forked from google/boringssl
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Bring in the core of chromium certificate verifier as libpki
Initially this leaves the canonical source in chrome, Additions and fillins are committed directly, the chrome files are coverted using the IMPORT script run from the pki directory for the moment. The intention here is to continue frequent automatic conversion (and avoid wholesale cosmetic changes in here for now) until chrome converts to use these files in place of it's versions. At that point these will become the definiative files, and the IMPORT script can be tossed out. A middle step along the way will be to change google3's verify.cc in third_party/chromium_certificate_verifier to use this instead of it's own extracted copy. Status (and what is not done yet) being roughly tracked in README.md Bug: chromium:1322914 Change-Id: Ibdb5479bc68985fa61ce6b10f98f31f6b3a7cbdf Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60285 Commit-Queue: Bob Beck <bbe@google.com> Reviewed-by: Adam Langley <agl@google.com>
- Loading branch information
Bob Beck
authored and
Boringssl LUCI CQ
committed
Jun 22, 2023
1 parent
ee194c7
commit bc97b7a
Showing
2,097 changed files
with
242,273 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,103 @@ | ||
| project(pki) | ||
| cmake_minimum_required(VERSION 3.25) | ||
| set(CMAKE_CXX_STANDARD 17) | ||
|
|
||
| add_library( | ||
| pki | ||
|
|
||
| fillins/ip_address.cc | ||
| fillins/utf_string_conversions.cc | ||
| fillins/string_util.cc | ||
| fillins/base64.cc | ||
| fillins/openssl_util.cc | ||
| string_util.cc | ||
| trust_store.cc | ||
| trust_store_collection.cc | ||
| parse_certificate.cc | ||
| parsed_certificate.cc | ||
| parser.cc | ||
| parse_values.cc | ||
| parse_name.cc | ||
| parsed_certificate.cc | ||
| name_constraints.cc | ||
| input.cc | ||
| tag.cc | ||
| cert_errors.cc | ||
| general_names.cc | ||
| pem.cc | ||
| crl.cc | ||
| revocation_util.cc | ||
| encode_values.cc | ||
| verify_name_match.cc | ||
| cert_errors.cc | ||
| common_cert_errors.cc | ||
| parse_certificate.cc | ||
| parsed_certificate.cc | ||
| extended_key_usage.cc | ||
| certificate_policies.cc | ||
| verify_certificate_chain.cc | ||
| verify_signed_data.cc | ||
| signature_algorithm.cc | ||
| cert_error_id.cc | ||
| cert_error_params.cc | ||
| trust_store.cc | ||
| trust_store_collection.cc | ||
| trust_store_in_memory.cc | ||
| simple_path_builder_delegate.cc | ||
| cert_issuer_source_static.cc | ||
| path_builder.cc | ||
| ) | ||
| # Although libpki also provides headers that require an include directory, the | ||
| # flag is already specified by libcrypto, so we omit target_include_directories | ||
| # here. | ||
| install_if_enabled(TARGETS pki EXPORT OpenSSLTargets ${INSTALL_DESTINATION_DEFAULT}) | ||
| set_property(TARGET pki PROPERTY EXPORT_NAME PKI) | ||
| set_property(TARGET pki PROPERTY CXX_STANDARD 17) | ||
| set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -D_BORINGSSL_LIBPKI_") | ||
| if (APPLE) | ||
| set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fno-aligned-new") | ||
| endif() | ||
| target_link_libraries(pki ssl crypto) | ||
|
|
||
| add_executable( | ||
| pki_test | ||
|
|
||
| fillins/path_service.cc | ||
| fillins/file_util.cc | ||
| test_helpers.cc | ||
| string_util_unittest.cc | ||
| parser_unittest.cc | ||
| parse_values_unittest.cc | ||
| input_unittest.cc | ||
| signature_algorithm_unittest.cc | ||
| extended_key_usage_unittest.cc | ||
| parse_name_unittest.cc | ||
| verify_name_match_unittest.cc | ||
| verify_signed_data_unittest.cc | ||
| parse_certificate_unittest.cc | ||
| parsed_certificate_unittest.cc | ||
| simple_path_builder_delegate_unittest.cc | ||
| trust_store_collection_unittest.cc | ||
| certificate_policies_unittest.cc | ||
| verify_certificate_chain_unittest.cc | ||
