Clang-format all of pki.
Before making further changes. This pass is without
InsertBraces, will follow up with InsertBraces
for separate review
Bug: 659
Change-Id: Ie311dcd932aec5f98c16573f9326b1918a639adf
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/64067
Commit-Queue: David Benjamin <davidben@google.com>
Auto-Submit: Bob Beck <bbe@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
diff --git a/pki/asn1_util.cc b/pki/asn1_util.cc
index 148c39d..4e34412 100644
--- a/pki/asn1_util.cc
+++ b/pki/asn1_util.cc
@@ -4,10 +4,10 @@
#include "asn1_util.h"
-#include "parse_certificate.h"
-#include "input.h"
-#include "parser.h"
#include <optional>
+#include "input.h"
+#include "parse_certificate.h"
+#include "parser.h"
namespace bssl::asn1 {
@@ -17,7 +17,7 @@
// sets |*tbs_certificate| ready to parse the Subject. If parsing
// fails, this function returns false and |*tbs_certificate| is left in an
// undefined state.
-bool SeekToSubject(der::Input in, der::Parser* tbs_certificate) {
+bool SeekToSubject(der::Input in, der::Parser *tbs_certificate) {
// From RFC 5280, section 4.1
// Certificate ::= SEQUENCE {
// tbsCertificate TBSCertificate,
@@ -71,7 +71,7 @@
// sets |*tbs_certificate| ready to parse the SubjectPublicKeyInfo. If parsing
// fails, this function returns false and |*tbs_certificate| is left in an
// undefined state.
-bool SeekToSPKI(der::Input in, der::Parser* tbs_certificate) {
+bool SeekToSPKI(der::Input in, der::Parser *tbs_certificate) {
return SeekToSubject(in, tbs_certificate) &&
// Skip over Subject.
tbs_certificate->SkipTag(der::kSequence);
@@ -85,9 +85,8 @@
// ready to parse the Extensions. If extensions are not present, it sets
// |*extensions_present| to false and |*extensions_parser| is left in an
// undefined state.
-bool SeekToExtensions(der::Input in,
- bool* extensions_present,
- der::Parser* extensions_parser) {
+bool SeekToExtensions(der::Input in, bool *extensions_present,
+ der::Parser *extensions_parser) {
bool present;
der::Parser tbs_cert_parser;
if (!SeekToSPKI(in, &tbs_cert_parser))
@@ -150,10 +149,9 @@
// successful. |*out_extension_present| will be true iff the extension was
// found. In the case where it was found, |*out_extension| will describe the
// extension, or is undefined on parse error or if the extension is missing.
-bool ExtractExtensionWithOID(std::string_view cert,
- der::Input extension_oid,
- bool* out_extension_present,
- ParsedExtension* out_extension) {
+bool ExtractExtensionWithOID(std::string_view cert, der::Input extension_oid,
+ bool *out_extension_present,
+ ParsedExtension *out_extension) {
der::Parser extensions;
bool extensions_present;
if (!SeekToExtensions(der::Input(cert), &extensions_present, &extensions))
@@ -183,7 +181,7 @@
} // namespace
bool ExtractSubjectFromDERCert(std::string_view cert,
- std::string_view* subject_out) {
+ std::string_view *subject_out) {
der::Parser parser;
if (!SeekToSubject(der::Input(cert), &parser))
return false;
@@ -194,8 +192,7 @@
return true;
}
-bool ExtractSPKIFromDERCert(std::string_view cert,
- std::string_view* spki_out) {
+bool ExtractSPKIFromDERCert(std::string_view cert, std::string_view *spki_out) {
der::Parser parser;
if (!SeekToSPKI(der::Input(cert), &parser))
return false;
@@ -207,7 +204,7 @@
}
bool ExtractSubjectPublicKeyFromSPKI(std::string_view spki,
- std::string_view* spk_out) {
+ std::string_view *spk_out) {
// From RFC 5280, Section 4.1
// SubjectPublicKeyInfo ::= SEQUENCE {
// algorithm AlgorithmIdentifier,
@@ -256,9 +253,8 @@
}
bool ExtractSignatureAlgorithmsFromDERCert(
- std::string_view cert,
- std::string_view* cert_signature_algorithm_sequence,
- std::string_view* tbs_signature_algorithm_sequence) {
+ std::string_view cert, std::string_view *cert_signature_algorithm_sequence,
+ std::string_view *tbs_signature_algorithm_sequence) {
// From RFC 5280, section 4.1
// Certificate ::= SEQUENCE {
// tbsCertificate TBSCertificate,
@@ -309,9 +305,9 @@
bool ExtractExtensionFromDERCert(std::string_view cert,
std::string_view extension_oid,
- bool* out_extension_present,
- bool* out_extension_critical,
- std::string_view* out_contents) {
+ bool *out_extension_present,
+ bool *out_extension_critical,
+ std::string_view *out_contents) {
*out_extension_present = false;
*out_extension_critical = false;
*out_contents = std::string_view();
diff --git a/pki/asn1_util.h b/pki/asn1_util.h
index af0b176..365c6ed 100644
--- a/pki/asn1_util.h
+++ b/pki/asn1_util.h
@@ -5,8 +5,8 @@
#ifndef BSSL_PKI_ASN1_UTIL_H_
#define BSSL_PKI_ASN1_UTIL_H_
-#include "fillins/openssl_util.h"
#include <string_view>
+#include "fillins/openssl_util.h"
@@ -15,29 +15,28 @@
// ExtractSubjectFromDERCert parses the DER encoded certificate in |cert| and
// extracts the bytes of the X.501 Subject. On successful return, |subject_out|
// is set to contain the Subject, pointing into |cert|.
-OPENSSL_EXPORT bool ExtractSubjectFromDERCert(
- std::string_view cert,
- std::string_view* subject_out);
+OPENSSL_EXPORT bool ExtractSubjectFromDERCert(std::string_view cert,
+ std::string_view *subject_out);
// ExtractSPKIFromDERCert parses the DER encoded certificate in |cert| and
// extracts the bytes of the SubjectPublicKeyInfo. On successful return,
// |spki_out| is set to contain the SPKI, pointing into |cert|.
OPENSSL_EXPORT bool ExtractSPKIFromDERCert(std::string_view cert,
- std::string_view* spki_out);
+ std::string_view *spki_out);
// ExtractSubjectPublicKeyFromSPKI parses the DER encoded SubjectPublicKeyInfo
// in |spki| and extracts the bytes of the SubjectPublicKey. On successful
// return, |spk_out| is set to contain the public key, pointing into |spki|.
-OPENSSL_EXPORT bool ExtractSubjectPublicKeyFromSPKI(
- std::string_view spki,
- std::string_view* spk_out);
+OPENSSL_EXPORT bool ExtractSubjectPublicKeyFromSPKI(std::string_view spki,
+ std::string_view *spk_out);
// HasCanSignHttpExchangesDraftExtension parses the DER encoded certificate
// in |cert| and extracts the canSignHttpExchangesDraft extension
// (https://wicg.github.io/webpackage/draft-yasskin-http-origin-signed-responses.html)
// if present. Returns true if the extension was present, and false if
// the extension was not present or if there was a parsing failure.
-OPENSSL_EXPORT bool HasCanSignHttpExchangesDraftExtension(std::string_view cert);
+OPENSSL_EXPORT bool HasCanSignHttpExchangesDraftExtension(
+ std::string_view cert);
// Extracts the two (SEQUENCE) tag-length-values for the signature
// AlgorithmIdentifiers in a DER encoded certificate. Does not use strict
@@ -52,9 +51,8 @@
// * |tbs_signature_algorithm_sequence| points at the TLV for
// TBSCertificate.algorithm.
OPENSSL_EXPORT bool ExtractSignatureAlgorithmsFromDERCert(
- std::string_view cert,
- std::string_view* cert_signature_algorithm_sequence,
- std::string_view* tbs_signature_algorithm_sequence);
+ std::string_view cert, std::string_view *cert_signature_algorithm_sequence,
+ std::string_view *tbs_signature_algorithm_sequence);
// Extracts the contents of the extension (if any) with OID |extension_oid| from
// the DER-encoded, X.509 certificate in |cert|.
@@ -65,11 +63,11 @@
// sets |*out_contents| to the contents of the extension (after unwrapping the
// OCTET STRING).
OPENSSL_EXPORT bool ExtractExtensionFromDERCert(std::string_view cert,
- std::string_view extension_oid,
- bool* out_extension_present,
- bool* out_extension_critical,
- std::string_view* out_contents);
+ std::string_view extension_oid,
+ bool *out_extension_present,
+ bool *out_extension_critical,
+ std::string_view *out_contents);
} // namespace bssl::asn1
-#endif // BSSL_PKI_ASN1_UTIL_H_
+#endif // BSSL_PKI_ASN1_UTIL_H_
diff --git a/pki/cert_error_id.cc b/pki/cert_error_id.cc
index 9d83ed2..81add1d 100644
--- a/pki/cert_error_id.cc
+++ b/pki/cert_error_id.cc
@@ -6,9 +6,9 @@
namespace bssl {
-const char* CertErrorIdToDebugString(CertErrorId id) {
+const char *CertErrorIdToDebugString(CertErrorId id) {
// The CertErrorId is simply a pointer for a C-string literal.
- return reinterpret_cast<const char*>(id);
+ return reinterpret_cast<const char *>(id);
}
-} // namespace net
+} // namespace bssl
diff --git a/pki/cert_error_id.h b/pki/cert_error_id.h
index e77154b..a9d7b54 100644
--- a/pki/cert_error_id.h
+++ b/pki/cert_error_id.h
@@ -18,7 +18,7 @@
// Equality of CertErrorId can be done using the == operator.
//
// To define new error IDs use the macro DEFINE_CERT_ERROR_ID().
-using CertErrorId = const void*;
+using CertErrorId = const void *;
// DEFINE_CERT_ERROR_ID() creates a CertErrorId given a non-null C-string
// literal. The string should be a textual name for the error which will appear
@@ -31,8 +31,8 @@
// Returns a debug string for a CertErrorId. In practice this returns the
// string literal given to DEFINE_CERT_ERROR_ID(), which is human-readable.
-OPENSSL_EXPORT const char* CertErrorIdToDebugString(CertErrorId id);
+OPENSSL_EXPORT const char *CertErrorIdToDebugString(CertErrorId id);
-} // namespace net
+} // namespace bssl
#endif // BSSL_PKI_CERT_ERROR_ID_H_
diff --git a/pki/cert_error_params.cc b/pki/cert_error_params.cc
index a454cd7..5d45aa8 100644
--- a/pki/cert_error_params.cc
+++ b/pki/cert_error_params.cc
@@ -2,14 +2,14 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#include "fillins/openssl_util.h"
#include "cert_error_params.h"
+#include "fillins/openssl_util.h"
#include <memory>
-#include "string_util.h"
-#include "input.h"
#include <openssl/base.h>
+#include "input.h"
+#include "string_util.h"
namespace bssl {
@@ -19,17 +19,15 @@
// blobs. It makes a copy of the der::Inputs.
class CertErrorParams2Der : public CertErrorParams {
public:
- CertErrorParams2Der(const char* name1,
- const der::Input& der1,
- const char* name2,
- const der::Input& der2)
+ CertErrorParams2Der(const char *name1, const der::Input &der1,
+ const char *name2, const der::Input &der2)
: name1_(name1),
der1_(der1.AsString()),
name2_(name2),
der2_(der2.AsString()) {}
- CertErrorParams2Der(const CertErrorParams2Der&) = delete;
- CertErrorParams2Der& operator=(const CertErrorParams2Der&) = delete;
+ CertErrorParams2Der(const CertErrorParams2Der &) = delete;
+ CertErrorParams2Der &operator=(const CertErrorParams2Der &) = delete;
std::string ToDebugString() const override {
std::string result;
@@ -42,30 +40,29 @@
}
private:
- static void AppendDer(const char* name,
- const std::string& der,
- std::string* out) {
+ static void AppendDer(const char *name, const std::string &der,
+ std::string *out) {
*out += name;
*out +=
": " + bssl::string_util::HexEncode(
- reinterpret_cast<const uint8_t*>(der.data()), der.size());
+ reinterpret_cast<const uint8_t *>(der.data()), der.size());
}
- const char* name1_;
+ const char *name1_;
std::string der1_;
- const char* name2_;
+ const char *name2_;
std::string der2_;
};
// Parameters subclass for describing (and pretty-printing) a single size_t.
class CertErrorParams1SizeT : public CertErrorParams {
public:
- CertErrorParams1SizeT(const char* name, size_t value)
+ CertErrorParams1SizeT(const char *name, size_t value)
: name_(name), value_(value) {}
- CertErrorParams1SizeT(const CertErrorParams1SizeT&) = delete;
- CertErrorParams1SizeT& operator=(const CertErrorParams1SizeT&) = delete;
+ CertErrorParams1SizeT(const CertErrorParams1SizeT &) = delete;
+ CertErrorParams1SizeT &operator=(const CertErrorParams1SizeT &) = delete;
std::string ToDebugString() const override {
return name_ + std::string(": ") +
@@ -73,7 +70,7 @@
}
private:
- const char* name_;
+ const char *name_;
size_t value_;
};
@@ -81,25 +78,24 @@
// values.
class CertErrorParams2SizeT : public CertErrorParams {
public:
- CertErrorParams2SizeT(const char* name1,
- size_t value1,
- const char* name2,
+ CertErrorParams2SizeT(const char *name1, size_t value1, const char *name2,
size_t value2)
: name1_(name1), value1_(value1), name2_(name2), value2_(value2) {}
- CertErrorParams2SizeT(const CertErrorParams2SizeT&) = delete;
- CertErrorParams2SizeT& operator=(const CertErrorParams2SizeT&) = delete;
+ CertErrorParams2SizeT(const CertErrorParams2SizeT &) = delete;
+ CertErrorParams2SizeT &operator=(const CertErrorParams2SizeT &) = delete;
std::string ToDebugString() const override {
return name1_ + std::string(": ") +
bssl::string_util::NumberToDecimalString(value1_) + "\n" + name2_ +
- std::string(": ") + bssl::string_util::NumberToDecimalString(value2_);
+ std::string(": ") +
+ bssl::string_util::NumberToDecimalString(value2_);
}
private:
- const char* name1_;
+ const char *name1_;
size_t value1_;
- const char* name2_;
+ const char *name2_;
size_t value2_;
};
@@ -109,37 +105,31 @@
CertErrorParams::~CertErrorParams() = default;
std::unique_ptr<CertErrorParams> CreateCertErrorParams1Der(
- const char* name,
- const der::Input& der) {
+ const char *name, const der::Input &der) {
BSSL_CHECK(name);
return std::make_unique<CertErrorParams2Der>(name, der, nullptr,
der::Input());
}
std::unique_ptr<CertErrorParams> CreateCertErrorParams2Der(
- const char* name1,
- const der::Input& der1,
- const char* name2,
- const der::Input& der2) {
+ const char *name1, const der::Input &der1, const char *name2,
+ const der::Input &der2) {
BSSL_CHECK(name1);
BSSL_CHECK(name2);
return std::make_unique<CertErrorParams2Der>(name1, der1, name2, der2);
}
-std::unique_ptr<CertErrorParams> CreateCertErrorParams1SizeT(const char* name,
+std::unique_ptr<CertErrorParams> CreateCertErrorParams1SizeT(const char *name,
size_t value) {
BSSL_CHECK(name);
return std::make_unique<CertErrorParams1SizeT>(name, value);
}
OPENSSL_EXPORT std::unique_ptr<CertErrorParams> CreateCertErrorParams2SizeT(
- const char* name1,
- size_t value1,
- const char* name2,
- size_t value2) {
+ const char *name1, size_t value1, const char *name2, size_t value2) {
BSSL_CHECK(name1);
BSSL_CHECK(name2);
return std::make_unique<CertErrorParams2SizeT>(name1, value1, name2, value2);
}
-} // namespace net
+} // namespace bssl
diff --git a/pki/cert_error_params.h b/pki/cert_error_params.h
index f13c943..5a2e9dc 100644
--- a/pki/cert_error_params.h
+++ b/pki/cert_error_params.h
@@ -5,9 +5,9 @@
#ifndef BSSL_PKI_CERT_ERROR_PARAMS_H_
#define BSSL_PKI_CERT_ERROR_PARAMS_H_
-#include "fillins/openssl_util.h"
#include <memory>
#include <string>
+#include "fillins/openssl_util.h"
@@ -27,8 +27,8 @@
public:
CertErrorParams();
- CertErrorParams(const CertErrorParams&) = delete;
- CertErrorParams& operator=(const CertErrorParams&) = delete;
+ CertErrorParams(const CertErrorParams &) = delete;
+ CertErrorParams &operator=(const CertErrorParams &) = delete;
virtual ~CertErrorParams();
@@ -40,29 +40,22 @@
// Creates a parameter object that holds a copy of |der|, and names it |name|
// in debug string outputs.
OPENSSL_EXPORT std::unique_ptr<CertErrorParams> CreateCertErrorParams1Der(
- const char* name,
- const der::Input& der);
+ const char *name, const der::Input &der);
// Same as CreateCertErrorParams1Der() but has a second DER blob.
OPENSSL_EXPORT std::unique_ptr<CertErrorParams> CreateCertErrorParams2Der(
- const char* name1,
- const der::Input& der1,
- const char* name2,
- const der::Input& der2);
+ const char *name1, const der::Input &der1, const char *name2,
+ const der::Input &der2);
// Creates a parameter object that holds a single size_t value. |name| is used
// when pretty-printing the parameters.
OPENSSL_EXPORT std::unique_ptr<CertErrorParams> CreateCertErrorParams1SizeT(
- const char* name,
- size_t value);
+ const char *name, size_t value);
// Same as CreateCertErrorParams1SizeT() but has a second size_t.
OPENSSL_EXPORT std::unique_ptr<CertErrorParams> CreateCertErrorParams2SizeT(
- const char* name1,
- size_t value1,
- const char* name2,
- size_t value2);
+ const char *name1, size_t value1, const char *name2, size_t value2);
-} // namespace net
+} // namespace bssl
#endif // BSSL_PKI_CERT_ERROR_PARAMS_H_
diff --git a/pki/cert_errors.cc b/pki/cert_errors.cc
index 12376b9..80f28d0 100644
--- a/pki/cert_errors.cc
+++ b/pki/cert_errors.cc
@@ -14,9 +14,9 @@
namespace {
-void AppendLinesWithIndentation(const std::string& text,
- const std::string& indentation,
- std::string* out) {
+void AppendLinesWithIndentation(const std::string &text,
+ const std::string &indentation,
+ std::string *out) {
std::istringstream stream(text);
for (std::string line; std::getline(stream, line, '\n');) {
out->append(indentation);
@@ -29,14 +29,13 @@
CertError::CertError() = default;
-CertError::CertError(Severity in_severity,
- CertErrorId in_id,
+CertError::CertError(Severity in_severity, CertErrorId in_id,
std::unique_ptr<CertErrorParams> in_params)
: severity(in_severity), id(in_id), params(std::move(in_params)) {}
-CertError::CertError(CertError&& other) = default;
+CertError::CertError(CertError &&other) = default;
-CertError& CertError::operator=(CertError&&) = default;
+CertError &CertError::operator=(CertError &&) = default;
CertError::~CertError() = default;
@@ -60,12 +59,11 @@
}
CertErrors::CertErrors() = default;
-CertErrors::CertErrors(CertErrors&& other) = default;
-CertErrors& CertErrors::operator=(CertErrors&&) = default;
+CertErrors::CertErrors(CertErrors &&other) = default;
+CertErrors &CertErrors::operator=(CertErrors &&) = default;
CertErrors::~CertErrors() = default;
-void CertErrors::Add(CertError::Severity severity,
- CertErrorId id,
+void CertErrors::Add(CertError::Severity severity, CertErrorId id,
std::unique_ptr<CertErrorParams> params) {
nodes_.emplace_back(severity, id, std::move(params));
}
@@ -75,29 +73,25 @@
Add(CertError::SEVERITY_HIGH, id, std::move(params));
}
-void CertErrors::AddError(CertErrorId id) {
- AddError(id, nullptr);
-}
+void CertErrors::AddError(CertErrorId id) { AddError(id, nullptr); }
void CertErrors::AddWarning(CertErrorId id,
std::unique_ptr<CertErrorParams> params) {
Add(CertError::SEVERITY_WARNING, id, std::move(params));
}
-void CertErrors::AddWarning(CertErrorId id) {
- AddWarning(id, nullptr);
-}
+void CertErrors::AddWarning(CertErrorId id) { AddWarning(id, nullptr); }
std::string CertErrors::ToDebugString() const {
std::string result;
- for (const CertError& node : nodes_)
+ for (const CertError &node : nodes_)
result += node.ToDebugString();
return result;
}
bool CertErrors::ContainsError(CertErrorId id) const {
- for (const CertError& node : nodes_) {
+ for (const CertError &node : nodes_) {
if (node.id == id)
return true;
}
@@ -106,7 +100,7 @@
bool CertErrors::ContainsAnyErrorWithSeverity(
CertError::Severity severity) const {
- for (const CertError& node : nodes_) {
+ for (const CertError &node : nodes_) {
if (node.severity == severity)
return true;
}
@@ -115,29 +109,27 @@
CertPathErrors::CertPathErrors() = default;
-CertPathErrors::CertPathErrors(CertPathErrors&& other) = default;
-CertPathErrors& CertPathErrors::operator=(CertPathErrors&&) = default;
+CertPathErrors::CertPathErrors(CertPathErrors &&other) = default;
+CertPathErrors &CertPathErrors::operator=(CertPathErrors &&) = default;
CertPathErrors::~CertPathErrors() = default;
-CertErrors* CertPathErrors::GetErrorsForCert(size_t cert_index) {
+CertErrors *CertPathErrors::GetErrorsForCert(size_t cert_index) {
if (cert_index >= cert_errors_.size())
cert_errors_.resize(cert_index + 1);
return &cert_errors_[cert_index];
}
-const CertErrors* CertPathErrors::GetErrorsForCert(size_t cert_index) const {
+const CertErrors *CertPathErrors::GetErrorsForCert(size_t cert_index) const {
if (cert_index >= cert_errors_.size())
return nullptr;
return &cert_errors_[cert_index];
}
-CertErrors* CertPathErrors::GetOtherErrors() {
- return &other_errors_;
-}
+CertErrors *CertPathErrors::GetOtherErrors() { return &other_errors_; }
bool CertPathErrors::ContainsError(CertErrorId id) const {
- for (const CertErrors& errors : cert_errors_) {
+ for (const CertErrors &errors : cert_errors_) {
if (errors.ContainsError(id))
return true;
}
@@ -150,7 +142,7 @@
bool CertPathErrors::ContainsAnyErrorWithSeverity(
CertError::Severity severity) const {
- for (const CertErrors& errors : cert_errors_) {
+ for (const CertErrors &errors : cert_errors_) {
if (errors.ContainsAnyErrorWithSeverity(severity))
return true;
}
@@ -162,13 +154,13 @@
}
std::string CertPathErrors::ToDebugString(
- const ParsedCertificateList& certs) const {
+ const ParsedCertificateList &certs) const {
std::ostringstream result;
for (size_t i = 0; i < cert_errors_.size(); ++i) {
// Pretty print the current CertErrors. If there were no errors/warnings,
// then continue.
- const CertErrors& errors = cert_errors_[i];
+ const CertErrors &errors = cert_errors_[i];
std::string cert_errors_string = errors.ToDebugString();
if (cert_errors_string.empty())
continue;
@@ -198,4 +190,4 @@
return result.str();
}
-} // namespace net
+} // namespace bssl
diff --git a/pki/cert_errors.h b/pki/cert_errors.h
index 68977f8..daaf01f 100644
--- a/pki/cert_errors.h
+++ b/pki/cert_errors.h
@@ -66,11 +66,10 @@
};
CertError();
- CertError(Severity severity,
- CertErrorId id,
+ CertError(Severity severity, CertErrorId id,
std::unique_ptr<CertErrorParams> params);
- CertError(CertError&& other);
- CertError& operator=(CertError&&);
+ CertError(CertError &&other);
+ CertError &operator=(CertError &&);
~CertError();
// Pretty-prints the error and its parameters.
@@ -86,13 +85,12 @@
class OPENSSL_EXPORT CertErrors {
public:
CertErrors();
- CertErrors(CertErrors&& other);
- CertErrors& operator=(CertErrors&&);
+ CertErrors(CertErrors &&other);
+ CertErrors &operator=(CertErrors &&);
~CertErrors();
// Adds an error/warning. |params| may be null.
- void Add(CertError::Severity severity,
- CertErrorId id,
+ void Add(CertError::Severity severity, CertErrorId id,
std::unique_ptr<CertErrorParams> params);
// Adds a high severity error.
@@ -123,24 +121,24 @@
class OPENSSL_EXPORT CertPathErrors {
public:
CertPathErrors();
- CertPathErrors(CertPathErrors&& other);
- CertPathErrors& operator=(CertPathErrors&&);
+ CertPathErrors(CertPathErrors &&other);
+ CertPathErrors &operator=(CertPathErrors &&);
~CertPathErrors();
// Gets a bucket to put errors in for |cert_index|. This will lookup and
// return the existing error bucket if one exists, or create a new one for the
// specified index. It is expected that |cert_index| is the corresponding
// index in a certificate chain (with 0 being the target).
- CertErrors* GetErrorsForCert(size_t cert_index);
+ CertErrors *GetErrorsForCert(size_t cert_index);
// Const version of the above, with the difference that if there is no
// existing bucket for |cert_index| returns nullptr rather than lazyily
// creating one.
- const CertErrors* GetErrorsForCert(size_t cert_index) const;
+ const CertErrors *GetErrorsForCert(size_t cert_index) const;
// Returns a bucket to put errors that are not associated with a particular
// certificate.
- CertErrors* GetOtherErrors();
+ CertErrors *GetOtherErrors();
// Returns true if CertPathErrors contains the specified error (of any
// severity).
@@ -156,13 +154,13 @@
// Pretty-prints all the errors in the CertPathErrors. If there were no
// errors/warnings, returns an empty string.
- std::string ToDebugString(const ParsedCertificateList& certs) const;
+ std::string ToDebugString(const ParsedCertificateList &certs) const;
private:
std::vector<CertErrors> cert_errors_;
CertErrors other_errors_;
};
-} // namespace net
+} // namespace bssl
#endif // BSSL_PKI_CERT_ERRORS_H_
diff --git a/pki/cert_issuer_source.h b/pki/cert_issuer_source.h
index ba37d45..47d4b87 100644
--- a/pki/cert_issuer_source.h
+++ b/pki/cert_issuer_source.h
@@ -5,9 +5,9 @@
#ifndef BSSL_PKI_CERT_ISSUER_SOURCE_H_
#define BSSL_PKI_CERT_ISSUER_SOURCE_H_
-#include "fillins/openssl_util.h"
#include <memory>
#include <vector>
+#include "fillins/openssl_util.h"
#include "parsed_certificate.h"
@@ -27,8 +27,8 @@
public:
Request() = default;
- Request(const Request&) = delete;
- Request& operator=(const Request&) = delete;
+ Request(const Request &) = delete;
+ Request &operator=(const Request &) = delete;
// Destruction of the Request cancels it.
virtual ~Request() = default;
@@ -40,7 +40,7 @@
// If no issuers are left then |issuers| will not be modified. This
// indicates that the issuers have been exhausted and GetNext() should
// not be called again.
- virtual void GetNext(ParsedCertificateList* issuers) = 0;
+ virtual void GetNext(ParsedCertificateList *issuers) = 0;
};
virtual ~CertIssuerSource() = default;
@@ -49,8 +49,8 @@
// Matches are appended to |issuers|. Any existing contents of |issuers| will
// not be modified. If the implementation does not support synchronous
// lookups, or if there are no matches, |issuers| is not modified.
- virtual void SyncGetIssuersOf(const ParsedCertificate* cert,
- ParsedCertificateList* issuers) = 0;
+ virtual void SyncGetIssuersOf(const ParsedCertificate *cert,
+ ParsedCertificateList *issuers) = 0;
// Finds certificates whose Subject matches |cert|'s Issuer.
// If the implementation does not support asynchronous lookups or can
@@ -59,10 +59,10 @@
//
// Otherwise a request is started and saved to |out_req|. The results can be
// read through the Request interface.
- virtual void AsyncGetIssuersOf(const ParsedCertificate* cert,
- std::unique_ptr<Request>* out_req) = 0;
+ virtual void AsyncGetIssuersOf(const ParsedCertificate *cert,
+ std::unique_ptr<Request> *out_req) = 0;
};
-} // namespace net
+} // namespace bssl
#endif // BSSL_PKI_CERT_ISSUER_SOURCE_H_
diff --git a/pki/cert_issuer_source_static.cc b/pki/cert_issuer_source_static.cc
index ea4be67..9d395d3 100644
--- a/pki/cert_issuer_source_static.cc
+++ b/pki/cert_issuer_source_static.cc
@@ -15,12 +15,10 @@
cert->normalized_subject().AsStringView(), std::move(cert)));
}
-void CertIssuerSourceStatic::Clear() {
- intermediates_.clear();
-}
+void CertIssuerSourceStatic::Clear() { intermediates_.clear(); }
-void CertIssuerSourceStatic::SyncGetIssuersOf(const ParsedCertificate* cert,
- ParsedCertificateList* issuers) {
+void CertIssuerSourceStatic::SyncGetIssuersOf(const ParsedCertificate *cert,
+ ParsedCertificateList *issuers) {
auto range =
intermediates_.equal_range(cert->normalized_issuer().AsStringView());
for (auto it = range.first; it != range.second; ++it)
@@ -28,10 +26,9 @@
}
void CertIssuerSourceStatic::AsyncGetIssuersOf(
- const ParsedCertificate* cert,
- std::unique_ptr<Request>* out_req) {
+ const ParsedCertificate *cert, std::unique_ptr<Request> *out_req) {
// CertIssuerSourceStatic never returns asynchronous results.
out_req->reset();
}
-} // namespace net
+} // namespace bssl
diff --git a/pki/cert_issuer_source_static.h b/pki/cert_issuer_source_static.h
index 11be846..2ab138a 100644
--- a/pki/cert_issuer_source_static.h
+++ b/pki/cert_issuer_source_static.h
@@ -5,8 +5,8 @@
#ifndef BSSL_PKI_CERT_ISSUER_SOURCE_STATIC_H_
#define BSSL_PKI_CERT_ISSUER_SOURCE_STATIC_H_
-#include "fillins/openssl_util.h"
#include <unordered_map>
+#include "fillins/openssl_util.h"
#include "cert_issuer_source.h"
@@ -18,8 +18,8 @@
public:
CertIssuerSourceStatic();
- CertIssuerSourceStatic(const CertIssuerSourceStatic&) = delete;
- CertIssuerSourceStatic& operator=(const CertIssuerSourceStatic&) = delete;
+ CertIssuerSourceStatic(const CertIssuerSourceStatic &) = delete;
+ CertIssuerSourceStatic &operator=(const CertIssuerSourceStatic &) = delete;
~CertIssuerSourceStatic() override;
@@ -33,10 +33,10 @@
size_t size() const { return intermediates_.size(); }
// CertIssuerSource implementation:
- void SyncGetIssuersOf(const ParsedCertificate* cert,
- ParsedCertificateList* issuers) override;
- void AsyncGetIssuersOf(const ParsedCertificate* cert,
- std::unique_ptr<Request>* out_req) override;
+ void SyncGetIssuersOf(const ParsedCertificate *cert,
+ ParsedCertificateList *issuers) override;
+ void AsyncGetIssuersOf(const ParsedCertificate *cert,
+ std::unique_ptr<Request> *out_req) override;
private:
// The certificates that the CertIssuerSourceStatic can return, keyed on the
@@ -46,6 +46,6 @@
intermediates_;
};
-} // namespace net
+} // namespace bssl
#endif // BSSL_PKI_CERT_ISSUER_SOURCE_STATIC_H_
diff --git a/pki/cert_issuer_source_static_unittest.cc b/pki/cert_issuer_source_static_unittest.cc
index b745968..36f809a 100644
--- a/pki/cert_issuer_source_static_unittest.cc
+++ b/pki/cert_issuer_source_static_unittest.cc
@@ -4,9 +4,9 @@
#include "cert_issuer_source_static.h"
+#include <gtest/gtest.h>
#include "cert_issuer_source_sync_unittest.h"
#include "parsed_certificate.h"
-#include <gtest/gtest.h>
namespace bssl {
@@ -18,7 +18,7 @@
source_.AddCert(std::move(cert));
}
- CertIssuerSource& source() { return source_; }
+ CertIssuerSource &source() { return source_; }
protected:
CertIssuerSourceStatic source_;
@@ -37,4 +37,4 @@
} // namespace
-} // namespace net
+} // namespace bssl
diff --git a/pki/cert_issuer_source_sync_unittest.h b/pki/cert_issuer_source_sync_unittest.h
index ef5ef0b..12b44e7 100644
--- a/pki/cert_issuer_source_sync_unittest.h
+++ b/pki/cert_issuer_source_sync_unittest.h
@@ -7,19 +7,19 @@
#include <algorithm>
+#include <gtest/gtest.h>
+#include <openssl/pool.h>
#include "cert_errors.h"
#include "cert_issuer_source.h"
#include "test_helpers.h"
-#include <gtest/gtest.h>
-#include <openssl/pool.h>
namespace bssl {
namespace {
-::testing::AssertionResult ReadTestPem(const std::string& file_name,
- const std::string& block_name,
- std::string* result) {
+::testing::AssertionResult ReadTestPem(const std::string &file_name,
+ const std::string &block_name,
+ std::string *result) {
const PemBlockMapping mappings[] = {
{block_name.c_str(), result},
};
@@ -28,8 +28,8 @@
}
::testing::AssertionResult ReadTestCert(
- const std::string& file_name,
- std::shared_ptr<const ParsedCertificate>* result) {
+ const std::string &file_name,
+ std::shared_ptr<const ParsedCertificate> *result) {
std::string der;
::testing::AssertionResult r =
ReadTestPem("testdata/cert_issuer_source_static_unittest/" + file_name,
@@ -39,7 +39,7 @@
CertErrors errors;
*result = ParsedCertificate::Create(
bssl::UniquePtr<CRYPTO_BUFFER>(CRYPTO_BUFFER_new(
- reinterpret_cast<const uint8_t*>(der.data()), der.size(), nullptr)),
+ reinterpret_cast<const uint8_t *>(der.data()), der.size(), nullptr)),
{}, &errors);
if (!*result) {
return ::testing::AssertionFailure()
@@ -86,7 +86,7 @@
AddCert(e2_);
}
- CertIssuerSource& source() { return delegate_.source(); }
+ CertIssuerSource &source() { return delegate_.source(); }
protected:
bool IssuersMatch(std::shared_ptr<const ParsedCertificate> cert,
@@ -95,12 +95,12 @@
source().SyncGetIssuersOf(cert.get(), &matches);
std::vector<der::Input> der_result_matches;
- for (const auto& it : matches)
+ for (const auto &it : matches)
der_result_matches.push_back(it->der_cert());
std::sort(der_result_matches.begin(), der_result_matches.end());
std::vector<der::Input> der_expected_matches;
- for (const auto& it : expected_matches)
+ for (const auto &it : expected_matches)
der_expected_matches.push_back(it->der_cert());
std::sort(der_expected_matches.begin(), der_expected_matches.end());
@@ -168,12 +168,8 @@
// These are all the tests that should have the same result with or without
// normalization.
-REGISTER_TYPED_TEST_SUITE_P(CertIssuerSourceSyncTest,
- NoMatch,
- OneMatch,
- MultipleMatches,
- SelfIssued,
- IsNotAsync);
+REGISTER_TYPED_TEST_SUITE_P(CertIssuerSourceSyncTest, NoMatch, OneMatch,
+ MultipleMatches, SelfIssued, IsNotAsync);
template <typename TestDelegate>
class CertIssuerSourceSyncNormalizationTest
@@ -211,6 +207,6 @@
REGISTER_TYPED_TEST_SUITE_P(CertIssuerSourceSyncNotNormalizedTest,
OneMatchWithoutNormalization);
-} // namespace net
+} // namespace bssl
#endif // BSSL_PKI_CERT_ISSUER_SOURCE_SYNC_UNITTEST_H_
diff --git a/pki/cert_status_flags.h b/pki/cert_status_flags.h
index 9f7d979..cd66547 100644
--- a/pki/cert_status_flags.h
+++ b/pki/cert_status_flags.h
@@ -5,8 +5,8 @@
#ifndef BSSL_PKI_CERT_STATUS_FLAGS_H_
#define BSSL_PKI_CERT_STATUS_FLAGS_H_
-#include "fillins/openssl_util.h"
#include <stdint.h>
+#include "fillins/openssl_util.h"
@@ -20,7 +20,7 @@
// MACRO_STYLE for continuity, instead of renaming them to kConstantStyle as
// befits most static consts.
#define CERT_STATUS_FLAG(label, value) \
- CertStatus static const CERT_STATUS_##label = value;
+ CertStatus static const CERT_STATUS_##label = value;
#include "cert_status_flags_list.h"
#undef CERT_STATUS_FLAG
@@ -33,17 +33,17 @@
// Maps a network error code to the equivalent certificate status flag. If
// the error code is not a certificate error, it is mapped to 0.
-// Note: It is not safe to go bssl::CertStatus -> bssl::Error -> bssl::CertStatus,
-// as the CertStatus contains more information. Conversely, going from
-// bssl::Error -> bssl::CertStatus -> bssl::Error is not a lossy function, for the
-// same reason.
-// To avoid incorrect use, this is only exported for unittest helpers.
+// Note: It is not safe to go bssl::CertStatus -> bssl::Error ->
+// bssl::CertStatus, as the CertStatus contains more information. Conversely,
+// going from bssl::Error -> bssl::CertStatus -> bssl::Error is not a lossy
+// function, for the same reason. To avoid incorrect use, this is only exported
+// for unittest helpers.
OPENSSL_EXPORT CertStatus MapNetErrorToCertStatus(int error);
// Maps the most serious certificate error in the certificate status flags
// to the equivalent network error code.
OPENSSL_EXPORT int MapCertStatusToNetError(CertStatus cert_status);
-} // namespace net
+} // namespace bssl
#endif // BSSL_PKI_CERT_STATUS_FLAGS_H_
diff --git a/pki/certificate_policies.cc b/pki/certificate_policies.cc
index 3716a4b..69de164 100644
--- a/pki/certificate_policies.cc
+++ b/pki/certificate_policies.cc
@@ -6,13 +6,13 @@
#include "certificate_policies.h"
+#include <openssl/base.h>
#include "cert_error_params.h"
#include "cert_errors.h"
#include "input.h"
#include "parse_values.h"
#include "parser.h"
#include "tag.h"
-#include <openssl/base.h>
namespace bssl {
@@ -41,9 +41,9 @@
// If a policy qualifier other than User Notice/CPS is present, parsing
// will fail if |restrict_to_known_qualifiers| was set to true.
bool ParsePolicyQualifiers(bool restrict_to_known_qualifiers,
- der::Parser* policy_qualifiers_sequence_parser,
- std::vector<PolicyQualifierInfo>* policy_qualifiers,
- CertErrors* errors) {
+ der::Parser *policy_qualifiers_sequence_parser,
+ std::vector<PolicyQualifierInfo> *policy_qualifiers,
+ CertErrors *errors) {
BSSL_CHECK(errors);
// If it is present, the policyQualifiers sequence should have at least 1
@@ -128,11 +128,9 @@
// bmpString BMPString (SIZE (1..200)),
// utf8String UTF8String (SIZE (1..200)) }
bool ParseCertificatePoliciesExtensionImpl(
- const der::Input& extension_value,
- bool fail_parsing_unknown_qualifier_oids,
- std::vector<der::Input>* policy_oids,
- std::vector<PolicyInformation>* policy_informations,
- CertErrors* errors) {
+ const der::Input &extension_value, bool fail_parsing_unknown_qualifier_oids,
+ std::vector<der::Input> *policy_oids,
+ std::vector<PolicyInformation> *policy_informations, CertErrors *errors) {
BSSL_CHECK(policy_oids);
BSSL_CHECK(errors);
// certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
@@ -165,7 +163,7 @@
policy_oids->push_back(policy_oid);
- std::vector<PolicyQualifierInfo>* policy_qualifiers = nullptr;
+ std::vector<PolicyQualifierInfo> *policy_qualifiers = nullptr;
if (policy_informations) {
policy_informations->emplace_back();
policy_informations->back().policy_oid = policy_oid;
@@ -218,12 +216,12 @@
PolicyInformation::PolicyInformation() = default;
PolicyInformation::~PolicyInformation() = default;
-PolicyInformation::PolicyInformation(const PolicyInformation&) = default;
-PolicyInformation::PolicyInformation(PolicyInformation&&) = default;
+PolicyInformation::PolicyInformation(const PolicyInformation &) = default;
+PolicyInformation::PolicyInformation(PolicyInformation &&) = default;
-bool ParseCertificatePoliciesExtension(const der::Input& extension_value,
- std::vector<PolicyInformation>* policies,
- CertErrors* errors) {
+bool ParseCertificatePoliciesExtension(const der::Input &extension_value,
+ std::vector<PolicyInformation> *policies,
+ CertErrors *errors) {
std::vector<der::Input> unused_policy_oids;
return ParseCertificatePoliciesExtensionImpl(
extension_value, /*fail_parsing_unknown_qualifier_oids=*/false,
@@ -231,10 +229,8 @@
}
bool ParseCertificatePoliciesExtensionOids(
- const der::Input& extension_value,
- bool fail_parsing_unknown_qualifier_oids,
- std::vector<der::Input>* policy_oids,
- CertErrors* errors) {
+ const der::Input &extension_value, bool fail_parsing_unknown_qualifier_oids,
+ std::vector<der::Input> *policy_oids, CertErrors *errors) {
return ParseCertificatePoliciesExtensionImpl(
extension_value, fail_parsing_unknown_qualifier_oids, policy_oids,
nullptr, errors);
@@ -247,8 +243,8 @@
// inhibitPolicyMapping [1] SkipCerts OPTIONAL }
//
// SkipCerts ::= INTEGER (0..MAX)
-bool ParsePolicyConstraints(const der::Input& policy_constraints_tlv,
- ParsedPolicyConstraints* out) {
+bool ParsePolicyConstraints(const der::Input &policy_constraints_tlv,
+ ParsedPolicyConstraints *out) {
der::Parser parser(policy_constraints_tlv);
// PolicyConstraints ::= SEQUENCE {
@@ -311,7 +307,7 @@
//
// SkipCerts ::= INTEGER (0..MAX)
std::optional<uint8_t> ParseInhibitAnyPolicy(
- const der::Input& inhibit_any_policy_tlv) {
+ const der::Input &inhibit_any_policy_tlv) {
der::Parser parser(inhibit_any_policy_tlv);
std::optional<uint8_t> num_certs = std::make_optional<uint8_t>();
@@ -333,8 +329,8 @@
// PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
// issuerDomainPolicy CertPolicyId,
// subjectDomainPolicy CertPolicyId }
-bool ParsePolicyMappings(const der::Input& policy_mappings_tlv,
- std::vector<ParsedPolicyMapping>* mappings) {
+bool ParsePolicyMappings(const der::Input &policy_mappings_tlv,
+ std::vector<ParsedPolicyMapping> *mappings) {
mappings->clear();
der::Parser parser(policy_mappings_tlv);
@@ -373,4 +369,4 @@
return true;
}
-} // namespace net
+} // namespace bssl
diff --git a/pki/certificate_policies.h b/pki/certificate_policies.h
index 73f39b7..340ed63 100644
--- a/pki/certificate_policies.h
+++ b/pki/certificate_policies.h
@@ -5,14 +5,14 @@
#ifndef BSSL_PKI_CERTIFICATE_POLICIES_H_
#define BSSL_PKI_CERTIFICATE_POLICIES_H_
-#include "fillins/openssl_util.h"
#include <stdint.h>
+#include "fillins/openssl_util.h"
#include <vector>
-#include "input.h"
#include <optional>
+#include "input.h"
namespace bssl {
@@ -59,8 +59,8 @@
struct OPENSSL_EXPORT PolicyInformation {
PolicyInformation();
~PolicyInformation();
- PolicyInformation(const PolicyInformation&);
- PolicyInformation(PolicyInformation&&);
+ PolicyInformation(const PolicyInformation &);
+ PolicyInformation(PolicyInformation &&);
der::Input policy_oid;
std::vector<PolicyQualifierInfo> policy_qualifiers;
@@ -75,9 +75,8 @@
// The values in |policies| are only valid as long as |extension_value| is (as
// it references data).
OPENSSL_EXPORT bool ParseCertificatePoliciesExtension(
- const der::Input& extension_value,
- std::vector<PolicyInformation>* policies,
- CertErrors* errors);
+ const der::Input &extension_value, std::vector<PolicyInformation> *policies,
+ CertErrors *errors);
// Parses a certificatePolicies extension and stores the policy OIDs in
// |*policy_oids|, in sorted order.
@@ -97,10 +96,8 @@
// The values in |policy_oids| are only valid as long as |extension_value| is
// (as it references data).
OPENSSL_EXPORT bool ParseCertificatePoliciesExtensionOids(
- const der::Input& extension_value,
- bool fail_parsing_unknown_qualifier_oids,
- std::vector<der::Input>* policy_oids,
- CertErrors* errors);
+ const der::Input &extension_value, bool fail_parsing_unknown_qualifier_oids,
+ std::vector<der::Input> *policy_oids, CertErrors *errors);
struct ParsedPolicyConstraints {
std::optional<uint8_t> require_explicit_policy;
@@ -111,13 +108,12 @@
// Parses a PolicyConstraints SEQUENCE as defined by RFC 5280. Returns true on
// success, and sets |out|.
[[nodiscard]] OPENSSL_EXPORT bool ParsePolicyConstraints(
- const der::Input& policy_constraints_tlv,
- ParsedPolicyConstraints* out);
+ const der::Input &policy_constraints_tlv, ParsedPolicyConstraints *out);
// Parses an InhibitAnyPolicy as defined by RFC 5280. Returns num certs on
// success, or empty if parser fails.
[[nodiscard]] OPENSSL_EXPORT std::optional<uint8_t> ParseInhibitAnyPolicy(
- const der::Input& inhibit_any_policy_tlv);
+ const der::Input &inhibit_any_policy_tlv);
struct ParsedPolicyMapping {
der::Input issuer_domain_policy;
@@ -127,9 +123,9 @@
// Parses a PolicyMappings SEQUENCE as defined by RFC 5280. Returns true on
// success, and sets |mappings|.
[[nodiscard]] OPENSSL_EXPORT bool ParsePolicyMappings(
- const der::Input& policy_mappings_tlv,
- std::vector<ParsedPolicyMapping>* mappings);
+ const der::Input &policy_mappings_tlv,
+ std::vector<ParsedPolicyMapping> *mappings);
-} // namespace net
+} // namespace bssl
#endif // BSSL_PKI_CERTIFICATE_POLICIES_H_
diff --git a/pki/certificate_policies_unittest.cc b/pki/certificate_policies_unittest.cc
index fcf10b8..9458659 100644
--- a/pki/certificate_policies_unittest.cc
+++ b/pki/certificate_policies_unittest.cc
@@ -4,16 +4,16 @@
#include "certificate_policies.h"
-#include "test_helpers.h"
+#include <gtest/gtest.h>
#include "input.h"
#include "parser.h"
-#include <gtest/gtest.h>
+#include "test_helpers.h"
namespace bssl {
namespace {
-::testing::AssertionResult LoadTestData(const std::string& name,
- std::string* result) {
+::testing::AssertionResult LoadTestData(const std::string &name,
+ std::string *result) {
std::string path = "testdata/certificate_policies_unittest/" + name;
const PemBlockMapping mappings[] = {
@@ -34,8 +34,7 @@
// Run the tests with all possible values for
// |fail_parsing_unknown_qualifier_oids|.
