Allow the TrustStore interface to return matching intermediates, and identify distrusted certs.

components/cast_certificate/cast_crl.cc

 // Copyright 2016 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "components/cast_certificate/cast_crl.h"
 
 #include <unordered_map>
 #include <unordered_set>
 
 #include "base/base64.h"
@@ skipping 52 matching lines @@
   friend struct base::DefaultSingletonTraits<CastCRLTrustStore>;
 
   CastCRLTrustStore() {
     // Initialize the trust store with the root certificate.
     net::CertErrors errors;
     scoped_refptr<net::ParsedCertificate> cert =
         net::ParsedCertificate::CreateWithoutCopyingUnsafe(
             kCastCRLRootCaDer, sizeof(kCastCRLRootCaDer), {}, &errors);
     CHECK(cert) << errors.ToDebugString();
     // Enforce pathlen constraints and policies defined on the root certificate.
-    scoped_refptr<net::TrustAnchor> anchor =
-        net::TrustAnchor::CreateFromCertificateWithConstraints(std::move(cert));
-    CHECK(anchor);
-    store_.AddTrustAnchor(std::move(anchor));
+    store_.AddTrustAnchorWithConstraints(std::move(cert));
   }
 
   net::TrustStoreInMemory store_;
   DISALLOW_COPY_AND_ASSIGN(CastCRLTrustStore);
 };
 
 // Converts a uint64_t unix timestamp to net::der::GeneralizedTime.
 bool ConvertTimeSeconds(uint64_t seconds,
                         net::der::GeneralizedTime* generalized_time) {
   base::Time unix_timestamp =
@@ skipping 167 matching lines @@
 
 CastCRLImpl::~CastCRLImpl() {}
 
 // Verifies the revocation status of the certificate chain, at the specified
 // time.
 bool CastCRLImpl::CheckRevocation(const net::CertPath& trusted_chain,
                                   const base::Time& time) const {
   if (trusted_chain.IsEmpty())
     return false;
 
-  DCHECK(trusted_chain.trust_anchor);
+  DCHECK(trusted_chain.last_cert_trust.IsTrustAnchor());
 
   // Check the validity of the CRL at the specified time.
   net::der::GeneralizedTime verification_time;
   if (!net::der::EncodeTimeAsGeneralizedTime(time, &verification_time)) {
     VLOG(2) << "CRL verification time malformed.";
     return false;
   }
   if ((verification_time < not_before_) || (verification_time > not_after_)) {
     VLOG(2) << "CRL not time-valid. Perform hard fail.";
     return false;
   }
 
-  // Check revocation. Note that this loop has "+ 1" in order to also loop
-  // over the trust anchor (which is treated specially).
-  for (size_t i = 0; i < trusted_chain.certs.size() + 1; ++i) {
-    // This loop iterates over both certificates AND then the trust
-    // anchor after exhausing the certs.
-    net::der::Input spki_tlv;
-    if (i == trusted_chain.certs.size()) {
-      spki_tlv = trusted_chain.trust_anchor->spki();
-    } else {
-      spki_tlv = trusted_chain.certs[i]->tbs().spki_tlv;
-    }
+  // Check revocation. This loop iterates over both certificates AND then the
+  // trust anchor after exhausting the certs.
+  for (size_t i = 0; i < trusted_chain.certs.size(); ++i) {
+    const net::der::Input& spki_tlv = trusted_chain.certs[i]->tbs().spki_tlv;
 
     // Calculate the public key's hash to check for revocation.
     std::string spki_hash = crypto::SHA256HashString(spki_tlv.AsString());
     if (revoked_hashes_.find(spki_hash) != revoked_hashes_.end()) {
       VLOG(2) << "Public key is revoked.";
       return false;
     }
 
     // Check if the subordinate certificate was revoked by serial number.
     if (i > 0) {
@@ skipping 54 matching lines @@
       LOG(ERROR) << "CRL - Verification failed.";
       return nullptr;
     }
     return base::MakeUnique<CastCRLImpl>(tbs_crl, overall_not_after);
   }
   LOG(ERROR) << "No supported version of revocation data.";
   return nullptr;
 }
 
 }  // namespace cast_certificate