Add production Cast CRL certificate.

components/cast_certificate/cast_crl.cc

 // Copyright 2016 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "components/cast_certificate/cast_crl.h"
 
 #include <unordered_map>
 #include <unordered_set>
 
 #include "base/base64.h"
@@ skipping 44 matching lines @@
                                                   CastCRLTrustStore>>::get();
   }
 
   static net::TrustStore& Get() { return GetInstance()->store_; }
 
  private:
   friend struct base::DefaultSingletonTraits<CastCRLTrustStore>;
 
   CastCRLTrustStore() {
     // Initialize the trust store with the root certificate.
-    // TODO(ryanchung): Add official Cast CRL Root here
-    // scoped_refptr<net::ParsedCertificate> root = net::ParsedCertificate::
-    //     net::ParsedCertificate::CreateFromCertificateData(
-    //         kCastCRLRootCaDer, sizeof(kCastCRLRootCaDer),
-    //         net::ParsedCertificate::DataSource::EXTERNAL_REFERENCE, {});
-    // CHECK(root);
-    // store_.AddTrustedCertificate(std::move(root));
+    scoped_refptr<net::ParsedCertificate> root =
+        net::ParsedCertificate::CreateFromCertificateData(
+            kCastCRLRootCaDer, sizeof(kCastCRLRootCaDer),
+            net::ParsedCertificate::DataSource::EXTERNAL_REFERENCE, {});
+    CHECK(root);
+    store_.AddTrustedCertificate(std::move(root));
   }
 
   net::TrustStore store_;
   DISALLOW_COPY_AND_ASSIGN(CastCRLTrustStore);
 };
 
 // Converts a uint64_t unix timestamp to net::der::GeneralizedTime.
 bool ConvertTimeSeconds(uint64_t seconds,
                         net::der::GeneralizedTime* generalized_time) {
   base::Time unix_timestamp =
@@ skipping 12 matching lines @@
 
 // Verifies the CRL is signed by a trusted CRL authority at the time the CRL
 // was issued. Verifies the signature of |tbs_crl| is valid based on the
 // certificate and signature in |crl|. The validity of |tbs_crl| is verified
 // at |time|. The validity period of the CRL is adjusted to be the earliest
 // of the issuer certificate chain's expiration and the CRL's expiration and
 // the result is stored in |overall_not_after|.
 bool VerifyCRL(const Crl& crl,
                const TbsCrl& tbs_crl,
                const base::Time& time,
+               net::TrustStore* trust_store,
                net::der::GeneralizedTime* overall_not_after) {
   // Verify the trust of the CRL authority.
   scoped_refptr<net::ParsedCertificate> parsed_cert =
       net::ParsedCertificate::CreateFromCertificateData(
           reinterpret_cast<const uint8_t*>(crl.signer_cert().data()),
           crl.signer_cert().size(),
           net::ParsedCertificate::DataSource::EXTERNAL_REFERENCE, {});
   if (parsed_cert == nullptr) {
     VLOG(2) << "CRL - Issuer certificate parsing failed.";
     return false;
@@ skipping 15 matching lines @@
     return false;
   }
 
   // Verify the issuer certificate.
   net::der::GeneralizedTime verification_time;
   if (!net::der::EncodeTimeAsGeneralizedTime(time, &verification_time)) {
     VLOG(2) << "CRL - Unable to parse verification time.";
     return false;
   }
   net::CertPathBuilder::Result result;
-  net::CertPathBuilder path_builder(
-      parsed_cert.get(), &CastCRLTrustStore::Get(), signature_policy.get(),
-      verification_time, &result);
+  net::CertPathBuilder path_builder(parsed_cert.get(), trust_store,
+                                    signature_policy.get(), verification_time,
+                                    &result);
   net::CompletionStatus rv = path_builder.Run(base::Closure());
   DCHECK_EQ(rv, net::CompletionStatus::SYNC);
   if (!result.is_success() || result.paths.empty() ||
       !result.paths[result.best_result_index]->is_success()) {
     VLOG(2) << "CRL - Issuer certificate verification failed.";
     return false;
   }
   // There are no requirements placed on the leaf certificate having any
   // particular KeyUsages. Leaf certificate checks are bypassed.
 
@@ skipping 139 matching lines @@
             VLOG(2) << "Serial number is revoked";
             return false;
           }
         }
       }
     }
   }
   return true;
 }
 
-}  // namespace
-
+// Parses and verifies the CRL used to verify the revocation status of
+// Cast device certificates.
 std::unique_ptr<CastCRL> ParseAndVerifyCRL(const std::string& crl_proto,
-                                           const base::Time& time) {
+                                           const base::Time& time,
+                                           net::TrustStore* trust_store) {
   CrlBundle crl_bundle;
   if (!crl_bundle.ParseFromString(crl_proto)) {
     LOG(ERROR) << "CRL - Binary could not be parsed.";
     return nullptr;
   }
   for (auto const& crl : crl_bundle.crls()) {
     TbsCrl tbs_crl;
     if (!tbs_crl.ParseFromString(crl.tbs_crl())) {
       LOG(WARNING) << "Binary TBS CRL could not be parsed.";
       continue;
     }
     if (tbs_crl.version() != CRL_VERSION_0) {
       continue;
     }
     net::der::GeneralizedTime overall_not_after;
-    if (!VerifyCRL(crl, tbs_crl, time, &overall_not_after)) {
+    if (!VerifyCRL(crl, tbs_crl, time, trust_store, &overall_not_after)) {
       LOG(ERROR) << "CRL - Verification failed.";
       return nullptr;
     }
     return base::WrapUnique(new CastCRLImpl(tbs_crl, overall_not_after));
   }
   LOG(ERROR) << "No supported version of revocation data.";
   return nullptr;
 }
 
-bool SetCRLTrustAnchorForTest(const std::string& cert) {
-  scoped_refptr<net::ParsedCertificate> anchor(
-      net::ParsedCertificate::CreateFromCertificateCopy(cert, {}));
-  if (!anchor)
-    return false;
-  CastCRLTrustStore::Get().Clear();
-  CastCRLTrustStore::Get().AddTrustedCertificate(std::move(anchor));
-  return true;
+}  // namespace
+
+std::unique_ptr<CastCRL> ParseAndVerifyCRL(const std::string& crl_proto,
+                                           const base::Time& time) {
+  return ParseAndVerifyCRL(crl_proto, time, &CastCRLTrustStore::Get());
+}
+
+std::unique_ptr<CastCRL> ParseAndVerifyCRLForTest(
+    const std::string& crl_proto,
+    const base::Time& time,
+    net::TrustStore* trust_store) {
+  return ParseAndVerifyCRL(crl_proto, time, trust_store);
 }
 
 }  // namespace cast_certificate