Don't treat trust anchors as certificates during path building.

net/cert/internal/path_builder_unittest.cc

 // Copyright 2016 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/internal/path_builder.h"
 
 #include "base/base_paths.h"
 #include "base/cancelable_callback.h"
 #include "base/files/file_util.h"
 #include "base/location.h"
@@ skipping 205 matching lines @@
   }
 
  protected:
   scoped_refptr<ParsedCertificate> a_by_b_, b_by_c_, b_by_f_, c_by_d_, c_by_e_,
       d_by_d_, e_by_e_, f_by_e_;
 
   SimpleSignaturePolicy signature_policy_;
   der::GeneralizedTime time_ = {2016, 4, 11, 0, 0, 0};
 };
 
-// If the target cert is a trust anchor, it should verify and should not include
-// anything else in the path.
+void AddTrustedCertificate(scoped_refptr<ParsedCertificate> cert,
+                           TrustStore* trust_store) {
+  ASSERT_TRUE(cert.get());
+  auto anchor =
+      TrustAnchor::CreateFromCertificateNoConstraints(std::move(cert));
+  ASSERT_TRUE(anchor.get());
+  trust_store->AddTrustAnchor(std::move(anchor));
+}
+
+// If the target cert is non-self-signed trust anchor, that is signed by
+// another trust anchor, it should verify.
 TEST_F(PathBuilderMultiRootTest, TargetIsTrustAnchor) {
   TrustStore trust_store;
-  trust_store.AddTrustedCertificate(a_by_b_);
-  trust_store.AddTrustedCertificate(b_by_f_);
+  AddTrustedCertificate(a_by_b_, &trust_store);
+  AddTrustedCertificate(b_by_f_, &trust_store);
 
   CertPathBuilder::Result result;
   CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_,
                                &result);
 
   EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder));
 
   EXPECT_EQ(OK, result.error());
-  EXPECT_EQ(1U, result.paths[result.best_result_index]->path.size());
-  EXPECT_EQ(a_by_b_, result.paths[result.best_result_index]->path[0]);
+  const auto& path = result.paths[result.best_result_index]->path;
+  EXPECT_EQ(1U, path.certs.size());
+  EXPECT_EQ(a_by_b_, path.certs[0]);
+  EXPECT_EQ(b_by_f_, path.trust_anchor->cert());
 }
 
 // If the target cert is directly issued by a trust anchor, it should verify
 // without any intermediate certs being provided.
 TEST_F(PathBuilderMultiRootTest, TargetDirectlySignedByTrustAnchor) {
   TrustStore trust_store;
-  trust_store.AddTrustedCertificate(b_by_f_);
+  AddTrustedCertificate(b_by_f_, &trust_store);
 
   CertPathBuilder::Result result;
   CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_,
                                &result);
 
   EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder));
 
-  EXPECT_EQ(OK, result.error());
-  EXPECT_EQ(2U, result.paths[result.best_result_index]->path.size());
-  EXPECT_EQ(a_by_b_, result.paths[result.best_result_index]->path[0]);
-  EXPECT_EQ(b_by_f_, result.paths[result.best_result_index]->path[1]);
+  ASSERT_EQ(OK, result.error());
+  const auto& path = result.paths[result.best_result_index]->path;
+  EXPECT_EQ(1U, path.certs.size());
+  EXPECT_EQ(a_by_b_, path.certs[0]);
+  EXPECT_EQ(b_by_f_, path.trust_anchor->cert());
 }
 
 // Test that async cert queries are not made if the path can be successfully
 // built with synchronously available certs.
 TEST_F(PathBuilderMultiRootTest, TriesSyncFirst) {
   TrustStore trust_store;
-  trust_store.AddTrustedCertificate(e_by_e_);
+  AddTrustedCertificate(e_by_e_, &trust_store);
 
   CertIssuerSourceStatic sync_certs;
   sync_certs.AddCert(b_by_f_);
   sync_certs.AddCert(f_by_e_);
 
   AsyncCertIssuerSourceStatic async_certs;
   async_certs.AddCert(b_by_c_);
   async_certs.AddCert(c_by_e_);
 
   CertPathBuilder::Result result;
   CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_,
                                &result);
   path_builder.AddCertIssuerSource(&async_certs);
   path_builder.AddCertIssuerSource(&sync_certs);
 
   EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder));
 
   EXPECT_EQ(OK, result.error());
   EXPECT_EQ(0, async_certs.num_async_gets());
 }
 
 // Test that async cert queries are not made if no callback is provided.
 TEST_F(PathBuilderMultiRootTest, SychronousOnlyMode) {
   TrustStore trust_store;
-  trust_store.AddTrustedCertificate(e_by_e_);
+  AddTrustedCertificate(e_by_e_, &trust_store);
 
   CertIssuerSourceStatic sync_certs;
   sync_certs.AddCert(f_by_e_);
 
   AsyncCertIssuerSourceStatic async_certs;
   async_certs.AddCert(b_by_f_);
 
   CertPathBuilder::Result result;
   CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_,
                                &result);
   path_builder.AddCertIssuerSource(&async_certs);
   path_builder.AddCertIssuerSource(&sync_certs);
 
