* trust domain: https://mxr.mozilla.org/mozilla-central/source/security/certverifier/
=== High level description of folders/files/classes ===
The main entry-point for verification is <code>mozilla::pkix::BuildCertChain</code> in [https://mxr.mozilla.org/mozilla-central/source/security/pkix/include/pkix/pkix.h security/pkix/include/pkix/pkix.h]. This function takes a number of required arguments, including an implementation of a <code>mozilla::pkix::TrustDomain</code>, the certificate to verify, the time at which to verify, and whether this is an end-entity certificate or a CA certificate. Additionally, the caller may specify some required properties of some extensions if present. A known-in-advance OCSP response may be included as well. The function returns <code>SECSuccess</code> upon successful verification and <code>SECFailure</code> upon failure (in which case it sets an error code that can be obtained by calling <code>PR_GetError()</code>). The function will optionally return the trusted certificate chain found.
<code>mozilla::pkix::TrustDomain</code> is declared in [https://mxr.mozilla.org/mozilla-central/source/security/pkix/include/pkix/pkixtypes.h#44 security/pkix/include/pkix/pkixtypes.h]. An implementation of a <code>TrustDomain</code> is responsible for deciding the trust level of a given certificate, finding potential issuers of a given certificate, verifying the signature of a certificate, and determining the revocation status of a certificate. The <code>TrustDomain</code> implementation used by PSM is <code>mozilla::psm::NSSCertDBTrustDomain</code>. See [https://mxr.mozilla.org/mozilla-central/source/security/certverifier/NSSCertDBTrustDomain.h security/certverifier/NSSCertDBTrustDomain.h] and [https://mxr.mozilla.org/mozilla-central/source/security/certverifier/NSSCertDBTrustDomain.cpp NSSCertDBTrustDomain.cpp].
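The division of responsibilities described above, as an added example that is not Mozilla's code: a toy C++ model in which a path builder delegates trust decisions, issuer lookup, signature checks and revocation status to a trust-domain object. All names (<code>Cert</code>, <code>BuildChain</code>, <code>MemoryDomain</code>) and the certificate data are constructed for illustration; the real API also takes a verification time, an end-entity/CA flag and extension requirements, which this model omits.

```cpp
#include <set>
#include <string>
#include <vector>

// Toy model with hypothetical names; NOT the mozilla::pkix API.
struct Cert { std::string subject, issuer, signedBy; };  // signedBy stands in for a signature
enum class Trust { Anchor, Inherit, Distrusted };
// The four responsibilities the page assigns to a TrustDomain.
struct TrustDomain {
  virtual ~TrustDomain() = default;
  virtual Trust GetTrust(const Cert& c) = 0;
  virtual std::vector<Cert> FindIssuers(const Cert& c) = 0;
  virtual bool VerifySignature(const Cert& c, const Cert& issuer) = 0;
  virtual bool IsRevoked(const Cert& c) = 0;
};
// Depth-first path building; every policy decision is delegated to the domain.
bool BuildChain(TrustDomain& td, const Cert& cert, std::vector<Cert>& chain, int depth = 0) {
  if (depth > 8) return false;                // bound path length, stops issuer loops
  const Trust trust = td.GetTrust(cert);
  if (trust == Trust::Distrusted) return false;
  chain.push_back(cert);
  if (trust == Trust::Anchor) return true;    // chain ends at a trust anchor
  if (!td.IsRevoked(cert))
    for (const Cert& issuer : td.FindIssuers(cert))
      if (td.VerifySignature(cert, issuer) && BuildChain(td, issuer, chain, depth + 1)) return true;
  chain.pop_back();                           // dead end: backtrack
  return false;
}
// Constructed in-memory domain: Root (anchor) -> Intermediate -> leaf.
struct MemoryDomain : TrustDomain {
  std::vector<Cert> store{Cert{"Root", "Root", "Root"}, Cert{"Intermediate", "Root", "Root"}};
  std::set<std::string> anchors{"Root"}, revoked, distrusted;
  Trust GetTrust(const Cert& c) override {
    if (distrusted.count(c.subject)) return Trust::Distrusted;
    return anchors.count(c.subject) ? Trust::Anchor : Trust::Inherit;
  }
  std::vector<Cert> FindIssuers(const Cert& c) override {
    std::vector<Cert> out;
    for (const Cert& k : store) if (k.subject == c.issuer) out.push_back(k);
    return out;
  }
  bool VerifySignature(const Cert& c, const Cert& issuer) override { return c.signedBy == issuer.subject; }
  bool IsRevoked(const Cert& c) override { return revoked.count(c.subject) > 0; }
};
const Cert kLeaf{"www.example.test", "Intermediate", "Intermediate"};
int main() {
  MemoryDomain td;
  std::vector<Cert> chain;
  return BuildChain(td, kLeaf, chain) && chain.size() == 3 ? 0 : 1;
}
```

Removing <code>"Root"</code> from <code>anchors</code> makes the same chain fail, which shows that trust comes from the domain's decision and not from the certificate being self-signed.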
'''more information to come'''
If you find an issue, please file a Bugzilla bug (https://bugzilla.mozilla.org/enter_bug.cgi) with Product=Core, Component=Security:PSM, and put "(mozilla::pkix)" at the beginning of the Summary.