-INSTANTIATE_TEST_SUITE_P(All,
- ParseCertificatePoliciesExtensionOidsTest,
+INSTANTIATE_TEST_SUITE_P(All, ParseCertificatePoliciesExtensionOidsTest,
testing::Bool());
TEST_P(ParseCertificatePoliciesExtensionOidsTest, InvalidEmpty) {
@@ -237,11 +236,11 @@
EXPECT_TRUE(
ParseCertificatePoliciesExtension(der::Input(der), &policies, &errors));
ASSERT_EQ(1U, policies.size());
- PolicyInformation& policy = policies[0];
+ PolicyInformation &policy = policies[0];
EXPECT_EQ(der::Input(policy_1_2_3_der), policy.policy_oid);
ASSERT_EQ(1U, policy.policy_qualifiers.size());
- PolicyQualifierInfo& qualifier = policy.policy_qualifiers[0];
+ PolicyQualifierInfo &qualifier = policy.policy_qualifiers[0];
// 1.2.3.4
const uint8_t kExpectedQualifierOid[] = {0x2a, 0x03, 0x04};
EXPECT_EQ(der::Input(kExpectedQualifierOid), qualifier.qualifier_oid);
@@ -259,12 +258,12 @@
ParseCertificatePoliciesExtension(der::Input(der), &policies, &errors));
ASSERT_EQ(2U, policies.size());
{
- PolicyInformation& policy = policies[0];
+ PolicyInformation &policy = policies[0];
EXPECT_EQ(der::Input(policy_1_2_3_der), policy.policy_oid);
EXPECT_EQ(0U, policy.policy_qualifiers.size());
}
{
- PolicyInformation& policy = policies[1];
+ PolicyInformation &policy = policies[1];
EXPECT_EQ(der::Input(policy_1_2_4_der), policy.policy_oid);
EXPECT_EQ(0U, policy.policy_qualifiers.size());
}
@@ -279,10 +278,10 @@
ParseCertificatePoliciesExtension(der::Input(der), &policies, &errors));
ASSERT_EQ(2U, policies.size());
{
- PolicyInformation& policy = policies[0];
+ PolicyInformation &policy = policies[0];
EXPECT_EQ(der::Input(policy_1_2_3_der), policy.policy_oid);
ASSERT_EQ(1U, policy.policy_qualifiers.size());
- PolicyQualifierInfo& qualifier = policy.policy_qualifiers[0];
+ PolicyQualifierInfo &qualifier = policy.policy_qualifiers[0];
EXPECT_EQ(der::Input(kCpsPointerId), qualifier.qualifier_oid);
// IA5String { "https://example.com/1_2_3" }
const uint8_t kExpectedQualifier[] = {
@@ -292,10 +291,10 @@
EXPECT_EQ(der::Input(kExpectedQualifier), qualifier.qualifier);
}
{
- PolicyInformation& policy = policies[1];
+ PolicyInformation &policy = policies[1];
EXPECT_EQ(der::Input(policy_1_2_4_der), policy.policy_oid);
ASSERT_EQ(1U, policy.policy_qualifiers.size());
- PolicyQualifierInfo& qualifier = policy.policy_qualifiers[0];
+ PolicyQualifierInfo &qualifier = policy.policy_qualifiers[0];
EXPECT_EQ(der::Input(kCpsPointerId), qualifier.qualifier_oid);
// IA5String { "http://example.com/1_2_4" }
const uint8_t kExpectedQualifier[] = {
@@ -310,4 +309,4 @@
// parsed_certificate_unittest.cc
} // namespace
-} // namespace net
+} // namespace bssl
diff --git a/pki/crl.cc b/pki/crl.cc
index dbd1ca1..2ac7948 100644
--- a/pki/crl.cc
+++ b/pki/crl.cc
@@ -9,14 +9,14 @@
#include "cert_errors.h"
#include "crl.h"
-#include "revocation_util.h"
-#include "signature_algorithm.h"
-#include "verify_name_match.h"
-#include "verify_signed_data.h"
#include "input.h"
#include "parse_values.h"
#include "parser.h"
+#include "revocation_util.h"
+#include "signature_algorithm.h"
#include "tag.h"
+#include "verify_name_match.h"
+#include "verify_signed_data.h"
namespace bssl {
@@ -26,8 +26,8 @@
// In dotted notation: 2.5.29.28
inline constexpr uint8_t kIssuingDistributionPointOid[] = {0x55, 0x1d, 0x1c};
-[[nodiscard]] bool NormalizeNameTLV(const der::Input& name_tlv,
- std::string* out_normalized_name) {
+[[nodiscard]] bool NormalizeNameTLV(const der::Input &name_tlv,
+ std::string *out_normalized_name) {
der::Parser parser(name_tlv);
der::Input name_rdn;
bssl::CertErrors unused_errors;
@@ -48,10 +48,10 @@
} // namespace
-bool ParseCrlCertificateList(const der::Input& crl_tlv,
- der::Input* out_tbs_cert_list_tlv,
- der::Input* out_signature_algorithm_tlv,
- der::BitString* out_signature_value) {
+bool ParseCrlCertificateList(const der::Input &crl_tlv,
+ der::Input *out_tbs_cert_list_tlv,
+ der::Input *out_signature_algorithm_tlv,
+ der::BitString *out_signature_value) {
der::Parser parser(crl_tlv);
// CertificateList ::= SEQUENCE {
@@ -86,7 +86,7 @@
return true;
}
-bool ParseCrlTbsCertList(const der::Input& tbs_tlv, ParsedCrlTbsCertList* out) {
+bool ParseCrlTbsCertList(const der::Input &tbs_tlv, ParsedCrlTbsCertList *out) {
der::Parser parser(tbs_tlv);
// TBSCertList ::= SEQUENCE {
@@ -179,9 +179,9 @@
}
bool ParseIssuingDistributionPoint(
- const der::Input& extension_value,
- std::unique_ptr<GeneralNames>* out_distribution_point_names,
- ContainedCertsType* out_only_contains_cert_type) {
+ const der::Input &extension_value,
+ std::unique_ptr<GeneralNames> *out_distribution_point_names,
+ ContainedCertsType *out_only_contains_cert_type) {
der::Parser idp_extension_value_parser(extension_value);
// IssuingDistributionPoint ::= SEQUENCE {
der::Parser idp_parser;
@@ -278,9 +278,8 @@
}
CRLRevocationStatus GetCRLStatusForCert(
- const der::Input& cert_serial,
- CrlVersion crl_version,
- const std::optional<der::Input>& revoked_certificates_tlv) {
+ const der::Input &cert_serial, CrlVersion crl_version,
+ const std::optional<der::Input> &revoked_certificates_tlv) {
if (!revoked_certificates_tlv.has_value()) {
// RFC 5280 Section 5.1.2.6: "When there are no revoked certificates, the
// revoked certificates list MUST be absent."
@@ -340,7 +339,7 @@
// RFC 5280 Section 5.3: "If a CRL contains a critical CRL entry
// extension that the application cannot process, then the application
// MUST NOT use that CRL to determine the status of any certificates."
- for (const auto& ext : extensions) {
+ for (const auto &ext : extensions) {
if (ext.second.critical)
return CRLRevocationStatus::UNKNOWN;
}
@@ -367,9 +366,9 @@
ParsedCrlTbsCertList::~ParsedCrlTbsCertList() = default;
CRLRevocationStatus CheckCRL(std::string_view raw_crl,
- const ParsedCertificateList& valid_chain,
+ const ParsedCertificateList &valid_chain,
size_t target_cert_index,
- const ParsedDistributionPoint& cert_dp,
+ const ParsedDistributionPoint &cert_dp,
int64_t verify_time_epoch_seconds,
std::optional<int64_t> max_age_seconds) {
BSSL_CHECK(target_cert_index < valid_chain.size());
@@ -385,7 +384,7 @@
return CRLRevocationStatus::UNKNOWN;
}
- const ParsedCertificate* target_cert = valid_chain[target_cert_index].get();
+ const ParsedCertificate *target_cert = valid_chain[target_cert_index].get();
// 6.3.3 (a) Update the local CRL cache by obtaining a complete CRL, a
// delta CRL, or both, as required.
@@ -558,7 +557,7 @@
}
}
- for (const auto& ext : extensions) {
+ for (const auto &ext : extensions) {
// Fail if any unhandled critical CRL extensions are present.
if (ext.second.critical)
return CRLRevocationStatus::UNKNOWN;
@@ -578,7 +577,7 @@
// PKITS 4.5.3 to pass when it seems like it would not be intended to (since
// issuingDistributionPoint CRL extension is not handled).
for (size_t i = target_cert_index + 1; i < valid_chain.size(); ++i) {
- const ParsedCertificate* issuer_cert = valid_chain[i].get();
+ const ParsedCertificate *issuer_cert = valid_chain[i].get();
// 6.3.3 (f) Obtain and validate the certification path for the issuer of
// the complete CRL. The trust anchor for the certification
@@ -628,4 +627,4 @@
return CRLRevocationStatus::UNKNOWN;
}
-} // namespace net
+} // namespace bssl
diff --git a/pki/crl.h b/pki/crl.h
index f58eeae..0d36f22 100644
--- a/pki/crl.h
+++ b/pki/crl.h
@@ -7,11 +7,11 @@
#include "fillins/openssl_util.h"
+#include <optional>
#include "general_names.h"
-#include "parsed_certificate.h"
#include "input.h"
#include "parse_values.h"
-#include <optional>
+#include "parsed_certificate.h"
namespace bssl {
@@ -42,10 +42,9 @@
// signatureAlgorithm AlgorithmIdentifier,
// signatureValue BIT STRING }
[[nodiscard]] OPENSSL_EXPORT bool ParseCrlCertificateList(
- const der::Input& crl_tlv,
- der::Input* out_tbs_cert_list_tlv,
- der::Input* out_signature_algorithm_tlv,
- der::BitString* out_signature_value);
+ const der::Input &crl_tlv, der::Input *out_tbs_cert_list_tlv,
+ der::Input *out_signature_algorithm_tlv,
+ der::BitString *out_signature_value);
// Parses a DER-encoded "TBSCertList" as specified by RFC 5280 Section 5.1.
// Returns true on success and sets the results in |out|.
@@ -77,8 +76,7 @@
// -- if present, version MUST be v2
// }
[[nodiscard]] OPENSSL_EXPORT bool ParseCrlTbsCertList(
- const der::Input& tbs_tlv,
- ParsedCrlTbsCertList* out);
+ const der::Input &tbs_tlv, ParsedCrlTbsCertList *out);
// Represents a CRL "Version" from RFC 5280. TBSCertList reuses the same
// Version definition from TBSCertificate, however only v1(not present) and
@@ -181,14 +179,13 @@
// indirectCRL [4] BOOLEAN DEFAULT FALSE,
// onlyContainsAttributeCerts [5] BOOLEAN DEFAULT FALSE }
[[nodiscard]] OPENSSL_EXPORT bool ParseIssuingDistributionPoint(
- const der::Input& extension_value,
- std::unique_ptr<GeneralNames>* out_distribution_point_names,
- ContainedCertsType* out_only_contains_cert_type);
+ const der::Input &extension_value,
+ std::unique_ptr<GeneralNames> *out_distribution_point_names,
+ ContainedCertsType *out_only_contains_cert_type);
OPENSSL_EXPORT CRLRevocationStatus
-GetCRLStatusForCert(const der::Input& cert_serial,
- CrlVersion crl_version,
- const std::optional<der::Input>& revoked_certificates_tlv);
+GetCRLStatusForCert(const der::Input &cert_serial, CrlVersion crl_version,
+ const std::optional<der::Input> &revoked_certificates_tlv);
// Checks the revocation status of the certificate |cert| by using the
// DER-encoded |raw_crl|. |cert| must already have passed certificate path
@@ -212,14 +209,11 @@
// implemented as time since the |thisUpdate| field in the CRL
// TBSCertList. Responses older than |max_age_seconds| will be
// considered invalid.
-[[nodiscard]] OPENSSL_EXPORT CRLRevocationStatus
-CheckCRL(std::string_view raw_crl,
- const ParsedCertificateList& valid_chain,
- size_t target_cert_index,
- const ParsedDistributionPoint& cert_dp,
- int64_t verify_time_epoch_seconds,
- std::optional<int64_t> max_age_seconds);
+[[nodiscard]] OPENSSL_EXPORT CRLRevocationStatus CheckCRL(
+ std::string_view raw_crl, const ParsedCertificateList &valid_chain,
+ size_t target_cert_index, const ParsedDistributionPoint &cert_dp,
+ int64_t verify_time_epoch_seconds, std::optional<int64_t> max_age_seconds);
-} // namespace net
+} // namespace bssl
#endif // BSSL_PKI_CRL_H_
diff --git a/pki/crl_unittest.cc b/pki/crl_unittest.cc
index a2479d4..b9be70f 100644
--- a/pki/crl_unittest.cc
+++ b/pki/crl_unittest.cc
@@ -6,12 +6,12 @@
#include <string_view>
+#include <gtest/gtest.h>
+#include <openssl/pool.h>
#include "cert_errors.h"
#include "parsed_certificate.h"
#include "string_util.h"
#include "test_helpers.h"
-#include <gtest/gtest.h>
-#include <openssl/pool.h>
namespace bssl {
@@ -27,12 +27,13 @@
std::string_view data) {
CertErrors errors;
return ParsedCertificate::Create(
- bssl::UniquePtr<CRYPTO_BUFFER>(CRYPTO_BUFFER_new(
- reinterpret_cast<const uint8_t*>(data.data()), data.size(), nullptr)),
+ bssl::UniquePtr<CRYPTO_BUFFER>(
+ CRYPTO_BUFFER_new(reinterpret_cast<const uint8_t *>(data.data()),
+ data.size(), nullptr)),
{}, &errors);
}
-class CheckCRLTest : public ::testing::TestWithParam<const char*> {};
+class CheckCRLTest : public ::testing::TestWithParam<const char *> {};
// Test prefix naming scheme:
// good = valid CRL, cert affirmatively not revoked
@@ -40,7 +41,7 @@
// bad = valid CRL, but cert status is unknown (cases like unhandled features,
// mismatching issuer or signature, etc)
// invalid = corrupt or violates some spec requirement
-constexpr char const* kTestParams[] = {
+constexpr char const *kTestParams[] = {
"good.pem",
"good_issuer_name_normalization.pem",
"good_issuer_no_keyusage.pem",
@@ -111,7 +112,7 @@
struct PrintTestName {
std::string operator()(
- const testing::TestParamInfo<const char*>& info) const {
+ const testing::TestParamInfo<const char *> &info) const {
std::string_view name(info.param);
// Strip ".pem" from the end as GTest names cannot contain period.
name.remove_suffix(4);
@@ -119,9 +120,7 @@
}
};
-INSTANTIATE_TEST_SUITE_P(All,
- CheckCRLTest,
- ::testing::ValuesIn(kTestParams),
+INSTANTIATE_TEST_SUITE_P(All, CheckCRLTest, ::testing::ValuesIn(kTestParams),
PrintTestName());
TEST_P(CheckCRLTest, FromFile) {
@@ -162,7 +161,7 @@
// TODO(https://crbug.com/749276): This seems slightly hacky. Maybe the
// distribution point to use should be specified separately in the test PEM?
ParsedDistributionPoint fake_cert_dp;
- ParsedDistributionPoint* cert_dp = &fake_cert_dp;
+ ParsedDistributionPoint *cert_dp = &fake_cert_dp;
std::vector<ParsedDistributionPoint> distribution_points;
ParsedExtension crl_dp_extension;
if (cert->GetExtension(der::Input(kCrlDistributionPointsOid),
@@ -206,4 +205,4 @@
} // namespace
-} // namespace net
+} // namespace bssl
diff --git a/pki/encode_values.cc b/pki/encode_values.cc
index ac20039..4d4a0e9 100644
--- a/pki/encode_values.cc
+++ b/pki/encode_values.cc
@@ -36,7 +36,7 @@
} // namespace
bool EncodePosixTimeAsGeneralizedTime(int64_t posix_time,
- GeneralizedTime* generalized_time) {
+ GeneralizedTime *generalized_time) {
struct tm tmp_tm;
if (!OPENSSL_posix_to_tm(posix_time, &tmp_tm)) {
return false;
@@ -51,8 +51,8 @@
return true;
}
-bool GeneralizedTimeToPosixTime(const der::GeneralizedTime& generalized,
- int64_t* result) {
+bool GeneralizedTimeToPosixTime(const der::GeneralizedTime &generalized,
+ int64_t *result) {
struct tm tmp_tm;
tmp_tm.tm_year = generalized.year - 1900;
tmp_tm.tm_mon = generalized.month - 1;
@@ -68,7 +68,7 @@
return OPENSSL_tm_to_posix(&tmp_tm, result);
}
-bool EncodeGeneralizedTime(const GeneralizedTime& time,
+bool EncodeGeneralizedTime(const GeneralizedTime &time,
uint8_t out[kGeneralizedTimeLength]) {
if (!WriteFourDigit(time.year, out) || !WriteTwoDigit(time.month, out + 4) ||
!WriteTwoDigit(time.day, out + 6) ||
@@ -81,7 +81,7 @@
return true;
}
-bool EncodeUTCTime(const GeneralizedTime& time, uint8_t out[kUTCTimeLength]) {
+bool EncodeUTCTime(const GeneralizedTime &time, uint8_t out[kUTCTimeLength]) {
if (!time.InUTCTimeRange())
return false;
diff --git a/pki/encode_values.h b/pki/encode_values.h
index 79216cc..b3bc0be 100644
--- a/pki/encode_values.h
+++ b/pki/encode_values.h
@@ -5,9 +5,9 @@
#ifndef BSSL_DER_ENCODE_VALUES_H_
#define BSSL_DER_ENCODE_VALUES_H_
-#include "fillins/openssl_util.h"
#include <stddef.h>
#include <stdint.h>
+#include "fillins/openssl_util.h"
@@ -19,29 +19,27 @@
// comparing against other GeneralizedTime objects, returning true on success or
// false if |posix_time| is outside of the range from year 0000 to 9999.
OPENSSL_EXPORT bool EncodePosixTimeAsGeneralizedTime(
- int64_t posix_time,
- GeneralizedTime* generalized_time);
+ int64_t posix_time, GeneralizedTime *generalized_time);
// Converts a GeneralizedTime struct to a posix time in seconds in |result|,
// returning true on success or false if |generalized| was invalid or cannot be
// represented as a posix time in the range from the year 0000 to 9999.
OPENSSL_EXPORT bool GeneralizedTimeToPosixTime(
- const der::GeneralizedTime& generalized,
- int64_t* result);
+ const der::GeneralizedTime &generalized, int64_t *result);
static const size_t kGeneralizedTimeLength = 15;
// Encodes |time| to |out| as a DER GeneralizedTime value. Returns true on
// success and false on error.
-OPENSSL_EXPORT bool EncodeGeneralizedTime(const GeneralizedTime& time,
- uint8_t out[kGeneralizedTimeLength]);
+OPENSSL_EXPORT bool EncodeGeneralizedTime(const GeneralizedTime &time,
+ uint8_t out[kGeneralizedTimeLength]);
static const size_t kUTCTimeLength = 13;
// Encodes |time| to |out| as a DER UTCTime value. Returns true on success and
// false on error.
-OPENSSL_EXPORT bool EncodeUTCTime(const GeneralizedTime& time,
- uint8_t out[kUTCTimeLength]);
+OPENSSL_EXPORT bool EncodeUTCTime(const GeneralizedTime &time,
+ uint8_t out[kUTCTimeLength]);
} // namespace bssl::der
diff --git a/pki/encode_values_unittest.cc b/pki/encode_values_unittest.cc
index ab42418..e0a7820 100644
--- a/pki/encode_values_unittest.cc
+++ b/pki/encode_values_unittest.cc
@@ -6,8 +6,8 @@
#include <string_view>
-#include "parse_values.h"
#include <gtest/gtest.h>
+#include "parse_values.h"
namespace bssl::der::test {
@@ -15,7 +15,7 @@
template <size_t N>
std::string_view ToStringView(const uint8_t (&data)[N]) {
- return std::string_view(reinterpret_cast<const char*>(data), N);
+ return std::string_view(reinterpret_cast<const char *>(data), N);
}
} // namespace
diff --git a/pki/extended_key_usage.cc b/pki/extended_key_usage.cc
index 34345f1..d81599a 100644
--- a/pki/extended_key_usage.cc
+++ b/pki/extended_key_usage.cc
@@ -10,8 +10,8 @@
namespace bssl {
-bool ParseEKUExtension(const der::Input& extension_value,
- std::vector<der::Input>* eku_oids) {
+bool ParseEKUExtension(const der::Input &extension_value,
+ std::vector<der::Input> *eku_oids) {
der::Parser extension_parser(extension_value);
der::Parser sequence_parser;
if (!extension_parser.ReadSequence(&sequence_parser))
@@ -37,4 +37,4 @@
return true;
}
-} // namespace net
+} // namespace bssl
diff --git a/pki/extended_key_usage.h b/pki/extended_key_usage.h
index 89b5030..59e66c4 100644
--- a/pki/extended_key_usage.h
+++ b/pki/extended_key_usage.h
@@ -5,8 +5,8 @@
#ifndef BSSL_PKI_EXTENDED_KEY_USAGE_H_
#define BSSL_PKI_EXTENDED_KEY_USAGE_H_
-#include "fillins/openssl_util.h"
#include <vector>
+#include "fillins/openssl_util.h"
#include "input.h"
@@ -81,9 +81,9 @@
//
// Note: The returned OIDs are only as valid as long as the data pointed to by
// |extension_value| is valid.
-OPENSSL_EXPORT bool ParseEKUExtension(const der::Input& extension_value,
- std::vector<der::Input>* eku_oids);
+OPENSSL_EXPORT bool ParseEKUExtension(const der::Input &extension_value,
+ std::vector<der::Input> *eku_oids);
-} // namespace net
+} // namespace bssl
#endif // BSSL_PKI_EXTENDED_KEY_USAGE_H_
diff --git a/pki/extended_key_usage_unittest.cc b/pki/extended_key_usage_unittest.cc
index 2f190cf..f764e52 100644
--- a/pki/extended_key_usage_unittest.cc
+++ b/pki/extended_key_usage_unittest.cc
@@ -4,17 +4,17 @@
#include <algorithm>
+#include <gtest/gtest.h>
#include "extended_key_usage.h"
#include "input.h"
-#include <gtest/gtest.h>
namespace bssl {
namespace {
// Helper method to check if an EKU is present in a std::vector of EKUs.
-bool HasEKU(const std::vector<der::Input>& list, const der::Input& eku) {
- for (const auto& oid : list) {
+bool HasEKU(const std::vector<der::Input> &list, const der::Input &eku) {
+ for (const auto &oid : list) {
if (oid == eku)
return true;
}
@@ -60,7 +60,7 @@
std::vector<der::Input> ekus;
EXPECT_TRUE(ParseEKUExtension(extension, &ekus));
EXPECT_EQ(2u, ekus.size());
- for (const auto& eku : ekus) {
+ for (const auto &eku : ekus) {
EXPECT_EQ(der::Input(kServerAuth), eku);
}
}
@@ -163,4 +163,4 @@
} // namespace
-} // namespace net
+} // namespace bssl
diff --git a/pki/fillins/fillins_string_util.cc b/pki/fillins/fillins_string_util.cc
index cdafcc5..697af63 100644
--- a/pki/fillins/fillins_string_util.cc
+++ b/pki/fillins/fillins_string_util.cc
@@ -2,10 +2,10 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#include "../string_util.h"
+#include "fillins_string_util.h"
#include <string>
#include <string_view>
-#include "fillins_string_util.h"
+#include "../string_util.h"
namespace bssl {
diff --git a/pki/general_names.cc b/pki/general_names.cc
index 2ffb24b..253e54e 100644
--- a/pki/general_names.cc
+++ b/pki/general_names.cc
@@ -11,10 +11,10 @@
#include "cert_error_params.h"
#include "cert_errors.h"
-#include "ip_util.h"
-#include "string_util.h"
#include "input.h"
+#include "ip_util.h"
#include "parser.h"
+#include "string_util.h"
#include "tag.h"
namespace bssl {
@@ -45,8 +45,7 @@
// static
std::unique_ptr<GeneralNames> GeneralNames::Create(
- const der::Input& general_names_tlv,
- CertErrors* errors) {
+ const der::Input &general_names_tlv, CertErrors *errors) {
BSSL_CHECK(errors);
// RFC 5280 section 4.2.1.6:
@@ -67,8 +66,7 @@
// static
std::unique_ptr<GeneralNames> GeneralNames::CreateFromValue(
- const der::Input& general_names_value,
- CertErrors* errors) {
+ const der::Input &general_names_value, CertErrors *errors) {
BSSL_CHECK(errors);
auto general_names = std::make_unique<GeneralNames>();
@@ -98,10 +96,9 @@
}
[[nodiscard]] bool ParseGeneralName(
- const der::Input& input,
+ const der::Input &input,
GeneralNames::ParseGeneralNameIPAddressType ip_address_type,
- GeneralNames* subtrees,
- CertErrors* errors) {
+ GeneralNames *subtrees, CertErrors *errors) {
BSSL_CHECK(errors);
der::Parser parser(input);
der::Tag tag;
@@ -217,4 +214,4 @@
return true;
}
-} // namespace net
+} // namespace bssl
diff --git a/pki/general_names.h b/pki/general_names.h
index 38643d1..426859c 100644
--- a/pki/general_names.h
+++ b/pki/general_names.h
@@ -5,10 +5,10 @@
#ifndef BSSL_PKI_GENERAL_NAMES_H_
#define BSSL_PKI_GENERAL_NAMES_H_
-#include "fillins/openssl_util.h"
#include <memory>
#include <string_view>
#include <vector>
+#include "fillins/openssl_util.h"
#include "cert_error_id.h"
@@ -63,14 +63,12 @@
// Returns nullptr on failure, and may fill |errors| with
// additional information. |errors| must be non-null.
static std::unique_ptr<GeneralNames> Create(
- const der::Input& general_names_tlv,
- CertErrors* errors);
+ const der::Input &general_names_tlv, CertErrors *errors);
// As above, but takes the GeneralNames sequence value, without the tag and
// length.
static std::unique_ptr<GeneralNames> CreateFromValue(
- const der::Input& general_names_value,
- CertErrors* errors);
+ const der::Input &general_names_value, CertErrors *errors);
// DER-encoded OtherName values.
std::vector<der::Input> other_names;
@@ -123,11 +121,10 @@
// |errors| must be non-null.
// TODO(mattm): should this be a method on GeneralNames?
[[nodiscard]] OPENSSL_EXPORT bool ParseGeneralName(
- const der::Input& input,
+ const der::Input &input,
GeneralNames::ParseGeneralNameIPAddressType ip_address_type,
- GeneralNames* subtrees,
- CertErrors* errors);
+ GeneralNames *subtrees, CertErrors *errors);
-} // namespace net
+} // namespace bssl
#endif // BSSL_PKI_GENERAL_NAMES_H_
diff --git a/pki/general_names_unittest.cc b/pki/general_names_unittest.cc
index a3e5368..be508a2 100644
--- a/pki/general_names_unittest.cc
+++ b/pki/general_names_unittest.cc
@@ -4,15 +4,15 @@
#include "general_names.h"
-#include "test_helpers.h"
#include <gtest/gtest.h>
+#include "test_helpers.h"
namespace bssl {
namespace {
-::testing::AssertionResult LoadTestData(const char* token,
- const std::string& basename,
- std::string* result) {
+::testing::AssertionResult LoadTestData(const char *token,
+ const std::string &basename,
+ std::string *result) {
std::string path = "testdata/name_constraints_unittest/" + basename;
const PemBlockMapping mappings[] = {
@@ -23,13 +23,11 @@
}
::testing::AssertionResult LoadTestSubjectAltNameData(
- const std::string& basename,
- std::string* result) {
+ const std::string &basename, std::string *result) {
return LoadTestData("SUBJECT ALTERNATIVE NAME", basename, result);
}
-void ReplaceFirstSubstring(std::string* str,
- std::string_view substr,
+void ReplaceFirstSubstring(std::string *str, std::string_view substr,
std::string_view replacement) {
size_t idx = str->find(substr);
if (idx != std::string::npos) {
@@ -225,4 +223,4 @@
EXPECT_EQ(der::Input(expected_der), general_names->registered_ids[0]);
}
-} // namespace net
+} // namespace bssl
diff --git a/pki/input.cc b/pki/input.cc
index 884c6bc..274055b 100644
--- a/pki/input.cc
+++ b/pki/input.cc
@@ -11,33 +11,29 @@
namespace bssl::der {
std::string Input::AsString() const {
- return std::string(reinterpret_cast<const char*>(data_.data()), data_.size());
+ return std::string(reinterpret_cast<const char *>(data_.data()),
+ data_.size());
}
std::string_view Input::AsStringView() const {
- return std::string_view(reinterpret_cast<const char*>(data_.data()),
+ return std::string_view(reinterpret_cast<const char *>(data_.data()),
data_.size());
}
-bssl::Span<const uint8_t> Input::AsSpan() const {
- return data_;
-}
+bssl::Span<const uint8_t> Input::AsSpan() const { return data_; }
-bool operator==(const Input& lhs, const Input& rhs) {
+bool operator==(const Input &lhs, const Input &rhs) {
return lhs.Length() == rhs.Length() &&
std::equal(lhs.UnsafeData(), lhs.UnsafeData() + lhs.Length(),
rhs.UnsafeData());
}
-bool operator!=(const Input& lhs, const Input& rhs) {
- return !(lhs == rhs);
-}
+bool operator!=(const Input &lhs, const Input &rhs) { return !(lhs == rhs); }
-ByteReader::ByteReader(const Input& in)
- : data_(in.UnsafeData()), len_(in.Length()) {
-}
+ByteReader::ByteReader(const Input &in)
+ : data_(in.UnsafeData()), len_(in.Length()) {}
-bool ByteReader::ReadByte(uint8_t* byte_p) {
+bool ByteReader::ReadByte(uint8_t *byte_p) {
if (!HasMore())
return false;
*byte_p = *data_;
@@ -45,7 +41,7 @@
return true;
}
-bool ByteReader::ReadBytes(size_t len, Input* out) {
+bool ByteReader::ReadBytes(size_t len, Input *out) {
if (len > len_)
return false;
*out = Input(data_, len);
@@ -54,9 +50,7 @@
}
// Returns whether there is any more data to be read.
-bool ByteReader::HasMore() {
- return len_ > 0;
-}
+bool ByteReader::HasMore() { return len_ > 0; }
void ByteReader::Advance(size_t len) {
BSSL_CHECK(len <= len_);
diff --git a/pki/input.h b/pki/input.h
index b3b13b7..cd5326f 100644
--- a/pki/input.h
+++ b/pki/input.h
@@ -5,9 +5,9 @@
#ifndef BSSL_DER_INPUT_H_
#define BSSL_DER_INPUT_H_
-#include "fillins/openssl_util.h"
#include <stddef.h>
#include <stdint.h>
+#include "fillins/openssl_util.h"
#include <string>
#include <string_view>
@@ -38,14 +38,14 @@
constexpr explicit Input(bssl::Span<const uint8_t> data) : data_(data) {}
// Creates an Input from the given |data| and |len|.
- constexpr explicit Input(const uint8_t* data, size_t len)
+ constexpr explicit Input(const uint8_t *data, size_t len)
: data_(bssl::MakeConstSpan(data, len)) {}
// Creates an Input from a std::string_view. The constructed Input is only
// valid as long as |data| points to live memory. If constructed from, say, a
// |std::string|, mutating the vector will invalidate the Input.
explicit Input(std::string_view str)
- : data_(bssl::MakeConstSpan(reinterpret_cast<const uint8_t*>(str.data()),
+ : data_(bssl::MakeConstSpan(reinterpret_cast<const uint8_t *>(str.data()),
str.size())) {}
// Returns the length in bytes of an Input's data.
@@ -55,7 +55,7 @@
// because access to the Input's data should be done through ByteReader
// instead. This method should only be used where using a ByteReader truly
// is not an option.
- constexpr const uint8_t* UnsafeData() const { return data_.data(); }
+ constexpr const uint8_t *UnsafeData() const { return data_.data(); }
constexpr uint8_t operator[](size_t idx) const { return data_[idx]; }
@@ -77,20 +77,19 @@
};
// Return true if |lhs|'s data and |rhs|'s data are byte-wise equal.
-OPENSSL_EXPORT bool operator==(const Input& lhs, const Input& rhs);
+OPENSSL_EXPORT bool operator==(const Input &lhs, const Input &rhs);
// Return true if |lhs|'s data and |rhs|'s data are not byte-wise equal.
-OPENSSL_EXPORT bool operator!=(const Input& lhs, const Input& rhs);
+OPENSSL_EXPORT bool operator!=(const Input &lhs, const Input &rhs);
// Returns true if |lhs|'s data is lexicographically less than |rhs|'s data.
-OPENSSL_EXPORT constexpr bool operator<(const Input& lhs,
- const Input& rhs) {
+OPENSSL_EXPORT constexpr bool operator<(const Input &lhs, const Input &rhs) {
// This is `std::lexicographical_compare`, but that's not `constexpr` until
// C++-20.
- auto* it1 = lhs.UnsafeData();
- auto* it2 = rhs.UnsafeData();
- const auto* end1 = lhs.UnsafeData() + lhs.Length();
- const auto* end2 = rhs.UnsafeData() + rhs.Length();
+ auto *it1 = lhs.UnsafeData();
+ auto *it2 = rhs.UnsafeData();
+ const auto *end1 = lhs.UnsafeData() + lhs.Length();
+ const auto *end2 = rhs.UnsafeData() + rhs.Length();
for (; it1 != end1 && it2 != end2; ++it1, ++it2) {
if (*it1 < *it2) {
return true;
@@ -121,17 +120,17 @@
class OPENSSL_EXPORT ByteReader {
public:
// Creates a ByteReader to read the data represented by an Input.
- explicit ByteReader(const Input& in);
+ explicit ByteReader(const Input &in);
// Reads a single byte from the input source, putting the byte read in
// |*byte_p|. If a byte cannot be read from the input (because there is
// no input left), then this method returns false.
- [[nodiscard]] bool ReadByte(uint8_t* out);
+ [[nodiscard]] bool ReadByte(uint8_t *out);
// Reads |len| bytes from the input source, and initializes an Input to
// point to that data. If there aren't enough bytes left in the input source,
// then this method returns false.
- [[nodiscard]] bool ReadBytes(size_t len, Input* out);
+ [[nodiscard]] bool ReadBytes(size_t len, Input *out);
// Returns how many bytes are left to read.
size_t BytesLeft() const { return len_; }
@@ -142,7 +141,7 @@
private:
void Advance(size_t len);
- const uint8_t* data_;
+ const uint8_t *data_;
size_t len_;
};
diff --git a/pki/input_unittest.cc b/pki/input_unittest.cc
index 6c3f757..42a7cdb 100644
--- a/pki/input_unittest.cc
+++ b/pki/input_unittest.cc
@@ -41,7 +41,7 @@
TEST(InputTest, AsString) {
Input input(kInput);
- std::string expected_string(reinterpret_cast<const char*>(kInput),
+ std::string expected_string(reinterpret_cast<const char *>(kInput),
std::size(kInput));
EXPECT_EQ(expected_string, input.AsString());
}
diff --git a/pki/ip_util.cc b/pki/ip_util.cc
index 75b77ca..1983633 100644
--- a/pki/ip_util.cc
+++ b/pki/ip_util.cc
@@ -33,8 +33,7 @@
return true;
}
-bool IPAddressMatchesWithNetmask(der::Input addr1,
- der::Input addr2,
+bool IPAddressMatchesWithNetmask(der::Input addr1, der::Input addr2,
der::Input mask) {
if (addr1.Length() != addr2.Length() || addr1.Length() != mask.Length()) {
return false;
@@ -47,4 +46,4 @@
return true;
}
-} // namespace net
+} // namespace bssl
diff --git a/pki/ip_util.h b/pki/ip_util.h
index e78b9e6..64ea719 100644
--- a/pki/ip_util.h
+++ b/pki/ip_util.h
@@ -21,9 +21,9 @@
// Returns whether `addr1` and `addr2` are equal under the netmask `mask`.
OPENSSL_EXPORT bool IPAddressMatchesWithNetmask(der::Input addr1,
- der::Input addr2,
- der::Input mask);
+ der::Input addr2,
+ der::Input mask);
-} // namespace net
+} // namespace bssl
#endif // BSSL_PKI_IP_UTIL_H_
diff --git a/pki/ip_util_unittest.cc b/pki/ip_util_unittest.cc
index 8ec7452..268a924 100644
--- a/pki/ip_util_unittest.cc
+++ b/pki/ip_util_unittest.cc
@@ -6,8 +6,8 @@
#include <string.h>
-#include "input.h"
#include <gtest/gtest.h>
+#include "input.h"
namespace bssl {
@@ -104,4 +104,4 @@
}
}
-} // namespace net
+} // namespace bssl
diff --git a/pki/mock_signature_verify_cache.cc b/pki/mock_signature_verify_cache.cc
index 786fd44..d99f690 100644
--- a/pki/mock_signature_verify_cache.cc
+++ b/pki/mock_signature_verify_cache.cc
@@ -12,14 +12,14 @@
MockSignatureVerifyCache::~MockSignatureVerifyCache() = default;
-void MockSignatureVerifyCache::Store(const std::string& key,
+void MockSignatureVerifyCache::Store(const std::string &key,
SignatureVerifyCache::Value value) {
cache_.insert_or_assign(key, value);
stores_++;
}
SignatureVerifyCache::Value MockSignatureVerifyCache::Check(
- const std::string& key) {
+ const std::string &key) {
auto iter = cache_.find(key);
if (iter == cache_.end()) {
misses_++;
@@ -29,4 +29,4 @@
return iter->second;
}
-} // namespace net
+} // namespace bssl
diff --git a/pki/mock_signature_verify_cache.h b/pki/mock_signature_verify_cache.h
index ed7f1b1..80c4fa3 100644
--- a/pki/mock_signature_verify_cache.h
+++ b/pki/mock_signature_verify_cache.h
@@ -25,10 +25,10 @@
~MockSignatureVerifyCache() override;
- void Store(const std::string& key,
+ void Store(const std::string &key,
SignatureVerifyCache::Value value) override;
- SignatureVerifyCache::Value Check(const std::string& key) override;
+ SignatureVerifyCache::Value Check(const std::string &key) override;
size_t CacheHits() { return hits_; }
@@ -43,6 +43,6 @@
size_t stores_ = 0;
};
-} // namespace net
+} // namespace bssl
#endif // BSSL_PKI_MOCK_PATH_BUILDER_DELEGATE_H_
diff --git a/pki/name_constraints.cc b/pki/name_constraints.cc
index aa03a96..6dea412 100644
--- a/pki/name_constraints.cc
+++ b/pki/name_constraints.cc
@@ -8,17 +8,17 @@
#include <memory>
+#include <openssl/base.h>
+#include <optional>
#include "cert_errors.h"
#include "common_cert_errors.h"
#include "general_names.h"
-#include "ip_util.h"
-#include "string_util.h"
-#include "verify_name_match.h"
#include "input.h"
+#include "ip_util.h"
#include "parser.h"
+#include "string_util.h"
#include "tag.h"
-#include <optional>
-#include <openssl/base.h>
+#include "verify_name_match.h"
namespace bssl {
@@ -53,8 +53,7 @@
// |wildcard_matching| controls handling of wildcard names (|name| starts with
// "*."). Wildcard handling is not specified by RFC 5280, but certificate
// verification allows it, name constraints must check it similarly.
-bool DNSNameMatches(std::string_view name,
- std::string_view dns_constraint,
+bool DNSNameMatches(std::string_view name, std::string_view dns_constraint,
WildcardMatchType wildcard_matching) {
// Everything matches the empty DNS name constraint.
if (dns_constraint.empty())
@@ -79,7 +78,7 @@
dns_constraint.substr(dns_constraint_dot_pos + 1);
std::string_view wildcard_domain = name.substr(2);
if (bssl::string_util::IsEqualNoCase(wildcard_domain,
- dns_constraint_domain)) {
+ dns_constraint_domain)) {
return true;
}
}
@@ -113,9 +112,9 @@
// NOTE: |subtrees| is not pre-initialized by the function(it is expected to be
// a default initialized object), and it will be modified regardless of the
// return value.
-[[nodiscard]] bool ParseGeneralSubtrees(const der::Input& value,
- GeneralNames* subtrees,
- CertErrors* errors) {
+[[nodiscard]] bool ParseGeneralSubtrees(const der::Input &value,
+ GeneralNames *subtrees,
+ CertErrors *errors) {
BSSL_CHECK(errors);
// GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
@@ -206,8 +205,7 @@
}
enum class Rfc822NameMatchType { kPermitted, kExcluded };
-bool Rfc822NameMatches(std::string_view local_part,
- std::string_view domain,
+bool Rfc822NameMatches(std::string_view local_part, std::string_view domain,
std::string_view rfc822_constraint,
Rfc822NameMatchType match_type,
bool case_insensitive_local_part) {
@@ -271,9 +269,7 @@
// static
std::unique_ptr<NameConstraints> NameConstraints::Create(
- const der::Input& extension_value,
- bool is_critical,
- CertErrors* errors) {
+ const der::Input &extension_value, bool is_critical, CertErrors *errors) {
BSSL_CHECK(errors);
auto name_constraints = std::make_unique<NameConstraints>();
@@ -282,9 +278,8 @@
return name_constraints;
}
-bool NameConstraints::Parse(const der::Input& extension_value,
- bool is_critical,
- CertErrors* errors) {
+bool NameConstraints::Parse(const der::Input &extension_value, bool is_critical,
+ CertErrors *errors) {
BSSL_CHECK(errors);
der::Parser extension_parser(extension_value);
@@ -339,9 +334,9 @@
return true;
}
-void NameConstraints::IsPermittedCert(const der::Input& subject_rdn_sequence,
- const GeneralNames* subject_alt_names,
- CertErrors* errors) const {
+void NameConstraints::IsPermittedCert(const der::Input &subject_rdn_sequence,
+ const GeneralNames *subject_alt_names,
+ CertErrors *errors) const {
// Checking NameConstraints is O(number_of_names * number_of_constraints).
// Impose a hard limit to mitigate the use of name constraints as a DoS
// mechanism. This mimics the similar check in BoringSSL x509/v_ncons.c
@@ -426,7 +421,7 @@
// might fail if there are email addresses we don't know how to parse but
// are technically correct.
if (constrained_name_types() & GENERAL_NAME_RFC822_NAME) {
- for (const auto& rfc822_name : subject_alt_names->rfc822_names) {
+ for (const auto &rfc822_name : subject_alt_names->rfc822_names) {
if (!IsPermittedRfc822Name(
rfc822_name, /*case_insensitive_exclude_localpart=*/false)) {
errors->AddError(cert_errors::kNotPermittedByNameConstraints);
@@ -435,21 +430,21 @@
}
}
- for (const auto& dns_name : subject_alt_names->dns_names) {
+ for (const auto &dns_name : subject_alt_names->dns_names) {
if (!IsPermittedDNSName(dns_name)) {
errors->AddError(cert_errors::kNotPermittedByNameConstraints);
return;
}
}
- for (const auto& directory_name : subject_alt_names->directory_names) {
+ for (const auto &directory_name : subject_alt_names->directory_names) {
if (!IsPermittedDirectoryName(directory_name)) {
errors->AddError(cert_errors::kNotPermittedByNameConstraints);
return;
}
}
- for (const auto& ip_address : subject_alt_names->ip_addresses) {
+ for (const auto &ip_address : subject_alt_names->ip_addresses) {
if (!IsPermittedIP(ip_address)) {
errors->AddError(cert_errors::kNotPermittedByNameConstraints);
return;
@@ -466,7 +461,7 @@
// form, but the certificate does not include a subject alternative name, the
// rfc822Name constraint MUST be applied to the attribute of type emailAddress
// in the subject distinguished name.
- for (const auto& rfc822_name : subject_email_addresses_to_check) {
+ for (const auto &rfc822_name : subject_email_addresses_to_check) {
// Whether local_part should be matched case-sensitive or not is somewhat
// unclear. RFC 2821 says that it should be case-sensitive. RFC 2985 says
// that emailAddress attributes in a Name are fully case-insensitive.
@@ -503,8 +498,7 @@
}
bool NameConstraints::IsPermittedRfc822Name(
- std::string_view name,
- bool case_insensitive_exclude_localpart) const {
+ std::string_view name, bool case_insensitive_exclude_localpart) const {
// RFC 5280 4.2.1.6. Subject Alternative Name
//
// When the subjectAltName extension contains an Internet mail address,
@@ -584,7 +578,7 @@
return false;
}
- for (const auto& excluded_name : excluded_subtrees_.rfc822_names) {
+ for (const auto &excluded_name : excluded_subtrees_.rfc822_names) {
if (Rfc822NameMatches(name_components[0], name_components[1], excluded_name,
Rfc822NameMatchType::kExcluded,
case_insensitive_exclude_localpart)) {
@@ -598,7 +592,7 @@
return true;
}
- for (const auto& permitted_name : permitted_subtrees_.rfc822_names) {
+ for (const auto &permitted_name : permitted_subtrees_.rfc822_names) {
if (Rfc822NameMatches(name_components[0], name_components[1],
permitted_name, Rfc822NameMatchType::kPermitted,
/*case_insenitive_local_part=*/false)) {
@@ -610,7 +604,7 @@
}
bool NameConstraints::IsPermittedDNSName(std::string_view name) const {
- for (const auto& excluded_name : excluded_subtrees_.dns_names) {
+ for (const auto &excluded_name : excluded_subtrees_.dns_names) {
// When matching wildcard hosts against excluded subtrees, consider it a
// match if the constraint would match any expansion of the wildcard. Eg,
// *.bar.com should match a constraint of foo.bar.com.
@@ -623,7 +617,7 @@
if (!(permitted_subtrees_.present_name_types & GENERAL_NAME_DNS_NAME))
return true;
- for (const auto& permitted_name : permitted_subtrees_.dns_names) {
+ for (const auto &permitted_name : permitted_subtrees_.dns_names) {
// When matching wildcard hosts against permitted subtrees, consider it a
// match only if the constraint would match all expansions of the wildcard.
// Eg, *.bar.com should match a constraint of bar.com, but not foo.bar.com.
@@ -635,8 +629,8 @@
}
bool NameConstraints::IsPermittedDirectoryName(
- const der::Input& name_rdn_sequence) const {
- for (const auto& excluded_name : excluded_subtrees_.directory_names) {
+ const der::Input &name_rdn_sequence) const {
+ for (const auto &excluded_name : excluded_subtrees_.directory_names) {
if (VerifyNameInSubtree(name_rdn_sequence, excluded_name))
return false;
}
@@ -646,7 +640,7 @@
if (!(permitted_subtrees_.present_name_types & GENERAL_NAME_DIRECTORY_NAME))
return true;
- for (const auto& permitted_name : permitted_subtrees_.directory_names) {
+ for (const auto &permitted_name : permitted_subtrees_.directory_names) {
if (VerifyNameInSubtree(name_rdn_sequence, permitted_name))
return true;
}
@@ -654,8 +648,8 @@
return false;
}
-bool NameConstraints::IsPermittedIP(const der::Input& ip) const {
- for (const auto& excluded_ip : excluded_subtrees_.ip_address_ranges) {
+bool NameConstraints::IsPermittedIP(const der::Input &ip) const {
+ for (const auto &excluded_ip : excluded_subtrees_.ip_address_ranges) {
if (IPAddressMatchesWithNetmask(ip, excluded_ip.first,
excluded_ip.second)) {
return false;
@@ -668,7 +662,7 @@
return true;
}
- for (const auto& permitted_ip : permitted_subtrees_.ip_address_ranges) {
+ for (const auto &permitted_ip : permitted_subtrees_.ip_address_ranges) {
if (IPAddressMatchesWithNetmask(ip, permitted_ip.first,
permitted_ip.second)) {
return true;
@@ -678,4 +672,4 @@
return false;
}
-} // namespace net
+} // namespace bssl
diff --git a/pki/name_constraints.h b/pki/name_constraints.h
index 6bf780c..bf3d3c6 100644
--- a/pki/name_constraints.h
+++ b/pki/name_constraints.h
@@ -5,8 +5,8 @@
#ifndef BSSL_PKI_NAME_CONSTRAINTS_H_
#define BSSL_PKI_NAME_CONSTRAINTS_H_
-#include "fillins/openssl_util.h"
#include <memory>
+#include "fillins/openssl_util.h"
#include "general_names.h"
@@ -32,9 +32,7 @@
// The object may reference data from |extension_value|, so is only valid as
// long as |extension_value| is.
static std::unique_ptr<NameConstraints> Create(
- const der::Input& extension_value,
- bool is_critical,
- CertErrors* errors);
+ const der::Input &extension_value, bool is_critical, CertErrors *errors);
// Tests if a certificate is allowed by the name constraints.
// |subject_rdn_sequence| should be the DER-encoded value of the subject's
@@ -44,9 +42,9 @@
// If the certificate is not allowed, an error will be added to |errors|.
// Note that this method does not check hostname or IP address in commonName,
// which is deprecated (crbug.com/308330).
- void IsPermittedCert(const der::Input& subject_rdn_sequence,
- const GeneralNames* subject_alt_names,
- CertErrors* errors) const;
+ void IsPermittedCert(const der::Input &subject_rdn_sequence,
+ const GeneralNames *subject_alt_names,
+ CertErrors *errors) const;
// Returns true if the ASCII email address |name| is permitted. |name| should
// be a "mailbox" as specified by RFC 2821, with the additional restriction
@@ -64,10 +62,10 @@
// Returns true if the directoryName |name_rdn_sequence| is permitted.
// |name_rdn_sequence| should be the DER-encoded RDNSequence value (not
// including the Sequence tag.)
- bool IsPermittedDirectoryName(const der::Input& name_rdn_sequence) const;
+ bool IsPermittedDirectoryName(const der::Input &name_rdn_sequence) const;
// Returns true if the iPAddress |ip| is permitted.
