Documentation: Change |...| to `...` for code references in comments 11/N This CL includes the result of running util/update_comment_style.py over *.cc files in pki/, and fixing omissions manually if necessary. Bug: 42290410 Change-Id: Ic9610d6d8813617d38ac83dcb0101f9b6a6a6964 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/96150 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: Lily Chen <chlily@google.com>
diff --git a/pki/certificate.cc b/pki/certificate.cc index 8d50d49..cbbca0f 100644 --- a/pki/certificate.cc +++ b/pki/certificate.cc
@@ -31,7 +31,7 @@ std::shared_ptr<const bssl::ParsedCertificate> ParseCertificateFromDer( bssl::Span<const uint8_t>cert, std::string *out_diagnostic) { bssl::ParseCertificateOptions default_options{}; - // We follow Chromium in setting |allow_invalid_serial_numbers| in order to + // We follow Chromium in setting `allow_invalid_serial_numbers` in order to // not choke on 21-byte serial numbers, which are common. davidben explains // why: //
diff --git a/pki/certificate_policies.cc b/pki/certificate_policies.cc index 8937fbe..e3bcbf9 100644 --- a/pki/certificate_policies.cc +++ b/pki/certificate_policies.cc
@@ -46,9 +46,9 @@ DEFINE_CERT_ERROR_ID(kPolicyQualifierInfoTrailingData, "PolicyQualifierInfo has trailing data"); -// Minimally parse policyQualifiers, storing in |policy_qualifiers| if non-null. +// Minimally parse policyQualifiers, storing in `policy_qualifiers` if non-null. // If a policy qualifier other than User Notice/CPS is present, parsing -// will fail if |restrict_to_known_qualifiers| was set to true. +// will fail if `restrict_to_known_qualifiers` was set to true. bool ParsePolicyQualifiers(bool restrict_to_known_qualifiers, der::Parser *policy_qualifiers_sequence_parser, std::vector<PolicyQualifierInfo> *policy_qualifiers,
diff --git a/pki/certificate_policies_unittest.cc b/pki/certificate_policies_unittest.cc index ba14490..3542097 100644 --- a/pki/certificate_policies_unittest.cc +++ b/pki/certificate_policies_unittest.cc
@@ -46,7 +46,7 @@ }; // Run the tests with all possible values for -// |fail_parsing_unknown_qualifier_oids|. +// `fail_parsing_unknown_qualifier_oids`. INSTANTIATE_TEST_SUITE_P(All, ParseCertificatePoliciesExtensionOidsTest, testing::Bool());
diff --git a/pki/crl.cc b/pki/crl.cc index fcd6499..f64a140 100644 --- a/pki/crl.cc +++ b/pki/crl.cc
@@ -408,7 +408,7 @@ return CRLRevocationStatus::REVOKED; } - // |cert| is not present in the revokedCertificates list. + // `cert` is not present in the revokedCertificates list. return CRLRevocationStatus::GOOD; } @@ -626,7 +626,7 @@ // cases of key rollover without requiring additional CRL issuer cert // discovery & path building. // TODO(https://crbug.com/749276): should this loop start at - // |target_cert_index|? There doesn't seem to be anything in the specs that + // `target_cert_index`? There doesn't seem to be anything in the specs that // precludes a CRL signed by a self-issued cert from covering itself. On the // other hand it seems like a pretty weird thing to allow and causes NIST // PKITS 4.5.3 to pass when it seems like it would not be intended to (since @@ -639,7 +639,7 @@ // path MUST be the same as the trust anchor used to validate // the target certificate. // - // As the |issuer_cert| is from the already validated chain, it is already + // As the `issuer_cert` is from the already validated chain, it is already // known to chain to the same trust anchor as the target certificate. if (der::Input(StringAsBytes(normalized_crl_issuer)) != issuer_cert->normalized_subject()) { @@ -669,7 +669,7 @@ // in Section 5.3.3, then set the cert_status variable to the // indicated reason as described in step (i). // - // CRL is valid and covers |target_cert|, check if |target_cert| is present + // CRL is valid and covers `target_cert`, check if `target_cert` is present // in the revokedCertificates sequence. return GetCRLStatusForCert(target_cert->tbs().serial_number, tbs_cert_list.version, @@ -678,7 +678,7 @@ // 6.3.3 (k,l) skipped. This implementation does not support reason codes. } - // Did not find the issuer & signer of |raw_crl| in |valid_chain|. + // Did not find the issuer & signer of `raw_crl` in `valid_chain`. return CRLRevocationStatus::UNKNOWN; }
diff --git a/pki/merkle_tree.cc b/pki/merkle_tree.cc index 9ebaa2b..2308a60 100644 --- a/pki/merkle_tree.cc +++ b/pki/merkle_tree.cc
@@ -47,7 +47,7 @@ } // namespace -// Computes HASH(0x01 || left || right) and saves the result to |out|. +// Computes HASH(0x01 || left || right) and saves the result to `out`. void HashNode(TreeHashConstSpan left, TreeHashConstSpan right, TreeHashSpan out) { static const uint8_t header = 0x01; @@ -229,7 +229,7 @@ if (!subtree.IsValid() || !subtree.Contains(index)) { return std::nullopt; } - // Re-root |index| inside of |subtree|. + // Re-root `index` inside of `subtree`. index -= subtree.start; return EvaluateMerkleSubtreeConsistencyProof( subtree.Size(), {index, index + 1}, inclusion_proof, entry_hash);
diff --git a/pki/name_constraints.cc b/pki/name_constraints.cc index 454d8b9..f85ba25 100644 --- a/pki/name_constraints.cc +++ b/pki/name_constraints.cc
@@ -53,7 +53,7 @@ // will match "bar.com" but not "foo.bar.com". enum WildcardMatchType { WILDCARD_PARTIAL_MATCH, WILDCARD_FULL_MATCH }; -// Returns true if |name| falls in the subtree defined by |dns_constraint|. +// Returns true if `name` falls in the subtree defined by `dns_constraint`. // RFC 5280 section 4.2.1.10: // DNS name restrictions are expressed as host.example.com. Any DNS // name that can be constructed by simply adding zero or more labels @@ -61,7 +61,7 @@ // example, www.host.example.com would satisfy the constraint but // host1.example.com would not. // -// |wildcard_matching| controls handling of wildcard names (|name| starts with +// `wildcard_matching` controls handling of wildcard names (`name` starts with // "*."). Wildcard handling is not specified by RFC 5280, but certificate // verification allows it, name constraints must check it similarly. bool DNSNameMatches(std::string_view name, std::string_view dns_constraint, @@ -122,10 +122,10 @@ return false; } -// Parses a GeneralSubtrees |value| and store the contents in |subtrees|. -// The individual values stored into |subtrees| are not validated by this +// Parses a GeneralSubtrees `value` and store the contents in `subtrees`. +// The individual values stored into `subtrees` are not validated by this // function. -// NOTE: |subtrees| is not pre-initialized by the function(it is expected to be +// NOTE: `subtrees` is not pre-initialized by the function(it is expected to be // a default initialized object), and it will be modified regardless of the // return value. [[nodiscard]] bool ParseGeneralSubtrees(der::Input value, @@ -420,7 +420,7 @@ (constrained_name_types() & GENERAL_NAME_RFC822_NAME)) { if (!FindEmailAddressesInName(subject_rdn_sequence, &subject_email_addresses_to_check)) { - // Error parsing |subject_rdn_sequence|. + // Error parsing `subject_rdn_sequence`. errors->AddError(cert_errors::kNotPermittedByNameConstraints); return; }
