Enable trust anchor constraints for the built-in Cast roots.

components/cast_certificate/cast_cert_validator_unittest.cc

 // Copyright 2016 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "components/cast_certificate/cast_cert_validator.h"
 
 #include "components/cast_certificate/cast_cert_validator_test_helpers.h"
+#include "net/cert/internal/parsed_certificate.h"
+#include "net/cert/internal/trust_store.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 namespace cast_certificate {
 
 namespace {
 
 // Creates an std::string given a uint8_t array.
 template <size_t N>
 std::string CreateString(const uint8_t (&data)[N]) {
   return std::string(reinterpret_cast<const char*>(data), N);
 }
 
 // Indicates the expected result of test verification.
 enum TestResult {
   RESULT_SUCCESS,
   RESULT_FAIL,
 };
 
+enum TrustStoreDependency {
+  // Uses the built-in trust store for Cast. This is how certificates are
+  // verified in production.
+  TRUST_STORE_BUILTIN,
+
+  // Instead of using the built-in trust store, use root certificate in the
+  // provided test chain as the trust anchor.
+  //
+  // This trust anchor is initialized with anchor constraints, similar to how
+  // TrustAnchors in the built-in store are setup.
+  TRUST_STORE_FROM_TEST_FILE,
+
+  // This is the same as TRUST_STORE_FROM_TEST_FILE except the TrustAnchor is
+  // setup to NOT enforce anchor constraints. This mode is useful for
+  // verifying control groups. It is not how code works in production.
+  TRUST_STORE_FROM_TEST_FILE_UNCONSTRAINED,
+};
+
 // Reads a test chain from |certs_file_name|, and asserts that verifying it as
 // a Cast device certificate yields |expected_result|.
 //
 // RunTest() also checks that the resulting CertVerificationContext does not
 // incorrectly verify invalid signatures.
 //
 //  * |expected_policy| - The policy that should have been identified for the
 //                        device certificate.
 //  * |time| - The timestamp to use when verifying the certificate.
+//  * |trust_store_dependency| - Which trust store to use when verifying (see
+//                               enum's definition).
 //  * |optional_signed_data_file_name| - optional path to a PEM file containing
 //        a valid signature generated by the device certificate.
 //
 void RunTest(TestResult expected_result,
              const std::string& expected_common_name,
              CastDeviceCertPolicy expected_policy,
              const std::string& certs_file_name,
              const base::Time& time,
+             TrustStoreDependency trust_store_dependency,
              const std::string& optional_signed_data_file_name) {
   auto certs =
       cast_certificate::testing::ReadCertificateChainFromFile(certs_file_name);
 
+  std::unique_ptr<net::TrustStore> trust_store;
+
+  switch (trust_store_dependency) {
+    case TRUST_STORE_BUILTIN:
+      // Leave trust_store as nullptr.
+      break;
+
+    case TRUST_STORE_FROM_TEST_FILE:
+    case TRUST_STORE_FROM_TEST_FILE_UNCONSTRAINED: {
+      ASSERT_FALSE(certs.empty());
+
+      // Parse the root certificate of the chain.
+      scoped_refptr<net::ParsedCertificate> root =
+          net::ParsedCertificate::CreateFromCertificateCopy(certs.back(), {});
+      ASSERT_TRUE(root);
+
+      // Remove it from the chain.
+      certs.pop_back();
+
+      // Add it to the trust store as a trust anchor
+      trust_store.reset(new net::TrustStore);
+
+      if (trust_store_dependency == TRUST_STORE_FROM_TEST_FILE_UNCONSTRAINED) {
+        // This is a test-only mode where anchor constraints are not enforced.
+        trust_store->AddTrustAnchor(
+            net::TrustAnchor::CreateFromCertificateNoConstraints(
+                std::move(root)));
+      } else {
+        // This is the regular mode used by the TrustAnchors for the built-in
+        // Cast store.
+        trust_store->AddTrustAnchor(
+            net::TrustAnchor::CreateFromCertificateWithConstraints(
+                std::move(root)));
+      }
+    }
+  }
+
   std::unique_ptr<CertVerificationContext> context;
   CastDeviceCertPolicy policy;
-  bool result = VerifyDeviceCert(certs, time, &context, &policy, nullptr,
-                                 CRLPolicy::CRL_OPTIONAL);
+
+  bool result;
+  if (trust_store.get()) {
+    result =
+        VerifyDeviceCertForTest(certs, time, &context, &policy, nullptr,
+                                CRLPolicy::CRL_OPTIONAL, trust_store.get());
+  } else {
+    result = VerifyDeviceCert(certs, time, &context, &policy, nullptr,
+                              CRLPolicy::CRL_OPTIONAL);
+  }
 
   if (expected_result == RESULT_FAIL) {
     ASSERT_FALSE(result);
     return;
   }
 
