Improvements to the net/cert/internal error handling.

net/cert/internal/verify_certificate_chain.cc

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/internal/verify_certificate_chain.h"
 
 #include <memory>
 
 #include "base/logging.h"
 #include "base/memory/ptr_util.h"
 #include "net/cert/internal/cert_error_params.h"
-#include "net/cert/internal/cert_error_scoper.h"
 #include "net/cert/internal/cert_errors.h"
 #include "net/cert/internal/name_constraints.h"
 #include "net/cert/internal/parse_certificate.h"
 #include "net/cert/internal/signature_algorithm.h"
 #include "net/cert/internal/signature_policy.h"
 #include "net/cert/internal/trust_store.h"
 #include "net/cert/internal/verify_signed_data.h"
 #include "net/der/input.h"
 #include "net/der/parser.h"
 
@@ skipping 27 matching lines @@
                      "Does not have Basic Constraints");
 DEFINE_CERT_ERROR_ID(kNotPermittedByNameConstraints,
                      "Not permitted by name constraints");
 DEFINE_CERT_ERROR_ID(kSubjectDoesNotMatchIssuer,
                      "subject does not match issuer");
 DEFINE_CERT_ERROR_ID(kVerifySignedDataFailed, "VerifySignedData failed");
 DEFINE_CERT_ERROR_ID(kSignatureAlgorithmsDifferentEncoding,
                      "Certificate.signatureAlgorithm is encoded differently "
                      "than TBSCertificate.signature");
 
-DEFINE_CERT_ERROR_ID(kContextTrustAnchor, "Processing Trust Anchor");
-DEFINE_CERT_ERROR_ID(kContextCertificate, "Processing Certificate");
-
-// This class changes the error scope to indicate which certificate in the
-// chain is currently being processed.
-class CertErrorScoperForCert : public CertErrorScoper {
- public:
-  CertErrorScoperForCert(CertErrors* parent_errors, size_t index)
-      : CertErrorScoper(parent_errors), index_(index) {}
-
-  std::unique_ptr<CertErrorNode> BuildRootNode() override {
-    return base::MakeUnique<CertErrorNode>(
-        CertErrorNodeType::TYPE_CONTEXT, kContextCertificate,
-        CreateCertErrorParams1SizeT("index", index_));
-  }
-
- private:
-  size_t index_;
-
-  DISALLOW_COPY_AND_ASSIGN(CertErrorScoperForCert);
-};
-
-// Returns true if the certificate does not contain any unconsumed _critical_
+// Adds errors to |errors| if the certificate contains unconsumed _critical_
 // extensions.
-WARN_UNUSED_RESULT bool VerifyNoUnconsumedCriticalExtensions(
-    const ParsedCertificate& cert,
-    CertErrors* errors) {
-  bool has_unconsumed_critical_extensions = false;
-
+void VerifyNoUnconsumedCriticalExtensions(const ParsedCertificate& cert,
+                                          CertErrors* errors) {
   for (const auto& entry : cert.unparsed_extensions()) {
     if (entry.second.critical) {
-      has_unconsumed_critical_extensions = true;
       errors->AddError(kUnconsumedCriticalExtension,
                        CreateCertErrorParams2Der("oid", entry.second.oid,
                                                  "value", entry.second.value));
     }
   }
-
-  return !has_unconsumed_critical_extensions;
 }
 
 // Returns true if |cert| was self-issued. The definition of self-issuance
 // comes from RFC 5280 section 6.1:
 //
 //    A certificate is self-issued if the same DN appears in the subject
 //    and issuer fields (the two DNs are the same if they match according
 //    to the rules specified in Section 7.1).  In general, the issuer and
 //    subject of the certificates that make up a path are different for
 //    each certificate.  However, a CA may issue a certificate to itself to
 //    support key rollover or changes in certificate policies.  These
 //    self-issued certificates are not counted when evaluating path length
 //    or name constraints.
 WARN_UNUSED_RESULT bool IsSelfIssued(const ParsedCertificate& cert) {
   return cert.normalized_subject() == cert.normalized_issuer();
 }
 