diff --git a/pki/ocsp.cc b/pki/ocsp.cc index d0f9708..e968e4d 100644 --- a/pki/ocsp.cc +++ b/pki/ocsp.cc
@@ -86,8 +86,8 @@ namespace { -// Parses |raw_tlv| to extract an OCSP RevokedInfo (RFC 6960) and stores the -// result in the OCSPCertStatus |out|. Returns whether the parsing was +// Parses `raw_tlv` to extract an OCSP RevokedInfo (RFC 6960) and stores the +// result in the OCSPCertStatus `out`. Returns whether the parsing was // successful. // // RevokedInfo ::= SEQUENCE { @@ -132,8 +132,8 @@ return !parser.HasMore(); } -// Parses |raw_tlv| to extract an OCSP CertStatus (RFC 6960) and stores the -// result in the OCSPCertStatus |out|. Returns whether the parsing was +// Parses `raw_tlv` to extract an OCSP CertStatus (RFC 6960) and stores the +// result in the OCSPCertStatus `out`. Returns whether the parsing was // successful. // // CertStatus ::= CHOICE { @@ -169,7 +169,7 @@ return !parser.HasMore(); } -// Writes the hash of |value| as an OCTET STRING to |cbb|, using |hash_type| as +// Writes the hash of `value` as an OCTET STRING to `cbb`, using `hash_type` as // the algorithm. Returns true on success. bool AppendHashAsOctetString(const EVP_MD *hash_type, CBB *cbb, der::Input value) { @@ -243,8 +243,8 @@ namespace { -// Parses |raw_tlv| to extract a ResponderID (RFC 6960) and stores the -// result in the ResponderID |out|. Returns whether the parsing was successful. +// Parses `raw_tlv` to extract a ResponderID (RFC 6960) and stores the +// result in the ResponderID `out`. Returns whether the parsing was successful. // // ResponderID ::= CHOICE { // byName [1] Name, @@ -363,8 +363,8 @@ namespace { -// Parses |raw_tlv| to extract a BasicOCSPResponse (RFC 6960) and stores the -// result in the OCSPResponse |out|. Returns whether the parsing was +// Parses `raw_tlv` to extract a BasicOCSPResponse (RFC 6960) and stores the +// result in the OCSPResponse `out`. Returns whether the parsing was // successful. // // BasicOCSPResponse ::= SEQUENCE { @@ -492,7 +492,7 @@ return false; } - // As per RFC 6960 Section 4.2.1, the value of |response| SHALL be the DER + // As per RFC 6960 Section 4.2.1, the value of `response` SHALL be the DER // encoding of BasicOCSPResponse. der::Input response; if (!bytes_parser.ReadTag(CBS_ASN1_OCTETSTRING, &response)) { @@ -511,7 +511,7 @@ namespace { -// Checks that the |type| hash of |value| is equal to |hash| +// Checks that the `type` hash of `value` is equal to `hash` bool VerifyHash(const EVP_MD *type, der::Input hash, der::Input value) { unsigned value_hash_len; uint8_t value_hash[EVP_MAX_MD_SIZE]; @@ -527,7 +527,7 @@ // to say, the value of subjectPublicKey without the leading unused bit // count octet. // -// Returns true on success and fills |*spk_tlv| with the result. +// Returns true on success and fills `*spk_tlv` with the result. // // From RFC 5280, Section 4.1 // SubjectPublicKeyInfo ::= SEQUENCE { @@ -545,7 +545,7 @@ // The subjectPublicKey field includes the unused bit count. For this // application, the unused bit count must be zero, and is not included in // the result. We extract the subjectPubicKey bit string, verify the first - // byte is 0, and if so set |spk_tlv| to the remaining bytes. + // byte is 0, and if so set `spk_tlv` to the remaining bytes. if (!CBS_get_asn1(&outer, &inner, CBS_ASN1_SEQUENCE) || !CBS_get_asn1(&inner, &alg, CBS_ASN1_SEQUENCE) || !CBS_get_asn1(&inner, &spk, CBS_ASN1_BITSTRING) || @@ -556,7 +556,7 @@ return true; } -// Checks the OCSPCertID |id| identifies |certificate|. +// Checks the OCSPCertID `id` identifies `certificate`. bool CheckCertIDMatchesCertificate( const OCSPCertID &id, const ParsedCertificate *certificate, const ParsedCertificate *issuer_certificate) { @@ -618,7 +618,7 @@ {}, &errors); } -// Checks that the ResponderID |id| matches the certificate |cert| either +// Checks that the ResponderID `id` matches the certificate `cert` either // by verifying the name matches that of the certificate or that the hash // matches the certificate's public key hash (RFC 6960, 4.2.2.3). [[nodiscard]] bool CheckResponderIDMatchesCertificate( @@ -646,8 +646,8 @@ return false; } -// Verifies that |responder_certificate| has been authority for OCSP signing, -// delegated to it by |issuer_certificate|. +// Verifies that `responder_certificate` has been authority for OCSP signing, +// delegated to it by `issuer_certificate`. // // TODO(eroman): No revocation checks are done (see id-pkix-ocsp-nocheck in the // spec). extension). @@ -694,8 +694,8 @@ } // Verifies that the OCSP response has a valid signature using -// |issuer_certificate|, or an authorized responder issued by -// |issuer_certificate| for OCSP signing. +// `issuer_certificate`, or an authorized responder issued by +// `issuer_certificate` for OCSP signing. [[nodiscard]] bool VerifyOCSPResponseSignature( const OCSPResponse &response, const OCSPResponseData &response_data, const ParsedCertificate *issuer_certificate) { @@ -712,7 +712,7 @@ // Otherwise search through the provided certificates for the Authorized // Responder. Want a certificate that: // (1) Matches the OCSP Responder ID. - // (2) Has been given authority for OCSP signing by |issuer_certificate|. + // (2) Has been given authority for OCSP signing by `issuer_certificate`. // (3) Has signed the OCSP response using its public key. for (const auto &responder_cert_tlv : response.certs) { std::shared_ptr<const ParsedCertificate> cur_responder_certificate = @@ -809,7 +809,7 @@ return true; } -// Loops through the OCSPSingleResponses to find the best match for |cert|. +// Loops through the OCSPSingleResponses to find the best match for `cert`. OCSPRevocationStatus GetRevocationStatusForCert( const OCSPResponseData &response_data, const ParsedCertificate *cert, const ParsedCertificate *issuer_certificate, @@ -895,7 +895,7 @@ return OCSPRevocationStatus::UNKNOWN; } - // RFC 6960 defines all responses |response_status| != SUCCESSFUL as error + // RFC 6960 defines all responses `response_status` != SUCCESSFUL as error // responses. No revocation information is provided on error responses, and // the OCSPResponseData structure is not set. if (response.status != OCSPResponse::ResponseStatus::SUCCESSFUL) {
diff --git a/pki/ocsp_unittest.cc b/pki/ocsp_unittest.cc index 0a6cd30..13ab78f 100644 --- a/pki/ocsp_unittest.cc +++ b/pki/ocsp_unittest.cc
@@ -218,7 +218,7 @@ CreateOCSPGetURL(cert.get(), issuer.get(), GetParam()); ASSERT_TRUE(url); - // Try to extract the encoded data and compare against |request_data|. + // Try to extract the encoded data and compare against `request_data`. // // A known answer output test would be better as this just reverses the logic // from the implementation file.