   ASSERT_TRUE(result);
   EXPECT_EQ(expected_policy, policy);
   ASSERT_TRUE(context.get());
 
@@ skipping 63 matching lines @@
 base::Time MarchFirst2037() {
   return CreateDate(2037, 3, 1);
 }
 
 // Tests verifying a valid certificate chain of length 2:
 //
 //   0: 2ZZBG9 FA8FCA3EF91A
 //   1: Eureka Gen1 ICA
 //
 // Chains to trust anchor:
-//   Eureka Root CA    (not included)
+//   Eureka Root CA    (built-in trust store)
 TEST(VerifyCastDeviceCertTest, ChromecastGen1) {
   RunTest(RESULT_SUCCESS, "2ZZBG9 FA8FCA3EF91A", CastDeviceCertPolicy::NONE,
           "certificates/chromecast_gen1.pem", AprilFirst2016(),
-          "signeddata/2ZZBG9_FA8FCA3EF91A.pem");
+          TRUST_STORE_BUILTIN, "signeddata/2ZZBG9_FA8FCA3EF91A.pem");
 }
 
 // Tests verifying a valid certificate chain of length 2:
 //
 //  0: 2ZZBG9 FA8FCA3EF91A
 //  1: Eureka Gen1 ICA
 //
 // Chains to trust anchor:
-//   Cast Root CA     (not included)
+//   Cast Root CA     (built-in trust store)
 TEST(VerifyCastDeviceCertTest, ChromecastGen1Reissue) {
   RunTest(RESULT_SUCCESS, "2ZZBG9 FA8FCA3EF91A", CastDeviceCertPolicy::NONE,
           "certificates/chromecast_gen1_reissue.pem", AprilFirst2016(),
-          "signeddata/2ZZBG9_FA8FCA3EF91A.pem");
+          TRUST_STORE_BUILTIN, "signeddata/2ZZBG9_FA8FCA3EF91A.pem");
 }
 
 // Tests verifying a valid certificate chain of length 2:
 //
 //   0: 3ZZAK6 FA8FCA3F0D35
 //   1: Chromecast ICA 3
 //
 // Chains to trust anchor:
-//   Cast Root CA     (not included)
+//   Cast Root CA     (built-in trust store)
 TEST(VerifyCastDeviceCertTest, ChromecastGen2) {
   RunTest(RESULT_SUCCESS, "3ZZAK6 FA8FCA3F0D35", CastDeviceCertPolicy::NONE,
-          "certificates/chromecast_gen2.pem", AprilFirst2016(), "");
+          "certificates/chromecast_gen2.pem", AprilFirst2016(),
+          TRUST_STORE_BUILTIN, "");
 }
 
 // Tests verifying a valid certificate chain of length 3:
 //
 //   0: -6394818897508095075
 //   1: Asus fugu Cast ICA
 //   2: Widevine Cast Subroot
 //
 // Chains to trust anchor:
-//   Cast Root CA     (not included)
+//   Cast Root CA     (built-in trust store)
 TEST(VerifyCastDeviceCertTest, Fugu) {
   RunTest(RESULT_SUCCESS, "-6394818897508095075", CastDeviceCertPolicy::NONE,
-          "certificates/fugu.pem", AprilFirst2016(), "");
+          "certificates/fugu.pem", AprilFirst2016(), TRUST_STORE_BUILTIN, "");
 }
 
 // Tests verifying an invalid certificate chain of length 1:
 //
 //  0: Cast Test Untrusted Device
 //
 // Chains to:
-//   Cast Test Untrusted ICA    (not included)
+//   Cast Test Untrusted ICA    (Not part of trust store)
 //
 // This is invalid because it does not chain to a trust anchor.
 TEST(VerifyCastDeviceCertTest, Unchained) {
   RunTest(RESULT_FAIL, "", CastDeviceCertPolicy::NONE,
-          "certificates/unchained.pem", AprilFirst2016(), "");
+          "certificates/unchained.pem", AprilFirst2016(), TRUST_STORE_BUILTIN,
+          "");
 }
 
