Allow Cast certificates to have serial numbers greater than 20 bytes, as well as non-minimal INTEGE…

net/cert/internal/verify_certificate_chain.cc

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/internal/verify_certificate_chain.h"
 
 #include <memory>
 
 #include "base/logging.h"
 #include "net/cert/internal/name_constraints.h"
@@ skipping 65 matching lines @@
 }
 
 WARN_UNUSED_RESULT bool GetSequenceValue(const der::Input& tlv,
                                          der::Input* value) {
   der::Parser parser(tlv);
   return parser.ReadTag(der::kSequence, value) && !parser.HasMore();
 }
 
 // Parses an X.509 Certificate fully (including the TBSCertificate and
 // standard extensions), saving all the properties to |out_|.
-WARN_UNUSED_RESULT bool FullyParseCertificate(const der::Input& cert_tlv,
-                                              FullyParsedCert* out) {
+WARN_UNUSED_RESULT bool FullyParseCertificate(
+    const der::Input& cert_tlv,
+    const ParseCertificateOptions& options,
+    FullyParsedCert* out) {
   // Parse the outer Certificate.
   if (!ParseCertificate(cert_tlv, &out->tbs_certificate_tlv,
                         &out->signature_algorithm_tlv, &out->signature_value))
     return false;
 
   // Parse the signature algorithm contained in the Certificate (there is
   // another one in the TBSCertificate, which is checked later by
   // VerifySignatureAlgorithmsMatch)
   out->signature_algorithm =
       SignatureAlgorithm::CreateFromDer(out->signature_algorithm_tlv);
   if (!out->signature_algorithm)
     return false;
 
   // Parse the TBSCertificate.
-  if (!ParseTbsCertificate(out->tbs_certificate_tlv, &out->tbs))
+  if (!ParseTbsCertificate(out->tbs_certificate_tlv, options, &out->tbs))
     return false;
 
   // Reset state relating to extensions (which may not get overwritten). This is
   // just a precaution, since in practice |out| will already be default
   // initialize.
   out->has_basic_constraints = false;
   out->has_key_usage = false;
   out->unconsumed_extensions.clear();
   out->subject_alt_names.reset();
   out->has_name_constraints = false;
@@ skipping 383 matching lines @@
 }
 
 }  // namespace
 
 TrustAnchor::TrustAnchor() {}
 TrustAnchor::~TrustAnchor() {}
 
 std::unique_ptr<TrustAnchor> TrustAnchor::CreateFromCertificateData(
     const uint8_t* data,
     size_t length,
+    const ParseCertificateOptions& options,
     DataSource source) {
   std::unique_ptr<TrustAnchor> result(new TrustAnchor);
 
   switch (source) {
     case DataSource::INTERNAL_COPY:
       result->cert_data_.assign(data, data + length);
       result->cert_ =
           der::Input(result->cert_data_.data(), result->cert_data_.size());
       break;
     case DataSource::EXTERNAL_REFERENCE:
       result->cert_ = der::Input(data, length);
       break;
   }
 
   // Parse the certificate to get its name.
   der::Input tbs_certificate_tlv;
   der::Input signature_algorithm_tlv;
   der::BitString signature_value;
   if (!ParseCertificate(result->cert(), &tbs_certificate_tlv,
                         &signature_algorithm_tlv, &signature_value))
     return nullptr;
 
   ParsedTbsCertificate tbs;
-  if (!ParseTbsCertificate(tbs_certificate_tlv, &tbs))
+  if (!ParseTbsCertificate(tbs_certificate_tlv, options, &tbs))
     return nullptr;
 
   result->name_ = tbs.subject_tlv;
 
   // TODO(eroman): If adding a self-signed certificate, check that its
   // signature is correct? This check will not otherwise be done during
   // verification.
 
   return result;
 }
@@ skipping 39 matching lines @@
   for (const auto& anchor : anchors_) {
     if (anchor->cert() == cert_der)
       return true;
   }
   return false;
 }
 
 bool TrustStore::AddTrustedCertificate(const uint8_t* data,
                                        size_t length,
                                        TrustAnchor::DataSource source) {
-  auto anchor = TrustAnchor::CreateFromCertificateData(data, length, source);
+  auto anchor =
+      TrustAnchor::CreateFromCertificateData(data, length, {}, source);
   if (!anchor)
     return false;
   anchors_.push_back(std::move(anchor));
   return true;
 }
 