- bool IsPermittedIP(const der::Input& ip) const;
+ bool IsPermittedIP(const der::Input &ip) const;
// Returns a bitfield of GeneralNameTypes of all the types constrained by this
// NameConstraints. Name types that aren't supported will only be present if
@@ -85,19 +83,18 @@
// either process the constraint or reject the certificate.
int constrained_name_types() const { return constrained_name_types_; }
- const GeneralNames& permitted_subtrees() const { return permitted_subtrees_; }
- const GeneralNames& excluded_subtrees() const { return excluded_subtrees_; }
+ const GeneralNames &permitted_subtrees() const { return permitted_subtrees_; }
+ const GeneralNames &excluded_subtrees() const { return excluded_subtrees_; }
private:
- [[nodiscard]] bool Parse(const der::Input& extension_value,
- bool is_critical,
- CertErrors* errors);
+ [[nodiscard]] bool Parse(const der::Input &extension_value, bool is_critical,
+ CertErrors *errors);
GeneralNames permitted_subtrees_;
GeneralNames excluded_subtrees_;
int constrained_name_types_ = GENERAL_NAME_NONE;
};
-} // namespace net
+} // namespace bssl
#endif // BSSL_PKI_NAME_CONSTRAINTS_H_
diff --git a/pki/name_constraints_unittest.cc b/pki/name_constraints_unittest.cc
index 5de90e5..4121b6f 100644
--- a/pki/name_constraints_unittest.cc
+++ b/pki/name_constraints_unittest.cc
@@ -7,16 +7,16 @@
#include <array>
#include <memory>
+#include <gtest/gtest.h>
#include "common_cert_errors.h"
#include "test_helpers.h"
-#include <gtest/gtest.h>
namespace bssl {
namespace {
-::testing::AssertionResult LoadTestData(const char* token,
- const std::string& basename,
- std::string* result) {
+::testing::AssertionResult LoadTestData(const char *token,
+ const std::string &basename,
+ std::string *result) {
std::string path = "testdata/name_constraints_unittest/" + basename;
const PemBlockMapping mappings[] = {
@@ -26,26 +26,24 @@
return ReadTestDataFromPemFile(path, mappings);
}
-::testing::AssertionResult LoadTestName(const std::string& basename,
- std::string* result) {
+::testing::AssertionResult LoadTestName(const std::string &basename,
+ std::string *result) {
return LoadTestData("NAME", basename, result);
}
-::testing::AssertionResult LoadTestNameConstraint(const std::string& basename,
- std::string* result) {
+::testing::AssertionResult LoadTestNameConstraint(const std::string &basename,
+ std::string *result) {
return LoadTestData("NAME CONSTRAINTS", basename, result);
}
::testing::AssertionResult LoadTestSubjectAltNameData(
- const std::string& basename,
- std::string* result) {
+ const std::string &basename, std::string *result) {
return LoadTestData("SUBJECT ALTERNATIVE NAME", basename, result);
}
::testing::AssertionResult LoadTestSubjectAltName(
- const std::string& basename,
- std::unique_ptr<GeneralNames>* result,
- std::string* result_der) {
+ const std::string &basename, std::unique_ptr<GeneralNames> *result,
+ std::string *result_der) {
::testing::AssertionResult load_result =
LoadTestSubjectAltNameData(basename, result_der);
if (!load_result) {
@@ -60,9 +58,9 @@
}
::testing::AssertionResult IsPermittedCert(
- const NameConstraints* name_constraints,
- const der::Input& subject_rdn_sequence,
- const GeneralNames* subject_alt_names) {
+ const NameConstraints *name_constraints,
+ const der::Input &subject_rdn_sequence,
+ const GeneralNames *subject_alt_names) {
CertErrors errors;
name_constraints->IsPermittedCert(subject_rdn_sequence, subject_alt_names,
&errors);
@@ -73,27 +71,15 @@
return ::testing::AssertionFailure();
}
-std::array<uint8_t, 4> IPAddress(uint8_t b0,
- uint8_t b1,
- uint8_t b2,
+std::array<uint8_t, 4> IPAddress(uint8_t b0, uint8_t b1, uint8_t b2,
uint8_t b3) {
return {b0, b1, b2, b3};
}
-std::array<uint8_t, 16> IPAddress(uint8_t b0,
- uint8_t b1,
- uint8_t b2,
- uint8_t b3,
- uint8_t b4,
- uint8_t b5,
- uint8_t b6,
- uint8_t b7,
- uint8_t b8,
- uint8_t b9,
- uint8_t b10,
- uint8_t b11,
- uint8_t b12,
- uint8_t b13,
- uint8_t b14,
+std::array<uint8_t, 16> IPAddress(uint8_t b0, uint8_t b1, uint8_t b2,
+ uint8_t b3, uint8_t b4, uint8_t b5,
+ uint8_t b6, uint8_t b7, uint8_t b8,
+ uint8_t b9, uint8_t b10, uint8_t b11,
+ uint8_t b12, uint8_t b13, uint8_t b14,
uint8_t b15) {
return {b0, b1, b2, b3, b4, b5, b6, b7, b8, b9, b10, b11, b12, b13, b14, b15};
}
@@ -108,8 +94,7 @@
// Run the tests with the name constraints marked critical and non-critical. For
// supported name types, the results should be the same for both.
-INSTANTIATE_TEST_SUITE_P(InstantiationName,
- ParseNameConstraints,
+INSTANTIATE_TEST_SUITE_P(InstantiationName, ParseNameConstraints,
::testing::Values(true, false));
TEST_P(ParseNameConstraints, DNSNames) {
@@ -1915,4 +1900,4 @@
nullptr /* subject_alt_names */));
}
-} // namespace net
+} // namespace bssl
diff --git a/pki/nist_pkits_unittest.cc b/pki/nist_pkits_unittest.cc
index d062de8..309cb64 100644
--- a/pki/nist_pkits_unittest.cc
+++ b/pki/nist_pkits_unittest.cc
@@ -28,8 +28,8 @@
const uint8_t kTestPolicy6[] = {0x60, 0x86, 0x48, 0x01, 0x65,
0x03, 0x02, 0x01, 0x30, 0x06};
-void SetPolicySetFromString(const char* const policy_names,
- std::set<der::Input>* out) {
+void SetPolicySetFromString(const char *const policy_names,
+ std::set<der::Input> *out) {
out->clear();
std::istringstream stream(policy_names);
for (std::string line; std::getline(stream, line, ',');) {
@@ -69,7 +69,7 @@
SetUserConstrainedPolicySet("NIST-test-policy-1");
}
-PkitsTestInfo::PkitsTestInfo(const PkitsTestInfo& other) = default;
+PkitsTestInfo::PkitsTestInfo(const PkitsTestInfo &other) = default;
PkitsTestInfo::~PkitsTestInfo() = default;
@@ -88,13 +88,13 @@
b ? InitialAnyPolicyInhibit::kTrue : InitialAnyPolicyInhibit::kFalse;
}
-void PkitsTestInfo::SetInitialPolicySet(const char* const policy_names) {
+void PkitsTestInfo::SetInitialPolicySet(const char *const policy_names) {
SetPolicySetFromString(policy_names, &initial_policy_set);
}
void PkitsTestInfo::SetUserConstrainedPolicySet(
- const char* const policy_names) {
+ const char *const policy_names) {
SetPolicySetFromString(policy_names, &user_constrained_policy_set);
}
-} // namespace net
+} // namespace bssl
diff --git a/pki/nist_pkits_unittest.h b/pki/nist_pkits_unittest.h
index 279fb29..5f9219c 100644
--- a/pki/nist_pkits_unittest.h
+++ b/pki/nist_pkits_unittest.h
@@ -7,9 +7,9 @@
#include <set>
-#include "test_helpers.h"
-#include "parse_values.h"
#include <gtest/gtest.h>
+#include "parse_values.h"
+#include "test_helpers.h"
namespace bssl {
@@ -18,7 +18,7 @@
struct PkitsTestInfo {
// Default construction results in the "default settings".
PkitsTestInfo();
- PkitsTestInfo(const PkitsTestInfo& other);
+ PkitsTestInfo(const PkitsTestInfo &other);
~PkitsTestInfo();
// Sets |initial_policy_set| to the specified policies. The
@@ -26,14 +26,14 @@
// "anyPolicy" and "NIST-test-policy-1".
//
// If this isn't called, the default is "anyPolicy".
- void SetInitialPolicySet(const char* const policy_names);
+ void SetInitialPolicySet(const char *const policy_names);
// Sets |user_constrained_policy_set| to the specified policies. The
// policies are described as comma-separated symbolic strings like
// "anyPolicy" and "NIST-test-policy-1".
//
// If this isn't called, the default is "NIST-test-policy-1".
- void SetUserConstrainedPolicySet(const char* const policy_names);
+ void SetUserConstrainedPolicySet(const char *const policy_names);
void SetInitialExplicitPolicy(bool b);
void SetInitialPolicyMappingInhibit(bool b);
@@ -44,7 +44,7 @@
// ----------------
// The PKITS test number. For example, "4.1.1".
- const char* test_number = nullptr;
+ const char *test_number = nullptr;
// ----------------
// Inputs
@@ -85,9 +85,9 @@
class PkitsTest : public ::testing::Test {
public:
template <size_t num_certs, size_t num_crls>
- void RunTest(const char* const (&cert_names)[num_certs],
- const char* const (&crl_names)[num_crls],
- const PkitsTestInfo& info) {
+ void RunTest(const char *const (&cert_names)[num_certs],
+ const char *const (&crl_names)[num_crls],
+ const PkitsTestInfo &info) {
std::vector<std::string> cert_ders;
for (const std::string s : cert_names) {
cert_ders.push_back(bssl::ReadTestFileToString(
@@ -95,8 +95,8 @@
}
std::vector<std::string> crl_ders;
for (const std::string s : crl_names) {
- crl_ders.push_back(bssl::ReadTestFileToString(
- "testdata/nist-pkits/crls/" + s + ".crl"));
+ crl_ders.push_back(
+ bssl::ReadTestFileToString("testdata/nist-pkits/crls/" + s + ".crl"));
}
std::string_view test_number = info.test_number;
@@ -144,6 +144,6 @@
// Inline the generated test code:
#include "testdata/nist-pkits/pkits_testcases-inl.h"
-} // namespace net
+} // namespace bssl
#endif // BSSL_PKI_NIST_PKITS_UNITTEST_H_
diff --git a/pki/ocsp.cc b/pki/ocsp.cc
index 5ccf2e2..ed0d2ce 100644
--- a/pki/ocsp.cc
+++ b/pki/ocsp.cc
@@ -4,6 +4,11 @@
#include "ocsp.h"
+#include <openssl/bytestring.h>
+#include <openssl/digest.h>
+#include <openssl/mem.h>
+#include <openssl/pool.h>
+#include <openssl/sha.h>
#include "cert_errors.h"
#include "extended_key_usage.h"
#include "parsed_certificate.h"
@@ -11,11 +16,6 @@
#include "string_util.h"
#include "verify_name_match.h"
#include "verify_signed_data.h"
-#include <openssl/bytestring.h>
-#include <openssl/digest.h>
-#include <openssl/mem.h>
-#include <openssl/pool.h>
-#include <openssl/sha.h>
namespace bssl {
@@ -37,7 +37,7 @@
// issuerKeyHash OCTET STRING, -- Hash of issuer's public key
// serialNumber CertificateSerialNumber
// }
-bool ParseOCSPCertID(const der::Input& raw_tlv, OCSPCertID* out) {
+bool ParseOCSPCertID(const der::Input &raw_tlv, OCSPCertID *out) {
der::Parser outer_parser(raw_tlv);
der::Parser parser;
if (!outer_parser.ReadSequence(&parser))
@@ -73,7 +73,7 @@
// revocationTime GeneralizedTime,
// revocationReason [0] EXPLICIT CRLReason OPTIONAL
// }
-bool ParseRevokedInfo(const der::Input& raw_tlv, OCSPCertStatus* out) {
+bool ParseRevokedInfo(const der::Input &raw_tlv, OCSPCertStatus *out) {
der::Parser parser(raw_tlv);
if (!parser.ReadGeneralizedTime(&(out->revocation_time)))
return false;
@@ -116,7 +116,7 @@
// }
//
// UnknownInfo ::= NULL
-bool ParseCertStatus(const der::Input& raw_tlv, OCSPCertStatus* out) {
+bool ParseCertStatus(const der::Input &raw_tlv, OCSPCertStatus *out) {
der::Parser parser(raw_tlv);
der::Tag status_tag;
der::Input status;
@@ -141,9 +141,8 @@
// Writes the hash of |value| as an OCTET STRING to |cbb|, using |hash_type| as
// the algorithm. Returns true on success.
-bool AppendHashAsOctetString(const EVP_MD* hash_type,
- CBB* cbb,
- const der::Input& value) {
+bool AppendHashAsOctetString(const EVP_MD *hash_type, CBB *cbb,
+ const der::Input &value) {
CBB octet_string;
unsigned hash_len;
uint8_t hash_buffer[EVP_MAX_MD_SIZE];
@@ -163,8 +162,8 @@
// nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL,
// singleExtensions [1] EXPLICIT Extensions OPTIONAL
// }
-bool ParseOCSPSingleResponse(const der::Input& raw_tlv,
- OCSPSingleResponse* out) {
+bool ParseOCSPSingleResponse(const der::Input &raw_tlv,
+ OCSPSingleResponse *out) {
der::Parser outer_parser(raw_tlv);
der::Parser parser;
if (!outer_parser.ReadSequence(&parser))
@@ -212,8 +211,8 @@
// byName [1] Name,
// byKey [2] KeyHash
// }
-bool ParseResponderID(const der::Input& raw_tlv,
- OCSPResponseData::ResponderID* out) {
+bool ParseResponderID(const der::Input &raw_tlv,
+ OCSPResponseData::ResponderID *out) {
der::Parser parser(raw_tlv);
der::Tag id_tag;
der::Input id_input;
@@ -250,7 +249,7 @@
// responses SEQUENCE OF SingleResponse,
// responseExtensions [1] EXPLICIT Extensions OPTIONAL
// }
-bool ParseOCSPResponseData(const der::Input& raw_tlv, OCSPResponseData* out) {
+bool ParseOCSPResponseData(const der::Input &raw_tlv, OCSPResponseData *out) {
der::Parser outer_parser(raw_tlv);
der::Parser parser;
if (!outer_parser.ReadSequence(&parser))
@@ -320,7 +319,7 @@
// signature BIT STRING,
// certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL
// }
-bool ParseBasicOCSPResponse(const der::Input& raw_tlv, OCSPResponse* out) {
+bool ParseBasicOCSPResponse(const der::Input &raw_tlv, OCSPResponse *out) {
der::Parser outer_parser(raw_tlv);
der::Parser parser;
if (!outer_parser.ReadSequence(&parser))
@@ -379,7 +378,7 @@
// responseType OBJECT IDENTIFIER,
// response OCTET STRING
// }
-bool ParseOCSPResponse(const der::Input& raw_tlv, OCSPResponse* out) {
+bool ParseOCSPResponse(const der::Input &raw_tlv, OCSPResponse *out) {
der::Parser outer_parser(raw_tlv);
der::Parser parser;
if (!outer_parser.ReadSequence(&parser))
@@ -436,9 +435,8 @@
namespace {
// Checks that the |type| hash of |value| is equal to |hash|
-bool VerifyHash(const EVP_MD* type,
- const der::Input& hash,
- const der::Input& value) {
+bool VerifyHash(const EVP_MD *type, const der::Input &hash,
+ const der::Input &value) {
unsigned value_hash_len;
uint8_t value_hash[EVP_MAX_MD_SIZE];
if (!EVP_Digest(value.UnsafeData(), value.Length(), value_hash,
@@ -464,7 +462,7 @@
// algorithm OBJECT IDENTIFIER,
// parameters ANY DEFINED BY algorithm OPTIONAL }
//
-bool GetSubjectPublicKeyBytes(const der::Input& spki_tlv, der::Input* spk_tlv) {
+bool GetSubjectPublicKeyBytes(const der::Input &spki_tlv, der::Input *spk_tlv) {
CBS outer, inner, alg, spk;
uint8_t unused_bit_count;
CBS_init(&outer, spki_tlv.UnsafeData(), spki_tlv.Length());
@@ -484,10 +482,9 @@
// Checks the OCSPCertID |id| identifies |certificate|.
bool CheckCertIDMatchesCertificate(
- const OCSPCertID& id,
- const ParsedCertificate* certificate,
- const ParsedCertificate* issuer_certificate) {
- const EVP_MD* type = nullptr;
+ const OCSPCertID &id, const ParsedCertificate *certificate,
+ const ParsedCertificate *issuer_certificate) {
+ const EVP_MD *type = nullptr;
switch (id.hash_algorithm) {
case DigestAlgorithm::Md2:
case DigestAlgorithm::Md4:
@@ -538,7 +535,7 @@
CertErrors errors;
return ParsedCertificate::Create(
bssl::UniquePtr<CRYPTO_BUFFER>(CRYPTO_BUFFER_new(
- reinterpret_cast<const uint8_t*>(der.data()), der.size(), nullptr)),
+ reinterpret_cast<const uint8_t *>(der.data()), der.size(), nullptr)),
{}, &errors);
}
@@ -546,8 +543,7 @@
// by verifying the name matches that of the certificate or that the hash
// matches the certificate's public key hash (RFC 6960, 4.2.2.3).
[[nodiscard]] bool CheckResponderIDMatchesCertificate(
- const OCSPResponseData::ResponderID& id,
- const ParsedCertificate* cert) {
+ const OCSPResponseData::ResponderID &id, const ParsedCertificate *cert) {
switch (id.type) {
case OCSPResponseData::ResponderType::NAME: {
der::Input name_rdn;
@@ -579,8 +575,8 @@
// signature and EKU. Can full RFC 5280 validation be used, or are there
// compatibility concerns?
[[nodiscard]] bool VerifyAuthorizedResponderCert(
- const ParsedCertificate* responder_certificate,
- const ParsedCertificate* issuer_certificate) {
+ const ParsedCertificate *responder_certificate,
+ const ParsedCertificate *issuer_certificate) {
// The Authorized Responder must be directly signed by the issuer of the
// certificate being checked.
// TODO(eroman): Must check the signature algorithm against policy.
@@ -598,7 +594,7 @@
if (!responder_certificate->has_extended_key_usage())
return false;
- for (const auto& key_purpose_oid :
+ for (const auto &key_purpose_oid :
responder_certificate->extended_key_usage()) {
if (key_purpose_oid == der::Input(kOCSPSigning))
return true;
@@ -607,8 +603,7 @@
}
[[nodiscard]] bool VerifyOCSPResponseSignatureGivenCert(
- const OCSPResponse& response,
- const ParsedCertificate* cert) {
+ const OCSPResponse &response, const ParsedCertificate *cert) {
// TODO(eroman): Must check the signature algorithm against policy.
return VerifySignedData(response.signature_algorithm, response.data,
response.signature, cert->tbs().spki_tlv,
@@ -619,9 +614,8 @@
// |issuer_certificate|, or an authorized responder issued by
// |issuer_certificate| for OCSP signing.
[[nodiscard]] bool VerifyOCSPResponseSignature(
- const OCSPResponse& response,
- const OCSPResponseData& response_data,
- const ParsedCertificate* issuer_certificate) {
+ const OCSPResponse &response, const OCSPResponseData &response_data,
+ const ParsedCertificate *issuer_certificate) {
// In order to verify the OCSP signature, a valid responder matching the OCSP
// Responder ID must be located (RFC 6960, 4.2.2.2). The responder is allowed
// to be either the certificate issuer or a delegated authority directly
@@ -637,7 +631,7 @@
// (1) Matches the OCSP Responder ID.
// (2) Has been given authority for OCSP signing by |issuer_certificate|.
// (3) Has signed the OCSP response using its public key.
- for (const auto& responder_cert_tlv : response.certs) {
+ for (const auto &responder_cert_tlv : response.certs) {
std::shared_ptr<const ParsedCertificate> cur_responder_certificate =
OCSPParseCertificate(responder_cert_tlv.AsStringView());
@@ -674,15 +668,15 @@
// Parse ResponseData and return false if any unhandled critical extensions are
// found. No known critical ResponseData extensions exist.
bool ParseOCSPResponseDataExtensions(
- const der::Input& response_extensions,
- OCSPVerifyResult::ResponseStatus* response_details) {
+ const der::Input &response_extensions,
+ OCSPVerifyResult::ResponseStatus *response_details) {
std::map<der::Input, ParsedExtension> extensions;
if (!ParseExtensions(response_extensions, &extensions)) {
*response_details = OCSPVerifyResult::PARSE_RESPONSE_DATA_ERROR;
return false;
}
- for (const auto& ext : extensions) {
+ for (const auto &ext : extensions) {
// TODO: handle ResponseData extensions
if (ext.second.critical) {
@@ -699,8 +693,8 @@
// to be marked critical, but since it is handled by Chrome, we will overlook
// the flag setting.
bool ParseOCSPSingleResponseExtensions(
- const der::Input& single_extensions,
- OCSPVerifyResult::ResponseStatus* response_details) {
+ const der::Input &single_extensions,
+ OCSPVerifyResult::ResponseStatus *response_details) {
std::map<der::Input, ParsedExtension> extensions;
if (!ParseExtensions(single_extensions, &extensions)) {
*response_details = OCSPVerifyResult::PARSE_RESPONSE_DATA_ERROR;
@@ -714,7 +708,7 @@
0xD6, 0x79, 0x02, 0x04, 0x05};
der::Input ct_ext_oid(ct_ocsp_ext_oid);
- for (const auto& ext : extensions) {
+ for (const auto &ext : extensions) {
// The CT OCSP extension is handled in ct::ExtractSCTListFromOCSPResponse
if (ext.second.oid == ct_ext_oid)
continue;
@@ -732,16 +726,14 @@
// Loops through the OCSPSingleResponses to find the best match for |cert|.
OCSPRevocationStatus GetRevocationStatusForCert(
- const OCSPResponseData& response_data,
- const ParsedCertificate* cert,
- const ParsedCertificate* issuer_certificate,
- int64_t verify_time_epoch_seconds,
- std::optional<int64_t> max_age_seconds,
- OCSPVerifyResult::ResponseStatus* response_details) {
+ const OCSPResponseData &response_data, const ParsedCertificate *cert,
+ const ParsedCertificate *issuer_certificate,
+ int64_t verify_time_epoch_seconds, std::optional<int64_t> max_age_seconds,
+ OCSPVerifyResult::ResponseStatus *response_details) {
OCSPRevocationStatus result = OCSPRevocationStatus::UNKNOWN;
*response_details = OCSPVerifyResult::NO_MATCHING_RESPONSE;
- for (const auto& single_response_der : response_data.responses) {
+ for (const auto &single_response_der : response_data.responses) {
// In the common case, there should only be one SingleResponse in the
// ResponseData (matching the certificate requested and used on this
// connection). However, it is possible for the OCSP responder to provide
@@ -795,14 +787,12 @@
}
OCSPRevocationStatus CheckOCSP(
- std::string_view raw_response,
- std::string_view certificate_der,
- const ParsedCertificate* certificate,
+ std::string_view raw_response, std::string_view certificate_der,
+ const ParsedCertificate *certificate,
std::string_view issuer_certificate_der,
- const ParsedCertificate* issuer_certificate,
- int64_t verify_time_epoch_seconds,
- std::optional<int64_t> max_age_seconds,
- OCSPVerifyResult::ResponseStatus* response_details) {
+ const ParsedCertificate *issuer_certificate,
+ int64_t verify_time_epoch_seconds, std::optional<int64_t> max_age_seconds,
+ OCSPVerifyResult::ResponseStatus *response_details) {
*response_details = OCSPVerifyResult::NOT_CHECKED;
if (raw_response.empty()) {
@@ -899,33 +889,29 @@
} // namespace
OCSPRevocationStatus CheckOCSP(
- std::string_view raw_response,
- std::string_view certificate_der,
- std::string_view issuer_certificate_der,
- int64_t verify_time_epoch_seconds,
+ std::string_view raw_response, std::string_view certificate_der,
+ std::string_view issuer_certificate_der, int64_t verify_time_epoch_seconds,
std::optional<int64_t> max_age_seconds,
- OCSPVerifyResult::ResponseStatus* response_details) {
+ OCSPVerifyResult::ResponseStatus *response_details) {
return CheckOCSP(raw_response, certificate_der, nullptr,
issuer_certificate_der, nullptr, verify_time_epoch_seconds,
max_age_seconds, response_details);
}
OCSPRevocationStatus CheckOCSP(
- std::string_view raw_response,
- const ParsedCertificate* certificate,
- const ParsedCertificate* issuer_certificate,
- int64_t verify_time_epoch_seconds,
- std::optional<int64_t> max_age_seconds,
- OCSPVerifyResult::ResponseStatus* response_details) {
+ std::string_view raw_response, const ParsedCertificate *certificate,
+ const ParsedCertificate *issuer_certificate,
+ int64_t verify_time_epoch_seconds, std::optional<int64_t> max_age_seconds,
+ OCSPVerifyResult::ResponseStatus *response_details) {
return CheckOCSP(raw_response, std::string_view(), certificate,
std::string_view(), issuer_certificate,
verify_time_epoch_seconds, max_age_seconds,
response_details);
}
-bool CreateOCSPRequest(const ParsedCertificate* cert,
- const ParsedCertificate* issuer,
- std::vector<uint8_t>* request_der) {
+bool CreateOCSPRequest(const ParsedCertificate *cert,
+ const ParsedCertificate *issuer,
+ std::vector<uint8_t> *request_der) {
request_der->clear();
bssl::ScopedCBB cbb;
@@ -979,7 +965,7 @@
// serialNumber CertificateSerialNumber }
// TODO(eroman): Don't use SHA1.
- const EVP_MD* md = EVP_sha1();
+ const EVP_MD *md = EVP_sha1();
if (!EVP_marshal_digest_algorithm(&req_cert, md))
return false;
@@ -998,7 +984,7 @@
return false;
}
- uint8_t* result_bytes;
+ uint8_t *result_bytes;
size_t result_bytes_length;
if (!CBB_finish(cbb.get(), &result_bytes, &result_bytes_length))
return false;
@@ -1015,8 +1001,7 @@
// GET {url}/{url-encoding of base-64 encoding of the DER encoding of
// the OCSPRequest}
std::optional<std::string> CreateOCSPGetURL(
- const ParsedCertificate* cert,
- const ParsedCertificate* issuer,
+ const ParsedCertificate *cert, const ParsedCertificate *issuer,
std::string_view ocsp_responder_url) {
std::vector<uint8_t> ocsp_request_der;
if (!CreateOCSPRequest(cert, issuer, &ocsp_request_der)) {
@@ -1048,4 +1033,4 @@
return std::string(ocsp_responder_url) + "/" + b64_encoded;
}
-} // namespace net
+} // namespace bssl
diff --git a/pki/ocsp.h b/pki/ocsp.h
index 69c41c8..334da79 100644
--- a/pki/ocsp.h
+++ b/pki/ocsp.h
@@ -5,19 +5,19 @@
#ifndef BSSL_PKI_OCSP_H_
#define BSSL_PKI_OCSP_H_
-#include "fillins/openssl_util.h"
#include <memory>
#include <string>
#include <vector>
+#include "fillins/openssl_util.h"
+#include <optional>
+#include "input.h"
#include "ocsp_revocation_status.h"
#include "ocsp_verify_result.h"
-#include "signature_algorithm.h"
-#include "input.h"
#include "parse_values.h"
#include "parser.h"
-#include <optional>
+#include "signature_algorithm.h"
namespace bssl {
@@ -230,8 +230,7 @@
//
// On failure |out| has an undefined state. Some of its fields may have been
// updated during parsing, whereas others may not have been changed.
-OPENSSL_EXPORT bool ParseOCSPCertID(const der::Input& raw_tlv,
- OCSPCertID* out);
+OPENSSL_EXPORT bool ParseOCSPCertID(const der::Input &raw_tlv, OCSPCertID *out);
// Parses a DER-encoded OCSP "SingleResponse" as specified by RFC 6960. Returns
// true on success and sets the results in |out|. The resulting |out|
@@ -240,8 +239,8 @@
//
// On failure |out| has an undefined state. Some of its fields may have been
// updated during parsing, whereas others may not have been changed.
-OPENSSL_EXPORT bool ParseOCSPSingleResponse(const der::Input& raw_tlv,
- OCSPSingleResponse* out);
+OPENSSL_EXPORT bool ParseOCSPSingleResponse(const der::Input &raw_tlv,
+ OCSPSingleResponse *out);
// Parses a DER-encoded OCSP "ResponseData" as specified by RFC 6960. Returns
// true on success and sets the results in |out|. The resulting |out|
@@ -250,8 +249,8 @@
//
// On failure |out| has an undefined state. Some of its fields may have been
// updated during parsing, whereas others may not have been changed.
-OPENSSL_EXPORT bool ParseOCSPResponseData(const der::Input& raw_tlv,
- OCSPResponseData* out);
+OPENSSL_EXPORT bool ParseOCSPResponseData(const der::Input &raw_tlv,
+ OCSPResponseData *out);
// Parses a DER-encoded "OCSPResponse" as specified by RFC 6960. Returns true
// on success and sets the results in |out|. The resulting |out|
@@ -260,8 +259,8 @@
//
// On failure |out| has an undefined state. Some of its fields may have been
// updated during parsing, whereas others may not have been changed.
-OPENSSL_EXPORT bool ParseOCSPResponse(const der::Input& raw_tlv,
- OCSPResponse* out);
+OPENSSL_EXPORT bool ParseOCSPResponse(const der::Input &raw_tlv,
+ OCSPResponse *out);
// Checks the revocation status of the certificate |certificate_der| by using
// the DER-encoded |raw_response|.
@@ -279,26 +278,22 @@
// time since the |thisUpdate| field in the CRL TBSCertList. Responses
// older than |max_age_seconds| will be considered invalid.
// * |response_details|: Additional details about failures.
-[[nodiscard]] OPENSSL_EXPORT OCSPRevocationStatus
-CheckOCSP(std::string_view raw_response,
- std::string_view certificate_der,
- std::string_view issuer_certificate_der,
- int64_t verify_time_epoch_seconds,
- std::optional<int64_t> max_age_seconds,
- OCSPVerifyResult::ResponseStatus* response_details);
+[[nodiscard]] OPENSSL_EXPORT OCSPRevocationStatus CheckOCSP(
+ std::string_view raw_response, std::string_view certificate_der,
+ std::string_view issuer_certificate_der, int64_t verify_time_epoch_seconds,
+ std::optional<int64_t> max_age_seconds,
+ OCSPVerifyResult::ResponseStatus *response_details);
// Checks the revocation status of |certificate| by using the DER-encoded
// |raw_response|.
//
// Arguments are the same as above, except that it takes already parsed
// instances of the certificate and issuer certificate.
-[[nodiscard]] OPENSSL_EXPORT OCSPRevocationStatus
-CheckOCSP(std::string_view raw_response,
- const ParsedCertificate* certificate,
- const ParsedCertificate* issuer_certificate,
- int64_t verify_time_epoch_seconds,
- std::optional<int64_t> max_age_seconds,
- OCSPVerifyResult::ResponseStatus* response_details);
+[[nodiscard]] OPENSSL_EXPORT OCSPRevocationStatus CheckOCSP(
+ std::string_view raw_response, const ParsedCertificate *certificate,
+ const ParsedCertificate *issuer_certificate,
+ int64_t verify_time_epoch_seconds, std::optional<int64_t> max_age_seconds,
+ OCSPVerifyResult::ResponseStatus *response_details);
// Creates a DER-encoded OCSPRequest for |cert|. The request is fairly basic:
// * No signature
@@ -307,16 +302,15 @@
// * Uses SHA1 for all hashes.
//
// Returns true on success and fills |request_der| with the resulting bytes.
-OPENSSL_EXPORT bool CreateOCSPRequest(const ParsedCertificate* cert,
- const ParsedCertificate* issuer,
- std::vector<uint8_t>* request_der);
+OPENSSL_EXPORT bool CreateOCSPRequest(const ParsedCertificate *cert,
+ const ParsedCertificate *issuer,
+ std::vector<uint8_t> *request_der);
// Creates a URL to issue a GET request for OCSP information for |cert|.
OPENSSL_EXPORT std::optional<std::string> CreateOCSPGetURL(
- const ParsedCertificate* cert,
- const ParsedCertificate* issuer,
+ const ParsedCertificate *cert, const ParsedCertificate *issuer,
std::string_view ocsp_responder_url);
-} // namespace net
+} // namespace bssl
#endif // BSSL_PKI_OCSP_H_
diff --git a/pki/ocsp_revocation_status.h b/pki/ocsp_revocation_status.h
index b4d30ca..2816aad 100644
--- a/pki/ocsp_revocation_status.h
+++ b/pki/ocsp_revocation_status.h
@@ -16,6 +16,6 @@
MAX_VALUE = UNKNOWN
};
-} // namespace net
+} // namespace bssl
#endif // BSSL_PKI_OCSP_REVOCATION_STATUS_H_
diff --git a/pki/ocsp_unittest.cc b/pki/ocsp_unittest.cc
index 06a012b..98ae8dd 100644
--- a/pki/ocsp_unittest.cc
+++ b/pki/ocsp_unittest.cc
@@ -4,12 +4,12 @@
#include "ocsp.h"
-#include "string_util.h"
-#include "test_helpers.h"
-#include "encode_values.h"
#include <gtest/gtest.h>
#include <openssl/base64.h>
#include <openssl/pool.h>
+#include "encode_values.h"
+#include "string_util.h"
+#include "test_helpers.h"
namespace bssl {
@@ -17,7 +17,7 @@
constexpr int64_t kOCSPAgeOneWeek = 7 * 24 * 60 * 60;
-std::string GetFilePath(const std::string& file_name) {
+std::string GetFilePath(const std::string &file_name) {
return std::string("testdata/ocsp_unittest/") + file_name;
}
@@ -25,13 +25,14 @@
std::string_view data) {
CertErrors errors;
return ParsedCertificate::Create(
- bssl::UniquePtr<CRYPTO_BUFFER>(CRYPTO_BUFFER_new(
- reinterpret_cast<const uint8_t*>(data.data()), data.size(), nullptr)),
+ bssl::UniquePtr<CRYPTO_BUFFER>(
+ CRYPTO_BUFFER_new(reinterpret_cast<const uint8_t *>(data.data()),
+ data.size(), nullptr)),
{}, &errors);
}
struct TestParams {
- const char* file_name;
+ const char *file_name;
OCSPRevocationStatus expected_revocation_status;
OCSPVerifyResult::ResponseStatus expected_response_status;
};
@@ -122,7 +123,7 @@
// Parameterised test name generator for tests depending on RenderTextBackend.
struct PrintTestName {
- std::string operator()(const testing::TestParamInfo<TestParams>& info) const {
+ std::string operator()(const testing::TestParamInfo<TestParams> &info) const {
std::string_view name(info.param.file_name);
// Strip ".pem" from the end as GTest names cannot contain period.
name.remove_suffix(4);
@@ -130,13 +131,11 @@
}
};
-INSTANTIATE_TEST_SUITE_P(All,
- CheckOCSPTest,
- ::testing::ValuesIn(kTestParams),
+INSTANTIATE_TEST_SUITE_P(All, CheckOCSPTest, ::testing::ValuesIn(kTestParams),
PrintTestName());
TEST_P(CheckOCSPTest, FromFile) {
- const TestParams& params = GetParam();
+ const TestParams ¶ms = GetParam();
std::string ocsp_data;
std::string ca_data;
@@ -187,8 +186,7 @@
class CreateOCSPGetURLTest : public ::testing::TestWithParam<std::string_view> {
};
-INSTANTIATE_TEST_SUITE_P(All,
- CreateOCSPGetURLTest,
+INSTANTIATE_TEST_SUITE_P(All, CreateOCSPGetURLTest,
::testing::ValuesIn(kGetURLTestParams));
TEST_P(CreateOCSPGetURLTest, Basic) {
@@ -232,7 +230,7 @@
EXPECT_TRUE(EVP_DecodedLength(&len, b64.size()));
std::vector<uint8_t> decoded(len);
EXPECT_TRUE(EVP_DecodeBase64(decoded.data(), &len, len,
- reinterpret_cast<const uint8_t*>(b64.data()),
+ reinterpret_cast<const uint8_t *>(b64.data()),
b64.size()));
std::string decoded_string(decoded.begin(), decoded.begin() + len);
@@ -241,4 +239,4 @@
} // namespace
-} // namespace net
+} // namespace bssl
diff --git a/pki/ocsp_verify_result.cc b/pki/ocsp_verify_result.cc
index b68bfdc..30ab6ca 100644
--- a/pki/ocsp_verify_result.cc
+++ b/pki/ocsp_verify_result.cc
@@ -7,10 +7,10 @@
namespace bssl {
OCSPVerifyResult::OCSPVerifyResult() = default;
-OCSPVerifyResult::OCSPVerifyResult(const OCSPVerifyResult&) = default;
+OCSPVerifyResult::OCSPVerifyResult(const OCSPVerifyResult &) = default;
OCSPVerifyResult::~OCSPVerifyResult() = default;
-bool OCSPVerifyResult::operator==(const OCSPVerifyResult& other) const {
+bool OCSPVerifyResult::operator==(const OCSPVerifyResult &other) const {
if (response_status != other.response_status)
return false;
@@ -21,4 +21,4 @@
return true;
}
-} // namespace net
+} // namespace bssl
diff --git a/pki/ocsp_verify_result.h b/pki/ocsp_verify_result.h
index 32998fa..4f5b9e2 100644
--- a/pki/ocsp_verify_result.h
+++ b/pki/ocsp_verify_result.h
@@ -20,10 +20,10 @@
// verification process, and should not be modified at other layers.
struct OPENSSL_EXPORT OCSPVerifyResult {
OCSPVerifyResult();
- OCSPVerifyResult(const OCSPVerifyResult&);
+ OCSPVerifyResult(const OCSPVerifyResult &);
~OCSPVerifyResult();
- bool operator==(const OCSPVerifyResult& other) const;
+ bool operator==(const OCSPVerifyResult &other) const;
// This value is histogrammed, so do not re-order or change values, and add
// new values at the end.
@@ -71,6 +71,6 @@
OCSPRevocationStatus revocation_status = OCSPRevocationStatus::UNKNOWN;
};
-} // namespace net
+} // namespace bssl
#endif // BSSL_PKI_OCSP_VERIFY_RESULT_H_
diff --git a/pki/parse_certificate.cc b/pki/parse_certificate.cc
index c201736..6894b23 100644
--- a/pki/parse_certificate.cc
+++ b/pki/parse_certificate.cc
@@ -2,19 +2,19 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#include "fillins/openssl_util.h"
#include "parse_certificate.h"
+#include "fillins/openssl_util.h"
#include <utility>
+#include <optional>
#include "cert_error_params.h"
#include "cert_errors.h"
#include "general_names.h"
-#include "string_util.h"
#include "input.h"
#include "parse_values.h"
#include "parser.h"
-#include <optional>
+#include "string_util.h"
namespace bssl {
@@ -73,7 +73,7 @@
"Serial number is not a valid INTEGER");
// Returns true if |input| is a SEQUENCE and nothing else.
-[[nodiscard]] bool IsSequenceTLV(const der::Input& input) {
+[[nodiscard]] bool IsSequenceTLV(const der::Input &input) {
der::Parser parser(input);
der::Parser unused_sequence_parser;
if (!parser.ReadSequence(&unused_sequence_parser))
@@ -84,7 +84,7 @@
// Reads a SEQUENCE from |parser| and writes the full tag-length-value into
// |out|. On failure |parser| may or may not have been advanced.
-[[nodiscard]] bool ReadSequenceTLV(der::Parser* parser, der::Input* out) {
+[[nodiscard]] bool ReadSequenceTLV(der::Parser *parser, der::Input *out) {
return parser->ReadRawTLV(out) && IsSequenceTLV(*out);
}
@@ -99,8 +99,8 @@
// Implementations SHOULD be prepared to accept any version certificate.
// At a minimum, conforming implementations MUST recognize version 3
// certificates.
-[[nodiscard]] bool ParseVersion(const der::Input& in,
- CertificateVersion* version) {
+[[nodiscard]] bool ParseVersion(const der::Input &in,
+ CertificateVersion *version) {
der::Parser parser(in);
uint64_t version64;
if (!parser.ReadUint64(&version64))
@@ -127,7 +127,7 @@
}
// Returns true if every bit in |bits| is zero (including empty).
-[[nodiscard]] bool BitStringIsAllZeros(const der::BitString& bits) {
+[[nodiscard]] bool BitStringIsAllZeros(const der::BitString &bits) {
// Note that it is OK to read from the unused bits, since BitString parsing
// guarantees they are all zero.
for (size_t i = 0; i < bits.bytes().Length(); ++i) {
@@ -145,8 +145,8 @@
// DistributionPointName ::= CHOICE {
// fullName [0] GeneralNames,
// nameRelativeToCRLIssuer [1] RelativeDistinguishedName }
-bool ParseDistributionPointName(const der::Input& dp_name,
- ParsedDistributionPoint* distribution_point) {
+bool ParseDistributionPointName(const der::Input &dp_name,
+ ParsedDistributionPoint *distribution_point) {
der::Parser parser(dp_name);
std::optional<der::Input> der_full_name;
if (!parser.ReadOptionalTag(
@@ -185,8 +185,8 @@
// reasons [1] ReasonFlags OPTIONAL,
// cRLIssuer [2] GeneralNames OPTIONAL }
bool ParseAndAddDistributionPoint(
- der::Parser* parser,
- std::vector<ParsedDistributionPoint>* distribution_points) {
+ der::Parser *parser,
+ std::vector<ParsedDistributionPoint> *distribution_points) {
ParsedDistributionPoint distribution_point;
// DistributionPoint ::= SEQUENCE {
@@ -238,14 +238,13 @@
ParsedTbsCertificate::ParsedTbsCertificate() = default;
-ParsedTbsCertificate::ParsedTbsCertificate(ParsedTbsCertificate&& other) =
+ParsedTbsCertificate::ParsedTbsCertificate(ParsedTbsCertificate &&other) =
default;
ParsedTbsCertificate::~ParsedTbsCertificate() = default;
-bool VerifySerialNumber(const der::Input& value,
- bool warnings_only,
- CertErrors* errors) {
+bool VerifySerialNumber(const der::Input &value, bool warnings_only,
+ CertErrors *errors) {
// If |warnings_only| was set to true, the exact same errors will be logged,
// only they will be logged with a lower severity (warning rather than error).
CertError::Severity error_severity =
@@ -282,7 +281,7 @@
return true;
}
-bool ReadUTCOrGeneralizedTime(der::Parser* parser, der::GeneralizedTime* out) {
+bool ReadUTCOrGeneralizedTime(der::Parser *parser, der::GeneralizedTime *out) {
der::Input value;
der::Tag tag;
@@ -299,9 +298,9 @@
return false;
}
-bool ParseValidity(const der::Input& validity_tlv,
- der::GeneralizedTime* not_before,
- der::GeneralizedTime* not_after) {
+bool ParseValidity(const der::Input &validity_tlv,
+ der::GeneralizedTime *not_before,
+ der::GeneralizedTime *not_after) {
der::Parser parser(validity_tlv);
// Validity ::= SEQUENCE {
@@ -333,11 +332,11 @@
return true;
}
-bool ParseCertificate(const der::Input& certificate_tlv,
- der::Input* out_tbs_certificate_tlv,
- der::Input* out_signature_algorithm_tlv,
- der::BitString* out_signature_value,
- CertErrors* out_errors) {
+bool ParseCertificate(const der::Input &certificate_tlv,
+ der::Input *out_tbs_certificate_tlv,
+ der::Input *out_signature_algorithm_tlv,
+ der::BitString *out_signature_value,
+ CertErrors *out_errors) {
// |out_errors| is optional. But ensure it is non-null for the remainder of
// this function.
CertErrors unused_errors;
@@ -407,10 +406,9 @@
// extensions [3] EXPLICIT Extensions OPTIONAL
// -- If present, version MUST be v3
// }
-bool ParseTbsCertificate(const der::Input& tbs_tlv,
- const ParseCertificateOptions& options,
- ParsedTbsCertificate* out,
- CertErrors* errors) {
+bool ParseTbsCertificate(const der::Input &tbs_tlv,
+ const ParseCertificateOptions &options,
+ ParsedTbsCertificate *out, CertErrors *errors) {
// The rest of this function assumes that |errors| is non-null.
CertErrors unused_errors;
if (!errors)
@@ -590,7 +588,7 @@
// -- corresponding to the extension type identified
// -- by extnID
// }
-bool ParseExtension(const der::Input& extension_tlv, ParsedExtension* out) {
+bool ParseExtension(const der::Input &extension_tlv, ParsedExtension *out) {
der::Parser parser(extension_tlv);
// Extension ::= SEQUENCE {
@@ -633,8 +631,8 @@
}
OPENSSL_EXPORT bool ParseExtensions(
- const der::Input& extensions_tlv,
- std::map<der::Input, ParsedExtension>* extensions) {
+ const der::Input &extensions_tlv,
+ std::map<der::Input, ParsedExtension> *extensions) {
der::Parser parser(extensions_tlv);
// Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
@@ -676,9 +674,9 @@
}
OPENSSL_EXPORT bool ConsumeExtension(
- const der::Input& oid,
- std::map<der::Input, ParsedExtension>* unconsumed_extensions,
- ParsedExtension* extension) {
+ const der::Input &oid,
+ std::map<der::Input, ParsedExtension> *unconsumed_extensions,
+ ParsedExtension *extension) {
auto it = unconsumed_extensions->find(oid);
if (it == unconsumed_extensions->end())
return false;
@@ -688,8 +686,8 @@
return true;
}
-bool ParseBasicConstraints(const der::Input& basic_constraints_tlv,
- ParsedBasicConstraints* out) {
+bool ParseBasicConstraints(const der::Input &basic_constraints_tlv,
+ ParsedBasicConstraints *out) {
der::Parser parser(basic_constraints_tlv);
// BasicConstraints ::= SEQUENCE {
@@ -741,7 +739,7 @@
// TODO(crbug.com/1314019): return std::optional<BitString> when converting
// has_key_usage_ and key_usage_ into single std::optional field.
-bool ParseKeyUsage(const der::Input& key_usage_tlv, der::BitString* key_usage) {
+bool ParseKeyUsage(const der::Input &key_usage_tlv, der::BitString *key_usage) {
der::Parser parser(key_usage_tlv);
std::optional<der::BitString> key_usage_internal = parser.ReadBitString();
if (!key_usage_internal)
@@ -763,8 +761,8 @@
}
bool ParseAuthorityInfoAccess(
- const der::Input& authority_info_access_tlv,
- std::vector<AuthorityInfoAccessDescription>* out_access_descriptions) {
+ const der::Input &authority_info_access_tlv,
+ std::vector<AuthorityInfoAccessDescription> *out_access_descriptions) {
der::Parser parser(authority_info_access_tlv);
out_access_descriptions->clear();
@@ -807,16 +805,16 @@
}
bool ParseAuthorityInfoAccessURIs(
- const der::Input& authority_info_access_tlv,
- std::vector<std::string_view>* out_ca_issuers_uris,
- std::vector<std::string_view>* out_ocsp_uris) {
+ const der::Input &authority_info_access_tlv,
+ std::vector<std::string_view> *out_ca_issuers_uris,
+ std::vector<std::string_view> *out_ocsp_uris) {
std::vector<AuthorityInfoAccessDescription> access_descriptions;
if (!ParseAuthorityInfoAccess(authority_info_access_tlv,
&access_descriptions)) {
return false;
}
- for (const auto& access_description : access_descriptions) {
+ for (const auto &access_description : access_descriptions) {
der::Parser access_location_parser(access_description.access_location);
der::Tag access_location_tag;
der::Input access_location_value;
@@ -843,12 +841,12 @@
ParsedDistributionPoint::ParsedDistributionPoint() = default;
ParsedDistributionPoint::ParsedDistributionPoint(
- ParsedDistributionPoint&& other) = default;
+ ParsedDistributionPoint &&other) = default;
ParsedDistributionPoint::~ParsedDistributionPoint() = default;
bool ParseCrlDistributionPoints(
- const der::Input& extension_value,
- std::vector<ParsedDistributionPoint>* distribution_points) {
+ const der::Input &extension_value,
+ std::vector<ParsedDistributionPoint> *distribution_points) {
distribution_points->clear();
// RFC 5280, section 4.2.1.13.
@@ -877,13 +875,13 @@
ParsedAuthorityKeyIdentifier::ParsedAuthorityKeyIdentifier() = default;
ParsedAuthorityKeyIdentifier::~ParsedAuthorityKeyIdentifier() = default;
ParsedAuthorityKeyIdentifier::ParsedAuthorityKeyIdentifier(
- ParsedAuthorityKeyIdentifier&& other) = default;
-ParsedAuthorityKeyIdentifier& ParsedAuthorityKeyIdentifier::operator=(
- ParsedAuthorityKeyIdentifier&& other) = default;
+ ParsedAuthorityKeyIdentifier &&other) = default;
+ParsedAuthorityKeyIdentifier &ParsedAuthorityKeyIdentifier::operator=(
+ ParsedAuthorityKeyIdentifier &&other) = default;
bool ParseAuthorityKeyIdentifier(
- const der::Input& extension_value,
- ParsedAuthorityKeyIdentifier* authority_key_identifier) {
+ const der::Input &extension_value,
+ ParsedAuthorityKeyIdentifier *authority_key_identifier) {
// RFC 5280, section 4.2.1.1.
