commit bc97b7a8e1952bab69fea961301a90e5ad3344e9
author Bob Beck <bbe@google.com> Tue Apr 18 08:35:15 2023 -0600
committer Boringssl LUCI CQ <boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com> Thu Jun 22 19:34:39 2023 +0000
tree f59febcf515db04b416e3161cefe99906d5d63a0
parent ee194c75a65ca813fc78eb2cb7eca65ce344ec7b

Bring in the core of  chromium certificate verifier as libpki

Initially this leaves the canonical source in chrome, Additions
and fillins are committed directly, the chrome files are coverted
using the IMPORT script run from the pki directory for the moment.

The intention here is to continue frequent automatic conversion
(and avoid wholesale cosmetic changes in here for now) until
chrome converts to use these files in place of it's versions.
At that point these will become the definiative files, and the
IMPORT script can be tossed out.

A middle step along the way will be to change google3's verify.cc
in third_party/chromium_certificate_verifier to use this instead
of it's own extracted copy.

Status (and what is not done yet) being roughly tracked in README.md

Bug: chromium:1322914

Change-Id: Ibdb5479bc68985fa61ce6b10f98f31f6b3a7cbdf
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60285
Commit-Queue: Bob Beck <bbe@google.com>
Reviewed-by: Adam Langley <agl@google.com>

pki/cert_error_id.h

diff --git a/pki/cert_error_id.h b/pki/cert_error_id.h
new file mode 100644
index 0000000..e77154b
--- /dev/null
+++ b/pki/cert_error_id.h
@@ -0,0 +1,38 @@
+// Copyright 2016 The Chromium Authors
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef BSSL_PKI_CERT_ERROR_ID_H_
+#define BSSL_PKI_CERT_ERROR_ID_H_
+
+#include "fillins/openssl_util.h"
+
+
+namespace bssl {
+
+// Each "class" of certificate error/warning has its own unique ID. This is
+// essentially like an error code, however the value is not stable. Under the
+// hood these IDs are pointers and use the process's address space to ensure
+// uniqueness.
+//
+// Equality of CertErrorId can be done using the == operator.
+//
+// To define new error IDs use the macro DEFINE_CERT_ERROR_ID().
+using CertErrorId = const void*;
+
+// DEFINE_CERT_ERROR_ID() creates a CertErrorId given a non-null C-string
+// literal. The string should be a textual name for the error which will appear
+// when pretty-printing errors for debugging. It should be ASCII.
+//
+// TODO(crbug.com/634443): Implement this -- add magic to ensure that storage
+//                         of identical strings isn't pool.
+#define DEFINE_CERT_ERROR_ID(name, c_str_literal) \
+  const CertErrorId name = c_str_literal
+
+// Returns a debug string for a CertErrorId. In practice this returns the
+// string literal given to DEFINE_CERT_ERROR_ID(), which is human-readable.
+OPENSSL_EXPORT const char* CertErrorIdToDebugString(CertErrorId id);
+
+}  // namespace net
+
+#endif  // BSSL_PKI_CERT_ERROR_ID_H_