| nist_pkits_unittest.cc | ||
| path_builder_pkits_unittest.cc | ||
| name_constraints_unittest.cc | ||
| cert_issuer_source_static_unittest.cc | ||
| path_builder_unittest.cc | ||
| mock_signature_verify_cache.cc | ||
| path_builder_verify_certificate_chain_unittest.cc | ||
| verify_certificate_chain_pkits_unittest.cc | ||
| # encode_values_unittest.cc # Currently does a bunch of time goo.. | ||
| # ocsp_unittest.cc # Not sure we will keep this here.. | ||
| ) | ||
| target_link_libraries(pki_test test_support_lib boringssl_gtest_main pki ssl crypto) | ||
| set_property(TARGET pki_test PROPERTY CXX_STANDARD 17) | ||
| set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -D_BORINGSSL_LIBPKI_") | ||
| set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -D_BORINGSSL_PKI_SRCDIR_=${CMAKE_CURRENT_SOURCE_DIR}") | ||
| if (APPLE) | ||
| set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fno-aligned-new") | ||
| endif() | ||
| add_dependencies(all_tests pki_test) | ||
|
|
||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,23 @@ | ||
| #!/bin/sh | ||
|
|
||
| # Set this to be the location of a chromium checkout, and | ||
| # apply the patches in ./patches with "git am" first | ||
| # before running this script. | ||
| CHROMIUM_SRC=~/chromium/src | ||
|
|
||
| mkdir -p ./testdata | ||
| cp $CHROMIUM_SRC/net/test/test_certificate_data.h ./testdata | ||
|
|
||
| tar -C $CHROMIUM_SRC/net/third_party -cf - nist-pkits | tar -C ./testdata -xf - | ||
| tar -C $CHROMIUM_SRC/net/data -cf - cert_issuer_source_static_unittest \ | ||
| ssl/certificates \ | ||
| certificate_policies_unittest \ | ||
| name_constraints_unittest \ | ||
| ocsp_unittest \ | ||
| parse_certificate_unittest \ | ||
| path_builder_unittest \ | ||
| verify_certificate_chain_unittest \ | ||
| verify_name_match_unittest \ | ||
| verify_signed_data_unittest | tar -C ./testdata -xf - | ||
|
|
||
| go run ./import_tool.go -spec import_spec.json --source-base $CHROMIUM_SRC -dest-base . |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,32 @@ | ||
| # BoringSSL pki - Web PKI Certificate path building and verification library | ||
|
|
||
| This directory and library should be considered experimental and should not be | ||
| depended upon not to change without notice. You should not use this. | ||
|
|
||
| It contains an extracted and modified copy of chrome's certificate | ||
| verifier core logic. | ||
|
|
||
| It is for the moment, intended to be synchronized from a checkout of chrome's | ||
| head with the IMPORT script run in this directory. The eventual goal is to | ||
| make both chrome and google3 consume this. | ||
|
|
||
| ## Current status: | ||
| * Some of the Path Builder tests depending on chrome testing classes and | ||
| SavedUserData are disabled. These probably need either a mimicing | ||
| SaveUserData class here, or be pulled out into chrome only. | ||
| * This contains a copy of der as bssl:der - a consideration for | ||
| re-integrating with chromium. the encode_values part of der does not include | ||
| the base::time or absl::time based stuff as they are not used within the | ||
| library, this should probably be split out for chrome, or chrome's der could | ||
| be modified (along with this one and eventually merged together) to not use | ||
| base::time for encoding GeneralizedTimes, but rather use boringssl posix | ||
| times as does the rest of this library. | ||
| * The Name Constraint limitation code is modified to remove clamped_math | ||
| and mimic BoringSSL's overall limits - Some of the tests that test | ||
| for specific edge cases for chrome's limits have been disabled. The | ||
| tests need to be changed to reflect the overall limit, or ignored | ||
| and we make name constraints subquadratic and stop caring about this. | ||
| * Fuzzer targets are not yet hooked up. | ||
|
|
||
|
|
||
|
|
Oops, something went wrong.