// AuthorityKeyIdentifier ::= SEQUENCE {
// keyIdentifier [0] KeyIdentifier OPTIONAL,
@@ -937,8 +935,8 @@
return true;
}
-bool ParseSubjectKeyIdentifier(const der::Input& extension_value,
- der::Input* subject_key_identifier) {
+bool ParseSubjectKeyIdentifier(const der::Input &extension_value,
+ der::Input *subject_key_identifier) {
// SubjectKeyIdentifier ::= KeyIdentifier
//
// KeyIdentifier ::= OCTET STRING
@@ -955,4 +953,4 @@
return true;
}
-} // namespace net
+} // namespace bssl
diff --git a/pki/parse_certificate.h b/pki/parse_certificate.h
index 956c44e..d6171de 100644
--- a/pki/parse_certificate.h
+++ b/pki/parse_certificate.h
@@ -5,18 +5,18 @@
#ifndef BSSL_PKI_PARSE_CERTIFICATE_H_
#define BSSL_PKI_PARSE_CERTIFICATE_H_
-#include "fillins/openssl_util.h"
#include <stdint.h>
+#include "fillins/openssl_util.h"
#include <map>
#include <memory>
#include <vector>
+#include <optional>
#include "general_names.h"
#include "input.h"
#include "parse_values.h"
-#include <optional>
namespace bssl {
@@ -56,9 +56,9 @@
// |errors| must be a non-null destination for any errors/warnings. If
// |warnings_only| is set to true, then what would ordinarily be errors are
// instead added as warnings.
-[[nodiscard]] OPENSSL_EXPORT bool VerifySerialNumber(const der::Input& value,
- bool warnings_only,
- CertErrors* errors);
+[[nodiscard]] OPENSSL_EXPORT bool VerifySerialNumber(const der::Input &value,
+ bool warnings_only,
+ CertErrors *errors);
// Consumes a "Time" value (as defined by RFC 5280) from |parser|. On success
// writes the result to |*out| and returns true. On failure no guarantees are
@@ -70,8 +70,7 @@
// utcTime UTCTime,
// generalTime GeneralizedTime }
[[nodiscard]] OPENSSL_EXPORT bool ReadUTCOrGeneralizedTime(
- der::Parser* parser,
- der::GeneralizedTime* out);
+ der::Parser *parser, der::GeneralizedTime *out);
// Parses a DER-encoded "Validity" as specified by RFC 5280. Returns true on
// success and sets the results in |not_before| and |not_after|:
@@ -81,9 +80,9 @@
// notAfter Time }
//
// Note that upon success it is NOT guaranteed that |*not_before <= *not_after|.
-[[nodiscard]] OPENSSL_EXPORT bool ParseValidity(const der::Input& validity_tlv,
- der::GeneralizedTime* not_before,
- der::GeneralizedTime* not_after);
+[[nodiscard]] OPENSSL_EXPORT bool ParseValidity(
+ const der::Input &validity_tlv, der::GeneralizedTime *not_before,
+ der::GeneralizedTime *not_after);
struct OPENSSL_EXPORT ParseCertificateOptions {
// If set to true, then parsing will skip checks on the certificate's serial
@@ -131,11 +130,9 @@
//
// Parsing guarantees that this is a valid BIT STRING.
[[nodiscard]] OPENSSL_EXPORT bool ParseCertificate(
- const der::Input& certificate_tlv,
- der::Input* out_tbs_certificate_tlv,
- der::Input* out_signature_algorithm_tlv,
- der::BitString* out_signature_value,
- CertErrors* out_errors);
+ const der::Input &certificate_tlv, der::Input *out_tbs_certificate_tlv,
+ der::Input *out_signature_algorithm_tlv,
+ der::BitString *out_signature_value, CertErrors *out_errors);
// Parses a DER-encoded "TBSCertificate" as specified by RFC 5280. Returns true
// on success and sets the results in |out|. Certain invalid inputs may
@@ -170,10 +167,8 @@
// -- If present, version MUST be v3
// }
[[nodiscard]] OPENSSL_EXPORT bool ParseTbsCertificate(
- const der::Input& tbs_tlv,
- const ParseCertificateOptions& options,
- ParsedTbsCertificate* out,
- CertErrors* errors);
+ const der::Input &tbs_tlv, const ParseCertificateOptions &options,
+ ParsedTbsCertificate *out, CertErrors *errors);
// Represents a "Version" from RFC 5280:
// Version ::= INTEGER { v1(0), v2(1), v3(2) }
@@ -191,8 +186,8 @@
// sets.
struct OPENSSL_EXPORT ParsedTbsCertificate {
ParsedTbsCertificate();
- ParsedTbsCertificate(ParsedTbsCertificate&& other);
- ParsedTbsCertificate& operator=(ParsedTbsCertificate&& other) = default;
+ ParsedTbsCertificate(ParsedTbsCertificate &&other);
+ ParsedTbsCertificate &operator=(ParsedTbsCertificate &&other) = default;
~ParsedTbsCertificate();
// Corresponds with "version" from RFC 5280:
@@ -323,8 +318,8 @@
//
// On failure |out| has an undefined state. Some of its fields may have been
// updated during parsing, whereas others may not have been changed.
-[[nodiscard]] OPENSSL_EXPORT bool ParseExtension(const der::Input& extension_tlv,
- ParsedExtension* out);
+[[nodiscard]] OPENSSL_EXPORT bool ParseExtension(
+ const der::Input &extension_tlv, ParsedExtension *out);
// From RFC 5280:
//
@@ -436,16 +431,16 @@
// bytes in |extensions_tlv|, so that data must be kept alive.
// On failure |extensions| may be partially written to and should not be used.
[[nodiscard]] OPENSSL_EXPORT bool ParseExtensions(
- const der::Input& extensions_tlv,
- std::map<der::Input, ParsedExtension>* extensions);
+ const der::Input &extensions_tlv,
+ std::map<der::Input, ParsedExtension> *extensions);
// Removes the extension with OID |oid| from |unconsumed_extensions| and fills
// |extension| with the matching extension value. If there was no extension
// matching |oid| then returns |false|.
[[nodiscard]] OPENSSL_EXPORT bool ConsumeExtension(
- const der::Input& oid,
- std::map<der::Input, ParsedExtension>* unconsumed_extensions,
- ParsedExtension* extension);
+ const der::Input &oid,
+ std::map<der::Input, ParsedExtension> *unconsumed_extensions,
+ ParsedExtension *extension);
struct ParsedBasicConstraints {
bool is_ca = false;
@@ -462,8 +457,7 @@
// The maximum allowed value of pathLenConstraints will be whatever can fit
// into a uint8_t.
[[nodiscard]] OPENSSL_EXPORT bool ParseBasicConstraints(
- const der::Input& basic_constraints_tlv,
- ParsedBasicConstraints* out);
+ const der::Input &basic_constraints_tlv, ParsedBasicConstraints *out);
// KeyUsageBit contains the index for a particular key usage. The index is
// measured from the most significant bit of a bit string.
@@ -503,8 +497,8 @@
//
// To test if a particular key usage is set, call, e.g.:
// key_usage->AssertsBit(KEY_USAGE_BIT_DIGITAL_SIGNATURE);
-[[nodiscard]] OPENSSL_EXPORT bool ParseKeyUsage(const der::Input& key_usage_tlv,
- der::BitString* key_usage);
+[[nodiscard]] OPENSSL_EXPORT bool ParseKeyUsage(const der::Input &key_usage_tlv,
+ der::BitString *key_usage);
struct AuthorityInfoAccessDescription {
// The accessMethod DER OID value.
@@ -520,8 +514,8 @@
// No validation is performed on the contents of the
// AuthorityInfoAccessDescription fields.
[[nodiscard]] OPENSSL_EXPORT bool ParseAuthorityInfoAccess(
- const der::Input& authority_info_access_tlv,
- std::vector<AuthorityInfoAccessDescription>* out_access_descriptions);
+ const der::Input &authority_info_access_tlv,
+ std::vector<AuthorityInfoAccessDescription> *out_access_descriptions);
// Parses the Authority Information Access extension defined by RFC 5280,
// extracting the caIssuers URIs and OCSP URIs.
@@ -542,9 +536,9 @@
// accessLocation types other than uniformResourceIdentifier are silently
// ignored.
[[nodiscard]] OPENSSL_EXPORT bool ParseAuthorityInfoAccessURIs(
- const der::Input& authority_info_access_tlv,
- std::vector<std::string_view>* out_ca_issuers_uris,
- std::vector<std::string_view>* out_ocsp_uris);
+ const der::Input &authority_info_access_tlv,
+ std::vector<std::string_view> *out_ca_issuers_uris,
+ std::vector<std::string_view> *out_ocsp_uris);
// ParsedDistributionPoint represents a parsed DistributionPoint from RFC 5280.
//
@@ -554,7 +548,7 @@
// cRLIssuer [2] GeneralNames OPTIONAL }
struct OPENSSL_EXPORT ParsedDistributionPoint {
ParsedDistributionPoint();
- ParsedDistributionPoint(ParsedDistributionPoint&& other);
+ ParsedDistributionPoint(ParsedDistributionPoint &&other);
~ParsedDistributionPoint();
// The parsed fullName, if distributionPoint was present and was a fullName.
@@ -578,8 +572,8 @@
// DistributionPoint). Return true on success, and fills |distribution_points|
// with values that reference data in |distribution_points_tlv|.
[[nodiscard]] OPENSSL_EXPORT bool ParseCrlDistributionPoints(
- const der::Input& distribution_points_tlv,
- std::vector<ParsedDistributionPoint>* distribution_points);
+ const der::Input &distribution_points_tlv,
+ std::vector<ParsedDistributionPoint> *distribution_points);
// Represents the AuthorityKeyIdentifier extension defined by RFC 5280 section
// 4.2.1.1.
@@ -593,8 +587,8 @@
struct OPENSSL_EXPORT ParsedAuthorityKeyIdentifier {
ParsedAuthorityKeyIdentifier();
~ParsedAuthorityKeyIdentifier();
- ParsedAuthorityKeyIdentifier(ParsedAuthorityKeyIdentifier&& other);
- ParsedAuthorityKeyIdentifier& operator=(ParsedAuthorityKeyIdentifier&& other);
+ ParsedAuthorityKeyIdentifier(ParsedAuthorityKeyIdentifier &&other);
+ ParsedAuthorityKeyIdentifier &operator=(ParsedAuthorityKeyIdentifier &&other);
// The keyIdentifier, which is an OCTET STRING.
std::optional<der::Input> key_identifier;
@@ -614,16 +608,15 @@
// in |extension_value|. On failure the state of |authority_key_identifier| is
// not guaranteed.
[[nodiscard]] OPENSSL_EXPORT bool ParseAuthorityKeyIdentifier(
- const der::Input& extension_value,
- ParsedAuthorityKeyIdentifier* authority_key_identifier);
+ const der::Input &extension_value,
+ ParsedAuthorityKeyIdentifier *authority_key_identifier);
// Parses the value of a subjectKeyIdentifier extension. Returns true on
// success and |subject_key_identifier| references data in |extension_value|.
// On failure the state of |subject_key_identifier| is not guaranteed.
[[nodiscard]] OPENSSL_EXPORT bool ParseSubjectKeyIdentifier(
- const der::Input& extension_value,
- der::Input* subject_key_identifier);
+ const der::Input &extension_value, der::Input *subject_key_identifier);
-} // namespace net
+} // namespace bssl
#endif // BSSL_PKI_PARSE_CERTIFICATE_H_
diff --git a/pki/parse_certificate_unittest.cc b/pki/parse_certificate_unittest.cc
index fc79ca3..6537e76 100644
--- a/pki/parse_certificate_unittest.cc
+++ b/pki/parse_certificate_unittest.cc
@@ -4,13 +4,13 @@
#include "parse_certificate.h"
-#include "cert_errors.h"
-#include "general_names.h"
-#include "parsed_certificate.h"
-#include "test_helpers.h"
-#include "input.h"
#include <gtest/gtest.h>
#include <openssl/pool.h>
+#include "cert_errors.h"
+#include "general_names.h"
+#include "input.h"
+#include "parsed_certificate.h"
+#include "test_helpers.h"
namespace bssl {
@@ -19,7 +19,7 @@
// Pretty-prints a GeneralizedTime as a human-readable string for use in test
// expectations (it is more readable to specify the expected results as a
// string).
-std::string ToString(const der::GeneralizedTime& time) {
+std::string ToString(const der::GeneralizedTime &time) {
std::ostringstream pretty_time;
pretty_time << "year=" << int{time.year} << ", month=" << int{time.month}
<< ", day=" << int{time.day} << ", hours=" << int{time.hours}
@@ -28,7 +28,7 @@
return pretty_time.str();
}
-std::string GetFilePath(const std::string& file_name) {
+std::string GetFilePath(const std::string &file_name) {
return std::string("testdata/parse_certificate_unittest/") + file_name;
}
@@ -36,7 +36,7 @@
// Verifies that parsing the Certificate matches expectations:
// * If expected to fail, emits the expected errors
// * If expected to succeeds, the parsed fields match expectations
-void RunCertificateTest(const std::string& file_name) {
+void RunCertificateTest(const std::string &file_name) {
std::string data;
std::string expected_errors;
std::string expected_tbs_certificate;
@@ -129,7 +129,7 @@
//
// TODO(eroman): Get rid of the |expected_version| parameter -- this should be
// encoded in the test expectations file.
-void RunTbsCertificateTestGivenVersion(const std::string& file_name,
+void RunTbsCertificateTestGivenVersion(const std::string &file_name,
CertificateVersion expected_version) {
std::string data;
std::string expected_serial_number;
@@ -211,7 +211,7 @@
}
}
-void RunTbsCertificateTest(const std::string& file_name) {
+void RunTbsCertificateTest(const std::string &file_name) {
RunTbsCertificateTestGivenVersion(file_name, CertificateVersion::V3);
}
@@ -271,9 +271,7 @@
}
// The version was set to v4, which is unrecognized.
-TEST(ParseTbsCertificateTest, Version4) {
- RunTbsCertificateTest("tbs_v4.pem");
-}
+TEST(ParseTbsCertificateTest, Version4) { RunTbsCertificateTest("tbs_v4.pem"); }
// Tests that extraneous data after extensions in a v3 is rejected.
TEST(ParseTbsCertificateTest, Version3DataAfterExtensions) {
@@ -491,7 +489,7 @@
ASSERT_TRUE(ParseAuthorityInfoAccess(der::Input(der), &access_descriptions));
ASSERT_EQ(5u, access_descriptions.size());
{
- const auto& desc = access_descriptions[0];
+ const auto &desc = access_descriptions[0];
EXPECT_EQ(der::Input(kAdOcspOid), desc.access_method_oid);
const uint8_t location_der[] = {0xa4, 0x11, 0x30, 0x0f, 0x31, 0x0d, 0x30,
0x0b, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13,
@@ -499,7 +497,7 @@
EXPECT_EQ(der::Input(location_der), desc.access_location);
}
{
- const auto& desc = access_descriptions[1];
+ const auto &desc = access_descriptions[1];
EXPECT_EQ(der::Input(kAdCaIssuersOid), desc.access_method_oid);
const uint8_t location_der[] = {
0xa4, 0x16, 0x30, 0x14, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04,
@@ -507,7 +505,7 @@
EXPECT_EQ(der::Input(location_der), desc.access_location);
}
{
- const auto& desc = access_descriptions[2];
+ const auto &desc = access_descriptions[2];
const uint8_t method_oid[] = {0x2b, 0x06, 0x01, 0x05,
0x05, 0x07, 0x30, 0x03};
EXPECT_EQ(der::Input(method_oid), desc.access_method_oid);
@@ -518,7 +516,7 @@
EXPECT_EQ(der::Input(location_der), desc.access_location);
}
{
- const auto& desc = access_descriptions[3];
+ const auto &desc = access_descriptions[3];
EXPECT_EQ(der::Input(kAdOcspOid), desc.access_method_oid);
const uint8_t location_der[] = {0x86, 0x17, 0x68, 0x74, 0x74, 0x70, 0x3a,
0x2f, 0x2f, 0x6f, 0x63, 0x73, 0x70, 0x2e,
@@ -527,7 +525,7 @@
EXPECT_EQ(der::Input(location_der), desc.access_location);
}
{
- const auto& desc = access_descriptions[4];
+ const auto &desc = access_descriptions[4];
EXPECT_EQ(der::Input(kAdCaIssuersOid), desc.access_method_oid);
const uint8_t location_der[] = {
0x86, 0x21, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77,
@@ -570,7 +568,7 @@
std::vector<AuthorityInfoAccessDescription> access_descriptions;
ASSERT_TRUE(ParseAuthorityInfoAccess(der::Input(der), &access_descriptions));
ASSERT_EQ(1u, access_descriptions.size());
- const auto& desc = access_descriptions[0];
+ const auto &desc = access_descriptions[0];
const uint8_t method_oid[] = {0x2a, 0x03};
EXPECT_EQ(der::Input(method_oid), desc.access_method_oid);
const uint8_t location_der[] = {0xa4, 0x10, 0x30, 0x0e, 0x31, 0x0c,
@@ -657,8 +655,8 @@
class ParseCrlDistributionPointsTest : public ::testing::Test {
public:
protected:
- bool GetCrlDps(const char* file_name,
- std::vector<ParsedDistributionPoint>* dps) {
+ bool GetCrlDps(const char *file_name,
+ std::vector<ParsedDistributionPoint> *dps) {
std::string cert_bytes;
// Read the test certificate file.
const PemBlockMapping mappings[] = {
@@ -671,7 +669,7 @@
CertErrors errors;
std::shared_ptr<const ParsedCertificate> cert = ParsedCertificate::Create(
bssl::UniquePtr<CRYPTO_BUFFER>(CRYPTO_BUFFER_new(
- reinterpret_cast<const uint8_t*>(cert_bytes.data()),
+ reinterpret_cast<const uint8_t *>(cert_bytes.data()),
cert_bytes.size(), nullptr)),
{}, &errors);
@@ -703,10 +701,10 @@
ASSERT_TRUE(GetCrlDps("crldp_1uri_noissuer.pem", &dps));
ASSERT_EQ(1u, dps.size());
- const ParsedDistributionPoint& dp1 = dps.front();
+ const ParsedDistributionPoint &dp1 = dps.front();
ASSERT_TRUE(dp1.distribution_point_fullname);
- const GeneralNames& fullname = *dp1.distribution_point_fullname;
+ const GeneralNames &fullname = *dp1.distribution_point_fullname;
EXPECT_EQ(GENERAL_NAME_UNIFORM_RESOURCE_IDENTIFIER,
fullname.present_name_types);
ASSERT_EQ(1u, fullname.uniform_resource_identifiers.size());
@@ -723,10 +721,10 @@
ASSERT_TRUE(GetCrlDps("crldp_3uri_noissuer.pem", &dps));
ASSERT_EQ(1u, dps.size());
- const ParsedDistributionPoint& dp1 = dps.front();
+ const ParsedDistributionPoint &dp1 = dps.front();
ASSERT_TRUE(dp1.distribution_point_fullname);
- const GeneralNames& fullname = *dp1.distribution_point_fullname;
+ const GeneralNames &fullname = *dp1.distribution_point_fullname;
EXPECT_EQ(GENERAL_NAME_UNIFORM_RESOURCE_IDENTIFIER,
fullname.present_name_types);
ASSERT_EQ(3u, fullname.uniform_resource_identifiers.size());
@@ -747,9 +745,9 @@
ASSERT_TRUE(GetCrlDps("crldp_issuer_as_dirname.pem", &dps));
ASSERT_EQ(1u, dps.size());
- const ParsedDistributionPoint& dp1 = dps.front();
+ const ParsedDistributionPoint &dp1 = dps.front();
ASSERT_TRUE(dp1.distribution_point_fullname);
- const GeneralNames& fullname = *dp1.distribution_point_fullname;
+ const GeneralNames &fullname = *dp1.distribution_point_fullname;
EXPECT_EQ(GENERAL_NAME_DIRECTORY_NAME, fullname.present_name_types);
// Generated by `ascii2der | xxd -i` from the Name value in
// crldp_issuer_as_dirname.pem.
@@ -791,10 +789,10 @@
ASSERT_TRUE(GetCrlDps("crldp_full_name_as_dirname.pem", &dps));
ASSERT_EQ(1u, dps.size());
- const ParsedDistributionPoint& dp1 = dps.front();
+ const ParsedDistributionPoint &dp1 = dps.front();
ASSERT_TRUE(dp1.distribution_point_fullname);
- const GeneralNames& fullname = *dp1.distribution_point_fullname;
+ const GeneralNames &fullname = *dp1.distribution_point_fullname;
EXPECT_EQ(GENERAL_NAME_DIRECTORY_NAME, fullname.present_name_types);
// Generated by `ascii2der | xxd -i` from the Name value in
// crldp_full_name_as_dirname.pem.
@@ -869,7 +867,7 @@
ASSERT_TRUE(ParseCrlDistributionPoints(der::Input(kInputDer), &dps));
ASSERT_EQ(2u, dps.size());
{
- const ParsedDistributionPoint& dp = dps[0];
+ const ParsedDistributionPoint &dp = dps[0];
EXPECT_FALSE(dp.distribution_point_fullname);
ASSERT_TRUE(dp.distribution_point_name_relative_to_crl_issuer);
@@ -893,9 +891,9 @@
EXPECT_FALSE(dp.crl_issuer);
}
{
- const ParsedDistributionPoint& dp = dps[1];
+ const ParsedDistributionPoint &dp = dps[1];
ASSERT_TRUE(dp.distribution_point_fullname);
- const GeneralNames& fullname = *dp.distribution_point_fullname;
+ const GeneralNames &fullname = *dp.distribution_point_fullname;
EXPECT_EQ(GENERAL_NAME_DIRECTORY_NAME, fullname.present_name_types);
// SET {
// SEQUENCE {
@@ -947,7 +945,7 @@
std::vector<ParsedDistributionPoint> dps;
ASSERT_TRUE(ParseCrlDistributionPoints(der::Input(kInputDer), &dps));
ASSERT_EQ(1u, dps.size());
- const ParsedDistributionPoint& dp = dps[0];
+ const ParsedDistributionPoint &dp = dps[0];
EXPECT_FALSE(dp.distribution_point_fullname);
EXPECT_FALSE(dp.distribution_point_name_relative_to_crl_issuer);
@@ -995,9 +993,8 @@
}
bool ParseAuthorityKeyIdentifierTestData(
- const char* file_name,
- std::string* backing_bytes,
- ParsedAuthorityKeyIdentifier* authority_key_identifier) {
+ const char *file_name, std::string *backing_bytes,
+ ParsedAuthorityKeyIdentifier *authority_key_identifier) {
// Read the test file.
const PemBlockMapping mappings[] = {
{"AUTHORITY_KEY_IDENTIFIER", backing_bytes},
@@ -1173,4 +1170,4 @@
} // namespace
-} // namespace net
+} // namespace bssl
diff --git a/pki/parse_name.cc b/pki/parse_name.cc
index db116f8..c961867 100644
--- a/pki/parse_name.cc
+++ b/pki/parse_name.cc
@@ -6,10 +6,10 @@
#include <cassert>
-#include "string_util.h"
-#include "parse_values.h"
#include <openssl/bytestring.h>
#include <openssl/mem.h>
+#include "parse_values.h"
+#include "string_util.h"
namespace bssl {
@@ -28,7 +28,7 @@
} // namespace
-bool X509NameAttribute::ValueAsString(std::string* out) const {
+bool X509NameAttribute::ValueAsString(std::string *out) const {
switch (value_tag) {
case der::kTeletexString:
return der::ParseTeletexStringAsLatin1(value, out);
@@ -49,8 +49,7 @@
}
bool X509NameAttribute::ValueAsStringWithUnsafeOptions(
- PrintableStringHandling printable_string_handling,
- std::string* out) const {
+ PrintableStringHandling printable_string_handling, std::string *out) const {
if (printable_string_handling == PrintableStringHandling::kAsUTF8Hack &&
value_tag == der::kPrintableString) {
*out = value.AsString();
@@ -59,7 +58,7 @@
return ValueAsString(out);
}
-bool X509NameAttribute::ValueAsStringUnsafe(std::string* out) const {
+bool X509NameAttribute::ValueAsStringUnsafe(std::string *out) const {
switch (value_tag) {
case der::kIA5String:
case der::kPrintableString:
@@ -77,7 +76,7 @@
}
}
-bool X509NameAttribute::AsRFC2253String(std::string* out) const {
+bool X509NameAttribute::AsRFC2253String(std::string *out) const {
std::string type_string;
std::string value_string;
// TODO(mattm): Add streetAddress and domainComponent here?
@@ -131,7 +130,7 @@
h += c;
value_string +=
"\\" + bssl::string_util::HexEncode(
- reinterpret_cast<const uint8_t*>(h.data()), h.length());
+ reinterpret_cast<const uint8_t *>(h.data()), h.length());
} else {
value_string += c;
}
@@ -140,15 +139,15 @@
// If we have non-printable characters in a TeletexString, we hex encode
// since we don't handle Teletex control codes.
if (nonprintable && value_tag == der::kTeletexString)
- value_string =
- "#" + bssl::string_util::HexEncode(value.UnsafeData(), value.Length());
+ value_string = "#" + bssl::string_util::HexEncode(value.UnsafeData(),
+ value.Length());
}
*out = type_string + "=" + value_string;
return true;
}
-bool ReadRdn(der::Parser* parser, RelativeDistinguishedName* out) {
+bool ReadRdn(der::Parser *parser, RelativeDistinguishedName *out) {
while (parser->HasMore()) {
der::Parser attr_type_and_value;
if (!parser->ReadSequence(&attr_type_and_value))
@@ -177,7 +176,7 @@
return out->size() != 0;
}
-bool ParseName(const der::Input& name_tlv, RDNSequence* out) {
+bool ParseName(const der::Input &name_tlv, RDNSequence *out) {
der::Parser name_parser(name_tlv);
der::Input name_value;
if (!name_parser.ReadTag(der::kSequence, &name_value))
@@ -185,7 +184,7 @@
return ParseNameValue(name_value, out);
}
-bool ParseNameValue(const der::Input& name_value, RDNSequence* out) {
+bool ParseNameValue(const der::Input &name_value, RDNSequence *out) {
der::Parser rdn_sequence_parser(name_value);
while (rdn_sequence_parser.HasMore()) {
der::Parser rdn_parser;
@@ -200,13 +199,13 @@
return true;
}
-bool ConvertToRFC2253(const RDNSequence& rdn_sequence, std::string* out) {
+bool ConvertToRFC2253(const RDNSequence &rdn_sequence, std::string *out) {
std::string rdns_string;
size_t size = rdn_sequence.size();
for (size_t i = 0; i < size; ++i) {
RelativeDistinguishedName rdn = rdn_sequence[size - i - 1];
std::string rdn_string;
- for (const auto& atv : rdn) {
+ for (const auto &atv : rdn) {
if (!rdn_string.empty())
rdn_string += "+";
std::string atv_string;
@@ -223,4 +222,4 @@
return true;
}
-} // namespace net
+} // namespace bssl
diff --git a/pki/parse_name.h b/pki/parse_name.h
index 2a37c05..e67b2e2 100644
--- a/pki/parse_name.h
+++ b/pki/parse_name.h
@@ -5,8 +5,8 @@
#ifndef BSSL_PKI_PARSE_NAME_H_
#define BSSL_PKI_PARSE_NAME_H_
-#include "fillins/openssl_util.h"
#include <vector>
+#include "fillins/openssl_util.h"
#include "input.h"
@@ -65,8 +65,7 @@
// value AttributeValue
// }
struct OPENSSL_EXPORT X509NameAttribute {
- X509NameAttribute(der::Input in_type,
- der::Tag in_value_tag,
+ X509NameAttribute(der::Input in_type, der::Tag in_value_tag,
der::Input in_value)
: type(in_type), value_tag(in_value_tag), value(in_value) {}
@@ -78,7 +77,7 @@
// Attempts to convert the value represented by this struct into a
// UTF-8 string and store it in |out|, returning whether the conversion
// was successful.
- [[nodiscard]] bool ValueAsString(std::string* out) const;
+ [[nodiscard]] bool ValueAsString(std::string *out) const;
// Attempts to convert the value represented by this struct into a
// UTF-8 string and store it in |out|, returning whether the conversion
@@ -88,7 +87,7 @@
// Do not use without consulting //net owners.
[[nodiscard]] bool ValueAsStringWithUnsafeOptions(
PrintableStringHandling printable_string_handling,
- std::string* out) const;
+ std::string *out) const;
// Attempts to convert the value represented by this struct into a
// std::string and store it in |out|, returning whether the conversion was
@@ -100,11 +99,11 @@
//
// Note: The conversion doesn't verify that the value corresponds to the
// ASN.1 definition of the value type.
- [[nodiscard]] bool ValueAsStringUnsafe(std::string* out) const;
+ [[nodiscard]] bool ValueAsStringUnsafe(std::string *out) const;
// Formats the NameAttribute per RFC2253 into an ASCII string and stores
// the result in |out|, returning whether the conversion was successful.
- [[nodiscard]] bool AsRFC2253String(std::string* out) const;
+ [[nodiscard]] bool AsRFC2253String(std::string *out) const;
der::Input type;
der::Tag value_tag;
@@ -136,23 +135,23 @@
//
// The type of the component AttributeValue is determined by the AttributeType;
// in general it will be a DirectoryString.
-[[nodiscard]] OPENSSL_EXPORT bool ReadRdn(der::Parser* parser,
- RelativeDistinguishedName* out);
+[[nodiscard]] OPENSSL_EXPORT bool ReadRdn(der::Parser *parser,
+ RelativeDistinguishedName *out);
// Parses a DER-encoded "Name" as specified by 5280. Returns true on success
// and sets the results in |out|.
-[[nodiscard]] OPENSSL_EXPORT bool ParseName(const der::Input& name_tlv,
- RDNSequence* out);
+[[nodiscard]] OPENSSL_EXPORT bool ParseName(const der::Input &name_tlv,
+ RDNSequence *out);
// Parses a DER-encoded "Name" value (without the sequence tag & length) as
// specified by 5280. Returns true on success and sets the results in |out|.
-[[nodiscard]] OPENSSL_EXPORT bool ParseNameValue(const der::Input& name_value,
- RDNSequence* out);
+[[nodiscard]] OPENSSL_EXPORT bool ParseNameValue(const der::Input &name_value,
+ RDNSequence *out);
// Formats a RDNSequence |rdn_sequence| per RFC2253 as an ASCII string and
// stores the result into |out|, and returns whether the conversion was
// successful.
-[[nodiscard]] OPENSSL_EXPORT bool ConvertToRFC2253(const RDNSequence& rdn_sequence,
- std::string* out);
-} // namespace net
+[[nodiscard]] OPENSSL_EXPORT bool ConvertToRFC2253(
+ const RDNSequence &rdn_sequence, std::string *out);
+} // namespace bssl
#endif // BSSL_PKI_PARSE_NAME_H_
diff --git a/pki/parse_name_unittest.cc b/pki/parse_name_unittest.cc
index fec2e07..27989df 100644
--- a/pki/parse_name_unittest.cc
+++ b/pki/parse_name_unittest.cc
@@ -4,8 +4,8 @@
#include "parse_name.h"
-#include "test_helpers.h"
#include <gtest/gtest.h>
+#include "test_helpers.h"
namespace bssl {
@@ -16,10 +16,10 @@
// |value_type| indicates what ASN.1 type is used to encode the data.
// |suffix| indicates any additional modifications, such as caseswapping,
// whitespace adding, etc.
-::testing::AssertionResult LoadTestData(const std::string& prefix,
- const std::string& value_type,
- const std::string& suffix,
- std::string* result) {
+::testing::AssertionResult LoadTestData(const std::string &prefix,
+ const std::string &value_type,
+ const std::string &suffix,
+ std::string *result) {
std::string path = "testdata/verify_name_match_unittest/names/" + prefix +
"-" + value_type + "-" + suffix + ".pem";
@@ -358,4 +358,4 @@
ASSERT_EQ("SN=Lu\\C4\\8Di\\C4\\87", output);
}
-} // namespace net
+} // namespace bssl
diff --git a/pki/parse_values.cc b/pki/parse_values.cc
index 505a10c..13e2c20 100644
--- a/pki/parse_values.cc
+++ b/pki/parse_values.cc
@@ -16,7 +16,7 @@
namespace {
-bool ParseBoolInternal(const Input& in, bool* out, bool relaxed) {
+bool ParseBoolInternal(const Input &in, bool *out, bool relaxed) {
// According to ITU-T X.690 section 8.2, a bool is encoded as a single octet
// where the octet of all zeroes is FALSE and a non-zero value for the octet
// is TRUE.
@@ -44,7 +44,7 @@
// enough to hold 10^digits - 1; the caller must choose an appropriate type
// based on the number of digits they wish to parse.
template <typename UINT>
-bool DecimalStringToUint(ByteReader& in, size_t digits, UINT* out) {
+bool DecimalStringToUint(ByteReader &in, size_t digits, UINT *out) {
UINT value = 0;
for (size_t i = 0; i < digits; ++i) {
uint8_t digit;
@@ -66,7 +66,7 @@
// hours are between 0 and 23, minutes between 0 and 59, and seconds between
// 0 and 60 (to allow for leap seconds; no validation is done that a leap
// second is on a day that could be a leap second).
-bool ValidateGeneralizedTime(const GeneralizedTime& time) {
+bool ValidateGeneralizedTime(const GeneralizedTime &time) {
if (time.month < 1 || time.month > 12)
return false;
if (time.day < 1)
@@ -126,7 +126,7 @@
//
// For instance a 160-bit positive number might take 21 bytes to encode. This
// function will return 20 in such a case.
-size_t GetUnsignedIntegerLength(const Input& in) {
+size_t GetUnsignedIntegerLength(const Input &in) {
der::ByteReader reader(in);
uint8_t first_byte;
if (!reader.ReadByte(&first_byte))
@@ -139,7 +139,7 @@
} // namespace
-bool ParseBool(const Input& in, bool* out) {
+bool ParseBool(const Input &in, bool *out) {
return ParseBoolInternal(in, out, false /* relaxed */);
}
@@ -147,7 +147,7 @@
// have either all bits zero (false) or all bits one (true). To support
// malformed certs, we recognized the BER encoding instead of failing to
// parse.
-bool ParseBoolRelaxed(const Input& in, bool* out) {
+bool ParseBoolRelaxed(const Input &in, bool *out) {
return ParseBoolInternal(in, out, true /* relaxed */);
}
@@ -155,7 +155,7 @@
// in the smallest number of octets. If the encoding consists of more than
// one octet, then the bits of the first octet and the most significant bit
// of the second octet must not be all zeroes or all ones.
-bool IsValidInteger(const Input& in, bool* negative) {
+bool IsValidInteger(const Input &in, bool *negative) {
CBS cbs;
CBS_init(&cbs, in.UnsafeData(), in.Length());
int negative_int;
@@ -167,7 +167,7 @@
return true;
}
-bool ParseUint64(const Input& in, uint64_t* out) {
+bool ParseUint64(const Input &in, uint64_t *out) {
// Reject non-minimally encoded numbers and negative numbers.
bool negative;
if (!IsValidInteger(in, &negative) || negative)
@@ -189,7 +189,7 @@
return true;
}
-bool ParseUint8(const Input& in, uint8_t* out) {
+bool ParseUint8(const Input &in, uint8_t *out) {
// TODO(eroman): Implement this more directly.
uint64_t value;
if (!ParseUint64(in, &value))
@@ -202,7 +202,7 @@
return true;
}
-BitString::BitString(const Input& bytes, uint8_t unused_bits)
+BitString::BitString(const Input &bytes, uint8_t unused_bits)
: bytes_(bytes), unused_bits_(unused_bits) {
BSSL_CHECK(unused_bits < 8);
BSSL_CHECK(unused_bits == 0 || bytes.Length() != 0);
@@ -232,7 +232,7 @@
return 0 != (byte & (1 << bit_index_in_byte));
}
-std::optional<BitString> ParseBitString(const Input& in) {
+std::optional<BitString> ParseBitString(const Input &in) {
ByteReader reader(in);
// From ITU-T X.690, section 8.6.2.2 (applies to BER, CER, DER):
@@ -276,25 +276,25 @@
return 1950 <= year && year < 2050;
}
-bool operator<(const GeneralizedTime& lhs, const GeneralizedTime& rhs) {
+bool operator<(const GeneralizedTime &lhs, const GeneralizedTime &rhs) {
return std::tie(lhs.year, lhs.month, lhs.day, lhs.hours, lhs.minutes,
lhs.seconds) < std::tie(rhs.year, rhs.month, rhs.day,
rhs.hours, rhs.minutes, rhs.seconds);
}
-bool operator>(const GeneralizedTime& lhs, const GeneralizedTime& rhs) {
+bool operator>(const GeneralizedTime &lhs, const GeneralizedTime &rhs) {
return rhs < lhs;
}
-bool operator<=(const GeneralizedTime& lhs, const GeneralizedTime& rhs) {
+bool operator<=(const GeneralizedTime &lhs, const GeneralizedTime &rhs) {
return !(lhs > rhs);
}
-bool operator>=(const GeneralizedTime& lhs, const GeneralizedTime& rhs) {
+bool operator>=(const GeneralizedTime &lhs, const GeneralizedTime &rhs) {
return !(lhs < rhs);
}
-bool ParseUTCTime(const Input& in, GeneralizedTime* value) {
+bool ParseUTCTime(const Input &in, GeneralizedTime *value) {
ByteReader reader(in);
GeneralizedTime time;
if (!DecimalStringToUint(reader, 2, &time.year) ||
@@ -319,7 +319,7 @@
return true;
}
-bool ParseGeneralizedTime(const Input& in, GeneralizedTime* value) {
+bool ParseGeneralizedTime(const Input &in, GeneralizedTime *value) {
ByteReader reader(in);
GeneralizedTime time;
if (!DecimalStringToUint(reader, 4, &time.year) ||
@@ -339,7 +339,7 @@
return true;
}
-bool ParseIA5String(Input in, std::string* out) {
+bool ParseIA5String(Input in, std::string *out) {
for (char c : in.AsStringView()) {
if (static_cast<uint8_t>(c) > 127)
return false;
@@ -348,7 +348,7 @@
return true;
}
-bool ParseVisibleString(Input in, std::string* out) {
+bool ParseVisibleString(Input in, std::string *out) {
// ITU-T X.680:
// VisibleString : "Defining registration number 6" + SPACE
// 6 includes all the characters from '!' .. '~' (33 .. 126), space is 32.
@@ -363,7 +363,7 @@
return true;
}
-bool ParsePrintableString(Input in, std::string* out) {
+bool ParsePrintableString(Input in, std::string *out) {
for (char c : in.AsStringView()) {
if (!(OPENSSL_isalpha(c) || c == ' ' || (c >= '\'' && c <= ':') ||
c == '=' || c == '?')) {
@@ -374,7 +374,7 @@
return true;
}
-bool ParseTeletexStringAsLatin1(Input in, std::string* out) {
+bool ParseTeletexStringAsLatin1(Input in, std::string *out) {
out->clear();
// Convert from Latin-1 to UTF-8.
size_t utf8_length = in.Length();
@@ -397,7 +397,7 @@
return true;
}
-bool ParseUniversalString(Input in, std::string* out) {
+bool ParseUniversalString(Input in, std::string *out) {
if (in.Length() % 4 != 0) {
return false;
}
@@ -421,7 +421,7 @@
return true;
}
-bool ParseBmpString(Input in, std::string* out) {
+bool ParseBmpString(Input in, std::string *out) {
if (in.Length() % 2 != 0) {
return false;
}
diff --git a/pki/parse_values.h b/pki/parse_values.h
index ca65873..f9b7470 100644
--- a/pki/parse_values.h
+++ b/pki/parse_values.h
@@ -5,23 +5,23 @@
#ifndef BSSL_DER_PARSE_VALUES_H_
#define BSSL_DER_PARSE_VALUES_H_
-#include "fillins/openssl_util.h"
#include <stdint.h>
+#include "fillins/openssl_util.h"
-#include "input.h"
#include <optional>
+#include "input.h"
namespace bssl::der {
// Reads a DER-encoded ASN.1 BOOLEAN value from |in| and puts the resulting
// value in |out|. Returns whether the encoded value could successfully be
// read.
-[[nodiscard]] OPENSSL_EXPORT bool ParseBool(const Input& in, bool* out);
+[[nodiscard]] OPENSSL_EXPORT bool ParseBool(const Input &in, bool *out);
// Like ParseBool, except it is more relaxed in what inputs it accepts: Any
// value that is a valid BER encoding will be parsed successfully.
-[[nodiscard]] OPENSSL_EXPORT bool ParseBoolRelaxed(const Input& in, bool* out);
+[[nodiscard]] OPENSSL_EXPORT bool ParseBoolRelaxed(const Input &in, bool *out);
// Checks the validity of a DER-encoded ASN.1 INTEGER value from |in|, and
// determines the sign of the number. Returns true on success and
@@ -31,7 +31,8 @@
// in: The value portion of an INTEGER.
// negative: Out parameter that is set to true if the number is negative
// and false otherwise (zero is non-negative).
-[[nodiscard]] OPENSSL_EXPORT bool IsValidInteger(const Input& in, bool* negative);
+[[nodiscard]] OPENSSL_EXPORT bool IsValidInteger(const Input &in,
+ bool *negative);
// Reads a DER-encoded ASN.1 INTEGER value from |in| and puts the resulting
// value in |out|. ASN.1 INTEGERs are arbitrary precision; this function is
@@ -39,10 +40,10 @@
// and is between 0 and 2^64-1. This function returns false if the value is too
// big to fit in a uint64_t, is negative, or if there is an error reading the
// integer.
-[[nodiscard]] OPENSSL_EXPORT bool ParseUint64(const Input& in, uint64_t* out);
+[[nodiscard]] OPENSSL_EXPORT bool ParseUint64(const Input &in, uint64_t *out);
// Same as ParseUint64() but for a uint8_t.
-[[nodiscard]] OPENSSL_EXPORT bool ParseUint8(const Input& in, uint8_t* out);
+[[nodiscard]] OPENSSL_EXPORT bool ParseUint8(const Input &in, uint8_t *out);
// The BitString class is a helper for representing a valid parsed BIT STRING.
//
@@ -57,9 +58,9 @@
// |unused_bits| represents the number of bits in the last octet of |bytes|,
// starting from the least significant bit, that are unused. It MUST be < 8.
// And if bytes is empty, then it MUST be 0.
- BitString(const Input& bytes, uint8_t unused_bits);
+ BitString(const Input &bytes, uint8_t unused_bits);
- const Input& bytes() const { return bytes_; }
+ const Input &bytes() const { return bytes_; }
uint8_t unused_bits() const { return unused_bits_; }
// Returns true if the bit string contains 1 at the specified position.
@@ -82,7 +83,7 @@
//
// On failure, returns std::nullopt.
[[nodiscard]] OPENSSL_EXPORT std::optional<BitString> ParseBitString(
- const Input& in);
+ const Input &in);
struct OPENSSL_EXPORT GeneralizedTime {
uint16_t year;
@@ -96,39 +97,41 @@
bool InUTCTimeRange() const;
};
-OPENSSL_EXPORT bool operator<(const GeneralizedTime& lhs,
- const GeneralizedTime& rhs);
-OPENSSL_EXPORT bool operator<=(const GeneralizedTime& lhs,
- const GeneralizedTime& rhs);
-OPENSSL_EXPORT bool operator>(const GeneralizedTime& lhs,
- const GeneralizedTime& rhs);
-OPENSSL_EXPORT bool operator>=(const GeneralizedTime& lhs,
- const GeneralizedTime& rhs);
+OPENSSL_EXPORT bool operator<(const GeneralizedTime &lhs,
+ const GeneralizedTime &rhs);
+OPENSSL_EXPORT bool operator<=(const GeneralizedTime &lhs,
+ const GeneralizedTime &rhs);
+OPENSSL_EXPORT bool operator>(const GeneralizedTime &lhs,
+ const GeneralizedTime &rhs);
+OPENSSL_EXPORT bool operator>=(const GeneralizedTime &lhs,
+ const GeneralizedTime &rhs);
// Reads a DER-encoded ASN.1 UTCTime value from |in| and puts the resulting
// value in |out|, returning true if the UTCTime could be parsed successfully.
-[[nodiscard]] OPENSSL_EXPORT bool ParseUTCTime(const Input& in,
- GeneralizedTime* out);
+[[nodiscard]] OPENSSL_EXPORT bool ParseUTCTime(const Input &in,
+ GeneralizedTime *out);
// Reads a DER-encoded ASN.1 GeneralizedTime value from |in| and puts the
// resulting value in |out|, returning true if the GeneralizedTime could
// be parsed successfully. This function is even more restrictive than the
// DER rules - it follows the rules from RFC5280, which does not allow for
// fractional seconds.
-[[nodiscard]] OPENSSL_EXPORT bool ParseGeneralizedTime(const Input& in,
- GeneralizedTime* out);
+[[nodiscard]] OPENSSL_EXPORT bool ParseGeneralizedTime(const Input &in,
+ GeneralizedTime *out);
// Reads a DER-encoded ASN.1 IA5String value from |in| and stores the result in
// |out| as ASCII, returning true if successful.
-[[nodiscard]] OPENSSL_EXPORT bool ParseIA5String(Input in, std::string* out);
+[[nodiscard]] OPENSSL_EXPORT bool ParseIA5String(Input in, std::string *out);
// Reads a DER-encoded ASN.1 VisibleString value from |in| and stores the result
// in |out| as ASCII, returning true if successful.
-[[nodiscard]] OPENSSL_EXPORT bool ParseVisibleString(Input in, std::string* out);
+[[nodiscard]] OPENSSL_EXPORT bool ParseVisibleString(Input in,
+ std::string *out);
// Reads a DER-encoded ASN.1 PrintableString value from |in| and stores the
// result in |out| as ASCII, returning true if successful.
-[[nodiscard]] OPENSSL_EXPORT bool ParsePrintableString(Input in, std::string* out);
+[[nodiscard]] OPENSSL_EXPORT bool ParsePrintableString(Input in,
+ std::string *out);
// Reads a DER-encoded ASN.1 TeletexString value from |in|, treating it as
// Latin-1, and stores the result in |out| as UTF-8, returning true if
@@ -137,15 +140,16 @@
// This is for compatibility with legacy implementations that would use Latin-1
// encoding but tag it as TeletexString.
[[nodiscard]] OPENSSL_EXPORT bool ParseTeletexStringAsLatin1(Input in,
- std::string* out);
+ std::string *out);
// Reads a DER-encoded ASN.1 UniversalString value from |in| and stores the
// result in |out| as UTF-8, returning true if successful.
-[[nodiscard]] OPENSSL_EXPORT bool ParseUniversalString(Input in, std::string* out);
+[[nodiscard]] OPENSSL_EXPORT bool ParseUniversalString(Input in,
+ std::string *out);
// Reads a DER-encoded ASN.1 BMPString value from |in| and stores the
// result in |out| as UTF-8, returning true if successful.
-[[nodiscard]] OPENSSL_EXPORT bool ParseBmpString(Input in, std::string* out);
+[[nodiscard]] OPENSSL_EXPORT bool ParseBmpString(Input in, std::string *out);
} // namespace bssl::der
diff --git a/pki/parse_values_unittest.cc b/pki/parse_values_unittest.cc
index 7eab66a..ee9e481 100644
--- a/pki/parse_values_unittest.cc
+++ b/pki/parse_values_unittest.cc
@@ -13,10 +13,10 @@
namespace {
template <size_t N>
-Input FromStringLiteral(const char(&data)[N]) {
+Input FromStringLiteral(const char (&data)[N]) {
// Strings are null-terminated. The null terminating byte shouldn't be
// included in the Input, so the size is N - 1 instead of N.
- return Input(reinterpret_cast<const uint8_t*>(data), N - 1);
+ return Input(reinterpret_cast<const uint8_t *>(data), N - 1);
}
} // namespace
@@ -127,9 +127,8 @@
ParseGeneralizedTime(FromStringLiteral("20001231010203Z\0"), &out));
// Check what happens when a null byte is in the middle of the input.
- EXPECT_FALSE(ParseGeneralizedTime(FromStringLiteral(
- "200\0"
- "1231010203Z"),
+ EXPECT_FALSE(ParseGeneralizedTime(FromStringLiteral("200\0"
+ "1231010203Z"),
&out));
// The year can't be in hex.
