Revert of Cast device revocation checking.

components/cast_certificate/cast_cert_validator.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "components/cast_certificate/cast_cert_validator.h"
 
 #include <stddef.h>
 #include <stdint.h>
 
 #include <algorithm>
 #include <memory>
 #include <utility>
 
 #include "base/memory/ptr_util.h"
 #include "base/memory/singleton.h"
 #include "net/cert/internal/cert_issuer_source_static.h"
-#include "components/cast_certificate/cast_crl.h"
 #include "net/cert/internal/certificate_policies.h"
 #include "net/cert/internal/extended_key_usage.h"
 #include "net/cert/internal/parse_certificate.h"
 #include "net/cert/internal/parse_name.h"
 #include "net/cert/internal/parsed_certificate.h"
 #include "net/cert/internal/path_builder.h"
 #include "net/cert/internal/signature_algorithm.h"
 #include "net/cert/internal/signature_policy.h"
 #include "net/cert/internal/trust_store.h"
 #include "net/cert/internal/verify_signed_data.h"
-#include "net/der/encode_values.h"
 #include "net/der/input.h"
 
 namespace cast_certificate {
 namespace {
 
 // -------------------------------------------------------------------------
 // Cast trust anchors.
 // -------------------------------------------------------------------------
 
 // There are two trusted roots for Cast certificate chains:
@@ skipping 189 matching lines @@
   // Get the Common Name for the certificate.
   std::string common_name;
   if (!GetCommonNameFromSubject(cert->tbs().subject_tlv, &common_name))
     return false;
 
   context->reset(
       new CertVerificationContextImpl(cert->tbs().spki_tlv, common_name));
   return true;
 }
 
+// Converts a base::Time::Exploded to a net::der::GeneralizedTime.
+net::der::GeneralizedTime ConvertExplodedTime(
+    const base::Time::Exploded& exploded) {
+  net::der::GeneralizedTime result;
+  result.year = exploded.year;
+  result.month = exploded.month;
+  result.day = exploded.day_of_month;
+  result.hours = exploded.hour;
+  result.minutes = exploded.minute;
+  result.seconds = exploded.second;
+  return result;
+}
+
 // Returns the parsing options used for Cast certificates.
 net::ParseCertificateOptions GetCertParsingOptions() {
   net::ParseCertificateOptions options;
 
   // Some cast intermediate certificates contain serial numbers that are
   // 21 octets long, and might also not use valid DER encoding for an
   // INTEGER (non-minimal encoding).
   //
   // Allow these sorts of serial numbers.
   //
   // TODO(eroman): At some point in the future this workaround will no longer be
   // necessary. Should revisit this for removal in 2017 if not earlier.
   options.allow_invalid_serial_numbers = true;
   return options;
 }
 
 }  // namespace
 
 bool VerifyDeviceCert(const std::vector<std::string>& certs,
-                      const base::Time& time,
+                      const base::Time::Exploded& time,
                       std::unique_ptr<CertVerificationContext>* context,
-                      CastDeviceCertPolicy* policy,
-                      const CastCRL* crl,
-                      CRLPolicy crl_policy) {
+                      CastDeviceCertPolicy* policy) {
   if (certs.empty())
     return false;
 
   // No reference to these ParsedCertificates is kept past the end of this
   // function, so using EXTERNAL_REFERENCE here is safe.
   scoped_refptr<net::ParsedCertificate> target_cert;
   net::CertIssuerSourceStatic intermediate_cert_issuer_source;
   for (size_t i = 0; i < certs.size(); ++i) {
     scoped_refptr<net::ParsedCertificate> cert(
         net::ParsedCertificate::CreateFromCertificateData(
             reinterpret_cast<const uint8_t*>(certs[i].data()), certs[i].size(),
             net::ParsedCertificate::DataSource::EXTERNAL_REFERENCE,
             GetCertParsingOptions()));
     if (!cert)
       return false;
 
     if (i == 0)
       target_cert = std::move(cert);
     else
       intermediate_cert_issuer_source.AddCert(std::move(cert));
   }
 
   // Use a signature policy compatible with Cast's PKI.
   auto signature_policy = CreateCastSignaturePolicy();
 
   // Do path building and RFC 5280 compatible certificate verification using the
   // two Cast trust anchors and Cast signature policy.
-  net::der::GeneralizedTime verification_time;
-  if (!net::der::EncodeTimeAsGeneralizedTime(time, &verification_time))
-    return false;
   net::CertPathBuilder::Result result;
   net::CertPathBuilder path_builder(target_cert.get(), &CastTrustStore::Get(),
-                                    signature_policy.get(), verification_time,
-                                    &result);
+                                    signature_policy.get(),
+                                    ConvertExplodedTime(time), &result);
   path_builder.AddCertIssuerSource(&intermediate_cert_issuer_source);
   net::CompletionStatus rv = path_builder.Run(base::Closure());
   DCHECK_EQ(rv, net::CompletionStatus::SYNC);
   if (!result.is_success())
     return false;
 
   // Check properties of the leaf certificate (key usage, policy), and construct
   // a CertVerificationContext that uses its public key.
-  if (!CheckTargetCertificate(target_cert.get(), context, policy))
-    return false;
-
-  // Check if a CRL is available.
-  if (!crl) {
-    if (crl_policy == CRLPolicy::CRL_REQUIRED) {
-      return false;
-    }
-  } else {
-    if (result.paths.empty() ||
-        !result.paths[result.best_result_index]->is_success())
-      return false;
-
-    if (!crl->CheckRevocation(result.paths[result.best_result_index]->path,
-                              time)) {
-      return false;
-    }
-  }
-  return true;
+  return CheckTargetCertificate(target_cert.get(), context, policy);
 }
 
 std::unique_ptr<CertVerificationContext> CertVerificationContextImplForTest(
     const base::StringPiece& spki) {
   // Use a bogus CommonName, since this is just exposed for testing signature
   // verification by unittests.
   return base::WrapUnique(
       new CertVerificationContextImpl(net::der::Input(spki), "CommonName"));
 }
 
-bool SetTrustAnchorForTest(const std::string& cert) {
+bool AddTrustAnchorForTest(const uint8_t* data, size_t length) {
   scoped_refptr<net::ParsedCertificate> anchor(
-      net::ParsedCertificate::CreateFromCertificateCopy(
-          cert, GetCertParsingOptions()));
+      net::ParsedCertificate::CreateFromCertificateData(
+          data, length, net::ParsedCertificate::DataSource::EXTERNAL_REFERENCE,
+          GetCertParsingOptions()));
   if (!anchor)
     return false;
-  CastTrustStore::Get().Clear();
   CastTrustStore::Get().AddTrustedCertificate(std::move(anchor));
   return true;
 }
 
 }  // namespace cast_certificate