Add optional context for certificate errors.

net/cert/internal/verify_certificate_chain.cc

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/internal/verify_certificate_chain.h"
 
 #include <memory>
 
 #include "base/logging.h"
+#include "base/memory/ptr_util.h"
+#include "net/cert/internal/cert_error_params.h"
+#include "net/cert/internal/cert_error_scoper.h"
 #include "net/cert/internal/cert_errors.h"
 #include "net/cert/internal/name_constraints.h"
 #include "net/cert/internal/parse_certificate.h"
 #include "net/cert/internal/signature_algorithm.h"
 #include "net/cert/internal/signature_policy.h"
 #include "net/cert/internal/trust_store.h"
 #include "net/cert/internal/verify_signed_data.h"
 #include "net/der/input.h"
 #include "net/der/parser.h"
 
 namespace net {
 
 using namespace verify_certificate_chain_errors;
 
 namespace {
 
+DEFINE_CERT_ERROR_ID(kContextTrustAnchor, "Processing Trust Anchor");
+DEFINE_CERT_ERROR_ID(kContextCertificate, "Processing Certificate");
+
+class ScopedCertificateContext : public CertErrorScoper {
+ public:
+  ScopedCertificateContext(CertErrors* parent_errors, size_t index)
+      : CertErrorScoper(parent_errors), index_(index) {}
+
+  std::unique_ptr<CertErrorNode> BuildRootNode() override {
+    return base::MakeUnique<CertErrorNode>(
+        CertErrorNodeType::TYPE_CONTEXT, kContextCertificate,
+        CreateCertErrorParamsSizeT("index", index_));
+  }
+
+ private:
+  size_t index_;
+};
+
 // Returns true if the certificate does not contain any unconsumed _critical_
 // extensions.
 WARN_UNUSED_RESULT bool VerifyNoUnconsumedCriticalExtensions(
     const ParsedCertificate& cert,
     CertErrors* errors) {
   bool has_unconsumed_critical_extensions = false;
 
   for (const auto& entry : cert.unparsed_extensions()) {
     if (entry.second.critical) {
       has_unconsumed_critical_extensions = true;
-      errors->AddWith2DerParams(kUnconsumedCriticalExtension, entry.second.oid,
-                                entry.second.value);
+      errors->AddError(kUnconsumedCriticalExtension,
+                       CreateCertErrorParams2Der("oid", entry.second.oid,
+                                                 "value", entry.second.value));
     }
   }
 
   return !has_unconsumed_critical_extensions;
 }
 
 // Returns true if |cert| was self-issued. The definition of self-issuance
 // comes from RFC 5280 section 6.1:
 //
 //    A certificate is self-issued if the same DN appears in the subject
@@ skipping 69 matching lines @@
   const der::Input& alg2_tlv = cert.tbs().signature_algorithm_tlv;
 
   // Ensure that the two DER-encoded signature algorithms are byte-for-byte
   // equal.
   if (alg1_tlv == alg2_tlv)
     return true;
 
   // But make a compatibility concession for RSA with SHA1.
   if (IsRsaWithSha1SignatureAlgorithm(alg1_tlv) &&
       IsRsaWithSha1SignatureAlgorithm(alg2_tlv)) {
-    errors->AddWith2DerParams(kSignatureAlgorithmsDifferentEncoding, alg1_tlv,
-                              alg2_tlv);
+    errors->AddWarning(
+        kSignatureAlgorithmsDifferentEncoding,
+        CreateCertErrorParams2Der("Certificate.algorithm", alg1_tlv,
+                                  "TBSCertificate.signature", alg2_tlv));
     return true;
   }
 