   EXPECT_EQ(CompletionStatus::SYNC, path_builder.Run(base::Closure()));
 
   EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.error());
   EXPECT_EQ(0, async_certs.num_async_gets());
 }
 
 // If async queries are needed, all async sources will be queried
 // simultaneously.
 TEST_F(PathBuilderMultiRootTest, TestAsyncSimultaneous) {
   TrustStore trust_store;
-  trust_store.AddTrustedCertificate(e_by_e_);
+  AddTrustedCertificate(e_by_e_, &trust_store);
 
   CertIssuerSourceStatic sync_certs;
   sync_certs.AddCert(b_by_c_);
   sync_certs.AddCert(b_by_f_);
 
   AsyncCertIssuerSourceStatic async_certs1;
   async_certs1.AddCert(c_by_e_);
 
   AsyncCertIssuerSourceStatic async_certs2;
   async_certs2.AddCert(f_by_e_);
@@ skipping 10 matching lines @@
   EXPECT_EQ(OK, result.error());
   EXPECT_EQ(1, async_certs1.num_async_gets());
   EXPECT_EQ(1, async_certs2.num_async_gets());
 }
 
 // Test that PathBuilder does not generate longer paths than necessary if one of
 // the supplied certs is itself a trust anchor.
 TEST_F(PathBuilderMultiRootTest, TestLongChain) {
   // Both D(D) and C(D) are trusted roots.
   TrustStore trust_store;
-  trust_store.AddTrustedCertificate(d_by_d_);
-  trust_store.AddTrustedCertificate(c_by_d_);
+  AddTrustedCertificate(d_by_d_, &trust_store);
+  AddTrustedCertificate(c_by_d_, &trust_store);
 
   // Certs B(C), and C(D) are all supplied.
   CertIssuerSourceStatic sync_certs;
   sync_certs.AddCert(b_by_c_);
   sync_certs.AddCert(c_by_d_);
 
   CertPathBuilder::Result result;
   CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_,
                                &result);
   path_builder.AddCertIssuerSource(&sync_certs);
 
   EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder));
 
   EXPECT_EQ(OK, result.error());
 
   // The result path should be A(B) <- B(C) <- C(D)
   // not the longer but also valid A(B) <- B(C) <- C(D) <- D(D)
-  EXPECT_EQ(3U, result.paths[result.best_result_index]->path.size());
+  const auto& path = result.paths[result.best_result_index]->path;
+  EXPECT_EQ(2U, path.certs.size());
 }
 
 // Test that PathBuilder will backtrack and try a different path if the first
 // one doesn't work out.
 TEST_F(PathBuilderMultiRootTest, TestBacktracking) {
   // Only D(D) is a trusted root.
   TrustStore trust_store;
-  trust_store.AddTrustedCertificate(d_by_d_);
+  AddTrustedCertificate(d_by_d_, &trust_store);
 
   // Certs B(F) and F(E) are supplied synchronously, thus the path
   // A(B) <- B(F) <- F(E) should be built first, though it won't verify.
   CertIssuerSourceStatic sync_certs;
   sync_certs.AddCert(b_by_f_);
   sync_certs.AddCert(f_by_e_);
 
   // Certs B(C), and C(D) are supplied asynchronously, so the path
   // A(B) <- B(C) <- C(D) <- D(D) should be tried second.
   AsyncCertIssuerSourceStatic async_certs;
   async_certs.AddCert(b_by_c_);
   async_certs.AddCert(c_by_d_);
 
   CertPathBuilder::Result result;
   CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_,
                                &result);
   path_builder.AddCertIssuerSource(&sync_certs);
   path_builder.AddCertIssuerSource(&async_certs);
 
   EXPECT_EQ(CompletionStatus::ASYNC, RunPathBuilder(&path_builder));
 
   EXPECT_EQ(OK, result.error());
 
   // The result path should be A(B) <- B(C) <- C(D) <- D(D)
-  ASSERT_EQ(4U, result.paths[result.best_result_index]->path.size());
-  EXPECT_EQ(a_by_b_, result.paths[result.best_result_index]->path[0]);
-  EXPECT_EQ(b_by_c_, result.paths[result.best_result_index]->path[1]);
-  EXPECT_EQ(c_by_d_, result.paths[result.best_result_index]->path[2]);
-  EXPECT_EQ(d_by_d_, result.paths[result.best_result_index]->path[3]);
+  const auto& path = result.paths[result.best_result_index]->path;
+  ASSERT_EQ(3U, path.certs.size());
+  EXPECT_EQ(a_by_b_, path.certs[0]);
+  EXPECT_EQ(b_by_c_, path.certs[1]);
+  EXPECT_EQ(c_by_d_, path.certs[2]);
+  EXPECT_EQ(d_by_d_, path.trust_anchor->cert());
 }
 
