Add a key purpose parameter to Certificate PathBuilder.

net/cert/internal/path_builder_unittest.cc

 // Copyright 2016 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/internal/path_builder.h"
 
 #include "base/base_paths.h"
 #include "base/files/file_util.h"
 #include "base/path_service.h"
 #include "net/cert/internal/cert_issuer_source_static.h"
@@ skipping 142 matching lines @@
 // (This test is very similar to TestEndEntityHasSameNameAndSpkiAsTrustAnchor
 // but with different data; also in this test the target cert itself is in the
 // trust store).
 TEST_F(PathBuilderMultiRootTest, TargetHasNameAndSpkiOfTrustAnchor) {
   TrustStoreInMemory trust_store;
   AddTrustedCertificate(a_by_b_, &trust_store);
   AddTrustedCertificate(b_by_f_, &trust_store);
 
   CertPathBuilder::Result result;
   CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_,
-                               &result);
+                               KeyPurpose::ANY_EKU, &result);
 
   path_builder.Run();
 
   ASSERT_TRUE(result.HasValidPath());
   const auto& path = result.GetBestValidPath()->path;
   ASSERT_EQ(1U, path.certs.size());
   EXPECT_EQ(a_by_b_, path.certs[0]);
   EXPECT_EQ(b_by_f_, path.trust_anchor->cert());
 }
 
 // If the target cert is has the same name and key as a trust anchor, however
 // is NOT itself signed by a trust anchor, it fails. Although the provided SPKI
 // is trusted, the certificate contents cannot be verified.
 TEST_F(PathBuilderMultiRootTest, TargetWithSameNameAsTrustAnchorFails) {
   TrustStoreInMemory trust_store;
   AddTrustedCertificate(a_by_b_, &trust_store);
 
   CertPathBuilder::Result result;
   CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_,
-                               &result);
+                               KeyPurpose::ANY_EKU, &result);
 
   path_builder.Run();
 
   EXPECT_FALSE(result.HasValidPath());
 }
 
 // Test a failed path building when the trust anchor is provided as a
 // supplemental certificate. Conceptually the following paths can be built:
 //
 //   B(C) <- C(D) <- [Trust anchor D]
 //   B(C) <- C(D) <- D(D) <- [Trust anchor D]
 //
 // The second one is extraneous given the shorter one, however path building
 // will enumerate it if the shorter one failed validation.
 TEST_F(PathBuilderMultiRootTest, SelfSignedTrustAnchorSupplementalCert) {
   TrustStoreInMemory trust_store;
   AddTrustedCertificate(d_by_d_, &trust_store);
 
   // The (extraneous) trust anchor D(D) is supplied as a certificate, as is the
   // intermediate needed for path building C(D).
   CertIssuerSourceStatic sync_certs;
   sync_certs.AddCert(d_by_d_);
   sync_certs.AddCert(c_by_d_);
 
   // C(D) is not valid at this time, so path building will fail.
   der::GeneralizedTime expired_time = {2016, 1, 1, 0, 0, 0};
 
   CertPathBuilder::Result result;
   CertPathBuilder path_builder(b_by_c_, &trust_store, &signature_policy_,
-                               expired_time, &result);
+                               expired_time, KeyPurpose::ANY_EKU, &result);
   path_builder.AddCertIssuerSource(&sync_certs);
 
   path_builder.Run();
 
   EXPECT_FALSE(result.HasValidPath());
   ASSERT_EQ(2U, result.paths.size());
 
   EXPECT_FALSE(result.paths[0]->IsValid());
   const auto& path0 = result.paths[0]->path;
   ASSERT_EQ(2U, path0.certs.size());
@@ skipping 12 matching lines @@
 // If the target cert is a self-signed cert whose key is a trust anchor, it
 // should verify.
 TEST_F(PathBuilderMultiRootTest, TargetIsSelfSignedTrustAnchor) {
   TrustStoreInMemory trust_store;
   AddTrustedCertificate(e_by_e_, &trust_store);
   // This is not necessary for the test, just an extra...
   AddTrustedCertificate(f_by_e_, &trust_store);
 
   CertPathBuilder::Result result;
   CertPathBuilder path_builder(e_by_e_, &trust_store, &signature_policy_, time_,
-                               &result);
+                               KeyPurpose::ANY_EKU, &result);
 
   path_builder.Run();
 
   ASSERT_TRUE(result.HasValidPath());
   const auto& path = result.GetBestValidPath()->path;
   ASSERT_EQ(1U, path.certs.size());
   EXPECT_EQ(e_by_e_, path.certs[0]);
   EXPECT_EQ(e_by_e_, path.trust_anchor->cert());
 }
 
