Automated g4 rollback of changelist 291429810. *** Reason for rollback *** No needed for mTLS. quic::TlsHandshaker::VerifyCert is sufficient for a QUIC server to verify client certs. *** Original change description *** Add a ServerProofVerifier interface to QUIC. This is a server-side equivalent of ProofVerifier. It is used to verify a client's certificate chain. It will only be used when the server needs to request client certificates. ServerProofVerifier drops the VerifyProof() function (not used in TLS 1.3) and the |hostname|, |ocsp_response|, and |cert_sct| parameters of VerifyCertChain() (those aren't really meaningful to a server). See go/quic-tls-client-certificates for the full design doc and cont... *** PiperOrigin-RevId: 413521549
diff --git a/quic/core/crypto/server_proof_verifier.h b/quic/core/crypto/server_proof_verifier.h deleted file mode 100644 index 3e5e67b..0000000 --- a/quic/core/crypto/server_proof_verifier.h +++ /dev/null
@@ -1,42 +0,0 @@ -// Copyright (c) 2020 The Chromium Authors. All rights reserved. -// Use of this source code is governed by a BSD-style license that can be -// found in the LICENSE file. - -#ifndef QUICHE_QUIC_CORE_CRYPTO_SERVER_PROOF_VERIFIER_H_ -#define QUICHE_QUIC_CORE_CRYPTO_SERVER_PROOF_VERIFIER_H_ - -#include <memory> -#include <string> -#include <vector> - -#include "quic/core/crypto/proof_verifier.h" -#include "quic/core/quic_types.h" - -namespace quic { - -// A ServerProofVerifier checks the certificate chain presented by a client. -class QUIC_EXPORT_PRIVATE ServerProofVerifier { - public: - virtual ~ServerProofVerifier() {} - - // VerifyCertChain checks that |certs| is a valid chain. On success, it - // returns QUIC_SUCCESS. On failure, it returns QUIC_FAILURE and sets - // |*error_details| to a description of the problem. In either case it may set - // |*details|, which the caller takes ownership of. - // - // |context| specifies an implementation specific struct (which may be nullptr - // for some implementations) that provides useful information for the - // verifier, e.g. logging handles. - // - // This function may also return QUIC_PENDING, in which case the - // ServerProofVerifier will call back, on the original thread, via |callback| - // when complete. In this case, the ServerProofVerifier will take ownership of - // |callback|. - virtual QuicAsyncStatus VerifyCertChain( - const std::vector<std::string>& certs, - std::string* error_details, - std::unique_ptr<ProofVerifierCallback> callback) = 0; -}; - -} // namespace quic -#endif // QUICHE_QUIC_CORE_CRYPTO_SERVER_PROOF_VERIFIER_H_
diff --git a/quic/core/tls_handshaker.h b/quic/core/tls_handshaker.h index 3335564..9509e81 100644 --- a/quic/core/tls_handshaker.h +++ b/quic/core/tls_handshaker.h
@@ -100,12 +100,11 @@ } int expected_ssl_error() const { return expected_ssl_error_; } - // Called to verify a cert chain. This is a simple wrapper around - // ProofVerifier or ServerProofVerifier, which optionally gathers additional - // arguments to pass into their VerifyCertChain method. This class retains a - // non-owning pointer to |callback|; the callback must live until this - // function returns QUIC_SUCCESS or QUIC_FAILURE, or until the callback is - // run. + // Called to verify a cert chain. This can be implemented as a simple wrapper + // around ProofVerifier, which optionally gathers additional arguments to pass + // into their VerifyCertChain method. This class retains a non-owning pointer + // to |callback|; the callback must live until this function returns + // QUIC_SUCCESS or QUIC_FAILURE, or until the callback is run. // // If certificate verification fails, |*out_alert| may be set to a TLS alert // that will be sent when closing the connection; it defaults to