-// Returns true if |cert| is valid at time |time|.
+// Adds errors to |errors| if |cert| is not valid at time |time|.
 //
 // The certificate's validity requirements are described by RFC 5280 section
 // 4.1.2.5:
 //
 //    The validity period for a certificate is the period of time from
 //    notBefore through notAfter, inclusive.
-WARN_UNUSED_RESULT bool VerifyTimeValidity(const ParsedCertificate& cert,
-                                           const der::GeneralizedTime time,
-                                           CertErrors* errors) {
-  if (time < cert.tbs().validity_not_before) {
+void VerifyTimeValidity(const ParsedCertificate& cert,
+                        const der::GeneralizedTime time,
+                        CertErrors* errors) {
+  if (time < cert.tbs().validity_not_before)
     errors->AddError(kValidityFailedNotBefore);
-    return false;
-  }
 
-  if (cert.tbs().validity_not_after < time) {
+  if (cert.tbs().validity_not_after < time)
     errors->AddError(kValidityFailedNotAfter);
-    return false;
-  }
-
-  return true;
 }
 
-// Returns true if |cert| has internally consistent signature algorithms.
+// Adds errors to |errors| if |cert| has internally inconsistent signature
+// algorithms.
 //
 // X.509 certificates contain two different signature algorithms:
 //  (1) The signatureAlgorithm field of Certificate
 //  (2) The signature field of TBSCertificate
 //
 // According to RFC 5280 section 4.1.1.2 and 4.1.2.3 these two fields must be
 // equal:
 //
 //     This field MUST contain the same algorithm identifier as the
 //     signature field in the sequence tbsCertificate (Section 4.1.2.3).
 //
 // The spec is not explicit about what "the same algorithm identifier" means.
 // Our interpretation is that the two DER-encoded fields must be byte-for-byte
 // identical.
 //
 // In practice however there are certificates which use different encodings for
 // specifying RSA with SHA1 (different OIDs). This is special-cased for
 // compatibility sake.
-WARN_UNUSED_RESULT bool VerifySignatureAlgorithmsMatch(
-    const ParsedCertificate& cert,
-    CertErrors* errors) {
+void VerifySignatureAlgorithmsMatch(const ParsedCertificate& cert,
+                                    CertErrors* errors) {
   const der::Input& alg1_tlv = cert.signature_algorithm_tlv();
   const der::Input& alg2_tlv = cert.tbs().signature_algorithm_tlv;
 
   // Ensure that the two DER-encoded signature algorithms are byte-for-byte
   // equal.
   if (alg1_tlv == alg2_tlv)
-    return true;
+    return;
 
   // But make a compatibility concession if alternate encodings are used
   // TODO(eroman): Turn this warning into an error.
   // TODO(eroman): Add a unit-test that exercises this case.
   if (SignatureAlgorithm::IsEquivalent(alg1_tlv, alg2_tlv)) {
     errors->AddWarning(
         kSignatureAlgorithmsDifferentEncoding,
         CreateCertErrorParams2Der("Certificate.algorithm", alg1_tlv,
                                   "TBSCertificate.signature", alg2_tlv));
-    return true;
+    return;
   }
 
   errors->AddError(
       kSignatureAlgorithmMismatch,
       CreateCertErrorParams2Der("Certificate.algorithm", alg1_tlv,
                                 "TBSCertificate.signature", alg2_tlv));
-
-  return false;
 }
 
 // This function corresponds to RFC 5280 section 6.1.3's "Basic Certificate
 // Processing" procedure.
-WARN_UNUSED_RESULT bool BasicCertificateProcessing(
+void BasicCertificateProcessing(
     const ParsedCertificate& cert,
     bool is_target_cert,
     const SignaturePolicy* signature_policy,
     const der::GeneralizedTime& time,
     const der::Input& working_spki,
     const der::Input& working_normalized_issuer_name,
     const std::vector<const NameConstraints*>& name_constraints_list,
     CertErrors* errors) {
   // Check that the signature algorithms in Certificate vs TBSCertificate
   // match. This isn't part of RFC 5280 section 6.1.3, but is mandated by
   // sections 4.1.1.2 and 4.1.2.3.
-  if (!VerifySignatureAlgorithmsMatch(cert, errors))
-    return false;
+  VerifySignatureAlgorithmsMatch(cert, errors);
 