 // If the target cert is directly issued by a trust anchor, it should verify
 // without any intermediate certs being provided.
 TEST_F(PathBuilderMultiRootTest, TargetDirectlySignedByTrustAnchor) {
   TrustStoreInMemory trust_store;
   AddTrustedCertificate(b_by_f_, &trust_store);
 
   CertPathBuilder::Result result;
   CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_,
-                               &result);
+                               KeyPurpose::ANY_EKU, &result);
 
   path_builder.Run();
 
   ASSERT_TRUE(result.HasValidPath());
   const auto& path = result.GetBestValidPath()->path;
   ASSERT_EQ(1U, path.certs.size());
   EXPECT_EQ(a_by_b_, path.certs[0]);
   EXPECT_EQ(b_by_f_, path.trust_anchor->cert());
 }
 
 // Test that async cert queries are not made if the path can be successfully
 // built with synchronously available certs.
 TEST_F(PathBuilderMultiRootTest, TriesSyncFirst) {
   TrustStoreInMemory trust_store;
   AddTrustedCertificate(e_by_e_, &trust_store);
 
   CertIssuerSourceStatic sync_certs;
   sync_certs.AddCert(b_by_f_);
   sync_certs.AddCert(f_by_e_);
 
   AsyncCertIssuerSourceStatic async_certs;
   async_certs.AddCert(b_by_c_);
   async_certs.AddCert(c_by_e_);
 
   CertPathBuilder::Result result;
   CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_,
-                               &result);
+                               KeyPurpose::ANY_EKU, &result);
   path_builder.AddCertIssuerSource(&async_certs);
   path_builder.AddCertIssuerSource(&sync_certs);
 
   path_builder.Run();
 
   EXPECT_TRUE(result.HasValidPath());
   EXPECT_EQ(0, async_certs.num_async_gets());
 }
 
 // If async queries are needed, all async sources will be queried
 // simultaneously.
 TEST_F(PathBuilderMultiRootTest, TestAsyncSimultaneous) {
   TrustStoreInMemory trust_store;
   AddTrustedCertificate(e_by_e_, &trust_store);
 
   CertIssuerSourceStatic sync_certs;
   sync_certs.AddCert(b_by_c_);
   sync_certs.AddCert(b_by_f_);
 
   AsyncCertIssuerSourceStatic async_certs1;
   async_certs1.AddCert(c_by_e_);
 
   AsyncCertIssuerSourceStatic async_certs2;
   async_certs2.AddCert(f_by_e_);
 
   CertPathBuilder::Result result;
   CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_,
-                               &result);
+                               KeyPurpose::ANY_EKU, &result);
   path_builder.AddCertIssuerSource(&async_certs1);
   path_builder.AddCertIssuerSource(&async_certs2);
   path_builder.AddCertIssuerSource(&sync_certs);
 
   path_builder.Run();
 
   EXPECT_TRUE(result.HasValidPath());
   EXPECT_EQ(1, async_certs1.num_async_gets());
   EXPECT_EQ(1, async_certs2.num_async_gets());
 }
 
 // Test that PathBuilder does not generate longer paths than necessary if one of
 // the supplied certs is itself a trust anchor.
 TEST_F(PathBuilderMultiRootTest, TestLongChain) {
   // Both D(D) and C(D) are trusted roots.
   TrustStoreInMemory trust_store;
   AddTrustedCertificate(d_by_d_, &trust_store);
   AddTrustedCertificate(c_by_d_, &trust_store);
 
   // Certs B(C), and C(D) are all supplied.
   CertIssuerSourceStatic sync_certs;
   sync_certs.AddCert(b_by_c_);
   sync_certs.AddCert(c_by_d_);
 
   CertPathBuilder::Result result;
   CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_,
-                               &result);
+                               KeyPurpose::ANY_EKU, &result);
   path_builder.AddCertIssuerSource(&sync_certs);
 
   path_builder.Run();
 
   ASSERT_TRUE(result.HasValidPath());
 
   // The result path should be A(B) <- B(C) <- C(D)
   // not the longer but also valid A(B) <- B(C) <- C(D) <- D(D)
   EXPECT_EQ(2U, result.GetBestValidPath()->path.certs.size());
 }
@@ skipping 12 matching lines @@
   sync_certs.AddCert(f_by_e_);
 
