Certificate path builder for new certificate verification library

net/cert/internal/verify_certificate_chain.h

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_CERT_INTERNAL_VERIFY_CERTIFICATE_CHAIN_H_
 #define NET_CERT_INTERNAL_VERIFY_CERTIFICATE_CHAIN_H_
 
 #include <stdint.h>
 
+#include <map>
 #include <memory>
 #include <string>
+#include <unordered_map>
 #include <vector>
 
 #include "base/compiler_specific.h"
+#include "base/memory/ref_counted.h"
 #include "net/base/net_export.h"
+#include "net/cert/internal/name_constraints.h"
 #include "net/cert/internal/parse_certificate.h"
 #include "net/der/input.h"
 
 namespace net {
 
 namespace der {
 struct GeneralizedTime;
 }
 
 class SignaturePolicy;
 
-// Represents a trust anchor (i.e. a trusted root certificate).
-class NET_EXPORT TrustAnchor {
+// XXX Rename, better comment
+// Represents a certificate, including top-level parsing and normalized name
+// values. The certificate is not completely parsed and validated, only the
+// validation performed by ParseCertificate, ParseTbsCertificate and
+// NormalizeName is done.
+class NET_EXPORT CertThing : public base::RefCountedThreadSafe<CertThing> {
  public:
+  // Map from OID to ParsedExtension.
+  using ExtensionsMap = std::map<der::Input, ParsedExtension>;
+
   // The certificate data for this trust anchor may either be owned internally
   // (INTERNAL_COPY) or owned externally (EXTERNAL_REFERENCE). When it is
   // owned internally the data is held by |cert_data_|
   enum class DataSource {
     INTERNAL_COPY,
     EXTERNAL_REFERENCE,
   };
 
-  TrustAnchor();
-  ~TrustAnchor();
-
-  // Creates a TrustAnchor given a DER-encoded certificate. Returns nullptr on
+  // Creates a CertThing given a DER-encoded certificate. Returns nullptr on
   // failure. Failure will occur if the certificate data cannot be parsed to
   // find a subject.
   //
   // The provided certificate data is either copied, or aliased, depending on
   // the value of |source|. See the comments for DataSource for details.
-  static std::unique_ptr<TrustAnchor> CreateFromCertificateData(
-      const uint8_t* data,
-      size_t length,
-      DataSource source);
+  static scoped_refptr<CertThing> CreateFromCertificateData(const uint8_t* data,
+                                                            size_t length,
+                                                            DataSource source);
+  static scoped_refptr<CertThing> CreateFromCertificateCopy(
+      const base::StringPiece& data);
 
-  // Returns true if the trust anchor matches |name|. In other words, returns
-  // true if the certificate's subject matches |name|.
-  bool MatchesName(const der::Input& name) const;
+  // Returns the DER-encoded certificate data for this cert.
+  const der::Input& der_cert() const { return cert_; }
 
-  // Returns the DER-encoded certificate data for this trust anchor.
-  const der::Input& cert() const { return cert_; }
+  const ParsedCertificate& parsed_cert() const { return parsed_cert_; }
+  const ParsedTbsCertificate& parsed_tbs() const { return parsed_tbs_; }
+
+  // Returns the DER-encoded normalized subject value (not including outer
+  // Sequence tag).
+  const std::string& normalized_subject() const { return normalized_subject_; }
+  // Returns the DER-encoded normalized issuer value (not including outer
+  // Sequence tag).
+  const std::string& normalized_issuer() const { return normalized_issuer_; }
+
+  // Returns true if the certificate had a SubjectAltName extension.
+  bool has_subject_alt_names() const { return subject_alt_names_ != nullptr; }
+  // Returns the ParsedExtension struct for the SubjectAltName extension.
+  // If the cert did not have a SubjectAltName extension, this will be a
+  // default-initialized ParsedExtension struct.
+  const ParsedExtension& subject_alt_names_extension() const {
+    return subject_alt_names_extension_;
+  }
+  // Returns the GeneralNames class parsed from SubjectAltName extension, orr
+  // nullptr if no SubjectAltName extension was present.
+  const GeneralNames* subject_alt_names() const {
+    return subject_alt_names_.get();
+  }
+
+  // Returns a map of unhandled extensions (excludes the ones above).
+  const ExtensionsMap& unconsumed_extensions() const {
+    return unconsumed_extensions_;
+  }
 
  private:
+  friend class base::RefCountedThreadSafe<CertThing>;
+  CertThing();
+  ~CertThing();
+
   // The backing store for the certificate data. This is only applicable when
   // the trust anchor was initialized using DataSource::INTERNAL_COPY.
   std::vector<uint8_t> cert_data_;
 
   // Note that the backing data for |cert_| and |name_| may come either form
   // |cert_data_| or some external buffer (depending on how the anchor was
   // created).
 