 // Test that whichever order CertIssuerSource returns the issuers, the path
 // building still succeeds.
 TEST_F(PathBuilderMultiRootTest, TestCertIssuerOrdering) {
   // Only D(D) is a trusted root.
   TrustStore trust_store;
-  trust_store.AddTrustedCertificate(d_by_d_);
+  AddTrustedCertificate(d_by_d_, &trust_store);
 
   for (bool reverse_order : {false, true}) {
     SCOPED_TRACE(reverse_order);
     std::vector<scoped_refptr<ParsedCertificate>> certs = {
         b_by_c_, b_by_f_, f_by_e_, c_by_d_, c_by_e_};
     CertIssuerSourceStatic sync_certs;
     if (reverse_order) {
       for (auto it = certs.rbegin(); it != certs.rend(); ++it)
         sync_certs.AddCert(*it);
     } else {
       for (const auto& cert : certs)
         sync_certs.AddCert(cert);
     }
 
     CertPathBuilder::Result result;
     CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_,
                                  time_, &result);
     path_builder.AddCertIssuerSource(&sync_certs);
 
     EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder));
 
     EXPECT_EQ(OK, result.error());
 
     // The result path should be A(B) <- B(C) <- C(D) <- D(D)
-    ASSERT_EQ(4U, result.paths[result.best_result_index]->path.size());
-    EXPECT_EQ(a_by_b_, result.paths[result.best_result_index]->path[0]);
-    EXPECT_EQ(b_by_c_, result.paths[result.best_result_index]->path[1]);
-    EXPECT_EQ(c_by_d_, result.paths[result.best_result_index]->path[2]);
-    EXPECT_EQ(d_by_d_, result.paths[result.best_result_index]->path[3]);
+    const auto& path = result.paths[result.best_result_index]->path;
+    ASSERT_EQ(3U, path.certs.size());
+    EXPECT_EQ(a_by_b_, path.certs[0]);
+    EXPECT_EQ(b_by_c_, path.certs[1]);
+    EXPECT_EQ(c_by_d_, path.certs[2]);
+    EXPECT_EQ(d_by_d_, path.trust_anchor->cert());
   }
 }
 
 class PathBuilderKeyRolloverTest : public ::testing::Test {
  public:
   PathBuilderKeyRolloverTest() : signature_policy_(1024) {}
 
   void SetUp() override {
     std::vector<std::string> path;
 
@@ skipping 41 matching lines @@
 
   SimpleSignaturePolicy signature_policy_;
   der::GeneralizedTime time_;
 };
 
 // Tests that if only the old root cert is trusted, the path builder can build a
 // path through the new intermediate and rollover cert to the old root.
 TEST_F(PathBuilderKeyRolloverTest, TestRolloverOnlyOldRootTrusted) {
   // Only oldroot is trusted.
   TrustStore trust_store;
-  trust_store.AddTrustedCertificate(oldroot_);
+  AddTrustedCertificate(oldroot_, &trust_store);
 
   // Old intermediate cert is not provided, so the pathbuilder will need to go
   // through the rollover cert.
   CertIssuerSourceStatic sync_certs;
   sync_certs.AddCert(newintermediate_);
   sync_certs.AddCert(newrootrollover_);
 
   CertPathBuilder::Result result;
   CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_,
                                &result);
   path_builder.AddCertIssuerSource(&sync_certs);
 
   EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder));
 
   EXPECT_EQ(OK, result.error());
 
   // Path builder will first attempt: target <- newintermediate <- oldroot
   // but it will fail since newintermediate is signed by newroot.
   ASSERT_EQ(2U, result.paths.size());
+  const auto& path0 = result.paths[0]->path;
   EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.paths[0]->error);
-  ASSERT_EQ(3U, result.paths[0]->path.size());
-  EXPECT_EQ(target_, result.paths[0]->path[0]);
-  EXPECT_EQ(newintermediate_, result.paths[0]->path[1]);
-  EXPECT_EQ(oldroot_, result.paths[0]->path[2]);
+  ASSERT_EQ(2U, path0.certs.size());
+  EXPECT_EQ(target_, path0.certs[0]);
+  EXPECT_EQ(newintermediate_, path0.certs[1]);
+  EXPECT_EQ(oldroot_, path0.trust_anchor->cert());
 
   // Path builder will next attempt:
   // target <- newintermediate <- newrootrollover <- oldroot
   // which will succeed.
+  const auto& path1 = result.paths[1]->path;
   EXPECT_EQ(1U, result.best_result_index);
   EXPECT_EQ(OK, result.paths[1]->error);
-  ASSERT_EQ(4U, result.paths[1]->path.size());
-  EXPECT_EQ(target_, result.paths[1]->path[0]);
-  EXPECT_EQ(newintermediate_, result.paths[1]->path[1]);
-  EXPECT_EQ(newrootrollover_, result.paths[1]->path[2]);
-  EXPECT_EQ(oldroot_, result.paths[1]->path[3]);
+  ASSERT_EQ(3U, path1.certs.size());
+  EXPECT_EQ(target_, path1.certs[0]);
+  EXPECT_EQ(newintermediate_, path1.certs[1]);
+  EXPECT_EQ(newrootrollover_, path1.certs[2]);
+  EXPECT_EQ(oldroot_, path1.trust_anchor->cert());
 }
 