   // Verify the digital signature using the previous certificate's key (RFC
   // 5280 section 6.1.3 step a.1).
   if (!cert.has_valid_supported_signature_algorithm()) {
     errors->AddError(
         kInvalidOrUnsupportedSignatureAlgorithm,
         CreateCertErrorParams1Der("algorithm", cert.signature_algorithm_tlv()));
-    return false;
-  }
-
-  if (!VerifySignedData(cert.signature_algorithm(), cert.tbs_certificate_tlv(),
-                        cert.signature_value(), working_spki, signature_policy,
-                        errors)) {
-    errors->AddError(kVerifySignedDataFailed);
-    return false;
+  } else {
+    if (!VerifySignedData(cert.signature_algorithm(),
+                          cert.tbs_certificate_tlv(), cert.signature_value(),
+                          working_spki, signature_policy, errors)) {
+      errors->AddError(kVerifySignedDataFailed);
+    }
   }
 
   // Check the time range for the certificate's validity, ensuring it is valid
   // at |time|.
   // (RFC 5280 section 6.1.3 step a.2)
-  if (!VerifyTimeValidity(cert, time, errors))
-    return false;
+  VerifyTimeValidity(cert, time, errors);
 
   // TODO(eroman): Check revocation (RFC 5280 section 6.1.3 step a.3)
 
   // Verify the certificate's issuer name matches the issuing certificate's
   // subject name. (RFC 5280 section 6.1.3 step a.4)
-  if (cert.normalized_issuer() != working_normalized_issuer_name) {
+  if (cert.normalized_issuer() != working_normalized_issuer_name)
     errors->AddError(kSubjectDoesNotMatchIssuer);
-    return false;
-  }
 
   // Name constraints (RFC 5280 section 6.1.3 step b & c)
   // If certificate i is self-issued and it is not the final certificate in the
   // path, skip this step for certificate i.
   if (!name_constraints_list.empty() &&
       (!IsSelfIssued(cert) || is_target_cert)) {
     for (const NameConstraints* nc : name_constraints_list) {
       if (!nc->IsPermittedCert(cert.normalized_subject(),
                                cert.subject_alt_names())) {
         errors->AddError(kNotPermittedByNameConstraints);
-        return false;
       }
     }
   }
 
   // TODO(eroman): Steps d-f are omitted, as policy constraints are not yet
   // implemented.
-
-  return true;
 }
 
 // This function corresponds to RFC 5280 section 6.1.4's "Preparation for
 // Certificate i+1" procedure. |cert| is expected to be an intermediate.
-WARN_UNUSED_RESULT bool PrepareForNextCertificate(
+void PrepareForNextCertificate(
     const ParsedCertificate& cert,
     size_t* max_path_length_ptr,
     der::Input* working_spki,
     der::Input* working_normalized_issuer_name,
     std::vector<const NameConstraints*>* name_constraints_list,
     CertErrors* errors) {
   // TODO(crbug.com/634456): Steps a-b are omitted, as policy mappings are not
   // yet implemented.
 
   // From RFC 5280 section 6.1.4 step c:
@@ skipping 25 matching lines @@
   //    certificate, then the application MUST either verify that
   //    certificate i is a CA certificate through out-of-band means
   //    or reject the certificate.  Conforming implementations may
   //    choose to reject all version 1 and version 2 intermediate
   //    certificates.)
   //
   // This code implicitly rejects non version 3 intermediates, since they
   // can't contain a BasicConstraints extension.
   if (!cert.has_basic_constraints()) {
     errors->AddError(kMissingBasicConstraints);
-    return false;
-  }
-
-  if (!cert.basic_constraints().is_ca) {
+  } else if (!cert.basic_constraints().is_ca) {
     errors->AddError(kBasicConstraintsIndicatesNotCa);
-    return false;
   }
 
   // From RFC 5280 section 6.1.4 step l:
   //
   //    If the certificate was not self-issued, verify that
   //    max_path_length is greater than zero and decrement
   //    max_path_length by 1.
   if (!IsSelfIssued(cert)) {
     if (*max_path_length_ptr == 0) {
       errors->AddError(kMaxPathLengthViolated);
-      return false;
+    } else {
+      --(*max_path_length_ptr);
     }
-    --(*max_path_length_ptr);
   }
 
