Don't treat trust anchors as certificates during path building.

net/cert/internal/verify_certificate_chain.cc

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/internal/verify_certificate_chain.h"
 
 #include <memory>
 
 #include "base/logging.h"
 #include "net/cert/internal/name_constraints.h"
@@ skipping 85 matching lines @@
   const der::Input& alg2_tlv = cert.tbs().signature_algorithm_tlv;
 
   // Ensure that the two DER-encoded signature algorithms are byte-for-byte
   // equal, but make a compatibility concession for RSA with SHA1.
   return alg1_tlv == alg2_tlv || (IsRsaWithSha1SignatureAlgorithm(alg1_tlv) &&
                                   IsRsaWithSha1SignatureAlgorithm(alg2_tlv));
 }
 
 // This function corresponds to RFC 5280 section 6.1.3's "Basic Certificate
 // Processing" procedure.
-//
-// |skip_issuer_checks| controls whether the function will skip:
-//   - Checking that |cert|'s signature using |working_spki|
-//   - Checkinging that |cert|'s issuer matches |working_normalized_issuer_name|
-// This should be set to true only when verifying a trusted root certificate.
 WARN_UNUSED_RESULT bool BasicCertificateProcessing(
     const ParsedCertificate& cert,
     bool is_target_cert,
-    bool skip_issuer_checks,
     const SignaturePolicy* signature_policy,
     const der::GeneralizedTime& time,
     const der::Input& working_spki,
     const der::Input& working_normalized_issuer_name,
     const std::vector<const NameConstraints*>& name_constraints_list) {
   // Check that the signature algorithms in Certificate vs TBSCertificate
   // match. This isn't part of RFC 5280 section 6.1.3, but is mandated by
   // sections 4.1.1.2 and 4.1.2.3.
   if (!VerifySignatureAlgorithmsMatch(cert))
     return false;
 
   // Verify the digital signature using the previous certificate's key (RFC
   // 5280 section 6.1.3 step a.1).
-  if (!skip_issuer_checks) {
-    if (!cert.has_valid_supported_signature_algorithm() ||
-        !VerifySignedData(cert.signature_algorithm(),
-                          cert.tbs_certificate_tlv(), cert.signature_value(),
-                          working_spki, signature_policy)) {
-      return false;
-    }
+  if (!cert.has_valid_supported_signature_algorithm() ||
+      !VerifySignedData(cert.signature_algorithm(), cert.tbs_certificate_tlv(),
+                        cert.signature_value(), working_spki,
+                        signature_policy)) {
+    return false;
   }
 
   // Check the time range for the certificate's validity, ensuring it is valid
   // at |time|.
   // (RFC 5280 section 6.1.3 step a.2)
   if (!VerifyTimeValidity(cert, time))
     return false;
 
   // TODO(eroman): Check revocation (RFC 5280 section 6.1.3 step a.3)
 
   // Verify the certificate's issuer name matches the issuing certificate's
   // subject name. (RFC 5280 section 6.1.3 step a.4)
-  if (!skip_issuer_checks) {
-    if (cert.normalized_issuer() != working_normalized_issuer_name)
-      return false;
-  }
+  if (cert.normalized_issuer() != working_normalized_issuer_name)
+    return false;
 
   // Name constraints (RFC 5280 section 6.1.3 step b & c)
   // If certificate i is self-issued and it is not the final certificate in the
   // path, skip this step for certificate i.
   if (!name_constraints_list.empty() &&
       (!IsSelfIssued(cert) || is_target_cert)) {
     for (const NameConstraints* nc : name_constraints_list) {
       if (!nc->IsPermittedCert(cert.normalized_subject(),
                                cert.subject_alt_names())) {
         return false;
@@ skipping 169 matching lines @@
   if (!VerifyTargetCertHasConsistentCaBits(cert))
     return false;
 
   return true;
 }
 
 }  // namespace
 
 // This implementation is structured to mimic the description of certificate
 // path verification given by RFC 5280 section 6.1.
-//
-// Unlike RFC 5280, the trust anchor is specified as the root certificate in
-// the chain. This root certificate is assumed to be trusted, and neither its
-// signature nor issuer name are verified. (It needn't be self-signed).
-bool VerifyCertificateChainAssumingTrustedRoot(
-    const ParsedCertificateList& certs,
-    // The trust store is only used for assertions.
-    const TrustStore& trust_store,
-    const SignaturePolicy* signature_policy,
-    const der::GeneralizedTime& time) {
+bool VerifyCertificateChain(const ParsedCertificateList& certs,
+                            const TrustAnchor* trust_anchor,
+                            const SignaturePolicy* signature_policy,
+                            const der::GeneralizedTime& time) {
   // An empty chain is necessarily invalid.
   if (certs.empty())
     return false;
 
-  // IMPORTANT: the assumption being made is that the root certificate in
-  // the given path is the trust anchor (and has already been verified as
-  // such).
-  DCHECK(trust_store.IsTrustedCertificate(certs.back().get()));
+  // TODO(crbug.com/635200): Support anchor constraints.
 