diff --git a/pki/parse_certificate.cc b/pki/parse_certificate.cc index a9aed00..a673528 100644 --- a/pki/parse_certificate.cc +++ b/pki/parse_certificate.cc
@@ -84,7 +84,7 @@ DEFINE_CERT_ERROR_ID(kSerialNumberNotValidInteger, "Serial number is not a valid INTEGER"); -// Returns true if |input| is a SEQUENCE and nothing else. +// Returns true if `input` is a SEQUENCE and nothing else. [[nodiscard]] bool IsSequenceTLV(der::Input input) { der::Parser parser(input); der::Parser unused_sequence_parser; @@ -95,8 +95,8 @@ return !parser.HasMore(); } -// Reads a SEQUENCE from |parser| and writes the full tag-length-value into -// |out|. On failure |parser| may or may not have been advanced. +// Reads a SEQUENCE from `parser` and writes the full tag-length-value into +// `out`. On failure `parser` may or may not have been advanced. [[nodiscard]] bool ReadSequenceTLV(der::Parser *parser, der::Input *out) { return parser->ReadRawTLV(out) && IsSequenceTLV(*out); } @@ -139,7 +139,7 @@ return !parser.HasMore(); } -// Returns true if every bit in |bits| is zero (including empty). +// Returns true if every bit in `bits` is zero (including empty). [[nodiscard]] bool BitStringIsAllZeros(const der::BitString &bits) { // Note that it is OK to read from the unused bits, since BitString parsing // guarantees they are all zero. @@ -262,7 +262,7 @@ bool VerifySerialNumber(der::Input value, bool warnings_only, CertErrors *errors) { - // If |warnings_only| was set to true, the exact same errors will be logged, + // If `warnings_only` was set to true, the exact same errors will be logged, // only they will be logged with a lower severity (warning rather than error). CertError::Severity error_severity = warnings_only ? CertError::SEVERITY_WARNING : CertError::SEVERITY_HIGH; @@ -362,7 +362,7 @@ der::Input *out_signature_algorithm_tlv, der::BitString *out_signature_value, CertErrors *out_errors) { - // |out_errors| is optional. But ensure it is non-null for the remainder of + // `out_errors` is optional. But ensure it is non-null for the remainder of // this function. CertErrors unused_errors; if (!out_errors) { @@ -435,13 +435,13 @@ bool ParseTbsCertificate(der::Input tbs_tlv, const ParseCertificateOptions &options, ParsedTbsCertificate *out, CertErrors *errors) { - // The rest of this function assumes that |errors| is non-null. + // The rest of this function assumes that `errors` is non-null. CertErrors unused_errors; if (!errors) { errors = &unused_errors; } - // TODO(crbug.com/634443): Add useful error information to |errors|. + // TODO(crbug.com/634443): Add useful error information to `errors`. der::Parser parser(tbs_tlv); @@ -590,7 +590,7 @@ // Note that there IS an extension point at the end of TBSCertificate // (according to RFC 5912), so from that interpretation, unconsumed data would - // be allowed in |tbs_parser|. + // be allowed in `tbs_parser`. // // However because only v1, v2, and v3 certificates are supported by the // parsing, there shouldn't be any subsequent data in those versions, so
diff --git a/pki/parse_certificate_unittest.cc b/pki/parse_certificate_unittest.cc index 6407813..3c307bd 100644 --- a/pki/parse_certificate_unittest.cc +++ b/pki/parse_certificate_unittest.cc
@@ -45,7 +45,7 @@ return std::string("testdata/parse_certificate_unittest/") + file_name; } -// Loads certificate data and expectations from the PEM file |file_name|. +// Loads certificate data and expectations from the PEM file `file_name`. // Verifies that parsing the Certificate matches expectations: // * If expected to fail, emits the expected errors // * If expected to succeeds, the parsed fields match expectations @@ -138,11 +138,11 @@ RunCertificateTest("cert_algorithm_not_sequence.pem"); } -// Loads tbsCertificate data and expectations from the PEM file |file_name|. +// Loads tbsCertificate data and expectations from the PEM file `file_name`. // Verifies that parsing the TBSCertificate succeeds, and each parsed field // matches the expectations. // -// TODO(eroman): Get rid of the |expected_version| parameter -- this should be +// TODO(eroman): Get rid of the `expected_version` parameter -- this should be // encoded in the test expectations file. void RunTbsCertificateTestGivenVersion(const std::string &file_name, CertificateVersion expected_version) {
diff --git a/pki/parse_name.cc b/pki/parse_name.cc index a51edf9..ed43494 100644 --- a/pki/parse_name.cc +++ b/pki/parse_name.cc
@@ -26,7 +26,7 @@ namespace { -// Returns a string containing the dotted numeric form of |oid|, or an empty +// Returns a string containing the dotted numeric form of `oid`, or an empty // string on error. std::string OidToString(der::Input oid) { CBS cbs;
diff --git a/pki/parse_name_unittest.cc b/pki/parse_name_unittest.cc index f3e436d..1ed831f 100644 --- a/pki/parse_name_unittest.cc +++ b/pki/parse_name_unittest.cc
@@ -21,10 +21,10 @@ namespace { // Loads test data from file. The filename is constructed from the parameters: -// |prefix| describes the type of data being tested, e.g. "ascii", +// `prefix` describes the type of data being tested, e.g. "ascii", // "unicode_bmp", "unicode_supplementary", and "invalid". -// |value_type| indicates what ASN.1 type is used to encode the data. -// |suffix| indicates any additional modifications, such as caseswapping, +// `value_type` indicates what ASN.1 type is used to encode the data. +// `suffix` indicates any additional modifications, such as caseswapping, // whitespace adding, etc. ::testing::AssertionResult LoadTestData(const std::string &prefix, const std::string &value_type,
diff --git a/pki/parse_values.cc b/pki/parse_values.cc index 1e5e14a..978ba0c 100644 --- a/pki/parse_values.cc +++ b/pki/parse_values.cc
@@ -52,8 +52,8 @@ return false; } -// Reads a positive decimal number with |digits| digits and stores it in -// |*out|. This function does not check that the type of |*out| is large +// Reads a positive decimal number with `digits` digits and stores it in +// `*out`. This function does not check that the type of `*out` is large // enough to hold 10^digits - 1; the caller must choose an appropriate type // based on the number of digits they wish to parse. template <typename UINT> @@ -137,7 +137,7 @@ } // Returns the number of bytes of numeric precision in a DER encoded INTEGER -// value. |in| must be a valid DER encoding of an INTEGER for this to work. +// value. `in` must be a valid DER encoding of an INTEGER for this to work. // // Normally the precision of the number is exactly in.size(). However when // encoding positive numbers using DER it is possible to have a leading zero @@ -149,7 +149,7 @@ der::ByteReader reader(in); uint8_t first_byte; if (!reader.ReadByte(&first_byte)) { - return 0; // Not valid DER as |in| was empty. + return 0; // Not valid DER as `in` was empty. } if (first_byte == 0 && in.size() > 1) { @@ -246,13 +246,13 @@ } // Within a byte, bits are ordered from most significant to least significant. - // Convert |bit_index| to an index within the |byte_index| byte, measured from + // Convert `bit_index` to an index within the `byte_index` byte, measured from // its least significant bit. uint8_t bit_index_in_byte = 7 - (bit_index - byte_index * 8); // BIT STRING parsing already guarantees that unused bits in a byte are zero // (otherwise it wouldn't be valid DER). Therefore it isn't necessary to check - // |unused_bits_| + // `unused_bits_` uint8_t byte = bytes_[byte_index]; return 0 != (byte & (1 << bit_index_in_byte)); }
diff --git a/pki/parsed_certificate.cc b/pki/parsed_certificate.cc index ce94394..647c508 100644 --- a/pki/parsed_certificate.cc +++ b/pki/parsed_certificate.cc
@@ -91,7 +91,7 @@ std::shared_ptr<const ParsedCertificate> ParsedCertificate::Create( bssl::UniquePtr<CRYPTO_BUFFER> backing_data, const ParseCertificateOptions &options, CertErrors *errors) { - // |errors| is an optional parameter, but to keep the code simpler, use a + // `errors` is an optional parameter, but to keep the code simpler, use a // dummy object when one wasn't provided. CertErrors unused_errors; if (!errors) {
diff --git a/pki/parsed_certificate_unittest.cc b/pki/parsed_certificate_unittest.cc index b6ecce1..0e50f7b 100644 --- a/pki/parsed_certificate_unittest.cc +++ b/pki/parsed_certificate_unittest.cc