@@ -214,7 +213,7 @@
TEST(ParseValuesTest, ParseUint64) {
for (size_t i = 0; i < std::size(kUint64TestData); i++) {
- const Uint64TestData& test_case = kUint64TestData[i];
+ const Uint64TestData &test_case = kUint64TestData[i];
SCOPED_TRACE(i);
uint64_t result;
@@ -251,7 +250,7 @@
TEST(ParseValuesTest, ParseUint8) {
for (size_t i = 0; i < std::size(kUint8TestData); i++) {
- const Uint8TestData& test_case = kUint8TestData[i];
+ const Uint8TestData &test_case = kUint8TestData[i];
SCOPED_TRACE(i);
uint8_t result;
@@ -297,7 +296,7 @@
TEST(ParseValuesTest, IsValidInteger) {
for (size_t i = 0; i < std::size(kIsValidIntegerTestData); i++) {
- const auto& test_case = kIsValidIntegerTestData[i];
+ const auto &test_case = kIsValidIntegerTestData[i];
SCOPED_TRACE(i);
bool negative;
diff --git a/pki/parsed_certificate.cc b/pki/parsed_certificate.cc
index 1c94830..5f2406d 100644
--- a/pki/parsed_certificate.cc
+++ b/pki/parsed_certificate.cc
@@ -4,14 +4,14 @@
#include "parsed_certificate.h"
+#include <openssl/pool.h>
#include "cert_errors.h"
#include "certificate_policies.h"
#include "extended_key_usage.h"
#include "name_constraints.h"
+#include "parser.h"
#include "signature_algorithm.h"
#include "verify_name_match.h"
-#include "parser.h"
-#include <openssl/pool.h>
namespace bssl {
@@ -49,15 +49,15 @@
DEFINE_CERT_ERROR_ID(kFailedParsingSubjectKeyIdentifier,
"Failed parsing subject key identifier");
-[[nodiscard]] bool GetSequenceValue(const der::Input& tlv, der::Input* value) {
+[[nodiscard]] bool GetSequenceValue(const der::Input &tlv, der::Input *value) {
der::Parser parser(tlv);
return parser.ReadTag(der::kSequence, value) && !parser.HasMore();
}
} // namespace
-bool ParsedCertificate::GetExtension(const der::Input& extension_oid,
- ParsedExtension* parsed_extension) const {
+bool ParsedCertificate::GetExtension(const der::Input &extension_oid,
+ ParsedExtension *parsed_extension) const {
if (!tbs_.extensions_tlv)
return false;
@@ -77,8 +77,7 @@
// static
std::shared_ptr<const ParsedCertificate> ParsedCertificate::Create(
bssl::UniquePtr<CRYPTO_BUFFER> backing_data,
- const ParseCertificateOptions& options,
- CertErrors* errors) {
+ const ParseCertificateOptions &options, CertErrors *errors) {
// |errors| is an optional parameter, but to keep the code simpler, use a
// dummy object when one wasn't provided.
CertErrors unused_errors;
@@ -280,9 +279,9 @@
// static
bool ParsedCertificate::CreateAndAddToVector(
bssl::UniquePtr<CRYPTO_BUFFER> cert_data,
- const ParseCertificateOptions& options,
- std::vector<std::shared_ptr<const bssl::ParsedCertificate>>* chain,
- CertErrors* errors) {
+ const ParseCertificateOptions &options,
+ std::vector<std::shared_ptr<const bssl::ParsedCertificate>> *chain,
+ CertErrors *errors) {
std::shared_ptr<const ParsedCertificate> cert(
Create(std::move(cert_data), options, errors));
if (!cert)
@@ -291,4 +290,4 @@
return true;
}
-} // namespace net
+} // namespace bssl
diff --git a/pki/parsed_certificate.h b/pki/parsed_certificate.h
index 3f872f0..9d72e62 100644
--- a/pki/parsed_certificate.h
+++ b/pki/parsed_certificate.h
@@ -5,18 +5,18 @@
#ifndef BSSL_PKI_PARSED_CERTIFICATE_H_
#define BSSL_PKI_PARSED_CERTIFICATE_H_
-#include "fillins/openssl_util.h"
#include <map>
#include <memory>
#include <vector>
+#include "fillins/openssl_util.h"
+#include <openssl/base.h>
+#include <optional>
#include "certificate_policies.h"
+#include "input.h"
#include "parse_certificate.h"
#include "signature_algorithm.h"
-#include "input.h"
-#include <optional>
-#include <openssl/base.h>
namespace bssl {
@@ -46,7 +46,7 @@
};
public:
-~ParsedCertificate();
+ ~ParsedCertificate();
// Map from OID to ParsedExtension.
using ExtensionsMap = std::map<der::Input, ParsedExtension>;
@@ -57,8 +57,7 @@
// information added to it.
static std::shared_ptr<const ParsedCertificate> Create(
bssl::UniquePtr<CRYPTO_BUFFER> cert_data,
- const ParseCertificateOptions& options,
- CertErrors* errors);
+ const ParseCertificateOptions &options, CertErrors *errors);
// Creates a ParsedCertificate by copying the provided |data|, and appends it
// to |chain|. Returns true if the certificate was successfully parsed and
@@ -68,32 +67,32 @@
// information added to it.
static bool CreateAndAddToVector(
bssl::UniquePtr<CRYPTO_BUFFER> cert_data,
- const ParseCertificateOptions& options,
- std::vector<std::shared_ptr<const bssl::ParsedCertificate>>* chain,
- CertErrors* errors);
+ const ParseCertificateOptions &options,
+ std::vector<std::shared_ptr<const bssl::ParsedCertificate>> *chain,
+ CertErrors *errors);
explicit ParsedCertificate(PrivateConstructor);
-
- ParsedCertificate(const ParsedCertificate&) = delete;
- ParsedCertificate& operator=(const ParsedCertificate&) = delete;
+
+ ParsedCertificate(const ParsedCertificate &) = delete;
+ ParsedCertificate &operator=(const ParsedCertificate &) = delete;
// Returns the DER-encoded certificate data for this cert.
- const der::Input& der_cert() const { return cert_; }
+ const der::Input &der_cert() const { return cert_; }
// Returns the CRYPTO_BUFFER backing this object.
- CRYPTO_BUFFER* cert_buffer() const { return cert_data_.get(); }
+ CRYPTO_BUFFER *cert_buffer() const { return cert_data_.get(); }
// Accessors for raw fields of the Certificate.
- const der::Input& tbs_certificate_tlv() const { return tbs_certificate_tlv_; }
+ const der::Input &tbs_certificate_tlv() const { return tbs_certificate_tlv_; }
- const der::Input& signature_algorithm_tlv() const {
+ const der::Input &signature_algorithm_tlv() const {
return signature_algorithm_tlv_;
}
- const der::BitString& signature_value() const { return signature_value_; }
+ const der::BitString &signature_value() const { return signature_value_; }
// Accessor for struct containing raw fields of the TbsCertificate.
- const ParsedTbsCertificate& tbs() const { return tbs_; }
+ const ParsedTbsCertificate &tbs() const { return tbs_; }
// Returns the signatureAlgorithm of the Certificate (not the tbsCertificate).
// If the signature algorithm is unknown/unsupported, this returns nullopt.
@@ -127,7 +126,7 @@
// Returns the ParsedBasicConstraints struct. Caller must check
// has_basic_constraints() before accessing this.
- const ParsedBasicConstraints& basic_constraints() const {
+ const ParsedBasicConstraints &basic_constraints() const {
BSSL_CHECK(has_basic_constraints_);
return basic_constraints_;
}
@@ -137,7 +136,7 @@
// Returns the KeyUsage BitString. Caller must check
// has_key_usage() before accessing this.
- const der::BitString& key_usage() const {
+ const der::BitString &key_usage() const {
BSSL_CHECK(has_key_usage_);
return key_usage_;
}
@@ -147,7 +146,7 @@
// Returns the ExtendedKeyUsage key purpose OIDs. Caller must check
// has_extended_key_usage() before accessing this.
- const std::vector<der::Input>& extended_key_usage() const {
+ const std::vector<der::Input> &extended_key_usage() const {
BSSL_CHECK(has_extended_key_usage_);
return extended_key_usage_;
}
@@ -158,13 +157,13 @@
// Returns the ParsedExtension struct for the SubjectAltName extension.
// If the cert did not have a SubjectAltName extension, this will be a
// default-initialized ParsedExtension struct.
- const ParsedExtension& subject_alt_names_extension() const {
+ const ParsedExtension &subject_alt_names_extension() const {
return subject_alt_names_extension_;
}
// Returns the GeneralNames class parsed from SubjectAltName extension, or
// nullptr if no SubjectAltName extension was present.
- const GeneralNames* subject_alt_names() const {
+ const GeneralNames *subject_alt_names() const {
return subject_alt_names_.get();
}
@@ -173,7 +172,7 @@
// Returns the parsed NameConstraints extension. Must not be called if
// has_name_constraints() is false.
- const NameConstraints& name_constraints() const {
+ const NameConstraints &name_constraints() const {
BSSL_CHECK(name_constraints_);
return *name_constraints_;
}
@@ -182,24 +181,24 @@
bool has_authority_info_access() const { return has_authority_info_access_; }
// Returns the ParsedExtension struct for the AuthorityInfoAccess extension.
- const ParsedExtension& authority_info_access_extension() const {
+ const ParsedExtension &authority_info_access_extension() const {
return authority_info_access_extension_;
}
// Returns any caIssuers URIs from the AuthorityInfoAccess extension.
- const std::vector<std::string_view>& ca_issuers_uris() const {
+ const std::vector<std::string_view> &ca_issuers_uris() const {
return ca_issuers_uris_;
}
// Returns any OCSP URIs from the AuthorityInfoAccess extension.
- const std::vector<std::string_view>& ocsp_uris() const { return ocsp_uris_; }
+ const std::vector<std::string_view> &ocsp_uris() const { return ocsp_uris_; }
// Returns true if the certificate has a Policies extension.
bool has_policy_oids() const { return has_policy_oids_; }
// Returns the policy OIDs. Caller must check has_policy_oids() before
// accessing this.
- const std::vector<der::Input>& policy_oids() const {
+ const std::vector<der::Input> &policy_oids() const {
BSSL_CHECK(has_policy_oids());
return policy_oids_;
}
@@ -209,7 +208,7 @@
// Returns the ParsedPolicyConstraints struct. Caller must check
// has_policy_constraints() before accessing this.
- const ParsedPolicyConstraints& policy_constraints() const {
+ const ParsedPolicyConstraints &policy_constraints() const {
BSSL_CHECK(has_policy_constraints_);
return policy_constraints_;
}
@@ -219,36 +218,36 @@
// Returns the PolicyMappings extension. Caller must check
// has_policy_mappings() before accessing this.
- const std::vector<ParsedPolicyMapping>& policy_mappings() const {
+ const std::vector<ParsedPolicyMapping> &policy_mappings() const {
BSSL_CHECK(has_policy_mappings_);
return policy_mappings_;
}
// Returns the Inhibit Any Policy extension.
- const std::optional<uint8_t>& inhibit_any_policy() const {
+ const std::optional<uint8_t> &inhibit_any_policy() const {
return inhibit_any_policy_;
}
// Returns the AuthorityKeyIdentifier extension, or nullopt if there wasn't
// one.
- const std::optional<ParsedAuthorityKeyIdentifier>& authority_key_identifier()
+ const std::optional<ParsedAuthorityKeyIdentifier> &authority_key_identifier()
const {
return authority_key_identifier_;
}
// Returns the SubjectKeyIdentifier extension, or nullopt if there wasn't
// one.
- const std::optional<der::Input>& subject_key_identifier() const {
+ const std::optional<der::Input> &subject_key_identifier() const {
return subject_key_identifier_;
}
// Returns a map of all the extensions in the certificate.
- const ExtensionsMap& extensions() const { return extensions_; }
+ const ExtensionsMap &extensions() const { return extensions_; }
// Gets the value for extension matching |extension_oid|. Returns false if the
// extension is not present.
- bool GetExtension(const der::Input& extension_oid,
- ParsedExtension* parsed_extension) const;
+ bool GetExtension(const der::Input &extension_oid,
+ ParsedExtension *parsed_extension) const;
private:
// The backing store for the certificate data.
@@ -325,6 +324,6 @@
ExtensionsMap extensions_;
};
-} // namespace net
+} // namespace bssl
#endif // BSSL_PKI_PARSED_CERTIFICATE_H_
diff --git a/pki/parsed_certificate_unittest.cc b/pki/parsed_certificate_unittest.cc
index b3ee6a0..95f4433 100644
--- a/pki/parsed_certificate_unittest.cc
+++ b/pki/parsed_certificate_unittest.cc
@@ -4,12 +4,12 @@
#include "parsed_certificate.h"
-#include "cert_errors.h"
-#include "parse_certificate.h"
-#include "test_helpers.h"
-#include "input.h"
#include <gtest/gtest.h>
#include <openssl/pool.h>
+#include "cert_errors.h"
+#include "input.h"
+#include "parse_certificate.h"
+#include "test_helpers.h"
// TODO(eroman): Add tests for parsing of policy mappings.
@@ -17,7 +17,7 @@
namespace {
-std::string GetFilePath(const std::string& file_name) {
+std::string GetFilePath(const std::string &file_name) {
return std::string("testdata/parse_certificate_unittest/") + file_name;
}
@@ -26,8 +26,7 @@
// Returns nullptr if the certificate parsing failed, and verifies that any
// errors match the ERRORS block in the .pem file.
std::shared_ptr<const ParsedCertificate> ParseCertificateFromFile(
- const std::string& file_name,
- const ParseCertificateOptions& options) {
+ const std::string &file_name, const ParseCertificateOptions &options) {
std::string data;
std::string expected_errors;
@@ -41,8 +40,9 @@
CertErrors errors;
std::shared_ptr<const ParsedCertificate> cert = ParsedCertificate::Create(
- bssl::UniquePtr<CRYPTO_BUFFER>(CRYPTO_BUFFER_new(
- reinterpret_cast<const uint8_t*>(data.data()), data.size(), nullptr)),
+ bssl::UniquePtr<CRYPTO_BUFFER>(
+ CRYPTO_BUFFER_new(reinterpret_cast<const uint8_t *>(data.data()),
+ data.size(), nullptr)),
options, &errors);
// The errors are baselined for |!allow_invalid_serial_numbers|. So if
@@ -590,4 +590,4 @@
} // namespace
-} // namespace net
+} // namespace bssl
diff --git a/pki/parser.cc b/pki/parser.cc
index 623da92..ae6a201 100644
--- a/pki/parser.cc
+++ b/pki/parser.cc
@@ -4,20 +4,18 @@
#include "parser.h"
-#include "parse_values.h"
#include <openssl/base.h>
+#include "parse_values.h"
namespace bssl::der {
-Parser::Parser() {
- CBS_init(&cbs_, nullptr, 0);
-}
+Parser::Parser() { CBS_init(&cbs_, nullptr, 0); }
-Parser::Parser(const Input& input) {
+Parser::Parser(const Input &input) {
CBS_init(&cbs_, input.UnsafeData(), input.Length());
}
-bool Parser::PeekTagAndValue(Tag* tag, Input* out) {
+bool Parser::PeekTagAndValue(Tag *tag, Input *out) {
CBS peeker = cbs_;
CBS tmp_out;
size_t header_len;
@@ -40,11 +38,9 @@
return ret;
}
-bool Parser::HasMore() {
- return CBS_len(&cbs_) > 0;
-}
+bool Parser::HasMore() { return CBS_len(&cbs_) > 0; }
-bool Parser::ReadRawTLV(Input* out) {
+bool Parser::ReadRawTLV(Input *out) {
CBS tmp_out;
if (!CBS_get_any_asn1_element(&cbs_, &tmp_out, nullptr, nullptr))
return false;
@@ -52,14 +48,14 @@
return true;
}
-bool Parser::ReadTagAndValue(Tag* tag, Input* out) {
+bool Parser::ReadTagAndValue(Tag *tag, Input *out) {
if (!PeekTagAndValue(tag, out))
return false;
BSSL_CHECK(Advance());
return true;
}
-bool Parser::ReadOptionalTag(Tag tag, std::optional<Input>* out) {
+bool Parser::ReadOptionalTag(Tag tag, std::optional<Input> *out) {
if (!HasMore()) {
*out = std::nullopt;
return true;
@@ -79,7 +75,7 @@
return true;
}
-bool Parser::ReadOptionalTag(Tag tag, Input* out, bool* present) {
+bool Parser::ReadOptionalTag(Tag tag, Input *out, bool *present) {
std::optional<Input> tmp_out;
if (!ReadOptionalTag(tag, &tmp_out))
return false;
@@ -88,12 +84,12 @@
return true;
}
-bool Parser::SkipOptionalTag(Tag tag, bool* present) {
+bool Parser::SkipOptionalTag(Tag tag, bool *present) {
Input out;
return ReadOptionalTag(tag, &out, present);
}
-bool Parser::ReadTag(Tag tag, Input* out) {
+bool Parser::ReadTag(Tag tag, Input *out) {
Tag actual_tag;
Input value;
if (!PeekTagAndValue(&actual_tag, &value) || actual_tag != tag) {
@@ -111,7 +107,7 @@
// Type-specific variants of ReadTag
-bool Parser::ReadConstructed(Tag tag, Parser* out) {
+bool Parser::ReadConstructed(Tag tag, Parser *out) {
if (!IsConstructed(tag))
return false;
Input data;
@@ -121,18 +117,18 @@
return true;
}
-bool Parser::ReadSequence(Parser* out) {
+bool Parser::ReadSequence(Parser *out) {
return ReadConstructed(kSequence, out);
}
-bool Parser::ReadUint8(uint8_t* out) {
+bool Parser::ReadUint8(uint8_t *out) {
Input encoded_int;
if (!ReadTag(kInteger, &encoded_int))
return false;
return ParseUint8(encoded_int, out);
}
-bool Parser::ReadUint64(uint64_t* out) {
+bool Parser::ReadUint64(uint64_t *out) {
Input encoded_int;
if (!ReadTag(kInteger, &encoded_int))
return false;
@@ -146,7 +142,7 @@
return ParseBitString(value);
}
-bool Parser::ReadGeneralizedTime(GeneralizedTime* out) {
+bool Parser::ReadGeneralizedTime(GeneralizedTime *out) {
Input value;
if (!ReadTag(kGeneralizedTime, &value))
return false;
diff --git a/pki/parser.h b/pki/parser.h
index 6716968..81a0d02 100644
--- a/pki/parser.h
+++ b/pki/parser.h
@@ -5,14 +5,14 @@
#ifndef BSSL_DER_PARSER_H_
#define BSSL_DER_PARSER_H_
-#include "fillins/openssl_util.h"
#include <stdint.h>
+#include "fillins/openssl_util.h"
+#include <openssl/bytestring.h>
+#include <optional>
#include "input.h"
#include "tag.h"
-#include <optional>
-#include <openssl/bytestring.h>
namespace bssl::der {
@@ -92,10 +92,10 @@
// Creates a parser to parse over the data represented by input. This class
// assumes that the underlying data will not change over the lifetime of
// the Parser object.
- explicit Parser(const Input& input);
+ explicit Parser(const Input &input);
- Parser(const Parser&) = default;
- Parser& operator=(const Parser&) = default;
+ Parser(const Parser &) = default;
+ Parser &operator=(const Parser &) = default;
// Returns whether there is any more data left in the input to parse. This
// does not guarantee that the data is parseable.
@@ -105,12 +105,12 @@
// encoding for the current value is invalid, this method returns false and
// does not advance the input. Otherwise, it returns true, putting the
// read tag in |tag| and the value in |out|.
- [[nodiscard]] bool ReadTagAndValue(Tag* tag, Input* out);
+ [[nodiscard]] bool ReadTagAndValue(Tag *tag, Input *out);
// Reads the current TLV from the input and advances. Unlike ReadTagAndValue
// where only the value is put in |out|, this puts the raw bytes from the
// tag, length, and value in |out|.
- [[nodiscard]] bool ReadRawTLV(Input* out);
+ [[nodiscard]] bool ReadRawTLV(Input *out);
// Basic methods for reading or skipping the current TLV, with an
// expectation of what the current tag should be. It should be possible
@@ -122,7 +122,7 @@
// something else, then |out| is set to nullopt and the input is not
// advanced. Like ReadTagAndValue, it returns false if the encoding is
// invalid and does not advance the input.
- [[nodiscard]] bool ReadOptionalTag(Tag tag, std::optional<Input>* out);
+ [[nodiscard]] bool ReadOptionalTag(Tag tag, std::optional<Input> *out);
// If the current tag in the input is |tag|, it puts the corresponding value
// in |out|, sets |was_present| to true, and advances the input to the next
@@ -131,14 +131,14 @@
// false if the encoding is invalid and does not advance the input.
// DEPRECATED: use the std::optional version above in new code.
// TODO(mattm): convert the existing callers and remove this override.
- [[nodiscard]] bool ReadOptionalTag(Tag tag, Input* out, bool* was_present);
+ [[nodiscard]] bool ReadOptionalTag(Tag tag, Input *out, bool *was_present);
// Like ReadOptionalTag, but the value is discarded.
- [[nodiscard]] bool SkipOptionalTag(Tag tag, bool* was_present);
+ [[nodiscard]] bool SkipOptionalTag(Tag tag, bool *was_present);
// If the current tag matches |tag|, it puts the current value in |out|,
// advances the input, and returns true. Otherwise, it returns false.
- [[nodiscard]] bool ReadTag(Tag tag, Input* out);
+ [[nodiscard]] bool ReadTag(Tag tag, Input *out);
// Advances the input and returns true if the current tag matches |tag|;
// otherwise it returns false.
@@ -149,11 +149,11 @@
// Reads the current TLV from the input, checks that the tag matches |tag|
// and is a constructed tag, and creates a new Parser from the value.
- [[nodiscard]] bool ReadConstructed(Tag tag, Parser* out);
+ [[nodiscard]] bool ReadConstructed(Tag tag, Parser *out);
// A more specific form of ReadConstructed that expects the current tag
// to be 0x30 (SEQUENCE).
- [[nodiscard]] bool ReadSequence(Parser* out);
+ [[nodiscard]] bool ReadSequence(Parser *out);
// Expects the current tag to be kInteger, and calls ParseUint8 on the
// current value. Note that DER-encoded integers are arbitrary precision,
@@ -162,7 +162,7 @@
//
// Note that on failure the Parser is left in an undefined state (the
// input may or may not have been advanced).
- [[nodiscard]] bool ReadUint8(uint8_t* out);
+ [[nodiscard]] bool ReadUint8(uint8_t *out);
// Expects the current tag to be kInteger, and calls ParseUint64 on the
// current value. Note that DER-encoded integers are arbitrary precision,
@@ -171,7 +171,7 @@
//
// Note that on failure the Parser is left in an undefined state (the
// input may or may not have been advanced).
- [[nodiscard]] bool ReadUint64(uint64_t* out);
+ [[nodiscard]] bool ReadUint64(uint64_t *out);
// Reads a BIT STRING. On success returns BitString. On failure, returns
// std::nullopt.
@@ -184,7 +184,7 @@
//
// Note that on failure the Parser is left in an undefined state (the
// input may or may not have been advanced).
- [[nodiscard]] bool ReadGeneralizedTime(GeneralizedTime* out);
+ [[nodiscard]] bool ReadGeneralizedTime(GeneralizedTime *out);
// Lower level methods. The previous methods couple reading data from the
// input with advancing the Parser's internal pointer to the next TLV; these
@@ -195,7 +195,7 @@
// Reads the current TLV from the input, putting the tag in |tag| and the raw
// value in |out|, but does not advance the input. Returns true if the tag
// and length are successfully read and the output exists.
- [[nodiscard]] bool PeekTagAndValue(Tag* tag, Input* out);
+ [[nodiscard]] bool PeekTagAndValue(Tag *tag, Input *out);
// Advances the input to the next TLV. This method only needs to be called
// after PeekTagAndValue; all other methods will advance the input if they
diff --git a/pki/parser_unittest.cc b/pki/parser_unittest.cc
index 94d24d0..e510a93 100644
--- a/pki/parser_unittest.cc
+++ b/pki/parser_unittest.cc
@@ -4,9 +4,9 @@
#include "parser.h"
+#include <gtest/gtest.h>
#include "input.h"
#include "parse_values.h"
-#include <gtest/gtest.h>
namespace bssl::der::test {
diff --git a/pki/path_builder.cc b/pki/path_builder.cc
index 764a80b..f0e74e8 100644
--- a/pki/path_builder.cc
+++ b/pki/path_builder.cc
@@ -11,35 +11,35 @@
#include "fillins/log.h"
+#include <openssl/base.h>
+#include <openssl/sha.h>
#include "cert_issuer_source.h"
#include "certificate_policies.h"
#include "common_cert_errors.h"
#include "parse_certificate.h"
#include "parse_name.h" // For CertDebugString.
+#include "parser.h"
#include "string_util.h"
+#include "tag.h"
#include "trust_store.h"
#include "verify_certificate_chain.h"
#include "verify_name_match.h"
-#include "parser.h"
-#include "tag.h"
-#include <openssl/base.h>
-#include <openssl/sha.h>
namespace bssl {
namespace {
-using CertIssuerSources = std::vector<CertIssuerSource*>;
+using CertIssuerSources = std::vector<CertIssuerSource *>;
// Returns a hex-encoded sha256 of the DER-encoding of |cert|.
-std::string FingerPrintParsedCertificate(const bssl::ParsedCertificate* cert) {
+std::string FingerPrintParsedCertificate(const bssl::ParsedCertificate *cert) {
uint8_t digest[SHA256_DIGEST_LENGTH];
SHA256(cert->der_cert().UnsafeData(), cert->der_cert().Length(), digest);
return bssl::string_util::HexEncode(digest, sizeof(digest));
}
// TODO(mattm): decide how much debug logging to keep.
-std::string CertDebugString(const ParsedCertificate* cert) {
+std::string CertDebugString(const ParsedCertificate *cert) {
RDNSequence subject;
std::string subject_str;
if (!ParseName(cert->tbs().subject_tlv, &subject) ||
@@ -49,9 +49,9 @@
return FingerPrintParsedCertificate(cert) + " " + subject_str;
}
-std::string PathDebugString(const ParsedCertificateList& certs) {
+std::string PathDebugString(const ParsedCertificateList &certs) {
std::string s;
- for (const auto& cert : certs) {
+ for (const auto &cert : certs) {
if (!s.empty())
s += "\n";
s += " " + CertDebugString(cert.get());
@@ -83,8 +83,7 @@
// subjectKeyIdentifier and |target|'s authorityKeyIdentifier. Lower return
// values indicate higer priority.
KeyIdentifierMatch CalculateKeyIdentifierMatch(
- const ParsedCertificate* target,
- const ParsedCertificate* issuer) {
+ const ParsedCertificate *target, const ParsedCertificate *issuer) {
if (!target->authority_key_identifier())
return kNoData;
@@ -107,9 +106,9 @@
// Returns an integer that represents the relative ordering of |issuer| based
// on |issuer_trust| and authorityKeyIdentifier matching for prioritizing
// certificates in path building. Lower return values indicate higer priority.
-int TrustAndKeyIdentifierMatchToOrder(const ParsedCertificate* target,
- const ParsedCertificate* issuer,
- const CertificateTrust& issuer_trust) {
+int TrustAndKeyIdentifierMatchToOrder(const ParsedCertificate *target,
+ const ParsedCertificate *issuer,
+ const CertificateTrust &issuer_trust) {
enum {
kTrustedAndKeyIdMatch = 0,
kTrustedAndKeyIdNoData = 1,
@@ -168,15 +167,15 @@
// Constructs the CertIssuersIter. |*cert_issuer_sources|, and
// |*trust_store| must be valid for the lifetime of the CertIssuersIter.
CertIssuersIter(std::shared_ptr<const ParsedCertificate> cert,
- CertIssuerSources* cert_issuer_sources,
- TrustStore* trust_store);
+ CertIssuerSources *cert_issuer_sources,
+ TrustStore *trust_store);
- CertIssuersIter(const CertIssuersIter&) = delete;
- CertIssuersIter& operator=(const CertIssuersIter&) = delete;
+ CertIssuersIter(const CertIssuersIter &) = delete;
+ CertIssuersIter &operator=(const CertIssuersIter &) = delete;
// Gets the next candidate issuer, or clears |*out| when all issuers have been
// exhausted.
- void GetNextIssuer(IssuerEntry* out);
+ void GetNextIssuer(IssuerEntry *out);
// Returns true if candidate issuers were found for |cert_|.
bool had_non_skipped_issuers() const {
@@ -186,7 +185,7 @@
void increment_skipped_issuer_count() { skipped_issuer_count_++; }
// Returns the |cert| for which issuers are being retrieved.
- const ParsedCertificate* cert() const { return cert_.get(); }
+ const ParsedCertificate *cert() const { return cert_.get(); }
std::shared_ptr<const ParsedCertificate> reference_cert() const {
return cert_;
}
@@ -203,8 +202,8 @@
void SortRemainingIssuers();
std::shared_ptr<const ParsedCertificate> cert_;
- CertIssuerSources* cert_issuer_sources_;
- TrustStore* trust_store_;
+ CertIssuerSources *cert_issuer_sources_;
+ TrustStore *trust_store_;
// The list of issuers for |cert_|. This is added to incrementally (first
// synchronous results, then possibly multiple times as asynchronous results
@@ -241,18 +240,17 @@
CertIssuersIter::CertIssuersIter(
std::shared_ptr<const ParsedCertificate> in_cert,
- CertIssuerSources* cert_issuer_sources,
- TrustStore* trust_store)
+ CertIssuerSources *cert_issuer_sources, TrustStore *trust_store)
: cert_(std::move(in_cert)),
cert_issuer_sources_(cert_issuer_sources),
trust_store_(trust_store) {
DVLOG(2) << "CertIssuersIter created for " << CertDebugString(cert());
}
-void CertIssuersIter::GetNextIssuer(IssuerEntry* out) {
+void CertIssuersIter::GetNextIssuer(IssuerEntry *out) {
if (!did_initial_query_) {
did_initial_query_ = true;
- for (auto* cert_issuer_source : *cert_issuer_sources_) {
+ for (auto *cert_issuer_source : *cert_issuer_sources_) {
ParsedCertificateList new_issuers;
cert_issuer_source->SyncGetIssuersOf(cert(), &new_issuers);
AddIssuers(std::move(new_issuers));
@@ -301,7 +299,7 @@
}
void CertIssuersIter::AddIssuers(ParsedCertificateList new_issuers) {
- for (std::shared_ptr<const ParsedCertificate>& issuer : new_issuers) {
+ for (std::shared_ptr<const ParsedCertificate> &issuer : new_issuers) {
if (present_issuers_.find(issuer->der_cert().AsStringView()) !=
present_issuers_.end())
continue;
@@ -323,7 +321,7 @@
BSSL_CHECK(!did_async_issuer_query_);
did_async_issuer_query_ = true;
cur_async_request_ = 0;
- for (auto* cert_issuer_source : *cert_issuer_sources_) {
+ for (auto *cert_issuer_source : *cert_issuer_sources_) {
std::unique_ptr<CertIssuerSource::Request> request;
cert_issuer_source->AsyncGetIssuersOf(cert(), &request);
if (request) {
@@ -339,7 +337,7 @@
std::stable_sort(
issuers_.begin() + cur_issuer_, issuers_.end(),
- [](const IssuerEntry& issuer1, const IssuerEntry& issuer2) {
+ [](const IssuerEntry &issuer1, const IssuerEntry &issuer2) {
// TODO(crbug.com/635205): Add other prioritization hints. (See big list
// of possible sorting hints in RFC 4158.)
const bool issuer1_self_issued = issuer1.cert->normalized_subject() ==
@@ -371,7 +369,7 @@
class CertIssuerIterPath {
public:
// Returns true if |cert| is already present in the path.
- bool IsPresent(const ParsedCertificate* cert) const {
+ bool IsPresent(const ParsedCertificate *cert) const {
return present_certs_.find(GetKey(cert)) != present_certs_.end();
}
@@ -392,9 +390,9 @@
}
// Copies the ParsedCertificate elements of the current path to |*out_path|.
- void CopyPath(ParsedCertificateList* out_path) {
+ void CopyPath(ParsedCertificateList *out_path) {
out_path->clear();
- for (const auto& node : cur_path_)
+ for (const auto &node : cur_path_)
out_path->push_back(node->reference_cert());
}
@@ -402,14 +400,14 @@
bool Empty() const { return cur_path_.empty(); }
// Returns the last CertIssuersIter in the path.
- CertIssuersIter* back() { return cur_path_.back().get(); }
+ CertIssuersIter *back() { return cur_path_.back().get(); }
// Returns the length of the path.
size_t Length() const { return cur_path_.size(); }
std::string PathDebugString() {
std::string s;
- for (const auto& node : cur_path_) {
+ for (const auto &node : cur_path_) {
if (!s.empty())
s += "\n";
s += " " + CertDebugString(node->cert());
@@ -420,7 +418,7 @@
private:
using Key = std::tuple<std::string_view, std::string_view, std::string_view>;
- static Key GetKey(const ParsedCertificate* cert) {
+ static Key GetKey(const ParsedCertificate *cert) {
// TODO(mattm): ideally this would use a normalized version of
// SubjectAltName, but it's not that important just for LoopChecker.
//
@@ -441,7 +439,7 @@
} // namespace
-const ParsedCertificate* CertPathBuilderResultPath::GetTrustedCert() const {
+const ParsedCertificate *CertPathBuilderResultPath::GetTrustedCert() const {
if (certs.empty())
return nullptr;
@@ -465,15 +463,15 @@
class CertPathIter {
public:
CertPathIter(std::shared_ptr<const ParsedCertificate> cert,
- TrustStore* trust_store);
+ TrustStore *trust_store);
- CertPathIter(const CertPathIter&) = delete;
- CertPathIter& operator=(const CertPathIter&) = delete;
+ CertPathIter(const CertPathIter &) = delete;
+ CertPathIter &operator=(const CertPathIter &) = delete;
// Adds a CertIssuerSource to provide intermediates for use in path building.
// The |*cert_issuer_source| must remain valid for the lifetime of the
// CertPathIter.
- void AddCertIssuerSource(CertIssuerSource* cert_issuer_source);
+ void AddCertIssuerSource(CertIssuerSource *cert_issuer_source);
// Gets the next candidate path, and fills it into |out_certs| and
// |out_last_cert_trust|. Note that the returned path is unverified and must
@@ -484,11 +482,10 @@
// and continue path building. Once all paths have been exhausted returns
// false. If deadline or iteration limit is exceeded, sets |out_certs| to the
// current path being explored and returns false.
- bool GetNextPath(ParsedCertificateList* out_certs,
- CertificateTrust* out_last_cert_trust,
- CertPathErrors* out_errors,
- CertPathBuilderDelegate* delegate,
- uint32_t* iteration_count,
+ bool GetNextPath(ParsedCertificateList *out_certs,
+ CertificateTrust *out_last_cert_trust,
+ CertPathErrors *out_errors,
+ CertPathBuilderDelegate *delegate, uint32_t *iteration_count,
const uint32_t max_iteration_count,
const uint32_t max_path_building_depth);
@@ -503,26 +500,26 @@
// The CertIssuerSources for retrieving candidate issuers.
CertIssuerSources cert_issuer_sources_;
// The TrustStore for checking if a path ends in a trust anchor.
- TrustStore* trust_store_;
+ TrustStore *trust_store_;
};
CertPathIter::CertPathIter(std::shared_ptr<const ParsedCertificate> cert,
- TrustStore* trust_store)
+ TrustStore *trust_store)
: trust_store_(trust_store) {
// Initialize |next_issuer_| to the target certificate.
next_issuer_.cert = std::move(cert);
next_issuer_.trust = trust_store_->GetTrust(next_issuer_.cert.get());
}
-void CertPathIter::AddCertIssuerSource(CertIssuerSource* cert_issuer_source) {
+void CertPathIter::AddCertIssuerSource(CertIssuerSource *cert_issuer_source) {
cert_issuer_sources_.push_back(cert_issuer_source);
}
-bool CertPathIter::GetNextPath(ParsedCertificateList* out_certs,
- CertificateTrust* out_last_cert_trust,
- CertPathErrors* out_errors,
- CertPathBuilderDelegate* delegate,
- uint32_t* iteration_count,
+bool CertPathIter::GetNextPath(ParsedCertificateList *out_certs,
+ CertificateTrust *out_last_cert_trust,
+ CertPathErrors *out_errors,
+ CertPathBuilderDelegate *delegate,
+ uint32_t *iteration_count,
const uint32_t max_iteration_count,
const uint32_t max_path_building_depth) {
out_certs->clear();
@@ -690,16 +687,17 @@
}
CertPathBuilder::Result::Result() = default;
-CertPathBuilder::Result::Result(Result&&) = default;
+CertPathBuilder::Result::Result(Result &&) = default;
CertPathBuilder::Result::~Result() = default;
-CertPathBuilder::Result& CertPathBuilder::Result::operator=(Result&&) = default;
+CertPathBuilder::Result &CertPathBuilder::Result::operator=(Result &&) =
+ default;
bool CertPathBuilder::Result::HasValidPath() const {
return GetBestValidPath() != nullptr;
}
bool CertPathBuilder::Result::AnyPathContainsError(CertErrorId error_id) const {
- for (const auto& path : paths) {
+ for (const auto &path : paths) {
if (path->errors.ContainsError(error_id))
return true;
}
@@ -707,9 +705,9 @@
return false;
}
-const CertPathBuilderResultPath* CertPathBuilder::Result::GetBestValidPath()
+const CertPathBuilderResultPath *CertPathBuilder::Result::GetBestValidPath()
const {
- const CertPathBuilderResultPath* result_path = GetBestPathPossiblyInvalid();
+ const CertPathBuilderResultPath *result_path = GetBestPathPossiblyInvalid();
if (result_path && result_path->IsValid())
return result_path;
@@ -717,7 +715,7 @@
return nullptr;
}
-const CertPathBuilderResultPath*
+const CertPathBuilderResultPath *
CertPathBuilder::Result::GetBestPathPossiblyInvalid() const {
BSSL_CHECK((paths.empty() && best_result_index == 0) ||
best_result_index < paths.size());
@@ -729,13 +727,10 @@
}
CertPathBuilder::CertPathBuilder(
- std::shared_ptr<const ParsedCertificate> cert,
- TrustStore* trust_store,
- CertPathBuilderDelegate* delegate,
- const der::GeneralizedTime& time,
- KeyPurpose key_purpose,
- InitialExplicitPolicy initial_explicit_policy,
- const std::set<der::Input>& user_initial_policy_set,
+ std::shared_ptr<const ParsedCertificate> cert, TrustStore *trust_store,
+ CertPathBuilderDelegate *delegate, const der::GeneralizedTime &time,
+ KeyPurpose key_purpose, InitialExplicitPolicy initial_explicit_policy,
+ const std::set<der::Input> &user_initial_policy_set,
InitialPolicyMappingInhibit initial_policy_mapping_inhibit,
InitialAnyPolicyInhibit initial_any_policy_inhibit)
: cert_path_iter_(
@@ -755,7 +750,7 @@
CertPathBuilder::~CertPathBuilder() = default;
void CertPathBuilder::AddCertIssuerSource(
- CertIssuerSource* cert_issuer_source) {
+ CertIssuerSource *cert_issuer_source) {
cert_path_iter_->AddCertIssuerSource(cert_issuer_source);
}
@@ -846,7 +841,7 @@
// best_result_index based on prioritization (since due to AIA and such, the
// actual order results were discovered may not match the ideal).
if (!out_result_.HasValidPath()) {
- const CertPathBuilderResultPath* old_best_path =
+ const CertPathBuilderResultPath *old_best_path =
out_result_.GetBestPathPossiblyInvalid();
// If |result_path| is a valid path or if the previous best result did not
// end in a trust anchor but the |result_path| does, then update the best
@@ -863,4 +858,4 @@
out_result_.paths.push_back(std::move(result_path));
}
-} // namespace net
+} // namespace bssl
diff --git a/pki/path_builder.h b/pki/path_builder.h
index ea11b43..48f0666 100644
--- a/pki/path_builder.h
+++ b/pki/path_builder.h
@@ -5,17 +5,17 @@
#ifndef BSSL_PKI_PATH_BUILDER_H_
#define BSSL_PKI_PATH_BUILDER_H_
-#include "fillins/openssl_util.h"
#include <memory>
#include <vector>
+#include "fillins/openssl_util.h"
#include "cert_errors.h"
+#include "input.h"
+#include "parse_values.h"
#include "parsed_certificate.h"
#include "trust_store.h"
#include "verify_certificate_chain.h"
-#include "input.h"
-#include "parse_values.h"
namespace bssl {
@@ -51,7 +51,7 @@
// Returns the chain's root certificate or nullptr if the chain doesn't
// chain to a trust anchor.
- const ParsedCertificate* GetTrustedCert() const;
+ const ParsedCertificate *GetTrustedCert() const;
// Path in the forward direction:
//
@@ -92,8 +92,8 @@
// been run through RFC 5280 verification. |path| may already have errors
// and warnings set on it. Delegates can "reject" a candidate path from path
// building by adding high severity errors.
- virtual void CheckPathAfterVerification(const CertPathBuilder& path_builder,
- CertPathBuilderResultPath* path) = 0;
+ virtual void CheckPathAfterVerification(const CertPathBuilder &path_builder,
+ CertPathBuilderResultPath *path) = 0;
// This is called during path building in between attempts to build candidate
// paths. Delegates can cause path building to stop and return indicating
@@ -113,13 +113,13 @@
// were attempted.
struct OPENSSL_EXPORT Result {
Result();
- Result(Result&&);
+ Result(Result &&);
- Result(const Result&) = delete;
- Result& operator=(const Result&) = delete;
+ Result(const Result &) = delete;
+ Result &operator=(const Result &) = delete;
~Result();
- Result& operator=(Result&&);
+ Result &operator=(Result &&);
// Returns true if there was a valid path.
bool HasValidPath() const;
@@ -129,10 +129,10 @@
// Returns the CertPathBuilderResultPath for the best valid path, or nullptr
// if there was none.
- const CertPathBuilderResultPath* GetBestValidPath() const;
+ const CertPathBuilderResultPath *GetBestValidPath() const;
// Returns the best CertPathBuilderResultPath or nullptr if there was none.
- const CertPathBuilderResultPath* GetBestPathPossiblyInvalid() const;
+ const CertPathBuilderResultPath *GetBestPathPossiblyInvalid() const;
// List of paths that were attempted and the result for each.
std::vector<std::unique_ptr<CertPathBuilderResultPath>> paths;
@@ -171,17 +171,15 @@
// final chain. See CertPathBuilderDelegate and
// VerifyCertificateChainDelegate for more information.
CertPathBuilder(std::shared_ptr<const ParsedCertificate> cert,
- TrustStore* trust_store,
- CertPathBuilderDelegate* delegate,
- const der::GeneralizedTime& time,
- KeyPurpose key_purpose,
+ TrustStore *trust_store, CertPathBuilderDelegate *delegate,
+ const der::GeneralizedTime &time, KeyPurpose key_purpose,
InitialExplicitPolicy initial_explicit_policy,
- const std::set<der::Input>& user_initial_policy_set,
+ const std::set<der::Input> &user_initial_policy_set,
InitialPolicyMappingInhibit initial_policy_mapping_inhibit,
InitialAnyPolicyInhibit initial_any_policy_inhibit);
- CertPathBuilder(const CertPathBuilder&) = delete;
- CertPathBuilder& operator=(const CertPathBuilder&) = delete;
+ CertPathBuilder(const CertPathBuilder &) = delete;
+ CertPathBuilder &operator=(const CertPathBuilder &) = delete;
~CertPathBuilder();
@@ -192,7 +190,7 @@
//
// (If no issuer sources are added, the target certificate will only verify if
// it is a trust anchor or is directly signed by a trust anchor.)
- void AddCertIssuerSource(CertIssuerSource* cert_issuer_source);
+ void AddCertIssuerSource(CertIssuerSource *cert_issuer_source);
// Sets a limit to the number of times to repeat the process of considering a
// new intermediate over all potential paths. Setting |limit| to 0 disables
@@ -222,7 +220,7 @@
Result out_result_;
std::unique_ptr<CertPathIter> cert_path_iter_;
- CertPathBuilderDelegate* delegate_;
+ CertPathBuilderDelegate *delegate_;
const der::GeneralizedTime time_;
const KeyPurpose key_purpose_;
const InitialExplicitPolicy initial_explicit_policy_;
@@ -234,6 +232,6 @@
bool explore_all_paths_ = false;
};
-} // namespace net
+} // namespace bssl
#endif // BSSL_PKI_PATH_BUILDER_H_
diff --git a/pki/path_builder_pkits_unittest.cc b/pki/path_builder_pkits_unittest.cc
index 153ce14..6f3573f 100644
--- a/pki/path_builder_pkits_unittest.cc
+++ b/pki/path_builder_pkits_unittest.cc
@@ -8,17 +8,17 @@
#include "fillins/log.h"
+#include <openssl/pool.h>
#include "cert_issuer_source_static.h"
#include "common_cert_errors.h"
#include "crl.h"
+#include "encode_values.h"
+#include "input.h"
#include "parse_certificate.h"
#include "parsed_certificate.h"
#include "simple_path_builder_delegate.h"
#include "trust_store_in_memory.h"
#include "verify_certificate_chain.h"
-#include "encode_values.h"
-#include "input.h"
-#include <openssl/pool.h>
#include "nist_pkits_unittest.h"
@@ -30,9 +30,8 @@
class CrlCheckingPathBuilderDelegate : public SimplePathBuilderDelegate {
public:
- CrlCheckingPathBuilderDelegate(const std::vector<std::string>& der_crls,
- int64_t verify_time,
- int64_t max_age,
+ CrlCheckingPathBuilderDelegate(const std::vector<std::string> &der_crls,
+ int64_t verify_time, int64_t max_age,
size_t min_rsa_modulus_length_bits,
DigestPolicy digest_policy)
: SimplePathBuilderDelegate(min_rsa_modulus_length_bits, digest_policy),
@@ -40,8 +39,8 @@
verify_time_(verify_time),
max_age_(max_age) {}
- void CheckPathAfterVerification(const CertPathBuilder& path_builder,
- CertPathBuilderResultPath* path) override {
+ void CheckPathAfterVerification(const CertPathBuilder &path_builder,
+ CertPathBuilderResultPath *path) override {
SimplePathBuilderDelegate::CheckPathAfterVerification(path_builder, path);
if (!path->IsValid())
@@ -51,7 +50,7 @@
// CheckValidatedChainRevocation somehow, but that only supports getting
// CRLs by http distributionPoints. So this just settles for writing a
// little bit of wrapper code to test CheckCRL directly.
- const ParsedCertificateList& certs = path->certs;
+ const ParsedCertificateList &certs = path->certs;
for (size_t reverse_i = 0; reverse_i < certs.size(); ++reverse_i) {
size_t i = certs.size() - reverse_i - 1;
@@ -68,7 +67,7 @@
// points, this means a default-initialized ParsedDistributionPoint is
// sufficient.
ParsedDistributionPoint fake_cert_dp;
- const ParsedDistributionPoint* cert_dp = &fake_cert_dp;
+ const ParsedDistributionPoint *cert_dp = &fake_cert_dp;
// If the target cert does have a distribution point, use it.
std::vector<ParsedDistributionPoint> distribution_points;
@@ -84,7 +83,7 @@
// reasons.)
// Look for a DistributionPoint without reasons.