   // Will contain a NameConstraints for each previous cert in the chain which
   // had nameConstraints. This corresponds to the permitted_subtrees and
   // excluded_subtrees state variables from RFC 5280.
   std::vector<const NameConstraints*> name_constraints_list;
 
   // |working_spki| is an amalgamation of 3 separate variables from RFC 5280:
   //    * working_public_key
   //    * working_public_key_algorithm
   //    * working_public_key_parameters
   //
   // They are combined for simplicity since the signature verification takes an
   // SPKI, and the parameter inheritence is not applicable for the supported
   // key types.
   //
   // An approximate explanation of |working_spki| is this description from RFC
   // 5280 section 6.1.2:
   //
   //    working_public_key:  the public key used to verify the
   //    signature of a certificate.
-  der::Input working_spki;
+  der::Input working_spki = trust_anchor->spki();
 
   // |working_normalized_issuer_name| is the normalized value of the
   // working_issuer_name variable in RFC 5280 section 6.1.2:
   //
   //    working_issuer_name:  the issuer distinguished name expected
   //    in the next certificate in the chain.
-  der::Input working_normalized_issuer_name;
+  der::Input working_normalized_issuer_name =
+      trust_anchor->normalized_subject();
 
   // |max_path_length| corresponds with the same named variable in RFC 5280
   // section 6.1.2:
   //
   //    max_path_length:  this integer is initialized to n, is
   //    decremented for each non-self-issued certificate in the path,
   //    and may be reduced to the value in the path length constraint
   //    field within the basic constraints extension of a CA
   //    certificate.
   size_t max_path_length = certs.size();
 
   // Iterate over all the certificates in the reverse direction: starting from
-  // the trust anchor and progressing towards the target certificate.
+  // the certificate signed by trust anchor and progressing towards the target
+  // certificate.
   //
   // Note that |i| uses 0-based indexing whereas in RFC 5280 it is 1-based.
   //
-  //   * i=0    :  Trust anchor.
+  //   * i=0    :  Certificated signed by trust anchor.
   //   * i=N-1  :  Target certificate.
   for (size_t i = 0; i < certs.size(); ++i) {
     const size_t index_into_certs = certs.size() - i - 1;
 
     // |is_target_cert| is true if the current certificate is the target
     // certificate being verified. The target certificate isn't necessarily an
     // end-entity certificate.
     const bool is_target_cert = index_into_certs == 0;
 
-    // |is_trust_anchor| is true if the current certificate is the trust
-    // anchor. This certificate is implicitly trusted.
-    const bool is_trust_anchor = i == 0;
-
     const ParsedCertificate& cert = *certs[index_into_certs];
 
     // Per RFC 5280 section 6.1:
     //  * Do basic processing for each certificate
     //  * If it is the last certificate in the path (target certificate)
     //     - Then run "Wrap up"
     //     - Otherwise run "Prepare for Next cert"
-    if (!BasicCertificateProcessing(cert, is_target_cert, is_trust_anchor,
-                                    signature_policy, time, working_spki,
-                                    working_normalized_issuer_name,
-                                    name_constraints_list)) {
+    if (!BasicCertificateProcessing(
+            cert, is_target_cert, signature_policy, time, working_spki,
+            working_normalized_issuer_name, name_constraints_list)) {
       return false;
     }
     if (!is_target_cert) {
       if (!PrepareForNextCertificate(cert, &max_path_length, &working_spki,
                                      &working_normalized_issuer_name,
                                      &name_constraints_list)) {
         return false;
       }
     } else {
       if (!WrapUp(cert))
         return false;
     }
   }
 
   // TODO(eroman): RFC 5280 forbids duplicate certificates per section 6.1:
   //
   //    A certificate MUST NOT appear more than once in a prospective
   //    certification path.
 
   return true;
 }
 
 }  // namespace net