Support trust anchor constraints, by specifying them as a certificate.

net/cert/internal/verify_certificate_chain.cc

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/internal/verify_certificate_chain.h"
 
 #include <memory>
 
 #include "base/logging.h"
 #include "net/cert/internal/name_constraints.h"
@@ skipping 148 matching lines @@
 }
 
 // This function corresponds to RFC 5280 section 6.1.4's "Preparation for
 // Certificate i+1" procedure. |cert| is expected to be an intermediate.
 WARN_UNUSED_RESULT bool PrepareForNextCertificate(
     const ParsedCertificate& cert,
     size_t* max_path_length_ptr,
     der::Input* working_spki,
     der::Input* working_normalized_issuer_name,
     std::vector<const NameConstraints*>* name_constraints_list) {
-  // TODO(eroman): Steps a-b are omitted, as policy constraints are not yet
-  // implemented.
+  // TODO(crbug.com/634456): Steps a-b are omitted, as policy mappings are not
+  // yet implemented.
 
   // From RFC 5280 section 6.1.4 step c:
   //
   //    Assign the certificate subject name to working_normalized_issuer_name.
   *working_normalized_issuer_name = cert.normalized_subject();
 
   // From RFC 5280 section 6.1.4 step d:
   //
   //    Assign the certificate subjectPublicKey to working_public_key.
   *working_spki = cert.tbs().spki_tlv;
 
   // Note that steps e and f are omitted as they are handled by
   // the assignment to |working_spki| above. See the definition
   // of |working_spki|.
 
   // From RFC 5280 section 6.1.4 step g:
   if (cert.has_name_constraints())
     name_constraints_list->push_back(&cert.name_constraints());
 
-  // TODO(eroman): Steps h-j are omitted as policy constraints are not yet
-  // implemented.
+  // TODO(eroman): Steps h-j are omitted as policy
+  // constraints/mappings/inhibitAnyPolicy are not yet implemented.
 
   // From RFC 5280 section 6.1.4 step k:
   //
   //    If certificate i is a version 3 certificate, verify that the
   //    basicConstraints extension is present and that cA is set to
   //    TRUE.  (If certificate i is a version 1 or version 2
   //    certificate, then the application MUST either verify that
   //    certificate i is a CA certificate through out-of-band means
   //    or reject the certificate.  Conforming implementations may
   //    choose to reject all version 1 and version 2 intermediate
@@ skipping 85 matching lines @@
            (!cert.has_key_usage() ||
             cert.key_usage().AssertsBit(KEY_USAGE_BIT_KEY_CERT_SIGN));
   }
 
   return true;
 }
 
 // This function corresponds with RFC 5280 section 6.1.5's "Wrap-Up Procedure".
 // It does processing for the final certificate (the target cert).
 WARN_UNUSED_RESULT bool WrapUp(const ParsedCertificate& cert) {
-  // TODO(eroman): Steps a-b are omitted as policy constraints are not yet
-  // implemented.
+  // TODO(crbug.com/634452): Steps a-b are omitted as policy constraints are not
+  // yet implemented.
 
   // Note step c-e are omitted the verification function does
   // not output the working public key.
 
   // From RFC 5280 section 6.1.5 step f:
   //
   //    Recognize and process any other critical extension present in
   //    the certificate n.  Process any other recognized non-critical
   //    extension present in certificate n that is relevant to path
   //    processing.
   //
   // Note that this is duplicated by PrepareForNextCertificate() so as to
   // directly match the procedures in RFC 5280's section 6.1.
   if (!VerifyNoUnconsumedCriticalExtensions(cert))
     return false;
 
   // TODO(eroman): Step g is omitted, as policy constraints are not yet
   // implemented.
 
   // The following check is NOT part of RFC 5280 6.1.5's "Wrap-Up Procedure",
   // however is implied by RFC 5280 section 4.2.1.9.
   if (!VerifyTargetCertHasConsistentCaBits(cert))
     return false;
 
   return true;
 }
 
+// Initializes the path validation algorithm given anchor constraints. This
+// follows the description in RFC 5937
+WARN_UNUSED_RESULT bool ProcessTrustAnchorConstraints(
+    const TrustAnchor& trust_anchor,
+    size_t* max_path_length_ptr,
+    std::vector<const NameConstraints*>* name_constraints_list) {
+  // In RFC 5937 the enforcement of anchor constraints is governed by the input
+  // enforceTrustAnchorConstraints to path validation. In our implementation
+  // this is always on, and enforcement is controlled solely by whether or not
+  // the trust anchor specified constraints.
+  if (!trust_anchor.enforces_constraints())
+    return true;
+
+  // Anchor constraints are encoded via the attached certificate.
+  const ParsedCertificate& cert = *trust_anchor.cert();
+
+  // The following enforcements follow from RFC 5937 (primarily section 3.2):
+
+  // Initialize name constraints initial-permitted/excluded-subtrees.
+  if (cert.has_name_constraints())
+    name_constraints_list->push_back(&cert.name_constraints());