   // Certs B(C), and C(D) are supplied asynchronously, so the path
   // A(B) <- B(C) <- C(D) <- D(D) should be tried second.
   AsyncCertIssuerSourceStatic async_certs;
   async_certs.AddCert(b_by_c_);
   async_certs.AddCert(c_by_d_);
 
   CertPathBuilder::Result result;
   CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_, time_,
-                               &result);
+                               KeyPurpose::ANY_EKU, &result);
   path_builder.AddCertIssuerSource(&sync_certs);
   path_builder.AddCertIssuerSource(&async_certs);
 
   path_builder.Run();
 
   ASSERT_TRUE(result.HasValidPath());
 
   // The result path should be A(B) <- B(C) <- C(D) <- D(D)
   const auto& path = result.GetBestValidPath()->path;
   ASSERT_EQ(3U, path.certs.size());
@@ skipping 18 matching lines @@
     if (reverse_order) {
       for (auto it = certs.rbegin(); it != certs.rend(); ++it)
         sync_certs.AddCert(*it);
     } else {
       for (const auto& cert : certs)
         sync_certs.AddCert(cert);
     }
 
     CertPathBuilder::Result result;
     CertPathBuilder path_builder(a_by_b_, &trust_store, &signature_policy_,
-                                 time_, &result);
+                                 time_, KeyPurpose::ANY_EKU, &result);
     path_builder.AddCertIssuerSource(&sync_certs);
 
     path_builder.Run();
 
     ASSERT_TRUE(result.HasValidPath());
 
     // The result path should be A(B) <- B(C) <- C(D) <- D(D)
     const auto& path = result.GetBestValidPath()->path;
     ASSERT_EQ(3U, path.certs.size());
     EXPECT_EQ(a_by_b_, path.certs[0]);
@@ skipping 68 matching lines @@
   trust_store.AddTrustAnchor(oldroot_);
 
   // Old intermediate cert is not provided, so the pathbuilder will need to go
   // through the rollover cert.
   CertIssuerSourceStatic sync_certs;
   sync_certs.AddCert(newintermediate_);
   sync_certs.AddCert(newrootrollover_);
 
   CertPathBuilder::Result result;
   CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_,
-                               &result);
+                               KeyPurpose::ANY_EKU, &result);
   path_builder.AddCertIssuerSource(&sync_certs);
 
   path_builder.Run();
 
   EXPECT_TRUE(result.HasValidPath());
 
   // Path builder will first attempt: target <- newintermediate <- oldroot
   // but it will fail since newintermediate is signed by newroot.
   ASSERT_EQ(2U, result.paths.size());
   const auto& path0 = result.paths[0]->path;
@@ skipping 27 matching lines @@
   AddTrustedCertificate(newroot_, &trust_store);
 
   // Both old and new intermediates + rollover cert are provided.
   CertIssuerSourceStatic sync_certs;
   sync_certs.AddCert(oldintermediate_);
   sync_certs.AddCert(newintermediate_);
   sync_certs.AddCert(newrootrollover_);
 
   CertPathBuilder::Result result;
   CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_,
-                               &result);
+                               KeyPurpose::ANY_EKU, &result);
   path_builder.AddCertIssuerSource(&sync_certs);
 
   path_builder.Run();
 
   EXPECT_TRUE(result.HasValidPath());
 
   // Path builder willattempt one of:
   // target <- oldintermediate <- oldroot
   // target <- newintermediate <- newroot
   // either will succeed.
@@ skipping 15 matching lines @@
 
 // If trust anchor query returned no results, and there are no issuer
 // sources, path building should fail at that point.
 TEST_F(PathBuilderKeyRolloverTest, TestAnchorsNoMatchAndNoIssuerSources) {
   TrustStoreInMemory trust_store;
   trust_store.AddTrustAnchor(
       TrustAnchor::CreateFromCertificateNoConstraints(newroot_));
 
   CertPathBuilder::Result result;
   CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_,
-                               &result);
+                               KeyPurpose::ANY_EKU, &result);
 
   path_builder.Run();
 
   EXPECT_FALSE(result.HasValidPath());
 
   ASSERT_EQ(0U, result.paths.size());
 }
 
 // Tests that multiple trust root matches on a single path will be considered.
 // Both roots have the same subject but different keys. Only one of them will
@@ skipping 11 matching lines @@
       TrustAnchor::CreateFromCertificateNoConstraints(newroot_));
   trust_store2.AddTrustAnchor(oldroot_);
 
   // Only oldintermediate is supplied, so the path with newroot should fail,
   // oldroot should succeed.
   CertIssuerSourceStatic sync_certs;
   sync_certs.AddCert(oldintermediate_);
 