 // Tests that if both old and new roots are trusted it can build a path through
 // either.
 // TODO(mattm): Once prioritization is implemented, it should test that it
 // always builds the path through the new intermediate and new root.
 TEST_F(PathBuilderKeyRolloverTest, TestRolloverBothRootsTrusted) {
   // Both oldroot and newroot are trusted.
   TrustStore trust_store;
-  trust_store.AddTrustedCertificate(oldroot_);
-  trust_store.AddTrustedCertificate(newroot_);
+  AddTrustedCertificate(oldroot_, &trust_store);
+  AddTrustedCertificate(newroot_, &trust_store);
 
   // Both old and new intermediates + rollover cert are provided.
   CertIssuerSourceStatic sync_certs;
   sync_certs.AddCert(oldintermediate_);
   sync_certs.AddCert(newintermediate_);
   sync_certs.AddCert(newrootrollover_);
 
   CertPathBuilder::Result result;
   CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_,
                                &result);
   path_builder.AddCertIssuerSource(&sync_certs);
 
   EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder));
 
   EXPECT_EQ(OK, result.error());
 
   // Path builder willattempt one of:
   // target <- oldintermediate <- oldroot
   // target <- newintermediate <- newroot
   // either will succeed.
   ASSERT_EQ(1U, result.paths.size());
+  const auto& path = result.paths[0]->path;
   EXPECT_EQ(OK, result.paths[0]->error);
-  ASSERT_EQ(3U, result.paths[0]->path.size());
-  EXPECT_EQ(target_, result.paths[0]->path[0]);
-  if (result.paths[0]->path[1] != newintermediate_) {
+  ASSERT_EQ(2U, path.certs.size());
+  EXPECT_EQ(target_, path.certs[0]);
+  if (path.certs[1] != newintermediate_) {
     DVLOG(1) << "USED OLD";
-    EXPECT_EQ(oldintermediate_, result.paths[0]->path[1]);
-    EXPECT_EQ(oldroot_, result.paths[0]->path[2]);
+    EXPECT_EQ(oldintermediate_, path.certs[1]);
+    EXPECT_EQ(oldroot_, path.trust_anchor->cert());
   } else {
     DVLOG(1) << "USED NEW";
-    EXPECT_EQ(newintermediate_, result.paths[0]->path[1]);
-    EXPECT_EQ(newroot_, result.paths[0]->path[2]);
+    EXPECT_EQ(newintermediate_, path.certs[1]);
+    EXPECT_EQ(newroot_, path.trust_anchor->cert());
   }
 }
 
 // Tests that multiple trust root matches on a single path will be considered.
 // Both roots have the same subject but different keys. Only one of them will
 // verify.
 TEST_F(PathBuilderKeyRolloverTest, TestMultipleRootMatchesOnlyOneWorks) {
   // Both newroot and oldroot are trusted.
   TrustStore trust_store;
-  trust_store.AddTrustedCertificate(newroot_);
-  trust_store.AddTrustedCertificate(oldroot_);
+  AddTrustedCertificate(newroot_, &trust_store);
+  AddTrustedCertificate(oldroot_, &trust_store);
 
   // Only oldintermediate is supplied, so the path with newroot should fail,
   // oldroot should succeed.
   CertIssuerSourceStatic sync_certs;
   sync_certs.AddCert(oldintermediate_);
 
   CertPathBuilder::Result result;
   CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_,
                                &result);
   path_builder.AddCertIssuerSource(&sync_certs);
 
   EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder));
 
   EXPECT_EQ(OK, result.error());
   // There may be one or two paths attempted depending if the path builder tried
   // using newroot first.
   // TODO(mattm): Once TrustStore is an interface, this could be fixed with a
   // mock version of TrustStore that returns roots in a deterministic order.
   ASSERT_LE(1U, result.paths.size());
   ASSERT_GE(2U, result.paths.size());
 
   if (result.paths.size() == 2) {
     // Path builder may first attempt: target <- oldintermediate <- newroot
     // but it will fail since oldintermediate is signed by oldroot.
     EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.paths[0]->error);
-    ASSERT_EQ(3U, result.paths[0]->path.size());
-    EXPECT_EQ(target_, result.paths[0]->path[0]);
-    EXPECT_EQ(oldintermediate_, result.paths[0]->path[1]);
-    EXPECT_EQ(newroot_, result.paths[0]->path[2]);
+    const auto& path = result.paths[0]->path;
+    ASSERT_EQ(2U, path.certs.size());
+    EXPECT_EQ(target_, path.certs[0]);
+    EXPECT_EQ(oldintermediate_, path.certs[1]);
+    EXPECT_EQ(newroot_, path.trust_anchor->cert());
   }
 
   // Path builder will next attempt:
   // target <- old intermediate <- oldroot
   // which should succeed.
   EXPECT_EQ(OK, result.paths[result.best_result_index]->error);
-  ASSERT_EQ(3U, result.paths[result.best_result_index]->path.size());
-  EXPECT_EQ(target_, result.paths[result.best_result_index]->path[0]);
-  EXPECT_EQ(oldintermediate_, result.paths[result.best_result_index]->path[1]);
-  EXPECT_EQ(oldroot_, result.paths[result.best_result_index]->path[2]);
+  const auto& path = result.paths[result.best_result_index]->path;
+  ASSERT_EQ(2U, path.certs.size());
+  EXPECT_EQ(target_, path.certs[0]);
+  EXPECT_EQ(oldintermediate_, path.certs[1]);
+  EXPECT_EQ(oldroot_, path.trust_anchor->cert());
 }
 