- for (const auto& dp : distribution_points) {
+ for (const auto &dp : distribution_points) {
if (!dp.reasons) {
cert_dp = &dp;
break;
@@ -98,7 +97,7 @@
bool cert_good = false;
- for (const auto& der_crl : der_crls_) {
+ for (const auto &der_crl : der_crls_) {
CRLRevocationStatus crl_status =
CheckCRL(der_crl, certs, i, *cert_dp, verify_time_, max_age_);
if (crl_status == CRLRevocationStatus::REVOKED) {
@@ -133,16 +132,16 @@
public:
static void RunTest(std::vector<std::string> cert_ders,
std::vector<std::string> crl_ders,
- const PkitsTestInfo& orig_info) {
+ const PkitsTestInfo &orig_info) {
PkitsTestInfo info = orig_info;
ASSERT_FALSE(cert_ders.empty());
ParsedCertificateList certs;
- for (const std::string& der : cert_ders) {
+ for (const std::string &der : cert_ders) {
CertErrors errors;
ASSERT_TRUE(ParsedCertificate::CreateAndAddToVector(
bssl::UniquePtr<CRYPTO_BUFFER>(
- CRYPTO_BUFFER_new(reinterpret_cast<const uint8_t*>(der.data()),
+ CRYPTO_BUFFER_new(reinterpret_cast<const uint8_t *>(der.data()),
der.size(), nullptr)),
{}, &certs, &errors))
<< errors.ToDebugString();
@@ -233,7 +232,7 @@
if (info.should_validate != result.HasValidPath()) {
for (size_t i = 0; i < result.paths.size(); ++i) {
- const bssl::CertPathBuilderResultPath* result_path =
+ const bssl::CertPathBuilderResultPath *result_path =
result.paths[i].get();
LOG(ERROR) << "path " << i << " errors:\n"
<< result_path->errors.ToDebugString(result_path->certs);
@@ -251,54 +250,41 @@
} // namespace
-INSTANTIATE_TYPED_TEST_SUITE_P(PathBuilder,
- PkitsTest01SignatureVerification,
+INSTANTIATE_TYPED_TEST_SUITE_P(PathBuilder, PkitsTest01SignatureVerification,
PathBuilderPkitsTestDelegate);
-INSTANTIATE_TYPED_TEST_SUITE_P(PathBuilder,
- PkitsTest02ValidityPeriods,
+INSTANTIATE_TYPED_TEST_SUITE_P(PathBuilder, PkitsTest02ValidityPeriods,
PathBuilderPkitsTestDelegate);
-INSTANTIATE_TYPED_TEST_SUITE_P(PathBuilder,
- PkitsTest03VerifyingNameChaining,
+INSTANTIATE_TYPED_TEST_SUITE_P(PathBuilder, PkitsTest03VerifyingNameChaining,
PathBuilderPkitsTestDelegate);
INSTANTIATE_TYPED_TEST_SUITE_P(PathBuilder,
PkitsTest04BasicCertificateRevocationTests,
PathBuilderPkitsTestDelegate);
INSTANTIATE_TYPED_TEST_SUITE_P(
- PathBuilder,
- PkitsTest05VerifyingPathswithSelfIssuedCertificates,
+ PathBuilder, PkitsTest05VerifyingPathswithSelfIssuedCertificates,
PathBuilderPkitsTestDelegate);
INSTANTIATE_TYPED_TEST_SUITE_P(PathBuilder,
PkitsTest06VerifyingBasicConstraints,
PathBuilderPkitsTestDelegate);
-INSTANTIATE_TYPED_TEST_SUITE_P(PathBuilder,
- PkitsTest07KeyUsage,
+INSTANTIATE_TYPED_TEST_SUITE_P(PathBuilder, PkitsTest07KeyUsage,
PathBuilderPkitsTestDelegate);
-INSTANTIATE_TYPED_TEST_SUITE_P(PathBuilder,
- PkitsTest08CertificatePolicies,
+INSTANTIATE_TYPED_TEST_SUITE_P(PathBuilder, PkitsTest08CertificatePolicies,
PathBuilderPkitsTestDelegate);
-INSTANTIATE_TYPED_TEST_SUITE_P(PathBuilder,
- PkitsTest09RequireExplicitPolicy,
+INSTANTIATE_TYPED_TEST_SUITE_P(PathBuilder, PkitsTest09RequireExplicitPolicy,
PathBuilderPkitsTestDelegate);
-INSTANTIATE_TYPED_TEST_SUITE_P(PathBuilder,
- PkitsTest10PolicyMappings,
+INSTANTIATE_TYPED_TEST_SUITE_P(PathBuilder, PkitsTest10PolicyMappings,
PathBuilderPkitsTestDelegate);
-INSTANTIATE_TYPED_TEST_SUITE_P(PathBuilder,
- PkitsTest11InhibitPolicyMapping,
+INSTANTIATE_TYPED_TEST_SUITE_P(PathBuilder, PkitsTest11InhibitPolicyMapping,
PathBuilderPkitsTestDelegate);
-INSTANTIATE_TYPED_TEST_SUITE_P(PathBuilder,
- PkitsTest12InhibitAnyPolicy,
+INSTANTIATE_TYPED_TEST_SUITE_P(PathBuilder, PkitsTest12InhibitAnyPolicy,
PathBuilderPkitsTestDelegate);
-INSTANTIATE_TYPED_TEST_SUITE_P(PathBuilder,
- PkitsTest13NameConstraints,
+INSTANTIATE_TYPED_TEST_SUITE_P(PathBuilder, PkitsTest13NameConstraints,
PathBuilderPkitsTestDelegate);
-INSTANTIATE_TYPED_TEST_SUITE_P(PathBuilder,
- PkitsTest14DistributionPoints,
+INSTANTIATE_TYPED_TEST_SUITE_P(PathBuilder, PkitsTest14DistributionPoints,
PathBuilderPkitsTestDelegate);
-INSTANTIATE_TYPED_TEST_SUITE_P(PathBuilder,
- PkitsTest15DeltaCRLs,
+INSTANTIATE_TYPED_TEST_SUITE_P(PathBuilder, PkitsTest15DeltaCRLs,
PathBuilderPkitsTestDelegate);
INSTANTIATE_TYPED_TEST_SUITE_P(PathBuilder,
PkitsTest16PrivateCertificateExtensions,
PathBuilderPkitsTestDelegate);
-} // namespace net
+} // namespace bssl
diff --git a/pki/path_builder_unittest.cc b/pki/path_builder_unittest.cc
index ef7ffca..dfe5a50 100644
--- a/pki/path_builder_unittest.cc
+++ b/pki/path_builder_unittest.cc
@@ -6,12 +6,13 @@
#include <algorithm>
-#include "fillins/path_service.h"
#include "fillins/file_util.h"
+#include "fillins/path_service.h"
#include "cert_error_params.h"
#include "cert_issuer_source_static.h"
#include "common_cert_errors.h"
+#include "input.h"
#include "mock_signature_verify_cache.h"
#include "parsed_certificate.h"
#include "simple_path_builder_delegate.h"
@@ -19,12 +20,11 @@
#include "trust_store_collection.h"
#include "trust_store_in_memory.h"
#include "verify_certificate_chain.h"
-#include "input.h"
-#include "testdata/test_certificate_data.h"
#include <gmock/gmock.h>
#include <gtest/gtest.h>
#include <openssl/pool.h>
+#include "testdata/test_certificate_data.h"
namespace bssl {
@@ -54,7 +54,7 @@
deadline_is_expired_ = deadline_is_expired;
}
- SignatureVerifyCache* GetVerifyCache() override {
+ SignatureVerifyCache *GetVerifyCache() override {
return use_signature_cache_ ? &cache_ : nullptr;
}
@@ -62,7 +62,7 @@
void DeActivateCache() { use_signature_cache_ = false; }
- MockSignatureVerifyCache* GetMockVerifyCache() { return &cache_; }
+ MockSignatureVerifyCache *GetMockVerifyCache() { return &cache_; }
private:
bool deadline_is_expired_ = false;
@@ -75,17 +75,17 @@
public:
class StaticAsyncRequest : public Request {
public:
- explicit StaticAsyncRequest(ParsedCertificateList&& issuers) {
+ explicit StaticAsyncRequest(ParsedCertificateList &&issuers) {
issuers_.swap(issuers);
issuers_iter_ = issuers_.begin();
}
- StaticAsyncRequest(const StaticAsyncRequest&) = delete;
- StaticAsyncRequest& operator=(const StaticAsyncRequest&) = delete;
+ StaticAsyncRequest(const StaticAsyncRequest &) = delete;
+ StaticAsyncRequest &operator=(const StaticAsyncRequest &) = delete;
~StaticAsyncRequest() override = default;
- void GetNext(ParsedCertificateList* out_certs) override {
+ void GetNext(ParsedCertificateList *out_certs) override {
if (issuers_iter_ != issuers_.end())
out_certs->push_back(std::move(*issuers_iter_++));
}
@@ -104,10 +104,10 @@
static_cert_issuer_source_.AddCert(std::move(cert));
}
- void SyncGetIssuersOf(const ParsedCertificate* cert,
- ParsedCertificateList* issuers) override {}
- void AsyncGetIssuersOf(const ParsedCertificate* cert,
- std::unique_ptr<Request>* out_req) override {
+ void SyncGetIssuersOf(const ParsedCertificate *cert,
+ ParsedCertificateList *issuers) override {}
+ void AsyncGetIssuersOf(const ParsedCertificate *cert,
+ std::unique_ptr<Request> *out_req) override {
num_async_gets_++;
ParsedCertificateList issuers;
static_cert_issuer_source_.SyncGetIssuersOf(cert, &issuers);
@@ -126,9 +126,9 @@
std::function<void()> async_get_callback_ = nullptr;
};
-::testing::AssertionResult ReadTestPem(const std::string& file_name,
- const std::string& block_name,
- std::string* result) {
+::testing::AssertionResult ReadTestPem(const std::string &file_name,
+ const std::string &block_name,
+ std::string *result) {
const PemBlockMapping mappings[] = {
{block_name.c_str(), result},
};
@@ -137,8 +137,8 @@
}
::testing::AssertionResult ReadTestCert(
- const std::string& file_name,
- std::shared_ptr<const ParsedCertificate>* result) {
+ const std::string &file_name,
+ std::shared_ptr<const ParsedCertificate> *result) {
std::string der;
::testing::AssertionResult r = ReadTestPem(
"testdata/ssl/certificates/" + file_name, "CERTIFICATE", &der);
@@ -147,7 +147,7 @@
CertErrors errors;
*result = ParsedCertificate::Create(
bssl::UniquePtr<CRYPTO_BUFFER>(CRYPTO_BUFFER_new(
- reinterpret_cast<const uint8_t*>(der.data()), der.size(), nullptr)),
+ reinterpret_cast<const uint8_t *>(der.data()), der.size(), nullptr)),
{}, &errors);
if (!*result) {
return ::testing::AssertionFailure()
@@ -211,7 +211,7 @@
auto result = path_builder.Run();
ASSERT_TRUE(result.HasValidPath());
- const auto& path = *result.GetBestValidPath();
+ const auto &path = *result.GetBestValidPath();
ASSERT_EQ(2U, path.certs.size());
EXPECT_EQ(a_by_b_, path.certs[0]);
EXPECT_EQ(b_by_f_, path.certs[1]);
@@ -267,7 +267,7 @@
ASSERT_EQ(1U, result.paths.size());
EXPECT_FALSE(result.paths[0]->IsValid());
- const auto& path0 = *result.paths[0];
+ const auto &path0 = *result.paths[0];
ASSERT_EQ(3U, path0.certs.size());
EXPECT_EQ(b_by_c_, path0.certs[0]);
EXPECT_EQ(c_by_d_, path0.certs[1]);
@@ -292,7 +292,7 @@
// Verifying a trusted leaf certificate is not permitted, however this
// certificate is self-signed, and can chain to itself.
- const auto& path = *result.GetBestValidPath();
+ const auto &path = *result.GetBestValidPath();
ASSERT_EQ(2U, path.certs.size());
EXPECT_EQ(e_by_e_, path.certs[0]);
EXPECT_EQ(e_by_e_, path.certs[1]);
@@ -312,7 +312,7 @@
auto result = path_builder.Run();
ASSERT_TRUE(result.HasValidPath());
- const auto& path = *result.GetBestValidPath();
+ const auto &path = *result.GetBestValidPath();
ASSERT_EQ(2U, path.certs.size());
EXPECT_EQ(a_by_b_, path.certs[0]);
EXPECT_EQ(b_by_f_, path.certs[1]);
@@ -446,7 +446,7 @@
// The result path should be A(B) <- B(C) <- C(D) <- D(D)
EXPECT_EQ(1U, result.best_result_index);
EXPECT_TRUE(result.paths[1]->IsValid());
- const auto& path = *result.GetBestValidPath();
+ const auto &path = *result.GetBestValidPath();
ASSERT_EQ(4U, path.certs.size());
EXPECT_EQ(a_by_b_, path.certs[0]);
EXPECT_EQ(b_by_c_, path.certs[1]);
@@ -573,7 +573,7 @@
// The result path should be A(B) <- B(C) <- C(D) <- D(D)
EXPECT_EQ(1U, result.best_result_index);
EXPECT_FALSE(result.paths[1]->IsValid());
- const auto& path = *result.GetBestPathPossiblyInvalid();
+ const auto &path = *result.GetBestPathPossiblyInvalid();
ASSERT_EQ(4U, path.certs.size());
EXPECT_EQ(a_by_b_, path.certs[0]);
EXPECT_EQ(b_by_c_, path.certs[1]);
@@ -597,7 +597,7 @@
for (auto it = certs.rbegin(); it != certs.rend(); ++it)
sync_certs.AddCert(*it);
} else {
- for (const auto& cert : certs)
+ for (const auto &cert : certs)
sync_certs.AddCert(cert);
}
@@ -612,7 +612,7 @@
ASSERT_TRUE(result.HasValidPath());
// The result path should be A(B) <- B(C) <- C(D) <- D(D)
- const auto& path = *result.GetBestValidPath();
+ const auto &path = *result.GetBestValidPath();
ASSERT_EQ(4U, path.certs.size());
EXPECT_EQ(a_by_b_, path.certs[0]);
EXPECT_EQ(b_by_c_, path.certs[1]);
@@ -871,7 +871,7 @@
ASSERT_EQ(result.paths.size(), 2u);
- const CertPathBuilderResultPath* truncated_path = result.paths[0].get();
+ const CertPathBuilderResultPath *truncated_path = result.paths[0].get();
EXPECT_FALSE(truncated_path->IsValid());
EXPECT_TRUE(
truncated_path->errors.ContainsError(cert_errors::kDepthLimitExceeded));
@@ -880,7 +880,7 @@
EXPECT_EQ(b_by_f_, truncated_path->certs[1]);
EXPECT_EQ(f_by_e_, truncated_path->certs[2]);
- const CertPathBuilderResultPath* valid_path = result.paths[1].get();
+ const CertPathBuilderResultPath *valid_path = result.paths[1].get();
EXPECT_TRUE(valid_path->IsValid());
EXPECT_FALSE(
valid_path->errors.ContainsError(cert_errors::kDepthLimitExceeded));
@@ -985,7 +985,7 @@
// attempt: target <- newintermediate <- newrootrollover <- oldroot
// which will succeed.
ASSERT_EQ(1U, result.paths.size());
- const auto& path0 = *result.paths[0];
+ const auto &path0 = *result.paths[0];
EXPECT_EQ(0U, result.best_result_index);
EXPECT_TRUE(path0.IsValid());
ASSERT_EQ(4U, path0.certs.size());
@@ -1020,7 +1020,7 @@
EXPECT_TRUE(result.HasValidPath());
ASSERT_EQ(1U, result.paths.size());
- const auto& path = *result.paths[0];
+ const auto &path = *result.paths[0];
EXPECT_TRUE(result.paths[0]->IsValid());
ASSERT_EQ(3U, path.certs.size());
EXPECT_EQ(target_, path.certs[0]);
@@ -1046,7 +1046,7 @@
EXPECT_FALSE(result.HasValidPath());
ASSERT_EQ(1U, result.paths.size());
- const auto& path = *result.paths[0];
+ const auto &path = *result.paths[0];
EXPECT_FALSE(result.paths[0]->IsValid());
ASSERT_EQ(1U, path.certs.size());
EXPECT_EQ(target_, path.certs[0]);
@@ -1093,7 +1093,7 @@
// target->newintermediate->newrootrollover
{
- const auto& path = *result.paths[0];
+ const auto &path = *result.paths[0];
EXPECT_FALSE(path.IsValid());
ASSERT_EQ(3U, path.certs.size());
EXPECT_EQ(target_, path.certs[0]);
@@ -1103,7 +1103,7 @@
}
{
- const auto& path = *result.paths[1];
+ const auto &path = *result.paths[1];
EXPECT_FALSE(path.IsValid());
ASSERT_EQ(3U, path.certs.size());
EXPECT_EQ(target_, path.certs[0]);
@@ -1148,7 +1148,7 @@
// attempt: target <- old intermediate <- oldroot
// which should succeed.
EXPECT_TRUE(result.paths[result.best_result_index]->IsValid());
- const auto& path = *result.paths[result.best_result_index];
+ const auto &path = *result.paths[result.best_result_index];
ASSERT_EQ(3U, path.certs.size());
EXPECT_EQ(target_, path.certs[0]);
EXPECT_EQ(oldintermediate_, path.certs[1]);
@@ -1189,7 +1189,7 @@
// target <- newintermediate <- newroot <- oldroot
// but it will fail since newroot is self-signed.
EXPECT_FALSE(result.paths[0]->IsValid());
- const auto& path0 = *result.paths[0];
+ const auto &path0 = *result.paths[0];
ASSERT_EQ(4U, path0.certs.size());
EXPECT_EQ(target_, path0.certs[0]);
EXPECT_EQ(newintermediate_, path0.certs[1]);
@@ -1199,7 +1199,7 @@
// Path builder will next attempt: target <- newintermediate <- oldroot
// but it will fail since newintermediate is signed by newroot.
EXPECT_FALSE(result.paths[1]->IsValid());
- const auto& path1 = *result.paths[1];
+ const auto &path1 = *result.paths[1];
ASSERT_EQ(3U, path1.certs.size());
EXPECT_EQ(target_, path1.certs[0]);
EXPECT_EQ(newintermediate_, path1.certs[1]);
@@ -1213,7 +1213,7 @@
// target <- newintermediate <- newrootrollover <- oldroot
EXPECT_EQ(2U, result.best_result_index);
EXPECT_TRUE(result.paths[2]->IsValid());
- const auto& path2 = *result.paths[2];
+ const auto &path2 = *result.paths[2];
ASSERT_EQ(4U, path2.certs.size());
EXPECT_EQ(target_, path2.certs[0]);
EXPECT_EQ(newintermediate_, path2.certs[1]);
@@ -1259,7 +1259,7 @@
sync_certs.AddCert(oldintermediate_);
sync_certs.AddCert(newintermediate_);
- for (const auto& expectation : kExpectations) {
+ for (const auto &expectation : kExpectations) {
SCOPED_TRACE(expectation.iteration_limit);
CertPathBuilder path_builder(
@@ -1281,7 +1281,7 @@
ASSERT_EQ(expectation.expected_num_paths, result.paths.size());
} else {
ASSERT_EQ(1 + expectation.expected_num_paths, result.paths.size());
- const auto& path = *result.paths[result.paths.size() - 1];
+ const auto &path = *result.paths[result.paths.size() - 1];
EXPECT_FALSE(path.IsValid());
EXPECT_EQ(expectation.partial_path, path.certs);
EXPECT_TRUE(
@@ -1291,7 +1291,7 @@
if (expectation.expected_num_paths > 0) {
// Path builder will first build path: target <- newintermediate <-
// newroot
- const auto& path0 = *result.paths[0];
+ const auto &path0 = *result.paths[0];
EXPECT_TRUE(path0.IsValid());
ASSERT_EQ(3U, path0.certs.size());
EXPECT_EQ(target_, path0.certs[0]);
@@ -1302,7 +1302,7 @@
if (expectation.expected_num_paths > 1) {
// Next path: target <- newintermediate <- oldroot
- const auto& path1 = *result.paths[1];
+ const auto &path1 = *result.paths[1];
EXPECT_FALSE(path1.IsValid());
ASSERT_EQ(3U, path1.certs.size());
EXPECT_EQ(target_, path1.certs[0]);
@@ -1313,7 +1313,7 @@
if (expectation.expected_num_paths > 2) {
// Next path: target <- oldintermediate <- oldroot
- const auto& path2 = *result.paths[2];
+ const auto &path2 = *result.paths[2];
EXPECT_TRUE(path2.IsValid());
ASSERT_EQ(3U, path2.certs.size());
EXPECT_EQ(target_, path2.certs[0]);
@@ -1324,7 +1324,7 @@
if (expectation.expected_num_paths > 3) {
// Final path: target <- oldintermediate <- newroot
- const auto& path3 = *result.paths[3];
+ const auto &path3 = *result.paths[3];
EXPECT_FALSE(path3.IsValid());
ASSERT_EQ(3U, path3.certs.size());
EXPECT_EQ(target_, path3.certs[0]);
@@ -1401,7 +1401,7 @@
ASSERT_TRUE(result.HasValidPath());
- const CertPathBuilderResultPath* best_result = result.GetBestValidPath();
+ const CertPathBuilderResultPath *best_result = result.GetBestValidPath();
// Newroot has same name+SPKI as newrootrollover, thus the path is valid and
// only contains newroot.
@@ -1457,7 +1457,7 @@
// Path builder will first attempt: target <- oldintermediate <- newroot
// but it will fail since oldintermediate is signed by oldroot.
EXPECT_FALSE(result.paths[0]->IsValid());
- const auto& path0 = *result.paths[0];
+ const auto &path0 = *result.paths[0];
ASSERT_EQ(3U, path0.certs.size());
EXPECT_EQ(target_, path0.certs[0]);
@@ -1470,7 +1470,7 @@
// which will succeed.
EXPECT_EQ(1U, result.best_result_index);
EXPECT_TRUE(result.paths[1]->IsValid());
- const auto& path1 = *result.paths[1];
+ const auto &path1 = *result.paths[1];
ASSERT_EQ(3U, path1.certs.size());
EXPECT_EQ(target_, path1.certs[0]);
EXPECT_EQ(newintermediate_, path1.certs[1]);
@@ -1511,7 +1511,7 @@
// Path builder attempt: target <- oldintermediate <- newroot
// but it will fail since oldintermediate is signed by oldroot.
EXPECT_FALSE(result.paths[0]->IsValid());
- const auto& path = *result.paths[0];
+ const auto &path = *result.paths[0];
ASSERT_EQ(3U, path.certs.size());
EXPECT_EQ(target_, path.certs[0]);
EXPECT_EQ(oldintermediate_, path.certs[1]);
@@ -1522,15 +1522,15 @@
class MockCertIssuerSourceRequest : public CertIssuerSource::Request {
public:
- MOCK_METHOD1(GetNext, void(ParsedCertificateList*));
+ MOCK_METHOD1(GetNext, void(ParsedCertificateList *));
};
class MockCertIssuerSource : public CertIssuerSource {
public:
MOCK_METHOD2(SyncGetIssuersOf,
- void(const ParsedCertificate*, ParsedCertificateList*));
+ void(const ParsedCertificate *, ParsedCertificateList *));
MOCK_METHOD2(AsyncGetIssuersOf,
- void(const ParsedCertificate*, std::unique_ptr<Request>*));
+ void(const ParsedCertificate *, std::unique_ptr<Request> *));
};
// Helper class to pass the Request to the PathBuilder when it calls
@@ -1541,8 +1541,8 @@
explicit CertIssuerSourceRequestMover(
std::unique_ptr<CertIssuerSource::Request> req)
: request_(std::move(req)) {}
- void MoveIt(const ParsedCertificate* cert,
- std::unique_ptr<CertIssuerSource::Request>* out_req) {
+ void MoveIt(const ParsedCertificate *cert,
+ std::unique_ptr<CertIssuerSource::Request> *out_req) {
*out_req = std::move(request_);
}
@@ -1555,10 +1555,10 @@
class AppendCertToList {
public:
explicit AppendCertToList(
- const std::shared_ptr<const ParsedCertificate>& cert)
+ const std::shared_ptr<const ParsedCertificate> &cert)
: cert_(cert) {}
- void operator()(ParsedCertificateList* out) { out->push_back(cert_); }
+ void operator()(ParsedCertificateList *out) { out->push_back(cert_); }
private:
std::shared_ptr<const ParsedCertificate> cert_;
@@ -1584,7 +1584,7 @@
auto target_issuers_req_owner =
std::make_unique<StrictMock<MockCertIssuerSourceRequest>>();
// Keep a raw pointer to the Request...
- StrictMock<MockCertIssuerSourceRequest>* target_issuers_req =
+ StrictMock<MockCertIssuerSourceRequest> *target_issuers_req =
target_issuers_req_owner.get();
// Setup helper class to pass ownership of the Request to the PathBuilder when
// it calls AsyncGetIssuersOf.
@@ -1629,7 +1629,7 @@
// Path builder first attempts: target <- oldintermediate <- newroot
// but it will fail since oldintermediate is signed by oldroot.
EXPECT_FALSE(result.paths[0]->IsValid());
- const auto& path0 = *result.paths[0];
+ const auto &path0 = *result.paths[0];
ASSERT_EQ(3U, path0.certs.size());
EXPECT_EQ(target_, path0.certs[0]);
EXPECT_EQ(oldintermediate_, path0.certs[1]);
@@ -1638,7 +1638,7 @@
// After the second batch of async results, path builder will attempt:
// target <- newintermediate <- newroot which will succeed.
EXPECT_TRUE(result.paths[1]->IsValid());
- const auto& path1 = *result.paths[1];
+ const auto &path1 = *result.paths[1];
ASSERT_EQ(3U, path1.certs.size());
EXPECT_EQ(target_, path1.certs[0]);
EXPECT_EQ(newintermediate_, path1.certs[1]);
@@ -1664,7 +1664,7 @@
auto target_issuers_req_owner =
std::make_unique<StrictMock<MockCertIssuerSourceRequest>>();
// Keep a raw pointer to the Request...
- StrictMock<MockCertIssuerSourceRequest>* target_issuers_req =
+ StrictMock<MockCertIssuerSourceRequest> *target_issuers_req =
target_issuers_req_owner.get();
// Setup helper class to pass ownership of the Request to the PathBuilder when
// it calls AsyncGetIssuersOf.
@@ -1716,7 +1716,7 @@
// Path builder first attempts: target <- oldintermediate <- newroot
// but it will fail since oldintermediate is signed by oldroot.
EXPECT_FALSE(result.paths[0]->IsValid());
- const auto& path0 = *result.paths[0];
+ const auto &path0 = *result.paths[0];
ASSERT_EQ(3U, path0.certs.size());
EXPECT_EQ(target_, path0.certs[0]);
EXPECT_EQ(oldintermediate_, path0.certs[1]);
@@ -1727,7 +1727,7 @@
// After the third batch of async results, path builder will attempt:
// target <- newintermediate <- newroot which will succeed.
EXPECT_TRUE(result.paths[1]->IsValid());
- const auto& path1 = *result.paths[1];
+ const auto &path1 = *result.paths[1];
ASSERT_EQ(3U, path1.certs.size());
EXPECT_EQ(target_, path1.certs[0]);
EXPECT_EQ(newintermediate_, path1.certs[1]);
@@ -1751,8 +1751,8 @@
// Runs the path builder for the target certificate while |distrusted_cert| is
// blocked, and |delegate| if non-null.
CertPathBuilder::Result RunPathBuilder(
- const std::shared_ptr<const ParsedCertificate>& distrusted_cert,
- CertPathBuilderDelegate* optional_delegate) {
+ const std::shared_ptr<const ParsedCertificate> &distrusted_cert,
+ CertPathBuilderDelegate *optional_delegate) {
// Set up the trust store such that |distrusted_cert| is blocked, and
// the root is trusted (except if it was |distrusted_cert|).
TrustStoreInMemory trust_store;
@@ -1767,7 +1767,7 @@
SimplePathBuilderDelegate default_delegate(
1024, SimplePathBuilderDelegate::DigestPolicy::kWeakAllowSha1);
- CertPathBuilderDelegate* delegate =
+ CertPathBuilderDelegate *delegate =
optional_delegate ? optional_delegate : &default_delegate;
const InitialExplicitPolicy initial_explicit_policy =
@@ -1801,7 +1801,7 @@
// Runs the path builder for the target certificate while |distrusted_cert| is
// blocked.
CertPathBuilder::Result RunPathBuilderWithDistrustedCert(
- const std::shared_ptr<const ParsedCertificate>& distrusted_cert) {
+ const std::shared_ptr<const ParsedCertificate> &distrusted_cert) {
return RunPathBuilder(distrusted_cert, nullptr);
}
};
@@ -1815,7 +1815,7 @@
{
ASSERT_TRUE(result.HasValidPath());
// The built path should be identical the the one read from disk.
- const auto& path = *result.GetBestValidPath();
+ const auto &path = *result.GetBestValidPath();
ASSERT_EQ(test_.chain.size(), path.certs.size());
for (size_t i = 0; i < test_.chain.size(); ++i)
EXPECT_EQ(test_.chain[i], path.certs[i]);
@@ -1826,7 +1826,7 @@
{
EXPECT_FALSE(result.HasValidPath());
ASSERT_LT(result.best_result_index, result.paths.size());
- const auto& best_path = result.paths[result.best_result_index];
+ const auto &best_path = result.paths[result.best_result_index];
// The built chain has length 1 since path building stopped once
// it encountered the blocked certificate (target).
@@ -1841,7 +1841,7 @@
{
EXPECT_FALSE(result.HasValidPath());
ASSERT_LT(result.best_result_index, result.paths.size());
- const auto& best_path = result.paths[result.best_result_index];
+ const auto &best_path = result.paths[result.best_result_index];
// The built chain has length 2 since path building stopped once
// it encountered the blocked certificate (intermediate).
@@ -1857,7 +1857,7 @@
{
EXPECT_FALSE(result.HasValidPath());
ASSERT_LT(result.best_result_index, result.paths.size());
- const auto& best_path = result.paths[result.best_result_index];
+ const auto &best_path = result.paths[result.best_result_index];
// The built chain has length 3 since path building stopped once
// it encountered the blocked certificate (root).
@@ -1879,10 +1879,9 @@
public:
CertPathBuilderDelegateBase()
: SimplePathBuilderDelegate(
- 1024,
- SimplePathBuilderDelegate::DigestPolicy::kWeakAllowSha1) {}
- void CheckPathAfterVerification(const CertPathBuilder& path_builder,
- CertPathBuilderResultPath* path) override {
+ 1024, SimplePathBuilderDelegate::DigestPolicy::kWeakAllowSha1) {}
+ void CheckPathAfterVerification(const CertPathBuilder &path_builder,
+ CertPathBuilderResultPath *path) override {
ADD_FAILURE() << "Tests must override this";
}
};
@@ -1890,8 +1889,8 @@
class MockPathBuilderDelegate : public CertPathBuilderDelegateBase {
public:
MOCK_METHOD2(CheckPathAfterVerification,
- void(const CertPathBuilder& path_builder,
- CertPathBuilderResultPath* path));
+ void(const CertPathBuilder &path_builder,
+ CertPathBuilderResultPath *path));
};
TEST_F(PathBuilderCheckPathAfterVerificationTest, NoOpToValidPath) {
@@ -1907,8 +1906,8 @@
class AddWarningPathBuilderDelegate : public CertPathBuilderDelegateBase {
public:
- void CheckPathAfterVerification(const CertPathBuilder& path_builder,
- CertPathBuilderResultPath* path) override {
+ void CheckPathAfterVerification(const CertPathBuilder &path_builder,
+ CertPathBuilderResultPath *path) override {
path->errors.GetErrorsForCert(1)->AddWarning(kWarningFromDelegate, nullptr);
}
};
@@ -1919,7 +1918,7 @@
ASSERT_TRUE(result.HasValidPath());
// A warning should have been added to certificate at index 1 in the path.
- const CertErrors* cert1_errors =
+ const CertErrors *cert1_errors =
result.GetBestValidPath()->errors.GetErrorsForCert(1);
ASSERT_TRUE(cert1_errors);
EXPECT_TRUE(cert1_errors->ContainsError(kWarningFromDelegate));
@@ -1929,8 +1928,8 @@
class AddErrorPathBuilderDelegate : public CertPathBuilderDelegateBase {
public:
- void CheckPathAfterVerification(const CertPathBuilder& path_builder,
- CertPathBuilderResultPath* path) override {
+ void CheckPathAfterVerification(const CertPathBuilder &path_builder,
+ CertPathBuilderResultPath *path) override {
path->errors.GetErrorsForCert(2)->AddError(kErrorFromDelegate, nullptr);
}
};
@@ -1943,12 +1942,12 @@
ASSERT_FALSE(result.HasValidPath());
ASSERT_LT(result.best_result_index, result.paths.size());
- const CertPathBuilderResultPath* failed_path =
+ const CertPathBuilderResultPath *failed_path =
result.paths[result.best_result_index].get();
ASSERT_TRUE(failed_path);
// An error should have been added to certificate at index 2 in the path.
- const CertErrors* cert2_errors = failed_path->errors.GetErrorsForCert(2);
+ const CertErrors *cert2_errors = failed_path->errors.GetErrorsForCert(2);
ASSERT_TRUE(cert2_errors);
EXPECT_TRUE(cert2_errors->ContainsError(kErrorFromDelegate));
}
@@ -1969,8 +1968,8 @@
class SetsDelegateDataPathBuilderDelegate : public CertPathBuilderDelegateBase {
public:
- void CheckPathAfterVerification(const CertPathBuilder& path_builder,
- CertPathBuilderResultPath* path) override {
+ void CheckPathAfterVerification(const CertPathBuilder &path_builder,
+ CertPathBuilderResultPath *path) override {
path->delegate_data = std::make_unique<DelegateData>();
}
};
@@ -1980,7 +1979,7 @@
CertPathBuilder::Result result = RunPathBuilder(nullptr, &delegate);
ASSERT_TRUE(result.HasValidPath());
- DelegateData* data = reinterpret_cast<DelegateData*>(
+ DelegateData *data = reinterpret_cast<DelegateData *>(
result.GetBestValidPath()->delegate_data.get());
EXPECT_EQ(0xB33F, data->value);
@@ -2460,4 +2459,4 @@
} // namespace
-} // namespace net
+} // namespace bssl
diff --git a/pki/path_builder_verify_certificate_chain_unittest.cc b/pki/path_builder_verify_certificate_chain_unittest.cc
index b2cac64..bb0cab9 100644
--- a/pki/path_builder_verify_certificate_chain_unittest.cc
+++ b/pki/path_builder_verify_certificate_chain_unittest.cc
@@ -15,8 +15,8 @@
class PathBuilderTestDelegate {
public:
- static void Verify(const VerifyCertChainTest& test,
- const std::string& test_file_path) {
+ static void Verify(const VerifyCertChainTest &test,
+ const std::string &test_file_path) {
SimplePathBuilderDelegate path_builder_delegate(1024, test.digest_policy);
ASSERT_FALSE(test.chain.empty());
@@ -52,4 +52,4 @@
VerifyCertificateChainSingleRootTest,
PathBuilderTestDelegate);
-} // namespace net
+} // namespace bssl
diff --git a/pki/pem.cc b/pki/pem.cc
index 1c12448..57068d4 100644
--- a/pki/pem.cc
+++ b/pki/pem.cc
@@ -2,11 +2,11 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#include "string_util.h"
#include "pem.h"
+#include "string_util.h"
-#include "fillins/fillins_base64.h"
#include <string_view>
+#include "fillins/fillins_base64.h"
#include "fillins/fillins_string_util.h"
@@ -29,8 +29,7 @@
};
PEMTokenizer::PEMTokenizer(
- std::string_view str,
- const std::vector<std::string>& allowed_block_types) {
+ std::string_view str, const std::vector<std::string> &allowed_block_types) {
Init(str, allowed_block_types);
}
@@ -62,9 +61,10 @@
pos_ = footer_pos + it->footer.size();
block_type_ = it->type;
- std::string_view encoded = str_.substr(data_begin, footer_pos - data_begin);
- if (!fillins::Base64Decode(fillins::CollapseWhitespaceASCII(encoded, true),
- &data_)) {
+ std::string_view encoded =
+ str_.substr(data_begin, footer_pos - data_begin);
+ if (!fillins::Base64Decode(
+ fillins::CollapseWhitespaceASCII(encoded, true), &data_)) {
// The most likely cause for a decode failure is a datatype that
// includes PEM headers, which are not supported.
break;
@@ -85,13 +85,13 @@
}
void PEMTokenizer::Init(std::string_view str,
- const std::vector<std::string>& allowed_block_types) {
+ const std::vector<std::string> &allowed_block_types) {
str_ = str;
pos_ = 0;
// Construct PEM header/footer strings for all the accepted types, to
// reduce parsing later.
- for (const auto& allowed_block_type : allowed_block_types) {
+ for (const auto &allowed_block_type : allowed_block_types) {
PEMType allowed_type;
allowed_type.type = allowed_block_type;
allowed_type.header = kPEMHeaderBeginBlock;
@@ -104,7 +104,7 @@
}
}
-std::string PEMEncode(std::string_view data, const std::string& type) {
+std::string PEMEncode(std::string_view data, const std::string &type) {
std::string b64_encoded;
fillins::Base64Encode(data, &b64_encoded);
@@ -140,4 +140,4 @@
return pem_encoded;
}
-} // namespace net
+} // namespace bssl
diff --git a/pki/pem.h b/pki/pem.h
index 6bd1e41..9ec5519 100644
--- a/pki/pem.h
+++ b/pki/pem.h
@@ -5,8 +5,8 @@
#ifndef BSSL_PKI_PEM_H_
#define BSSL_PKI_PEM_H_
-#include "fillins/openssl_util.h"
#include <stddef.h>
+#include "fillins/openssl_util.h"
#include <string>
#include <vector>
@@ -27,10 +27,10 @@
// instances of PEM encoded blocks that are of the |allowed_block_types|.
// |str| must remain valid for the duration of the PEMTokenizer.
PEMTokenizer(std::string_view str,
- const std::vector<std::string>& allowed_block_types);
+ const std::vector<std::string> &allowed_block_types);
- PEMTokenizer(const PEMTokenizer&) = delete;
- PEMTokenizer& operator=(const PEMTokenizer&) = delete;
+ PEMTokenizer(const PEMTokenizer &) = delete;
+ PEMTokenizer &operator=(const PEMTokenizer &) = delete;
~PEMTokenizer();
@@ -42,16 +42,16 @@
// Returns the PEM block type (eg: CERTIFICATE) of the last successfully
// decoded PEM block.
// GetNext() must have returned true before calling this method.
- const std::string& block_type() const { return block_type_; }
+ const std::string &block_type() const { return block_type_; }
// Returns the raw, Base64-decoded data of the last successfully decoded
// PEM block.
// GetNext() must have returned true before calling this method.
- const std::string& data() const { return data_; }
+ const std::string &data() const { return data_; }
private:
void Init(std::string_view str,
- const std::vector<std::string>& allowed_block_types);
+ const std::vector<std::string> &allowed_block_types);
// A simple cache of the allowed PEM header and footer for a given PEM
// block type, so that it is only computed once.
@@ -81,8 +81,8 @@
// Encodes |data| in the encapsulated message format described in RFC 1421,
// with |type| as the PEM block type (eg: CERTIFICATE).
OPENSSL_EXPORT std::string PEMEncode(std::string_view data,
- const std::string& type);
+ const std::string &type);
-} // namespace net
+} // namespace bssl
#endif // BSSL_PKI_PEM_H_
diff --git a/pki/pem_unittest.cc b/pki/pem_unittest.cc
index 12e05ec..a7f9eda 100644
--- a/pki/pem_unittest.cc
+++ b/pki/pem_unittest.cc
@@ -202,4 +202,4 @@
"WRAPPED LINE"));
}
-} // namespace net
+} // namespace bssl
diff --git a/pki/revocation_util.cc b/pki/revocation_util.cc
index 801a545..80779d7 100644
--- a/pki/revocation_util.cc
+++ b/pki/revocation_util.cc
@@ -16,8 +16,8 @@
} // namespace
-bool CheckRevocationDateValid(const der::GeneralizedTime& this_update,
- const der::GeneralizedTime* next_update,
+bool CheckRevocationDateValid(const der::GeneralizedTime &this_update,
+ const der::GeneralizedTime *next_update,
int64_t verify_time_epoch_seconds,
std::optional<int64_t> max_age_seconds) {
if (verify_time_epoch_seconds > kMaxValidTime ||
@@ -56,4 +56,4 @@
return true;
}
-} // namespace net
+} // namespace bssl
diff --git a/pki/revocation_util.h b/pki/revocation_util.h
index 33c12ef..273c6fe 100644
--- a/pki/revocation_util.h
+++ b/pki/revocation_util.h
@@ -23,11 +23,10 @@
// differently, returns true if |this_update <= verify_time < next_update|, and
// |this_update >= verify_time - max_age|.
[[nodiscard]] OPENSSL_EXPORT bool CheckRevocationDateValid(
- const der::GeneralizedTime& this_update,
- const der::GeneralizedTime* next_update,
- int64_t verify_time_epoch_seconds,
+ const der::GeneralizedTime &this_update,
+ const der::GeneralizedTime *next_update, int64_t verify_time_epoch_seconds,
std::optional<int64_t> max_age_seconds);
-} // namespace net
+} // namespace bssl
#endif // BSSL_PKI_REVOCATION_UTIL_H_
diff --git a/pki/signature_algorithm.cc b/pki/signature_algorithm.cc
index e66ef12..83f65d1 100644
--- a/pki/signature_algorithm.cc
+++ b/pki/signature_algorithm.cc
@@ -4,11 +4,11 @@
#include "signature_algorithm.h"
+#include <openssl/bytestring.h>
+#include <openssl/digest.h>
#include "input.h"
#include "parse_values.h"
#include "parser.h"
-#include <openssl/bytestring.h>
-#include <openssl/digest.h>
namespace bssl {
@@ -123,12 +123,12 @@
0x0d, 0x01, 0x01, 0x08};
// Returns true if |input| is empty.
-[[nodiscard]] bool IsEmpty(const der::Input& input) {
+[[nodiscard]] bool IsEmpty(const der::Input &input) {
return input.Length() == 0;
}
// Returns true if the entirety of the input is a NULL value.
-[[nodiscard]] bool IsNull(const der::Input& input) {
+[[nodiscard]] bool IsNull(const der::Input &input) {
der::Parser parser(input);
der::Input null_value;
if (!parser.ReadTag(der::kNull, &null_value))
@@ -142,7 +142,7 @@
return !parser.HasMore();
}
-[[nodiscard]] bool IsNullOrEmpty(const der::Input& input) {
+[[nodiscard]] bool IsNullOrEmpty(const der::Input &input) {
return IsNull(input) || IsEmpty(input);
}
@@ -172,7 +172,7 @@
// the only function supported is MGF1, as that is the singular mask gen
// function defined by RFC 4055 / RFC 5912.
[[nodiscard]] bool ParseMaskGenAlgorithm(const der::Input input,
- DigestAlgorithm* mgf1_hash) {
+ DigestAlgorithm *mgf1_hash) {
der::Input oid;
der::Input params;
if (!ParseAlgorithmIdentifier(input, &oid, ¶ms))
@@ -211,7 +211,7 @@
// Note also that DER encoding (ITU-T X.690 section 11.5) prohibits
// specifying default values explicitly. The parameter should instead be
// omitted to indicate a default value.
-std::optional<SignatureAlgorithm> ParseRsaPss(const der::Input& params) {
+std::optional<SignatureAlgorithm> ParseRsaPss(const der::Input ¶ms) {
der::Parser parser(params);
der::Parser params_parser;
if (!parser.ReadSequence(¶ms_parser)) {
@@ -269,9 +269,9 @@
} // namespace
-[[nodiscard]] bool ParseAlgorithmIdentifier(const der::Input& input,
- der::Input* algorithm,
- der::Input* parameters) {
+[[nodiscard]] bool ParseAlgorithmIdentifier(const der::Input &input,
+ der::Input *algorithm,
+ der::Input *parameters) {
der::Parser parser(input);
der::Parser algorithm_identifier_parser;
@@ -301,11 +301,11 @@
return !algorithm_identifier_parser.HasMore();
}
-[[nodiscard]] bool ParseHashAlgorithm(const der::Input& input,
- DigestAlgorithm* out) {
+[[nodiscard]] bool ParseHashAlgorithm(const der::Input &input,
+ DigestAlgorithm *out) {
CBS cbs;
CBS_init(&cbs, input.UnsafeData(), input.Length());
- const EVP_MD* md = EVP_parse_digest_algorithm(&cbs);
+ const EVP_MD *md = EVP_parse_digest_algorithm(&cbs);
if (md == EVP_sha1()) {
*out = DigestAlgorithm::Sha1;
@@ -325,7 +325,7 @@
}
std::optional<SignatureAlgorithm> ParseSignatureAlgorithm(
- const der::Input& algorithm_identifier) {
+ const der::Input &algorithm_identifier) {
der::Input oid;
der::Input params;
if (!ParseAlgorithmIdentifier(algorithm_identifier, &oid, ¶ms)) {
@@ -417,4 +417,4 @@
return std::nullopt;
}
-} // namespace net
+} // namespace bssl
diff --git a/pki/signature_algorithm.h b/pki/signature_algorithm.h
index bf7207f..1cec208 100644
--- a/pki/signature_algorithm.h
+++ b/pki/signature_algorithm.h
@@ -5,12 +5,12 @@
#ifndef BSSL_PKI_SIGNATURE_ALGORITHM_H_
#define BSSL_PKI_SIGNATURE_ALGORITHM_H_
-#include "fillins/openssl_util.h"
#include <stdint.h>
+#include "fillins/openssl_util.h"
-#include <optional>
#include <openssl/evp.h>
+#include <optional>
namespace bssl {
@@ -53,9 +53,8 @@
// AlgorithmIdentifier ::= SEQUENCE {
// algorithm OBJECT IDENTIFIER,
// parameters ANY DEFINED BY algorithm OPTIONAL }
-[[nodiscard]] OPENSSL_EXPORT bool ParseAlgorithmIdentifier(const der::Input& input,
- der::Input* algorithm,
- der::Input* parameters);
+[[nodiscard]] OPENSSL_EXPORT bool ParseAlgorithmIdentifier(
+ const der::Input &input, der::Input *algorithm, der::Input *parameters);
// Parses a HashAlgorithm as defined by RFC 5912:
//
@@ -69,20 +68,20 @@
// { IDENTIFIER id-sha384 PARAMS TYPE NULL ARE preferredPresent } |
// { IDENTIFIER id-sha512 PARAMS TYPE NULL ARE preferredPresent }
// }
-[[nodiscard]] bool ParseHashAlgorithm(const der::Input& input,
- DigestAlgorithm* out);
+[[nodiscard]] bool ParseHashAlgorithm(const der::Input &input,
+ DigestAlgorithm *out);
// Parses an AlgorithmIdentifier into a signature algorithm and returns it, or
// returns `std::nullopt` if `algorithm_identifer` either cannot be parsed or
// is not a recognized signature algorithm.
OPENSSL_EXPORT std::optional<SignatureAlgorithm> ParseSignatureAlgorithm(
- const der::Input& algorithm_identifier);
+ const der::Input &algorithm_identifier);
// Returns the hash to be used with the tls-server-end-point channel binding
// (RFC 5929) or `std::nullopt`, if not supported for this signature algorithm.
-OPENSSL_EXPORT std::optional<DigestAlgorithm> GetTlsServerEndpointDigestAlgorithm(
- SignatureAlgorithm alg);
+OPENSSL_EXPORT std::optional<DigestAlgorithm>
+GetTlsServerEndpointDigestAlgorithm(SignatureAlgorithm alg);
-} // namespace net
+} // namespace bssl
#endif // BSSL_PKI_SIGNATURE_ALGORITHM_H_
diff --git a/pki/signature_algorithm_unittest.cc b/pki/signature_algorithm_unittest.cc
index 9673ab2..5343e28 100644
--- a/pki/signature_algorithm_unittest.cc
+++ b/pki/signature_algorithm_unittest.cc
@@ -6,10 +6,10 @@
#include <memory>
+#include <gtest/gtest.h>
#include "fillins/file_util.h"
#include "input.h"
#include "parser.h"
-#include <gtest/gtest.h>
namespace bssl {
@@ -1154,7 +1154,7 @@
0x08, 0x30, 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
0x04, 0x02, 0x03, 0xa2, 0x03, 0x02, 0x01, 0x40},
SignatureAlgorithm::kRsaPssSha512}};
- for (const auto& t : kValidTests) {
+ for (const auto &t : kValidTests) {
EXPECT_EQ(ParseSignatureAlgorithm(der::Input(t.data)), t.expected);
}
@@ -1344,7 +1344,7 @@
0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03,
0x05, 0x00, 0xa2, 0x03, 0x02, 0x01, 0x41}},
};
- for (const auto& t : kInvalidTests) {
+ for (const auto &t : kInvalidTests) {
EXPECT_FALSE(ParseSignatureAlgorithm(der::Input(t.data)));
}
}
@@ -1449,4 +1449,4 @@
} // namespace
-} // namespace net
+} // namespace bssl
diff --git a/pki/signature_verify_cache.h b/pki/signature_verify_cache.h
index f0d98cf..83f99ac 100644
--- a/pki/signature_verify_cache.h
+++ b/pki/signature_verify_cache.h
@@ -5,8 +5,8 @@
#ifndef BSSL_PKI_SIGNATURE_VERIFY_CACHE_H_
#define BSSL_PKI_SIGNATURE_VERIFY_CACHE_H_
-#include "fillins/openssl_util.h"
#include <string>
+#include "fillins/openssl_util.h"
namespace bssl {
@@ -27,15 +27,15 @@
// |Store| is called to store the result of a verification for |key| as kValid
// or kInvalid after a signature check.
- virtual void Store(const std::string& key, Value value) = 0;
+ virtual void Store(const std::string &key, Value value) = 0;
// |Check| is called to fetch a cached value for a verification for |key|. If
// the result is kValid, or kInvalid, signature checking is skipped and the
// corresponding cached result is used. If the result is kUnknown signature
// checking is performed and the corresponding result saved using |Store|.
- virtual Value Check(const std::string& key) = 0;
+ virtual Value Check(const std::string &key) = 0;
};
-} // namespace net
+} // namespace bssl
#endif // BSSL_PKI_SIGNATURE_VERIFY_CACHE_H_
diff --git a/pki/simple_path_builder_delegate.cc b/pki/simple_path_builder_delegate.cc
index cc173bf..4dfaea8 100644
--- a/pki/simple_path_builder_delegate.cc
+++ b/pki/simple_path_builder_delegate.cc
@@ -4,11 +4,6 @@
#include "simple_path_builder_delegate.h"
-#include "cert_error_params.h"
-#include "cert_errors.h"
-#include "signature_algorithm.h"
-#include "signature_verify_cache.h"
-#include "verify_signed_data.h"
#include <openssl/bn.h>
#include <openssl/bytestring.h>
#include <openssl/digest.h>
@@ -17,6 +12,11 @@
#include <openssl/evp.h>
#include <openssl/nid.h>
#include <openssl/rsa.h>
+#include "cert_error_params.h"
+#include "cert_errors.h"
+#include "signature_algorithm.h"
+#include "signature_verify_cache.h"
+#include "verify_signed_data.h"
namespace bssl {
@@ -42,28 +42,23 @@
} // namespace
SimplePathBuilderDelegate::SimplePathBuilderDelegate(
- size_t min_rsa_modulus_length_bits,
- DigestPolicy digest_policy)
+ size_t min_rsa_modulus_length_bits, DigestPolicy digest_policy)
: min_rsa_modulus_length_bits_(min_rsa_modulus_length_bits),
digest_policy_(digest_policy) {}
void SimplePathBuilderDelegate::CheckPathAfterVerification(
- const CertPathBuilder& path_builder,
- CertPathBuilderResultPath* path) {
+ const CertPathBuilder &path_builder, CertPathBuilderResultPath *path) {
// Do nothing - consider all candidate paths valid.
