Don't treat trust anchors as certificates during path building.

components/cast_certificate/cast_crl.cc

Index: components/cast_certificate/cast_crl.cc
diff --git a/components/cast_certificate/cast_crl.cc b/components/cast_certificate/cast_crl.cc
index 94ecb1acfe9058abc658f4634372b1d1bb52eaa8..4f7596c7c44d7670d90094434c48a66710f5f8db 100644
--- a/components/cast_certificate/cast_crl.cc
+++ b/components/cast_certificate/cast_crl.cc
@@ -62,12 +62,16 @@ class CastCRLTrustStore {
 
   CastCRLTrustStore() {
     // Initialize the trust store with the root certificate.
-    scoped_refptr<net::ParsedCertificate> root =
+    scoped_refptr<net::ParsedCertificate> cert =
         net::ParsedCertificate::CreateFromCertificateData(
             kCastCRLRootCaDer, sizeof(kCastCRLRootCaDer),
             net::ParsedCertificate::DataSource::EXTERNAL_REFERENCE, {});
-    CHECK(root);
-    store_.AddTrustedCertificate(std::move(root));
+    CHECK(cert);
+    // TODO(crbug.com/635200): Support anchor constraints.
+    auto anchor =
+        net::TrustAnchor::CreateFromCertificateNoConstraints(std::move(cert));
+    CHECK(anchor);
+    store_.AddTrustAnchor(std::move(anchor));
   }
 
   net::TrustStore store_;
@@ -167,7 +171,7 @@ bool VerifyCRL(const Crl& crl,
 
   // Set CRL expiry to the earliest of the cert chain expiry and CRL expiry.
   *overall_not_after = not_after;
-  for (const auto& cert : result.paths[result.best_result_index]->path) {
+  for (const auto& cert : result.paths[result.best_result_index]->path.certs) {

[mattm, 2016/08/09 00:59:21]

ok that this doesn't check the trust_anchor?

[eroman, 2016/08/09 01:37:20]

I will make sure to raise that with cast reviewer.

There is no longer the concept of an expiration on trust anchor.

That said in this case there is a single trust anchor (cast CRL root) baked into
the browser binary. So the only meaning of expiring it would be to change it. So
at least currently I don't believe there is meaningful distinction.

     net::der::GeneralizedTime cert_not_after = cert->tbs().validity_not_after;
     if (cert_not_after < *overall_not_after)
       *overall_not_after = cert_not_after;
@@ -191,7 +195,7 @@ class CastCRLImpl : public CastCRL {
               const net::der::GeneralizedTime& overall_not_after);
   ~CastCRLImpl() override;
 
-  bool CheckRevocation(const net::ParsedCertificateList& trusted_chain,
+  bool CheckRevocation(const net::CertPath& trusted_chain,
                        const base::Time& time) const override;
 
  private:
@@ -245,10 +249,9 @@ CastCRLImpl::~CastCRLImpl() {}
 
 // Verifies the revocation status of the certificate chain, at the specified
 // time.
-bool CastCRLImpl::CheckRevocation(
-    const net::ParsedCertificateList& trusted_chain,
-    const base::Time& time) const {
-  if (trusted_chain.empty())
+bool CastCRLImpl::CheckRevocation(const net::CertPath& trusted_chain,
+                                  const base::Time& time) const {
+  if (trusted_chain.IsEmpty())
     return false;
 
   // Check the validity of the CRL at the specified time.
@@ -262,12 +265,20 @@ bool CastCRLImpl::CheckRevocation(
     return false;
   }
 
-  // Check revocation.
-  for (size_t i = 0; i < trusted_chain.size(); ++i) {
-    const auto& parsed_cert = trusted_chain[i];
+  // Check revocation -- Note that this loop has "+ 1" in order to also loop
+  // over the trust anchor (which is treated specially).
+  for (size_t i = 0; i < trusted_chain.certs.size() + 1; ++i) {
+    // This loop iterates over both certificates AND the trust anchor,
+    // depending on what the value of |i| is.
+    net::der::Input spki_tlv;
+    if (i == trusted_chain.certs.size()) {
+      spki_tlv = trusted_chain.trust_anchor->spki();
+    } else {
+      spki_tlv = trusted_chain.certs[i]->tbs().spki_tlv;
+    }
+
     // Calculate the public key's hash to check for revocation.
-    std::string spki_hash =
-        crypto::SHA256HashString(parsed_cert->tbs().spki_tlv.AsString());
+    std::string spki_hash = crypto::SHA256HashString(spki_tlv.AsString());
     if (revoked_hashes_.find(spki_hash) != revoked_hashes_.end()) {
       VLOG(2) << "Public key is revoked.";
       return false;
@@ -277,7 +288,7 @@ bool CastCRLImpl::CheckRevocation(
     if (i > 0) {
       auto issuer_iter = revoked_serial_numbers_.find(spki_hash);
       if (issuer_iter != revoked_serial_numbers_.end()) {
-        const auto& subordinate = trusted_chain[i - 1];
+        const auto& subordinate = trusted_chain.certs[i - 1];
         uint64_t serial_number;
         // Only Google generated device certificates will be revoked by range.
         // These will always be less than 64 bits in length.