 // Tests that the path builder doesn't build longer than necessary paths.
 TEST_F(PathBuilderKeyRolloverTest, TestRolloverLongChain) {
   // Only oldroot is trusted.
   TrustStore trust_store;
-  trust_store.AddTrustedCertificate(oldroot_);
+  AddTrustedCertificate(oldroot_, &trust_store);
 
   // New intermediate and new root are provided synchronously.
   CertIssuerSourceStatic sync_certs;
   sync_certs.AddCert(newintermediate_);
   sync_certs.AddCert(newroot_);
 
   // Rollover cert is only provided asynchronously. This will force the
   // pathbuilder to first try building a longer than necessary path.
   AsyncCertIssuerSourceStatic async_certs;
   async_certs.AddCert(newrootrollover_);
 
   CertPathBuilder::Result result;
   CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_,
                                &result);
   path_builder.AddCertIssuerSource(&sync_certs);
   path_builder.AddCertIssuerSource(&async_certs);
 
   EXPECT_EQ(CompletionStatus::ASYNC, RunPathBuilder(&path_builder));
 
   EXPECT_EQ(OK, result.error());
   ASSERT_EQ(3U, result.paths.size());
 
   // Path builder will first attempt: target <- newintermediate <- oldroot
   // but it will fail since newintermediate is signed by newroot.
   EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.paths[0]->error);
-  ASSERT_EQ(3U, result.paths[0]->path.size());
-  EXPECT_EQ(target_, result.paths[0]->path[0]);
-  EXPECT_EQ(newintermediate_, result.paths[0]->path[1]);
-  EXPECT_EQ(oldroot_, result.paths[0]->path[2]);
+  const auto& path0 = result.paths[0]->path;
+  ASSERT_EQ(2U, path0.certs.size());
+  EXPECT_EQ(target_, path0.certs[0]);
+  EXPECT_EQ(newintermediate_, path0.certs[1]);
+  EXPECT_EQ(oldroot_, path0.trust_anchor->cert());
 
   // Path builder will next attempt:
   // target <- newintermediate <- newroot <- oldroot
   // but it will fail since newroot is self-signed.
   EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.paths[1]->error);
-  ASSERT_EQ(4U, result.paths[1]->path.size());
-  EXPECT_EQ(target_, result.paths[1]->path[0]);
-  EXPECT_EQ(newintermediate_, result.paths[1]->path[1]);
-  EXPECT_EQ(newroot_, result.paths[1]->path[2]);
-  EXPECT_EQ(oldroot_, result.paths[1]->path[3]);
+  const auto& path1 = result.paths[1]->path;
+  ASSERT_EQ(3U, path1.certs.size());
+  EXPECT_EQ(target_, path1.certs[0]);
+  EXPECT_EQ(newintermediate_, path1.certs[1]);
+  EXPECT_EQ(newroot_, path1.certs[2]);
+  EXPECT_EQ(oldroot_, path1.trust_anchor->cert());
 
   // Path builder will skip:
   // target <- newintermediate <- newroot <- newrootrollover <- ...
   // Since newroot and newrootrollover have the same Name+SAN+SPKI.
 
   // Finally path builder will use:
   // target <- newintermediate <- newrootrollover <- oldroot
   EXPECT_EQ(2U, result.best_result_index);
   EXPECT_EQ(OK, result.paths[2]->error);
-  ASSERT_EQ(4U, result.paths[2]->path.size());
-  EXPECT_EQ(target_, result.paths[2]->path[0]);
-  EXPECT_EQ(newintermediate_, result.paths[2]->path[1]);
-  EXPECT_EQ(newrootrollover_, result.paths[2]->path[2]);
-  EXPECT_EQ(oldroot_, result.paths[2]->path[3]);
+  const auto& path2 = result.paths[2]->path;
+  ASSERT_EQ(3U, path2.certs.size());
+  EXPECT_EQ(target_, path2.certs[0]);
+  EXPECT_EQ(newintermediate_, path2.certs[1]);
+  EXPECT_EQ(newrootrollover_, path2.certs[2]);
+  EXPECT_EQ(oldroot_, path2.trust_anchor->cert());
 }
 
-// If the target cert is a trust root, that alone is a valid path.
+// If the target cert is a trust anchor, however is not itself *signed* by a
+// trust anchor, then it is not considered valid (the SPKI and name of the
+// trust anchor matches the SPKI and subject of the targe certificate, but the
+// rest of the certificate cannot be verified).

[mattm, 2016/08/09 00:59:21]

Seems reasonable, maybe add a test where this should succeed (eg, because the
issuer of the anchor is also a trust_anchor, or because the anchor is
self-signed).

[eroman, 2016/08/09 01:37:20]

We have this case in the test "TargetIsTrustAnchor"
I think we have this somewhere, but I will confirm that or add an explicit test
for it and get back to you.

