Add errors per ResultPath for CertPathBuilder.

components/cast_certificate/cast_crl.cc

 // Copyright 2016 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "components/cast_certificate/cast_crl.h"
 
 #include <unordered_map>
 #include <unordered_set>
 
 #include "base/base64.h"
@@ skipping 127 matching lines @@
   if (!net::der::EncodeTimeAsGeneralizedTime(time, &verification_time)) {
     VLOG(2) << "CRL - Unable to parse verification time.";
     return false;
   }
   net::CertPathBuilder::Result result;
   net::CertPathBuilder path_builder(parsed_cert.get(), trust_store,
                                     signature_policy.get(), verification_time,
                                     &result);
   net::CompletionStatus rv = path_builder.Run(base::Closure());
   DCHECK_EQ(rv, net::CompletionStatus::SYNC);
-  if (!result.is_success() || result.paths.empty() ||
-      !result.paths[result.best_result_index]->is_success()) {
+  if (!result.HasValidPath()) {
     VLOG(2) << "CRL - Issuer certificate verification failed.";
+    // TODO(crbug.com/634443): Log the error information.
     return false;
   }
   // There are no requirements placed on the leaf certificate having any
   // particular KeyUsages. Leaf certificate checks are bypassed.
 
   // Verify the CRL is still valid.
   net::der::GeneralizedTime not_before;
   if (!ConvertTimeSeconds(tbs_crl.not_before_seconds(), &not_before)) {
     VLOG(2) << "CRL - Unable to parse not_before.";
     return false;
   }
   net::der::GeneralizedTime not_after;
   if (!ConvertTimeSeconds(tbs_crl.not_after_seconds(), &not_after)) {
     VLOG(2) << "CRL - Unable to parse not_after.";
     return false;
   }
   if ((verification_time < not_before) || (verification_time > not_after)) {
     VLOG(2) << "CRL - Not time-valid.";
     return false;
   }
 
   // Set CRL expiry to the earliest of the cert chain expiry and CRL expiry.
   // Note that the trust anchor is not part of this loop.
   // "expiration" of the trust anchor is handled instead by its
   // presence in the trust store.
   *overall_not_after = not_after;
-  for (const auto& cert : result.paths[result.best_result_index]->path.certs) {
+  for (const auto& cert : result.GetBestValidPath()->path.certs) {
     net::der::GeneralizedTime cert_not_after = cert->tbs().validity_not_after;
     if (cert_not_after < *overall_not_after)
       *overall_not_after = cert_not_after;
   }
 
   // Perform sanity check on serial numbers.
   for (const auto& range : tbs_crl.revoked_serial_number_ranges()) {
     uint64_t first_serial_number = range.first_serial_number();
     uint64_t last_serial_number = range.last_serial_number();
     if (last_serial_number < first_serial_number) {
@@ skipping 164 matching lines @@
 }
 
 std::unique_ptr<CastCRL> ParseAndVerifyCRLForTest(
     const std::string& crl_proto,
     const base::Time& time,
     net::TrustStore* trust_store) {
   return ParseAndVerifyCRL(crl_proto, time, trust_store);
 }
 
 }  // namespace cast_certificate