Add error information to VerifySignedData().

net/cert/internal/verify_certificate_chain.cc

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/internal/verify_certificate_chain.h"
 
 #include <memory>
 
 #include "base/logging.h"
 #include "net/cert/internal/cert_errors.h"
@@ skipping 142 matching lines @@
 
   // Verify the digital signature using the previous certificate's key (RFC
   // 5280 section 6.1.3 step a.1).
   if (!cert.has_valid_supported_signature_algorithm()) {
     errors->AddWith1DerParam(kInvalidOrUnsupportedAlgorithm,
                              cert.signature_algorithm_tlv());
     return false;
   }
 
   if (!VerifySignedData(cert.signature_algorithm(), cert.tbs_certificate_tlv(),
-                        cert.signature_value(), working_spki,
-                        signature_policy)) {
-    errors->Add(kSignatureVerificationFailed);
+                        cert.signature_value(), working_spki, signature_policy,
+                        errors)) {
+    errors->Add(kVerifySignedDataFailed);

[eroman, 2016/08/30 21:57:40]

I will explore making errors hiearchical in a follow-up to try and address this
deficiency.

For now the errors is a flat list, and there may be some duplicate entries,
which effectively describe the same issue but at varying levels of granularity.

(Need to circle back on that "scoped" context stuff I had added, and see if that
makes sense as a general mechanism, or if errors should just inherently be
hiearchical and have sub-errors within them).

     return false;
   }
 
   // Check the time range for the certificate's validity, ensuring it is valid
   // at |time|.
   // (RFC 5280 section 6.1.3 step a.2)
   if (!VerifyTimeValidity(cert, time, errors))
     return false;
 
   // TODO(eroman): Check revocation (RFC 5280 section 6.1.3 step a.3)
@@ skipping 405 matching lines @@
 DEFINE_CERT_ERROR_TYPE(kKeyCertSignBitNotSet, "keyCertSign bit is not set");
 DEFINE_CERT_ERROR_TYPE(kMaxPathLengthViolated, "max_path_length reached");
 DEFINE_CERT_ERROR_TYPE(kBasicConstraintsIndicatesNotCa,
                        "Basic Constraints indicates not a CA");
 DEFINE_CERT_ERROR_TYPE(kMissingBasicConstraints,
                        "Does not have Basic Constraints");
 DEFINE_CERT_ERROR_TYPE(kNotPermittedByNameConstraints,
                        "Not permitted by name constraints");
 DEFINE_CERT_ERROR_TYPE(kSubjectDoesNotMatchIssuer,
                        "subject does not match issuer");
-DEFINE_CERT_ERROR_TYPE(kSignatureVerificationFailed,
-                       "Signature verification failed");
+DEFINE_CERT_ERROR_TYPE(kVerifySignedDataFailed, "VerifySignedData failed");
 DEFINE_CERT_ERROR_TYPE(kValidityFailedNotAfter, "Time is after notAfter");
 DEFINE_CERT_ERROR_TYPE(kValidityFailedNotBefore, "Time is before notBefore");
 DEFINE_CERT_ERROR_TYPE(kSignatureAlgorithmsDifferentEncoding,
                        "Certificate.signatureAlgorithm is encoded differently "
                        "than TBSCertificate.signature");
 DEFINE_CERT_ERROR_TYPE(kNullTrustAnchor, "Missing trust anchor");
 
 }  // verify_certificate_chain_errors
 
 }  // namespace net