Remove CertErrors::Add(); use CertErrors::AddError() instead.

net/cert/internal/verify_certificate_chain.cc

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/internal/verify_certificate_chain.h"
 
 #include <memory>
 
 #include "base/logging.h"
 #include "base/memory/ptr_util.h"
@@ skipping 75 matching lines @@
 //
 // The certificate's validity requirements are described by RFC 5280 section
 // 4.1.2.5:
 //
 //    The validity period for a certificate is the period of time from
 //    notBefore through notAfter, inclusive.
 WARN_UNUSED_RESULT bool VerifyTimeValidity(const ParsedCertificate& cert,
                                            const der::GeneralizedTime time,
                                            CertErrors* errors) {
   if (time < cert.tbs().validity_not_before) {
-    errors->Add(kValidityFailedNotBefore);
+    errors->AddError(kValidityFailedNotBefore);
     return false;
   }
 
   if (cert.tbs().validity_not_after < time) {
-    errors->Add(kValidityFailedNotAfter);
+    errors->AddError(kValidityFailedNotAfter);
     return false;
   }
 
   return true;
 }
 
 // Returns true if |signature_algorithm_tlv| is a valid algorithm encoding for
 // RSA with SHA1.
 WARN_UNUSED_RESULT bool IsRsaWithSha1SignatureAlgorithm(
     const der::Input& signature_algorithm_tlv) {
@@ skipping 75 matching lines @@
   if (!cert.has_valid_supported_signature_algorithm()) {
     errors->AddError(
         kInvalidOrUnsupportedSignatureAlgorithm,
         CreateCertErrorParams1Der("algorithm", cert.signature_algorithm_tlv()));
     return false;
   }
 
   if (!VerifySignedData(cert.signature_algorithm(), cert.tbs_certificate_tlv(),
                         cert.signature_value(), working_spki, signature_policy,
                         errors)) {
-    errors->Add(kVerifySignedDataFailed);
+    errors->AddError(kVerifySignedDataFailed);
     return false;
   }
 
   // Check the time range for the certificate's validity, ensuring it is valid
   // at |time|.
   // (RFC 5280 section 6.1.3 step a.2)
   if (!VerifyTimeValidity(cert, time, errors))
     return false;
 
   // TODO(eroman): Check revocation (RFC 5280 section 6.1.3 step a.3)
 
   // Verify the certificate's issuer name matches the issuing certificate's
   // subject name. (RFC 5280 section 6.1.3 step a.4)
   if (cert.normalized_issuer() != working_normalized_issuer_name) {
-    errors->Add(kSubjectDoesNotMatchIssuer);
+    errors->AddError(kSubjectDoesNotMatchIssuer);
     return false;
   }
 
   // Name constraints (RFC 5280 section 6.1.3 step b & c)
   // If certificate i is self-issued and it is not the final certificate in the
   // path, skip this step for certificate i.
   if (!name_constraints_list.empty() &&
       (!IsSelfIssued(cert) || is_target_cert)) {
     for (const NameConstraints* nc : name_constraints_list) {
       if (!nc->IsPermittedCert(cert.normalized_subject(),
                                cert.subject_alt_names())) {
-        errors->Add(kNotPermittedByNameConstraints);
+        errors->AddError(kNotPermittedByNameConstraints);
         return false;
       }
     }
   }
 
   // TODO(eroman): Steps d-f are omitted, as policy constraints are not yet
   // implemented.
 
   return true;
 }
@@ skipping 38 matching lines @@
   //    TRUE.  (If certificate i is a version 1 or version 2
   //    certificate, then the application MUST either verify that
   //    certificate i is a CA certificate through out-of-band means
   //    or reject the certificate.  Conforming implementations may
   //    choose to reject all version 1 and version 2 intermediate
   //    certificates.)
   //
   // This code implicitly rejects non version 3 intermediates, since they
   // can't contain a BasicConstraints extension.
   if (!cert.has_basic_constraints()) {
-    errors->Add(kMissingBasicConstraints);
+    errors->AddError(kMissingBasicConstraints);
     return false;
   }
 
   if (!cert.basic_constraints().is_ca) {
-    errors->Add(kBasicConstraintsIndicatesNotCa);
+    errors->AddError(kBasicConstraintsIndicatesNotCa);
     return false;
   }
 