   CertPathBuilder::Result result;
   CertPathBuilder path_builder(target_, &trust_store_collection,
-                               &signature_policy_, time_, &result);
+                               &signature_policy_, time_, KeyPurpose::ANY_EKU,
+                               &result);
   path_builder.AddCertIssuerSource(&sync_certs);
 
   path_builder.Run();
 
   EXPECT_TRUE(result.HasValidPath());
   ASSERT_EQ(2U, result.paths.size());
 
   {
     // Path builder may first attempt: target <- oldintermediate <- newroot
     // but it will fail since oldintermediate is signed by oldroot.
@@ skipping 29 matching lines @@
   sync_certs.AddCert(newintermediate_);
   sync_certs.AddCert(newroot_);
 
   // Rollover cert is only provided asynchronously. This will force the
   // pathbuilder to first try building a longer than necessary path.
   AsyncCertIssuerSourceStatic async_certs;
   async_certs.AddCert(newrootrollover_);
 
   CertPathBuilder::Result result;
   CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_,
-                               &result);
+                               KeyPurpose::ANY_EKU, &result);
   path_builder.AddCertIssuerSource(&sync_certs);
   path_builder.AddCertIssuerSource(&async_certs);
 
   path_builder.Run();
 
   EXPECT_TRUE(result.HasValidPath());
   ASSERT_EQ(3U, result.paths.size());
 
   // Path builder will first attempt: target <- newintermediate <- oldroot
   // but it will fail since newintermediate is signed by newroot.
@@ skipping 36 matching lines @@
 // trust anchor matches the SPKI and subject of the targe certificate, but the
 // rest of the certificate cannot be verified).
 TEST_F(PathBuilderKeyRolloverTest, TestEndEntityIsTrustRoot) {
   // Trust newintermediate.
   TrustStoreInMemory trust_store;
   AddTrustedCertificate(newintermediate_, &trust_store);
 
   CertPathBuilder::Result result;
   // Newintermediate is also the target cert.
   CertPathBuilder path_builder(newintermediate_, &trust_store,
-                               &signature_policy_, time_, &result);
+                               &signature_policy_, time_, KeyPurpose::ANY_EKU,
+                               &result);
 
   path_builder.Run();
 
   EXPECT_FALSE(result.HasValidPath());
 }
 
 // If target has same Name+SAN+SPKI as a necessary intermediate, test if a path
 // can still be built.
 // Since LoopChecker will prevent the intermediate from being included, this
 // currently does NOT verify. This case shouldn't occur in the web PKI.
 TEST_F(PathBuilderKeyRolloverTest,
        TestEndEntityHasSameNameAndSpkiAsIntermediate) {
   // Trust oldroot.
   TrustStoreInMemory trust_store;
   trust_store.AddTrustAnchor(oldroot_);
 
   // New root rollover is provided synchronously.
   CertIssuerSourceStatic sync_certs;
   sync_certs.AddCert(newrootrollover_);
 
   CertPathBuilder::Result result;
   // Newroot is the target cert.
   CertPathBuilder path_builder(newroot_, &trust_store, &signature_policy_,
-                               time_, &result);
+                               time_, KeyPurpose::ANY_EKU, &result);
   path_builder.AddCertIssuerSource(&sync_certs);
 
   path_builder.Run();
 
   // This could actually be OK, but CertPathBuilder does not build the
   // newroot <- newrootrollover <- oldroot path.
   EXPECT_FALSE(result.HasValidPath());
 }
 
 // If target has same Name+SAN+SPKI as the trust root, test that a (trivial)
 // path can still be built.
 TEST_F(PathBuilderKeyRolloverTest,
        TestEndEntityHasSameNameAndSpkiAsTrustAnchor) {
   // Trust newrootrollover.
   TrustStoreInMemory trust_store;
   AddTrustedCertificate(newrootrollover_, &trust_store);
 
   CertPathBuilder::Result result;
   // Newroot is the target cert.
   CertPathBuilder path_builder(newroot_, &trust_store, &signature_policy_,
-                               time_, &result);
+                               time_, KeyPurpose::ANY_EKU, &result);
 
   path_builder.Run();
 
   ASSERT_TRUE(result.HasValidPath());
 
   const CertPathBuilder::ResultPath* best_result = result.GetBestValidPath();
 
   // Newroot has same name+SPKI as newrootrollover, thus the path is valid and
   // only contains newroot.
   EXPECT_TRUE(best_result->IsValid());
@@ skipping 27 matching lines @@
   CertIssuerSourceStatic sync_certs2;
   sync_certs2.AddCert(oldintermediate_dupe);
 
