tree: 7cfc731cf5d7792541a3bcee9f95e579e58b22f2 [path history] [tgz]
  1. fillins/
  2. patches/
  3. testdata/
  4. asn1_util.cc
  5. asn1_util.h
  6. cert_error_id.cc
  7. cert_error_id.h
  8. cert_error_params.cc
  9. cert_error_params.h
  10. cert_errors.cc
  11. cert_errors.h
  12. cert_issuer_source.h
  13. cert_issuer_source_static.cc
  14. cert_issuer_source_static.h
  15. cert_issuer_source_static_unittest.cc
  16. cert_issuer_source_sync_unittest.h
  17. cert_status_flags.h
  18. cert_status_flags_list.h
  19. cert_verify_proc_blocklist.inc
  20. certificate_policies.cc
  21. certificate_policies.h
  22. certificate_policies_unittest.cc
  23. common_cert_errors.cc
  24. common_cert_errors.h
  25. crl.cc
  26. crl.h
  27. crl_unittest.cc
  28. encode_values.cc
  29. encode_values.h
  30. encode_values_unittest.cc
  31. extended_key_usage.cc
  32. extended_key_usage.h
  33. extended_key_usage_unittest.cc
  34. general_names.cc
  35. general_names.h
  36. general_names_unittest.cc
  37. IMPORT
  38. import_spec.json
  39. import_tool.go
  40. input.cc
  41. input.h
  42. input_unittest.cc
  43. ip_util.cc
  44. ip_util.h
  45. ip_util_unittest.cc
  46. mock_signature_verify_cache.cc
  47. mock_signature_verify_cache.h
  48. name_constraints.cc
  49. name_constraints.h
  50. name_constraints_unittest.cc
  51. nist_pkits_unittest.cc
  52. nist_pkits_unittest.h
  53. ocsp.cc
  54. ocsp.h
  55. ocsp_revocation_status.h
  56. ocsp_unittest.cc
  57. ocsp_verify_result.cc
  58. ocsp_verify_result.h
  59. parse_certificate.cc
  60. parse_certificate.h
  61. parse_certificate_unittest.cc
  62. parse_name.cc
  63. parse_name.h
  64. parse_name_unittest.cc
  65. parse_values.cc
  66. parse_values.h
  67. parse_values_unittest.cc
  68. parsed_certificate.cc
  69. parsed_certificate.h
  70. parsed_certificate_unittest.cc
  71. parser.cc
  72. parser.h
  73. parser_unittest.cc
  74. path_builder.cc
  75. path_builder.h
  76. path_builder_pkits_unittest.cc
  77. path_builder_unittest.cc
  78. path_builder_verify_certificate_chain_unittest.cc
  79. pem.cc
  80. pem.h
  81. README.md
  82. revocation_util.cc
  83. revocation_util.h
  84. signature_algorithm.cc
  85. signature_algorithm.h
  86. signature_algorithm_unittest.cc
  87. signature_verify_cache.h
  88. simple_path_builder_delegate.cc
  89. simple_path_builder_delegate.h
  90. simple_path_builder_delegate_unittest.cc
  91. string_util.cc
  92. string_util.h
  93. string_util_unittest.cc
  94. tag.cc
  95. tag.h
  96. test_helpers.cc
  97. test_helpers.h
  98. trust_store.cc
  99. trust_store.h
  100. trust_store_collection.cc
  101. trust_store_collection.h
  102. trust_store_collection_unittest.cc
  103. trust_store_in_memory.cc
  104. trust_store_in_memory.h
  105. verify_certificate_chain.cc
  106. verify_certificate_chain.h
  107. verify_certificate_chain_pkits_unittest.cc
  108. verify_certificate_chain_typed_unittest.h
  109. verify_certificate_chain_unittest.cc
  110. verify_name_match.cc
  111. verify_name_match.h
  112. verify_name_match_unittest.cc
  113. verify_signed_data.cc
  114. verify_signed_data.h
  115. verify_signed_data_unittest.cc
pki/README.md

BoringSSL pki - Web PKI Certificate path building and verification library

This directory and library should be considered experimental and should not be depended upon not to change without notice. You should not use this.

It contains an extracted and modified copy of chrome's certificate verifier core logic.

It is for the moment, intended to be synchronized from a checkout of chrome's head with the IMPORT script run in this directory. The eventual goal is to make both chrome and google3 consume this.

Current status:

  • Some of the Path Builder tests depending on chrome testing classes and SavedUserData are disabled. These probably need either a mimicing SaveUserData class here, or be pulled out into chrome only.
  • This contains a copy of der as bssl:der - a consideration for re-integrating with chromium. the encode_values part of der does not include the base::time or absl::time based stuff as they are not used within the library, this should probably be split out for chrome, or chrome's der could be modified (along with this one and eventually merged together) to not use base::time for encoding GeneralizedTimes, but rather use boringssl posix times as does the rest of this library.
  • The Name Constraint limitation code is modified to remove clamped_math and mimic BoringSSL‘s overall limits - Some of the tests that test for specific edge cases for chrome’s limits have been disabled. The tests need to be changed to reflect the overall limit, or ignored and we make name constraints subquadratic and stop caring about this.
  • Fuzzer targets are not yet hooked up.