# Certificate verification

This directory contains the core code for verifying server certificates.
Limited support is also included for verifying client certificates, but only to
the extent they chain to a server-supplied set of issuers.

Server certificate verification emphasizes the standards and policy for
publicly trusted certificates:

 * Basic X.509 digital certificates
 * RFC 5280
 * CA/Browser Forum Baseline Requirements
 * CRLSets
 * Certificate Transparency

The core logic of certificate verification is implemented synchronously, as it
may need to integrate with synchronous OS-provided APIs. This synchronous
implementation is performed through the [CertVerifyProc](cert_verify_proc.h)
interface, which is a thread-agnostic, thread-safe interface that can be used to
verify certificates synchronously on arbitrary worker threads.

The top-level interface for verifying server certificates is the asynchronous
[CertVerifier](cert_verifier.h).

[MultiThreadedCertVerifier](multi_threaded_cert_verifier.h) is an
implementation of `CertVerifier` that executes `CertVerifyProc` synchronously
on worker threads.

[CertVerifyProcBuiltin](cert_verify_proc_builtin.h) is a cross-platform
implementation that performs path building internally. It relies on
platform integrations only for obtaining user- and enterprise-configured trusted
root certificates. The publicly trusted root certificates are supplied by the
[Chrome Root Store](../data/ssl/chrome_root_store/README.md).

The other `CertVerifyProc` implementations integrate with the underlying
platform's certificate verification library. There are two platform
implementations:
[CertVerifyProcAndroid](cert_verify_proc_android.h) and
[CertVerifyProcIOS](cert_verify_proc_ios.h).

Browser-specific policy checks are applied even when using the platform's
certificate verifier. For instance, a certificate chain the OS deemed valid
could ultimately be rejected by `CertVerifyProc`, since it independently
checks the chain for CRLSet revocation, use of weak keys, Baseline Requirements
validity, name constraints, weak signature algorithms, and more.
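The layering described above, as an added illustration that is not Chromium's code: a synchronous, thread-safe step in the `CertVerifyProc` role gates on a platform verdict and then applies the browser's own CRLSet, weak-key and weak-signature checks, and an asynchronous front end in the `CertVerifier` role runs that step on a worker thread. The `CertInfo` stand-in type, the 2048-bit threshold, the algorithm-name strings and the SPKI digest values are assumptions made for the example.

```cpp
#include <cstddef>
#include <functional>
#include <future>
#include <set>
#include <string>
#include <vector>

// Constructed stand-in for a parsed certificate (not Chromium's types).
struct CertInfo {
  std::string spki_sha256;    // hex digest of the SubjectPublicKeyInfo
  std::string sig_algorithm;  // e.g. "sha256WithRSAEncryption"
  int key_bits;               // RSA modulus size
};

enum class Verdict { kOk, kPlatformRejected, kRevokedByCrlSet, kWeakKey, kWeakSignature };
// The platform verifier's answer (the Android/iOS integration in the real code).
using PlatformVerifyFn = std::function<bool(const std::vector<CertInfo>&)>;

// Browser policy checks, run even when the platform accepted the chain.
// chain[0] is the leaf; the last element is the trust anchor.
Verdict ApplyBrowserPolicy(const std::vector<CertInfo>& chain,
                           const std::set<std::string>& crlset_blocked_spki) {
  for (std::size_t i = 0; i < chain.size(); ++i) {
    const CertInfo& c = chain[i];
    if (crlset_blocked_spki.count(c.spki_sha256)) return Verdict::kRevokedByCrlSet;
    if (c.key_bits < 2048) return Verdict::kWeakKey;  // assumed minimum size
    // The anchor's own signature is not part of the validated path.
    bool is_anchor = (i + 1 == chain.size());
    if (!is_anchor && (c.sig_algorithm.rfind("sha1", 0) == 0 ||
                       c.sig_algorithm.rfind("md5", 0) == 0)) {
      return Verdict::kWeakSignature;
    }
  }
  return Verdict::kOk;
}

// CertVerifyProc role: synchronous and thread-safe (touches only its arguments).
Verdict VerifySync(const std::vector<CertInfo>& chain,
                   const PlatformVerifyFn& platform_verify,
                   const std::set<std::string>& crlset_blocked_spki) {
  if (!platform_verify(chain)) return Verdict::kPlatformRejected;
  return ApplyBrowserPolicy(chain, crlset_blocked_spki);  // platform verdict is only a gate
}

// CertVerifier role: runs VerifySync on a worker thread; the caller waits on the future.
std::future<Verdict> VerifyAsync(std::vector<CertInfo> chain, PlatformVerifyFn platform_verify,
                                 std::set<std::string> crlset_blocked_spki) {
  return std::async(std::launch::async, VerifySync, chain, platform_verify, crlset_blocked_spki);
}
```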