# Certificate verification

This directory contains the core code for verifying server certificates.
Limited support is also included for verifying client certificates, but only to
the extent they chain to a server-supplied set of issuers.

Server certificate verification emphasizes the standards/policy for
publicly trusted certificates:

 * Basic X.509 digital certificates
 * RFC 5280
 * CA/Browser Forum Baseline Requirements
 * CRLSets
 * Certificate Transparency

The core logic of certificate verification is implemented synchronously, as it
may need to integrate with synchronous OS-provided APIs. This synchronous
implementation is performed through the [CertVerifyProc](cert_verify_proc.h)
interface, which is a thread-agnostic/thread-safe interface that can be used to
verify certificates synchronously on arbitrary worker threads.

The top-level interface for verifying server certificates is the asynchronous
[CertVerifier](cert_verifier.h).

[MultiThreadedCertVerifier](multi_threaded_cert_verifier.h) is an
implementation of `CertVerifier` that executes `CertVerifyProc` synchronously
on worker threads.

[CertVerifyProcBuiltin](cert_verify_proc_builtin.h) is a cross-platform
implementation which implements path building internally. It only relies on
platform integrations for obtaining user and enterprise configured trusted root
certificates. The publicly trusted root certificates are supplied by the
[Chrome Root Store](../data/ssl/chrome_root_store/README.md).

The other `CertVerifyProc` implementations are for integrating
with the underlying platform's certificate verification library.
There are 2 platform implementations:
[CertVerifyProcAndroid](cert_verify_proc_android.h) and
[CertVerifyProcIOS](cert_verify_proc_ios.h).

Browser-specific policy checks are applied even when using the platform's
certificate verifier. For instance, a certificate chain the OS deemed valid
could ultimately be rejected by `CertVerifyProc` since it independently
checks the chain for CRLSet revocation, use of weak keys, Baseline Requirements
validity, name constraints, weak signature algorithms, and more.
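
The layering described in the last paragraph, as an added sketch that is not code from this directory: a policy pass runs over the already-built chain and can reject it even when the platform verifier accepted it. All type and function names (`CertInfo`, `RevocationSet`, `CheckChain`), the key-size minimums and the blocklist shape are assumptions made for illustration; Baseline Requirements validity and name constraints are not modelled.

```cpp
#include <cstdint>
#include <set>
#include <string>
#include <utility>
#include <vector>

// Hypothetical model types for illustration; not the classes in this directory.
enum class KeyType { kRsa, kEc };
enum class SigAlg { kSha1Rsa, kSha256Rsa, kEcdsaSha256 };
struct CertInfo {
  std::string spki_hash, serial;  // constructed placeholders, not real values
  KeyType key_type;
  int key_bits;
  SigAlg sig_alg;  // algorithm of the signature on this certificate
};
// Stand-in for a CRLSet-style blocklist shipped by the browser (assumed shape).
struct RevocationSet {
  std::set<std::string> blocked_spkis;
  std::set<std::pair<std::string, std::string>> blocked_serials;  // (issuer SPKI, serial)
};
enum PolicyError : uint32_t {
  kOk = 0, kPlatformRejected = 1, kRevoked = 2, kWeakKey = 4, kWeakSignature = 8
};

// chain[0] is the leaf, chain.back() the trust anchor; accept only if the result is kOk.
uint32_t CheckChain(bool platform_ok, const std::vector<CertInfo>& chain,
                    const RevocationSet& revoked) {
  uint32_t errors = platform_ok ? kOk : kPlatformRejected;
  for (size_t i = 0; i < chain.size(); ++i) {
    const CertInfo& cert = chain[i];
    const bool has_issuer = i + 1 < chain.size();
    if (revoked.blocked_spkis.count(cert.spki_hash)) errors |= kRevoked;
    if (has_issuer && revoked.blocked_serials.count(
                          std::make_pair(chain[i + 1].spki_hash, cert.serial)))
      errors |= kRevoked;
    // Assumed minimums for this example: RSA 2048 bits, EC 256 bits.
    if (cert.key_bits < (cert.key_type == KeyType::kRsa ? 2048 : 256)) errors |= kWeakKey;
    // The anchor is trusted by configuration, so its self-signature is skipped.
    if (has_issuer && cert.sig_alg == SigAlg::kSha1Rsa) errors |= kWeakSignature;
  }
  return errors;
}

int main() {  // constructed sample: platform accepted a chain with a 1024-bit leaf
  std::vector<CertInfo> chain = {
      {"spki-leaf", "01", KeyType::kRsa, 1024, SigAlg::kSha256Rsa},
      {"spki-root", "02", KeyType::kRsa, 4096, SigAlg::kSha256Rsa}};
  return CheckChain(true, chain, RevocationSet{}) == kWeakKey ? 0 : 1;
}
```

The result is a bitmask, so one chain can report several independent findings, and a platform "valid" verdict never clears a policy finding.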