Chiebot-Mirror
/
boringssl
mirror of https://gitee.com/mirrors/boringssl.git
8
0
Fork 0
Code Issues Projects Releases Wiki Activity
Mirror of BoringSSL (grpc依赖) https://boringssl.googlesource.com/boringssl
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1581 Commits
59 Branches
16 Tags
480 MiB
Tag: Branch: Tree: 257bfaa329
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '257bfaa329'
${ noResults }
boringssl/pki/cert_errors.h

169 lines
5.3 KiB
Raw Normal View History Unescape

Bring in the core of chromium certificate verifier as libpki Initially this leaves the canonical source in chrome, Additions and fillins are committed directly, the chrome files are coverted using the IMPORT script run from the pki directory for the moment. The intention here is to continue frequent automatic conversion (and avoid wholesale cosmetic changes in here for now) until chrome converts to use these files in place of it's versions. At that point these will become the definiative files, and the IMPORT script can be tossed out. A middle step along the way will be to change google3's verify.cc in third_party/chromium_certificate_verifier to use this instead of it's own extracted copy. Status (and what is not done yet) being roughly tracked in README.md Bug: chromium:1322914 Change-Id: Ibdb5479bc68985fa61ce6b10f98f31f6b3a7cbdf Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60285 Commit-Queue: Bob Beck <bbe@google.com> Reviewed-by: Adam Langley <agl@google.com>
2 years ago
// Copyright 2016 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// ----------------------------
// Overview of error design
// ----------------------------
#include "fillins/openssl_util.h"
//
// Certificate path building/validation/parsing may emit a sequence of errors
// and warnings.
//
// Each individual error/warning entry (CertError) is comprised of:
//
// * A unique identifier.
//
// This serves similarly to an error code, and is used to query if a
// particular error/warning occurred.
//
// * [optional] A parameters object.
//
// Nodes may attach a heap-allocated subclass of CertErrorParams to carry
// extra information that is used when reporting the error. For instance
// a parsing error may describe where in the DER the failure happened, or
// what the unexpected value was.
//
// A collection of errors is represented by the CertErrors object. This may be
// used to group errors that have a common context, such as all the
// errors/warnings that apply to a specific certificate.
//
// Lastly, CertPathErrors composes multiple CertErrors -- one for each
// certificate in the verified chain.
//
// ----------------------------
// Defining new errors
// ----------------------------
//
// The error IDs are extensible and do not need to be centrally defined.
//
// To define a new error use the macro DEFINE_CERT_ERROR_ID() in a .cc file.
// If consumers are to be able to query for this error then the symbol should
// also be exposed in a header file.
//
// Error IDs are in truth string literals, whose pointer value will be unique
// per process.
#ifndef BSSL_PKI_CERT_ERRORS_H_
#define BSSL_PKI_CERT_ERRORS_H_
#include <memory>
#include <vector>
#include "cert_error_id.h"
#include "parsed_certificate.h"
namespace bssl {
class CertErrorParams;
// CertError represents either an error or a warning.
struct OPENSSL_EXPORT CertError {
enum Severity {
SEVERITY_HIGH,
SEVERITY_WARNING,
};
CertError();
CertError(Severity severity,
CertErrorId id,
std::unique_ptr<CertErrorParams> params);
CertError(CertError&& other);
CertError& operator=(CertError&&);
~CertError();
// Pretty-prints the error and its parameters.
std::string ToDebugString() const;
Severity severity;
CertErrorId id;
std::unique_ptr<CertErrorParams> params;
};
// CertErrors is a collection of CertError, along with convenience methods to
// add and inspect errors.
class OPENSSL_EXPORT CertErrors {
public:
CertErrors();
CertErrors(CertErrors&& other);
CertErrors& operator=(CertErrors&&);
~CertErrors();
// Adds an error/warning. |params| may be null.
void Add(CertError::Severity severity,
CertErrorId id,
std::unique_ptr<CertErrorParams> params);
// Adds a high severity error.
void AddError(CertErrorId id, std::unique_ptr<CertErrorParams> params);
void AddError(CertErrorId id);
// Adds a low severity error.
void AddWarning(CertErrorId id, std::unique_ptr<CertErrorParams> params);
void AddWarning(CertErrorId id);
// Dumps a textual representation of the errors for debugging purposes.
std::string ToDebugString() const;
// Returns true if the error |id| was added to this CertErrors (of any
// severity).
bool ContainsError(CertErrorId id) const;
// Returns true if this contains any errors of the given severity level.
bool ContainsAnyErrorWithSeverity(CertError::Severity severity) const;
private:
std::vector<CertError> nodes_;
};
// CertPathErrors is a collection of CertErrors, to group errors into different
// buckets for different certificates. The "index" should correspond with that
// of the certificate relative to its chain.
class OPENSSL_EXPORT CertPathErrors {
public:
CertPathErrors();
CertPathErrors(CertPathErrors&& other);
CertPathErrors& operator=(CertPathErrors&&);
~CertPathErrors();
// Gets a bucket to put errors in for |cert_index|. This will lookup and
// return the existing error bucket if one exists, or create a new one for the
// specified index. It is expected that |cert_index| is the corresponding
// index in a certificate chain (with 0 being the target).
CertErrors* GetErrorsForCert(size_t cert_index);
// Const version of the above, with the difference that if there is no
// existing bucket for |cert_index| returns nullptr rather than lazyily
// creating one.
const CertErrors* GetErrorsForCert(size_t cert_index) const;
// Returns a bucket to put errors that are not associated with a particular
// certificate.
CertErrors* GetOtherErrors();
// Returns true if CertPathErrors contains the specified error (of any
// severity).
bool ContainsError(CertErrorId id) const;
// Returns true if this contains any errors of the given severity level.
bool ContainsAnyErrorWithSeverity(CertError::Severity severity) const;
// Shortcut for ContainsAnyErrorWithSeverity(CertError::SEVERITY_HIGH).
bool ContainsHighSeverityErrors() const {
return ContainsAnyErrorWithSeverity(CertError::SEVERITY_HIGH);
}
// Pretty-prints all the errors in the CertPathErrors. If there were no
// errors/warnings, returns an empty string.
std::string ToDebugString(const ParsedCertificateList& certs) const;
private:
std::vector<CertErrors> cert_errors_;
CertErrors other_errors_;
};
} // namespace net
#endif // BSSL_PKI_CERT_ERRORS_H_