yggdrasil/ring
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
ring/pki/README.md
Bob Beck bc97b7a8e1 Bring in the core of chromium certificate verifier as libpki 
Initially this leaves the canonical source in chrome, Additions
and fillins are committed directly, the chrome files are coverted
using the IMPORT script run from the pki directory for the moment.

The intention here is to continue frequent automatic conversion
(and avoid wholesale cosmetic changes in here for now) until
chrome converts to use these files in place of it's versions.
At that point these will become the definiative files, and the
IMPORT script can be tossed out.

A middle step along the way will be to change google3's verify.cc
in third_party/chromium_certificate_verifier to use this instead
of it's own extracted copy.

Status (and what is not done yet) being roughly tracked in README.md

Bug: chromium:1322914

Change-Id: Ibdb5479bc68985fa61ce6b10f98f31f6b3a7cbdf
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60285
Commit-Queue: Bob Beck <bbe@google.com>
Reviewed-by: Adam Langley <agl@google.com>
2023-06-22 19:34:39 +00:00

1.6 KiB
Raw Blame History

BoringSSL pki - Web PKI Certificate path building and verification library

This directory and library should be considered experimental and should not be depended upon not to change without notice. You should not use this.

It contains an extracted and modified copy of chrome's certificate verifier core logic.

It is for the moment, intended to be synchronized from a checkout of chrome's head with the IMPORT script run in this directory. The eventual goal is to make both chrome and google3 consume this.

Current status:

  • Some of the Path Builder tests depending on chrome testing classes and SavedUserData are disabled. These probably need either a mimicing SaveUserData class here, or be pulled out into chrome only.
  • This contains a copy of der as bssl:der - a consideration for re-integrating with chromium. the encode_values part of der does not include the base::time or absl::time based stuff as they are not used within the library, this should probably be split out for chrome, or chrome's der could be modified (along with this one and eventually merged together) to not use base::time for encoding GeneralizedTimes, but rather use boringssl posix times as does the rest of this library.
  • The Name Constraint limitation code is modified to remove clamped_math and mimic BoringSSL's overall limits - Some of the tests that test for specific edge cases for chrome's limits have been disabled. The tests need to be changed to reflect the overall limit, or ignored and we make name constraints subquadratic and stop caring about this.
  • Fuzzer targets are not yet hooked up.