}
-bool SimplePathBuilderDelegate::IsDeadlineExpired() {
- return false;
-}
+bool SimplePathBuilderDelegate::IsDeadlineExpired() { return false; }
-SignatureVerifyCache* SimplePathBuilderDelegate::GetVerifyCache() {
+SignatureVerifyCache *SimplePathBuilderDelegate::GetVerifyCache() {
return nullptr;
}
bool SimplePathBuilderDelegate::IsSignatureAlgorithmAcceptable(
- SignatureAlgorithm algorithm,
- CertErrors* errors) {
+ SignatureAlgorithm algorithm, CertErrors *errors) {
switch (algorithm) {
case SignatureAlgorithm::kRsaPkcs1Sha1:
case SignatureAlgorithm::kEcdsaSha1:
@@ -83,12 +78,12 @@
return false;
}
-bool SimplePathBuilderDelegate::IsPublicKeyAcceptable(EVP_PKEY* public_key,
- CertErrors* errors) {
+bool SimplePathBuilderDelegate::IsPublicKeyAcceptable(EVP_PKEY *public_key,
+ CertErrors *errors) {
int pkey_id = EVP_PKEY_id(public_key);
if (pkey_id == EVP_PKEY_RSA) {
// Extract the modulus length from the key.
- RSA* rsa = EVP_PKEY_get0_RSA(public_key);
+ RSA *rsa = EVP_PKEY_get0_RSA(public_key);
if (!rsa)
return false;
unsigned int modulus_length_bits = RSA_bits(rsa);
@@ -106,7 +101,7 @@
if (pkey_id == EVP_PKEY_EC) {
// Extract the curve name.
- EC_KEY* ec = EVP_PKEY_get0_EC_KEY(public_key);
+ EC_KEY *ec = EVP_PKEY_get0_EC_KEY(public_key);
if (!ec)
return false; // Unexpected.
int curve_nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
@@ -123,4 +118,4 @@
return false;
}
-} // namespace net
+} // namespace bssl
diff --git a/pki/simple_path_builder_delegate.h b/pki/simple_path_builder_delegate.h
index ac22d45..0face8e 100644
--- a/pki/simple_path_builder_delegate.h
+++ b/pki/simple_path_builder_delegate.h
@@ -5,8 +5,8 @@
#ifndef BSSL_PKI_SIMPLE_PATH_BUILDER_DELEGATE_H_
#define BSSL_PKI_SIMPLE_PATH_BUILDER_DELEGATE_H_
-#include "fillins/openssl_util.h"
#include <stddef.h>
+#include "fillins/openssl_util.h"
#include "path_builder.h"
@@ -26,7 +26,8 @@
// * If the |digest_policy| was set to kAllowSha1, then SHA1 is
// additionally accepted.
// * EC named curve can be P-256, P-384, P-521.
-class OPENSSL_EXPORT SimplePathBuilderDelegate : public CertPathBuilderDelegate {
+class OPENSSL_EXPORT SimplePathBuilderDelegate
+ : public CertPathBuilderDelegate {
public:
enum class DigestPolicy {
// Accepts digests of SHA256, SHA348 or SHA512
@@ -48,26 +49,26 @@
// Accepts RSA PKCS#1, RSASSA-PSS or ECDA using any of the SHA* digests
// (including SHA1).
bool IsSignatureAlgorithmAcceptable(SignatureAlgorithm signature_algorithm,
- CertErrors* errors) override;
+ CertErrors *errors) override;
// Requires RSA keys be >= |min_rsa_modulus_length_bits_|.
- bool IsPublicKeyAcceptable(EVP_PKEY* public_key, CertErrors* errors) override;
+ bool IsPublicKeyAcceptable(EVP_PKEY *public_key, CertErrors *errors) override;
// No-op implementation.
- void CheckPathAfterVerification(const CertPathBuilder& path_builder,
- CertPathBuilderResultPath* path) override;
+ void CheckPathAfterVerification(const CertPathBuilder &path_builder,
+ CertPathBuilderResultPath *path) override;
// No-op implementation.
bool IsDeadlineExpired() override;
// No-op implementation.
- SignatureVerifyCache* GetVerifyCache() override;
+ SignatureVerifyCache *GetVerifyCache() override;
private:
const size_t min_rsa_modulus_length_bits_;
const DigestPolicy digest_policy_;
};
-} // namespace net
+} // namespace bssl
#endif // BSSL_PKI_SIMPLE_PATH_BUILDER_DELEGATE_H_
diff --git a/pki/simple_path_builder_delegate_unittest.cc b/pki/simple_path_builder_delegate_unittest.cc
index 7b6206c..f0131fa 100644
--- a/pki/simple_path_builder_delegate_unittest.cc
+++ b/pki/simple_path_builder_delegate_unittest.cc
@@ -6,24 +6,24 @@
#include <memory>
#include <set>
+#include <gtest/gtest.h>
+#include <openssl/nid.h>
#include "cert_errors.h"
-#include "signature_algorithm.h"
-#include "test_helpers.h"
-#include "verify_signed_data.h"
#include "input.h"
#include "parse_values.h"
#include "parser.h"
-#include <gtest/gtest.h>
-#include <openssl/nid.h>
+#include "signature_algorithm.h"
+#include "test_helpers.h"
+#include "verify_signed_data.h"
namespace bssl {
namespace {
// Reads the public key and algorithm from the test data at |file_name|.
-void ReadTestCase(const char* file_name,
- SignatureAlgorithm* signature_algorithm,
- bssl::UniquePtr<EVP_PKEY>* public_key) {
+void ReadTestCase(const char *file_name,
+ SignatureAlgorithm *signature_algorithm,
+ bssl::UniquePtr<EVP_PKEY> *public_key) {
std::string path =
std::string("testdata/verify_signed_data_unittest/") + file_name;
@@ -46,17 +46,16 @@
}
class SimplePathBuilderDelegate1024SuccessTest
- : public ::testing::TestWithParam<const char*> {};
+ : public ::testing::TestWithParam<const char *> {};
-const char* kSuccess1024Filenames[] = {
+const char *kSuccess1024Filenames[] = {
"rsa-pkcs1-sha1.pem", "rsa-pkcs1-sha256.pem",
"rsa2048-pkcs1-sha512.pem", "ecdsa-secp384r1-sha256.pem",
"ecdsa-prime256v1-sha512.pem", "rsa-pss-sha256.pem",
"ecdsa-secp384r1-sha256.pem", "ecdsa-prime256v1-sha512.pem",
};
-INSTANTIATE_TEST_SUITE_P(All,
- SimplePathBuilderDelegate1024SuccessTest,
+INSTANTIATE_TEST_SUITE_P(All, SimplePathBuilderDelegate1024SuccessTest,
::testing::ValuesIn(kSuccess1024Filenames));
TEST_P(SimplePathBuilderDelegate1024SuccessTest, IsAcceptableSignatureAndKey) {
@@ -77,13 +76,12 @@
}
class SimplePathBuilderDelegate2048FailTest
- : public ::testing::TestWithParam<const char*> {};
+ : public ::testing::TestWithParam<const char *> {};
-const char* kFail2048Filenames[] = {"rsa-pkcs1-sha1.pem",
+const char *kFail2048Filenames[] = {"rsa-pkcs1-sha1.pem",
"rsa-pkcs1-sha256.pem"};
-INSTANTIATE_TEST_SUITE_P(All,
- SimplePathBuilderDelegate2048FailTest,
+INSTANTIATE_TEST_SUITE_P(All, SimplePathBuilderDelegate2048FailTest,
::testing::ValuesIn(kFail2048Filenames));
TEST_P(SimplePathBuilderDelegate2048FailTest, RsaKeySmallerThan2048) {
@@ -105,4 +103,4 @@
} // namespace
-} // namespace net
+} // namespace bssl
diff --git a/pki/string_util.cc b/pki/string_util.cc
index 5e97eb5..d980c4e 100644
--- a/pki/string_util.cc
+++ b/pki/string_util.cc
@@ -39,8 +39,7 @@
IsEqualNoCase(prefix, str.substr(0, prefix.size()));
}
-std::string FindAndReplace(std::string_view str,
- std::string_view find,
+std::string FindAndReplace(std::string_view str, std::string_view find,
std::string_view replace) {
std::string ret;
@@ -71,7 +70,7 @@
return prefix.size() <= str.size() && prefix == str.substr(0, prefix.size());
}
-std::string HexEncode(const uint8_t* data, size_t length) {
+std::string HexEncode(const uint8_t *data, size_t length) {
std::ostringstream out;
for (size_t i = 0; i < length; i++) {
out << std::hex << std::setfill('0') << std::setw(2) << std::uppercase
diff --git a/pki/string_util.h b/pki/string_util.h
index 635f9ea..8b93255 100644
--- a/pki/string_util.h
+++ b/pki/string_util.h
@@ -21,44 +21,41 @@
// Compares |str1| and |str2| ASCII case insensitively (independent of locale).
// Returns true if |str1| and |str2| match.
-OPENSSL_EXPORT bool IsEqualNoCase(std::string_view str1,
- std::string_view str2);
+OPENSSL_EXPORT bool IsEqualNoCase(std::string_view str1, std::string_view str2);
// Compares |str1| and |prefix| ASCII case insensitively (independent of
// locale). Returns true if |str1| starts with |prefix|.
OPENSSL_EXPORT bool StartsWithNoCase(std::string_view str,
- std::string_view prefix);
+ std::string_view prefix);
// Compares |str1| and |suffix| ASCII case insensitively (independent of
// locale). Returns true if |str1| starts with |suffix|.
OPENSSL_EXPORT bool EndsWithNoCase(std::string_view str,
- std::string_view suffix);
+ std::string_view suffix);
// Finds and replaces all occurrences of |find| of non zero length with
// |replace| in |str|, returning the result.
OPENSSL_EXPORT std::string FindAndReplace(std::string_view str,
- std::string_view find,
- std::string_view replace);
+ std::string_view find,
+ std::string_view replace);
// TODO(bbe) transition below to c++20
// Compares |str1| and |prefix|. Returns true if |str1| starts with |prefix|.
-OPENSSL_EXPORT bool StartsWith(std::string_view str,
- std::string_view prefix);
+OPENSSL_EXPORT bool StartsWith(std::string_view str, std::string_view prefix);
// TODO(bbe) transition below to c++20
// Compares |str1| and |suffix|. Returns true if |str1| ends with |suffix|.
OPENSSL_EXPORT bool EndsWith(std::string_view str, std::string_view suffix);
// Returns a hexadecimal string encoding |data| of length |length|.
-OPENSSL_EXPORT std::string HexEncode(const uint8_t* data, size_t length);
+OPENSSL_EXPORT std::string HexEncode(const uint8_t *data, size_t length);
// Returns a decimal string representation of |i|.
OPENSSL_EXPORT std::string NumberToDecimalString(int i);
// Splits |str| on |split_char| returning the list of resulting strings.
-OPENSSL_EXPORT std::vector<std::string_view> SplitString(
- std::string_view str,
- char split_char);
+OPENSSL_EXPORT std::vector<std::string_view> SplitString(std::string_view str,
+ char split_char);
} // namespace bssl::string_util
diff --git a/pki/string_util_unittest.cc b/pki/string_util_unittest.cc
index c8da4a5..4929a27 100644
--- a/pki/string_util_unittest.cc
+++ b/pki/string_util_unittest.cc
@@ -22,11 +22,11 @@
EXPECT_TRUE(
bssl::string_util::IsEqualNoCase("mail.google.com", "maIL.GOoGlE.cOm"));
EXPECT_TRUE(bssl::string_util::IsEqualNoCase("MAil~-.google.cOm",
- "maIL~-.gOoGlE.CoM"));
+ "maIL~-.gOoGlE.CoM"));
EXPECT_TRUE(bssl::string_util::IsEqualNoCase("mail\x80.google.com",
- "maIL\x80.GOoGlE.cOm"));
+ "maIL\x80.GOoGlE.cOm"));
EXPECT_TRUE(bssl::string_util::IsEqualNoCase("mail\xFF.google.com",
- "maIL\xFF.GOoGlE.cOm"));
+ "maIL\xFF.GOoGlE.cOm"));
EXPECT_FALSE(
bssl::string_util::IsEqualNoCase("mail.google.co", "maIL.GOoGlE.cOm"));
EXPECT_FALSE(
@@ -43,11 +43,11 @@
EXPECT_TRUE(
bssl::string_util::EndsWithNoCase("MAil~-.google.cOm", "-.gOoGlE.CoM"));
EXPECT_TRUE(bssl::string_util::EndsWithNoCase("mail\x80.google.com",
- "\x80.GOoGlE.cOm"));
+ "\x80.GOoGlE.cOm"));
EXPECT_FALSE(
bssl::string_util::EndsWithNoCase("mail.google.com", "pOoGlE.com"));
EXPECT_FALSE(bssl::string_util::EndsWithNoCase("mail\x80.google.com",
- "\x81.GOoGlE.cOm"));
+ "\x81.GOoGlE.cOm"));
EXPECT_FALSE(
bssl::string_util::EndsWithNoCase("mail.google.co", ".GOoGlE.cOm"));
EXPECT_FALSE(
@@ -77,8 +77,8 @@
TEST(StringUtilTest, StartsWithNoCase) {
EXPECT_TRUE(bssl::string_util::StartsWithNoCase("", ""));
EXPECT_TRUE(bssl::string_util::StartsWithNoCase("mail.google.com", ""));
- EXPECT_TRUE(
- bssl::string_util::StartsWithNoCase("mail.google.com", "maIL.GOoGlE.cOm"));
+ EXPECT_TRUE(bssl::string_util::StartsWithNoCase("mail.google.com",
+ "maIL.GOoGlE.cOm"));
EXPECT_TRUE(bssl::string_util::StartsWithNoCase("mail.google.com", "MaIL."));
EXPECT_TRUE(
bssl::string_util::StartsWithNoCase("MAil~-.google.cOm", "maiL~-.Goo"));
@@ -93,9 +93,9 @@
EXPECT_FALSE(
bssl::string_util::StartsWithNoCase("mail.google.com", "MaI.GooGLE"));
EXPECT_FALSE(bssl::string_util::StartsWithNoCase("mail.google.com",
- "mail.google.com1"));
+ "mail.google.com1"));
EXPECT_FALSE(bssl::string_util::StartsWithNoCase("mail.google.com",
- "1mail.google.com"));
+ "1mail.google.com"));
}
TEST(StringUtilTest, HexEncode) {
@@ -152,4 +152,4 @@
} // namespace
-} // namespace net
+} // namespace bssl
diff --git a/pki/tag.h b/pki/tag.h
index 986a805..a2c3b4f 100644
--- a/pki/tag.h
+++ b/pki/tag.h
@@ -5,8 +5,8 @@
#ifndef BSSL_DER_TAG_H_
#define BSSL_DER_TAG_H_
-#include "fillins/openssl_util.h"
#include <stdint.h>
+#include "fillins/openssl_util.h"
#include <openssl/bytestring.h>
diff --git a/pki/test_helpers.cc b/pki/test_helpers.cc
index 8b4e033..f149d32 100644
--- a/pki/test_helpers.cc
+++ b/pki/test_helpers.cc
@@ -7,29 +7,27 @@
#include <sstream>
#include <string_view>
-#include "fillins/path_service.h"
#include "fillins/file_util.h"
+#include "fillins/path_service.h"
-#include "pem.h"
-#include "cert_error_params.h"
-#include "cert_errors.h"
-#include "simple_path_builder_delegate.h"
-#include "string_util.h"
-#include "trust_store.h"
-#include "parser.h"
#include <gtest/gtest.h>
#include <openssl/bytestring.h>
#include <openssl/mem.h>
#include <openssl/pool.h>
+#include "cert_error_params.h"
+#include "cert_errors.h"
+#include "parser.h"
+#include "pem.h"
+#include "simple_path_builder_delegate.h"
+#include "string_util.h"
+#include "trust_store.h"
namespace bssl {
namespace {
-bool GetValue(std::string_view prefix,
- std::string_view line,
- std::string* value,
- bool* has_value) {
+bool GetValue(std::string_view prefix, std::string_view line,
+ std::string *value, bool *has_value) {
if (!bssl::string_util::StartsWith(line, prefix))
return false;
@@ -56,9 +54,9 @@
return text.get();
}
-std::string StrSetToString(const std::set<std::string>& str_set) {
+std::string StrSetToString(const std::set<std::string> &str_set) {
std::string out;
- for (const auto& s : str_set) {
+ for (const auto &s : str_set) {
EXPECT_FALSE(s.empty());
if (!out.empty()) {
out += ", ";
@@ -85,7 +83,7 @@
std::vector<std::string_view> split = string_util::SplitString(str, ',');
std::vector<std::string> out;
- for (const auto& s : split) {
+ for (const auto &s : split) {
out.push_back(StripString(s));
}
return out;
@@ -95,7 +93,7 @@
namespace der {
-void PrintTo(const Input& data, ::std::ostream* os) {
+void PrintTo(const Input &data, ::std::ostream *os) {
size_t len;
if (!EVP_EncodedLength(&len, data.Length())) {
*os << "[]";
@@ -125,8 +123,7 @@
}
::testing::AssertionResult ReadTestDataFromPemFile(
- const std::string& file_path_ascii,
- const PemBlockMapping* mappings,
+ const std::string &file_path_ascii, const PemBlockMapping *mappings,
size_t mappings_length) {
std::string file_data = ReadTestFileToString(file_path_ascii);
@@ -138,13 +135,13 @@
// Build the |pem_headers| vector needed for PEMTokenzier.
std::vector<std::string> pem_headers;
- for (const auto& mapping : mappings_copy) {
+ for (const auto &mapping : mappings_copy) {
pem_headers.push_back(mapping.block_name);
}
PEMTokenizer pem_tokenizer(file_data, pem_headers);
while (pem_tokenizer.GetNext()) {
- for (auto& mapping : mappings_copy) {
+ for (auto &mapping : mappings_copy) {
// Find the mapping for this block type.
if (pem_tokenizer.block_type() == mapping.block_name) {
if (!mapping.value) {
@@ -162,7 +159,7 @@
}
// Ensure that all specified blocks were found.
- for (const auto& mapping : mappings_copy) {
+ for (const auto &mapping : mappings_copy) {
if (mapping.value && !mapping.optional) {
return ::testing::AssertionFailure()
<< "PEM block missing: " << mapping.block_name;
@@ -192,8 +189,8 @@
return expected_errors.find("ERROR: ") != std::string::npos;
}
-bool ReadCertChainFromFile(const std::string& file_path_ascii,
- ParsedCertificateList* chain) {
+bool ReadCertChainFromFile(const std::string &file_path_ascii,
+ ParsedCertificateList *chain) {
// Reset all the out parameters to their defaults.
*chain = ParsedCertificateList();
@@ -205,12 +202,12 @@
PEMTokenizer pem_tokenizer(file_data, pem_headers);
while (pem_tokenizer.GetNext()) {
- const std::string& block_data = pem_tokenizer.data();
+ const std::string &block_data = pem_tokenizer.data();
CertErrors errors;
if (!ParsedCertificate::CreateAndAddToVector(
bssl::UniquePtr<CRYPTO_BUFFER>(CRYPTO_BUFFER_new(
- reinterpret_cast<const uint8_t*>(block_data.data()),
+ reinterpret_cast<const uint8_t *>(block_data.data()),
block_data.size(), nullptr)),
{}, chain, &errors)) {
ADD_FAILURE() << errors.ToDebugString();
@@ -222,7 +219,7 @@
}
std::shared_ptr<const ParsedCertificate> ReadCertFromFile(
- const std::string& file_path_ascii) {
+ const std::string &file_path_ascii) {
ParsedCertificateList chain;
if (!ReadCertChainFromFile(file_path_ascii, &chain))
return nullptr;
@@ -231,8 +228,8 @@
return chain[0];
}
-bool ReadVerifyCertChainTestFromFile(const std::string& file_path_ascii,
- VerifyCertChainTest* test) {
+bool ReadVerifyCertChainTestFromFile(const std::string &file_path_ascii,
+ VerifyCertChainTest *test) {
// Reset all the out parameters to their defaults.
*test = {};
@@ -412,7 +409,7 @@
return true;
}
-std::string ReadTestFileToString(const std::string& file_path_ascii) {
+std::string ReadTestFileToString(const std::string &file_path_ascii) {
// Compute the full path, relative to the src/ directory.
fillins::FilePath src_root;
bssl::fillins::PathService::Get(fillins::BSSL_TEST_DATA_ROOT, &src_root);
@@ -428,10 +425,10 @@
return file_data;
}
-void VerifyCertPathErrors(const std::string& expected_errors_str,
- const CertPathErrors& actual_errors,
- const ParsedCertificateList& chain,
- const std::string& errors_file_path) {
+void VerifyCertPathErrors(const std::string &expected_errors_str,
+ const CertPathErrors &actual_errors,
+ const ParsedCertificateList &chain,
+ const std::string &errors_file_path) {
std::string actual_errors_str = actual_errors.ToDebugString(chain);
if (expected_errors_str != actual_errors_str) {
@@ -447,9 +444,9 @@
}
}
-void VerifyCertErrors(const std::string& expected_errors_str,
- const CertErrors& actual_errors,
- const std::string& errors_file_path) {
+void VerifyCertErrors(const std::string &expected_errors_str,
+ const CertErrors &actual_errors,
+ const std::string &errors_file_path) {
std::string actual_errors_str = actual_errors.ToDebugString();
if (expected_errors_str != actual_errors_str) {
@@ -466,11 +463,11 @@
}
void VerifyUserConstrainedPolicySet(
- const std::set<std::string>& expected_user_constrained_policy_str_set,
- const std::set<der::Input>& actual_user_constrained_policy_set,
- const std::string& errors_file_path) {
+ const std::set<std::string> &expected_user_constrained_policy_str_set,
+ const std::set<der::Input> &actual_user_constrained_policy_set,
+ const std::string &errors_file_path) {
std::set<std::string> actual_user_constrained_policy_str_set;
- for (const der::Input& der_oid : actual_user_constrained_policy_set) {
+ for (const der::Input &der_oid : actual_user_constrained_policy_set) {
actual_user_constrained_policy_str_set.insert(OidToString(der_oid));
}
if (expected_user_constrained_policy_str_set !=
@@ -486,4 +483,4 @@
}
}
-} // namespace net
+} // namespace bssl
diff --git a/pki/test_helpers.h b/pki/test_helpers.h
index 6857dd3..7b16e86 100644
--- a/pki/test_helpers.h
+++ b/pki/test_helpers.h
@@ -12,19 +12,19 @@
#include <string_view>
#include <vector>
+#include <gtest/gtest.h>
+#include "input.h"
#include "parsed_certificate.h"
#include "simple_path_builder_delegate.h"
#include "trust_store.h"
#include "verify_certificate_chain.h"
-#include "input.h"
-#include <gtest/gtest.h>
namespace bssl {
namespace der {
// This function is used by GTest to support EXPECT_EQ() for der::Input.
-void PrintTo(const Input& data, ::std::ostream* os);
+void PrintTo(const Input &data, ::std::ostream *os);
} // namespace der
@@ -40,10 +40,10 @@
// the destination where the value for that block should be written.
struct PemBlockMapping {
// The name of the PEM header. Example "CERTIFICATE".
- const char* block_name;
+ const char *block_name;
// The destination where the read value should be written to.
- std::string* value;
+ std::string *value;
// True to indicate that the block is not required to be present. If the
// block is optional and is not present, then |value| will not be modified.
@@ -65,8 +65,7 @@
// once. In other words, the header must be present (unless marked as
// optional=true), have valid data, and appear no more than once.
::testing::AssertionResult ReadTestDataFromPemFile(
- const std::string& file_path_ascii,
- const PemBlockMapping* mappings,
+ const std::string &file_path_ascii, const PemBlockMapping *mappings,
size_t mappings_length);
// This is the same as the variant above, however it uses template magic so an
@@ -74,8 +73,7 @@
// inferred).
template <size_t N>
::testing::AssertionResult ReadTestDataFromPemFile(
- const std::string& file_path_ascii,
- const PemBlockMapping (&mappings)[N]) {
+ const std::string &file_path_ascii, const PemBlockMapping (&mappings)[N]) {
return ReadTestDataFromPemFile(file_path_ascii, mappings, N);
}
@@ -125,45 +123,45 @@
// Reads a test case from |file_path_ascii| (which is relative to //src).
// Generally |file_path_ascii| will start with:
// net/data/verify_certificate_chain_unittest/
-bool ReadVerifyCertChainTestFromFile(const std::string& file_path_ascii,
- VerifyCertChainTest* test);
+bool ReadVerifyCertChainTestFromFile(const std::string &file_path_ascii,
+ VerifyCertChainTest *test);
// Reads a certificate chain from |file_path_ascii|
-bool ReadCertChainFromFile(const std::string& file_path_ascii,
- ParsedCertificateList* chain);
+bool ReadCertChainFromFile(const std::string &file_path_ascii,
+ ParsedCertificateList *chain);
// Reads a certificate from |file_path_ascii|. Returns nullptr if the file
// contained more that one certificate.
std::shared_ptr<const ParsedCertificate> ReadCertFromFile(
- const std::string& file_path_ascii);
+ const std::string &file_path_ascii);
// Reads a data file relative to the src root directory.
-std::string ReadTestFileToString(const std::string& file_path_ascii);
+std::string ReadTestFileToString(const std::string &file_path_ascii);
// Asserts that |actual_errors| matches |expected_errors_str|.
//
// This is a helper function to simplify rebasing the error expectations when
// they originate from a test file.
-void VerifyCertPathErrors(const std::string& expected_errors_str,
- const CertPathErrors& actual_errors,
- const ParsedCertificateList& chain,
- const std::string& errors_file_path);
+void VerifyCertPathErrors(const std::string &expected_errors_str,
+ const CertPathErrors &actual_errors,
+ const ParsedCertificateList &chain,
+ const std::string &errors_file_path);
// Asserts that |actual_errors| matches |expected_errors_str|.
//
// This is a helper function to simplify rebasing the error expectations when
// they originate from a test file.
-void VerifyCertErrors(const std::string& expected_errors_str,
- const CertErrors& actual_errors,
- const std::string& errors_file_path);
+void VerifyCertErrors(const std::string &expected_errors_str,
+ const CertErrors &actual_errors,
+ const std::string &errors_file_path);
// Asserts that |actual_user_constrained_policy_set| matches
// |expected_user_constrained_policy_set|.
void VerifyUserConstrainedPolicySet(
- const std::set<std::string>& expected_user_constrained_policy_str_set,
- const std::set<der::Input>& actual_user_constrained_policy_set,
- const std::string& errors_file_path);
+ const std::set<std::string> &expected_user_constrained_policy_str_set,
+ const std::set<der::Input> &actual_user_constrained_policy_set,
+ const std::string &errors_file_path);
-} // namespace net
+} // namespace bssl
#endif // BSSL_PKI_TEST_HELPERS_H_
diff --git a/pki/trust_store.cc b/pki/trust_store.cc
index 07ec965..fc373f7 100644
--- a/pki/trust_store.cc
+++ b/pki/trust_store.cc
@@ -126,7 +126,7 @@
// static
std::optional<CertificateTrust> CertificateTrust::FromDebugString(
- const std::string& trust_string) {
+ const std::string &trust_string) {
std::vector<std::string_view> split =
string_util::SplitString(trust_string, '+');
@@ -169,9 +169,9 @@
TrustStore::TrustStore() = default;
-void TrustStore::AsyncGetIssuersOf(const ParsedCertificate* cert,
- std::unique_ptr<Request>* out_req) {
+void TrustStore::AsyncGetIssuersOf(const ParsedCertificate *cert,
+ std::unique_ptr<Request> *out_req) {
out_req->reset();
}
-} // namespace net
+} // namespace bssl
diff --git a/pki/trust_store.h b/pki/trust_store.h
index bd8ccea..e5a9246 100644
--- a/pki/trust_store.h
+++ b/pki/trust_store.h
@@ -7,9 +7,9 @@
#include "fillins/openssl_util.h"
+#include <optional>
#include "cert_issuer_source.h"
#include "parsed_certificate.h"
-#include <optional>
namespace bssl {
@@ -100,7 +100,7 @@
std::string ToDebugString() const;
static std::optional<CertificateTrust> FromDebugString(
- const std::string& trust_string);
+ const std::string &trust_string);
// The overall type of trust.
CertificateTrustType type = CertificateTrustType::UNSPECIFIED;
@@ -127,17 +127,17 @@
public:
TrustStore();
- TrustStore(const TrustStore&) = delete;
- TrustStore& operator=(const TrustStore&) = delete;
+ TrustStore(const TrustStore &) = delete;
+ TrustStore &operator=(const TrustStore &) = delete;
// Returns the trusted of |cert|, which must be non-null.
- virtual CertificateTrust GetTrust(const ParsedCertificate* cert) = 0;
+ virtual CertificateTrust GetTrust(const ParsedCertificate *cert) = 0;
// Disable async issuers for TrustStore, as it isn't needed.
- void AsyncGetIssuersOf(const ParsedCertificate* cert,
- std::unique_ptr<Request>* out_req) final;
+ void AsyncGetIssuersOf(const ParsedCertificate *cert,
+ std::unique_ptr<Request> *out_req) final;
};
-} // namespace net
+} // namespace bssl
#endif // BSSL_PKI_TRUST_STORE_H_
diff --git a/pki/trust_store_collection.cc b/pki/trust_store_collection.cc
index 27dd060..804b1c8 100644
--- a/pki/trust_store_collection.cc
+++ b/pki/trust_store_collection.cc
@@ -11,23 +11,23 @@
TrustStoreCollection::TrustStoreCollection() = default;
TrustStoreCollection::~TrustStoreCollection() = default;
-void TrustStoreCollection::AddTrustStore(TrustStore* store) {
+void TrustStoreCollection::AddTrustStore(TrustStore *store) {
BSSL_CHECK(store);
stores_.push_back(store);
}
-void TrustStoreCollection::SyncGetIssuersOf(const ParsedCertificate* cert,
- ParsedCertificateList* issuers) {
- for (auto* store : stores_) {
+void TrustStoreCollection::SyncGetIssuersOf(const ParsedCertificate *cert,
+ ParsedCertificateList *issuers) {
+ for (auto *store : stores_) {
store->SyncGetIssuersOf(cert, issuers);
}
}
-CertificateTrust TrustStoreCollection::GetTrust(const ParsedCertificate* cert) {
+CertificateTrust TrustStoreCollection::GetTrust(const ParsedCertificate *cert) {
// The current aggregate result.
CertificateTrust result = CertificateTrust::ForUnspecified();
- for (auto* store : stores_) {
+ for (auto *store : stores_) {
CertificateTrust cur_trust = store->GetTrust(cert);
// * If any stores distrust the certificate, consider it untrusted.
@@ -43,4 +43,4 @@
return result;
}
-} // namespace net
+} // namespace bssl
diff --git a/pki/trust_store_collection.h b/pki/trust_store_collection.h
index 239d5e0..9ec914e 100644
--- a/pki/trust_store_collection.h
+++ b/pki/trust_store_collection.h
@@ -20,24 +20,24 @@
public:
TrustStoreCollection();
- TrustStoreCollection(const TrustStoreCollection&) = delete;
- TrustStoreCollection& operator=(const TrustStoreCollection&) = delete;
+ TrustStoreCollection(const TrustStoreCollection &) = delete;
+ TrustStoreCollection &operator=(const TrustStoreCollection &) = delete;
~TrustStoreCollection() override;
// Includes results from |store| in the combined output. |store| must
// outlive the TrustStoreCollection.
- void AddTrustStore(TrustStore* store);
+ void AddTrustStore(TrustStore *store);
// TrustStore implementation:
- void SyncGetIssuersOf(const ParsedCertificate* cert,
- ParsedCertificateList* issuers) override;
- CertificateTrust GetTrust(const ParsedCertificate* cert) override;
+ void SyncGetIssuersOf(const ParsedCertificate *cert,
+ ParsedCertificateList *issuers) override;
+ CertificateTrust GetTrust(const ParsedCertificate *cert) override;
private:
- std::vector<TrustStore*> stores_;
+ std::vector<TrustStore *> stores_;
};
-} // namespace net
+} // namespace bssl
#endif // BSSL_PKI_TRUST_STORE_COLLECTION_H_
diff --git a/pki/trust_store_collection_unittest.cc b/pki/trust_store_collection_unittest.cc
index 80923ac..94989ba 100644
--- a/pki/trust_store_collection_unittest.cc
+++ b/pki/trust_store_collection_unittest.cc
@@ -4,9 +4,9 @@
#include "trust_store_collection.h"
+#include <gtest/gtest.h>
#include "test_helpers.h"
#include "trust_store_in_memory.h"
-#include <gtest/gtest.h>
namespace bssl {
@@ -185,4 +185,4 @@
} // namespace
-} // namespace net
+} // namespace bssl
diff --git a/pki/trust_store_in_memory.cc b/pki/trust_store_in_memory.cc
index 07cb17a..40aaa1f 100644
--- a/pki/trust_store_in_memory.cc
+++ b/pki/trust_store_in_memory.cc
@@ -9,13 +9,9 @@
TrustStoreInMemory::TrustStoreInMemory() = default;
TrustStoreInMemory::~TrustStoreInMemory() = default;
-bool TrustStoreInMemory::IsEmpty() const {
- return entries_.empty();
-}
+bool TrustStoreInMemory::IsEmpty() const { return entries_.empty(); }
-void TrustStoreInMemory::Clear() {
- entries_.clear();
-}
+void TrustStoreInMemory::Clear() { entries_.clear(); }
void TrustStoreInMemory::AddTrustAnchor(
std::shared_ptr<const ParsedCertificate> cert) {
@@ -45,29 +41,29 @@
AddCertificate(std::move(cert), CertificateTrust::ForUnspecified());
}
-void TrustStoreInMemory::SyncGetIssuersOf(const ParsedCertificate* cert,
- ParsedCertificateList* issuers) {
+void TrustStoreInMemory::SyncGetIssuersOf(const ParsedCertificate *cert,
+ ParsedCertificateList *issuers) {
auto range = entries_.equal_range(cert->normalized_issuer().AsStringView());
for (auto it = range.first; it != range.second; ++it)
issuers->push_back(it->second.cert);
}
-CertificateTrust TrustStoreInMemory::GetTrust(const ParsedCertificate* cert) {
- const Entry* entry = GetEntry(cert);
+CertificateTrust TrustStoreInMemory::GetTrust(const ParsedCertificate *cert) {
+ const Entry *entry = GetEntry(cert);
return entry ? entry->trust : CertificateTrust::ForUnspecified();
}
-bool TrustStoreInMemory::Contains(const ParsedCertificate* cert) const {
+bool TrustStoreInMemory::Contains(const ParsedCertificate *cert) const {
return GetEntry(cert) != nullptr;
}
TrustStoreInMemory::Entry::Entry() = default;
-TrustStoreInMemory::Entry::Entry(const Entry& other) = default;
+TrustStoreInMemory::Entry::Entry(const Entry &other) = default;
TrustStoreInMemory::Entry::~Entry() = default;
void TrustStoreInMemory::AddCertificate(
std::shared_ptr<const ParsedCertificate> cert,
- const CertificateTrust& trust) {
+ const CertificateTrust &trust) {
Entry entry;
entry.cert = std::move(cert);
entry.trust = trust;
@@ -77,8 +73,8 @@
std::make_pair(entry.cert->normalized_subject().AsStringView(), entry));
}
-const TrustStoreInMemory::Entry* TrustStoreInMemory::GetEntry(
- const ParsedCertificate* cert) const {
+const TrustStoreInMemory::Entry *TrustStoreInMemory::GetEntry(
+ const ParsedCertificate *cert) const {
auto range = entries_.equal_range(cert->normalized_subject().AsStringView());
for (auto it = range.first; it != range.second; ++it) {
if (cert == it->second.cert.get() ||
@@ -90,4 +86,4 @@
return nullptr;
}
-} // namespace net
+} // namespace bssl
diff --git a/pki/trust_store_in_memory.h b/pki/trust_store_in_memory.h
index e770510..ccffc7f 100644
--- a/pki/trust_store_in_memory.h
+++ b/pki/trust_store_in_memory.h
@@ -5,8 +5,8 @@
#ifndef BSSL_PKI_TRUST_STORE_IN_MEMORY_H_
#define BSSL_PKI_TRUST_STORE_IN_MEMORY_H_
-#include "fillins/openssl_util.h"
#include <unordered_map>
+#include "fillins/openssl_util.h"
#include "trust_store.h"
@@ -19,8 +19,8 @@
public:
TrustStoreInMemory();
- TrustStoreInMemory(const TrustStoreInMemory&) = delete;
- TrustStoreInMemory& operator=(const TrustStoreInMemory&) = delete;
+ TrustStoreInMemory(const TrustStoreInMemory &) = delete;
+ TrustStoreInMemory &operator=(const TrustStoreInMemory &) = delete;
~TrustStoreInMemory() override;
@@ -33,7 +33,7 @@
// Adds a certificate with the specified trust settings. Both trusted and
// distrusted certificates require a full DER match.
void AddCertificate(std::shared_ptr<const ParsedCertificate> cert,
- const CertificateTrust& trust);
+ const CertificateTrust &trust);
// Adds a certificate as a trust anchor (only the SPKI and subject will be
// used during verification).
@@ -60,18 +60,18 @@
std::shared_ptr<const ParsedCertificate> cert);
// TrustStore implementation:
- void SyncGetIssuersOf(const ParsedCertificate* cert,
- ParsedCertificateList* issuers) override;
- CertificateTrust GetTrust(const ParsedCertificate* cert) override;
+ void SyncGetIssuersOf(const ParsedCertificate *cert,
+ ParsedCertificateList *issuers) override;
+ CertificateTrust GetTrust(const ParsedCertificate *cert) override;
// Returns true if the trust store contains the given ParsedCertificate
// (matches by DER).
- bool Contains(const ParsedCertificate* cert) const;
+ bool Contains(const ParsedCertificate *cert) const;
private:
struct Entry {
Entry();
- Entry(const Entry& other);
+ Entry(const Entry &other);
~Entry();
std::shared_ptr<const ParsedCertificate> cert;
@@ -83,9 +83,9 @@
// Returns the `Entry` matching `cert`, or `nullptr` if not in the trust
// store.
- const Entry* GetEntry(const ParsedCertificate* cert) const;
+ const Entry *GetEntry(const ParsedCertificate *cert) const;
};
-} // namespace net
+} // namespace bssl
#endif // BSSL_PKI_TRUST_STORE_IN_MEMORY_H_
diff --git a/pki/verify_certificate_chain.cc b/pki/verify_certificate_chain.cc
index c7eb4ce..e1d8d3f 100644
--- a/pki/verify_certificate_chain.cc
+++ b/pki/verify_certificate_chain.cc
@@ -7,24 +7,24 @@
#include <algorithm>
#include <cassert>
+#include <openssl/base.h>
#include "cert_error_params.h"
#include "cert_errors.h"
#include "common_cert_errors.h"
#include "extended_key_usage.h"
+#include "input.h"
#include "name_constraints.h"
#include "parse_certificate.h"
#include "signature_algorithm.h"
#include "trust_store.h"
#include "verify_signed_data.h"
-#include "input.h"
-#include <openssl/base.h>
namespace bssl {
namespace {
-bool IsHandledCriticalExtension(const ParsedExtension& extension,
- const ParsedCertificate& cert) {
+bool IsHandledCriticalExtension(const ParsedExtension &extension,
+ const ParsedCertificate &cert) {
if (extension.oid == der::Input(kBasicConstraintsOid))
return true;
// Key Usage is NOT processed for end-entity certificates (this is the
@@ -75,10 +75,10 @@
// Adds errors to |errors| if the certificate contains unconsumed _critical_
// extensions.
-void VerifyNoUnconsumedCriticalExtensions(const ParsedCertificate& cert,
- CertErrors* errors) {
- for (const auto& it : cert.extensions()) {
- const ParsedExtension& extension = it.second;
+void VerifyNoUnconsumedCriticalExtensions(const ParsedCertificate &cert,
+ CertErrors *errors) {
+ for (const auto &it : cert.extensions()) {
+ const ParsedExtension &extension = it.second;
if (extension.critical && !IsHandledCriticalExtension(extension, cert)) {
errors->AddError(cert_errors::kUnconsumedCriticalExtension,
CreateCertErrorParams2Der("oid", extension.oid, "value",
@@ -98,7 +98,7 @@
// support key rollover or changes in certificate policies. These
// self-issued certificates are not counted when evaluating path length
// or name constraints.
-[[nodiscard]] bool IsSelfIssued(const ParsedCertificate& cert) {
+[[nodiscard]] bool IsSelfIssued(const ParsedCertificate &cert) {
return cert.normalized_subject() == cert.normalized_issuer();
}
@@ -109,9 +109,8 @@
//
// The validity period for a certificate is the period of time from
// notBefore through notAfter, inclusive.
-void VerifyTimeValidity(const ParsedCertificate& cert,
- const der::GeneralizedTime& time,
- CertErrors* errors) {
+void VerifyTimeValidity(const ParsedCertificate &cert,
+ const der::GeneralizedTime &time, CertErrors *errors) {
if (time < cert.tbs().validity_not_before)
errors->AddError(cert_errors::kValidityFailedNotBefore);
@@ -139,10 +138,10 @@
// In practice however there are certificates which use different encodings for
// specifying RSA with SHA1 (different OIDs). This is special-cased for
// compatibility sake.
-bool VerifySignatureAlgorithmsMatch(const ParsedCertificate& cert,
- CertErrors* errors) {
- const der::Input& alg1_tlv = cert.signature_algorithm_tlv();
- const der::Input& alg2_tlv = cert.tbs().signature_algorithm_tlv;
+bool VerifySignatureAlgorithmsMatch(const ParsedCertificate &cert,
+ CertErrors *errors) {
+ const der::Input &alg1_tlv = cert.signature_algorithm_tlv();
+ const der::Input &alg2_tlv = cert.tbs().signature_algorithm_tlv;
// Ensure that the two DER-encoded signature algorithms are byte-for-byte
// equal.
@@ -179,11 +178,9 @@
}
// Verify that |cert| can be used for |required_key_purpose|.
-void VerifyExtendedKeyUsage(const ParsedCertificate& cert,
- KeyPurpose required_key_purpose,
- CertErrors* errors,
- bool is_target_cert,
- bool is_target_cert_issuer) {
+void VerifyExtendedKeyUsage(const ParsedCertificate &cert,
+ KeyPurpose required_key_purpose, CertErrors *errors,
+ bool is_target_cert, bool is_target_cert_issuer) {
// We treat a required KeyPurpose of ANY_EKU to mean "Do not check EKU"
if (required_key_purpose == KeyPurpose::ANY_EKU) {
return;
@@ -196,7 +193,7 @@
bool has_ocsp_signing_eku = false;
bool has_nsgc = false;
if (cert.has_extended_key_usage()) {
- for (const auto& key_purpose_oid : cert.extended_key_usage()) {
+ for (const auto &key_purpose_oid : cert.extended_key_usage()) {
if (key_purpose_oid == der::Input(kAnyEKU)) {
has_any_eku = true;
}
@@ -392,8 +389,8 @@
public:
ValidPolicyGraph() = default;
- ValidPolicyGraph(const ValidPolicyGraph&) = delete;
- ValidPolicyGraph& operator=(const ValidPolicyGraph&) = delete;
+ ValidPolicyGraph(const ValidPolicyGraph &) = delete;
+ ValidPolicyGraph &operator=(const ValidPolicyGraph &) = delete;
// A Node is an entry in the policy graph. It contains information about some
// policy asserted by a certificate in the chain. The policy OID itself is
@@ -471,7 +468,7 @@
LevelDetails StartLevel() {
// Finish building expected_policy_map for the previous level.
if (!levels_.empty()) {
- for (const auto& [policy, node] : levels_.back()) {
+ for (const auto &[policy, node] : levels_.back()) {
if (!node.mapped) {
current_level_.expected_policy_map[policy].push_back(policy);
}
@@ -491,7 +488,7 @@
//
// This method may only be called once, after the policy graph is constructed.
std::set<der::Input> GetUserConstrainedPolicySet(
- const std::set<der::Input>& user_initial_policy_set) {
+ const std::set<der::Input> &user_initial_policy_set) {
if (levels_.empty()) {
return {};
}
@@ -508,7 +505,7 @@
// The root's policy domain is determined by nodes with anyPolicy as a
// parent. However, we must limit to those which are reachable from the
// end-entity certificate because we defer some pruning steps.
- for (auto& [policy, node] : levels_.back()) {
+ for (auto &[policy, node] : levels_.back()) {
// GCC before 8.1 tracks individual unused bindings and does not support
// marking them [[maybe_unused]].
(void)policy;
@@ -516,7 +513,7 @@
}
std::set<der::Input> policy_set;
for (size_t i = levels_.size() - 1; i < levels_.size(); i--) {
- for (auto& [policy, node] : levels_[i]) {
+ for (auto &[policy, node] : levels_[i]) {
if (!node.reachable) {
continue;
}
@@ -609,8 +606,7 @@
private:
Level::iterator AddNodeReturningIterator(
- der::Input policy,
- std::vector<der::Input> parent_policies) {
+ der::Input policy, std::vector<der::Input> parent_policies) {
assert(policy != der::Input(kAnyPolicyOid));
auto [iter, inserted] = levels_.back().insert(
std::pair{policy, Node{std::move(parent_policies)}});
@@ -632,86 +628,83 @@
class PathVerifier {
public:
// Same parameters and meaning as VerifyCertificateChain().
- void Run(const ParsedCertificateList& certs,
- const CertificateTrust& last_cert_trust,
- VerifyCertificateChainDelegate* delegate,
- const der::GeneralizedTime& time,
- KeyPurpose required_key_purpose,
+ void Run(const ParsedCertificateList &certs,
+ const CertificateTrust &last_cert_trust,
+ VerifyCertificateChainDelegate *delegate,
+ const der::GeneralizedTime &time, KeyPurpose required_key_purpose,
InitialExplicitPolicy initial_explicit_policy,
- const std::set<der::Input>& user_initial_policy_set,
+ const std::set<der::Input> &user_initial_policy_set,
InitialPolicyMappingInhibit initial_policy_mapping_inhibit,
InitialAnyPolicyInhibit initial_any_policy_inhibit,
- std::set<der::Input>* user_constrained_policy_set,
- CertPathErrors* errors);
+ std::set<der::Input> *user_constrained_policy_set,
+ CertPathErrors *errors);
private:
// Verifies and updates the valid policies. This corresponds with RFC 5280
// section 6.1.3 steps d-f.
- void VerifyPolicies(const ParsedCertificate& cert,
- bool is_target_cert,
- CertErrors* errors);
+ void VerifyPolicies(const ParsedCertificate &cert, bool is_target_cert,
+ CertErrors *errors);
// Applies the policy mappings. This corresponds with RFC 5280 section 6.1.4
// steps a-b.
- void VerifyPolicyMappings(const ParsedCertificate& cert, CertErrors* errors);
+ void VerifyPolicyMappings(const ParsedCertificate &cert, CertErrors *errors);
// Applies policyConstraints and inhibitAnyPolicy. This corresponds with RFC
// 5280 section 6.1.4 steps i-j.
- void ApplyPolicyConstraints(const ParsedCertificate& cert);
+ void ApplyPolicyConstraints(const ParsedCertificate &cert);
// This function corresponds to RFC 5280 section 6.1.3's "Basic Certificate
// Processing" procedure.
- void BasicCertificateProcessing(const ParsedCertificate& cert,
+ void BasicCertificateProcessing(const ParsedCertificate &cert,
bool is_target_cert,
bool is_target_cert_issuer,
- const der::GeneralizedTime& time,
+ const der::GeneralizedTime &time,
KeyPurpose required_key_purpose,
- CertErrors* errors,
- bool* shortcircuit_chain_validation);
+ CertErrors *errors,
+ bool *shortcircuit_chain_validation);
// This function corresponds to RFC 5280 section 6.1.4's "Preparation for
// Certificate i+1" procedure. |cert| is expected to be an intermediate.
- void PrepareForNextCertificate(const ParsedCertificate& cert,
- CertErrors* errors);
+ void PrepareForNextCertificate(const ParsedCertificate &cert,
+ CertErrors *errors);
// This function corresponds with RFC 5280 section 6.1.5's "Wrap-Up
// Procedure". It does processing for the final certificate (the target cert).
- void WrapUp(const ParsedCertificate& cert,
- KeyPurpose required_key_purpose,
- const std::set<der::Input>& user_initial_policy_set,
- CertErrors* errors);
+ void WrapUp(const ParsedCertificate &cert, KeyPurpose required_key_purpose,
+ const std::set<der::Input> &user_initial_policy_set,
+ CertErrors *errors);
// Enforces trust anchor constraints compatibile with RFC 5937.