@@ -31,7 +31,7 @@ return std::string("testdata/parse_certificate_unittest/") + file_name; } -// Reads and parses a certificate from the PEM file |file_name|. +// Reads and parses a certificate from the PEM file `file_name`. // // Returns nullptr if the certificate parsing failed, and verifies that any // errors match the ERRORS block in the .pem file. @@ -55,7 +55,7 @@ data.size(), nullptr)), options, &errors); - // The errors are baselined for |!allow_invalid_serial_numbers|. So if + // The errors are baselined for `!allow_invalid_serial_numbers`. So if // requesting a non-default option skip the error checks. // TODO(eroman): This is ugly. if (!options.allow_invalid_serial_numbers) {
diff --git a/pki/path_builder.cc b/pki/path_builder.cc index 53597b6..8a36f16 100644 --- a/pki/path_builder.cc +++ b/pki/path_builder.cc
@@ -43,7 +43,7 @@ using CertIssuerSources = std::vector<CertIssuerSource *>; -// Returns a hex-encoded sha256 of the DER-encoding of |cert|. +// Returns a hex-encoded sha256 of the DER-encoding of `cert`. std::string FingerPrintParsedCertificate(const bssl::ParsedCertificate *cert) { uint8_t digest[SHA256_DIGEST_LENGTH]; SHA256(cert->der_cert().data(), cert->der_cert().size(), digest); @@ -73,7 +73,7 @@ return s; } -// This structure describes a certificate and its trust level. Note that |cert| +// This structure describes a certificate and its trust level. Note that `cert` // may be null to indicate an "empty" entry. struct IssuerEntry { std::shared_ptr<const ParsedCertificate> cert; @@ -82,19 +82,19 @@ }; enum KeyIdentifierMatch { - // |target| has a keyIdentifier and it matches |issuer|'s + // `target` has a keyIdentifier and it matches `issuer`'s // subjectKeyIdentifier. kMatch = 0, - // |target| does not have authorityKeyIdentifier or |issuer| does not have + // `target` does not have authorityKeyIdentifier or `issuer` does not have // subjectKeyIdentifier. kNoData = 1, - // |target|'s authorityKeyIdentifier does not match |issuer|. + // `target`'s authorityKeyIdentifier does not match `issuer`. kMismatch = 2, }; -// Returns an integer that represents the relative ordering of |issuer| for -// prioritizing certificates in path building based on |issuer|'s -// subjectKeyIdentifier and |target|'s authorityKeyIdentifier. Lower return +// Returns an integer that represents the relative ordering of `issuer` for +// prioritizing certificates in path building based on `issuer`'s +// subjectKeyIdentifier and `target`'s authorityKeyIdentifier. Lower return // values indicate higher priority. KeyIdentifierMatch CalculateKeyIdentifierMatch( const ParsedCertificate *target, const ParsedCertificate *issuer) { @@ -118,8 +118,8 @@ return kNoData; } -// Returns an integer that represents the relative ordering of |issuer| based -// on |issuer_trust| and authorityKeyIdentifier matching for prioritizing +// Returns an integer that represents the relative ordering of `issuer` based +// on `issuer_trust` and authorityKeyIdentifier matching for prioritizing // certificates in path building. Lower return values indicate higher priority. int TrustAndKeyIdentifierMatchToOrder(const ParsedCertificate *target, const ParsedCertificate *issuer, @@ -175,12 +175,12 @@ return -1; } -// CertIssuersIter iterates through the intermediates from |cert_issuer_sources| -// which may be issuers of |cert|. +// CertIssuersIter iterates through the intermediates from `cert_issuer_sources` +// which may be issuers of `cert`. class CertIssuersIter { public: - // Constructs the CertIssuersIter. |*cert_issuer_sources|, and - // |*trust_store| must be valid for the lifetime of the CertIssuersIter. + // Constructs the CertIssuersIter. `*cert_issuer_sources`, and + // `*trust_store` must be valid for the lifetime of the CertIssuersIter. CertIssuersIter(std::shared_ptr<const ParsedCertificate> cert, CertIssuerSources *cert_issuer_sources, TrustStore *trust_store); @@ -188,18 +188,18 @@ CertIssuersIter(const CertIssuersIter &) = delete; CertIssuersIter &operator=(const CertIssuersIter &) = delete; - // Gets the next candidate issuer, or clears |*out| when all issuers have been + // Gets the next candidate issuer, or clears `*out` when all issuers have been // exhausted. void GetNextIssuer(IssuerEntry *out); - // Returns true if candidate issuers were found for |cert_|. + // Returns true if candidate issuers were found for `cert_`. bool had_non_skipped_issuers() const { return issuers_.size() > skipped_issuer_count_; } void increment_skipped_issuer_count() { skipped_issuer_count_++; } - // Returns the |cert| for which issuers are being retrieved. + // Returns the `cert` for which issuers are being retrieved. const ParsedCertificate *cert() const { return cert_.get(); } std::shared_ptr<const ParsedCertificate> reference_cert() const { return cert_; @@ -210,10 +210,10 @@ void MaybeAddMTCIssuer(); void DoAsyncIssuerQuery(); - // Returns true if |issuers_| contains unconsumed certificates. + // Returns true if `issuers_` contains unconsumed certificates. bool HasCurrentIssuer() const { return cur_issuer_ < issuers_.size(); } - // Sorts the remaining entries in |issuers_| in the preferred order to + // Sorts the remaining entries in `issuers_` in the preferred order to // explore. Does not change the ordering for indices before cur_issuer_. void SortRemainingIssuers(); @@ -221,15 +221,15 @@ CertIssuerSources *cert_issuer_sources_; TrustStore *trust_store_; - // The list of issuers for |cert_|. This is added to incrementally (first + // The list of issuers for `cert_`. This is added to incrementally (first // synchronous results, then possibly multiple times as asynchronous results // arrive.) The issuers may be re-sorted each time new issuers are added, but - // only the results from |cur_| onwards should be sorted, since the earlier + // only the results from `cur_` onwards should be sorted, since the earlier // results were already returned. - // Elements should not be removed from |issuers_| once added, since - // |present_issuers_| will point to data owned by the certs. + // Elements should not be removed from `issuers_` once added, since + // `present_issuers_` will point to data owned by the certs. std::vector<IssuerEntry> issuers_; - // The index of the next cert in |issuers_| to return. + // The index of the next cert in `issuers_` to return. size_t cur_issuer_ = 0; // The number of issuers that were skipped due to the loop checker. size_t skipped_issuer_count_ = 0; @@ -237,10 +237,10 @@ // ordering needs to be checked. bool issuers_needs_sort_ = false; - // Set of DER-encoded values for the certs in |issuers_|. Used to prevent + // Set of DER-encoded values for the certs in `issuers_`. Used to prevent // duplicates. This is based on the full DER of the cert to allow different // versions of the same certificate to be tried in different candidate paths. - // This points to data owned by |issuers_|. + // This points to data owned by `issuers_`. std::unordered_set<std::string_view> present_issuers_; // Tracks which requests have been made yet. @@ -300,7 +300,7 @@ // Still have issuers that haven't been returned yet, return the highest // priority one (head of remaining list). A reference to the returned issuer - // is retained, since |present_issuers_| points to data owned by it. + // is retained, since `present_issuers_` points to data owned by it. *out = issuers_[cur_issuer_++]; return; } @@ -377,8 +377,8 @@ return std::tie(issuer1.trust_and_key_id_match_ordering, issuer2_self_issued, // Newer(larger) notBefore & notAfter dates are - // preferred, hence |issuer2| is on the LHS of - // the comparison and |issuer1| on the RHS. + // preferred, hence `issuer2` is on the LHS of + // the comparison and `issuer1` on the RHS. issuer2.cert->tbs().validity_not_before, issuer2.cert->tbs().validity_not_after) < std::tie(issuer2.trust_and_key_id_match_ordering, @@ -398,13 +398,13 @@ // section 2.4.2.) class CertIssuerIterPath { public: - // Returns true if |cert| is already present in the path. + // Returns true if `cert` is already present in the path. bool IsPresent(const ParsedCertificate *cert) const { return present_certs_.find(GetKey(cert)) != present_certs_.end(); } - // Appends |cert_issuers_iter| to the path. The cert referred to by - // |cert_issuers_iter| must not be present in the path already. + // Appends `cert_issuers_iter` to the path. The