Add CertErrors* parameter to the main Certificate parsing functions.

components/cast_certificate/cast_cert_validator.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "components/cast_certificate/cast_cert_validator.h"
 
 #include <stddef.h>
 #include <stdint.h>
 
 #include <algorithm>
@@ skipping 49 matching lines @@
 
   CastTrustStore() {
     AddAnchor(kCastRootCaDer);
     AddAnchor(kEurekaRootCaDer);
   }
 
   // Adds a trust anchor given a DER-encoded certificate from static
   // storage.
   template <size_t N>
   void AddAnchor(const uint8_t (&data)[N]) {
+    net::CertErrors errors;
     scoped_refptr<net::ParsedCertificate> cert =
-        net::ParsedCertificate::CreateFromCertificateData(
-            data, N, net::ParsedCertificate::DataSource::EXTERNAL_REFERENCE,
-            {});
-    CHECK(cert);
+        net::ParsedCertificate::CreateWithoutCopyingUnsafe(data, N, {},
+                                                           &errors);
+    CHECK(cert) << errors.ToDebugString();
     // Enforce pathlen constraints and policies defined on the root certificate.
     scoped_refptr<net::TrustAnchor> anchor =
         net::TrustAnchor::CreateFromCertificateWithConstraints(std::move(cert));
     store_.AddTrustAnchor(std::move(anchor));
   }
 
   net::TrustStoreInMemory store_;
   DISALLOW_COPY_AND_ASSIGN(CastTrustStore);
 };
 
@@ skipping 163 matching lines @@
   // INTEGER (non-minimal encoding).
   //
   // Allow these sorts of serial numbers.
   //
   // TODO(eroman): At some point in the future this workaround will no longer be
   // necessary. Should revisit this for removal in 2017 if not earlier.
   options.allow_invalid_serial_numbers = true;
   return options;
 }
 
-// Verifies a cast device certficate given a chain of DER-encoded certificates.
+// Verifies a cast device certificate given a chain of DER-encoded certificates.
 bool VerifyDeviceCert(const std::vector<std::string>& certs,
                       const base::Time& time,
                       std::unique_ptr<CertVerificationContext>* context,
                       CastDeviceCertPolicy* policy,
                       const CastCRL* crl,
                       CRLPolicy crl_policy,
                       net::TrustStore* trust_store) {
   if (certs.empty())
     return false;
 
-  // No reference to these ParsedCertificates is kept past the end of this
-  // function, so using EXTERNAL_REFERENCE here is safe.
+  net::CertErrors errors;
   scoped_refptr<net::ParsedCertificate> target_cert;
   net::CertIssuerSourceStatic intermediate_cert_issuer_source;
   for (size_t i = 0; i < certs.size(); ++i) {
-    scoped_refptr<net::ParsedCertificate> cert(
-        net::ParsedCertificate::CreateFromCertificateData(
-            reinterpret_cast<const uint8_t*>(certs[i].data()), certs[i].size(),
-            net::ParsedCertificate::DataSource::EXTERNAL_REFERENCE,
-            GetCertParsingOptions()));
+    scoped_refptr<net::ParsedCertificate> cert(net::ParsedCertificate::Create(
+        certs[i], GetCertParsingOptions(), &errors));
+    // TODO(eroman): Propagate/log these parsing errors.
     if (!cert)
       return false;
 
     if (i == 0)
       target_cert = std::move(cert);
     else
       intermediate_cert_issuer_source.AddCert(std::move(cert));
   }
 
   // Use a signature policy compatible with Cast's PKI.
@@ skipping 59 matching lines @@
 
 std::unique_ptr<CertVerificationContext> CertVerificationContextImplForTest(
     const base::StringPiece& spki) {
   // Use a bogus CommonName, since this is just exposed for testing signature
   // verification by unittests.
   return base::MakeUnique<CertVerificationContextImpl>(net::der::Input(spki),
                                                        "CommonName");
 }
 
 }  // namespace cast_certificate