 // Tests verifying one of the self-signed trust anchors (chain of length 1):
 //
 //  0: Cast Root CA
 //
 // Chains to trust anchor:
-//   Cast Root CA
+//   Cast Root CA     (built-in trust store)
 //
 // Although this is a valid and trusted certificate (it is one of the
 // trust anchors after all) it fails the test as it is not a *device
 // certificate*.
 TEST(VerifyCastDeviceCertTest, CastRootCa) {
   RunTest(RESULT_FAIL, "", CastDeviceCertPolicy::NONE,
-          "certificates/cast_root_ca.pem", AprilFirst2016(), "");
+          "certificates/cast_root_ca.pem", AprilFirst2016(),
+          TRUST_STORE_BUILTIN, "");
 }
 
 // Tests verifying a valid certificate chain of length 2:
 //
 //  0: 4ZZDZJ FA8FCA7EFE3C
 //  1: Chromecast ICA 4 (Audio)
 //
 // Chains to trust anchor:
-//   Cast Root CA     (not included)
+//   Cast Root CA     (built-in trust store)
 //
 // This device certificate has a policy that means it is valid only for audio
 // devices.
 TEST(VerifyCastDeviceCertTest, ChromecastAudio) {
   RunTest(RESULT_SUCCESS, "4ZZDZJ FA8FCA7EFE3C",
           CastDeviceCertPolicy::AUDIO_ONLY, "certificates/chromecast_audio.pem",
-          AprilFirst2016(), "");
+          AprilFirst2016(), TRUST_STORE_BUILTIN, "");
 }
 
 // Tests verifying a valid certificate chain of length 3:
 //
 //  0: MediaTek Audio Dev Test
 //  1: MediaTek Audio Dev Model
 //  2: Cast Audio Dev Root CA
 //
 // Chains to trust anchor:
-//   Cast Root CA     (not included)
+//   Cast Root CA     (built-in trust store)
 //
 // This device certificate has a policy that means it is valid only for audio
 // devices.
 TEST(VerifyCastDeviceCertTest, MtkAudioDev) {
   RunTest(RESULT_SUCCESS, "MediaTek Audio Dev Test",
           CastDeviceCertPolicy::AUDIO_ONLY, "certificates/mtk_audio_dev.pem",
-          JanuaryFirst2015(), "");
+          JanuaryFirst2015(), TRUST_STORE_BUILTIN, "");
 }
 
 // Tests verifying a valid certificate chain of length 2:
 //
 //  0: 9V0000VB FA8FCA784D01
 //  1: Cast TV ICA (Vizio)
 //
 // Chains to trust anchor:
-//   Cast Root CA     (not included)
+//   Cast Root CA     (built-in trust store)
 TEST(VerifyCastDeviceCertTest, Vizio) {
   RunTest(RESULT_SUCCESS, "9V0000VB FA8FCA784D01", CastDeviceCertPolicy::NONE,
-          "certificates/vizio.pem", AprilFirst2016(), "");
+          "certificates/vizio.pem", AprilFirst2016(), TRUST_STORE_BUILTIN, "");
 }
 
 // Tests verifying a valid certificate chain of length 2 using expired
 // time points.
 TEST(VerifyCastDeviceCertTest, ChromecastGen2InvalidTime) {
   const char* kCertsFile = "certificates/chromecast_gen2.pem";
 
   // Control test - certificate should be valid at some time otherwise
   // this test is pointless.
   RunTest(RESULT_SUCCESS, "3ZZAK6 FA8FCA3F0D35", CastDeviceCertPolicy::NONE,
-          kCertsFile, AprilFirst2016(), "");
+          kCertsFile, AprilFirst2016(), TRUST_STORE_BUILTIN, "");
 
   // Use a time before notBefore.
   RunTest(RESULT_FAIL, "", CastDeviceCertPolicy::NONE, kCertsFile,
-          JanuaryFirst2015(), "");
+          JanuaryFirst2015(), TRUST_STORE_BUILTIN, "");
 
   // Use a time after notAfter.
   RunTest(RESULT_FAIL, "", CastDeviceCertPolicy::NONE, kCertsFile,
-          MarchFirst2037(), "");
+          MarchFirst2037(), TRUST_STORE_BUILTIN, "");
 }
 