[eroman, 2016/08/09 23:42:07]

Done. I have added some tests.

 TEST_F(PathBuilderKeyRolloverTest, TestEndEntityIsTrustRoot) {
   // Trust newintermediate.
   TrustStore trust_store;
-  trust_store.AddTrustedCertificate(newintermediate_);
+  AddTrustedCertificate(newintermediate_, &trust_store);
 
   CertPathBuilder::Result result;
   // Newintermediate is also the target cert.
   CertPathBuilder path_builder(newintermediate_, &trust_store,
                                &signature_policy_, time_, &result);
 
   EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder));
 
-  EXPECT_EQ(OK, result.error());
-
-  ASSERT_EQ(1U, result.paths.size());
-  EXPECT_EQ(OK, result.paths[0]->error);
-  ASSERT_EQ(1U, result.paths[0]->path.size());
-  EXPECT_EQ(newintermediate_, result.paths[0]->path[0]);
+  EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.error());
 }
 
 // If target has same Name+SAN+SPKI as a necessary intermediate, test if a path
 // can still be built.
 // Since LoopChecker will prevent the intermediate from being included, this
 // currently does NOT verify. This case shouldn't occur in the web PKI.
 TEST_F(PathBuilderKeyRolloverTest,
        TestEndEntityHasSameNameAndSpkiAsIntermediate) {
   // Trust oldroot.
   TrustStore trust_store;
-  trust_store.AddTrustedCertificate(oldroot_);
+  AddTrustedCertificate(oldroot_, &trust_store);
 
   // New root rollover is provided synchronously.
   CertIssuerSourceStatic sync_certs;
   sync_certs.AddCert(newrootrollover_);
 
   CertPathBuilder::Result result;
   // Newroot is the target cert.
   CertPathBuilder path_builder(newroot_, &trust_store, &signature_policy_,
                                time_, &result);
   path_builder.AddCertIssuerSource(&sync_certs);
 
   EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder));
 
   // This could actually be OK, but CertPathBuilder does not build the
   // newroot <- newrootrollover <- oldroot path.
   EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.error());
 }
 
 // If target has same Name+SAN+SPKI as the trust root, test that a (trivial)
 // path can still be built.
 TEST_F(PathBuilderKeyRolloverTest,
        TestEndEntityHasSameNameAndSpkiAsTrustAnchor) {
   // Trust newrootrollover.
   TrustStore trust_store;
-  trust_store.AddTrustedCertificate(newrootrollover_);
+  AddTrustedCertificate(newrootrollover_, &trust_store);
 
   CertPathBuilder::Result result;
   // Newroot is the target cert.
   CertPathBuilder path_builder(newroot_, &trust_store, &signature_policy_,
                                time_, &result);
 
   EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder));
 
   EXPECT_EQ(OK, result.error());
 
   ASSERT_FALSE(result.paths.empty());
   const CertPathBuilder::ResultPath* best_result =
       result.paths[result.best_result_index].get();
 
   // Newroot has same name+SPKI as newrootrollover, thus the path is valid and
   // only contains newroot.
   EXPECT_EQ(OK, best_result->error);
-  ASSERT_EQ(1U, best_result->path.size());
-  EXPECT_EQ(newroot_, best_result->path[0]);
+  ASSERT_EQ(1U, best_result->path.certs.size());
+  EXPECT_EQ(newroot_, best_result->path.certs[0]);
+  EXPECT_EQ(newrootrollover_, best_result->path.trust_anchor->cert());
 }
 
 // Test that PathBuilder will not try the same path twice if multiple
 // CertIssuerSources provide the same certificate.
 TEST_F(PathBuilderKeyRolloverTest, TestDuplicateIntermediates) {
   // Create a separate copy of oldintermediate.
   scoped_refptr<ParsedCertificate> oldintermediate_dupe(
       ParsedCertificate::CreateFromCertificateCopy(
           oldintermediate_->der_cert().AsStringPiece(), {}));
 
   // Only newroot is a trusted root.
   TrustStore trust_store;
-  trust_store.AddTrustedCertificate(newroot_);
+  AddTrustedCertificate(newroot_, &trust_store);
 
   // The oldintermediate is supplied synchronously by |sync_certs1| and
   // another copy of oldintermediate is supplied synchronously by |sync_certs2|.
   // The path target <- oldintermediate <- newroot  should be built first,
   // though it won't verify. It should not be attempted again even though
   // oldintermediate was supplied twice.
   CertIssuerSourceStatic sync_certs1;
   sync_certs1.AddCert(oldintermediate_);
   CertIssuerSourceStatic sync_certs2;
   sync_certs2.AddCert(oldintermediate_dupe);
@@ skipping 11 matching lines @@
   path_builder.AddCertIssuerSource(&async_certs);
 
   EXPECT_EQ(CompletionStatus::ASYNC, RunPathBuilder(&path_builder));
 
   EXPECT_EQ(OK, result.error());
   ASSERT_EQ(2U, result.paths.size());
 