-  errors->AddWith2DerParams(kSignatureAlgorithmMismatch, alg1_tlv, alg2_tlv);
+  errors->AddError(
+      kSignatureAlgorithmMismatch,
+      CreateCertErrorParams2Der("Certificate.algorithm", alg1_tlv,
+                                "TBSCertificate.signature", alg2_tlv));
 
   return false;
 }
 
 // This function corresponds to RFC 5280 section 6.1.3's "Basic Certificate
 // Processing" procedure.
 WARN_UNUSED_RESULT bool BasicCertificateProcessing(
     const ParsedCertificate& cert,
     bool is_target_cert,
     const SignaturePolicy* signature_policy,
     const der::GeneralizedTime& time,
     const der::Input& working_spki,
     const der::Input& working_normalized_issuer_name,
     const std::vector<const NameConstraints*>& name_constraints_list,
     CertErrors* errors) {
   // Check that the signature algorithms in Certificate vs TBSCertificate
   // match. This isn't part of RFC 5280 section 6.1.3, but is mandated by
   // sections 4.1.1.2 and 4.1.2.3.
   if (!VerifySignatureAlgorithmsMatch(cert, errors))
     return false;
 
   // Verify the digital signature using the previous certificate's key (RFC
   // 5280 section 6.1.3 step a.1).
   if (!cert.has_valid_supported_signature_algorithm()) {
-    errors->AddWith1DerParam(kInvalidOrUnsupportedAlgorithm,
-                             cert.signature_algorithm_tlv());
+    errors->AddError(
+        kInvalidOrUnsupportedSignatureAlgorithm,
+        CreateCertErrorParams1Der("algorithm", cert.signature_algorithm_tlv()));
     return false;
   }
 
   if (!VerifySignedData(cert.signature_algorithm(), cert.tbs_certificate_tlv(),
                         cert.signature_value(), working_spki, signature_policy,
                         errors)) {
     errors->Add(kVerifySignedDataFailed);
     return false;
   }
 
@@ skipping 218 matching lines @@
 }
 
 // Initializes the path validation algorithm given anchor constraints. This
 // follows the description in RFC 5937
 WARN_UNUSED_RESULT bool ProcessTrustAnchorConstraints(
     const TrustAnchor& trust_anchor,
     size_t* max_path_length_ptr,
     std::vector<const NameConstraints*>* name_constraints_list,
     CertErrors* errors) {
   // Set the trust anchor as the current context for any subsequent errors.
-  ScopedCertErrorsTrustAnchorContext error_context(errors, &trust_anchor);
+  CertErrorScoperNoParams error_context(errors, kContextTrustAnchor);

[mattm, 2016/09/12 22:26:39]

nit, but the naming style mismatch between CertErrorScoperNoParams and
ScopedCertificateContext bugs me a little.

[eroman, 2016/09/12 23:04:35]

Done.

 
   // In RFC 5937 the enforcement of anchor constraints is governed by the input
   // enforceTrustAnchorConstraints to path validation. In our implementation
   // this is always on, and enforcement is controlled solely by whether or not
   // the trust anchor specified constraints.
   if (!trust_anchor.enforces_constraints())
     return true;
 
   // Anchor constraints are encoded via the attached certificate.
   const ParsedCertificate& cert = *trust_anchor.cert();
@@ skipping 114 matching lines @@
     const size_t index_into_certs = certs.size() - i - 1;
 
     // |is_target_cert| is true if the current certificate is the target
     // certificate being verified. The target certificate isn't necessarily an
     // end-entity certificate.
     const bool is_target_cert = index_into_certs == 0;
 
     const ParsedCertificate& cert = *certs[index_into_certs];
 
     // Set the current certificate as the context for any subsequent errors.
-    ScopedCertErrorsCertContext error_context(errors, &cert, i);
+    ScopedCertificateContext error_context(errors, i);
 
     // Per RFC 5280 section 6.1:
     //  * Do basic processing for each certificate
     //  * If it is the last certificate in the path (target certificate)
     //     - Then run "Wrap up"
     //     - Otherwise run "Prepare for Next cert"
     if (!BasicCertificateProcessing(
             cert, is_target_cert, signature_policy, time, working_spki,
             working_normalized_issuer_name, name_constraints_list, errors)) {
       return false;
@@ skipping 13 matching lines @@
   // TODO(eroman): RFC 5280 forbids duplicate certificates per section 6.1:
   //
   //    A certificate MUST NOT appear more than once in a prospective
   //    certification path.
 
