From 2a89c4c490dc98307f502d698d7d738371a1b5c6 Mon Sep 17 00:00:00 2001
From: "agl@chromium.org"
Date: Tue, 12 Apr 2011 16:26:26 +0000
Subject: net: add support for checking if a known public key is in a chain.

This is intended for use with future support for HSTS or CAA pinning of certificate chains. Since we build certificate chains from a pool of certificates, and certificates get reissued with updated expiries etc, only the public keys in the chain will always match. Thus we match on SHA1 hashes of SubjectPublicKeyInfos.

BUG=none
TEST=net_unittests

Review URL: http://codereview.chromium.org/6821010

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@81259 0039d316-1c4b-4281-b951-d872f2087c98
---
 net/base/cert_verify_result.h | 10 ++++++++++
 1 file changed, 10 insertions(+)
(limited to 'net/base/cert_verify_result.h')

diff --git a/net/base/cert_verify_result.h b/net/base/cert_verify_result.h
index 2939c3a..96b50e2 100644
--- a/net/base/cert_verify_result.h
+++ b/net/base/cert_verify_result.h
@@ -6,6 +6,10 @@
 #define NET_BASE_CERT_VERIFY_RESULT_H_
 #pragma once
+#include
+
+#include "net/base/x509_cert_types.h"
+
 namespace net {
 // The result of certificate verification. Eventually this may contain the
@@ -22,6 +26,7 @@ class CertVerifyResult {
     has_md5_ca = false;
     has_md2_ca = false;
     is_issued_by_known_root = false;
+    public_key_hashes.clear();
   }
   // Bitmask of CERT_STATUS_* from net/base/cert_status_flags.h
@@ -34,6 +39,11 @@ class CertVerifyResult {
   bool has_md5_ca;
   bool has_md2_ca;
+  // If the certificate was successfully verified then this contains the SHA1
+  // fingerprints of the SubjectPublicKeyInfos of the chain. The fingerprint
+  // from the leaf certificate will be the first element of the vector.
+  std::vector public_key_hashes;
+
   // is_issued_by_known_root is true if we recognise the root CA as a standard
   // root. If it isn't then it's probably the case that this certificate was
   // generated by a MITM proxy whose root has been installed locally. This is
-- 
cgit v1.1
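Review bot: The comment on `public_key_hashes` says what the vector holds when verification succeeds but not what a consumer sees after a failed verification, and a pin check that runs on a failed result must not be able to match against a partially built chain; I would extend it with `// Empty unless verification succeeded; check the verify status before trusting these.` (Reset() in the earlier hunk clears it, but whether the verifier fills it before the status is known is not visible here). The comment should also state exactly which bytes are hashed — presumably the DER-encoded SubjectPublicKeyInfo — so that pins generated by other tools hash the same input, and whether the root's key is included at the end of the vector. Since the stated purpose is matching a pinned key anywhere in the chain, it is worth saying that consumers should test every element, not only the leaf at index 0. In this rendering the element type of `std::vector` (and the header name on the `#include` in the first hunk) appears stripped as markup; presumably it is the SHA-1 fingerprint type from x509_cert_types.h, but that should be confirmed against the actual source rather than this page.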