Add a ServerProofVerifier interface to QUIC. This is a server-side equivalent of ProofVerifier. It is used to verify a client's certificate chain. It will only be used when the server needs to request client certificates. ServerProofVerifier drops the VerifyProof() function (not used in TLS 1.3) and the |hostname|, |ocsp_response|, and |cert_sct| parameters of VerifyCertChain() (those aren't really meaningful to a server). See go/quic-tls-client-certificates for the full design doc and context. gfe-relnote: no functional changes (only adds an interface). PiperOrigin-RevId: 291429810 Change-Id: Ifd7deb6e72294b2626572b6555e3b5e2976b286e
diff --git a/quic/core/crypto/server_proof_verifier.h b/quic/core/crypto/server_proof_verifier.h
new file mode 100644
index 0000000..94fe131
--- /dev/null
+++ b/quic/core/crypto/server_proof_verifier.h
@@ -0,0 +1,42 @@
+// Copyright (c) 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef QUICHE_QUIC_CORE_CRYPTO_SERVER_PROOF_VERIFIER_H_
+#define QUICHE_QUIC_CORE_CRYPTO_SERVER_PROOF_VERIFIER_H_
+
+#include <memory>
+#include <string>
+#include <vector>
+
+#include "net/third_party/quiche/src/quic/core/crypto/proof_verifier.h"
+#include "net/third_party/quiche/src/quic/core/quic_types.h"
+
+namespace quic {
+
+// A ServerProofVerifier checks the certificate chain presented by a client.
+class QUIC_EXPORT_PRIVATE ServerProofVerifier {
+ public:
+  virtual ~ServerProofVerifier() {}
+
+  // VerifyCertChain checks that |certs| is a valid chain. On success, it
+  // returns QUIC_SUCCESS. On failure, it returns QUIC_FAILURE and sets
+  // |*error_details| to a description of the problem. In either case it may set
+  // |*details|, which the caller takes ownership of.
+  //
+  // |context| specifies an implementation specific struct (which may be nullptr
+  // for some implementations) that provides useful information for the
+  // verifier, e.g. logging handles.
+  //
+  // This function may also return QUIC_PENDING, in which case the
+  // ServerProofVerifier will call back, on the original thread, via |callback|
+  // when complete. In this case, the ServerProofVerifier will take ownership of
+  // |callback|.
+  virtual QuicAsyncStatus VerifyCertChain(
+      const std::vector<std::string>& certs,
+      std::string* error_details,
+      std::unique_ptr<ProofVerifierCallback> callback) = 0;
+};
+
+} // namespace quic
+#endif // QUICHE_QUIC_CORE_CRYPTO_SERVER_PROOF_VERIFIER_H_
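Review bot: The comment on VerifyCertChain still documents `|*details|` and `|context|`, but neither is a parameter of the signature below it — the only parameters are `certs`, `error_details` and `callback` — so the sentence "In either case it may set |*details|, which the caller takes ownership of." and the whole `|context|` paragraph look copied from ProofVerifier::VerifyCertChain and should be dropped. Since this interface is the server's only check on a client certificate chain, the comment should instead pin down what it does not yet say: the expected encoding and ordering of the entries in `certs` (if, as for ProofVerifier, the leaf is expected first, say so) and that a QUIC_FAILURE result means the handshake must not proceed with that client identity. The empty-body destructor is better spelled `virtual ~ServerProofVerifier() = default;`. QUIC_EXPORT_PRIVATE is used without a direct include of the header that defines it; if it only arrives transitively through proof_verifier.h, adding the direct include would keep this header self-contained.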