 // TODO(eroman): Move this into existing anonymous namespace.
 namespace {
 
 // This implementation is structured to mimic the description of certificate
 // path verification given by RFC 5280 section 6.1.
 //
 // Unlike RFC 5280, the trust anchor is specified as the root certificate in
 // the chain. This root certificate is assumed to be trusted, and neither its
 // signature nor issuer name are verified. (It needn't be self-signed).
 bool VerifyCertificateChainAssumingTrustedRoot(
     const std::vector<der::Input>& certs_der,
+    const ParseCertificateOptions& options,
     // The trust store is only used for assertions.
     const TrustStore& trust_store,
     const SignaturePolicy* signature_policy,
     const der::GeneralizedTime& time) {
   // An empty chain is necessarily invalid.
   if (certs_der.empty())
     return false;
 
   // IMPORTANT: the assumption being made is that the root certificate in
   // the given path is the trust anchor (and has already been verified as
@@ skipping 53 matching lines @@
     // end-entity certificate.
     const bool is_target_cert = index_into_certs_der == 0;
 
     // |is_trust_anchor| is true if the current certificate is the trust
     // anchor. This certificate is implicitly trusted.
     const bool is_trust_anchor = i == 0;
 
     // Parse the current certificate into |cert|.
     FullyParsedCert cert;
     const der::Input& cert_der = certs_der[index_into_certs_der];
-    if (!FullyParseCertificate(cert_der, &cert))
+    if (!FullyParseCertificate(cert_der, options, &cert))
       return false;
 
     // Per RFC 5280 section 6.1:
     //  * Do basic processing for each certificate
     //  * If it is the last certificate in the path (target certificate)
     //     - Then run "Wrap up"
     //     - Otherwise run "Prepare for Next cert"
     if (!BasicCertificateProcessing(
             cert, is_target_cert, is_trust_anchor, signature_policy, time,
             working_spki, working_issuer_name, name_constraints_list)) {
@@ skipping 20 matching lines @@
 }
 
 // TODO(eroman): This function is a temporary hack in the absence of full
 // path building. It may insert 1 certificate at the root of the
 // chain to ensure that the path's root certificate is a trust anchor.
 //
 // Beyond this no other verification is done on the chain. The caller is
 // responsible for verifying the subsequent chain's correctness.
 WARN_UNUSED_RESULT bool BuildSimplePathToTrustAnchor(
     const std::vector<der::Input>& certs_der,
+    const ParseCertificateOptions& options,
     const TrustStore& trust_store,
     std::vector<der::Input>* certs_der_trusted_root) {
   // Copy the input chain.
   *certs_der_trusted_root = certs_der;
 
   if (certs_der.empty())
     return false;
 
   // Check if the current root certificate is trusted. If it is then no
   // extra work is needed.
   if (trust_store.IsTrustedCertificate(certs_der_trusted_root->back()))
     return true;
 
   // Otherwise if it is not trusted, check whether its issuer is trusted. If
   // so, make *that* trusted certificate the root. If the issuer is not in
   // the trust store then give up and fail (this is not full path building).
   der::Input tbs_certificate_tlv;
   der::Input signature_algorithm_tlv;
   der::BitString signature_value;
   ParsedTbsCertificate tbs;
   if (!ParseCertificate(certs_der.back(), &tbs_certificate_tlv,
                         &signature_algorithm_tlv, &signature_value) ||
-      !ParseTbsCertificate(tbs_certificate_tlv, &tbs)) {
+      !ParseTbsCertificate(tbs_certificate_tlv, options, &tbs)) {
     return false;
   }
 
   auto trust_anchor = trust_store.FindTrustAnchorByName(tbs.issuer_tlv);
   if (!trust_anchor)
     return false;
   certs_der_trusted_root->push_back(trust_anchor->cert());
   return true;
 }
 
 }  // namespace
 
 bool VerifyCertificateChain(const std::vector<der::Input>& certs_der,
+                            const ParseCertificateOptions& options,
                             const TrustStore& trust_store,
                             const SignaturePolicy* signature_policy,
                             const der::GeneralizedTime& time) {
   // Modify the certificate chain so that its root is a trusted certificate.
   std::vector<der::Input> certs_der_trusted_root;
-  if (!BuildSimplePathToTrustAnchor(certs_der, trust_store,
+  if (!BuildSimplePathToTrustAnchor(certs_der, options, trust_store,
                                     &certs_der_trusted_root)) {
     return false;
   }
 
   // Verify the chain.
   return VerifyCertificateChainAssumingTrustedRoot(
-      certs_der_trusted_root, trust_store, signature_policy, time);
+      certs_der_trusted_root, options, trust_store, signature_policy, time);
 }
 
 }  // namespace net