   // From RFC 5280 section 6.1.4 step m:
   //
   //    If pathLenConstraint is present in the certificate and is
   //    less than max_path_length, set max_path_length to the value
   //    of pathLenConstraint.
-  if (cert.basic_constraints().has_path_len &&
+  if (cert.has_basic_constraints() && cert.basic_constraints().has_path_len &&
       cert.basic_constraints().path_len < *max_path_length_ptr) {
     *max_path_length_ptr = cert.basic_constraints().path_len;
   }
 
   // From RFC 5280 section 6.1.4 step n:
   //
   //    If a key usage extension is present, verify that the
   //    keyCertSign bit is set.
   if (cert.has_key_usage() &&
       !cert.key_usage().AssertsBit(KEY_USAGE_BIT_KEY_CERT_SIGN)) {
     errors->AddError(kKeyCertSignBitNotSet);
-    return false;
   }
 
   // From RFC 5280 section 6.1.4 step o:
   //
   //    Recognize and process any other critical extension present in
   //    the certificate.  Process any other recognized non-critical
   //    extension present in the certificate that is relevant to path
   //    processing.
-  if (!VerifyNoUnconsumedCriticalExtensions(cert, errors))
-    return false;
-
-  return true;
+  VerifyNoUnconsumedCriticalExtensions(cert, errors);
 }
 
 // Checks that if the target certificate has properties that only a CA should
 // have (keyCertSign, CA=true, pathLenConstraint), then its other properties
-// are consistent with being a CA.
+// are consistent with being a CA. If it does, adds errors to |errors|.
 //
 // This follows from some requirements in RFC 5280 section 4.2.1.9. In
 // particular:
 //
 //    CAs MUST NOT include the pathLenConstraint field unless the cA
 //    boolean is asserted and the key usage extension asserts the
 //    keyCertSign bit.
 //
 // And:
 //
 //    If the cA boolean is not asserted, then the keyCertSign bit in the key
 //    usage extension MUST NOT be asserted.
 //
 // TODO(eroman): Strictly speaking the first requirement is on CAs and not the
 // certificate client, so could be skipped.
 //
 // TODO(eroman): I don't believe Firefox enforces the keyCertSign restriction
 // for compatibility reasons. Investigate if we need to similarly relax this
 // constraint.
-WARN_UNUSED_RESULT bool VerifyTargetCertHasConsistentCaBits(
-    const ParsedCertificate& cert,
-    CertErrors* errors) {
+void VerifyTargetCertHasConsistentCaBits(const ParsedCertificate& cert,
+                                         CertErrors* errors) {
   // Check if the certificate contains any property specific to CAs.
   bool has_ca_property =
       (cert.has_basic_constraints() &&
        (cert.basic_constraints().is_ca ||
         cert.basic_constraints().has_path_len)) ||
       (cert.has_key_usage() &&
        cert.key_usage().AssertsBit(KEY_USAGE_BIT_KEY_CERT_SIGN));
 
   // If it "looks" like a CA because it has a CA-only property, then check that
   // it sets ALL the properties expected of a CA.
   if (has_ca_property) {
     bool success = cert.has_basic_constraints() &&
                    cert.basic_constraints().is_ca &&
                    (!cert.has_key_usage() ||
                     cert.key_usage().AssertsBit(KEY_USAGE_BIT_KEY_CERT_SIGN));
     if (!success) {
       // TODO(eroman): Add DER for basic constraints and key usage.
       errors->AddError(kTargetCertInconsistentCaBits);
     }
-
-    return success;
   }
-
-  return true;
 }
 
 // This function corresponds with RFC 5280 section 6.1.5's "Wrap-Up Procedure".
 // It does processing for the final certificate (the target cert).
-WARN_UNUSED_RESULT bool WrapUp(const ParsedCertificate& cert,
-                               CertErrors* errors) {
+void WrapUp(const ParsedCertificate& cert, CertErrors* errors) {
   // TODO(crbug.com/634452): Steps a-b are omitted as policy constraints are not
   // yet implemented.
 
   // Note step c-e are omitted the verification function does
   // not output the working public key.
 