cert referred to by + // `cert_issuers_iter` must not be present in the path already. void Append(std::unique_ptr<CertIssuersIter> cert_issuers_iter) { bool added = present_certs_.insert(GetKey(cert_issuers_iter->cert())).second; @@ -419,7 +419,7 @@ cur_path_.pop_back(); } - // Copies the ParsedCertificate elements of the current path to |*out_path|. + // Copies the ParsedCertificate elements of the current path to `*out_path`. void CopyPath(ParsedCertificateList *out_path) { out_path->clear(); for (const auto &node : cur_path_) { @@ -464,7 +464,7 @@ std::vector<std::unique_ptr<CertIssuersIter>> cur_path_; - // This refers to data owned by |cur_path_|. + // This refers to data owned by `cur_path_`. // TODO(mattm): use unordered_set. Requires making a hash function for Key. std::set<Key> present_certs_; }; @@ -490,8 +490,8 @@ return nullptr; } -// CertPathIter generates possible paths from |cert| to a trust anchor in -// |trust_store|, using intermediates from the |cert_issuer_source| objects if +// CertPathIter generates possible paths from `cert` to a trust anchor in +// `trust_store`, using intermediates from the `cert_issuer_source` objects if // necessary. class CertPathIter { public: @@ -502,18 +502,18 @@ CertPathIter &operator=(const CertPathIter &) = delete; // Adds a CertIssuerSource to provide intermediates for use in path building. - // The |*cert_issuer_source| must remain valid for the lifetime of the + // The `*cert_issuer_source` must remain valid for the lifetime of the // CertPathIter. void AddCertIssuerSource(CertIssuerSource *cert_issuer_source); - // Gets the next candidate path, and fills it into |out_certs| and - // |out_last_cert_trust|. Note that the returned path is unverified and must + // Gets the next candidate path, and fills it into `out_certs` and + // `out_last_cert_trust`. Note that the returned path is unverified and must // still be run through a chain validator. If a candidate path could not be - // built, a partial path will be returned and |out_errors| will have an error + // built, a partial path will be returned and `out_errors` will have an error // added. // If the return value is true, GetNextPath may be called again to backtrack // and continue path building. Once all paths have been exhausted returns - // false. If deadline or iteration limit is exceeded, sets |out_certs| to the + // false. If deadline or iteration limit is exceeded, sets `out_certs` to the // current path being explored and returns false. bool GetNextPath(ParsedCertificateList *out_certs, TrustAnchor *out_last_cert_trust, CertPathErrors *out_errors, @@ -538,7 +538,7 @@ CertPathIter::CertPathIter(std::shared_ptr<const ParsedCertificate> cert, TrustStore *trust_store) : trust_store_(trust_store) { - // Initialize |next_issuer_| to the target certificate. + // Initialize `next_issuer_` to the target certificate. next_issuer_.cert = std::move(cert); next_issuer_.trust = TrustAnchor(trust_store_->GetTrust(next_issuer_.cert.get())); @@ -1068,8 +1068,8 @@ if (!out_result_.HasValidPath()) { const CertPathBuilderResultPath *old_best_path = out_result_.GetBestPathPossiblyInvalid(); - // If |result_path| is a valid path or if the previous best result did not - // end in a trust anchor but the |result_path| does, then update the best + // If `result_path` is a valid path or if the previous best result did not + // end in a trust anchor but the `result_path` does, then update the best // result to the new result. if (result_path->IsValid() || (!result_path->last_cert_trust.HasUnspecifiedTrust() && old_best_path &&
diff --git a/pki/path_builder_unittest.cc b/pki/path_builder_unittest.cc index 1be1598..ee1a852 100644 --- a/pki/path_builder_unittest.cc +++ b/pki/path_builder_unittest.cc
@@ -738,7 +738,7 @@ // building is expected to fail in this case. path_builder.SetIterationLimit(1); } else { - // The other tests in this file exercise the case that |SetIterationLimit| + // The other tests in this file exercise the case that `SetIterationLimit` // isn't called. Therefore set a sufficient limit for the path to be // found. path_builder.SetIterationLimit(5); @@ -924,7 +924,7 @@ // Therefore, building is expected to fail. path_builder.SetDepthLimit(2); } else { - // The other tests in this file exercise the case that |SetDepthLimit| + // The other tests in this file exercise the case that `SetDepthLimit` // isn't called. Therefore, set a sufficient limit for the path to be // found. path_builder.SetDepthLimit(5); @@ -1726,8 +1726,8 @@ TrustStoreInMemory trust_store; trust_store.AddTrustAnchor(newroot_); - // The oldintermediate is supplied synchronously by |sync_certs1| and - // another copy of oldintermediate is supplied synchronously by |sync_certs2|. + // The oldintermediate is supplied synchronously by `sync_certs1` and + // another copy of oldintermediate is supplied synchronously by `sync_certs2`. // The path target <- oldintermediate <- newroot should be built first, // though it won't verify. It should not be attempted again even though // oldintermediate was supplied twice. @@ -1796,7 +1796,7 @@ TrustStoreInMemory trust_store; trust_store.AddTrustAnchor(newroot_); - // The oldintermediate and newroot are supplied synchronously by |sync_certs|. + // The oldintermediate and newroot are supplied synchronously by `sync_certs`. CertIssuerSourceStatic sync_certs; sync_certs.AddCert(oldintermediate_); sync_certs.AddCert(newroot_dupe); @@ -2065,13 +2065,13 @@ ASSERT_EQ(3u, test_.chain.size()); } - // Runs the path builder for the target certificate while |distrusted_cert| is - // blocked, and |delegate| if non-null. + // Runs the path builder for the target certificate while `distrusted_cert` is + // blocked, and `delegate` if non-null. CertPathBuilder::Result RunPathBuilder( const std::shared_ptr<const ParsedCertificate> &distrusted_cert, CertPathBuilderDelegate *optional_delegate) { - // Set up the trust store such that |distrusted_cert| is blocked, and - // the root is trusted (except if it was |distrusted_cert|). + // Set up the trust store such that `distrusted_cert` is blocked, and + // the root is trusted (except if it was `distrusted_cert`). TrustStoreInMemory trust_store; if (distrusted_cert != test_.chain.back()) { trust_store.AddTrustAnchor(test_.chain.back()); @@ -2117,7 +2117,7 @@ PathBuilderDistrustTest() = default; protected: - // Runs the path builder for the target certificate while |distrusted_cert| is + // Runs the path builder for the target certificate while `distrusted_cert` is // blocked. CertPathBuilder::Result RunPathBuilderWithDistrustedCert( const std::shared_ptr<const ParsedCertificate> &distrusted_cert) { @@ -3047,8 +3047,8 @@ // Path builder should have built paths to both trusted roots. ASSERT_EQ(2U, result.paths.size()); - // |root1| should have been preferred because it is self-issued, even though - // the notBefore date is older than |root1_cross|. + // `root1` should have been preferred because it is self-issued, even though + // the notBefore date is older than `root1_cross`. EXPECT_TRUE(result.paths[0]->IsValid()); ASSERT_EQ(2U, result.paths[0]->certs.size()); EXPECT_EQ(target, result.paths[0]->certs[0]);
diff --git a/pki/path_builder_verify_certificate_chain_unittest.cc b/pki/path_builder_verify_certificate_chain_unittest.cc index 5313b2b..b15496a 100644 --- a/pki/path_builder_verify_certificate_chain_unittest.cc +++ b/pki/path_builder_verify_certificate_chain_unittest.cc
@@ -38,7 +38,7 @@ intermediate_cert_issuer_source.AddCert(test.chain[i]); } - // First cert in the |chain| is the target. + // First cert in the `chain` is the target. CertPathBuilder path_builder( test.chain.front(), &trust_store, &path_builder_delegate, test.time, test.key_purpose, test.initial_explicit_policy,
diff --git a/pki/pem.cc b/pki/pem.cc index c5f84bc..b70fc95 100644 --- a/pki/pem.cc +++ b/pki/pem.cc
@@ -111,7 +111,7 @@ } // If the block did not match any acceptable type, move past it and - // continue the search. Otherwise, |pos_| has been updated to the most + // continue the search. Otherwise, `pos_` has been updated to the most // appropriate search position to continue searching from and should not // be adjusted. if (it == block_types_.end()) {
diff --git a/pki/signature_algorithm.cc b/pki/signature_algorithm.cc index f81c922..715bfc2 100644 --- a/pki/signature_algorithm.cc +++ b/pki/signature_algorithm.cc
