Automated g4 rollback of changelist 291429810.
*** Reason for rollback ***
No needed for mTLS. quic::TlsHandshaker::VerifyCert is sufficient for a QUIC server to verify client certs.
*** Original change description ***
Add a ServerProofVerifier interface to QUIC.
This is a server-side equivalent of ProofVerifier. It is used to verify a
client's certificate chain. It will only be used when the server needs to
request client certificates.
ServerProofVerifier drops the VerifyProof() function (not used in TLS 1.3) and
the |hostname|, |ocsp_response|, and |cert_sct| parameters of VerifyCertChain()
(those aren't really meaningful to a server).
See go/quic-tls-client-certificates for the full design doc and cont...
***
PiperOrigin-RevId: 413521549
diff --git a/quic/core/crypto/server_proof_verifier.h b/quic/core/crypto/server_proof_verifier.h
deleted file mode 100644
index 3e5e67b..0000000
--- a/quic/core/crypto/server_proof_verifier.h
+++ /dev/null
@@ -1,42 +0,0 @@
-// Copyright (c) 2020 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef QUICHE_QUIC_CORE_CRYPTO_SERVER_PROOF_VERIFIER_H_
-#define QUICHE_QUIC_CORE_CRYPTO_SERVER_PROOF_VERIFIER_H_
-
-#include <memory>
-#include <string>
-#include <vector>
-
-#include "quic/core/crypto/proof_verifier.h"
-#include "quic/core/quic_types.h"
-
-namespace quic {
-
-// A ServerProofVerifier checks the certificate chain presented by a client.
-class QUIC_EXPORT_PRIVATE ServerProofVerifier {
- public:
- virtual ~ServerProofVerifier() {}
-
- // VerifyCertChain checks that |certs| is a valid chain. On success, it
- // returns QUIC_SUCCESS. On failure, it returns QUIC_FAILURE and sets
- // |*error_details| to a description of the problem. In either case it may set
- // |*details|, which the caller takes ownership of.
- //
- // |context| specifies an implementation specific struct (which may be nullptr
- // for some implementations) that provides useful information for the
- // verifier, e.g. logging handles.
- //
- // This function may also return QUIC_PENDING, in which case the
- // ServerProofVerifier will call back, on the original thread, via |callback|
- // when complete. In this case, the ServerProofVerifier will take ownership of
- // |callback|.
- virtual QuicAsyncStatus VerifyCertChain(
- const std::vector<std::string>& certs,
- std::string* error_details,
- std::unique_ptr<ProofVerifierCallback> callback) = 0;
-};
-
-} // namespace quic
-#endif // QUICHE_QUIC_CORE_CRYPTO_SERVER_PROOF_VERIFIER_H_
diff --git a/quic/core/tls_handshaker.h b/quic/core/tls_handshaker.h
index 3335564..9509e81 100644
--- a/quic/core/tls_handshaker.h
+++ b/quic/core/tls_handshaker.h
@@ -100,12 +100,11 @@
}
int expected_ssl_error() const { return expected_ssl_error_; }
- // Called to verify a cert chain. This is a simple wrapper around
- // ProofVerifier or ServerProofVerifier, which optionally gathers additional
- // arguments to pass into their VerifyCertChain method. This class retains a
- // non-owning pointer to |callback|; the callback must live until this
- // function returns QUIC_SUCCESS or QUIC_FAILURE, or until the callback is
- // run.
+ // Called to verify a cert chain. This can be implemented as a simple wrapper
+ // around ProofVerifier, which optionally gathers additional arguments to pass
+ // into their VerifyCertChain method. This class retains a non-owning pointer
+ // to |callback|; the callback must live until this function returns
+ // QUIC_SUCCESS or QUIC_FAILURE, or until the callback is run.
//
// If certificate verification fails, |*out_alert| may be set to a TLS alert
// that will be sent when closing the connection; it defaults to