   return true;
 }
 
 namespace verify_certificate_chain_errors {
 
-DEFINE_CERT_ERROR_TYPE(
+DEFINE_CERT_ERROR_ID(
     kSignatureAlgorithmMismatch,
     "Certificate.signatureAlgorithm != TBSCertificate.signature");
-DEFINE_CERT_ERROR_TYPE(kInvalidOrUnsupportedAlgorithm,
-                       "Invalid or unsupported signature algorithm");
-DEFINE_CERT_ERROR_TYPE(kChainIsEmpty, "Chain is empty");
-DEFINE_CERT_ERROR_TYPE(kUnconsumedCriticalExtension,
-                       "Unconsumed critical extension");
-DEFINE_CERT_ERROR_TYPE(
+DEFINE_CERT_ERROR_ID(kInvalidOrUnsupportedSignatureAlgorithm,
+                     "Invalid or unsupported signature algorithm");
+DEFINE_CERT_ERROR_ID(kChainIsEmpty, "Chain is empty");
+DEFINE_CERT_ERROR_ID(kUnconsumedCriticalExtension,
+                     "Unconsumed critical extension");
+DEFINE_CERT_ERROR_ID(
     kTargetCertInconsistentCaBits,
     "Target certificate looks like a CA but does not set all CA properties");
-DEFINE_CERT_ERROR_TYPE(kKeyCertSignBitNotSet, "keyCertSign bit is not set");
-DEFINE_CERT_ERROR_TYPE(kMaxPathLengthViolated, "max_path_length reached");
-DEFINE_CERT_ERROR_TYPE(kBasicConstraintsIndicatesNotCa,
-                       "Basic Constraints indicates not a CA");
-DEFINE_CERT_ERROR_TYPE(kMissingBasicConstraints,
-                       "Does not have Basic Constraints");
-DEFINE_CERT_ERROR_TYPE(kNotPermittedByNameConstraints,
-                       "Not permitted by name constraints");
-DEFINE_CERT_ERROR_TYPE(kSubjectDoesNotMatchIssuer,
-                       "subject does not match issuer");
-DEFINE_CERT_ERROR_TYPE(kVerifySignedDataFailed, "VerifySignedData failed");
-DEFINE_CERT_ERROR_TYPE(kValidityFailedNotAfter, "Time is after notAfter");
-DEFINE_CERT_ERROR_TYPE(kValidityFailedNotBefore, "Time is before notBefore");
-DEFINE_CERT_ERROR_TYPE(kSignatureAlgorithmsDifferentEncoding,
-                       "Certificate.signatureAlgorithm is encoded differently "
-                       "than TBSCertificate.signature");
+DEFINE_CERT_ERROR_ID(kKeyCertSignBitNotSet, "keyCertSign bit is not set");
+DEFINE_CERT_ERROR_ID(kMaxPathLengthViolated, "max_path_length reached");
+DEFINE_CERT_ERROR_ID(kBasicConstraintsIndicatesNotCa,
+                     "Basic Constraints indicates not a CA");
+DEFINE_CERT_ERROR_ID(kMissingBasicConstraints,
+                     "Does not have Basic Constraints");
+DEFINE_CERT_ERROR_ID(kNotPermittedByNameConstraints,
+                     "Not permitted by name constraints");
+DEFINE_CERT_ERROR_ID(kSubjectDoesNotMatchIssuer,
+                     "subject does not match issuer");
+DEFINE_CERT_ERROR_ID(kVerifySignedDataFailed, "VerifySignedData failed");
+DEFINE_CERT_ERROR_ID(kValidityFailedNotAfter, "Time is after notAfter");
+DEFINE_CERT_ERROR_ID(kValidityFailedNotBefore, "Time is before notBefore");
+DEFINE_CERT_ERROR_ID(kSignatureAlgorithmsDifferentEncoding,
+                     "Certificate.signatureAlgorithm is encoded differently "
+                     "than TBSCertificate.signature");
 
 }  // verify_certificate_chain_errors
 
 }  // namespace net