   // The newintermediate is supplied asynchronously, so the path
   // target <- newintermediate <- newroot should be tried second.
   AsyncCertIssuerSourceStatic async_certs;
   async_certs.AddCert(newintermediate_);
 
   CertPathBuilder::Result result;
   CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_,
-                               &result);
+                               KeyPurpose::ANY_EKU, &result);
   path_builder.AddCertIssuerSource(&sync_certs1);
   path_builder.AddCertIssuerSource(&sync_certs2);
   path_builder.AddCertIssuerSource(&async_certs);
 
   path_builder.Run();
 
   EXPECT_TRUE(result.HasValidPath());
   ASSERT_EQ(2U, result.paths.size());
 
   // Path builder will first attempt: target <- oldintermediate <- newroot
@@ skipping 33 matching lines @@
   TrustStoreInMemory trust_store;
   AddTrustedCertificate(newroot_, &trust_store);
 
   // The oldintermediate and newroot are supplied synchronously by |sync_certs|.
   CertIssuerSourceStatic sync_certs;
   sync_certs.AddCert(oldintermediate_);
   sync_certs.AddCert(newroot_dupe);
 
   CertPathBuilder::Result result;
   CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_,
-                               &result);
+                               KeyPurpose::ANY_EKU, &result);
   path_builder.AddCertIssuerSource(&sync_certs);
 
   path_builder.Run();
 
   EXPECT_FALSE(result.HasValidPath());
   ASSERT_EQ(2U, result.paths.size());
   // TODO(eroman): Is this right?
 
   // Path builder attempt: target <- oldintermediate <- newroot
   // but it will fail since oldintermediate is signed by oldroot.
@@ skipping 54 matching lines @@
 // builder does not request issuers of certs that it shouldn't.
 TEST_F(PathBuilderKeyRolloverTest, TestMultipleAsyncIssuersFromSingleSource) {
   StrictMock<MockCertIssuerSource> cert_issuer_source;
 
   // Only newroot is a trusted root.
   TrustStoreInMemory trust_store;
   AddTrustedCertificate(newroot_, &trust_store);
 
   CertPathBuilder::Result result;
   CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_,
-                               &result);
+                               KeyPurpose::ANY_EKU, &result);
   path_builder.AddCertIssuerSource(&cert_issuer_source);
 
   // Create the mock CertIssuerSource::Request...
   std::unique_ptr<StrictMock<MockCertIssuerSourceRequest>>
       target_issuers_req_owner(new StrictMock<MockCertIssuerSourceRequest>());
   // Keep a raw pointer to the Request...
   StrictMock<MockCertIssuerSourceRequest>* target_issuers_req =
       target_issuers_req_owner.get();
   // Setup helper class to pass ownership of the Request to the PathBuilder when
   // it calls AsyncGetIssuersOf.
@@ skipping 58 matching lines @@
 // asynchronously provide the same certificate multiple times.
 TEST_F(PathBuilderKeyRolloverTest, TestDuplicateAsyncIntermediates) {
   StrictMock<MockCertIssuerSource> cert_issuer_source;
 
   // Only newroot is a trusted root.
   TrustStoreInMemory trust_store;
   AddTrustedCertificate(newroot_, &trust_store);
 
   CertPathBuilder::Result result;
   CertPathBuilder path_builder(target_, &trust_store, &signature_policy_, time_,
-                               &result);
+                               KeyPurpose::ANY_EKU, &result);
   path_builder.AddCertIssuerSource(&cert_issuer_source);
 
   // Create the mock CertIssuerSource::Request...
   std::unique_ptr<StrictMock<MockCertIssuerSourceRequest>>
       target_issuers_req_owner(new StrictMock<MockCertIssuerSourceRequest>());
   // Keep a raw pointer to the Request...
   StrictMock<MockCertIssuerSourceRequest>* target_issuers_req =
       target_issuers_req_owner.get();
   // Setup helper class to pass ownership of the Request to the PathBuilder when
   // it calls AsyncGetIssuersOf.
@@ skipping 59 matching lines @@
   const auto& path1 = result.paths[1]->path;
   ASSERT_EQ(2U, path1.certs.size());
   EXPECT_EQ(target_, path1.certs[0]);
   EXPECT_EQ(newintermediate_, path1.certs[1]);
   EXPECT_EQ(newroot_, path1.trust_anchor->cert());
 }
 
 }  // namespace
 
 }  // namespace net