroman@chromium.org>
Date: Wed Oct 11 01:25:02 2017

Add a mechanism for CertPathBuilderDelegate to add custom information
to processed paths.

This also changes the signature for
CertPathBuilderDelegate::CheckPathAfterVerification() so delegates have
access to the newly added |delegate_data|, as well as
|user_constrained_policy_set| (used by subsequent CLs).

Bug:  649017 , 649000 
Change-Id: Id8dda3f1ee5ca06c23c8dd97308c126cd1143393
Reviewed-on: https://chromium-review.googlesource.com/707926
Commit-Queue: Eric Roman <eroman@chromium.org>
Reviewed-by: Luke Halliwell <halliwell@chromium.org>
Reviewed-by: Matt Mueller <mattm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#507848}
[modify] https://crrev.com/f9fd613e9755de1d3ef3c4950285d39ac0dd7e0d/components/cast_certificate/cast_cert_validator.cc
[modify] https://crrev.com/f9fd613e9755de1d3ef3c4950285d39ac0dd7e0d/components/cast_certificate/cast_crl.cc
[modify] https://crrev.com/f9fd613e9755de1d3ef3c4950285d39ac0dd7e0d/components/cast_certificate/cast_crl.h
[modify] https://crrev.com/f9fd613e9755de1d3ef3c4950285d39ac0dd7e0d/net/cert/cert_verify_proc_builtin.cc
[modify] https://crrev.com/f9fd613e9755de1d3ef3c4950285d39ac0dd7e0d/net/cert/internal/path_builder.cc
[modify] https://crrev.com/f9fd613e9755de1d3ef3c4950285d39ac0dd7e0d/net/cert/internal/path_builder.h
[modify] https://crrev.com/f9fd613e9755de1d3ef3c4950285d39ac0dd7e0d/net/cert/internal/path_builder_unittest.cc
[modify] https://crrev.com/f9fd613e9755de1d3ef3c4950285d39ac0dd7e0d/net/cert/internal/simple_path_builder_delegate.cc
[modify] https://crrev.com/f9fd613e9755de1d3ef3c4950285d39ac0dd7e0d/net/cert/internal/simple_path_builder_delegate.h
[modify] https://crrev.com/f9fd613e9755de1d3ef3c4950285d39ac0dd7e0d/net/tools/cert_verify_tool/verify_using_path_builder.cc

Project Member

Comment 24 by bugdroid1@chromium.org, Oct 13 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b09b37a9eeb8731ea31cce852ee55925a89ca83c

commit b09b37a9eeb8731ea31cce852ee55925a89ca83c
Author: Eric Roman <eroman@chromium.org>
Date: Fri Oct 13 04:59:18 2017

Make CertVerifyProcInternalTest.EVVerificationMultipleOID not depend on
online revocation checking.

Bug:  649017 
Change-Id: Ic0b1485a87d30caed4d1dab9b8fb4f0a6d30c12a
Reviewed-on: https://chromium-review.googlesource.com/710745
Reviewed-by: Matt Mueller <mattm@chromium.org>
Commit-Queue: Eric Roman <eroman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#508597}
[modify] https://crrev.com/b09b37a9eeb8731ea31cce852ee55925a89ca83c/net/cert/cert_verify_proc_unittest.cc

Project Member

Comment 25 by bugdroid1@chromium.org, Oct 15 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/ea9d169b92c905f75a3bf6dc7bf23678b104e63b

commit ea9d169b92c905f75a3bf6dc7bf23678b104e63b
Author: Eric Roman <eroman@chromium.org>
Date: Sun Oct 15 21:01:51 2017

Add overloads for EVRootCAMetadata which take a der::Input for the OID.

Bug:  649017 
Change-Id: I7b0e836d9ea771bc486a6be353bb23759c18b774
Reviewed-on: https://chromium-review.googlesource.com/714377
Commit-Queue: Eric Roman <eroman@chromium.org>
Reviewed-by: Matt Mueller <mattm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#508960}
[modify] https://crrev.com/ea9d169b92c905f75a3bf6dc7bf23678b104e63b/net/cert/ev_root_ca_metadata.cc
[modify] https://crrev.com/ea9d169b92c905f75a3bf6dc7bf23678b104e63b/net/cert/ev_root_ca_metadata.h
[modify] https://crrev.com/ea9d169b92c905f75a3bf6dc7bf23678b104e63b/net/cert/ev_root_ca_metadata_unittest.cc

Project Member

Comment 26 by bugdroid1@chromium.org, Oct 17 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/5f8d9d2008026c187174c23b0f77bc169f444e3c

commit 5f8d9d2008026c187174c23b0f77bc169f444e3c
Author: Eric Roman <eroman@chromium.org>
Date: Tue Oct 17 02:32:52 2017

Implement EVRootCAMetadata for Fuchsia.

Bug:  762380 ,  649017 
Change-Id: Ice9f4c558974d39a44cb67e02f2da82ff4af7fa5
Reviewed-on: https://chromium-review.googlesource.com/721266
Reviewed-by: Matt Mueller <mattm@chromium.org>
Commit-Queue: Eric Roman <eroman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#509224}
[modify] https://crrev.com/5f8d9d2008026c187174c23b0f77bc169f444e3c/net/cert/ev_root_ca_metadata.cc
[modify] https://crrev.com/5f8d9d2008026c187174c23b0f77bc169f444e3c/net/cert/ev_root_ca_metadata.h
[modify] https://crrev.com/5f8d9d2008026c187174c23b0f77bc169f444e3c/net/url_request/url_request_unittest.cc

Status: Fixed (was: Assigned)
Complete enough that I will mark this as fixed.
Project Member

Comment 30 by bugdroid1@chromium.org, Jan 27 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b25892702325fd4534617ce18a657d16cb4ba627

commit b25892702325fd4534617ce18a657d16cb4ba627
Author: Matt Mueller <mattm@chromium.org>
Date: Sat Jan 27 16:41:26 2018

net::CertVerifyProcBuiltin: do AIA fetching (if requested by VERIFY_CERT_IO_ENABLED)

Also call SetGlobalCertNetFetcher on OS_FUCHSIA (where CertVerifyProcBuiltin is the default).

Bug:  649017 , 762380 
Change-Id: I39ee5de34dd96914189f323ecbaffabfc645b642
Reviewed-on: https://chromium-review.googlesource.com/884841
Reviewed-by: Matt Menke <mmenke@chromium.org>
Reviewed-by: Eric Roman <eroman@chromium.org>
Commit-Queue: Matt Mueller <mattm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#532227}
[modify] https://crrev.com/b25892702325fd4534617ce18a657d16cb4ba627/chrome/browser/io_thread.cc
[modify] https://crrev.com/b25892702325fd4534617ce18a657d16cb4ba627/net/cert/cert_verify_proc_builtin.cc
[modify] https://crrev.com/b25892702325fd4534617ce18a657d16cb4ba627/net/url_request/url_request_unittest.cc