   // From RFC 5280 section 6.1.5 step f:
   //
   //    Recognize and process any other critical extension present in
   //    the certificate n.  Process any other recognized non-critical
   //    extension present in certificate n that is relevant to path
   //    processing.
   //
   // Note that this is duplicated by PrepareForNextCertificate() so as to
   // directly match the procedures in RFC 5280's section 6.1.
-  if (!VerifyNoUnconsumedCriticalExtensions(cert, errors))
-    return false;
+  VerifyNoUnconsumedCriticalExtensions(cert, errors);
 
   // TODO(eroman): Step g is omitted, as policy constraints are not yet
   // implemented.
 
   // The following check is NOT part of RFC 5280 6.1.5's "Wrap-Up Procedure",
   // however is implied by RFC 5280 section 4.2.1.9.
-  if (!VerifyTargetCertHasConsistentCaBits(cert, errors))
-    return false;
-
-  return true;
+  VerifyTargetCertHasConsistentCaBits(cert, errors);
 }
 
 // Initializes the path validation algorithm given anchor constraints. This
 // follows the description in RFC 5937
-WARN_UNUSED_RESULT bool ProcessTrustAnchorConstraints(
+void ProcessTrustAnchorConstraints(
     const TrustAnchor& trust_anchor,
     size_t* max_path_length_ptr,
     std::vector<const NameConstraints*>* name_constraints_list,
     CertErrors* errors) {
-  // Set the trust anchor as the current context for any subsequent errors.
-  CertErrorScoperNoParams error_context(errors, kContextTrustAnchor);
-
   // In RFC 5937 the enforcement of anchor constraints is governed by the input
   // enforceTrustAnchorConstraints to path validation. In our implementation
   // this is always on, and enforcement is controlled solely by whether or not
   // the trust anchor specified constraints.
   if (!trust_anchor.enforces_constraints())
-    return true;
+    return;
 
   // Anchor constraints are encoded via the attached certificate.
   const ParsedCertificate& cert = *trust_anchor.cert();
 
   // The following enforcements follow from RFC 5937 (primarily section 3.2):
 
   // Initialize name constraints initial-permitted/excluded-subtrees.
   if (cert.has_name_constraints())
     name_constraints_list->push_back(&cert.name_constraints());
 
@@ skipping 18 matching lines @@
   // NOTE: RFC 5937 does not say to enforce the CA=true part of basic
   // constraints.
   if (cert.has_basic_constraints() && cert.basic_constraints().has_path_len)
     *max_path_length_ptr = cert.basic_constraints().path_len;
 
   // From RFC 5937 section 2:
   //
   //    Extensions may be marked critical or not critical.  When trust anchor
   //    constraints are enforced, clients MUST reject certification paths
   //    containing a trust anchor with unrecognized critical extensions.
-  if (!VerifyNoUnconsumedCriticalExtensions(cert, errors))
-    return false;
-
-  return true;
+  VerifyNoUnconsumedCriticalExtensions(cert, errors);
 }
 
-}  // namespace
-
 // This implementation is structured to mimic the description of certificate
 // path verification given by RFC 5280 section 6.1.
-bool VerifyCertificateChain(const ParsedCertificateList& certs,
-                            const TrustAnchor* trust_anchor,
-                            const SignaturePolicy* signature_policy,
-                            const der::GeneralizedTime& time,
-                            CertErrors* errors) {
+void VerifyCertificateChainNoReturnValue(
+    const ParsedCertificateList& certs,
+    const TrustAnchor* trust_anchor,
+    const SignaturePolicy* signature_policy,
+    const der::GeneralizedTime& time,
+    CertPathErrors* errors) {
   DCHECK(trust_anchor);
   DCHECK(signature_policy);
   DCHECK(errors);
 
   // An empty chain is necessarily invalid.
   if (certs.empty()) {
-    errors->AddError(kChainIsEmpty);
-    return false;
+    errors->GetOtherErrors()->AddError(kChainIsEmpty);
+    return;
   }
 
   // Will contain a NameConstraints for each previous cert in the chain which
   // had nameConstraints. This corresponds to the permitted_subtrees and
   // excluded_subtrees state variables from RFC 5280.
   std::vector<const NameConstraints*> name_constraints_list;
 