@@ -28,7 +28,7 @@ // These OIDs do not reference libcrypto's OBJ table, as that table is very // large and includes many more OIDs than we need. However, where OIDs are -// already in the table, we reuse the |OBJ_ENC_*| constants to avoid needing to +// already in the table, we reuse the `OBJ_ENC_*` constants to avoid needing to // specify them a second time. // From RFC 5912:
diff --git a/pki/simple_path_builder_delegate_unittest.cc b/pki/simple_path_builder_delegate_unittest.cc index 568cce6..cb61b6f 100644 --- a/pki/simple_path_builder_delegate_unittest.cc +++ b/pki/simple_path_builder_delegate_unittest.cc
@@ -34,7 +34,7 @@ namespace { -// Reads the public key and algorithm from the test data at |file_name|. +// Reads the public key and algorithm from the test data at `file_name`. void ReadTestCase(const char *file_name, SignatureAlgorithm *signature_algorithm, bssl::UniquePtr<EVP_PKEY> *public_key) {
diff --git a/pki/test_helpers.cc b/pki/test_helpers.cc index 3d7762f..ada0b86 100644 --- a/pki/test_helpers.cc +++ b/pki/test_helpers.cc
@@ -58,7 +58,7 @@ return true; } -// Returns a string containing the dotted numeric form of |oid|, or a +// Returns a string containing the dotted numeric form of `oid`, or a // hex-encoded string on error. std::string OidToString(der::Input oid) { CBS cbs; @@ -144,12 +144,12 @@ std::string file_data = ReadTestFileToString(file_path_ascii); // mappings_copy is used to keep track of which mappings have already been - // satisfied (by nulling the |value| field). This is used to track when + // satisfied (by nulling the `value` field). This is used to track when // blocks are multiply defined. std::vector<PemBlockMapping> mappings_copy(mappings, mappings + mappings_length); - // Build the |pem_headers| vector needed for PEMTokenzier. + // Build the `pem_headers` vector needed for PEMTokenzier. std::vector<std::string> pem_headers; for (const auto &mapping : mappings_copy) { pem_headers.push_back(mapping.block_name); @@ -288,7 +288,7 @@ // For details on the file format refer to: // net/data/verify_certificate_chain_unittest/README. if (GetValue("chain: ", line_piece, &value, &has_chain)) { - // Interpret the |chain| path as being relative to the .test file. + // Interpret the `chain` path as being relative to the .test file. size_t slash = file_path_ascii.rfind('/'); if (slash == std::string::npos) { ADD_FAILURE() << "Bad path - expecting slashes";
diff --git a/pki/trust_store.cc b/pki/trust_store.cc index 2119031..ac9af61 100644 --- a/pki/trust_store.cc +++ b/pki/trust_store.cc
@@ -279,7 +279,7 @@ // Section 5.2's note for initial experimentation also says to use UTF8String // to represent the attribute's value rather than RELATIVE-OID. - // Convert the relative OID |log_id| to a string. This can fail. + // Convert the relative OID `log_id` to a string. This can fail. CBS log_id_oid(log_id); bssl::UniquePtr<char> log_id_text(CBS_asn1_relative_oid_to_text(&log_id_oid)); if (!log_id_text) {
diff --git a/pki/verify.cc b/pki/verify.cc index 1ee57ff..1a03854 100644 --- a/pki/verify.cc +++ b/pki/verify.cc
@@ -48,7 +48,7 @@ std::optional<std::shared_ptr<const ParsedCertificate>> InternalParseCertificate(Span<const uint8_t> cert, std::string *out_diagnostic) { ParseCertificateOptions default_options{}; - // We follow Chromium in setting |allow_invalid_serial_numbers| in order to + // We follow Chromium in setting `allow_invalid_serial_numbers` in order to // not choke on 21-byte serial numbers, which are common. // // The reason for the discrepancy is that unsigned numbers with the high bit
diff --git a/pki/verify_certificate_chain.cc b/pki/verify_certificate_chain.cc index 82792d6..ddbc6c1 100644 --- a/pki/verify_certificate_chain.cc +++ b/pki/verify_certificate_chain.cc
@@ -90,7 +90,7 @@ return false; } -// Adds errors to |errors| if the certificate contains unconsumed _critical_ +// Adds errors to `errors` if the certificate contains unconsumed _critical_ // extensions. void VerifyNoUnconsumedCriticalExtensions(const ParsedCertificate &cert, CertErrors *errors, @@ -125,7 +125,7 @@ } } -// Returns true if |cert| was self-issued. The definition of self-issuance +// Returns true if `cert` was self-issued. The definition of self-issuance // comes from RFC 5280 section 6.1: // // A certificate is self-issued if the same DN appears in the subject @@ -140,7 +140,7 @@ return cert.normalized_subject() == cert.normalized_issuer(); } -// Adds errors to |errors| if |cert| is not valid at time |time|. +// Adds errors to `errors` if `cert` is not valid at time `time`. // // The certificate's validity requirements are described by RFC 5280 section // 4.1.2.5: @@ -158,7 +158,7 @@ } } -// Adds errors to |errors| if |cert| has internally inconsistent signature +// Adds errors to `errors` if `cert` has internally inconsistent signature // algorithms. // // X.509 certificates contain two different signature algorithms: @@ -218,7 +218,7 @@ return false; } -// Verify that |cert| can be used for |required_key_purpose|. +// Verify that `cert` can be used for `required_key_purpose`. void VerifyExtendedKeyUsage(const ParsedCertificate &cert, KeyPurpose required_key_purpose, CertErrors *errors, bool is_target_cert, bool is_target_cert_issuer) { @@ -600,7 +600,7 @@ // Gets the set of policies (in terms of root authority's policy domain) that // are valid at the bottom level of the policy graph, intersected with - // |user_initial_policy_set|. This is what X.509 calls + // `user_initial_policy_set`. This is what X.509 calls // "user-constrained-policy-set". // // This method may only be called once, after the policy graph is constructed. @@ -635,7 +635,7 @@ continue; } if (node.parent_policies.empty()) { - // |node|'s parent is anyPolicy, so this is in the root policy domain. + // `node`'s parent is anyPolicy, so this is in the root policy domain. // Add it to the set if it is also in user's list. if (user_has_any_policy || user_initial_policy_set.count(policy) > 0) { @@ -661,7 +661,7 @@ current_level_.has_any_policy = true; } - // Adds a node to the current level which is a child of |parent_policies| with + // Adds a node to the current level which is a child of `parent_policies` with // the specified policy. void AddNode(der::Input policy, std::vector<der::Input> parent_policies) { assert(policy != der::Input(kAnyPolicyOid)); @@ -675,7 +675,7 @@ AddNode(policy, {}); } - // Maps |issuer_policy| to |subject_policy|, as in RFC 5280, section 6.1.4, + // Maps `issuer_policy` to `subject_policy`, as in RFC 5280, section 6.1.4, // step b.1. void AddPolicyMapping(der::Input issuer_policy, der::Input subject_policy) { assert(issuer_policy != der::Input(kAnyPolicyOid)); @@ -684,7 +684,7 @@ return; } - // The mapping only applies if |issuer_policy| exists in the current level. + // The mapping only applies if `issuer_policy` exists in the current level. auto issuer_policy_iter = levels_.back().find(issuer_policy); if (issuer_policy_iter == levels_.back().end()) { // If there is no match, it can instead match anyPolicy. @@ -710,7 +710,7 @@ // in at StartLevel(). issuer_policy_iter->second.mapped = true; - // Add |subject_policy| to |issuer_policy|'s "expected_policy_set". + // Add `subject_policy` to `issuer_policy`'s "expected_policy_set". current_level_.expected_policy_map[subject_policy].push_back(issuer_policy); } @@ -781,7 +781,7 @@ bool *shortcircuit_chain_validation); // This function corresponds to RFC 5280 section 6.1.4's "Preparation for - // Certificate i+1" procedure. |cert| is expected to be an intermediate. + // Certificate i+1" procedure. `cert` is expected to be an intermediate. void PrepareForNextCertificate(const ParsedCertificate &cert, KeyPurpose key_purpose, CertErrors *errors); @@ -817,9 +817,9 @@ KeyPurpose required_key_purpose, CertErrors *errors); - // Parses |spki| to an EVP_PKEY and checks whether the public key is accepted - // by |delegate_|. On failure parsing returns nullptr. If either parsing the - // key or key policy failed, adds a high-severity error to |errors|. + // Parses `spki` to an EVP_PKEY and checks whether the public key is accepted + // by `delegate_`. On failure parsing returns nullptr. If either parsing the + // key or key policy failed, adds a high-severity error