   // From RFC 5280 section 6.1.4 step l:
   //
   //    If the certificate was not self-issued, verify that
   //    max_path_length is greater than zero and decrement
   //    max_path_length by 1.
   if (!IsSelfIssued(cert)) {
     if (*max_path_length_ptr == 0) {
-      errors->Add(kMaxPathLengthViolated);
+      errors->AddError(kMaxPathLengthViolated);
       return false;
     }
     --(*max_path_length_ptr);
   }
 
   // From RFC 5280 section 6.1.4 step m:
   //
   //    If pathLenConstraint is present in the certificate and is
   //    less than max_path_length, set max_path_length to the value
   //    of pathLenConstraint.
   if (cert.basic_constraints().has_path_len &&
       cert.basic_constraints().path_len < *max_path_length_ptr) {
     *max_path_length_ptr = cert.basic_constraints().path_len;
   }
 
   // From RFC 5280 section 6.1.4 step n:
   //
   //    If a key usage extension is present, verify that the
   //    keyCertSign bit is set.
   if (cert.has_key_usage() &&
       !cert.key_usage().AssertsBit(KEY_USAGE_BIT_KEY_CERT_SIGN)) {
-    errors->Add(kKeyCertSignBitNotSet);
+    errors->AddError(kKeyCertSignBitNotSet);
     return false;
   }
 
   // From RFC 5280 section 6.1.4 step o:
   //
   //    Recognize and process any other critical extension present in
   //    the certificate.  Process any other recognized non-critical
   //    extension present in the certificate that is relevant to path
   //    processing.
   if (!VerifyNoUnconsumedCriticalExtensions(cert, errors))
@@ skipping 37 matching lines @@
 
   // If it "looks" like a CA because it has a CA-only property, then check that
   // it sets ALL the properties expected of a CA.
   if (has_ca_property) {
     bool success = cert.has_basic_constraints() &&
                    cert.basic_constraints().is_ca &&
                    (!cert.has_key_usage() ||
                     cert.key_usage().AssertsBit(KEY_USAGE_BIT_KEY_CERT_SIGN));
     if (!success) {
       // TODO(eroman): Add DER for basic constraints and key usage.
-      errors->Add(kTargetCertInconsistentCaBits);
+      errors->AddError(kTargetCertInconsistentCaBits);
     }
 
     return success;
   }
 
   return true;
 }
 
 // This function corresponds with RFC 5280 section 6.1.5's "Wrap-Up Procedure".
 // It does processing for the final certificate (the target cert).
@@ skipping 96 matching lines @@
                             const TrustAnchor* trust_anchor,
                             const SignaturePolicy* signature_policy,
                             const der::GeneralizedTime& time,
                             CertErrors* errors) {
   DCHECK(trust_anchor);
   DCHECK(signature_policy);
   DCHECK(errors);
 
   // An empty chain is necessarily invalid.
   if (certs.empty()) {
-    errors->Add(kChainIsEmpty);
+    errors->AddError(kChainIsEmpty);
     return false;
   }
 
   // Will contain a NameConstraints for each previous cert in the chain which
   // had nameConstraints. This corresponds to the permitted_subtrees and
   // excluded_subtrees state variables from RFC 5280.
   std::vector<const NameConstraints*> name_constraints_list;
 
   // |working_spki| is an amalgamation of 3 separate variables from RFC 5280:
   //    * working_public_key
@@ skipping 112 matching lines @@
 DEFINE_CERT_ERROR_ID(kVerifySignedDataFailed, "VerifySignedData failed");
 DEFINE_CERT_ERROR_ID(kValidityFailedNotAfter, "Time is after notAfter");
 DEFINE_CERT_ERROR_ID(kValidityFailedNotBefore, "Time is before notBefore");
 DEFINE_CERT_ERROR_ID(kSignatureAlgorithmsDifferentEncoding,
                      "Certificate.signatureAlgorithm is encoded differently "
                      "than TBSCertificate.signature");
 
 }  // verify_certificate_chain_errors
 
 }  // namespace net