Allow the TrustStore interface to return matching intermediates, and identify distrusted certs.

net/cert/cert_verify_proc_builtin.cc

 // Copyright (c) 2017 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/cert_verify_proc_builtin.h"
 
 #include <string>
 #include <vector>
 
 #include "base/logging.h"
@@ skipping 85 matching lines @@
   base::SHA1HashBytes(spki_bytes.UnsafeData(), spki_bytes.Length(),
                       sha1.data());
   hashes->push_back(sha1);
 
   HashValue sha256(HASH_VALUE_SHA256);
   crypto::SHA256HashString(spki_bytes.AsStringPiece(), sha256.data(),
                            crypto::kSHA256Length);
   hashes->push_back(sha256);
 }
 
-// Appends the SubjectPublicKeyInfo hashes for all certificates (and trust
-// anchor) in |partial_path| to |*hashes|.
+// Appends the SubjectPublicKeyInfo hashes for all certificates in
+// |partial_path| to |*hashes|.
 void AppendPublicKeyHashes(const CertPathBuilder::ResultPath& partial_path,
                            HashValueVector* hashes) {
   for (const scoped_refptr<ParsedCertificate>& cert : partial_path.path.certs)
     AppendPublicKeyHashes(cert->tbs().spki_tlv, hashes);
-
-  if (partial_path.path.trust_anchor)
-    AppendPublicKeyHashes(partial_path.path.trust_anchor->spki(), hashes);
 }
 
 // Sets the bits on |cert_status| for all the errors present in |errors| (the
 // errors for a particular path).
 void MapPathBuilderErrorsToCertStatus(const CertPathErrors& errors,
                                       CertStatus* cert_status) {
   // If there were no errors, nothing to do.
   if (!errors.ContainsHighSeverityErrors())
     return;
 
@@ skipping 27 matching lines @@
 //  * |path|: The result (possibly failed) from path building.
 scoped_refptr<X509Certificate> CreateVerifiedCertChain(
     X509Certificate* target_cert,
     const CertPathBuilder::ResultPath& path) {
   X509Certificate::OSCertHandles intermediates;
 
   // Skip the first certificate in the path as that is the target certificate
   for (size_t i = 1; i < path.path.certs.size(); ++i)
     intermediates.push_back(CreateOSCertHandle(path.path.certs[i]));
 
-  if (path.path.trust_anchor) {
-    // TODO(eroman): This assumes that TrustAnchor::cert() cannot be null,
-    //               which disagrees with the documentation.
-    intermediates.push_back(CreateOSCertHandle(path.path.trust_anchor->cert()));
-  }
-
   scoped_refptr<X509Certificate> result = X509Certificate::CreateFromHandle(
       target_cert->os_cert_handle(), intermediates);
   // |target_cert| was already successfully parsed, so this should never fail.
   DCHECK(result);
 
   for (const X509Certificate::OSCertHandle handle : intermediates)
     X509Certificate::FreeOSCertHandle(handle);
 
   return result;
 }
@@ skipping 20 matching lines @@
     verify_result->cert_status |= CERT_STATUS_INVALID;
     return;
   }
 
   std::unique_ptr<SystemTrustStore> ssl_trust_store =
       CreateSslSystemTrustStore();
 
   for (const auto& x509_cert : additional_trust_anchors) {
     scoped_refptr<ParsedCertificate> cert = ParseCertificateFromOSHandle(
         x509_cert->os_cert_handle(), &parsing_errors);
-    if (cert) {
-      ssl_trust_store->AddTrustAnchor(
-          TrustAnchor::CreateFromCertificateNoConstraints(std::move(cert)));
-    }
+    if (cert)
+      ssl_trust_store->AddTrustAnchor(cert);
     // TODO(eroman): Surface parsing errors of additional trust anchor.
   }
 
   // TODO(eroman): The path building code in this file enforces its idea of weak
   // keys, and separately cert_verify_proc.cc also checks the chains with its
   // own policy. These policies should be aligned, to give path building the
   // best chance of finding a good path.
   // Another difference to resolve is the path building here does not check the
   // target certificate's key strength, whereas cert_verify_proc.cc does.
   SimpleSignaturePolicy signature_policy(1024);
 
   // Use the current time.
   der::GeneralizedTime verification_time;
   if (!der::EncodeTimeAsGeneralizedTime(base::Time::Now(),
                                         &verification_time)) {
     // This really shouldn't be possible unless Time::Now() returned
     // something crazy.
     verify_result->cert_status |= CERT_STATUS_DATE_INVALID;
     return;
   }
 
   // Initialize the path builder.
   CertPathBuilder::Result result;
   CertPathBuilder path_builder(target, ssl_trust_store->GetTrustStore(),
                                &signature_policy, verification_time,
                                KeyPurpose::SERVER_AUTH, &result);
 
-  // Allow the path builder to discover intermediates from the trust store.
-  if (ssl_trust_store->GetCertIssuerSource())
-    path_builder.AddCertIssuerSource(ssl_trust_store->GetCertIssuerSource());
-
   // Allow the path builder to discover the explicitly provided intermediates in
   // |input_cert|.
   CertIssuerSourceStatic intermediates;
   AddIntermediatesToIssuerSource(input_cert, &intermediates);
   path_builder.AddCertIssuerSource(&intermediates);
 
   // TODO(crbug.com/649017): Allow the path builder to discover intermediates
   // through AIA fetching.
 
   path_builder.Run();
 
   if (result.best_result_index >= result.paths.size()) {
     // TODO(crbug.com/634443): What errors to communicate? Maybe the path
     // builder should always return some partial path (even if just containing
     // the target), then there is a CertErrors to test.
     verify_result->cert_status |= CERT_STATUS_AUTHORITY_INVALID;
     return;
   }
 
   // Use the best path that was built. This could be a partial path, or it could
   // be a valid complete path.
   const CertPathBuilder::ResultPath& partial_path =
       *result.paths[result.best_result_index].get();
 
-  if (partial_path.path.trust_anchor) {
+  const ParsedCertificate* trusted_cert = partial_path.path.GetTrustedCert();
+  if (trusted_cert) {
     verify_result->is_issued_by_known_root =
-        ssl_trust_store->IsKnownRoot(partial_path.path.trust_anchor);
+        ssl_trust_store->IsKnownRoot(trusted_cert);
 
     verify_result->is_issued_by_additional_trust_anchor =
-        ssl_trust_store->IsAdditionalTrustAnchor(
-            partial_path.path.trust_anchor);
-  } else {
-    // TODO(eroman): This shouldn't be necessary -- partial_path.errors should
-    // contain an error if it didn't chain to trust anchor.
-    verify_result->cert_status |= CERT_STATUS_AUTHORITY_INVALID;
+        ssl_trust_store->IsAdditionalTrustAnchor(trusted_cert);
   }
 
   verify_result->verified_cert =
       CreateVerifiedCertChain(input_cert, partial_path);
 
   AppendPublicKeyHashes(partial_path, &verify_result->public_key_hashes);
   MapPathBuilderErrorsToCertStatus(partial_path.errors,
                                    &verify_result->cert_status);
 
   // TODO(eroman): Is it possible that IsValid() fails but no errors were set in
@@ skipping 23 matching lines @@
              : OK;
 }
 
 }  // namespace
 
 scoped_refptr<CertVerifyProc> CreateCertVerifyProcBuiltin() {
   return scoped_refptr<CertVerifyProc>(new CertVerifyProcBuiltin());
 }
 
 }  // namespace net