to `errors`. bssl::UniquePtr<EVP_PKEY> ParseAndCheckPublicKey(der::Input spki, CertErrors *errors); @@ -832,7 +832,7 @@ // excluded_subtrees state variables from RFC 5280. std::vector<const NameConstraints *> name_constraints_list_; - // |explicit_policy_| corresponds with the same named variable from RFC 5280 + // `explicit_policy_` corresponds with the same named variable from RFC 5280 // section 6.1.2: // // explicit_policy: an integer that indicates if a non-NULL @@ -845,7 +845,7 @@ // initial value is 0, otherwise the initial value is n+1. size_t explicit_policy_; - // |inhibit_any_policy_| corresponds with the same named variable from RFC + // `inhibit_any_policy_` corresponds with the same named variable from RFC // 5280 section 6.1.2: // // inhibit_anyPolicy: an integer that indicates whether the @@ -861,7 +861,7 @@ // initial value is n+1. size_t inhibit_any_policy_; - // |policy_mapping_| corresponds with the same named variable from RFC 5280 + // `policy_mapping_` corresponds with the same named variable from RFC 5280 // section 6.1.2: // // policy_mapping: an integer that indicates if policy mapping @@ -875,7 +875,7 @@ // otherwise the initial value is n+1. size_t policy_mapping_; - // |working_public_key_| is an amalgamation of 3 separate variables from RFC + // `working_public_key_` is an amalgamation of 3 separate variables from RFC // 5280: // * working_public_key // * working_public_key_algorithm @@ -883,30 +883,30 @@ // // They are combined for simplicity since the signature verification takes an // EVP_PKEY, and the parameter inheritance is not applicable for the supported - // key types. |working_public_key_| may be null if parsing failed. + // key types. `working_public_key_` may be null if parsing failed. // - // An approximate explanation of |working_public_key_| is this description + // An approximate explanation of `working_public_key_` is this description // from RFC 5280 section 6.1.2: // // working_public_key: the public key used to verify the // signature of a certificate. bssl::UniquePtr<EVP_PKEY> working_public_key_; - // |working_normalized_issuer_name_| is the normalized value of the + // `working_normalized_issuer_name_` is the normalized value of the // working_issuer_name variable in RFC 5280 section 6.1.2: // // working_issuer_name: the issuer distinguished name expected // in the next certificate in the chain. der::Input working_normalized_issuer_name_; - // |working_mtc_anchor_| is the trusted MTC Anchor that the chain-to-verify + // `working_mtc_anchor_` is the trusted MTC Anchor that the chain-to-verify // claims issued the next certificate in the chain, and should be used to - // verify that certificate. It is analogous to |working_public_key_|, except + // verify that certificate. It is analogous to `working_public_key_`, except // that MTCs don't have an EVP_PKEY that can be used to verify their // "signature" and instead have an MTCAnchor used for verification. const MTCAnchor *working_mtc_anchor_ = nullptr; - // |max_path_length_| corresponds with the same named variable in RFC 5280 + // `max_path_length_` corresponds with the same named variable in RFC 5280 // section 6.1.2. // // max_path_length: this integer is initialized to n, is @@ -1157,8 +1157,8 @@ // responsible for performing revocation checks. // Steps 5 and 4 are done in reverse order. Step 4 builds a value that gets - // embedded in step 5's MerkleTreeCertEntry |entry|, and then step 5 proceeds - // to prepend a value to |entry| and run all of that through a hash function. + // embedded in step 5's MerkleTreeCertEntry `entry`, and then step 5 proceeds + // to prepend a value to `entry` and run all of that through a hash function. // The input to the hash function is built up in a single buffer, which means // steps 5 and 4 are effectively done in reverse order. // @@ -1319,7 +1319,7 @@ } // Check the time range for the certificate's validity, ensuring it is valid - // at |time|. + // at `time`. // (RFC 5280 section 6.1.3 step a.2) VerifyTimeValidity(cert, time, errors); @@ -1373,8 +1373,8 @@ working_mtc_anchor_ = nullptr; // Note that steps e and f are omitted as they are handled by - // the assignment to |working_spki| above. See the definition - // of |working_spki|. + // the assignment to `working_spki` above. See the definition + // of `working_spki`. // From RFC 5280 section 6.1.4 step g: if (cert.has_name_constraints()) { @@ -1466,7 +1466,7 @@ } // Checks if the target certificate has the CA bit set. If it does, add -// the appropriate error or warning to |errors|. +// the appropriate error or warning to `errors`. void VerifyTargetCertIsNotCA(const ParsedCertificate &cert, KeyPurpose required_key_purpose, CertErrors *errors) { @@ -1583,7 +1583,7 @@ // policyConstraints and inhibitAnyPolicy extensions. ApplyPolicyConstraints(cert); - // If keyUsage is present, verify that |cert| has correct keyUsage bits for a + // If keyUsage is present, verify that `cert` has correct keyUsage bits for a // CA. This matches the handling for intermediates from RFC 5280 section // 6.1.4 step n. if (cert.has_key_usage() && @@ -1836,7 +1836,7 @@ for (size_t i = 0; i < certs.size(); ++i) { const size_t index_into_certs = certs.size() - i - 1; - // |is_target_cert| is true if the current certificate is the target + // `is_target_cert` is true if the current certificate is the target // certificate being verified. The target certificate isn't necessarily an // end-entity certificate. const bool is_target_cert = index_into_certs == 0;
diff --git a/pki/verify_name_match.cc b/pki/verify_name_match.cc index 5ede414..3e0a68e 100644 --- a/pki/verify_name_match.cc +++ b/pki/verify_name_match.cc
@@ -38,7 +38,7 @@ ENFORCE_ASCII, }; -// Normalizes |output|, a UTF-8 encoded string, as if it contained +// Normalizes `output`, a UTF-8 encoded string, as if it contained // only ASCII characters. // // This could be considered a partial subset of RFC 5280 rules, and @@ -49,7 +49,7 @@ // profile of RFC 4518, with case folding and whitespace compression. // However, because it is optional for 2459/3280 implementations and because // it's desirable to avoid the size cost of the StringPrep tables, -// this function treats |output| as if it was composed of ASCII. +// this function treats `output` as if it was composed of ASCII. // // That is, rather than folding all whitespace characters, it only // folds ' '. Rather than case folding using locale-aware handling, @@ -60,10 +60,10 @@ // required by RFC 3280), and is sufficient for those certificates // publicly deployed. // -// If |charset_enforcement| is not NO_ENFORCEMENT and |output| contains any +// If `charset_enforcement` is not NO_ENFORCEMENT and `output` contains any // characters not allowed in the specified charset, returns false. // -// NOTE: |output| will be modified regardless of the return. +// NOTE: `output` will be modified regardless of the return. [[nodiscard]] bool NormalizeDirectoryString( CharsetEnforcement charset_enforcement, std::string *output) { // Normalized version will always be equal or shorter than input. @@ -117,14 +117,14 @@ return true; } -// Converts the value of X509NameAttribute |attribute| to UTF-8, normalizes it, -// and stores in |output|. The type of |attribute| must be one of the types for +// Converts the value of X509NameAttribute `attribute` to UTF-8, normalizes it, +// and stores in `output`. The type of `attribute` must be one of the types for // which IsNormalizableDirectoryString is true. // -// If the value of |attribute| can be normalized, returns true and sets -// |output| to the case folded, normalized value. If the value of |attribute| +// If the value of `attribute` can be normalized, returns true and sets +// `output` to the case folded, normalized value. If the value of `attribute` // is invalid, returns false. -// NOTE: |output| will be modified regardless of the return. +// NOTE: `output` will be modified regardless of the return. [[nodiscard]] bool NormalizeValue(X509NameAttribute attribute, std::string *output, CertErrors *errors) { BSSL_CHECK(errors); @@ -162,7 +162,7 @@ return success; } -// Returns true if |tag| is a string type that NormalizeValue can handle. +// Returns true if `tag` is a string type that NormalizeValue can handle. bool IsNormalizableDirectoryString(CBS_ASN1_TAG