   // Points to the raw certificate DER.
   der::Input cert_;
 
-  // Points to the subject TLV for the certificate.
-  der::Input name_;
+  ParsedCertificate parsed_cert_;
+  ParsedTbsCertificate parsed_tbs_;
 
-  DISALLOW_COPY_AND_ASSIGN(TrustAnchor);
+  // Normalized DER-encoded Subject (not including outer Sequence tag).
+  std::string normalized_subject_;
+  // Normalized DER-encoded Issuer (not including outer Sequence tag).
+  std::string normalized_issuer_;
+
+  // Raw SubjectAltName extension.
+  ParsedExtension subject_alt_names_extension_;
+  // Parsed SubjectAltName extension.
+  std::unique_ptr<GeneralNames> subject_alt_names_;
+
+  // The remaining extensions (excludes the standard ones above).
+  ExtensionsMap unconsumed_extensions_;
+
+  DISALLOW_COPY_AND_ASSIGN(CertThing);
 };
 
+using CertVector = std::vector<scoped_refptr<CertThing>>;
+
 // A very simple implementation of a TrustStore, which contains a set of
 // trusted certificates.
 class NET_EXPORT TrustStore {
  public:
   TrustStore();
   ~TrustStore();
 
   // Empties the trust store, resetting it to original state.
   void Clear();
 
-  // Adds a trusted certificate to the store. The trust store makes a copy of
-  // the provided certificate data.
-  bool AddTrustedCertificate(const uint8_t* data,
-                             size_t length) WARN_UNUSED_RESULT;
-  bool AddTrustedCertificate(const base::StringPiece& data) WARN_UNUSED_RESULT;
+  // Adds a trusted certificate to the store.
+  void AddTrustedCertificate(scoped_refptr<CertThing> anchor);
 
-  // This function is the same as AddTrustedCertificate() except the underlying
-  // data is not copied. The caller is responsible for ensuring that the data
-  // pointer remains alive and is not mutated for the lifetime of the
-  // TrustStore.
-  bool AddTrustedCertificateWithoutCopying(const uint8_t* data,
-                                           size_t length) WARN_UNUSED_RESULT;
+  // Returns the trust anchors that match |name| in |*matches|, if any.
+  void FindTrustAnchorsByNormalizedName(const std::string& normalized_name,
+                                        CertVector* matches) const;
 
-  // Returns the trust anchor that matches |name|, or nullptr if there is none.
-  // TODO(eroman): There may be multiple matches.
-  const TrustAnchor* FindTrustAnchorByName(const der::Input& name) const
-      WARN_UNUSED_RESULT;
-
-  // Returns true if |cert_der| matches a certificate in the TrustStore.
-  bool IsTrustedCertificate(const der::Input& cert_der) const
-      WARN_UNUSED_RESULT;
+  // Returns true if |cert| matches a certificate in the TrustStore.
+  bool IsTrustedCertificate(const CertThing* cert) const WARN_UNUSED_RESULT;
 
  private:
-  bool AddTrustedCertificate(const uint8_t* data,
-                             size_t length,
-                             TrustAnchor::DataSource source) WARN_UNUSED_RESULT;
-
-  std::vector<std::unique_ptr<TrustAnchor>> anchors_;
+  // Multimap from normalized subject -> CertThing.
+  std::unordered_multimap<base::StringPiece,
+                          scoped_refptr<CertThing>,
+                          base::StringPieceHash>
+      anchors_;
 
   DISALLOW_COPY_AND_ASSIGN(TrustStore);
 };
 
 // VerifyCertificateChain() verifies a certificate path (chain) based on the
 // rules in RFC 5280.
 //
 // WARNING: This implementation is in progress, and is currently
 // incomplete. DO NOT USE IT unless its limitations are acceptable for your use.
 //
@@ skipping 23 matching lines @@
 // Outputs
 // ---------
 //
 //   Returns true if the target certificate can be verified.
 NET_EXPORT bool VerifyCertificateChain(const std::vector<der::Input>& certs_der,
                                        const TrustStore& trust_store,
                                        const SignaturePolicy* signature_policy,
                                        const der::GeneralizedTime& time)
     WARN_UNUSED_RESULT;
 
+// XXX docs.
+NET_EXPORT bool VerifyCertificateChainAssumingTrustedRoot(
+    const std::vector<scoped_refptr<CertThing>>& certs,
+    // The trust store is only used for assertions.
+    const TrustStore& trust_store,
+    const SignaturePolicy* signature_policy,
+    const der::GeneralizedTime& time) WARN_UNUSED_RESULT;
+
 }  // namespace net
 
 #endif  // NET_CERT_INTERNAL_VERIFY_CERTIFICATE_CHAIN_H_