//
// Note that the anchor constraints are encoded via the attached certificate
// itself.
- void ApplyTrustAnchorConstraints(const ParsedCertificate& cert,
+ void ApplyTrustAnchorConstraints(const ParsedCertificate &cert,
KeyPurpose required_key_purpose,
- CertErrors* errors);
+ CertErrors *errors);
// Initializes the path validation algorithm given anchor constraints. This
// follows the description in RFC 5937
- void ProcessRootCertificate(const ParsedCertificate& cert,
- const CertificateTrust& trust,
- const der::GeneralizedTime& time,
+ void ProcessRootCertificate(const ParsedCertificate &cert,
+ const CertificateTrust &trust,
+ const der::GeneralizedTime &time,
KeyPurpose required_key_purpose,
- CertErrors* errors,
- bool* shortcircuit_chain_validation);
+ CertErrors *errors,
+ bool *shortcircuit_chain_validation);
// Processes verification when the input is a single certificate. This is not
// defined by any standard. We attempt to match the de-facto behaviour of
// Operating System verifiers.
- void ProcessSingleCertChain(const ParsedCertificate& cert,
- const CertificateTrust& trust,
- const der::GeneralizedTime& time,
+ void ProcessSingleCertChain(const ParsedCertificate &cert,
+ const CertificateTrust &trust,
+ const der::GeneralizedTime &time,
KeyPurpose required_key_purpose,
- CertErrors* errors);
+ CertErrors *errors);
// Parses |spki| to an EVP_PKEY and checks whether the public key is accepted
// by |delegate_|. On failure parsing returns nullptr. If either parsing the
// key or key policy failed, adds a high-severity error to |errors|.
- bssl::UniquePtr<EVP_PKEY> ParseAndCheckPublicKey(const der::Input& spki,
- CertErrors* errors);
+ bssl::UniquePtr<EVP_PKEY> ParseAndCheckPublicKey(const der::Input &spki,
+ CertErrors *errors);
ValidPolicyGraph valid_policy_graph_;
@@ -720,7 +713,7 @@
// Will contain a NameConstraints for each previous cert in the chain which
// had nameConstraints. This corresponds to the permitted_subtrees and
// excluded_subtrees state variables from RFC 5280.
- std::vector<const NameConstraints*> name_constraints_list_;
+ std::vector<const NameConstraints *> name_constraints_list_;
// |explicit_policy_| corresponds with the same named variable from RFC 5280
// section 6.1.2:
@@ -799,12 +792,11 @@
// certificate.
size_t max_path_length_;
- VerifyCertificateChainDelegate* delegate_;
+ VerifyCertificateChainDelegate *delegate_;
};
-void PathVerifier::VerifyPolicies(const ParsedCertificate& cert,
- bool is_target_cert,
- CertErrors* errors) {
+void PathVerifier::VerifyPolicies(const ParsedCertificate &cert,
+ bool is_target_cert, CertErrors *errors) {
// From RFC 5280 section 6.1.3:
//
// (d) If the certificate policies extension is present in the
@@ -820,7 +812,7 @@
// for policy P and P-Q denote the qualifier set for policy
// P. Perform the following steps in order:
bool cert_has_any_policy = false;
- for (const der::Input& p_oid : cert.policy_oids()) {
+ for (const der::Input &p_oid : cert.policy_oids()) {
if (p_oid == der::Input(kAnyPolicyOid)) {
cert_has_any_policy = true;
continue;
@@ -862,7 +854,7 @@
// this node.
if (cert_has_any_policy && ((inhibit_any_policy_ > 0) ||
(!is_target_cert && IsSelfIssued(cert)))) {
- for (auto& [p_oid, parent_policies] :
+ for (auto &[p_oid, parent_policies] :
previous_level.expected_policy_map) {
valid_policy_graph_.AddNode(p_oid, std::move(parent_policies));
}
@@ -891,8 +883,8 @@
errors->AddError(cert_errors::kNoValidPolicy);
}
-void PathVerifier::VerifyPolicyMappings(const ParsedCertificate& cert,
- CertErrors* errors) {
+void PathVerifier::VerifyPolicyMappings(const ParsedCertificate &cert,
+ CertErrors *errors) {
if (!cert.has_policy_mappings())
return;
@@ -901,7 +893,7 @@
// (a) If a policy mappings extension is present, verify that the
// special value anyPolicy does not appear as an
// issuerDomainPolicy or a subjectDomainPolicy.
- for (const ParsedPolicyMapping& mapping : cert.policy_mappings()) {
+ for (const ParsedPolicyMapping &mapping : cert.policy_mappings()) {
if (mapping.issuer_domain_policy == der::Input(kAnyPolicyOid) ||
mapping.subject_domain_policy == der::Input(kAnyPolicyOid)) {
// Because this implementation continues processing certificates after
@@ -939,7 +931,7 @@
// equivalent to ID-P by the policy mappings extension.
//
if (policy_mapping_ > 0) {
- for (const ParsedPolicyMapping& mapping : cert.policy_mappings()) {
+ for (const ParsedPolicyMapping &mapping : cert.policy_mappings()) {
valid_policy_graph_.AddPolicyMapping(mapping.issuer_domain_policy,
mapping.subject_domain_policy);
}
@@ -962,13 +954,13 @@
//
// Step (ii) is deferred to part of GetUserConstrainedPolicySet().
if (policy_mapping_ == 0) {
- for (const ParsedPolicyMapping& mapping : cert.policy_mappings()) {
+ for (const ParsedPolicyMapping &mapping : cert.policy_mappings()) {
valid_policy_graph_.DeleteNode(mapping.issuer_domain_policy);
}
}
}
-void PathVerifier::ApplyPolicyConstraints(const ParsedCertificate& cert) {
+void PathVerifier::ApplyPolicyConstraints(const ParsedCertificate &cert) {
// RFC 5280 section 6.1.4 step i-j:
// (i) If a policy constraints extension is included in the
// certificate, modify the explicit_policy and policy_mapping
@@ -1005,13 +997,10 @@
}
void PathVerifier::BasicCertificateProcessing(
- const ParsedCertificate& cert,
- bool is_target_cert,
- bool is_target_cert_issuer,
- const der::GeneralizedTime& time,
- KeyPurpose required_key_purpose,
- CertErrors* errors,
- bool* shortcircuit_chain_validation) {
+ const ParsedCertificate &cert, bool is_target_cert,
+ bool is_target_cert_issuer, const der::GeneralizedTime &time,
+ KeyPurpose required_key_purpose, CertErrors *errors,
+ bool *shortcircuit_chain_validation) {
*shortcircuit_chain_validation = false;
// Check that the signature algorithms in Certificate vs TBSCertificate
// match. This isn't part of RFC 5280 section 6.1.3, but is mandated by
@@ -1063,7 +1052,7 @@
// path, skip this step for certificate i.
if (!name_constraints_list_.empty() &&
(!IsSelfIssued(cert) || is_target_cert)) {
- for (const NameConstraints* nc : name_constraints_list_) {
+ for (const NameConstraints *nc : name_constraints_list_) {
nc->IsPermittedCert(cert.normalized_subject(), cert.subject_alt_names(),
errors);
}
@@ -1080,8 +1069,8 @@
is_target_cert_issuer);
}
-void PathVerifier::PrepareForNextCertificate(const ParsedCertificate& cert,
- CertErrors* errors) {
+void PathVerifier::PrepareForNextCertificate(const ParsedCertificate &cert,
+ CertErrors *errors) {
// RFC 5280 section 6.1.4 step a-b
VerifyPolicyMappings(cert, errors);
@@ -1185,9 +1174,9 @@
// Checks if the target certificate has the CA bit set. If it does, add
// the appropriate error or warning to |errors|.
-void VerifyTargetCertIsNotCA(const ParsedCertificate& cert,
+void VerifyTargetCertIsNotCA(const ParsedCertificate &cert,
KeyPurpose required_key_purpose,
- CertErrors* errors) {
+ CertErrors *errors) {
if (cert.has_basic_constraints() && cert.basic_constraints().is_ca) {
// In spite of RFC 5280 4.2.1.9 which says the CA properties MAY exist in
// an end entity certificate, the CABF Baseline Requirements version
@@ -1208,10 +1197,10 @@
}
}
-void PathVerifier::WrapUp(const ParsedCertificate& cert,
+void PathVerifier::WrapUp(const ParsedCertificate &cert,
KeyPurpose required_key_purpose,
- const std::set<der::Input>& user_initial_policy_set,
- CertErrors* errors) {
+ const std::set<der::Input> &user_initial_policy_set,
+ CertErrors *errors) {
// From RFC 5280 section 6.1.5:
// (a) If explicit_policy is not 0, decrement explicit_policy by 1.
if (explicit_policy_ > 0)
@@ -1266,9 +1255,9 @@
ParseAndCheckPublicKey(cert.tbs().spki_tlv, errors);
}
-void PathVerifier::ApplyTrustAnchorConstraints(const ParsedCertificate& cert,
+void PathVerifier::ApplyTrustAnchorConstraints(const ParsedCertificate &cert,
KeyPurpose required_key_purpose,
- CertErrors* errors) {
+ CertErrors *errors) {
// If certificatePolicies is present, process the policies. This matches the
// handling for intermediates from RFC 5280 section 6.1.3.d (except that for
// intermediates it is non-optional). It intentionally deviates from RFC 5937
@@ -1341,12 +1330,12 @@
VerifyNoUnconsumedCriticalExtensions(cert, errors);
}
-void PathVerifier::ProcessRootCertificate(const ParsedCertificate& cert,
- const CertificateTrust& trust,
- const der::GeneralizedTime& time,
+void PathVerifier::ProcessRootCertificate(const ParsedCertificate &cert,
+ const CertificateTrust &trust,
+ const der::GeneralizedTime &time,
KeyPurpose required_key_purpose,
- CertErrors* errors,
- bool* shortcircuit_chain_validation) {
+ CertErrors *errors,
+ bool *shortcircuit_chain_validation) {
*shortcircuit_chain_validation = false;
switch (trust.type) {
case CertificateTrustType::UNSPECIFIED:
@@ -1390,11 +1379,11 @@
working_normalized_issuer_name_ = cert.normalized_subject();
}
-void PathVerifier::ProcessSingleCertChain(const ParsedCertificate& cert,
- const CertificateTrust& trust,
- const der::GeneralizedTime& time,
+void PathVerifier::ProcessSingleCertChain(const ParsedCertificate &cert,
+ const CertificateTrust &trust,
+ const der::GeneralizedTime &time,
KeyPurpose required_key_purpose,
- CertErrors* errors) {
+ CertErrors *errors) {
switch (trust.type) {
case CertificateTrustType::UNSPECIFIED:
case CertificateTrustType::TRUSTED_ANCHOR:
@@ -1443,8 +1432,7 @@
}
bssl::UniquePtr<EVP_PKEY> PathVerifier::ParseAndCheckPublicKey(
- const der::Input& spki,
- CertErrors* errors) {
+ const der::Input &spki, CertErrors *errors) {
// Parse the public key.
bssl::UniquePtr<EVP_PKEY> pkey;
if (!ParsePublicKey(spki, &pkey)) {
@@ -1460,17 +1448,14 @@
}
void PathVerifier::Run(
- const ParsedCertificateList& certs,
- const CertificateTrust& last_cert_trust,
- VerifyCertificateChainDelegate* delegate,
- const der::GeneralizedTime& time,
+ const ParsedCertificateList &certs, const CertificateTrust &last_cert_trust,
+ VerifyCertificateChainDelegate *delegate, const der::GeneralizedTime &time,
KeyPurpose required_key_purpose,
InitialExplicitPolicy initial_explicit_policy,
- const std::set<der::Input>& user_initial_policy_set,
+ const std::set<der::Input> &user_initial_policy_set,
InitialPolicyMappingInhibit initial_policy_mapping_inhibit,
InitialAnyPolicyInhibit initial_any_policy_inhibit,
- std::set<der::Input>* user_constrained_policy_set,
- CertPathErrors* errors) {
+ std::set<der::Input> *user_constrained_policy_set, CertPathErrors *errors) {
// This implementation is structured to mimic the description of certificate
// path verification given by RFC 5280 section 6.1.
BSSL_CHECK(delegate);
@@ -1544,11 +1529,11 @@
const bool is_target_cert_issuer = index_into_certs == 1;
const bool is_root_cert = i == 0;
- const ParsedCertificate& cert = *certs[index_into_certs];
+ const ParsedCertificate &cert = *certs[index_into_certs];
// Output errors for the current certificate into an error bucket that is
// associated with that certificate.
- CertErrors* cert_errors = errors->GetErrorsForCert(index_into_certs);
+ CertErrors *cert_errors = errors->GetErrorsForCert(index_into_certs);
if (is_root_cert) {
bool shortcircuit_chain_validation = false;
@@ -1606,17 +1591,14 @@
VerifyCertificateChainDelegate::~VerifyCertificateChainDelegate() = default;
void VerifyCertificateChain(
- const ParsedCertificateList& certs,
- const CertificateTrust& last_cert_trust,
- VerifyCertificateChainDelegate* delegate,
- const der::GeneralizedTime& time,
+ const ParsedCertificateList &certs, const CertificateTrust &last_cert_trust,
+ VerifyCertificateChainDelegate *delegate, const der::GeneralizedTime &time,
KeyPurpose required_key_purpose,
InitialExplicitPolicy initial_explicit_policy,
- const std::set<der::Input>& user_initial_policy_set,
+ const std::set<der::Input> &user_initial_policy_set,
InitialPolicyMappingInhibit initial_policy_mapping_inhibit,
InitialAnyPolicyInhibit initial_any_policy_inhibit,
- std::set<der::Input>* user_constrained_policy_set,
- CertPathErrors* errors) {
+ std::set<der::Input> *user_constrained_policy_set, CertPathErrors *errors) {
PathVerifier verifier;
verifier.Run(certs, last_cert_trust, delegate, time, required_key_purpose,
initial_explicit_policy, user_initial_policy_set,
@@ -1624,9 +1606,9 @@
user_constrained_policy_set, errors);
}
-bool VerifyCertificateIsSelfSigned(const ParsedCertificate& cert,
- SignatureVerifyCache* cache,
- CertErrors* errors) {
+bool VerifyCertificateIsSelfSigned(const ParsedCertificate &cert,
+ SignatureVerifyCache *cache,
+ CertErrors *errors) {
if (cert.normalized_subject() != cert.normalized_issuer()) {
if (errors) {
errors->AddError(cert_errors::kSubjectDoesNotMatchIssuer);
@@ -1656,4 +1638,4 @@
return true;
}
-} // namespace net
+} // namespace bssl
diff --git a/pki/verify_certificate_chain.h b/pki/verify_certificate_chain.h
index e6f44d9..9e62f5c 100644
--- a/pki/verify_certificate_chain.h
+++ b/pki/verify_certificate_chain.h
@@ -5,15 +5,15 @@
#ifndef BSSL_PKI_VERIFY_CERTIFICATE_CHAIN_H_
#define BSSL_PKI_VERIFY_CERTIFICATE_CHAIN_H_
-#include "fillins/openssl_util.h"
#include <set>
+#include "fillins/openssl_util.h"
+#include <openssl/evp.h>
#include "cert_errors.h"
+#include "input.h"
#include "parsed_certificate.h"
#include "signature_verify_cache.h"
-#include "input.h"
-#include <openssl/evp.h>
namespace bssl {
@@ -58,8 +58,7 @@
// can optionally add high-severity errors to |errors| with details on why it
// was rejected.
virtual bool IsSignatureAlgorithmAcceptable(
- SignatureAlgorithm signature_algorithm,
- CertErrors* errors) = 0;
+ SignatureAlgorithm signature_algorithm, CertErrors *errors) = 0;
// Implementations should return true if |public_key| is acceptable. This is
// called for each certificate in the chain, including the target certificate.
@@ -67,13 +66,13 @@
// errors to |errors| with details on why it was rejected.
//
// |public_key| can be assumed to be non-null.
- virtual bool IsPublicKeyAcceptable(EVP_PKEY* public_key,
- CertErrors* errors) = 0;
+ virtual bool IsPublicKeyAcceptable(EVP_PKEY *public_key,
+ CertErrors *errors) = 0;
// This is called during verification to obtain a pointer to a signature
// verification cache if one exists. nullptr may be returned indicating there
// is no verification cache.
- virtual SignatureVerifyCache* GetVerifyCache() = 0;
+ virtual SignatureVerifyCache *GetVerifyCache() = 0;
virtual ~VerifyCertificateChainDelegate();
};
@@ -241,26 +240,23 @@
// The presence of any other unrecognized extension marked as critical fails
// validation.
OPENSSL_EXPORT void VerifyCertificateChain(
- const ParsedCertificateList& certs,
- const CertificateTrust& last_cert_trust,
- VerifyCertificateChainDelegate* delegate,
- const der::GeneralizedTime& time,
+ const ParsedCertificateList &certs, const CertificateTrust &last_cert_trust,
+ VerifyCertificateChainDelegate *delegate, const der::GeneralizedTime &time,
KeyPurpose required_key_purpose,
InitialExplicitPolicy initial_explicit_policy,
- const std::set<der::Input>& user_initial_policy_set,
+ const std::set<der::Input> &user_initial_policy_set,
InitialPolicyMappingInhibit initial_policy_mapping_inhibit,
InitialAnyPolicyInhibit initial_any_policy_inhibit,
- std::set<der::Input>* user_constrained_policy_set,
- CertPathErrors* errors);
+ std::set<der::Input> *user_constrained_policy_set, CertPathErrors *errors);
// Returns true if `cert` is self-signed. Returns false `cert` is not
// self-signed or there was an error. If `errors` is non-null, it will contain
// additional information about the problem. If `cache` is non-null, it will be
// used to cache the signature verification step.
-OPENSSL_EXPORT bool VerifyCertificateIsSelfSigned(const ParsedCertificate& cert,
- SignatureVerifyCache* cache,
- CertErrors* errors);
+OPENSSL_EXPORT bool VerifyCertificateIsSelfSigned(const ParsedCertificate &cert,
+ SignatureVerifyCache *cache,
+ CertErrors *errors);
-} // namespace net
+} // namespace bssl
#endif // BSSL_PKI_VERIFY_CERTIFICATE_CHAIN_H_
diff --git a/pki/verify_certificate_chain_pkits_unittest.cc b/pki/verify_certificate_chain_pkits_unittest.cc
index f36efa6..98d1504 100644
--- a/pki/verify_certificate_chain_pkits_unittest.cc
+++ b/pki/verify_certificate_chain_pkits_unittest.cc
@@ -4,11 +4,11 @@
#include "verify_certificate_chain.h"
+#include <openssl/pool.h>
+#include "input.h"
#include "parsed_certificate.h"
#include "simple_path_builder_delegate.h"
#include "trust_store.h"
-#include "input.h"
-#include <openssl/pool.h>
// These require CRL support, which is not implemented at the
// VerifyCertificateChain level.
@@ -27,7 +27,7 @@
public:
static void RunTest(std::vector<std::string> cert_ders,
std::vector<std::string> crl_ders,
- const PkitsTestInfo& info) {
+ const PkitsTestInfo &info) {
ASSERT_FALSE(cert_ders.empty());
// PKITS lists chains from trust anchor to target, whereas
@@ -37,8 +37,9 @@
CertErrors parsing_errors;
for (auto i = cert_ders.rbegin(); i != cert_ders.rend(); ++i) {
ASSERT_TRUE(ParsedCertificate::CreateAndAddToVector(
- bssl::UniquePtr<CRYPTO_BUFFER>(CRYPTO_BUFFER_new(
- reinterpret_cast<const uint8_t*>(i->data()), i->size(), nullptr)),
+ bssl::UniquePtr<CRYPTO_BUFFER>(
+ CRYPTO_BUFFER_new(reinterpret_cast<const uint8_t *>(i->data()),
+ i->size(), nullptr)),
{}, &input_chain, &parsing_errors))
<< parsing_errors.ToDebugString();
}
@@ -95,8 +96,7 @@
INSTANTIATE_TYPED_TEST_SUITE_P(VerifyCertificateChain,
PkitsTest06VerifyingBasicConstraints,
VerifyCertificateChainPkitsTestDelegate);
-INSTANTIATE_TYPED_TEST_SUITE_P(VerifyCertificateChain,
- PkitsTest07KeyUsage,
+INSTANTIATE_TYPED_TEST_SUITE_P(VerifyCertificateChain, PkitsTest07KeyUsage,
VerifyCertificateChainPkitsTestDelegate);
INSTANTIATE_TYPED_TEST_SUITE_P(VerifyCertificateChain,
PkitsTest08CertificatePolicies,
@@ -126,4 +126,4 @@
// PkitsTest05VerifyingPathswithSelfIssuedCertificates,
// PkitsTest14DistributionPoints, PkitsTest15DeltaCRLs
-} // namespace net
+} // namespace bssl
diff --git a/pki/verify_certificate_chain_typed_unittest.h b/pki/verify_certificate_chain_typed_unittest.h
index e253847..e22788c 100644
--- a/pki/verify_certificate_chain_typed_unittest.h
+++ b/pki/verify_certificate_chain_typed_unittest.h
@@ -5,20 +5,20 @@
#ifndef BSSL_PKI_VERIFY_CERTIFICATE_CHAIN_TYPED_UNITTEST_H_
#define BSSL_PKI_VERIFY_CERTIFICATE_CHAIN_TYPED_UNITTEST_H_
+#include <gtest/gtest.h>
+#include "input.h"
#include "parsed_certificate.h"
#include "simple_path_builder_delegate.h"
#include "test_helpers.h"
#include "trust_store.h"
#include "verify_certificate_chain.h"
-#include "input.h"
-#include <gtest/gtest.h>
namespace bssl {
template <typename TestDelegate>
class VerifyCertificateChainTest : public ::testing::Test {
public:
- void RunTest(const char* file_name) {
+ void RunTest(const char *file_name) {
VerifyCertChainTest test;
std::string path =
@@ -318,29 +318,17 @@
// TODO(eroman): Add test that invalid validity dates where the day or month
// ordinal not in range, like "March 39, 2016" are rejected.
-REGISTER_TYPED_TEST_SUITE_P(VerifyCertificateChainSingleRootTest,
- Simple,
- BasicConstraintsCa,
- BasicConstraintsPathlen,
- UnknownExtension,
- MSApplicationPolicies,
- WeakSignature,
- WrongSignature,
- LastCertificateNotTrusted,
- WeakPublicKey,
- TargetSignedUsingEcdsa,
- Expired,
- TargetNotEndEntity,
- KeyUsage,
- ExtendedKeyUsage,
+REGISTER_TYPED_TEST_SUITE_P(VerifyCertificateChainSingleRootTest, Simple,
+ BasicConstraintsCa, BasicConstraintsPathlen,
+ UnknownExtension, MSApplicationPolicies,
+ WeakSignature, WrongSignature,
+ LastCertificateNotTrusted, WeakPublicKey,
+ TargetSignedUsingEcdsa, Expired, TargetNotEndEntity,
+ KeyUsage, ExtendedKeyUsage,
IssuerAndSubjectNotByteForByteEqual,
- TrustAnchorNotSelfSigned,
- KeyRollover,
- Policies,
- ManyNames,
- TargetOnly,
- TargetSelfSigned);
+ TrustAnchorNotSelfSigned, KeyRollover, Policies,
+ ManyNames, TargetOnly, TargetSelfSigned);
-} // namespace net
+} // namespace bssl
#endif // BSSL_PKI_VERIFY_CERTIFICATE_CHAIN_TYPED_UNITTEST_H_
diff --git a/pki/verify_certificate_chain_unittest.cc b/pki/verify_certificate_chain_unittest.cc
index bebd4dd..5ea3e08 100644
--- a/pki/verify_certificate_chain_unittest.cc
+++ b/pki/verify_certificate_chain_unittest.cc
@@ -18,8 +18,8 @@
class VerifyCertificateChainTestDelegate {
public:
- static void Verify(const VerifyCertChainTest& test,
- const std::string& test_file_path) {
+ static void Verify(const VerifyCertChainTest &test,
+ const std::string &test_file_path) {
SimplePathBuilderDelegate delegate(1024, test.digest_policy);
CertPathErrors errors;
@@ -125,4 +125,4 @@
EXPECT_EQ(cache.CacheStores(), 1U);
}
-} // namespace net
+} // namespace bssl
diff --git a/pki/verify_name_match.cc b/pki/verify_name_match.cc
index 5d01ddf..5952fff 100644
--- a/pki/verify_name_match.cc
+++ b/pki/verify_name_match.cc
@@ -4,14 +4,14 @@
#include "verify_name_match.h"
-#include "cert_error_params.h"
-#include "cert_errors.h"
-#include "parse_name.h"
-#include "input.h"
-#include "parser.h"
-#include "tag.h"
#include <openssl/base.h>
#include <openssl/bytestring.h>
+#include "cert_error_params.h"
+#include "cert_errors.h"
+#include "input.h"
+#include "parse_name.h"
+#include "parser.h"
+#include "tag.h"
namespace bssl {
@@ -55,8 +55,7 @@
//
// NOTE: |output| will be modified regardless of the return.
[[nodiscard]] bool NormalizeDirectoryString(
- CharsetEnforcement charset_enforcement,
- std::string* output) {
+ CharsetEnforcement charset_enforcement, std::string *output) {
// Normalized version will always be equal or shorter than input.
// Normalize in place and then truncate the output if necessary.
std::string::const_iterator read_iter = output->begin();
@@ -113,8 +112,7 @@
// is invalid, returns false.
// NOTE: |output| will be modified regardless of the return.
[[nodiscard]] bool NormalizeValue(X509NameAttribute attribute,
- std::string* output,
- CertErrors* errors) {
+ std::string *output, CertErrors *errors) {
BSSL_CHECK(errors);
if (!attribute.ValueAsStringUnsafe(output)) {
@@ -193,7 +191,7 @@
// Verifies that |a_parser| and |b_parser| are the same length and that every
// AttributeTypeAndValue in |a_parser| has a matching AttributeTypeAndValue in
// |b_parser|.
-bool VerifyRdnMatch(der::Parser* a_parser, der::Parser* b_parser) {
+bool VerifyRdnMatch(der::Parser *a_parser, der::Parser *b_parser) {
RelativeDistinguishedName a_type_and_values, b_type_and_values;
if (!ReadRdn(a_parser, &a_type_and_values) ||
!ReadRdn(b_parser, &b_type_and_values))
@@ -210,10 +208,10 @@
// differently in the DER encoding. Since the number of elements should be
// small, a naive linear search for each element should be fine. (Hostile
// certificates already have ways to provoke pathological behavior.)
- for (const auto& a : a_type_and_values) {
+ for (const auto &a : a_type_and_values) {
auto b_iter = b_type_and_values.begin();
for (; b_iter != b_type_and_values.end(); ++b_iter) {
- const auto& b = *b_iter;
+ const auto &b = *b_iter;
if (a.type == b.type && VerifyValueMatch(a, b)) {
break;
}
@@ -251,8 +249,7 @@
//
// RelativeDistinguishedName ::=
// SET SIZE (1..MAX) OF AttributeTypeAndValue
-bool VerifyNameMatchInternal(const der::Input& a,
- const der::Input& b,
+bool VerifyNameMatchInternal(const der::Input &a, const der::Input &b,
NameMatchType match_type) {
// Empty Names are allowed. RFC 5280 section 4.1.2.4 requires "The issuer
// field MUST contain a non-empty distinguished name (DN)", while section
@@ -299,9 +296,8 @@
} // namespace
-bool NormalizeName(const der::Input& name_rdn_sequence,
- std::string* normalized_rdn_sequence,
- CertErrors* errors) {
+bool NormalizeName(const der::Input &name_rdn_sequence,
+ std::string *normalized_rdn_sequence, CertErrors *errors) {
BSSL_CHECK(errors);
// RFC 5280 section 4.1.2.4
@@ -325,7 +321,7 @@
if (!CBB_add_asn1(cbb.get(), &rdn_cbb, CBS_ASN1_SET))
return false;
- for (const auto& type_and_value : type_and_values) {
+ for (const auto &type_and_value : type_and_values) {
// AttributeTypeAndValue ::= SEQUENCE {
// type AttributeType,
// value AttributeValue }
@@ -352,7 +348,7 @@
CBS_ASN1_UTF8STRING) ||
!CBB_add_bytes(
&value_cbb,
- reinterpret_cast<const uint8_t*>(normalized_value.data()),
+ reinterpret_cast<const uint8_t *>(normalized_value.data()),
normalized_value.size()))
return false;
} else {
@@ -377,20 +373,20 @@
return true;
}
-bool VerifyNameMatch(const der::Input& a_rdn_sequence,
- const der::Input& b_rdn_sequence) {
+bool VerifyNameMatch(const der::Input &a_rdn_sequence,
+ const der::Input &b_rdn_sequence) {
return VerifyNameMatchInternal(a_rdn_sequence, b_rdn_sequence, EXACT_MATCH);
}
-bool VerifyNameInSubtree(const der::Input& name_rdn_sequence,
- const der::Input& parent_rdn_sequence) {
+bool VerifyNameInSubtree(const der::Input &name_rdn_sequence,
+ const der::Input &parent_rdn_sequence) {
return VerifyNameMatchInternal(name_rdn_sequence, parent_rdn_sequence,
SUBTREE_MATCH);
}
bool FindEmailAddressesInName(
- const der::Input& name_rdn_sequence,
- std::vector<std::string>* contained_email_addresses) {
+ const der::Input &name_rdn_sequence,
+ std::vector<std::string> *contained_email_addresses) {
contained_email_addresses->clear();
der::Parser rdn_sequence_parser(name_rdn_sequence);
@@ -403,7 +399,7 @@
if (!ReadRdn(&rdn_parser, &type_and_values))
return false;
- for (const auto& type_and_value : type_and_values) {
+ for (const auto &type_and_value : type_and_values) {
if (type_and_value.type == der::Input(kTypeEmailAddressOid)) {
std::string email_address;
if (!type_and_value.ValueAsString(&email_address)) {
@@ -417,4 +413,4 @@
return true;
}
-} // namespace net
+} // namespace bssl
diff --git a/pki/verify_name_match.h b/pki/verify_name_match.h
index a328245..27ed913 100644
--- a/pki/verify_name_match.h
+++ b/pki/verify_name_match.h
@@ -5,9 +5,9 @@
#ifndef BSSL_PKI_VERIFY_NAME_MATCH_H_
#define BSSL_PKI_VERIFY_NAME_MATCH_H_
-#include "fillins/openssl_util.h"
#include <string>
#include <vector>
+#include "fillins/openssl_util.h"
@@ -25,24 +25,24 @@
// outer Sequence tag). Returns false if there was an error parsing or
// normalizing the input, and adds error information to |errors|. |errors| must
// be non-null.
-OPENSSL_EXPORT bool NormalizeName(const der::Input& name_rdn_sequence,
- std::string* normalized_rdn_sequence,
- CertErrors* errors);
+OPENSSL_EXPORT bool NormalizeName(const der::Input &name_rdn_sequence,
+ std::string *normalized_rdn_sequence,
+ CertErrors *errors);
// Compares DER-encoded X.501 Name values according to RFC 5280 rules.
// |a_rdn_sequence| and |b_rdn_sequence| should be the DER-encoded RDNSequence
// values (not including the Sequence tag).
// Returns true if |a_rdn_sequence| and |b_rdn_sequence| match.
-OPENSSL_EXPORT bool VerifyNameMatch(const der::Input& a_rdn_sequence,
- const der::Input& b_rdn_sequence);
+OPENSSL_EXPORT bool VerifyNameMatch(const der::Input &a_rdn_sequence,
+ const der::Input &b_rdn_sequence);
// Compares |name_rdn_sequence| and |parent_rdn_sequence| and return true if
// |name_rdn_sequence| is within the subtree defined by |parent_rdn_sequence| as
// defined by RFC 5280 section 7.1. |name_rdn_sequence| and
// |parent_rdn_sequence| should be the DER-encoded sequence values (not
// including the Sequence tag).
-OPENSSL_EXPORT bool VerifyNameInSubtree(const der::Input& name_rdn_sequence,
- const der::Input& parent_rdn_sequence);
+OPENSSL_EXPORT bool VerifyNameInSubtree(const der::Input &name_rdn_sequence,
+ const der::Input &parent_rdn_sequence);
// Helper functions:
@@ -54,9 +54,9 @@
// tag, but otherwise have not been validated.
// Returns false if there was a parsing error.
[[nodiscard]] bool FindEmailAddressesInName(
- const der::Input& name_rdn_sequence,
- std::vector<std::string>* contained_email_addresses);
+ const der::Input &name_rdn_sequence,
+ std::vector<std::string> *contained_email_addresses);
-} // namespace net
+} // namespace bssl
#endif // BSSL_PKI_VERIFY_NAME_MATCH_H_
diff --git a/pki/verify_name_match_unittest.cc b/pki/verify_name_match_unittest.cc
index 4e57250..29fc844 100644
--- a/pki/verify_name_match_unittest.cc
+++ b/pki/verify_name_match_unittest.cc
@@ -4,9 +4,9 @@
#include "verify_name_match.h"
+#include <gtest/gtest.h>
#include "string_util.h"
#include "test_helpers.h"
-#include <gtest/gtest.h>
namespace bssl {
namespace {
@@ -17,10 +17,10 @@
// |value_type| indicates what ASN.1 type is used to encode the data.
// |suffix| indicates any additional modifications, such as caseswapping,
// whitespace adding, etc.
-::testing::AssertionResult LoadTestData(const std::string& prefix,
- const std::string& value_type,
- const std::string& suffix,
- std::string* result) {
+::testing::AssertionResult LoadTestData(const std::string &prefix,
+ const std::string &value_type,
+ const std::string &suffix,
+ std::string *result) {
std::string path = "testdata/verify_name_match_unittest/names/" + prefix +
"-" + value_type + "-" + suffix + ".pem";
@@ -31,7 +31,7 @@
return ReadTestDataFromPemFile(path, mappings);
}
-bool TypesAreComparable(const std::string& type_1, const std::string& type_2) {
+bool TypesAreComparable(const std::string &type_1, const std::string &type_2) {
if (type_1 == type_2)
return true;
if ((type_1 == "PRINTABLESTRING" || type_1 == "UTF8" ||
@@ -44,23 +44,23 @@
}
// All string types.
-static const char* kValueTypes[] = {"PRINTABLESTRING", "T61STRING", "UTF8",
+static const char *kValueTypes[] = {"PRINTABLESTRING", "T61STRING", "UTF8",
"BMPSTRING", "UNIVERSALSTRING"};
// String types that can encode the Unicode Basic Multilingual Plane.
-static const char* kUnicodeBMPValueTypes[] = {"UTF8", "BMPSTRING",
+static const char *kUnicodeBMPValueTypes[] = {"UTF8", "BMPSTRING",
"UNIVERSALSTRING"};
// String types that can encode the Unicode Supplementary Planes.
-static const char* kUnicodeSupplementaryValueTypes[] = {"UTF8",
+static const char *kUnicodeSupplementaryValueTypes[] = {"UTF8",
"UNIVERSALSTRING"};
-static const char* kMangleTypes[] = {"unmangled", "case_swap",
+static const char *kMangleTypes[] = {"unmangled", "case_swap",
"extra_whitespace"};
} // namespace
class VerifyNameMatchSimpleTest
: public ::testing::TestWithParam<
- ::testing::tuple<const char*, const char*>> {
+ ::testing::tuple<const char *, const char *>> {
public:
std::string value_type() const { return ::testing::get<0>(GetParam()); }
std::string suffix() const { return ::testing::get<1>(GetParam()); }
@@ -136,13 +136,12 @@
// Runs VerifyNameMatchSimpleTest for all combinations of value_type and and
// suffix.
-INSTANTIATE_TEST_SUITE_P(InstantiationName,
- VerifyNameMatchSimpleTest,
+INSTANTIATE_TEST_SUITE_P(InstantiationName, VerifyNameMatchSimpleTest,
::testing::Combine(::testing::ValuesIn(kValueTypes),
::testing::ValuesIn(kMangleTypes)));
class VerifyNameMatchNormalizationTest
- : public ::testing::TestWithParam<::testing::tuple<bool, const char*>> {
+ : public ::testing::TestWithParam<::testing::tuple<bool, const char *>> {
public:
bool expected_result() const { return ::testing::get<0>(GetParam()); }
std::string value_type() const { return ::testing::get<1>(GetParam()); }
@@ -182,20 +181,19 @@
// Runs VerifyNameMatchNormalizationTest for each (expected_result, value_type)
// tuple.
INSTANTIATE_TEST_SUITE_P(
- InstantiationName,
- VerifyNameMatchNormalizationTest,
+ InstantiationName, VerifyNameMatchNormalizationTest,
::testing::Values(
::testing::make_tuple(true,
- static_cast<const char*>("PRINTABLESTRING")),
- ::testing::make_tuple(false, static_cast<const char*>("T61STRING")),
- ::testing::make_tuple(true, static_cast<const char*>("UTF8")),
- ::testing::make_tuple(true, static_cast<const char*>("BMPSTRING")),
+ static_cast<const char *>("PRINTABLESTRING")),
+ ::testing::make_tuple(false, static_cast<const char *>("T61STRING")),
+ ::testing::make_tuple(true, static_cast<const char *>("UTF8")),
+ ::testing::make_tuple(true, static_cast<const char *>("BMPSTRING")),
::testing::make_tuple(true,
- static_cast<const char*>("UNIVERSALSTRING"))));
+ static_cast<const char *>("UNIVERSALSTRING"))));
class VerifyNameMatchDifferingTypesTest
: public ::testing::TestWithParam<
- ::testing::tuple<const char*, const char*>> {
+ ::testing::tuple<const char *, const char *>> {
public:
std::string value_type_1() const { return ::testing::get<0>(GetParam()); }
std::string value_type_2() const { return ::testing::get<1>(GetParam()); }
@@ -269,15 +267,13 @@
// Runs VerifyNameMatchDifferingTypesTest for all combinations of value types in
// value_type1 and value_type_2.
-INSTANTIATE_TEST_SUITE_P(InstantiationName,
- VerifyNameMatchDifferingTypesTest,
+INSTANTIATE_TEST_SUITE_P(InstantiationName, VerifyNameMatchDifferingTypesTest,
::testing::Combine(::testing::ValuesIn(kValueTypes),
::testing::ValuesIn(kValueTypes)));
class VerifyNameMatchUnicodeConversionTest
- : public ::testing::TestWithParam<
- ::testing::tuple<const char*,
- ::testing::tuple<const char*, const char*>>> {
+ : public ::testing::TestWithParam<::testing::tuple<
+ const char *, ::testing::tuple<const char *, const char *>>> {
public:
std::string prefix() const { return ::testing::get<0>(GetParam()); }
std::string value_type_1() const {
@@ -301,8 +297,7 @@
// combinations of Basic Multilingual Plane-capable value types in value_type1
// and value_type_2.
INSTANTIATE_TEST_SUITE_P(
- BMPConversion,
- VerifyNameMatchUnicodeConversionTest,
+ BMPConversion, VerifyNameMatchUnicodeConversionTest,
::testing::Combine(
::testing::Values("unicode_bmp"),
::testing::Combine(::testing::ValuesIn(kUnicodeBMPValueTypes),
@@ -312,8 +307,7 @@
// for all combinations of Unicode Supplementary Plane-capable value types in
// value_type1 and value_type_2.
INSTANTIATE_TEST_SUITE_P(
- SMPConversion,
- VerifyNameMatchUnicodeConversionTest,
+ SMPConversion, VerifyNameMatchUnicodeConversionTest,
::testing::Combine(
::testing::Values("unicode_supplementary"),
::testing::Combine(
@@ -610,4 +604,4 @@
EXPECT_EQ(SequenceValueFromString(raw_der), der::Input(normalized_der));
}
-} // namespace net
+} // namespace bssl
diff --git a/pki/verify_signed_data.cc b/pki/verify_signed_data.cc
index a7a2cf6..f477178 100644
--- a/pki/verify_signed_data.cc
+++ b/pki/verify_signed_data.cc
@@ -4,27 +4,26 @@
#include "verify_signed_data.h"
-#include "fillins/openssl_util.h"
-#include "cert_errors.h"
-#include "signature_algorithm.h"
-#include "signature_verify_cache.h"
-#include "input.h"
-#include "parse_values.h"
-#include "parser.h"
#include <openssl/bytestring.h>
#include <openssl/digest.h>
#include <openssl/evp.h>
#include <openssl/rsa.h>
#include <openssl/sha.h>
+#include "cert_errors.h"
+#include "fillins/openssl_util.h"
+#include "input.h"
+#include "parse_values.h"
+#include "parser.h"
+#include "signature_algorithm.h"
+#include "signature_verify_cache.h"
namespace bssl {
namespace {
-bool SHA256UpdateWithLengthPrefixedData(SHA256_CTX* s_ctx,
- const uint8_t* data,
+bool SHA256UpdateWithLengthPrefixedData(SHA256_CTX *s_ctx, const uint8_t *data,
uint64_t length) {
- return (SHA256_Update(s_ctx, reinterpret_cast<uint8_t*>(&length),
+ return (SHA256_Update(s_ctx, reinterpret_cast<uint8_t *>(&length),
sizeof(length)) &&
SHA256_Update(s_ctx, data, length));
}
@@ -34,9 +33,9 @@
constexpr uint32_t VerifyCacheKeyVersion = 1;
std::string SignatureVerifyCacheKey(std::string_view algorithm_name,
- const der::Input& signed_data,
- const der::Input& signature_value_bytes,
- EVP_PKEY* public_key) {
+ const der::Input &signed_data,
+ const der::Input &signature_value_bytes,
+ EVP_PKEY *public_key) {
SHA256_CTX s_ctx;
bssl::ScopedCBB public_key_cbb;
uint8_t digest[SHA256_DIGEST_LENGTH];
@@ -44,10 +43,10 @@
if (CBB_init(public_key_cbb.get(), 128) &&
EVP_marshal_public_key(public_key_cbb.get(), public_key) &&
SHA256_Init(&s_ctx) &&
- SHA256_Update(&s_ctx, reinterpret_cast<uint8_t*>(&version),
+ SHA256_Update(&s_ctx, reinterpret_cast<uint8_t *>(&version),
sizeof(version)) &&
SHA256UpdateWithLengthPrefixedData(
- &s_ctx, reinterpret_cast<const uint8_t*>(algorithm_name.data()),
+ &s_ctx, reinterpret_cast<const uint8_t *>(algorithm_name.data()),
algorithm_name.length()) &&
SHA256UpdateWithLengthPrefixedData(&s_ctx, CBB_data(public_key_cbb.get()),
CBB_len(public_key_cbb.get())) &&
@@ -57,7 +56,7 @@
SHA256UpdateWithLengthPrefixedData(&s_ctx, signed_data.UnsafeData(),
signed_data.Length()) &&
SHA256_Final(digest, &s_ctx)) {
- return std::string(reinterpret_cast<char*>(digest), sizeof(digest));
+ return std::string(reinterpret_cast<char *>(digest), sizeof(digest));
}
return std::string();
}
@@ -129,8 +128,8 @@
// { ID secp521r1 } | { ID sect571k1 } | { ID sect571r1 },
// ... -- Extensible
// }
-bool ParsePublicKey(const der::Input& public_key_spki,
- bssl::UniquePtr<EVP_PKEY>* public_key) {
+bool ParsePublicKey(const der::Input &public_key_spki,
+ bssl::UniquePtr<EVP_PKEY> *public_key) {
// Parse the SPKI to an EVP_PKEY.
fillins::OpenSSLErrStackTracer err_tracer;
@@ -145,12 +144,11 @@
}
bool VerifySignedData(SignatureAlgorithm algorithm,
- const der::Input& signed_data,
- const der::BitString& signature_value,
- EVP_PKEY* public_key,
- SignatureVerifyCache* cache) {
+ const der::Input &signed_data,
+ const der::BitString &signature_value,
+ EVP_PKEY *public_key, SignatureVerifyCache *cache) {
int expected_pkey_id = 1;
- const EVP_MD* digest = nullptr;
+ const EVP_MD *digest = nullptr;
bool is_rsa_pss = false;
std::string_view cache_algorithm_name;
switch (algorithm) {
@@ -223,7 +221,7 @@
// number of bytes.
if (signature_value.unused_bits() != 0)
return false;
- const der::Input& signature_value_bytes = signature_value.bytes();
+ const der::Input &signature_value_bytes = signature_value.bytes();
std::string cache_key;
if (cache) {
@@ -244,7 +242,7 @@
fillins::OpenSSLErrStackTracer err_tracer;
bssl::ScopedEVP_MD_CTX ctx;
- EVP_PKEY_CTX* pctx = nullptr; // Owned by |ctx|.
+ EVP_PKEY_CTX *pctx = nullptr; // Owned by |ctx|.
if (!EVP_DigestVerifyInit(ctx.get(), &pctx, digest, nullptr, public_key))
return false;
@@ -276,10 +274,10 @@
}
bool VerifySignedData(SignatureAlgorithm algorithm,
- const der::Input& signed_data,
- const der::BitString& signature_value,
- const der::Input& public_key_spki,
- SignatureVerifyCache* cache) {
+ const der::Input &signed_data,
+ const der::BitString &signature_value,
+ const der::Input &public_key_spki,
+ SignatureVerifyCache *cache) {
bssl::UniquePtr<EVP_PKEY> public_key;
if (!ParsePublicKey(public_key_spki, &public_key))
return false;
@@ -287,4 +285,4 @@
public_key.get(), cache);
}
-} // namespace net
+} // namespace bssl
diff --git a/pki/verify_signed_data.h b/pki/verify_signed_data.h
index 27b5af5..66a34ca 100644
--- a/pki/verify_signed_data.h
+++ b/pki/verify_signed_data.h
@@ -6,11 +6,10 @@
#define BSSL_PKI_VERIFY_SIGNED_DATA_H_
#include "fillins/openssl_util.h"
-#include "fillins/openssl_util.h"
+#include <openssl/evp.h>
#include "signature_algorithm.h"
#include "signature_verify_cache.h"
-#include <openssl/evp.h>
namespace bssl {
@@ -29,25 +28,20 @@
//
// Returns true if verification was successful.
[[nodiscard]] OPENSSL_EXPORT bool VerifySignedData(
- SignatureAlgorithm algorithm,
- const der::Input& signed_data,
- const der::BitString& signature_value,
- EVP_PKEY* public_key,
- SignatureVerifyCache* cache);
+ SignatureAlgorithm algorithm, const der::Input &signed_data,
+ const der::BitString &signature_value, EVP_PKEY *public_key,
+ SignatureVerifyCache *cache);
// Same as above overload, only the public key is inputted as an SPKI and will
// be parsed internally.
[[nodiscard]] OPENSSL_EXPORT bool VerifySignedData(
- SignatureAlgorithm algorithm,
- const der::Input& signed_data,
- const der::BitString& signature_value,
- const der::Input& public_key_spki,
- SignatureVerifyCache* cache);
+ SignatureAlgorithm algorithm, const der::Input &signed_data,
+ const der::BitString &signature_value, const der::Input &public_key_spki,
+ SignatureVerifyCache *cache);
[[nodiscard]] OPENSSL_EXPORT bool ParsePublicKey(
- const der::Input& public_key_spki,
- bssl::UniquePtr<EVP_PKEY>* public_key);
+ const der::Input &public_key_spki, bssl::UniquePtr<EVP_PKEY> *public_key);
-} // namespace net
+} // namespace bssl
#endif // BSSL_PKI_VERIFY_SIGNED_DATA_H_
diff --git a/pki/verify_signed_data_unittest.cc b/pki/verify_signed_data_unittest.cc
index 6ab0878..1d94bb6 100644
--- a/pki/verify_signed_data_unittest.cc
+++ b/pki/verify_signed_data_unittest.cc
@@ -7,15 +7,15 @@
#include <memory>
#include <set>
-#include "cert_errors.h"
-#include "mock_signature_verify_cache.h"
-#include "signature_algorithm.h"
-#include "test_helpers.h"
-#include "input.h"
-#include "parse_values.h"
-#include "parser.h"
#include <gtest/gtest.h>
#include <optional>
+#include "cert_errors.h"
+#include "input.h"
+#include "mock_signature_verify_cache.h"
+#include "parse_values.h"
+#include "parser.h"
+#include "signature_algorithm.h"
+#include "test_helpers.h"
namespace bssl {
@@ -34,9 +34,8 @@
//
// If expected_result was FAILURE then the test will only succeed if
// VerifySignedData() returns false.
-void RunTestCase(VerifyResult expected_result,
- const char* file_name,
- SignatureVerifyCache* cache) {
+void RunTestCase(VerifyResult expected_result, const char *file_name,
+ SignatureVerifyCache *cache) {
std::string path =
std::string("testdata/verify_signed_data_unittest/") + file_name;
@@ -73,7 +72,7 @@
EXPECT_EQ(expected_result_bool, result);
}
-void RunTestCase(VerifyResult expected_result, const char* file_name) {
+void RunTestCase(VerifyResult expected_result, const char *file_name) {
RunTestCase(expected_result, file_name, /*cache=*/nullptr);
}
@@ -239,4 +238,4 @@
} // namespace
-} // namespace net
+} // namespace bssl