   // Path builder will first attempt: target <- oldintermediate <- newroot
   // but it will fail since oldintermediate is signed by oldroot.
   EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.paths[0]->error);
-  ASSERT_EQ(3U, result.paths[0]->path.size());
-  EXPECT_EQ(target_, result.paths[0]->path[0]);
+  const auto& path0 = result.paths[0]->path;
+
+  ASSERT_EQ(2U, path0.certs.size());
+  EXPECT_EQ(target_, path0.certs[0]);
   // Compare the DER instead of ParsedCertificate pointer, don't care which copy
   // of oldintermediate was used in the path.
-  EXPECT_EQ(oldintermediate_->der_cert(), result.paths[0]->path[1]->der_cert());
-  EXPECT_EQ(newroot_, result.paths[0]->path[2]);
+  EXPECT_EQ(oldintermediate_->der_cert(), path0.certs[1]->der_cert());
+  EXPECT_EQ(newroot_, path0.trust_anchor->cert());
 
   // Path builder will next attempt: target <- newintermediate <- newroot
   // which will succeed.
   EXPECT_EQ(1U, result.best_result_index);
   EXPECT_EQ(OK, result.paths[1]->error);
-  ASSERT_EQ(3U, result.paths[1]->path.size());
-  EXPECT_EQ(target_, result.paths[1]->path[0]);
-  EXPECT_EQ(newintermediate_, result.paths[1]->path[1]);
-  EXPECT_EQ(newroot_, result.paths[1]->path[2]);
+  const auto& path1 = result.paths[1]->path;
+  ASSERT_EQ(2U, path1.certs.size());
+  EXPECT_EQ(target_, path1.certs[0]);
+  EXPECT_EQ(newintermediate_, path1.certs[1]);
+  EXPECT_EQ(newroot_, path1.trust_anchor->cert());
 }
 
-// Test that PathBuilder will not try the same path twice if the same cert is
-// presented via a CertIssuerSources and a TrustAnchor.
+// Test when PathBuilder is given a cert CertIssuerSources that has the same
+// SPKI as a TrustAnchor.
 TEST_F(PathBuilderKeyRolloverTest, TestDuplicateIntermediateAndRoot) {
   // Create a separate copy of newroot.
   scoped_refptr<ParsedCertificate> newroot_dupe(
       ParsedCertificate::CreateFromCertificateCopy(
           newroot_->der_cert().AsStringPiece(), {}));
 
   // Only newroot is a trusted root.
   TrustStore trust_store;
-  trust_store.AddTrustedCertificate(newroot_);
+  AddTrustedCertificate(newroot_, &trust_store);
 
   // The oldintermediate and newroot are supplied synchronously by |sync_certs|.
   CertIssuerSourceStatic sync_certs;
   sync_certs.AddCert(oldintermediate_);
   sync_certs.AddCert(newroot_dupe);
 
   CertPathBuilder::Result result;
   CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_,
                                &result);
   path_builder.AddCertIssuerSource(&sync_certs);
 
   EXPECT_EQ(CompletionStatus::SYNC, RunPathBuilder(&path_builder));
 
   EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.error());
-  ASSERT_EQ(1U, result.paths.size());
+  ASSERT_EQ(2U, result.paths.size());
+  // TODO(eroman): Is this right?
 
   // Path builder attempt: target <- oldintermediate <- newroot
   // but it will fail since oldintermediate is signed by oldroot.
   EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.paths[0]->error);
-  ASSERT_EQ(3U, result.paths[0]->path.size());
-  EXPECT_EQ(target_, result.paths[0]->path[0]);
-  EXPECT_EQ(oldintermediate_, result.paths[0]->path[1]);
+  const auto& path = result.paths[0]->path;
+  ASSERT_EQ(2U, path.certs.size());
+  EXPECT_EQ(target_, path.certs[0]);
+  EXPECT_EQ(oldintermediate_, path.certs[1]);
   // Compare the DER instead of ParsedCertificate pointer, don't care which copy
   // of newroot was used in the path.
-  EXPECT_EQ(newroot_->der_cert(), result.paths[0]->path[2]->der_cert());
+  EXPECT_EQ(newroot_->der_cert(), path.trust_anchor->cert()->der_cert());
 }
 
 class MockCertIssuerSourceRequest : public CertIssuerSource::Request {
  public:
   MOCK_METHOD1(GetNext, CompletionStatus(scoped_refptr<ParsedCertificate>*));
 };
 
 class MockCertIssuerSource : public CertIssuerSource {
  public:
   MOCK_METHOD2(SyncGetIssuersOf,
@@ skipping 22 matching lines @@
 };
 
 // Test that a single CertIssuerSource returning multiple async batches of
 // issuers is handled correctly. Due to the StrictMocks, it also tests that path
 // builder does not request issuers of certs that it shouldn't.
 TEST_F(PathBuilderKeyRolloverTest, TestMultipleAsyncCallbacksFromSingleSource) {
   StrictMock<MockCertIssuerSource> cert_issuer_source;
 
   // Only newroot is a trusted root.
   TrustStore trust_store;
-  trust_store.AddTrustedCertificate(newroot_);
+  AddTrustedCertificate(newroot_, &trust_store);
 
