Add a key purpose parameter to Certificate PathBuilder.

net/cert/internal/verify_certificate_chain.h

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_CERT_INTERNAL_VERIFY_CERTIFICATE_CHAIN_H_
 #define NET_CERT_INTERNAL_VERIFY_CERTIFICATE_CHAIN_H_
 
 #include <vector>
 
 #include "base/compiler_specific.h"
 #include "base/memory/ref_counted.h"
 #include "net/base/net_export.h"
 #include "net/cert/internal/cert_errors.h"
 #include "net/cert/internal/parsed_certificate.h"
 #include "net/der/input.h"
 
 namespace net {
 
 namespace der {
 struct GeneralizedTime;
 }
 
 class SignaturePolicy;
 class TrustAnchor;
 
+// The key purpose (extended key usage) to check for during verification.
+enum class KeyPurpose {
+  KEY_PURPOSE_ANY,

[mattm, 2017/04/06 22:16:03]

nit: With enum class I think it's fine to leave off the KEY_PURPOSE_ prefix
since you always need to say KeyPurpose:: anyway.

[eroman, 2017/04/07 00:39:40]

I ran into a couple of problems with macro conflicts, which led me to these
verbose names :(

I don't remember the specific names that collided, but weird things happened on
Windows and Mac.

I can play with these some more and see if I can find something better. If I
could use the kCamelCase that would be ideal, but I don't think that is
consistent with our style guide...

[mattm, 2017/04/07 02:56:36]

Ugh, macro conflicts. Don't worry about it too much then, if you wanna just
stick with these names that's fine too.

[eroman, 2017/04/07 22:13:08]

Checking with trybots now, I can definitely settle on something shorter.
I remember ANY was a problem so I have changed that to ANY_EKU.

+  KEY_PURPOSE_SERVER_AUTH,
+  KEY_PURPOSE_CLIENT_AUTH,
+};
+
 // VerifyCertificateChain() verifies a certificate path (chain) based on the
 // rules in RFC 5280. The caller is responsible for building the path and
 // finding the trust anchor.
 //
 // WARNING: This implementation is in progress, and is currently incomplete.
 // Consult an OWNER before using it.
 //
 // TODO(eroman): Take a CertPath instead of ParsedCertificateList +
 //               TrustAnchor.
 //
@@ skipping 13 matching lines @@
 //     Contains the trust anchor (root) used to verify the chain. Must be
 //     non-null.
 //
 //   signature_policy:
 //     The policy to use when verifying signatures (what hash algorithms are
 //     allowed, what length keys, what named curves, etc).
 //
 //   time:
 //     The UTC time to use for expiration checks.
 //
+//   key_purpose:
+//     The key purpose that the target certificate needs to be valid for.
+//
 // ---------
 // Outputs
 // ---------
 //
 //   Returns true if the target certificate can be verified.
 //   TODO(eroman): This return value is redundant with the |errors| parameter.
 //
 //   errors:
 //     Must be non-null. The set of errors/warnings encountered while
 //     validating the path are appended to this structure. If verification
 //     failed, then there is guaranteed to be at least 1 error written to
 //     |errors|.
 NET_EXPORT bool VerifyCertificateChain(const ParsedCertificateList& certs,
                                        const TrustAnchor* trust_anchor,
                                        const SignaturePolicy* signature_policy,
                                        const der::GeneralizedTime& time,
+                                       KeyPurpose required_key_purpose,
                                        CertPathErrors* errors);
 
 // TODO(crbug.com/634443): Move exported errors to a central location?
 extern CertErrorId kValidityFailedNotAfter;
 extern CertErrorId kValidityFailedNotBefore;
 
 }  // namespace net
 
 #endif  // NET_CERT_INTERNAL_VERIFY_CERTIFICATE_CHAIN_H_