Crypto

<< UNDER CONSTRUCTION >>

This page covers crypto and related technologies such as SSL and certificates in Chromium. Most of the code is in the "net" module, with some crypto classes in the "base" module.

Top priorities

  1. Port SSLClientSocketNSS to use native crypto APIs for SSL client authentication on Mac OS X and Windows.
    • Pending changelists: 4670004.
    • Remaining work:
      • Remove support for ssl_PlatformAuthTokenPresent and make it always return PR_TRUE.
      • Generate an NSS patch.
  2. Implement a password callback for NSS on Linux. This allows us to protect the private keys in the NSS key database with a password, and support smart cards.
  3. Load the test root CA certificate temporarily on Windows. This eliminates the need to install the test root CA certificate on Windows to run the SSL unit tests.
  4. Regenerate the root CA and test certificates to have a long validity period.
  5. Cache certificate verification results in memory.
  6. Complete the <keygen> implementation.
  7. Cache complete certificate chains in the HTTP cache.

Work plan

<< A nice dependency diagram to be added by Ryan Sleevi. >>

  1. SSL client authentication
  2. A strategy towards FIPS 140-2 compliance.
  3. Clean up the crypto classes/API in base. The main issue is to standardize on one or two ways to represent a data buffer.
  4. Combine regular certificate verification and EV certificate verification into one for NSS. Not sure if this is possible.
  5. Have the NSS CERT_PKIXVerifyCert function report all certificate errors using the cert_po_errorLog output parameter.