   CertPathBuilder::Result result;
   CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_,
                                &result);
   path_builder.AddCertIssuerSource(&cert_issuer_source);
 
   CertIssuerSource::IssuerCallback target_issuers_callback;
   // Create the mock CertIssuerSource::Request...
   std::unique_ptr<StrictMock<MockCertIssuerSourceRequest>>
       target_issuers_req_owner(new StrictMock<MockCertIssuerSourceRequest>());
@@ skipping 56 matching lines @@
 
   // Ensure pathbuilder finished and filled result.
   callback.WaitForResult();
 
   EXPECT_EQ(OK, result.error());
   ASSERT_EQ(2U, result.paths.size());
 
   // Path builder first attempts: target <- oldintermediate <- newroot
   // but it will fail since oldintermediate is signed by oldroot.
   EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.paths[0]->error);
-  ASSERT_EQ(3U, result.paths[0]->path.size());
-  EXPECT_EQ(target_, result.paths[0]->path[0]);
-  EXPECT_EQ(oldintermediate_, result.paths[0]->path[1]);
-  EXPECT_EQ(newroot_, result.paths[0]->path[2]);
+  const auto& path0 = result.paths[0]->path;
+  ASSERT_EQ(2U, path0.certs.size());
+  EXPECT_EQ(target_, path0.certs[0]);
+  EXPECT_EQ(oldintermediate_, path0.certs[1]);
+  EXPECT_EQ(newroot_, path0.trust_anchor->cert());
 
   // After the second batch of async results, path builder will attempt:
   // target <- newintermediate <- newroot which will succeed.
   EXPECT_EQ(OK, result.paths[1]->error);
-  ASSERT_EQ(3U, result.paths[1]->path.size());
-  EXPECT_EQ(target_, result.paths[1]->path[0]);
-  EXPECT_EQ(newintermediate_, result.paths[1]->path[1]);
-  EXPECT_EQ(newroot_, result.paths[1]->path[2]);
+  const auto& path1 = result.paths[1]->path;
+  ASSERT_EQ(2U, path1.certs.size());
+  EXPECT_EQ(target_, path1.certs[0]);
+  EXPECT_EQ(newintermediate_, path1.certs[1]);
+  EXPECT_EQ(newroot_, path1.trust_anchor->cert());
 }
 
 // Test that PathBuilder will not try the same path twice if CertIssuerSources
 // asynchronously provide the same certificate multiple times.
 TEST_F(PathBuilderKeyRolloverTest, TestDuplicateAsyncIntermediates) {
   StrictMock<MockCertIssuerSource> cert_issuer_source;
 
   // Only newroot is a trusted root.
   TrustStore trust_store;
-  trust_store.AddTrustedCertificate(newroot_);
+  AddTrustedCertificate(newroot_, &trust_store);
 
   CertPathBuilder::Result result;
   CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_,
                                &result);
   path_builder.AddCertIssuerSource(&cert_issuer_source);
 
   CertIssuerSource::IssuerCallback target_issuers_callback;
   // Create the mock CertIssuerSource::Request...
   std::unique_ptr<StrictMock<MockCertIssuerSourceRequest>>
       target_issuers_req_owner(new StrictMock<MockCertIssuerSourceRequest>());
@@ skipping 71 matching lines @@
 
   // Ensure pathbuilder finished and filled result.
   callback.WaitForResult();
 
   EXPECT_EQ(OK, result.error());
   ASSERT_EQ(2U, result.paths.size());
 
   // Path builder first attempts: target <- oldintermediate <- newroot
   // but it will fail since oldintermediate is signed by oldroot.
   EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, result.paths[0]->error);
-  ASSERT_EQ(3U, result.paths[0]->path.size());
-  EXPECT_EQ(target_, result.paths[0]->path[0]);
-  EXPECT_EQ(oldintermediate_, result.paths[0]->path[1]);
-  EXPECT_EQ(newroot_, result.paths[0]->path[2]);
+  const auto& path0 = result.paths[0]->path;
+  ASSERT_EQ(2U, path0.certs.size());
+  EXPECT_EQ(target_, path0.certs[0]);
+  EXPECT_EQ(oldintermediate_, path0.certs[1]);
+  EXPECT_EQ(newroot_, path0.trust_anchor->cert());
 
   // The second async result does not generate any path.
 
   // After the third batch of async results, path builder will attempt:
   // target <- newintermediate <- newroot which will succeed.
   EXPECT_EQ(OK, result.paths[1]->error);
-  ASSERT_EQ(3U, result.paths[1]->path.size());
-  EXPECT_EQ(target_, result.paths[1]->path[0]);
-  EXPECT_EQ(newintermediate_, result.paths[1]->path[1]);
-  EXPECT_EQ(newroot_, result.paths[1]->path[2]);
+  const auto& path1 = result.paths[1]->path;
+  ASSERT_EQ(2U, path1.certs.size());
+  EXPECT_EQ(target_, path1.certs[0]);
+  EXPECT_EQ(newintermediate_, path1.certs[1]);
+  EXPECT_EQ(newroot_, path1.trust_anchor->cert());
 }
 
 }  // namespace
 
 }  // namespace net