[eroman, 2016/08/16 00:03:01]

I don't yet have a test for this -- will probably do that in a follow-up.

+
+  // TODO(eroman): Initialize user-initial-policy-set based on anchor
+  // constraints.
+
+  // TODO(eroman): Initialize inhibit any policy based on anchor constraints.
+
+  // TODO(eroman): Initialize require explicit policy based on anchor
+  // constraints.
+
+  // TODO(eroman): Initialize inhibit policy mapping based on anchor
+  // constraints.
+
+  // From RFC 5937 section 3.2:
+  //
+  //    If a basic constraints extension is associated with the trust
+  //    anchor and contains a pathLenConstraint value, set the
+  //    max_path_length state variable equal to the pathLenConstraint
+  //    value from the basic constraints extension.
+  //
+  // NOTE: RFC 5937 does not say to enforce the CA=true part of basic
+  // constraints.
+  if (cert.has_basic_constraints() && cert.basic_constraints().has_path_len)
+    *max_path_length_ptr = cert.basic_constraints().path_len;
+
+  // From RFC 5937 section 2:
+  //
+  //    Extensions may be marked critical or not critical.  When trust anchor
+  //    constraints are enforced, clients MUST reject certification paths
+  //    containing a trust anchor with unrecognized critical extensions.
+  if (!VerifyNoUnconsumedCriticalExtensions(cert))
+    return false;
+
+  return true;
+}
+
 }  // namespace
 
 // This implementation is structured to mimic the description of certificate
 // path verification given by RFC 5280 section 6.1.
 bool VerifyCertificateChain(const ParsedCertificateList& certs,
                             const TrustAnchor* trust_anchor,
                             const SignaturePolicy* signature_policy,
                             const der::GeneralizedTime& time) {
   // An empty chain is necessarily invalid.
   if (certs.empty())
     return false;
 
-  // TODO(crbug.com/635200): Support anchor constraints.
-
   // Will contain a NameConstraints for each previous cert in the chain which
   // had nameConstraints. This corresponds to the permitted_subtrees and
   // excluded_subtrees state variables from RFC 5280.
   std::vector<const NameConstraints*> name_constraints_list;
 
   // |working_spki| is an amalgamation of 3 separate variables from RFC 5280:
   //    * working_public_key
   //    * working_public_key_algorithm
   //    * working_public_key_parameters
   //
@@ skipping 19 matching lines @@
   // |max_path_length| corresponds with the same named variable in RFC 5280
   // section 6.1.2:
   //
   //    max_path_length:  this integer is initialized to n, is
   //    decremented for each non-self-issued certificate in the path,
   //    and may be reduced to the value in the path length constraint
   //    field within the basic constraints extension of a CA
   //    certificate.
   size_t max_path_length = certs.size();
 
+  // Apply any trust anchor constraints per RFC 5937.
+  if (!ProcessTrustAnchorConstraints(*trust_anchor, &max_path_length,
+                                     &name_constraints_list)) {
+    return false;
+  }
+
   // Iterate over all the certificates in the reverse direction: starting from
   // the certificate signed by trust anchor and progressing towards the target
   // certificate.
   //
   // Note that |i| uses 0-based indexing whereas in RFC 5280 it is 1-based.
   //
   //   * i=0    :  Certificated signed by trust anchor.
   //   * i=N-1  :  Target certificate.
   for (size_t i = 0; i < certs.size(); ++i) {
     const size_t index_into_certs = certs.size() - i - 1;
@@ skipping 29 matching lines @@
 
   // TODO(eroman): RFC 5280 forbids duplicate certificates per section 6.1:
   //
   //    A certificate MUST NOT appear more than once in a prospective
   //    certification path.
 
   return true;
 }
 
 }  // namespace net