Add a key purpose parameter to Certificate PathBuilder.

components/cast_certificate/cast_cert_validator.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "components/cast_certificate/cast_cert_validator.h"
 
 #include <stddef.h>
 #include <stdint.h>
 
 #include <algorithm>
@@ skipping 142 matching lines @@
   for (const net::RelativeDistinguishedName& rdn : rdn_sequence) {
     for (const auto& atv : rdn) {
       if (atv.type == net::TypeCommonNameOid()) {
         return atv.ValueAsString(common_name);
       }
     }
   }
   return false;
 }
 
-// Returns true if the extended key usage list |ekus| contains client auth.
-bool HasClientAuth(const std::vector<net::der::Input>& ekus) {
-  for (const auto& oid : ekus) {
-    if (oid == net::ClientAuth())
-      return true;
-  }
-  return false;
-}
-
 // Checks properties on the target certificate.
 //
 //   * The Key Usage must include Digital Signature
-//   * The Extended Key Usage must include TLS Client Auth
 //   * May have the policy 1.3.6.1.4.1.11129.2.5.2 to indicate it
 //     is an audio-only device.
 WARN_UNUSED_RESULT bool CheckTargetCertificate(
     const net::ParsedCertificate* cert,
     std::unique_ptr<CertVerificationContext>* context,
     CastDeviceCertPolicy* policy) {
   // Get the Key Usage extension.
   if (!cert->has_key_usage())
     return false;
 
   // Ensure Key Usage contains digitalSignature.
   if (!cert->key_usage().AssertsBit(net::KEY_USAGE_BIT_DIGITAL_SIGNATURE))
     return false;
 
-  // Ensure Extended Key Usage contains client auth.
-  if (!cert->has_extended_key_usage() ||
-      !HasClientAuth(cert->extended_key_usage()))
-    return false;
-
   // Check for an optional audio-only policy extension.
   *policy = CastDeviceCertPolicy::NONE;
   if (cert->has_policy_oids()) {
     const std::vector<net::der::Input>& policies = cert->policy_oids();
     // Look for an audio-only policy. Disregard any other policy found.
     if (std::find(policies.begin(), policies.end(), AudioOnlyPolicyOid()) !=
         policies.end()) {
       *policy = CastDeviceCertPolicy::AUDIO_ONLY;
     }
   }
@@ skipping 71 matching lines @@
   auto signature_policy = CreateCastSignaturePolicy();
 
   // Do path building and RFC 5280 compatible certificate verification using the
   // two Cast trust anchors and Cast signature policy.
   net::der::GeneralizedTime verification_time;
   if (!net::der::EncodeTimeAsGeneralizedTime(time, &verification_time))
     return false;
   net::CertPathBuilder::Result result;
   net::CertPathBuilder path_builder(target_cert.get(), trust_store,
                                     signature_policy.get(), verification_time,
-                                    &result);
+                                    net::KeyPurpose::CLIENT_AUTH, &result);
   path_builder.AddCertIssuerSource(&intermediate_cert_issuer_source);
   path_builder.Run();
   if (!result.HasValidPath()) {
     // TODO(crbug.com/634443): Log error information.
     return false;
   }
 
   // Check properties of the leaf certificate (key usage, policy), and construct
   // a CertVerificationContext that uses its public key.
   if (!CheckTargetCertificate(target_cert.get(), context, policy))
@@ skipping 14 matching lines @@
 
 std::unique_ptr<CertVerificationContext> CertVerificationContextImplForTest(
     const base::StringPiece& spki) {
   // Use a bogus CommonName, since this is just exposed for testing signature
   // verification by unittests.
   return base::MakeUnique<CertVerificationContextImpl>(net::der::Input(spki),
                                                        "CommonName");
 }
 
 }  // namespace cast_certificate