tag) { switch (tag) { case CBS_ASN1_PRINTABLESTRING: @@ -183,7 +183,7 @@ } } -// Returns true if the value of X509NameAttribute |a| matches |b|. +// Returns true if the value of X509NameAttribute `a` matches `b`. bool VerifyValueMatch(X509NameAttribute a, X509NameAttribute b) { if (IsNormalizableDirectoryString(a.value_tag) && IsNormalizableDirectoryString(b.value_tag)) { @@ -204,9 +204,9 @@ return a.value == b.value; } -// Verifies that |a_parser| and |b_parser| are the same length and that every -// AttributeTypeAndValue in |a_parser| has a matching AttributeTypeAndValue in -// |b_parser|. +// Verifies that `a_parser` and `b_parser` are the same length and that every +// AttributeTypeAndValue in `a_parser` has a matching AttributeTypeAndValue in +// `b_parser`. bool VerifyRdnMatch(der::Parser *a_parser, der::Parser *b_parser) { RelativeDistinguishedName a_type_and_values, b_type_and_values; if (!ReadRdn(a_parser, &a_type_and_values) || @@ -243,8 +243,8 @@ b_type_and_values.erase(b_iter); } - // Every element in |a_type_and_values| had a matching element in - // |b_type_and_values|. + // Every element in `a_type_and_values` had a matching element in + // `b_type_and_values`. return true; } @@ -253,12 +253,12 @@ SUBTREE_MATCH, }; -// Verify that |a| matches |b|. If |match_type| is EXACT_MATCH, returns true if -// they are an exact match as defined by RFC 5280 7.1. If |match_type| is -// SUBTREE_MATCH, returns true if |a| is within the subtree defined by |b| as +// Verify that `a` matches `b`. If `match_type` is EXACT_MATCH, returns true if +// they are an exact match as defined by RFC 5280 7.1. If `match_type` is +// SUBTREE_MATCH, returns true if `a` is within the subtree defined by `b` as // defined by RFC 5280 7.1. // -// |a| and |b| are ASN.1 RDNSequence values (not including the Sequence tag), +// `a` and `b` are ASN.1 RDNSequence values (not including the Sequence tag), // defined in RFC 5280 section 4.1.2.4: // // Name ::= CHOICE { -- only one possibility for now -- @@ -299,7 +299,7 @@ return false; } - // Verify that RDNs in |a| and |b| match. + // Verify that RDNs in `a` and `b` match. der::Parser a_rdn_sequence(a); der::Parser b_rdn_sequence(b); while (a_rdn_sequence.HasMore() && b_rdn_sequence.HasMore()) {
diff --git a/pki/verify_name_match_unittest.cc b/pki/verify_name_match_unittest.cc index b461154..8d1f462 100644 --- a/pki/verify_name_match_unittest.cc +++ b/pki/verify_name_match_unittest.cc
@@ -25,10 +25,10 @@ namespace { // Loads test data from file. The filename is constructed from the parameters: -// |prefix| describes the type of data being tested, e.g. "ascii", +// `prefix` describes the type of data being tested, e.g. "ascii", // "unicode_bmp", "unicode_supplementary", and "invalid". -// |value_type| indicates what ASN.1 type is used to encode the data. -// |suffix| indicates any additional modifications, such as caseswapping, +// `value_type` indicates what ASN.1 type is used to encode the data. +// `suffix` indicates any additional modifications, such as caseswapping, // whitespace adding, etc. ::testing::AssertionResult LoadTestData(const std::string &prefix, const std::string &value_type, @@ -556,7 +556,7 @@ ASSERT_TRUE(LoadTestData("ascii", "PRINTABLESTRING", "unmangled", &valid)); std::string invalid; ASSERT_TRUE(LoadTestData("invalid", "RDN", "empty", &invalid)); - // For both |name| and |parent|, a RelativeDistinguishedName must have at + // For both `name` and `parent`, a RelativeDistinguishedName must have at // least one AttributeTypeAndValue. EXPECT_FALSE(VerifyNameInSubtree(SequenceValueFromString(valid), SequenceValueFromString(invalid)));
diff --git a/pki/verify_signed_data.cc b/pki/verify_signed_data.cc index 8ef58b8..d698fb3 100644 --- a/pki/verify_signed_data.cc +++ b/pki/verify_signed_data.cc
@@ -286,7 +286,7 @@ OpenSSLErrStackTracer err_tracer; bssl::ScopedEVP_MD_CTX ctx; - EVP_PKEY_CTX *pctx = nullptr; // Owned by |ctx|. + EVP_PKEY_CTX *pctx = nullptr; // Owned by `ctx`. if (!EVP_DigestVerifyInit(ctx.get(), &pctx, digest, nullptr, public_key)) { return false;
diff --git a/pki/verify_signed_data_unittest.cc b/pki/verify_signed_data_unittest.cc index 76234aa..f321928 100644 --- a/pki/verify_signed_data_unittest.cc +++ b/pki/verify_signed_data_unittest.cc
@@ -39,7 +39,7 @@ FAILURE, }; -// Reads test data from |file_name| and runs VerifySignedData() over its +// Reads test data from `file_name` and runs VerifySignedData() over its // inputs. // // If expected_result was SUCCESS then the test will only succeed if
diff --git a/pki/verify_unittest.cc b/pki/verify_unittest.cc index b5b30a4..31205a3 100644 --- a/pki/verify_unittest.cc +++ b/pki/verify_unittest.cc
@@ -140,7 +140,7 @@ opts.leaf_cert = leaf; opts.intermediates = {intermediate1, intermediate2}; opts.time = 1499727444; - // Set the |max_path_building_depth| explicitly to test the non-default case. + // Set the `max_path_building_depth` explicitly to test the non-default case. // Depth of 5 is enough to successfully find a path. opts.max_path_building_depth = 5; std::unique_ptr<VerifyTrustStore> roots = MozillaRootStore(); @@ -254,12 +254,12 @@ std::string leaf_b_; std::string leaf_c_; - // the trusted subtree for [8, 13) that is used in |generic_cert_|, - // |bitflip_cert_|. + // the trusted subtree for [8, 13) that is used in `generic_cert_`, + // `bitflip_cert_`. TrustedSubtree generic_cert_subtree_; - // Subtree for |leaf_b_| which overlaps with |generic_cert_subtree_|. + // Subtree for `leaf_b_` which overlaps with `generic_cert_subtree_`. TrustedSubtree leaf_b_subtree_; - // Subtree for |leaf_c_| which does not overlap with any other subtrees. + // Subtree for `leaf_c_` which does not overlap with any other subtrees. TrustedSubtree leaf_c_subtree_; // Relative OID encoding of 32473.1, the log ID used for the MTC Anchor that @@ -270,7 +270,7 @@ TEST_F(VerifyMTCTest, SignaturelessMTC) { // Configure the trust store to trust the MTC anchor with the landmark subtree - // for |generic_cert_|. + // for `generic_cert_`. std::unique_ptr<VerifyTrustStore> trust_store = EmptyTrustStore(); std::vector<TrustedSubtree> trusted_subtrees = {generic_cert_subtree_}; auto mtc_anchor = std::make_shared<MTCAnchor>(MakeSpan(kAnchorLogId), @@ -284,7 +284,7 @@ } TEST_F(VerifyMTCTest, ExplicitlyTrustedLeaf) { - // Configure the trust store to directly trust the |generic_cert_| leaf. + // Configure the trust store to directly trust the `generic_cert_` leaf. std::unique_ptr<VerifyTrustStore> trust_store = EmptyTrustStore(); trust_store->trust_store->AddCertificate(CertFromString(generic_cert_), CertificateTrust::ForTrustedLeaf()); @@ -296,7 +296,7 @@ } TEST_F(VerifyMTCTest, ExplicitlyDistrustedLeaf) { - // Configure the trust store to trust the MTC anchor for |generic_cert_|, but + // Configure the trust store to trust the MTC anchor for `generic_cert_`, but // also to explicitly distrust that leaf. std::unique_ptr<VerifyTrustStore> trust_store = EmptyTrustStore(); trust_store->trust_store->AddCertificate(CertFromString(generic_cert_), @@ -344,7 +344,7 @@ } TEST_F(VerifyMTCTest, WrongLogID) { - // Trust the correct subtree for |generic_cert_| but with the wrong log ID. + // Trust the correct subtree for `generic_cert_` but with the wrong log ID. // Verifying the cert should fail because even though the proof evaluates to a // valid hash, the hash is for the wrong issuer. std::unique_ptr<VerifyTrustStore> trust_store = EmptyTrustStore(); @@ -362,7 +362,7 @@ TEST_F(VerifyMTCTest, ExpiredMTC) { // Configure the trust store to trust the MTC anchor with the landmark subtree - // for |generic_cert_|. + // for `generic_cert_`. std::unique_ptr<VerifyTrustStore> trust_store = EmptyTrustStore(); std::vector<TrustedSubtree> trusted_subtrees = {generic_cert_subtree_}; auto mtc_anchor = std::make_shared<MTCAnchor>(MakeSpan(kAnchorLogId), @@ -400,7 +400,7 @@ TEST_F(VerifyMTCTest, BadMTCAnchorHash) { // Test that an MTC isn't trusted if the MTCAnchor's TrustedSubtree has the // wrong hash. Configure the trust store to trust the MTC anchor with the - // landmark subtree for |generic_cert_|. + // landmark subtree for `generic_cert_`. std::unique_ptr<VerifyTrustStore> trust_store = EmptyTrustStore(); std::vector<TrustedSubtree> trusted_subtrees = {generic_cert_subtree_}; trusted_subtrees[0].hash[0] ^= 1;