Certificate path builder for new certificate verification library

components/cast_certificate/cast_cert_validator.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "components/cast_certificate/cast_cert_validator.h"
 
 #include <stddef.h>
 #include <stdint.h>
 
 #include <algorithm>
 #include <memory>
 #include <utility>
 
 #include "base/memory/ptr_util.h"
 #include "base/memory/singleton.h"
+#include "net/cert/internal/cert_issuer_source_static.h"
 #include "net/cert/internal/certificate_policies.h"
 #include "net/cert/internal/extended_key_usage.h"
 #include "net/cert/internal/parse_certificate.h"
 #include "net/cert/internal/parse_name.h"
 #include "net/cert/internal/parsed_certificate.h"
+#include "net/cert/internal/path_builder.h"
 #include "net/cert/internal/signature_algorithm.h"
 #include "net/cert/internal/signature_policy.h"
 #include "net/cert/internal/trust_store.h"
-#include "net/cert/internal/verify_certificate_chain.h"
 #include "net/cert/internal/verify_signed_data.h"
 #include "net/der/input.h"
 
 namespace cast_certificate {
 namespace {
 
 // -------------------------------------------------------------------------
 // Cast trust anchors.
 // -------------------------------------------------------------------------
 
@@ skipping 203 matching lines @@
   net::der::GeneralizedTime result;
   result.year = exploded.year;
   result.month = exploded.month;
   result.day = exploded.day_of_month;
   result.hours = exploded.hour;
   result.minutes = exploded.minute;
   result.seconds = exploded.second;
   return result;
 }
 
-class ScopedCheckUnreferencedCerts {
- public:
-  explicit ScopedCheckUnreferencedCerts(
-      std::vector<scoped_refptr<net::ParsedCertificate>>* certs)
-      : certs_(certs) {}
-  ~ScopedCheckUnreferencedCerts() {
-    for (const auto& cert : *certs_)
-      DCHECK(cert->HasOneRef());
-  }
-
- private:
-  std::vector<scoped_refptr<net::ParsedCertificate>>* certs_;
-};
-
 // Returns the parsing options used for Cast certificates.
 net::ParseCertificateOptions GetCertParsingOptions() {
   net::ParseCertificateOptions options;
 
   // Some cast intermediate certificates contain serial numbers that are
   // 21 octets long, and might also not use valid DER encoding for an
   // INTEGER (non-minimal encoding).
   //
   // Allow these sorts of serial numbers.
   //
   // TODO(eroman): At some point in the future this workaround will no longer be
   // necessary. Should revisit this for removal in 2017 if not earlier.
   options.allow_invalid_serial_numbers = true;
   return options;
 }
 
 }  // namespace
 
 bool VerifyDeviceCert(const std::vector<std::string>& certs,

[eroman, 2016/06/27 19:58:52]

Can you update the documentation in
components/cast_certificate/cast_cert_validator.h to indicate the weaker
requirements on |certs| now? (Or if you don't want to change the API guarantees
yet for full path building then leave a TODO).

[mattm, 2016/06/27 23:45:45]

Done.

                       const base::Time::Exploded& time,
                       std::unique_ptr<CertVerificationContext>* context,
                       CastDeviceCertPolicy* policy) {
-  // The underlying verification function expects a sequence of
-  // ParsedCertificate.
-  std::vector<scoped_refptr<net::ParsedCertificate>> input_chain;
-  // Verify that nothing saves a reference to the input certs, since the backing
-  // data will go out of scope when the function finishes.
-  ScopedCheckUnreferencedCerts ref_checker(&input_chain);
+  if (certs.empty())
+    return false;
 
-  for (const auto& cert_der : certs) {
-    // No reference to the ParsedCertificate is kept past the end of this
-    // function, so using EXTERNAL_REFERENCE here is safe.
-    if (!net::ParsedCertificate::CreateAndAddToVector(
-            reinterpret_cast<const uint8_t*>(cert_der.data()), cert_der.size(),
+  // No reference to these ParsedCertificates is kept past the end of this
+  // function, so using EXTERNAL_REFERENCE here is safe.
+  scoped_refptr<net::ParsedCertificate> target_cert(
+      net::ParsedCertificate::CreateFromCertificateData(
+          reinterpret_cast<const uint8_t*>(certs[0].data()), certs[0].size(),
+          net::ParsedCertificate::DataSource::EXTERNAL_REFERENCE,
+          GetCertParsingOptions()));
+  if (!target_cert)
+    return false;
+
+  net::CertIssuerSourceStatic intermediate_cert_issuer_source;
+  for (size_t i = 1; i < certs.size(); ++i) {

[eroman, 2016/06/27 19:58:52]

optional: How about starting at i=0 and handle the target cert in here too? It
avoids duplicating the ugly calls to CreateFromCertificateData(), and the return
false above.

[mattm, 2016/06/27 23:45:44]

Done.

+    scoped_refptr<net::ParsedCertificate> cert(
+        net::ParsedCertificate::CreateFromCertificateData(
+            reinterpret_cast<const uint8_t*>(certs[i].data()), certs[i].size(),
             net::ParsedCertificate::DataSource::EXTERNAL_REFERENCE,
-            GetCertParsingOptions(), &input_chain)) {
+            GetCertParsingOptions()));
+    if (!cert)
       return false;
-    }
+    intermediate_cert_issuer_source.AddCert(cert);
   }
 
   // Use a signature policy compatible with Cast's PKI.
   auto signature_policy = CreateCastSignaturePolicy();
 
   // Do RFC 5280 compatible certificate verification using the two Cast

[eroman, 2016/06/27 19:58:52]

Should this comment be expanded to mention path building?

[mattm, 2016/06/27 23:45:45]

Done.

   // trust anchors and Cast signature policy.
-  if (!net::VerifyCertificateChain(input_chain, CastTrustStore::Get(),
-                                   signature_policy.get(),
-                                   ConvertExplodedTime(time), nullptr)) {
+  net::CertPathBuilder::Result result;
+  net::CertPathBuilder path_builder(target_cert.get(), &CastTrustStore::Get(),
+                                    signature_policy.get(),
+                                    ConvertExplodedTime(time), &result);
+  path_builder.AddCertIssuerSource(&intermediate_cert_issuer_source);
+  net::CompletionStatus rv = path_builder.Run(base::Closure());
+  DCHECK_EQ(rv, net::CompletionStatus::SYNC);
+  if (!result.is_success())
     return false;
-  }
 
   // Check properties of the leaf certificate (key usage, policy), and construct
   // a CertVerificationContext that uses its public key.
-  return CheckTargetCertificate(input_chain[0].get(), context, policy);
+  return CheckTargetCertificate(target_cert.get(), context, policy);
 }
 
 std::unique_ptr<CertVerificationContext> CertVerificationContextImplForTest(
     const base::StringPiece& spki) {
   // Use a bogus CommonName, since this is just exposed for testing signature
   // verification by unittests.
   return base::WrapUnique(
       new CertVerificationContextImpl(net::der::Input(spki), "CommonName"));
 }
 
 bool AddTrustAnchorForTest(const uint8_t* data, size_t length) {
   scoped_refptr<net::ParsedCertificate> anchor(
       net::ParsedCertificate::CreateFromCertificateData(
           data, length, net::ParsedCertificate::DataSource::EXTERNAL_REFERENCE,
           GetCertParsingOptions()));
   if (!anchor)
     return false;
   CastTrustStore::Get().AddTrustedCertificate(std::move(anchor));
   return true;
 }
 
 }  // namespace cast_certificate