   // |working_spki| is an amalgamation of 3 separate variables from RFC 5280:
   //    * working_public_key
   //    * working_public_key_algorithm
@@ skipping 22 matching lines @@
   // section 6.1.2:
   //
   //    max_path_length:  this integer is initialized to n, is
   //    decremented for each non-self-issued certificate in the path,
   //    and may be reduced to the value in the path length constraint
   //    field within the basic constraints extension of a CA
   //    certificate.
   size_t max_path_length = certs.size();
 
   // Apply any trust anchor constraints per RFC 5937.
-  if (!ProcessTrustAnchorConstraints(*trust_anchor, &max_path_length,
-                                     &name_constraints_list, errors)) {
-    return false;
-  }
+  //
+  // TODO(eroman): Errors on the trust anchor are put into a certificate bucket
+  //               GetErrorsForCert(certs.size()). This is a bit magical, and
+  //               has some integration issues.
+  ProcessTrustAnchorConstraints(*trust_anchor, &max_path_length,
+                                &name_constraints_list,
+                                errors->GetErrorsForCert(certs.size()));
 
   // Iterate over all the certificates in the reverse direction: starting from
   // the certificate signed by trust anchor and progressing towards the target
   // certificate.
   //
   // Note that |i| uses 0-based indexing whereas in RFC 5280 it is 1-based.
   //
   //   * i=0    :  Certificated signed by trust anchor.
   //   * i=N-1  :  Target certificate.
   for (size_t i = 0; i < certs.size(); ++i) {
     const size_t index_into_certs = certs.size() - i - 1;
 
     // |is_target_cert| is true if the current certificate is the target
     // certificate being verified. The target certificate isn't necessarily an
     // end-entity certificate.
     const bool is_target_cert = index_into_certs == 0;
 
     const ParsedCertificate& cert = *certs[index_into_certs];
 
-    // Set the current certificate as the context for any subsequent errors.
-    CertErrorScoperForCert error_context(errors, i);
+    // Output errors for the current certificate into an error bucket that is
+    // associated with that certificate.
+    CertErrors* cert_errors = errors->GetErrorsForCert(index_into_certs);
 
     // Per RFC 5280 section 6.1:
     //  * Do basic processing for each certificate
     //  * If it is the last certificate in the path (target certificate)
     //     - Then run "Wrap up"
     //     - Otherwise run "Prepare for Next cert"
-    if (!BasicCertificateProcessing(
-            cert, is_target_cert, signature_policy, time, working_spki,
-            working_normalized_issuer_name, name_constraints_list, errors)) {
-      return false;
-    }
+    BasicCertificateProcessing(cert, is_target_cert, signature_policy, time,
+                               working_spki, working_normalized_issuer_name,
+                               name_constraints_list, cert_errors);
     if (!is_target_cert) {
-      if (!PrepareForNextCertificate(cert, &max_path_length, &working_spki,
-                                     &working_normalized_issuer_name,
-                                     &name_constraints_list, errors)) {
-        return false;
-      }
+      PrepareForNextCertificate(cert, &max_path_length, &working_spki,
+                                &working_normalized_issuer_name,
+                                &name_constraints_list, cert_errors);
     } else {
-      if (!WrapUp(cert, errors))
-        return false;
+      WrapUp(cert, cert_errors);
     }
   }
 
   // TODO(eroman): RFC 5280 forbids duplicate certificates per section 6.1:
   //
   //    A certificate MUST NOT appear more than once in a prospective
   //    certification path.
+}
 
-  return true;
+}  // namespace
+
+bool VerifyCertificateChain(const ParsedCertificateList& certs,
+                            const TrustAnchor* trust_anchor,
+                            const SignaturePolicy* signature_policy,
+                            const der::GeneralizedTime& time,
+                            CertPathErrors* errors) {
+  // TODO(eroman): This function requires that |errors| is empty upon entry,
+  // which is not part of the API contract.
+  DCHECK(!errors->ContainsHighSeverityErrors());
+  VerifyCertificateChainNoReturnValue(certs, trust_anchor, signature_policy,
+                                      time, errors);
+  return !errors->ContainsHighSeverityErrors();
 }
 
 }  // namespace net