Crypto
<< UNDER CONSTRUCTION >>
This page covers crypto and related technologies such as SSL and certificates in Chromium. Most of the code is in the "net" module, with some crypto classes in the "base" module.
Top priorities
- Port SSLClientSocketNSS to use native crypto APIs for SSL client authentication on Mac OS X and Windows.
  - Pending changelists: 4670004.
  - Remaining work:
    - Remove support for ssl_PlatformAuthTokenPresent and make it always return PR_TRUE.
    - Generate an NSS patch.
- Implement a password callback for NSS on Linux. This allows us to protect the private keys in the NSS key database with a password, and support smart cards.
  - Pending changelists: 5686002
- Load the test root CA certificate temporarily on Windows. This eliminates the need to install the test root CA certificate on Windows to run the SSL unit tests.
  - Pending changelists: 4646001.
- Regenerate the root CA and test certificates to have a long validity period.
  - Pending changelists: 5535006
- Cache certificate verification results in memory.
  - Pending changelists: 5386001
- Complete <keygen> implementation.
- Cache complete certificate chains in the HTTP cache.
  - Pending changelists: 4645001.
Work plan
<< A nice dependency diagram to be added by Ryan Sleevi. >>
- SSL client authentication
- A strategy towards FIPS 140-2 compliance.
- Clean up the crypto classes/API in base. The main issue is to standardize on one or two ways to represent a data buffer.
- Combine regular certificate verification and EV certificate verification into one for NSS. Not sure if this is possible.
- Have the NSS CERT_PKIXVerifyCert function report all certificate errors using the cert_po_errorLog output parameter.