Add tests for keyUsage to the built-in cert verifier.

net/cert/internal/verify_certificate_chain.cc

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/internal/verify_certificate_chain.h"
 
 #include <memory>
 
 #include "base/logging.h"
 #include "base/memory/ptr_util.h"
@@ skipping 46 matching lines @@
                      "Certificate.signatureAlgorithm is encoded differently "
                      "than TBSCertificate.signature");
 DEFINE_CERT_ERROR_ID(kEkuLacksServerAuth,
                      "The extended key usage does not include server auth");
 DEFINE_CERT_ERROR_ID(kEkuLacksClientAuth,
                      "The extended key usage does not include client auth");
 
 bool IsHandledCriticalExtensionOid(const der::Input& oid) {
   if (oid == BasicConstraintsOid())
     return true;
+  // Key Usage is NOT processed for end-entity certificates (this is the
+  // responsibility of callers), however it is considered "handled" here in
+  // order to allow being marked as critical.
   if (oid == KeyUsageOid())
     return true;
   if (oid == ExtKeyUsageOid())
     return true;
   if (oid == NameConstraintsOid())
     return true;
-  // TODO(eroman): SubjectAltName isn't actually used here, but rather is being
-  // checked by a higher layer.
   if (oid == SubjectAltNameOid())
     return true;
 
   // TODO(eroman): Make this more complete.
   return false;
 }
 
 // Adds errors to |errors| if the certificate contains unconsumed _critical_
 // extensions.
 void VerifyNoUnconsumedCriticalExtensions(const ParsedCertificate& cert,
@@ skipping 515 matching lines @@
     // goes beyond what RFC 5280 describes, but is the de-facto standard. See
     // https://wiki.mozilla.org/CA:CertificatePolicyV2.1#Frequently_Asked_Questions
     VerifyExtendedKeyUsage(cert, required_key_purpose, cert_errors);
 
     if (!is_target_cert) {
       PrepareForNextCertificate(cert, &max_path_length, &working_spki,
                                 &working_normalized_issuer_name,
                                 &name_constraints_list, cert_errors);
     } else {
       WrapUp(cert, cert_errors);
-      // TODO(eroman): Verify the Key Usage on target is consistent with
-      //               key_purpose.
     }
   }
 
   // TODO(eroman): RFC 5280 forbids duplicate certificates per section 6.1:
   //
   //    A certificate MUST NOT appear more than once in a prospective
   //    certification path.
 }
 
 }  // namespace
 
 bool VerifyCertificateChain(const ParsedCertificateList& certs,
                             const TrustAnchor* trust_anchor,
                             const SignaturePolicy* signature_policy,
                             const der::GeneralizedTime& time,
                             KeyPurpose required_key_purpose,
                             CertPathErrors* errors) {
   // TODO(eroman): This function requires that |errors| is empty upon entry,
   // which is not part of the API contract.
   DCHECK(!errors->ContainsHighSeverityErrors());
   VerifyCertificateChainNoReturnValue(certs, trust_anchor, signature_policy,
                                       time, required_key_purpose, errors);
   return !errors->ContainsHighSeverityErrors();
 }
 
 }  // namespace net