 // Tests verifying a valid certificate chain of length 3:
 //
 //  0: Audio Reference Dev Test
 //  1: Audio Reference Dev Model
 //  2: Cast Audio Dev Root CA
 //
 // Chains to trust anchor:
-//   Cast Root CA     (not included)
+//   Cast Root CA     (built-in trust store)
 //
 // This device certificate has a policy that means it is valid only for audio
 // devices.
 TEST(VerifyCastDeviceCertTest, AudioRefDevTestChain3) {
   RunTest(RESULT_SUCCESS, "Audio Reference Dev Test",
           CastDeviceCertPolicy::AUDIO_ONLY,
           "certificates/audio_ref_dev_test_chain_3.pem", AprilFirst2016(),
-          "signeddata/AudioReferenceDevTest.pem");
+          TRUST_STORE_BUILTIN, "signeddata/AudioReferenceDevTest.pem");
 }
 
 // Tests verifying a valid certificate chain of length 3. Note that the first
 // intermediate has a serial number that is 21 octets long, which violates RFC
 // 5280. However cast verification accepts this certificate for compatibility
 // reasons.
 //
 //  0: 8C579B806FFC8A9DFFFF F8:8F:CA:6B:E6:DA
 //  1: Sony so16vic CA
 //  2: Cast Audio Sony CA
 //
 // Chains to trust anchor:
-//   Cast Root CA     (not included)
+//   Cast Root CA     (built-in trust store)
 //
 // This device certificate has a policy that means it is valid only for audio
 // devices.
 TEST(VerifyCastDeviceCertTest, IntermediateSerialNumberTooLong) {
   RunTest(RESULT_SUCCESS, "8C579B806FFC8A9DFFFF F8:8F:CA:6B:E6:DA",
           CastDeviceCertPolicy::AUDIO_ONLY,
           "certificates/intermediate_serialnumber_toolong.pem",
-          AprilFirst2016(), "");
+          AprilFirst2016(), TRUST_STORE_BUILTIN, "");
+}
+
+// Tests verifying a valid certificate chain of length 2 when the trust anchor
+// is "expired". This is expected to work since expiration is not an enforced
+// anchor constraint, even though it may appear in the root certificate.
+//
+//  0: CastDevice
+//  1: CastIntermediate
+//
+// Chains to trust anchor:
+//   Expired CastRoot     (provided by test data)
+TEST(VerifyCastDeviceCertTest, ExpiredTrustAnchor) {
+  // The root certificate is only valid in 2015, so validating with a time in
+  // 2016 means it is expired.
+  RunTest(RESULT_SUCCESS, "CastDevice", CastDeviceCertPolicy::NONE,
+          "certificates/expired_root.pem", AprilFirst2016(),
+          TRUST_STORE_FROM_TEST_FILE, "");
+}
+
+// Tests verifying a certificate chain where the root certificate has a pathlen
+// constraint which is violated by the chain. In this case Root has a pathlen=1
+// constraint, however neither intermediate is constrained.
+//
+// The expectation is for pathlen constraints on trust anchors to be enforced,
+// so this validation must fail.
+//
+//  0: Target
+//  1: Intermediate2
+//  2: Intermediate1
+//
+// Chains to trust anchor:
+//   Root     (provided by test data; has pathlen=1 constraint)
+TEST(VerifyCastDeviceCertTest, ViolatesPathlenTrustAnchorConstraint) {
+  // First do a control test -- when anchor constraints are NOT enforced this
+  // chain should validate just fine.
+  RunTest(RESULT_SUCCESS, "Target", CastDeviceCertPolicy::NONE,
+          "certificates/violates_root_pathlen_constraint.pem", AprilFirst2016(),
+          TRUST_STORE_FROM_TEST_FILE_UNCONSTRAINED, "");
+
+  // Now do the real test and verify validation fails when using a TrustAncho
+  // with pathlen constraint.
+  RunTest(RESULT_FAIL, "Target", CastDeviceCertPolicy::NONE,
+          "certificates/violates_root_pathlen_constraint.pem", AprilFirst2016(),
+          TRUST_STORE_FROM_TEST_FILE, "");
 }
 
 // ------------------------------------------------------
 // Valid signature using 1024-bit RSA key
 // ------------------------------------------------------
 
 // This test vector comes from the NIST test vectors (pkcs1v15sign-vectors.txt),
 // PKCS#1 v1.5 Signature Example 1.2.
 //
 // It is a valid signature using a 1024 bit key and SHA-1.
@@ skipping 117 matching lines @@
   auto context =
       CertVerificationContextImplForTest(CreateString(kEx2PublicKeySpki));
 
   EXPECT_TRUE(context->VerifySignatureOverData(CreateString(kEx2Signature),
                                                CreateString(kEx2Message)));
 }
 
 }  // namespace
 
 }  // namespace cast_certificate